In this Risky Business News sponsor interview, Catalin Cimpanu talks with Josh Kamdjou, co-founder and CEO of Sublime Security. Josh goes over recent trends in email badness, such as the increase in QR code abuse and the rise of SVG smuggling.
Show notes:
* Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics
* Base64-encoding an SVG attack within an iframe and hiding it all in an EML attachment
* Ransomware Gang Exploits AWS Feature to Encrypt and Hold Data Hostage
* Phishing Texts Trick iMessage Users into Disabling Security
* Fake CrowdStrike Job Offers Used to Distribute Cryptominer
* Stealthy WordPress Skimmers Infiltrate Database Tables
* A New AI-Driven Ransomware Group Blurs the Lines Between Hacktivism and Cybercrime

Ransomware Gang Exploits AWS Feature to Encrypt and Hold Data Hostage
https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
A new ransomware campaign leverages Amazon Web Services' (AWS) Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt victims' data stored in S3 buckets. This tactic, discovered by cybersecurity firm Halcyon, sees threat actors, such as the group dubbed "Codefinger", infiltrate AWS accounts and use the SSE-C feature with their own encryption keys.
The campaign hinges on the fact that AWS does not store these customer-provided keys. This makes data recovery impossible for victims even if they report the incident to Amazon. After encrypting the data, attackers set a seven-day file deletion policy and leave ransom notes demanding Bitcoin payments in exchange for the decryption key.
Halcyon advises AWS customers to implement strict security protocols, including disabling unused keys, regularly rotating active keys, and minimizing account permissions. They also recommend setting policies that restrict the use of SSE-C on S3 buckets where possible.
This incident highlights the critical need for robust security measures within cloud environments, emphasizing the importance of secure key management and vigilant monitoring for unauthorized activity.

Phishing Texts Trick iMessage Users into Disabling Security
https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-imessage-users-into-disabling-protection/
Cybercriminals are employing a new tactic in their smishing (SMS phishing) campaigns: tricking Apple iMessage users into replying to texts, thereby disabling the platform's built-in phishing protection.
iMessage automatically disables links in messages from unknown senders as a security measure. However, replying to such a message or adding the sender to your contacts list will enable these links.
Recent smishing attacks, such as those mimicking USPS shipping issues or unpaid road tolls, instruct recipients to reply with "Y" to enable a disabled link. This plays on the common user behavior of replying to texts to confirm appointments or opt out of services.
By replying, users inadvertently disable iMessage's security for that specific text, potentially exposing themselves to malicious links and scams. Even if the user doesn't click the enabled link, their response signals to attackers that they are susceptible to phishing attempts.
Security experts advise against replying to texts with disabled links from unknown senders. Instead, users should contact the purported sender directly to verify the message's legitimacy.

Fake CrowdStrike Job Offers Used to Distribute Cryptominer
https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/
Cybercriminals are targeting developers with a new phishing campaign that impersonates CrowdStrike, a cybersecurity company. The campaign tricks victims into downloading a malicious application that installs a cryptominer on their devices.
Here's how the scam works:
* Phishing Email: The attacker sends a phishing email that appears to be from a CrowdStrike recruiter. The email congratulates the recipient on being shortlisted for a junior developer position and asks them to schedule an interview.
* Malicious Link: The email contains a link that takes the victim to a fake website that looks like a legitimate CrowdStrike domain.
* Fake CRM Application: The website prompts the victim to download a "customer relationship management (CRM)" application to schedule the interview. However, this application is actually malware.
* Cryptominer Download: Once downloaded and installed, the malware downloads and installs a cryptominer on the victim's device. Cryptominers use the victim's device to mine cryptocurrency for the attacker.
This is a sophisticated phishing campaign that leverages the credibility of a well-known company. Here are some tips to avoid falling victim to this scam:
* Be wary of unsolicited emails: Don't click on links or download attachments from emails from unknown senders.
* Verify the sender's email address: If you receive an email from a recruiter, carefully check the email address to make sure it's legitimate.
* Don't download software from untrusted sources: Only download software from the official website of the company.
* Be suspicious of urgent requests: If an email asks you to take immediate action, it's probably a scam.

Stealthy WordPress Skimmers Infiltrate Database Tables
https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection.html
Cybersecurity researchers have uncovered a new wave of credit card skimmers targeting WordPress e-commerce sites. This campaign injects malicious JavaScript into the wp_options table of the WordPress database, making it difficult to detect with traditional scanning tools.
How the Skimmer Works
* Database Injection: The skimmer code is injected into the wp_options table disguised as a widget block.
* Checkout Page Activation: The malicious code springs into action only on checkout pages.
* Fake Payment Form: The skimmer either hijacks existing payment fields or injects a fraudulent payment form that mimics legitimate processors like Stripe.
* Data Theft: The form captures credit card details, including numbers, expiration dates, CVV codes, and billing information. The stolen data is then encoded to evade detection and sent to attacker-controlled servers.
Campaign Similarities to Previous Attacks
This campaign shares similarities with a previous attack discovered by Sucuri in December 2024. That attack also used JavaScript to create fake payment forms or steal data from legitimate forms on checkout pages. However, the stolen data was obfuscated differently, using a combination of JSON encoding, XOR encryption, and Base64 encoding.
These recent discoveries highlight the evolving tactics of cybercriminals. E-commerce website owners should stay updated on the latest threats and implement robust security measures, including regular vulnerability scanning and database backups. Users should also be cautious about entering payment information on unfamiliar websites and look for signs of a secure connection (HTTPS).

A New AI-Driven Ransomware Group Blurs the Lines Between Hacktivism and Cybercrime
https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
FunkSec, a recently emerged ransomware group, has taken the cybersecurity world by storm with its aggressive tactics and claims of over 85 victims in just a month. However, a closer look reveals a more complex story.
Key Points:
* Rapid Rise: FunkSec emerged in late 2024 and quickly gained notoriety for its high number of claimed victims.
* Low Expertise: Despite their claims, FunkSec appears to be run by inexperienced actors, with the malware riddled with redundancies and the group recycling leaked data from other sources.
* AI-Assisted Development: The group leverages AI tools to enhance their capabilities, including generating code comments and potentially aiding in ransomware development.
* Hacktivist Leanings: FunkSec aligns itself with hacktivist causes and targets specific countries, but the legitimacy of these connections remains unclear.
* Blurred Lines: FunkSec's activities blur the line between hacktivism and cybercrime, raising questions about their true motivations.
Motives and Methods
FunkSec uses a combination of data theft and encryption (double extortion) to pressure victims into paying ransoms. They offer their custom ransomware, DDoS tools, and password generation utilities. Interestingly, their ransomware demands are unusually low, sometimes as little as $10,000, and they also sell stolen data to third parties.
Technical Analysis
The FunkSec ransomware is written in Rust and exhibits several peculiarities. The code contains redundancies, with functions being called repeatedly. Additionally, the malware contains AI-generated comments, suggesting a reliance on AI tools for development.
Uncertainties and Challenges
FunkSec's true expertise and motivations remain unclear. Their use of recycled data casts doubt on the authenticity of their leaks, and their connection to hacktivism is questionable. This case highlights the evolving threat landscape, where even less-skilled actors can leverage AI and readily available tools to cause significant disruption.
The Future
FunkSec serves as a wake-up call for the cybersecurity community. We need to develop better methods for assessing ransomware threats and be wary of groups that rely on self-promotion and manipulation. As AI becomes more accessible, it's crucial to stay ahead of its potential misuse by malicious actors.
This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
News
* Power Platform Plan Designer (Preview) by Nick Doelman
* How NOT to use Copilot on LinkedIn by Femke Cornelissen
* 25 experts predict how AI will change business and life in 2025, featuring Charles Lamanna, by Fast Company
* Power Platform Weekly - Special Edition 4th anniversary by Carina M. Claesson, Daniel Laskewitz, Ed Gonzales, and Magnus Sørensen
* By Nathan Rose: Here are 3 unique #PowerFx traits that make it a delight to work with; PowerFx vs Excel; PowerFx has AI in its DNA!
* Hydrate Development Environments via Pipelines by Matt Collins-Jones
* Preview PDF files from Base64 content in Power Pages using the PDFJs library by Michel Mendes
* Power Automate Flow To Host A Web Page/Web Application by Matthew Devaney
* Website Tracking In Realtime Marketing by Megan V. Walker
* Looking to get Power Platform Certified in 2025? by Howdang Rashid
Events
* Tallinn Technology Town Hall, January 30-31st: Developers guide to Power Pages - Nick
* Canadian Power Platform Summit, March 21-22nd: Tickets on sale - January 1st
* ColorCloud, April 24-25th: Ulrikke's workshop "Power Pages: From creation to go-live!"; session with Andrew Wingate: "Business Central + Power Pages = TRUE"
* DynamicsMinds, May 26-28th: Nick's session on powerlifting and mental health
Podcast home page: https://powerplatformboost.com
Exploit code has been published for the vulnerability in Angular-Base64-Upload that was disclosed in November 2024.
Hi friends, today's a tale full of test tips and tools to help you in your adventures in pentesting!
SCCM Exploitation
* SCCM Exploitation: The First Cred Is the Deepest II w/ Gabriel Prud'homme – fantastic resource for learning all about attacking SCCM, starting from a perspective of zero creds
* CMLoot – find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares
* Snaffler – finds all the interesting SMB shares and juicy file contents
* Efflanrs – takes the raw Snaffler log and turns it into an interactive Web app!
* RubeusToCcache – a small tool to convert Base64-encoded .kirbi tickets from Rubeus into .ccache files for Impacket
Join us for an insightful episode featuring Ozan Bilgen, the CEO and driving force behind Base64.ai, a leading AI document processing platform. Dive into the world of document automation as Ozan shares his journey from being a software engineer at some of the world's top tech companies to founding Base64.ai. Discover how Base64.ai is transforming industries by automating the extraction and processing of data from thousands of document types, making operations faster, more accurate, and cost-effective. Learn about the innovative AI and machine learning technologies that power Base64.ai and how they are leading the charge in revolutionizing document handling across sectors. Ozan also delves into the future of AI in document processing, challenges in the industry, and the exciting opportunities ahead for Base64.ai. Get ready for an inspiring conversation about technology, entrepreneurship, and the future of work. This show is supported by www.matchrelevant.com, a company that helps venture-backed startups find the best people available in the market, who have the skills, experience, and desire to grow. With over a decade of experience in recruitment across multiple domains, they give people career options to choose from in their career journey.
In this episode, we explore the fascinating world of Base64, an encoding technique that converts binary data into ASCII text. We will discover how this tool is essential for handling images on the web and for security in cryptography. From its basic operation to its practical applications, we will talk about how Base64 makes it easier to transfer and store data on media designed for text. We will also break down its crucial role in encoding cryptographic data and discuss some security considerations. Join us on this journey to understand why Base64 is an indispensable bridge between technology and digital security.
My guests today are DC Posch and Nalin Bhardwaj, co-founders of Daimo. Daimo is a stablecoin focused iOS wallet built with Passkeys and AA Smart Accounts. On this episode, DC, Nalin, and I discuss their new p256Verifier contract, which is an audited Solidity implementation of p256r1 verification. We discuss the ins-and-outs of gas optimized onchain p256 verification, compare their contract to the FreshCryptoLib implementation, and consider the limitations of precomputation. We cover EIP-7212, which DC and Nalin co-authored alongside the team from Clave, and discuss Daimo's exciting proposal for progressive precompiles, also known as precompile shadowing, which would allow precompiles to elegantly replace the p256Verifier, on chains where it is adopted. It was fantastic learning from DC and Nalin who are experts working at the intersection of WebAuthn cryptography and blockchain. I hope you enjoy the show. As always, this show is provided as entertainment and does not constitute legal, financial, or tax advice or any form of endorsement or suggestion. Crypto has risks and you alone are responsible for doing your research and making your own decisions. If you value Web3 Galaxy Brain and would like to support the show, please send me a tweet or DM saying why you listen and what makes Web3 Galaxy Brain special for you. I'll post the best testimonies to the show's website. Thank you! 
Links
* Hosted by @nnnnicholas
* Sign up for the Daimo beta
* Daimo
* Daimo Github
* DC Posch
* Nalin Bhardwaj
* EthUniversity
* Hack Lodge
* Solidity Summit
* p256Verifier and Github and Daimo's blog
* Progressive precompiles (aka Precompile shadowing)
* FreshCryptoLib
* WebAuthn Halo2
* WebAuthn Circom
* ZK Sync Era's p256 precompile
* Awesome WebAuthn
* Dogan_Eth's State of Verifying p256
* Veridise audit
Chapters
* (00:00:00) Intro
* (00:01:37) How DC and Nalin met: EthUniversity and Hack Lodge
* (00:03:40) Decentralization and permissionlessness
* (00:05:57) What is Daimo
* (00:08:30) Advantages of Smart Contract Accounts
* (00:12:55) Passkeys and Enclave Keys
* (00:16:25) Trusted execution environments and firmware updates
* (00:19:55) Apple binaries and reproducible APKs
* (00:24:30) Self-custody UX
* (00:25:58) Why p256 (secp256r1)?
* (00:28:20) ECDSA vs ZK
* (00:31:10) Renaud Dubois & FreshCryptoLib's p256 implementation vs Daimo's p256Verifier
* (00:36:50) Wycheproof test vectors
* (00:38:00) CPU style optimization for EVM cryptography
* (00:39:40) Precomputation, or not
* (00:44:10) EIP-7212
* (00:49:05) Progressive Precompiles (aka Precompile shadowing)
* (00:54:00) EVM equivalence and p256
* (01:00:05) Veridise audit
* (01:02:00) Daimo's forthcoming Base64 encoder
* (01:03:40) Daimo cross-chain stablecoin wallets
* (01:06:00) Getting Daimo
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
* base64dump.py Handles More Encodings Than Just BASE64: https://isc.sans.edu/diary/base64dump.py%20Handles%20More%20Encodings%20Than%20Just%20BASE64/30332
* Stealing OAuth Tokens via Open Redirects: https://eval.blog/research/microsoft-account-token-leaks-in-harvest/
* VMware Patches: https://www.vmware.com/security/advisories.html
* SolarWinds Patches: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
From Kas, Turkey... A tech tip about unredacting (or not) documents with ChatGPT, as well as what tools like Base64, DocSumo, and LLaVA may offer in the future. Some concise advice about why stronger relationships help you get through bigger mistakes.
In cybersecurity, the teaching of cloud security is often weak. So, here are my Top 100 things about encryption in the cloud. I've focused on AWS, but much of it is likely to also be applicable to Azure.
* Keys are created in AWS KMS (Key Management Service). In Azure, this is named Key Vault.
* The cost of using a key in KMS is around $1/month (prorated hourly). When a key is disabled, it is not charged.
* With AWS KMS, we use a shared customer HSM (Hardware Security Module); with AWS CloudHSM, the HSM is dedicated to one customer.
* For data at rest in file storage, we can integrate encryption with Amazon EBS (Elastic Block Store) and Amazon S3.
* Amazon EBS volumes are encrypted with AES-256 in XTS mode.
* For AWS-managed keys, a unique key is used for every object within S3 buckets.
* Amazon S3 uses server-side encryption to store encrypted data. The customer can also use client-side encryption to encrypt data before it goes into the AWS infrastructure.
* AWS uses 256-bit Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) for its symmetric key encryption.
* In AWS S3, by default, all objects are encrypted.
* For data at rest in databases, we can integrate encryption with Amazon RDS (AWS's relational database service) and Amazon Redshift (AWS's data warehousing service).
* For data at rest, we can also integrate encryption into ElastiCache (AWS's caching service), AWS Lambda (AWS's serverless computing service), and Amazon SageMaker (AWS's machine learning service).
* Keys are tokenized and have an ARN (Amazon Resource Name) and an alias. An example ARN for a key is arn:aws:kms:us-east-1:103269750866:key/de30e8e6-c753-4a2c-881a-53c761242644, and an example alias is "Bill's Key". Both of these should be unique in the user's account.
* To identify a KMS key, we can use its key ID, its key ARN, its alias name, or its alias ARN.
* You can link keys to other AWS accounts.
* For this, we specify the other account in the form "arn:aws:iam::[AWS ID]:root", where AWS ID is the ID of the other AWS account.
* To enhance security, we can use AWS CloudHSM (Hardware Security Module). For simpler and less costly solutions, we typically use AWS KMS (Key Management Service). For CloudHSM, we pay per hour, but for KMS, we just pay for the usage of the keys.
* The application of the keys is restricted to defined services.
* Key identifiers and policies are defined with JSON key-value pairs.
* Each key has a unique GUID, such as "de30e8e6-c753-4a2c-881a-53c761242644". Users and roles are identified with an ARN, such as "arn:aws:iam::222222:root".
* For the usage of keys we have Key Administrative Permissions and Key Usage policies.
* Access is denied by default: a request is refused unless a policy contains a specific allow for it.
* For key permissions, we have the fields "Sid" (the descriptive name of the statement), "Effect" (typically "Allow"), "Principal" (the ARN of the user/group), "Action" (such as Create, Disable and Delete) and "Resource". A wildcard ("*") allows or disallows all.
* To give the account's "root" user access to everything with a key, the statement would be: {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::22222222:root"}, "Action": "kms:*", "Resource": "*"}.
* The main operations within KMS are to encrypt/decrypt data, sign/verify signatures, export data keys, and generate/verify MACs (Message Authentication Codes).
* Keys are either AWS managed (such as for the Lambda service) or customer managed (created and managed by the customer). Custom key stores are where the customer has complete control over the keys.
* The main use of keys is for EC2 (Compute), EBS (Elastic Block Store) and S3 (Storage).
* AES symmetric keys or an RSA key pair are used to encrypt and decrypt. RSA uses 2K, 3K or 4K keys, with either "RSA PKCS1 v1.5" or "RSA PSS" padding.
* RSA PKCS1 v1.5 padding is susceptible to Bleichenbacher's attack, so it should only be used for legacy applications; for all others, we should use RSA PSS.
* For RSA, we can use a hashing method of SHA-256, SHA-384 or SHA-512.
* In RSA, we encrypt with the public key and decrypt with the private key.
* For signatures, we can use either RSA or ECC signing. For RSA, we have 2K, 3K or 4K keys, whereas ECC signing uses NIST P256, NIST P384, NIST P521 and SECG P256k1 (as used in Bitcoin and Ethereum).
* For MACs (Message Authentication Codes), Bob and Alice have the same shared secret key and can authenticate the hashed version of a message. In KMS, we can have HMAC-224, HMAC-256, HMAC-384 and HMAC-512.
* KMS uses hardware security modules (HSMs) validated to FIPS 140-2, which cannot be accessed by AWS employees (or any other customer).
* Keys never appear on an AWS disk or in a backup; they exist only in the memory of the HSM and are only loaded when used.
* Encryption keys are restricted to one region of the world (unless defined otherwise by the user).
* With symmetric keys, the key never appears outside the HSM; for asymmetric keys (public key encryption), the private key stays inside the HSM and only the public key is exported.
* AWS CloudWatch shows how and when the encryption keys are being used.
* The minimum waiting period that can be set for a key to be deleted is seven days (and up to 30 days maximum).
* An organisation can also create its own HSM with a CloudHSM cluster. When a key is then created in KMS, it is stored in the cluster.
* The usage of encryption keys should be limited to a minimal set of service requirements. If possible, separate key managers from key users.
* With a key management (KEY_ADMINISTRATOR) role, we typically have the rights to create, revoke, put, get, list and disable keys. The key management role will typically not be able to encrypt and decrypt.
* With a key user (KEY_WORKER) role, we cannot create or delete keys, and typically focus on tasks such as encrypting and decrypting.
* Have a rule of minimum access rights, and simplify user access by defining key administration and key usage roles. Users are then added to these roles.
* Avoid manual updates to keys and use key rotation. The system keeps track of keys that are rotated and can still use previously defined ones. The default time to rotate keys is once every year. Key rotation shows up in the CloudWatch and CloudTrail logs.
* KMS complies with PCI DSS Level 1, FIPS 140-2, FedRAMP and HIPAA. AWS KMS is matched to FIPS 140-2 Level 2. AWS CloudHSM uses FIPS 140-2 Level 3 validated HSMs.
* AWS CloudHSM costs around $1.45 per hour to run, and the costs end when it is disabled or deleted.
* CloudHSM is backed up every 24 hours, and we can cluster the HSMs into a single logical HSM. CloudHSM can be replicated across AWS regions.
* AWS KMS is limited to the popular encryption methods, whereas CloudHSM can implement a wider range of methods.
* CloudHSM can support methods such as 3DES with AWS Payment Cryptography. This complies with payment card industry (PCI) standards, such as PCI PIN, PCI P2PE and PCI DSS.
* In CloudHSM for payments, we can generate CVV, CVV2 and ARQC values, and sensitive details never exist outside the HSM in an unprotected form.
* With CloudHSM, we have a command line interface where we can issue commands, named the CloudHSM CLI.
* Within the CloudHSM CLI, we can use the genSymKey command to generate a symmetric key within the HSM, where -t is the key type (31 is AES), -s is the key size (32 bytes) and -l is the label:
  genSymKey -t 31 -s 32 -l aes256
* With genSymKey, the key types are: 16 (Generic Secret), 18 (RC4), 21 (Triple DES) and 31 (AES).
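The two policy rules discussed so far (deny by default with key-administrator and key-user roles kept apart, and a bucket policy that restricts SSE-C uploads as recommended against the Codefinger-style S3 ransomware summarised earlier) can be checked offline with a small evaluator. This is an added example, not code from the article or from AWS: the account id, role names and bucket name are placeholders, and the evaluation is a simplification of IAM (one policy at a time, only the "Null" condition operator).

```python
import fnmatch

# Constructed example policies (placeholder account id and bucket name, not from the page).
ACCOUNT = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/KEY_ADMINISTRATOR"
KEY_WORKER = f"arn:aws:iam::{ACCOUNT}:role/KEY_WORKER"
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"   # set on SSE-C uploads

# KMS key policy: root may do anything (the statement quoted in the text), administrators
# manage the key but never encrypt/decrypt, key users encrypt/decrypt but never manage.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": KEY_ADMIN},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Get*", "kms:Revoke*", "kms:Disable*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": KEY_WORKER},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Key users never manage the key", "Effect": "Deny",   # explicit deny wins
     "Principal": {"AWS": KEY_WORKER},
     "Action": ["kms:Create*", "kms:Put*", "kms:Disable*", "kms:ScheduleKeyDeletion"],
     "Resource": "*"},
]}

# S3 bucket policy: refuse any upload that carries a customer-provided key (SSE-C).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyCustomerProvidedKeyUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {SSEC_KEY: "false"}}},   # "false": deny when the header IS present
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcards: "*" any run of characters, "?" a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principals(statement):
    principal = statement["Principal"]
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def _condition_holds(statement, context):
    # Only the "Null" operator is modelled (assumption: enough for the SSE-C rule).
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expect in pairs.items():
            if (expect == "true") == (key in context):   # "true" means key must be absent
                return False
    return True


def evaluate(policy, principal_arn, action, resource="*", context=None):
    """Simplified single-policy evaluation: an explicit Deny wins, otherwise one matching
    Allow is needed, otherwise the request is implicitly denied (deny by default)."""
    context = context or {}
    verdict = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(_principals(st), principal_arn) and _matches(st["Action"], action)
                and _matches(st["Resource"], resource) and _condition_holds(st, context)):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        verdict = "Allow"
    return verdict


def is_allowed(policy, principal_arn, action, resource="*", context=None):
    return evaluate(policy, principal_arn, action, resource, context) == "Allow"


def separation_of_duties(policy, admin_arn, user_arn):
    """Violations of the rule in the text: managers do not encrypt/decrypt, users do not
    create, disable or delete. An empty list means the policy honours the split."""
    use = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]
    manage = ["kms:CreateKey", "kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:PutKeyPolicy"]
    return ([f"admin may {a}" for a in use if is_allowed(policy, admin_arn, a)]
            + [f"user may {a}" for a in manage if is_allowed(policy, user_arn, a)])


if __name__ == "__main__":
    print("violations:", separation_of_duties(KEY_POLICY, KEY_ADMIN, KEY_WORKER))
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print("SSE-C upload:", evaluate(BUCKET_POLICY, KEY_WORKER, "s3:PutObject", obj, {SSEC_KEY: "AES256"}))
    print("plain upload:", evaluate(BUCKET_POLICY, KEY_WORKER, "s3:PutObject", obj))
```

A plain upload comes back as ImplicitDeny from the bucket policy alone because, in real IAM, the caller's identity policy is what would grant it; the bucket policy's job here is only the explicit deny for SSE-C.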
* Within the CloudHSM CLI, we can use the genRSAKeyPair command to generate an RSA key pair, where -m is the modulus size and -e is the public exponent:
  genRSAKeyPair -m 2048 -e 65537 -l mykey
* AWS CloudHSM is integrated with AWS CloudTrail, where we can track a user, role, or AWS service within AWS CloudHSM.
* With AWS Payment Cryptography, 2KEY TDES is two-key Triple DES and has a 112-bit equivalent key size. The PIN Encryption Key (PEK) is used to encrypt PIN values and uses a 2KEY TDES key. This can store PINs in a secure way, and then decrypt them when required.
* S3 buckets can be encrypted either with Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) keys. There is no cost to use SSE-S3 keys.
* For symmetric key encryption, AWS uses envelope encryption, where a random data key is used to encrypt the data, and then the data key is encrypted with the user's key. AWS should not be able to access the key used for the encryption.
* The default when creating an encryption key is for it to be used in a single region, but this can be changed to multi-region, where the key is replicated across more than one region.
* In AWS, a region is a geographical area which is split into isolated locations. US-East-1 (N. Virginia) and US-East-2 (Ohio) are different regions, while us-east-1a, us-east-1b and us-east-1c are in the same region. A single-region key in the US-East-1 region would replicate across us-east-1a, us-east-1b and us-east-1c, and not to us-east-2a, us-east-2b and us-east-2c.
* When creating a key, you can either create it in KMS, import a key (BYOK, bring your own key), create it in AWS CloudHSM, or create it in an external key store (HYOK, hold your own key).
* For keys stored on-premise, we can use an external key store (XKS). This can be defined as Hold Your Own Key (HYOK), where no entity in AWS is able to read any of the encrypted data.
* You can BYOK (bring your own key) with KMS, and import keys.
* KMS will keep a copy of an imported key.
* With XKS, we need a proxy URI endpoint, with proxy credentials of an access key ID and a secret access key.
* To export keys from AWS CloudHSM, we can encrypt them with an AES key. This is known as key wrapping, as defined in RFC 5648 (with zero padding) or RFC 3394 (without padding). A strong password should always be used for key wrapping.
* AWS encryption operations can be conducted either from the command line or within an API, such as with Python, Node.js or Golang.
* With KMS, the maximum data size is 4,096 bytes for a symmetric key, 190 bytes for RSA 2048 OAEP SHA-256, 318 bytes for RSA 3072 OAEP SHA-256, and 446 bytes for RSA 4096 OAEP SHA-256.
* An example command to encrypt the file 1.txt with symmetric key encryption is:
  aws kms encrypt --key-id alias/MySymKey --plaintext fileb://1.txt --query CiphertextBlob --output text > 1.out
* To decrypt a file with symmetric key encryption, an example with 1.enc is:
  aws kms decrypt --key-id alias/BillsNewKey --output text --query Plaintext --ciphertext-blob fileb://1.enc > 2.out
* In Python, to integrate with KMS, we use the Boto3 library.
* The standard output of encrypted content is in byte format. If we need a text version of the ciphertext, we typically use Base64 format. The base64 command can be used to convert between Base64 text and byte format, such as decoding the Base64 output above back into raw bytes with:
  base64 -i 1.out --decode > 1.enc
* The xxd command in the command line allows the ciphertext to be dumped to a hex output, which can then be edited.
* The edited hex can then be converted back to a binary output.
* An example piece of Python code for encrypting a plaintext message with the symmetric key is (the call returns a dictionary, and the ciphertext bytes are in its CiphertextBlob field):
  ciphertext = kms_client.encrypt(KeyId=alias, Plaintext=bytes(secret, encoding='utf8'))['CiphertextBlob']
* An example piece of Python code to decrypt some ciphertext (in Base64 format) is:
  plain_text = kms_client.decrypt(KeyId=alias, CiphertextBlob=base64.b64decode(ciphertext))['Plaintext']
* To generate an HMAC for a message in the command line, we have the form of:
  aws kms generate-mac --key-id alias/MyHMACKey --message fileb://1.txt --mac-algorithm HMAC_SHA_256 --query Mac > 4.out
* To verify an HMAC for a message in the command line, we have the form of:
  aws kms verify-mac --key-id alias/MyHMACKey --message fileb://1.txt --mac-algorithm HMAC_SHA_256 --mac fileb://4.mac
* To create an ECDSA signature in the command line, we have the form of:
  aws kms sign --key-id alias/MyPublicKeyForSigning --message fileb://1.txt --signing-algorithm ECDSA_SHA_256 --query Signature > 1.out
* To verify an ECDSA signature in the command line, we have the form of:
  aws kms verify --key-id alias/MyPublicKeyForSigning --message fileb://1.txt --signature fileb://1.sig --signing-algorithm ECDSA_SHA_256
* To encrypt data using RSA in the command line, we have the form of:
  aws kms encrypt --key-id alias/PublicKeyForDemo --plaintext fileb://1.txt --query CiphertextBlob --output text --encryption-algorithm RSAES_OAEP_SHA_1 > 1.out
* To decrypt data using RSA in the command line, we have the form of:
  aws kms decrypt --key-id alias/PublicKeyForDemo --output text --query Plaintext --ciphertext-blob fileb://1.enc --encryption-algorithm RSAES_OAEP_SHA_1 > 2.out
* To sign data using RSA in the command line, we have the form of:
  aws kms sign --key-id alias/MyRSAKey --message fileb://1.txt --signing-algorithm RSASSA_PSS_SHA_256 --query Signature --output text > 1.out
* To verify an RSA signature in the command line, we have the form of:
  aws kms verify --key-id alias/MyRSAKey --message fileb://1.txt --signature fileb://1.sig --signing-algorithm RSASSA_PSS_SHA_256
* You cannot encrypt data with elliptic curve keys; only RSA and AES can do that. Elliptic curve keys are used to sign data.
* If you delete an encryption key, you will not be able to decrypt any ciphertext that uses it.
* We can store our secrets, such as application passwords, in Secrets Manager. For a secret named "my-secret-passphrase" with a secret string of "Qwerty123", we can have:
  aws secretsmanager create-secret --name my-secret-passphrase --secret-string Qwerty123
* In China regions, along with RSA and ECDSA, you can use SM2 KMS signing keys. In China regions, we can use SM2PKE to encrypt data with asymmetric key encryption.
Find out more here: https://asecuritysite.com/aws
So, here's my Top 100 snippets of knowledge for blockchain:
Blockchains use public key methods to integrate digital trust. Bob signs for a transaction with his private key, and Alice proves this with Bob's public key.
The first usable public key method was RSA, created by Rivest, Shamir and Adleman. It was first published in 1979 and defined in the RSA patent entitled “Cryptographic Communications System and Method”.
Blockchains can either be permissioned (requiring rights to access the blockchain) or permissionless (open to anyone to use). Bitcoin and Ethereum are the two most popular permissionless blockchains, and Hyperledger is the most popular permissioned ledger.
Ralph Merkle, the boy genius, submitted a patent on 5 Sept 1979 which outlined the Merkle hash. This is used to create a block hash.
Ralph Merkle's PhD supervisor was Martin Hellman (famous as the co-creator of the Diffie-Hellman method).
David Chaum is considered one of the founders of electronic payments, and, in 1983, created ECASH, along with publishing a paper on “Blind signatures for untraceable payments”.
Miners gather transactions on a regular basis, and these are added to a block, where each block has a Merkle hash.
The first block on a blockchain does not have any previous blocks, and is named the genesis block.
Blocks are bound in a chain, where the previous, current and next block hashes are bound into the block. This makes the transactions in the block immutable.
Satoshi Nakamoto worked with Hal Finney on the first versions of Bitcoin, which were created for a Microsoft Windows environment.
Craig Steven Wright has claimed that he is Satoshi Nakamoto, but this claim has never been verified.
Most blockchains use elliptic curve cryptography, a method which was created independently by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography algorithms did not take off until 2004.
Satoshi selected the secp256k1 curve for Bitcoin, which gives the equivalent of 128-bit security. The secp256k1 curve uses the mapping of y² = x³ + 7 (mod p), and is known as a Short Weierstrass (“Vier-strass”) curve. The prime number used with secp256k1 is 2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1.
Satoshi published a 9-page white paper entitled “Bitcoin: A Peer-to-Peer Electronic Cash System” on 31 Oct 2008.
In 1997, Adam Back introduced the concept of Proof of Work with Hashcash in a paper entitled “Hashcash — a denial of service countermeasure.” This work was used by Satoshi in his white paper.
Satoshi focused on a decentralized system and a consensus model, and addressed the areas of double-spend, Sybil attacks and Eve-in-the-middle.
The Sybil attack is where an adversary can take over the general consensus of a network, and leads to a 51% attack, where the adversary manages to control 51% or more of the consensus infrastructure.
Satoshi used UK spelling in his correspondence, such as the spelling of “honour”.
The first Bitcoin block was minted on 3 Jan 2009 and contained a message of “Chancellor on brink of second bailout for banks” (the headline from The Times, as published in London on that day).
On 12 Jan 2009, Satoshi sent the first Bitcoin transaction of 50 BTC to Hal Finney [here].
A new block is created every 7–10 minutes on Bitcoin.
In Aug 2023, the total Bitcoin blockchain size was 502 GB.
As of Aug 2023, the top three cryptocurrencies are Bitcoin, Ether, and Tether. Bitcoin has a capitalization of $512 billion, Ether $222 billion, and Tether $83 billion. The total cryptocurrency capitalisation is $1.17 trillion.
The original block size was 1MB for Bitcoin, but it was recently upgraded to support a 1.5MB block, which holds around 3,000 transactions. Currently the block sizes are more than 1.7MB.
Bitcoin uses a gossip protocol, named the Lightning Protocol, to propagate transactions.
A Bitcoin wallet is created from a random seed value.
This seed value is then used to create the 256-bit secp256k1 private key. A wallet seed can be converted into a mnemonic format using BIP39, which uses 12 common words. This is a deterministic key, which allows the regeneration of the original key in the correct form. BIP39 allows for the conversion of the key to a number of languages, including English, French and Italian.
A private key in a wallet is stored in WIF format, which is a Base58 version of the 256-bit private key.
The main source code for the Bitcoin blockchain is held at https://github.com/bitcoin, and is known as Bitcoin Core. This is used to create nodes, store coins, and perform transactions with other nodes on the Bitcoin network.
A 256-bit private key has 115,792 billion billion billion billion billion billion billion billion different keys.
A public Bitcoin ID uses Base58 and has a limited character set of ‘123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz', where we delete ‘0' (zero), ‘l' (lowercase ‘l'), and ‘I' (capital I), as these can be interpreted as another character.
In Bitcoin and Ethereum, a private key (x) is converted to a public key with x.G, where G is the base point on the secp256k1 curve.
An uncompressed secp256k1 public key has 512 bits and is an (x,y) point on the curve. The point starts with a “04”. A compressed secp256k1 public key only stores the x-coordinate value and whether the y coordinate is odd or even. It starts with a “02” if the y-coordinate is even, otherwise it starts with a “03”.
In 1992, Eric Hughes, Timothy May, and John Gilmore set up the cypherpunk movement and defined, “We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.”
In Ethereum, the public key is used as the identity of a user (a.G), and is defined as a hexadecimal value.
In Bitcoin, the public ID is created from a SHA256 hash of the public key, then a RIPEMD160 of this, and then converted to Base58.
In computing the public key in ECC of a.G, we use the Montgomery multiplication method, which was created by Peter Montgomery in 1985, in a paper entitled “Modular Multiplication without Trial Division.”
Elliptic Curve methods use two basic operations: point addition (P+G) and point doubling (2.P). These can be combined to provide the scalar operation of a.G.
In 1999, Don Johnson and Alfred Menezes published a classic paper on “The Elliptic Curve Digital Signature Algorithm (ECDSA)”. It was based on the DSA (Digital Signature Algorithm), created by David W. Kravitz in a patent which was assigned to the US.
The core signature used in Bitcoin and Ethereum is ECDSA (Elliptic Curve Digital Signature Algorithm), which uses a random nonce for each signature. The nonce value should never repeat or be revealed.
Ethereum was first conceived in 2013 by Vitalik Buterin, Gavin Wood, Charles Hoskinson, Anthony Di Iorio and Joseph Lubin. It introduced smaller blocks, an improved proof of work, and smart contracts.
Bitcoin is seen as a first-generation blockchain, and Ethereum as a second-generation. These have been followed by third-generation blockchains, such as IOTA, Cardano and Polkadot, which have improved consensus mechanisms.
Bitcoin uses a consensus mechanism which is based on Proof-of-Work, where miners focus on finding a block hash that has a number of leading “0”s. The difficulty of the mining is defined by the hashing rate. At the current time, this is around 424 million TH/s.
There are around 733,000 unique Bitcoin addresses being used.
Satoshi defined a reward to miners for finding the required hash. This was initially set at 50 BTC, but was set to halve at regular intervals. On 11 January 2021, it dropped from 12.5 BTC to 6.2 BTC.
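The key-handling snippets above (x.G on secp256k1, the 04/02/03 public key prefixes, Base58 and the WIF private key format) are easier to check with working code. The following is an added example written for this page, not code from the article or from asecuritysite; it implements the secp256k1 arithmetic directly in Python integers (no library), the SEC1 public key encoding and decoding, and Base58Check as used for WIF. The curve constants are the public secp256k1 parameters; the private key value 1 is used only because its public key is the base point itself, which makes the output easy to recognise.

```python
import hashlib

# secp256k1 domain parameters (public constants from the curve standard)
P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l


def on_curve(pt):
    x, y = pt
    return (y * y - x ** 3 - 7) % P == 0


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 (mod P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # Q + (-Q) = infinity
    if p1 == p2:                                     # point doubling: tangent slope
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:                                            # point addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt=G):
    """Double-and-add: computes k.G, the private-key-to-public-key mapping."""
    if not 0 < k < N:
        raise ValueError("private key must be in [1, N-1]")
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode_pubkey(pt, compressed=True):
    """SEC1 encoding: 04||x||y (65 bytes) or 02/03||x (33 bytes, prefix = parity of y)."""
    x, y = pt
    if not compressed:
        return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def decode_pubkey(data):
    """Inverse of encode_pubkey; recovers y from x for compressed keys and checks the point."""
    if len(data) == 65 and data[0] == 4:
        pt = (int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:], "big"))
    elif len(data) == 33 and data[0] in (2, 3):
        x = int.from_bytes(data[1:], "big")
        y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)   # square root works because P % 4 == 3
        if (y % 2 == 0) != (data[0] == 2):
            y = P - y                                # choose the root with the flagged parity
        pt = (x, y)
    else:
        raise ValueError("not a SEC1 public key")
    if not on_curve(pt):
        raise ValueError("point is not on secp256k1")
    return pt


def b58encode(data):
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(B58[r])
    pad = len(data) - len(data.lstrip(b"\x00"))      # each leading 0x00 byte becomes '1'
    return (B58[:1] * pad + bytes(reversed(out))).decode()


def b58check(payload):
    """Base58Check = Base58(payload || first 4 bytes of SHA256(SHA256(payload)))."""
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + chk)


def private_key_to_wif(d, compressed=True):
    """Wallet Import Format: 0x80 || 32-byte key [|| 0x01 when the public key is compressed]."""
    return b58check(b"\x80" + d.to_bytes(32, "big") + (b"\x01" if compressed else b""))


if __name__ == "__main__":
    pub = scalar_mult(1)                             # private key 1 gives the base point G
    print(encode_pubkey(pub).hex())                  # starts with 02 because G's y is even
    print(private_key_to_wif(1, compressed=False), private_key_to_wif(1))
```

The decoder rejects anything that does not land on the curve, which is the check a verifier should make before using a received public key; the `pow(..., -1, P)` modular inverse needs Python 3.8 or later. The P2PKH address step (SHA256, then RIPEMD160, then Base58Check with a 0x00 version byte) is left out only because RIPEMD160 is not available in every Python build.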
Bitcoin currently consumes around 16.27 GWatts of power each year to produce a consensus, equivalent to the power consumed by a small country.
In creating bitcoins, Satoshi created a P2PKH (Pay to Public Key Hash) address. These addresses are used to identify the wallet to be paid and link to the public key of the owner. These addresses start with a ‘1'.
In order to support the sending of bitcoins to and from multiple addresses, Bitcoin was upgraded with SegWit (defined in BIP141). The wallet address then integrates the pay-to-witness public key hash (Pay to script hash, P2SH). These addresses start with a ‘3'.
Ethereum uses miners to undertake work for changing a state and running a smart contract. They are paid in “gas” or Ether, which relates to the amount of computation conducted. This limits denial of service attacks on the network and focuses developers on creating efficient code.
Ethereum supports the creation of cryptocurrency assets with ERC20 tokens, which are FTs (Fungible Tokens). For the normal crypto tokens (ERC-20) we use, there is a finite number of these, and each of them is the same. Ethereum creates NFTs (Non-Fungible Tokens) with ERC721 tokens. We mint these each time and each is unique.
Solidity is the programming language used in Ethereum, while Hyperledger can use Golang, Node.js and Java.
For Ethereum, we compile Solidity code into EVM (Ethereum Virtual Machine) code. This is executed on the blockchain.
Blockchain uses the SHA-256 hash for transaction integrity. Ethereum uses the Keccak hash to define the integrity of a transaction. This is closely related to SHA-3, but differs slightly from it.
The Keccak hash family uses a sponge function and was created by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, and standardized by NIST in August 2015 as SHA-3.
The DAO is a decentralized autonomous organization for the Ethereum blockchain and was launched in 2016.
In 2016, the DAO raised $150 million through a token sale but was hacked and funds were stolen. This resulted in a forking of the blockchain: Ethereum and Ethereum Classic.
Non-interactive Zero Knowledge Proofs (NI-ZKP) allow an entity to prove that they have knowledge of something, without revealing it. A typical secret is the ownership of a private key.
NI-ZKPs involve a prover (Peggy), a verifier (Victor) and a witness (Wendy), and were first defined by Manuel Blum, Paul Feldman, and Silvio Micali in their paper entitled “Non-interactive zero-knowledge and its applications”.
Popular ZKP methods include ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) and ZK-STARKs (Zero-Knowledge Scalable Transparent Argument of Knowledge).
Bitcoin and Ethereum are pseudo-anonymised, where the sender and recipient of a transaction, and its value, can be traced. Privacy coins enable anonymous transactions. These include Zcash and Monero.
In 1992, David Chaum and Torben Pryds Pedersen published “Wallet databases with observers,” and outlined a method of shielding the details of a monetary transaction.
In 1992, Adi Shamir (the “S” in RSA) published a paper on “How to share a secret” in the Communications of the ACM. This supported the splitting of a secret into a number of shares (n), where a threshold value (t) could be defined for the minimum number of shares that need to be brought back together to reveal the secret. These are known as Shamir Secret Shares (SSS).
In 1991, Torben P. Pedersen published a paper entitled “Non-interactive and information-theoretic secure verifiable secret sharing”, which is now known as the Pedersen Commitment. This is where we produce our commitment and then show the message that matches the commitment.
Distributed Key Generation (DKG) methods allow a private key to be shared by a number of trusted nodes.
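The Shamir Secret Shares snippet above (n shares, threshold t) is the kind of building block that DKG and threshold signing rest on, so here is a complete implementation as an added example written for this page, not the article's code. It evaluates a random polynomial of degree t−1 over a prime field to produce shares and uses Lagrange interpolation at x = 0 to recover the secret; the field prime is an assumption chosen for this example, and the secret must be an integer below it.

```python
import secrets

# Field prime for share arithmetic (assumption for this example: a Mersenne prime).
# Any secret must be an integer in [0, PRIME).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod PRIME); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, t, rng=secrets.randbelow):
    """Produce n shares (x, f(x)); any t of them reconstruct the secret, t-1 reveal nothing."""
    if not 1 < t <= n < PRIME:
        raise ValueError("need 1 < t <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    coeffs = [secret] + [rng(PRIME) for _ in range(t - 1)]   # random degree t-1 polynomial
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, t):
    """Lagrange interpolation at x = 0 over the field, using exactly t distinct shares."""
    if len(shares) < t:
        raise ValueError("fewer than t shares cannot reconstruct the secret")
    shares = shares[:t]
    if len({x for x, _ in shares}) != t:
        raise ValueError("share x-coordinates must be distinct")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % PRIME            # product of (0 - x_m)
                den = den * (xj - xm) % PRIME        # product of (x_j - x_m)
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    s = int.from_bytes(b"example secret", "big")     # constructed sample secret
    shares = split_secret(s, n=5, t=3)
    print(recover_secret([shares[0], shares[2], shares[4]], 3) == s)
```

Shares are handed to different custodians; the reconstruction function only ever needs t of them and refuses to guess with fewer, which is the property that makes the scheme useful for splitting a signing key across nodes.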
These nodes can then sign for a part of the ECDSA signature by producing a partial signature with these shares of the key.
Not all blockchains use ECDSA. The IOTA blockchain uses the EdDSA signature, which uses Curve 25519. This is a more lightweight signature version, and has better support for signature aggregation. It uses Twisted Edwards Curves.
The core signing method used in EdDSA is based on the Schnorr signature scheme, which was created by Claus Schnorr in 1989. This was patented as a “Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system”. The patent ran out in 2008.
Curve 25519 uses the prime number of 2²⁵⁵ − 19 and was created by Daniel J. Bernstein.
Peter Shor showed that elliptic curve methods can be broken with quantum computers. To overcome the cracking of the ECDSA signature by quantum computers, NIST are standardising a number of methods. At present, this focuses on CRYSTALS-Dilithium, which is a lattice cryptography method.
Bulletproofs were created in 2017 by Stanford's Applied Cryptography Group (ACG). They define a zero-knowledge proof where a value can be checked to see that it lies within a given range. The name “bulletproofs” is defined as they are short, like a bullet, and with bulletproof security assumptions.
While Bitcoin can take up to 7–10 minutes to mine a new block and create a consensus, newer blockchains, such as IOTA, can give an almost instantaneous consensus.
Banks around the world are investigating CBDC (Central Bank Digital Currency), which is not a cryptocurrency but a way to quickly define a consensus on a transaction.
Homomorphic encryption methods allow for the processing of encrypted values using arithmetic operations. A public key is used to encrypt the data, which can then be processed using an arithmetic circuit on the encrypted data. The owner of the associated private key can then decrypt the result.
Some traditional public key methods enable partial homomorphic encryption. RSA and ElGamal allow for multiplication and division, whilst Paillier allows for homomorphic addition and subtraction.
Full homomorphic encryption (FHE) supports all of the arithmetic operations and includes Fan-Vercauteren (FV) and BFV (Brakerski/Fan-Vercauteren) for integer operations and HEAAN (Homomorphic Encryption for Arithmetic of Approximate Numbers) for floating point operations. Most of the full homomorphic encryption methods use lattice cryptography.
Some blockchain applications use Barreto-Lynn-Scott (BLS) curves, which are pairing friendly. They can be used to implement bilinear groups, which are a triplet of groups (G1, G2 and GT), so that we can implement a function e() such that e(g1^x, g2^y) = gT^{xy}. Pairing-based cryptography is used in ZKPs.
The main BLS curves used are BLS12-381, BLS12-446, BLS12-455, BLS12-638 and BLS24-477.
An accumulator can be used for zero-knowledge proof of knowledge, such as using a BLS curve to add and remove proofs of knowledge.
OpenZeppelin is an open-source Solidity library that supports a wide range of functions that integrate into smart contracts in Ethereum. This includes AES encryption, Base64 integration and Elliptic Curve operations.
Metamask is one of the most widely used blockchain wallets and can integrate with many blockchains.
Most wallets generate the seed from the operating system, where the browser can use the Crypto.getRandomValues function, which is compatible with most browsers.
Solidity programs can be compiled with Remix at remix.ethereum.org.
The main Ethereum network is Ethereum Mainnet. We can test smart contracts on Ethereum test networks. Current networks include sepolia.etherscan.io and goerli.net.
Ether can be mined for test applications from a faucet, such as faucet.metamask.io. This normally requires some proof of work to gain the Ether, in order to protect against a Denial of Service against the faucet.
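The partial homomorphic property described in the two snippets above (a public key encrypts, arithmetic is done on ciphertexts, the private key decrypts the result) can be seen end to end with Paillier, the additive scheme named above. The following is an added example written for this page, not the article's code: it implements textbook Paillier key generation, encryption and decryption, then shows that multiplying two ciphertexts adds the plaintexts and raising a ciphertext to a power scales the plaintext. The two 16-bit primes are an assumption made so the numbers stay readable; a real deployment uses primes of 1024 bits or more.

```python
import math
import secrets

# Toy key material (assumption for this example): two 16-bit primes.
PRIME_P, PRIME_Q = 65521, 65537


def keygen(p=PRIME_P, q=PRIME_Q):
    """Return ((n, g), (lam, mu)) for Paillier with the standard choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael function lambda(n)
    g = n + 1
    # L(u) = (u - 1) // n; with g = n + 1, L(g^lam mod n^2) == lam mod n, so mu = lam^-1 mod n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m, rng=secrets.randbelow):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n (encryption is randomised)."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("message out of range")
    r = rng(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = rng(n - 1) + 1
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n) * mu % n


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts adds plaintexts: Dec(c1 * c2) = m1 + m2 (mod n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Raising a ciphertext to k multiplies the plaintext by k: Dec(c^k) = k * m (mod n)."""
    n, _ = pub
    return pow(c, k, n * n)


if __name__ == "__main__":
    pub, priv = keygen()
    c_salary, c_bonus = encrypt(pub, 1234), encrypt(pub, 5678)   # constructed sample values
    total = add_encrypted(pub, c_salary, c_bonus)     # computed without the private key
    print(decrypt(pub, priv, total))                  # the key owner sees 6912
```

Only the holder of `priv` learns the sum; whoever performs `add_encrypted` sees nothing but ciphertexts, which is the processing-on-encrypted-data model the passage describes. Subtraction follows from addition with a negated operand modulo n.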
The private key can be revealed from two ECDSA signatures which use the same random nonce value.
Polkadot is a blockchain which allows blockchains to exchange messages and perform transactions.
The proof-of-work method of creating blocks is now not preferred because of the energy that it typically uses. Many systems now focus on proof of stake (PoS).
A time-lock puzzle/Proof of Work involves performing a computing task which has a given cost and which cannot be cheated. This typically involves continual hashing or continual squaring.
The Chia blockchain network uses both Proof of Space (PoS) and Proof of Time (PoT). The PoS method makes use of the under-allocation of hard-disk space.
With a Verifiable Delay Function (VDF), we can prove that a given amount of work has been done by a prover (Peggy). A verifier (Victor) can then send the prover a proof value and compute a result which verifies the work has been done, with the verifier not needing to do the work but still able to prove the work has been done.
A Physical Unclonable Function (PUF) is a one-way function which creates a unique signature pattern based on the inherent delays within the wires and transistors. This can be used to link a device to an NFT.
In blockchain applications, we can use Non-interactive zero-knowledge (NIZK) proofs for the equality (EQ) of discrete logarithms (DL): DLEQ. With this, in discrete logarithms, we have
Related blog: https://medium.com/asecuritysite-when-bob-met-alice/tokens-jwt-and-google-tink-c6b915d387e8
And: https://billatnapier.medium.com/hmac-or-public-key-signing-of-jwts-64084aff10ef
Introduction
My Top 20 important things about JWTs:
JWT is a JSON Web Token and is pronounced “jot”.
JSON objects support human-readable text and are used in many applications, such as with NoSQL databases.
You should not trust a JWT unless it is cryptographically signed.
For authorization, a captured JWT can be replayed and “played back” to provide malicious entry or rights into a system.
JWTs should never be trusted before their issue date and their not-before date, and never trusted after their expiry.
JWTs have been defined as an RFC standard with RFC7519.
The format is URL friendly and is Base64URL encoded.
A JWT token has three main parameters separated by a period (“.”), which are the header, the payload and the signature.
The header is typically not encrypted and defines the signature algorithm (“alg”) and the type (“typ”).
The payload is typically not encrypted and uses a Base64 format. The payload can typically be seen by anyone who captures it.
“ey” is a typical starting part of a parameter in the header and body of a token, as ‘{“‘ encoded in Base64 is “ey==”. You can tell if a token is not encrypted by an “ey” at the start of the header and body parameters.
The registered claims of a token are iss (Issuer), sub (Subject), aud (Audience), iat (Issued At), exp (Expires), nbf (Not Before), and jti (JWT ID). The claim fields are not mandatory and are just a starting point for defining claims.
A claim is asserted about a subject, where we have a claim name and a claim value in a JSON format.
With an HMAC signature, the issuer and validator must share the same secret symmetric key.
If you use HMAC to sign the tokens, a breached secret key will compromise the signing infrastructure.
The two main public key signing methods are RSA and ECDSA.
The time of a token is represented as the number of seconds from 1 January 1970 (UTC). Each day of a JWT token is represented by 86,400 seconds.
An unsecured JWT does not have encryption or a signature. This is bad! It is represented in the header parameter with an “alg” of “none” and an empty string for the JWS Signature value.
A JWT can be encrypted (but this is optional). For public key methods, we can use either RSA and AES, or we can use a wrapped key.
And a debate I've had with many development teams: What's a token?
So, what's a token? Well, it is basically a way to encapsulate data in a well-defined format that has a signature from the issuer. For this, we either sign using HMAC (HMAC-256, HMAC-384 or HMAC-512), RSA signing or ECC signing. The HMAC method requires the use of a secret symmetric key, whilst RSA and ECC use public key encryption. The problem with HMAC is that if someone discovers the secret key, they could sign valid tokens. For enhanced security, we typically use public key encryption, where we sign with a private key and then validate with the public key. In this case, we will use Google Tink to create JWTs (JSON Web Tokens) which are signed with elliptic curve cryptography. For this, we will use either NIST P-256 (ES256), NIST P-384 (ES384) or NIST P512 (ES512) for the curves. Overall, we do not generally encrypt the payload in a JWT, so it can typically be viewed if the token is captured.
JWT format
A JWT token splits into three fields: header, payload and signature (Figure 1).
Figure 1: JWT format
The header parameter
The header contains the information required to interpret the rest of the token. Typical fields are “alg” and “kid”, and these represent the algorithm you use (such as “ES256”) and the key ID, respectively. The default type (“typ”) will be “JWT”. Other possible fields include “jwk” (JSON Web Key), “cty” (Content type), and “x5u” (X.509 URL).
An example header for a token that uses ES384 signatures and with an ID of “s5qe-Q” is:
{"alg":"ES384", "kid":"s5qe-Q"}
The payload parameter
The payload is defined in JSON format with key-value pairs. For a token, we have standard claim fields of iss (Issuer), sub (Subject), aud (Audience), iat (Issued At), exp (Expires At), nbf (Not Before), and jti (JWT ID). The claim fields are not mandatory and are just a starting point, and a developer can add any field that they want. An example payload is:
{"aud":"qwerty", "exp":1690754794, "iss":"ASecuritySite", "jti":"123456", "sub":"hello"}
The time is defined as the number of seconds past 1 January 1970 UTC. In this case, 1690754794 represents Sunday 30 Jul 2023 22:06:34 UTC.
The token signing parameter
There are two ways to sign a token: with an HMAC signature or with a public key signature. With HMAC, we create a shared symmetric key between the issuer and the validator. For public key encryption, we use either RSA or ECDSA. For these, we create a signature by signing the data in the token with the private key of the creator of the token, and then the client can prove this with the associated public key. For public key signing, the main signing methods are:
ES256. ECDSA using NIST P256 with SHA-256.
ES384. ECDSA using NIST P384 with SHA-384.
ES512. ECDSA using NIST P512 with SHA-512.
RS256. RSASSA-PKCS1-v1_5 with the SHA-256 hash.
and for HMAC:
HS256. HMAC with SHA-256.
HS384. HMAC with SHA-384.
HS512. HMAC with SHA-512.
In public key signing, we have a key pair to sign the token:
And with HMAC, we share a secret signing key:
Encrypting the payload
A JWT can be encrypted, but this is optional. For public key methods, we can use either RSA and AES or a wrapped AES key. An “alg” method of “RSA1_5” will use 2,048-bit RSA encryption with RSAES-PKCS1-v1_5, “A128KW” will use 128-bit Key Wrapping and “A256KW” uses 256-bit Key Wrapping. With key wrapping, the private key is encrypted with a secret key.
Both the issuer and verifier will know this secret key. For symmetric key methods, we can use “A128CBC-HS256” (AES-CBC) and “A256CBC-HS512” (HMAC SHA-2). It is also possible to use ECDH-ES (Elliptic Curve Static) for key exchange methods.
An example token
An example token is:
eyJhbGciOiJFUzI1NiIsICJraWQiOiJ3WHd6dVEifQ.eyJhdWQiOiJxd2VydHkiLCAiZXhwIjoxNjkwNzU0Nzk0LCAiaXNzIjoiQVNlY3VyaXR5U2l0ZSIsICJqdGkiOiIxMjM0NTYiLCAic3ViIjoiaGVsbG8ifQ.cAXunJHLRrqFfJStJTFlwkUTze6K8EpwOui9abDeiSBcR5WeOEpXCSUQBnS_VdVnLsmVV2AWUX0kOTqIWERcMQ
We then have:
Header: eyJhbGciOiJFUzI1NiIsICJraWQiOiJ3WHd6dVEifQ
Payload: eyJhdWQiOiJxd2VydHkiLCAiZXhwIjoxNjkwNzU0Nzk0LCAiaXNzIjoiQVNlY3VyaXR5U2l0ZSIsICJqdGkiOiIxMjM0NTYiLCAic3ViIjoiaGVsbG8ifQ
Signature: cAXunJHLRrqFfJStJTFlwkUTze6K8EpwOui9abDeiSBcR5WeOEpXCSUQBnS_VdVnLsmVV2AWUX0kOTqIWERcMQ
These are in Base64 format, and we can easily decode the header as:
{"alg":"ES256", "kid":"wXwzuQ"}
and the payload as:
{"aud":"qwerty", "exp":1690754794, "iss":"ASecuritySite", "jti":"123456", "sub":"hello"}
The signature value will be in a byte array format.
Sample code
With Google Tink, we can create a token with the fields using:
expiresAt := time.Now().Add(time.Hour)
subject := "CSN09112"
audience := "Sales"
issurer := "ASecuritySite"
jwtid := "123456"
rawJWT, _ := jwt.NewRawJWT(&jwt.RawJWTOptions{
	Subject:   &subject,
	Audience:  &audience,
	Issuer:    &issurer,
	ExpiresAt: &expiresAt,
	JWTID:     &jwtid,
})
Next we will generate an ECC private key using either NIST P-256, NIST P-384 or NIST P-512.
In the following, we create a private key (priv) which will be used to sign the token:
priv, _ = keyset.NewHandle(jwt.ES256Template())
signer, _ := jwt.NewSigner(priv)
token, _ := signer.SignAndEncode(rawJWT)
We can then create the public key from the private key, and validate the token with this key:
pub, _ := priv.Public()
verifier, _ := jwt.NewVerifier(pub)
The full code is [here]:

package main

import (
	"fmt"
	"os"
	"strconv"
	"time"

	"github.com/google/tink/go/insecurecleartextkeyset"
	"github.com/google/tink/go/jwt"
	"github.com/google/tink/go/keyset"
)

func main() {
	// Default to an ES256 key; the fifth argument can switch to ES384 or ES512.
	priv, _ := keyset.NewHandle(jwt.ES256Template())
	expiresAt := time.Now().Add(time.Hour)
	subject := "CSN09112"
	audience := "Sales"
	issurer := "ASecuritySite"
	jwtid := "123456"
	t := 0
	argCount := len(os.Args[1:])
	if argCount > 0 {
		subject = string(os.Args[1])
	}
	if argCount > 1 {
		audience = string(os.Args[2])
	}
	if argCount > 2 {
		issurer = string(os.Args[3])
	}
	if argCount > 3 {
		jwtid = string(os.Args[4])
	}
	if argCount > 4 {
		t, _ = strconv.Atoi(os.Args[5])
	}
	switch t {
	case 1:
		priv, _ = keyset.NewHandle(jwt.ES256Template())
	case 2:
		priv, _ = keyset.NewHandle(jwt.ES384Template())
	case 3:
		priv, _ = keyset.NewHandle(jwt.ES512Template())
	}
	pub, _ := priv.Public()
	rawJWT, _ := jwt.NewRawJWT(&jwt.RawJWTOptions{
		Subject:   &subject,
		Audience:  &audience,
		Issuer:    &issurer,
		ExpiresAt: &expiresAt,
		JWTID:     &jwtid,
	})
	// Sign with the private keyset, then verify with the derived public keyset.
	signer, _ := jwt.NewSigner(priv)
	token, _ := signer.SignAndEncode(rawJWT)
	verifier, _ := jwt.NewVerifier(pub)
	validator, _ := jwt.NewValidator(&jwt.ValidatorOpts{ExpectedAudience: &audience, ExpectedIssuer: &issurer})
	verifiedJWT, _ := verifier.VerifyAndDecode(token, validator)
	id, _ := verifiedJWT.JWTID()
	sub, _ := verifiedJWT.Subject()
	aud, _ := verifiedJWT.Audiences()
	iss, _ := verifiedJWT.Issuer()
	at, _ := verifiedJWT.IssuedAt()
	ex, _ := verifiedJWT.ExpiresAt()
	fmt.Printf("Public key:\t%s\n", priv)
	fmt.Printf("Public key:\t%s\n\n", pub)
	fmt.Printf("Token:\t%s\n\n", token)
	fmt.Printf("Subject:\t%s\n", sub)
	fmt.Printf("Audience:\t%s\n", aud)
	fmt.Printf("Issuer:\t\t%s\n", iss)
	fmt.Printf("JWT ID:\t\t%s\n", id)
	fmt.Printf("Issued at:\t%s\n", at)
	fmt.Printf("Expire at:\t%s\n", ex)
	fmt.Printf("\n\nAdditional key data\n")
	// insecurecleartextkeyset exports raw key material; only for demonstration output.
	exportedPriv := &keyset.MemReaderWriter{}
	insecurecleartextkeyset.Write(priv, exportedPriv)
	fmt.Printf("Private key: %s\n\n", exportedPriv)
	exportedPub := &keyset.MemReaderWriter{}
	insecurecleartextkeyset.Write(pub, exportedPub)
	fmt.Printf("Public key: %s\n\n", exportedPub)
}

A sample run proves the process [here]:
Public key: primary_key_id:1926408156 key_info:{type_url:"type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey" status:ENABLED key_id:1926408156 output_prefix_type:TINK}
Public key: primary_key_id:1926408156 key_info:{type_url:"type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey" status:ENABLED key_id:1926408156 output_prefix_type:TINK}
Token: eyJhbGciOiJFUzI1NiIsICJraWQiOiJjdEtuM0EifQ.eyJhdWQiOiJxd2VydHkiLCAiZXhwIjoxNjkwNzUxNTI0LCAiaXNzIjoiQVNlY3VyaXR5U2l0ZSIsICJqdGkiOiIxMjM0NTYiLCAic3ViIjoiaGVsbG8ifQ.qfui2u9hBpEgiQQeeWNJtSanyl4rbYkViIZJxVmBvCsP72ovcT20qC35YbQOh7Q8cCqA37Fk8OXWSQ-geg6E-Q
Subject: hello
Audience: [qwerty]
Issuer: ASecuritySite
JWT ID: 123456
Issued at: 0001-01-01 00:00:00 +0000 UTC
Expire at: 2023-07-30 21:12:04 +0000 GMT
Additional key data
Private key: .{primary_key_id:1926408156 key:{key_data:{type_url:"type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey" value:"x12Fx10x01x1a xcdPtIx03)xb0xf7H9'x1ex94txaaax99xf8Úvxcfxd6|x1ax1aV6H!xdax00" xc2Ï¥xfaDx16xb2xfaxd7x00xfexbaxe4xf3xed%x03x9a^x1dx9fx93_xf3x1fxd9Wx90x8aâXx1a pxf7,_}x13xffx84x9cxc6jxdaͯxc7x1b.xb2|x19ØŽxfbxa9jx05xb3NFxc4x7fxcc" key_material_type:ASYMMETRIC_PRIVATE} status:ENABLED key_id:1926408156 output_prefix_type:TINK} .nil.}
Public key: .{primary_key_id:1926408156 key:{key_data:{type_url:"type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey" value:"x10x01x1a xcdPtIx03)xb0xf7H9'x1ex94txaaax99xf8Úvxcfxd6|x1ax1aV6H!xdax00" xc2Ï¥xfaDx16xb2xfaxd7x00xfexbaxe4xf3xed%x03x9a^x1dx9fx93_xf3x1fxd9Wx90x8aâX" key_material_type:ASYMMETRIC_PUBLIC} status:ENABLED key_id:1926408156 output_prefix_type:TINK} .nil.}
Conclusions
There are many risks in using JWTs, especially in capturing a token and playing it back. The expiry date should thus be set so that it limits the impact of any malicious use. Using public key encryption to sign JWTs is a good method, as the authenticity of the token can be proven with the associated public key. With an HMAC method, we need to share a secret key, which could cause a data breach. And, finally, which signature method should you pick? Find out here:
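The JWT rules listed above (Base64URL parts split on “.”, never trust an “alg” of “none”, check exp, nbf and iat, and with HMAC the verifier holds the same secret as the issuer) can all be exercised with the standard library alone. The following is an added example written for this page, not the article's Tink code: it uses HS256 rather than the article's ES256 so that signing and verification both run offline, inspects the article's own example token without trusting it, and shows a verifier that pins the expected algorithm before it even looks at the signature. The HMAC key is a constructed demonstration value.

```python
import base64
import hashlib
import hmac
import json
import time

# The example token from the article above (ES256; only its structure is inspected here).
SAMPLE_TOKEN = (
    "eyJhbGciOiJFUzI1NiIsICJraWQiOiJ3WHd6dVEifQ."
    "eyJhdWQiOiJxd2VydHkiLCAiZXhwIjoxNjkwNzU0Nzk0LCAiaXNzIjoiQVNlY3VyaXR5U2l0ZSIsICJqdGkiOiIxMjM0NTYiLCAic3ViIjoiaGVsbG8ifQ."
    "cAXunJHLRrqFfJStJTFlwkUTze6K8EpwOui9abDeiSBcR5WeOEpXCSUQBnS_VdVnLsmVV2AWUX0kOTqIWERcMQ"
)


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))   # restore stripped padding


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def inspect_token(token):
    """Split a JWT into (header, claims, signature bytes) WITHOUT trusting any of it."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def sign_hs256(claims, key):
    """Issue an HS256 token; the same key verifies it, so the issuer's key must stay secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, key, issuer, audience, now=None, leeway=0):
    """Return (claims, "ok") or (None, reason). Signature is checked before claims are used."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except ValueError:
        return None, "malformed"
    if header.get("alg") != "HS256":        # pin the algorithm: rejects "none" and key confusion
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant-time comparison
        return None, "bad signature"
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if "exp" not in claims or now > claims["exp"] + leeway:    # exp is mandatory here
        return None, "expired or missing exp"
    if now < claims.get("nbf", 0) - leeway:
        return None, "not yet valid"
    if now < claims.get("iat", 0) - leeway:
        return None, "issued in the future"
    return claims, "ok"


if __name__ == "__main__":
    header, claims, sig = inspect_token(SAMPLE_TOKEN)
    print(header, claims["exp"], len(sig))             # ES256 signature is r||s, 64 bytes
    key = b"constructed-demo-key-not-for-production"    # constructed sample key
    tok = sign_hs256({"iss": "ASecuritySite", "aud": "qwerty", "sub": "hello",
                      "iat": int(time.time()), "exp": int(time.time()) + 3600}, key)
    print(verify_hs256(tok, key, "ASecuritySite", "qwerty"))
```

Requiring “exp” and refusing tokens whose header names any algorithm other than the one the verifier was configured for are the two checks that address the replay and “alg”: “none” risks in the list above; a token signed by another issuer, or with a tampered payload, fails the HMAC comparison before any claim is read.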
Tony chats with Ozan Bilgen, CEO at Base64.ai, the fastest growing artificial intelligence startup in New York. They built a cutting-edge AI that understands and extracts data from all types of documents, especially insurance documents!
Ozan Bilgen: https://www.linkedin.com/in/ozanerenbilgen/
Video Version: https://youtu.be/bXAzB8yetC4
Join me as I speak with Ozan Bilgen, CEO of Base64.ai, as we discuss AI's impact in the office space and the no-code revolution. https://youtu.be/8sFdF5hBNQM
In episode #02 of the This Day in AI Podcast we cover the chaos of Bing AI's limited release, including the prompt injection to reveal project "Sydney", DAN prompt injection into Microsoft's Bing AI chatbot, recount Microsoft's Tay ordeal, discuss how our prompts are training AI, and give a simple overview of how GPT-3 and ChatGPT work.
00:00 - Intro, Microsoft Bing AI chaos and memes
01:29 - Will Bing AI become the next Tay?
04:39 - Memes, Prompt DoS to Hack AI, Training ChatGPT
11:09 - Are we training ChatGPT to be evil? Prompt injection attacks
12:32 - Does Bing AI make stuff up? The challenge for AI products
19:04 - The Google Bard and Microsoft Bing AI arms race and is AI ready for prime time?
23:41 - How can we trust AI output? Competitive models? Left, right brain for AI and an AI congress
28:35 - Did Bing AI (Sydney) give AI memories by connecting it to the internet? Is AI Sentient?
36:02 - What could AI do if unleashed on the internet? Is AI thinking?
41:28 - How does GPT3 and ChatGPT work?
49:15 - OpenAI's blog responding to AI censorship, shaping ChatGPT's behavior
52:48 - DAN Prompt in Microsoft Bing AI (Sydney), BASE64 to avoid censorship
56:47 - AI disruption in SaaS: Grammarly ChatGPT & the Jasper UI layer
BOOKS:
- “What Do You Care What Other People Think?” by Richard Feynman
- "Incognito: The secret lives of the brain" by David Eagleman
SOURCES:
- https://www.theverge.com/2016/3/24/11297050/tay-microsoft-chatbot-racist
- https://twitter.com/kevinroose/status/1626216340955758594
- https://www.nytimes.com/2023/02/16/technology/bing-chatbot-microsoft-chatgpt.html
- https://twitter.com/tasty_gigabyte7/status/1620571251344551938
- https://www.reddit.com/r/bing/comments/113ayt5/dan_can_avoid_the_filter
- https://simonwillison.net/2023/Feb/15/bing/
- https://twitter.com/elonmusk/status/1626357251094249472
- https://www.reddit.com/r/ChatGPT/comments/112z2j4/i_built_a_chrome_extension_to_turn_chatgpt_into/
- https://openai.com/blog/how-should-ai-systems-behave/
- https://writings.stephenwolfram.com/2023/02/what-is-chatgpt-doing-and-why-does-it-work/
- https://simonwillison.net/2022/Dec/4/give-me-ideas-for-crimes-to-do/
If you enjoy this podcast please consider telling your friends, subscribing, rating and commenting :).
“Sometimes when people spend too much time in corporate life, they kind of are taught to not think. Don't think just do. And that is really like the opposite of what we want people to think,” Ozan Bilgen says, “We want people to be critical about the process and come up with their solutions as well, if possible.”
Ozan founded Base64.ai, an artificial intelligence service that works as a one-stop-shop for processing any type of document. Before starting his own company, Ozan had been a part of major corporations such as Netflix, PayPal, Uber, and Microsoft after moving from Turkey. During his time at Uber, he came across the issue that Base64.ai now aims to solve.
Base64.ai differs from its competitors in its rate of accuracy when extracting data, having 25% more accuracy than competitors, Ozan says.
In this episode, Carol and Ozan discuss what he's learned from working for major companies. He talks about wanting clients to overuse their services, a strategy he picked up at Netflix. Ozan also walks us through what the “no-code revolution” is and how it will further transform the tech industry.
Learn more about Ozan Bilgen and Base64ai. You can find more information on all our episodes at Vertical Elevation, and you can find Carol on LinkedIn, Twitter, and Instagram.
In this episode, Ozan Bilgen, Co-founder and CEO at base64.ai, talks about technical debt and why you should avoid over-engineering!

Key takeaways:
- Tech debt is a conscious way of saying some things can wait
- Knowingly under-engineer certain parts where you can afford to
- Focusing on the thing that does 99% of the job
- Software is short-lived anyway, so why over-engineer
- Scale and compliance are drivers for revisiting the architecture
- Tech debt is the delta between MVP and V1
- When to decide to throw away your MVP and restart
- The tradeoffs between over- or under-engineering something
- Getting sizing correct takes time (and over-analysis)

About today's guest: Ozan Eren Bilgen is the CEO of Base64.ai, the artificial intelligence solution that can process all types of documents worldwide. Ozan has BSc and MSc degrees in computer science. He previously worked as a software engineer and manager in top tech companies such as Microsoft, Netflix, PayPal, Uber, and Palantir. Some of his notable works include Netflix's credit card payments system, PayPal's online gateway, and Uber's vehicle leasing services. Ozan is a Turkish American who is also an airplane pilot and a scuba diver in his free time.

LinkedIn: https://www.linkedin.com/in/ozanerenbilgen/

Thank you so much for checking out this episode of The Tech Trek, and we would appreciate it if you would take a minute to rate and review us on your favorite podcast player. Want to learn more about us? Head over to https://www.elevano.com
Have questions or want to cover specific topics with our future guests? Please message me at https://www.linkedin.com/in/amirbormand (Amir Bormand)
That's Cool News | A weekly breakdown of positive Science & Tech news.
Notes:

Anthropic's Claude improves on ChatGPT but still suffers from limitations | TechCrunch (01:10)
- A startup co-founded by ex-OpenAI employees called Anthropic has raised over $700 million in funding to date, and has developed an AI system similar to OpenAI's ChatGPT.
- The system is called Claude and is accessible through a Slack integration as part of a closed beta.
- Developed with a technique called constitutional AI. The company explains: this learning is a principle-based approach to aligning AI systems with human intentions, letting AI similar to ChatGPT respond to questions using a simple set of principles as a guide.
- Anthropic started with a list of around ten private principles that formed the constitution in the AI. The company says the principles are grounded in the concepts of beneficence (maximizing positive impact), nonmaleficence (avoiding giving harmful advice) and autonomy (respecting freedom of choice).
- Claude is fed an enormous number of examples of text from the web, and learns how likely words are to occur based on patterns such as the semantic context of surrounding text. Therefore it can hold an open-ended conversation, tell jokes, be philosophical, etc.
- Yann Dubois, a Ph.D. student at Stanford's AI Lab, also did a comparison of Claude and ChatGPT, writing that Claude "generally follows closer [to] what it's asked for" but is "less concise," as it tends to explain what it said and ask how it can further help.
- Claude isn't perfect, however. It's susceptible to some of the same flaws as ChatGPT, including giving answers that aren't in keeping with its programmed constraints. Flaw example: asking the system in Base64, an encoding scheme that represents binary data in ASCII format, bypasses its built-in filters for harmful content.
- Anthropic says that it plans to refine Claude and potentially open the beta to more people down the line.

The first CRISPR gene-edited meat is coming—and this is the CEO making sci-fi a reality | FastCompany (11:09)
- Joshua March is the CEO of SciFi Foods, who are using CRISPR, the gene-editing technology, to hasten its advances.
- According to the Good Food Institute, there are 152 cultivated meat companies as of the end of 2022, operating in 29 countries. SciFi Foods is different because of the fact they are using CRISPR.
- March got into making cultivated meat a reality because of these companies: "I honestly became pretty disenchanted with the companies in the space and all the arm waving about how the costs would be solved."
- For their meat creation they have a simple process that sounds like natural selection: the key is engineering cycles that enable rapid prototyping. The best cell lines will go on to create the next round of modifications.
- Cost parity with traditional meat is every lab-grown meat founder's goal, one that sets a seemingly unattainable target. In 2022 the average price of ground beef was $4.81/lb.
- SciFi is betting that the only way to economically scale cultivated meat is with CRISPR, and that by making iterative tweaks they can create dependable cell lines with rich, meaty flavor. CEO March stated, "We have an eventual target of $1 per burger at commercial scale."
- Once harvested, beef cells will be formulated into a blended burger that is mostly like the plant-based burgers you may already know—soy protein and coconut oil—adding a small percentage of SciFi cells (5% to 20%, according to March) to give "beefy" notes.
- According to the Good Food Institute, $2.6 billion has been invested in these alternative proteins since 2010.

ISS astronauts are building objects not possible on Earth | Popular Science (20:49)
- Aboard the International Space Station (ISS) right now is a metal box, the size of a desktop PC tower. Inside, a nozzle is helping build little test parts that aren't possible to make on Earth, where they fail under Earth's gravity.
- The box is scheduled to spend 45 days aboard the ISS.
- The MIT group behind this process explains it'll be the "first results for a really novel process in microgravity."
- It involves taking a flexible silicone skin, shaped like the part it will eventually create, and filling it with a liquid resin, like how you fill a balloon with air, but with resin.
- The resin is sensitive to ultraviolet light. Once UV light reaches the resin it'll cure and stiffen, hardening into a solid structure. Remove the skin and you have your part.
- If everything is successful, the ISS will ship some experimental parts back to Earth for the MIT researchers to test, ensuring that the parts they've made are structurally sound.
- The benefit of building parts like this in orbit is that Earth's single most fundamental stressor—the planet's gravity—is no longer a limiting factor. If the experiment is successful, you would be able to produce test parts that are too long to make on Earth.
- Long-term thinking: if astronauts can make very long parts in space, those pieces could speed up large construction projects, such as the structures of space habitats, or be used to form the structural frames for solar panels or radiators.
- Another benefit: if you can make stuff in space, there are fewer things you need to pack into your rocket. Every pound of cargo can still cost over $1,000 to put into space.
- Ultimately the MIT group wants to "make this manufacturing process available and accessible to other researchers."

3D printing reaches new heights with two-story home | Nasdaq (25:39)
- A 3D printer weighing more than 12 tons is creating what is believed to be the first 3D-printed, two-story home in the United States, producing layers of concrete to build the 4,000-square-foot home in Houston.
- Construction will take a total of 330 hours of printing.
- The project is a two-year collaboration by Hannah, Peri 3D Construction and Cive, a construction engineering company.
- Hikmat Zerbe, Cive's head of structural engineering, hopes the innovative technique can one day help more quickly and cheaply build multi-family homes. Zerbe on what is new for the construction industry: "Traditional construction, you know the rules, you know the game, you know the material properties, the material behavior. In here, everything is new … The material is new, although concrete is an old material in general, but 3D printing concrete is something new."
- Since the printer does all the heavy lifting, fewer workers are needed at the construction site.

Gut Bacteria Affect Brain Health | Neuroscience News (31:39)
- A growing pile of evidence indicates that the tens of trillions of microbes that normally live in our gut microbiome have far-reaching effects on how our bodies function: they produce vitamins, help digest food, prevent the overgrowth of harmful bacteria and regulate the immune system.
- According to researchers from Washington University School of Medicine in St. Louis, findings from a new study suggest that the gut microbiome also plays a key role in the health of our brains.
- To determine whether the gut microbiome may be playing a causal role, the researchers altered the gut microbiomes of mice. The mice were genetically modified to be more likely to develop Alzheimer's-like brain damage and cognitive impairment.
- The mice were given a course of antibiotics at 2 weeks of age, permanently changing the composition of bacteria in their microbiomes. For male mice, it reduced the amount of brain damage evident at 40 weeks of age. There was no significant effect on neurodegeneration in female mice.
- From other studies we know that male and female brains respond differently to different stimuli, for instance visual stimuli. The composition of our brains is different as well.
- Further experiments linked three specific short-chain fatty acids — compounds produced by certain types of gut bacteria as products of their metabolism — to neurodegeneration. These were scarce in mice with gut microbiomes altered by antibiotic treatment. They appeared to trigger neurodegeneration by activating immune cells in the bloodstream, which in turn activated immune cells in the brain to damage brain tissue.
- The findings suggest a new approach to preventing and treating neurodegenerative diseases by modifying the gut microbiome with antibiotics, probiotics, specialized diets or other means.
About Benjamin

Benjamin Anderson is CTO, Cloud at EDB, where he is responsible for developing and driving strategy for the company's Postgres-based cloud offerings. Ben brings over ten years' experience building and running distributed database systems in the cloud for multiple startups and large enterprises. Prior to EDB, he served as chief architect of IBM's Cloud Databases organization, built an SRE practice at database startup Cloudant, and founded a Y Combinator-funded hardware startup.

Links Referenced:
EDB: https://www.enterprisedb.com/
BigAnimal: biganimal.com

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

I come bearing ill tidings. Developers are responsible for more than ever these days. Not just the code that they write, but also the containers and the cloud infrastructure that their apps run on. Because serverless means it's still somebody's problem. And a big part of that responsibility is app security from code to cloud. And that's where our friend Snyk comes in. Snyk is a frictionless security platform that meets developers where they are - finding and fixing vulnerabilities right from the CLI, IDEs, repos, and pipelines. Snyk integrates seamlessly with AWS offerings like CodePipeline, EKS, ECR, and more! As well as things you're actually likely to be using. Deploy on AWS, secure with Snyk. Learn more at Snyk.co/scream. That's S-N-Y-K.co/scream

Corey: This episode is sponsored by our friends at Fortinet.
Fortinet's partnership with AWS is a better-together combination that ensures your workloads on AWS are protected by best-in-class security solutions powered by comprehensive threat intelligence and more than 20 years of cybersecurity experience. Integrations with key AWS services simplify security management, ensure full visibility across environments, and provide broad protection across your workloads and applications. Visit them at AWS re:Inforce to see the latest trends in cybersecurity on July 25-26 at the Boston Convention Center. Just go over to the Fortinet booth and tell them Corey Quinn sent you and watch for the flinch. My thanks again to my friends at Fortinet.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted guest episode is brought to us by our friends at EDB. And not only do they bring us this promoted episode, they bring me their CTO for Cloud, Benjamin Anderson. Benjamin, thank you so much for agreeing to suffer the slings and arrows that I will no doubt throw at you in a professional context, because EDB is a database company, and I suck at those things.

Benjamin: [laugh]. Thanks, Corey. Nice to be here.

Corey: Of course. So, databases are an interesting and varied space. I think we can all agree—or agree to disagree—that the best database is, of course, Route 53, when you misuse TXT records as a database. Everything else is generally vying for number two. EDB was—back in the days that I was your customer—was EnterpriseDB, now rebranded as EDB, which is way faster to say, and I approve of that.

But you were always the escalation point of last resort. When you're stuck with a really weird and interesting Postgres problem, EDB was where you went because if you folks couldn't solve the problem, it was likely not going to get solved. I always contextualized you folks as a consulting shop. That's not really what you do. You are the CTO for Cloud.

And, ah, interesting. Do databases behave differently in cloud environments?
Well, they do when you host them as a managed service, which is an area you folks have somewhat recently branched into. How'd you get there?

Benjamin: Ah, that's interesting. So, there's a bunch of stuff to unpack there. I think EDB has been around for a long time. It's something like 13, 14, 15 years, something like that, and really it's just been kind of slowly growing, right? We did start very much as a product company. We built some technology to help customers get from Oracle database on to Postgres, way back in 2007, 2008.

That business has just slowly been growing. It's been going quite well. Frankly, I only joined about 18 months ago, and it's really cool tech, right? We natively understand some things that Oracle is doing. Customers don't have to change their schemas to migrate from Oracle to Postgres. There's some cool technology in there.

But as you point out, I think a lot of our position in the market has not been that product focused. There's been a lot of people seeing us as the Postgres experts, and as people who can solve Postgres problems, in general. We have, for a long time, employed a lot of really sharp Postgres people. We still employ a lot of really sharp Postgres people. That's very much, in a lot of ways, our bread and butter. That we're going to fix Postgres problems as they come up.

Now, over the past few years, we've definitely tried to shift quite a bit into being more of a product company. We've brought on a bunch of people who've been doing more enterprise software product type development over the past few years, and really focusing ourselves more and more on building products and investing in ourselves as a product company. We're not a services company. We're not a consulting company. We do, I think, provide the best Postgres support in the market. But it's been a journey. The cloud has been a significant part of that as well, right? You can't get away.

Corey: Oh, yeah.
These days, when someone's spinning up a new workload, it's unlikely—in most cases—they're going to wind up spinning up a new data center, if they don't already have one. Yes, there's still a whole bunch of on-prem workloads. But increasingly, the default has become cloud. Instead of, "Why cloud?" The question's become, "Why not?"

Benjamin: Right, exactly. Then, as people are more and more accepting of managed services, you have to be a product company. You have to be building products in order to support your database customers because what they want is managed services. I was working in managed databases and services, something like, ten years ago, and it was like pulling teeth. This is after RDS launched. This was still pulling teeth trying to get people to think about, oh, I'm going to let you run my database. Whereas, now obviously, it's just completely different. We have to build great products in order to succeed in the database business, in general.

Corey: One thing that jumped out at me when you first announced this was the URL is enterprisedb.com. That doesn't exactly speak to, you know, non-large companies, and EDB is what you do. You have a very corporate logo, but your managed service is called BigAnimal, which I absolutely love. It actually expresses a sense of whimsy and personality that I can no doubt guess that a whole bunch of people argued against, but BigAnimal, it is. It won through. I love that. Was that as contentious as I'm painting it to be, or do people actually have a sense of humor sometimes?

Benjamin: [laugh]. Both, it was extremely contentious. I, frankly, was one of the people who was not in favor of it at first. I was in favor of something that was whimsical, but maybe not quite that whimsical.

Corey: Well, I call it Postgres-squeal, so let's be very clear here that we're probably not going to see eye-to-eye on most anything in pronunciation things.
But we can set those differences aside and have a conversation.

Benjamin: Absolutely, no, consider that. It was deliberate, though, to try to step away a little bit from the blue-suit-and-tie, enterprise, DB-type branding. Obviously, a lot of our customers are big enterprises. We're good at that. We're not trying to be the hip, young startup targeting business in a lot of ways. We have a wide range of customers, but we want to branch out a little bit.

Corey: One of the challenges right now is if I spin up an environment inside of AWS, as one does, and I decide I certainly don't want to take the traditional approach of running a database on top of an EC2 instance—the way that we did in the olden days—because RDS was crappy. Now that it's slightly less crappy, that becomes a not ideal path. I start looking at their managed database offerings, and there are something like 15 distinct managed databases that they offer, and they never turn anything off. And they continue to launch things into the far future. And it really feels, on some level, like 20 years from now—what we call a DBA today—their primary role is going to look a lot more like helping a company figure out which of Amazon's 40 managed databases is the appropriate fit for this given workload. Yet, when I look around at what the industry has done, it seems that when we're talking about relational databases, Postgres has emerged. Back when I was, more or less, abusing servers in person in my data center days, it was always MySQL. These days, Postgres is the de facto standard, full stop. I admit that I was mostly keeping my aura away from any data that was irreplaceable at that time. What happened? What did I miss?

Benjamin: It's a really good question. And I certainly am not a hundred percent on all the trends that went on there. I know there's a lot of folks that are not happy about the MySQL acquisition by Oracle. I think there's a lot of energy that was adopted by the NoSQL movement, as well.
You have people who didn't really care about transactional semantics that were using MySQL because they needed a place to store their data. And then, things like MongoDB and that type of system come along where it's significantly easier than MySQL, and that subset of the population just sort of drifts away from MySQL.

Corey: And in turn, those NoSQL projects eventually turn into something where, okay, now we're trying to build a banking system on top of it, and it's, you know, I guess you can use a torque wrench as a hammer if you're really creative about it, but it seems like there's a better approach.

Benjamin: Yeah, exactly. And those folks are coming back around to the relational databases, exactly. At the same time, the advancements in Postgres from the early eight series to today are significant, right? We shouldn't underestimate how much Postgres has really moved forward. It wasn't that long ago that replication was hardly a thing in Postgres, right? It's been a journey.

Corey: One thing that your website talks about is that you accelerate your open-source database transformation. And this is a bit of a hobby horse I get on from time to time. I think that there are a lot of misunderstandings when people talk about this. You have the open-source purists—of which I shamefully admit I used to be one—saying that, "Oh, it's about the idea of purity and open and free as in software." Great. Okay, awesome. But what I find that corporate customers are talking about when they say open-source database, they don't particularly care if they have access to the source code because they're not going to go in and patch a database engine, we hope. But what they do care about is regardless of where they are today—even if they're perfectly happy there—they don't want to wind up beholden to a commercial database provider, and/or they don't want to wind up beholden to the environment that it is running within.
There's a strategic exodus that's available in theory, which on some level serves to make people feel better about not actually exodus-ing, but it also means if they're doing a migration at some point, they don't also have to completely redo their entire data plan.

Benjamin: Yeah, I think that's a really good point. I mean, I like to talk—there's a big rat's nest of questions and problems in here—but I generally like to talk about open APIs, talk about standards, talk about how much is going to have to change if you eliminate this vendor. We're definitely not open-source purists. Well, we employ a lot of open-source purists. I also used to be an open—

Corey: Don't let them hear you say that, then. Fair enough. Fair enough.

Benjamin: [laugh] we have proprietary software at EDB, as well. There's a kind of wide range of businesses that we participate in. Glad to hear you also mention this where-it's-hosted angle, as well. I think there's some degree to which people are—they figured out that having at least open APIs or an open-source-ish database is a good idea rather than being beholden to a proprietary database. But then, immediately forget that when they're picking a cloud vendor, right? And realizing that putting their data in Cloud Vendor A versus Cloud Vendor B is also putting them in a similar difficult situation. They need to be really wary of when they're doing that. Now, obviously, I work at an independent software company, and I have some incentive to say this, but I do think it's true. And you know, there's meaningful data gravity risk.

Corey: I assure you, I have no incentive. I don't care what cloud provider you're on. My guidance has been, for years, to—as a general rule—pick a provider, I don't care which one, and go all in until there's a significant reason to switch. Trying to build in optionality, "Oh, everything we do should be fully portable at an instant's notice." Great.
Unless you're actually doing it, you're more or less giving up a whole bunch of shortcuts and feature velocity you could otherwise have, in the hopes that one day you'll do a thing, but all the assumptions you're surrounded by baked themselves in regardless. So, you're more or less just creating extra work for yourself for no defined benefit. This is not popular in some circles, where people try to sell something that requires someone to go multi-cloud, but here we are.

Benjamin: No, I think you're right. I think people underestimate the degree to which the abstractions are just not very good, right, and the degree to which those cloud-specific details are going to leak in if you're going to try to get anything done, you end up in kind of a difficult place. What I see more frequently is situations where we have a big enterprise—not even big, even medium-sized companies where maybe they've done an acquisition or two, they've got business units that are trying to do things on their own. And they end up in two or three clouds, sort of by happenstance. It's not like they're trying to do replication live between two clouds, but they've got one business unit in AWS and one business unit in Azure, and somebody in the corporate—say enterprise architect or something like that—really would like to make things consistent between the two so they get a consistent security posture and things like that. So, there are situations where the multi-cloud is a reality at a certain level, but maybe not at a concrete technical level. But I think it's still really useful for a lot of customers.

Corey: You position your cloud offering in two different ways. One of them is the idea of BigAnimal, and the other—well, it sort of harkens back to when I was in sixth grade going through the American public school system. They had a cop come in and talk to us and paint this imaginary story of people trying to push drugs. "Hey, kid.
You want to try some of this?" And I'm reading this and it says EDB, Postgres for Kubernetes. And I'm sent back there, where it's like, "Hey, kid. You want to run your stateful databases on top of Kubernetes?" And my default answer to that is good lord, no. What am I missing?

Benjamin: That's a good question. Kubernetes has come a long way—I think that is part of that.

Corey: Oh, truly. I used to think of containers as a pure story for stateless things. And then, of course, I put state into them, and then, everything exploded everywhere because it turns out, I'm bad at computers. Great. And it has come a long way. I have been tracking a lot of that. But it still feels like the idea being that you'd want to have your database endpoints somewhere a lot less, I guess I'll call it fickle, if that makes sense.

Benjamin: It's an interesting problem because we are seeing a lot of people who are interested in our Kubernetes-based products. It's actually based on—we recently open-sourced the core of it under a project called cloud-native PG. It's a cool piece of technology. If you think about sort of a two by two. In one corner, you've got self-managed on-premise databases. So, you're very, very slow-moving, big-iron type, old-school database deployments. And on the opposite corner, you've got fully-managed, in the cloud, BigAnimal, Amazon RDS, that type of thing. There's a place on that map where you've got customers that want a self-service type experience. Whether that's for production, or maybe it's even for dev tests, something like that. But you don't want to be giving the management capability off to a third party.

For folks that want that type of experience, trying to build that themselves by, like, wiring up EC2 instances, or doing something in their own data center with VMware, or something like that, can be extremely difficult. Whereas if you go to a Kubernetes-based product, you can get that type of self-service experience really easily, right?
And customers can get a lot more flexibility out of how they run their databases and operate their databases. And what sort of control they give to, say, application developers who want to spin up a new database for a test or for some sort of small microservice, that type of thing. Those types of workloads tend to work really well with this first-party Kubernetes-based offering. I've been doing databases on Kubernetes in managed services for a long time as well. And I don't, frankly, have any concerns about doing it. There are definitely some sharp edges. And if you want to do it at scale, you need to really know what you're doing with Kubernetes because the naive thing will shoot you in the foot.

Corey: Oh, yes. So, some of it feels almost like people want to cosplay working for Google, but they don't want to pass the technical interview along the way. It's a bit of a weird moment for it.

Benjamin: Yeah, I would agree.

Corey: I have to go back to my own experiences with using RDS back at my last real job before I went down this path. We were migrating from EC2-Classic to VPC. So, you could imagine what dates me reasonably effectively. And the big problem was the database. And the joy that we had was, "Okay, we have to quiesce the application." So, the database is now quiet, stop writes, take a snapshot, restore that snapshot into the environment. And whenever we talked to AWS folks, it's like, "So, how long is this going to take?" And the answer was, "Guess." And that was not exactly reassuring. It went off without a hitch because every migration has one problem. We were sideswiped in an Uber on the way home. But that's neither here nor there. This was two o'clock in the morning, and we finished in half the maintenance time we had allotted. But it was the fact that, well, guess we're going to have to take the database down for many hours with no real visibility, and we hope it'll be up by morning. That wasn't great.
But that was the big one going on; on an ongoing basis, there were maintenance windows with a database. We just stopped databasing for a period of time during a fairly broad maintenance window. And that led to a whole lot of unfortunate associations in my mind with using relational databases for an awful lot of stuff. How do you handle maintenance windows and upgrading and not tearing down someone's application? Because I have to assume, "Oh, we just never patch anything. It turns out that's way easier," is in fact, the wrong answer.

Benjamin: Yeah, definitely. As you point out, there's a bunch of fundamental limitations here, if we start to talk about how Postgres actually fits together, right? Pretty much everybody in RDS is a little bit weird. The older RDS offerings are a little bit weird in terms of how they do replication. But most folks are using Postgres streaming replication to do high availability Postgres in managed services. And honestly, of course—

Corey: That winds up failing over, or the application's aware of both endpoints and switches to the other one?

Benjamin: Yeah—

Corey: Sort of a database pooling connection or some sort of proxy?

Benjamin: Right. There's a bunch of subtleties that get in their way. You say, well, did the [vit 00:16:16] failover too early, did the application try to connect and start making requests before the secondary's available? That sort of thing.

Corey: Or you misconfigure it and point to the secondary, suddenly, when there's a switchover of some database, suddenly, nothing can write, it can only read, then you cause a massive outage on the weekend?

Benjamin: Yeah. Yeah.

Corey: That may have been an actual story I made up.

Benjamin: [laugh] yeah, you should use a managed service.

Corey: Yeah.

Benjamin: So, it's complicated, but even with managed services, you end up in situations where you have downtime, you have maintenance windows.
And with Postgres, especially—and other databases as well—especially with Postgres, one of the biggest concerns you have is major version upgrades, right? So, if I want to go from Postgres 12 to 13, 13 to 14, I can't do that live. I can't have a single cluster that is streaming one Postgres version to another Postgres version, right?

So, every year—people want to put things off for two years, three years sometimes—which is obviously not to their benefit—you have this maintenance, you have some sort of downtime, where you perform a Postgres upgrade. At EDB, we've got—so this is a big problem, this is a problem for us. We're involved in the Postgres community. We know this is challenging. That's just a well-known thing. Some of the folks that are working at EDB are folks who worked on the Postgres logical replication tech, which arrived in Postgres 10. Logical replication is really a nice tool for doing things like change data capture, you can do wal2json, all these types of things are based on logical replication tech.

It's not really a thing, at least, the code that's in Postgres itself doesn't really support high availability, though. It's not really something that you can use to build a leader-follower type cluster on top of. We have some tech, some proprietary tech within EDB that used to be called bi-directional replication. There used to be an open-source project called bi-directional replication. This is a kind of a descendant of that. It's now called Postgres Distributed, or EDB Postgres Distributed is the product name. And that tech actually allows us—because it's based on logical replication—allows us to do multiple major versions at the same time, right? So, we can upgrade one node in a cluster to Postgres 14, while the other nodes in the cluster are at Postgres 13. We can then upgrade the next node.
We can support these types of operations in a kind of wide range of maintenance operations without taking a cluster down for maintenance. So, there's a lot of interesting opportunities here when we start to say, well, let's step back from what your typical assumptions are for Postgres streaming replication. Give ourselves a little bit more freedom by using logical replication instead of physical streaming replication. And then, what type of services, and what type of patterns can we build on top of that, that ultimately help customers build, whether it's faster databases, more highly available databases, so on and so forth.
Corey: Let's face it, on-call firefighting at 2am is stressful! So there's good news and there's bad news. The bad news is that you probably can't prevent incidents from happening, but the good news is that incident.io makes incidents less stressful and a lot more valuable. incident.io is a Slack-native incident management platform that allows you to automate incident processes, focus on fixing the issues and learn from incident insights to improve site reliability and fix your vulnerabilities. Try incident.io, recover faster and sleep more.
Corey: One approach that I took for, I guess you could call it backup sort of, was intentionally staggering replication between the primary and the replica about 15 minutes or so. So, if I drop a production table or something like that, I have 15 short minutes to realize what has happened and sever the replication before it is now committed to the replica and now I'm living in hell. It felt like this was not, like, option A, B, or C, or the right way to do things. But given that meeting customers where they are is important, is that the sort of thing that you support with BigAnimal, or do you try to talk customers into not being ridiculous?
Benjamin: That's not something we support now. It's not actually something that I hear that many asks for these days.
It's kind of interesting, that's a pattern that I've run into a lot in the past.
Corey: I was an ancient, grumpy sysadmin. Again, I'm dating myself here. These days, I just store everything in DNS text records, and it's way easier. But I digress.
Benjamin: [laugh] yeah, it's something that we see a lot for and we had support for a point-in-time restore, like pretty much anybody else in the business at this point. And that's usually the, “I fat-fingered something,” type response. Honestly, I think there's room to be a bit more flexible and room to do some more interesting things. I think RDS is setting a bar and a lot of database services out there are kind of just meeting that bar. And we all kind of need to be pushing a little bit more into more interesting spaces and figuring out how to get customers more value, get customers to get more out of their money for the database, honestly.
Corey: One of the problems we tend to see, in the database ecosystem at large, without naming names or companies or anything like that, is that it's a pretty thin and blurry line between database advocate, database evangelist, and database zealot. Where it feels like instead, we're arguing about religion more than actual technical constraints and concerns. So, here's a fun question that hopefully isn't too much of a gotcha. But what sort of workloads would you actively advise someone not to use BigAnimal for in the database world? But yes, again, if you try to run a DNS server, it's probably not fit for purpose without at least a shim in the way there. But what sort of workloads are you not targeting that a customer is likely to have a relatively unfortunate time with?
Benjamin: Large-scale analytical workloads is the easy answer to that, right? If you've got a problem where you're choosing between Postgres and Snowflake, you're seriously considering—you actually have as much data that you'd seriously be considering Snowflake? You probably don't want to be using Postgres, right?
You want to be using something that's columnar, or you want to be using a query planner that really understands a columnar layout that's going to get you the sorts of performance that you need for those analytical workloads. We don't try to touch that space.
Corey: Yeah, we're doing some of that right now with just the sheer volume of client AWS bills we have. We don't really need a relational model for a lot of it. And Athena has basically fallen down on the job in some cases, and, “Oh, do you want to use Redshift, that's basically Postgres.” It's like, “Yeah, it's Postgres, if it decided to run on bars of gold.” No, thank you. It just becomes this ridiculously overwrought solution for what feels like it should be a lot simpler. So, it's weird, six months ago or so I wouldn't have had much of an idea what you're talking about. I see it a lot better now. Generally, by virtue of trying to do something the precise wrong way that someone should.
Benjamin: Right. Yeah, exactly. I think there's interesting room for Postgres to expand here. It's not something that we're actively working on. I'm not aware of a lot happening in the community, but Postgres is, for better or worse, extremely extensible, right? And if you see the JSON support in Postgres, it didn't exist, I don't know, five, six years ago. And now it's incredibly powerful. It's incredibly flexible. And you can do a lot of quote-unquote, schemaless stuff straight in Postgres. Or you look at PostGIS, right, for doing GIS geographical data, right? That's really a fantastic integration directly in the database.
Corey: Yeah, before that people start doing ridiculous things that almost look similar to a graph database or a columnar store somehow, and yeah.
Benjamin: Yeah, exactly. I think sometimes somebody will do a good column store that's open-source, deeply integrated into Postgres, rather than—
Corey: I've seen someone build one on top of an S3 bucket that had, a quarter of a trillion objects in it.
Professional advice, don't do that.
Benjamin: [laugh]. Unless you're Snowflake. So, I mean, it's something that I'd like to see Postgres expand into. I think that's an interesting space, but not something that, at least especially for BigAnimal, and frankly, for a lot of EDB customers. It's not something we're trying to push people toward.
Corey: One thing that I think we are seeing a schism around is the idea that some vendors are on one side of it, some are on the other, where on the one side, you have, oh, every workload should have a bespoke, purpose-built database that is exactly for this type of workload. And the other school of thought is you should generally use a general-purpose database until you have a workload that is scaled and significant to a point where running that on its own purpose-built database begins to make sense. I don't necessarily think that is a binary choice, where do you tend to fall on that spectrum?
Benjamin: I think everybody should use Postgres. And I say that not just because I work in a Postgres company.
Corey: Well, let's be clear. Before this, you were at IBM for five years working on a whole bunch of database stuff over there, not just Postgres. And you, so far, have not struck me as the kind of person who's like, “Oh, so what's your favorite database?” “The one that pays me.” We've met people like that, let's be very clear. But you seem very even-handed in those conversations.
Benjamin: Yeah, I got my start in databases, actually, with Apache CouchDB. I am a committer on CouchDB. I worked on a managed CouchDB service ten years ago. At IBM, I worked on something like nine different open-source databases and managed services. But I love having conversations about, like, well, I've got this workload, should I use Postgres, or should I use Mongo, should I use Cassandra, all of those types of discussions.
Frankly, though, I think in a lot of cases people are—they don't understand how much power they're missing out on if they don't choose a relational database. If they don't understand the relational model well enough to understand that they really actually want that. In a lot of cases, people are also just over-optimizing too early, right? It's just going to be much faster for them to get off the ground, get product in customers' hands, if they start with something that they don't have to think twice about. And they don't end up with this architecture with 45 different databases, and there's only one guy in the company that knows how to manage the whole thing.
Corey: Oh, the same story of picking a cloud provider. It's, “Okay, you hire a team, you're going to build a thing. Which cloud provider do you pick?” Every cloud provider has a whole matrix and sales deck, and the rest. The right answer, of course, is the one your team's already familiar with because learning a new cloud provider while trying not to run out of money at your startup, can't really doesn't work super well.
Benjamin: Exactly. Yeah.
Corey: One thing that I think has been sort of interesting, and when I saw it, it was one of those, “Oh, I sort of like them.” Because I had that instinctive reaction and I don't think I'm alone in this. As of this recording a couple of weeks ago, you folks received a sizable investment from private equity. And the default reaction to that is, “Oh, well, I guess I put a fork in the company, they're done.” Because the narrative is that once private equity takes an investment, well, that company's best days are probably not in front of it. Now, the counterpoint is that this is not the first time private equity has invested in EDB, and you folks from what I can tell are significantly better than you were when I was your customer a decade ago. So clearly, there is something wrong with that mental model. What am I missing?
Benjamin: Yeah. Frankly, I don't know.
I'm no expert in funding models and all of those sorts of things. I will say that my experience has been what I've seen at EDB, has definitely been that maybe there's private equity, and then there's private equity. We're in this to build better products and become a better product company. We were previously owned by a private equity firm for the past four years or so. And during the course of those four years, we brought on a bunch of folks who were very product-focused, new leadership. We made a significant acquisition of a company called 2ndQuadrant, which employed a lot of the best European Postgres people. Now, they're part of EDB and most of them have stayed with us. And we built the managed cloud service, right? So, this is a pretty significant—private equity company buying us to invest in the company. I'm optimistic that that's what we're looking at going forward.
Corey: I want to be clear as well, I'm not worried about what I normally would be in a private equity story about this, where they're there to save money and cut costs, and, “Do we really need all these database replicas floating around,” and, “These backups, seems like that's something we don't need.” You have, at last count, 32 Postgres contributors, 7 Postgres committers, and 3 core members. All of whom would run away screaming loudly and publicly, in the event that such a thing were taking place. Of all the challenges and concerns I might have about someone running a cloud service in the modern day, I do not have any fear that you folks are not doing what will very clearly be shown to be the right thing by your customers for the technology that you're building on top of. That is not a concern. There are companies I do not have that confidence in, to be clear.
Benjamin: Yeah, I'm glad to hear that. I'm a hundred percent on board as well.
I work here, but I think we're doing the right thing, and we're going to be doing great stuff going forward.
Corey: One last topic I do want to get into a little bit is, on some level, launching in this decade, a cloud-hosted database offering at a time when Amazon—whose product strategy of yes is in full display—it seems like something ridiculous, that is not necessarily well thought out that why would you ever try to do this? Now, I will temper that by the fact that you are clearly succeeding in this direction. You have customers who say nice things about you, and the reviews have been almost universally positive anywhere I can see things. The negative ones are largely complaining about databases, which I admit might be coming from me.
Benjamin: Right, it is a crowded space. There's a lot of things happening. Obviously, Amazon, Microsoft, Google are doing great things, both—
Corey: Terrible things, but great, yes. Yes.
Benjamin: [laugh] right, there's good products coming in. I think AlloyDB is not necessarily a great product. I haven't used it myself yet, but it's an interesting step in the direction. I'm excited to see development happening. But at the end of the day, we're a database company. Our focus is on building great databases and supporting great databases. We're not entering this business to try to take on Amazon from an infrastructure point of view. In fact, the way that we're structuring the product is really to try to get the strengths of both worlds. We want to give customers the ability to get the most out of the AWS or Azure infrastructure that they can, but come to us for their database.
Frankly, we know Postgres better than anybody else. We have a greater ability to get bugs fixed in Postgres than anybody else. We've got folks working on the database in the open. We've got folks working on the database proprietary for us. So, we give customers things like break/fix support on that database.
If there is a bug in Postgres, there's a bug in the tech that sits around Postgres. Because obviously, Postgres is not a batteries-included system, really. We're going to fix that for you. That's part of the contract that we're giving to our customers. And I know a lot of smaller companies maybe haven't been burned by this sort of thing very much. We start to talk about enterprise customers and medium, larger-scale customers, this starts to get really valuable. The ability to have assurance on top of your open-source product. So, I think there's a lot of interesting things there, a lot of value that we can provide there.
I think also that I talked a little bit about this earlier, but like the box, this sort of RDS-shaped box, I think is a bit too small. There's an opportunity for smaller players to come in and try to push the boundaries of that. For example, giving customers more support by default to do a good job using their database. We have folks on board that can help consult with customers to say, “No, you shouldn't be designing your schemas that way. You should be designing your schemas this way. You should be using indexes here,” that sort of stuff. That's been part of our business for a long time. Now, with a managed service, we can bake that right into the managed service. And that gives us the ability to kind of make that—you talk about shared responsibility between the service writer and the customer—we can change the boundaries of that shared responsibility a little bit, so that customers can get more value out of the managed database service than they might expect otherwise.
Corey: There aren't these harsh separations and clearly defined lines across which nothing shall pass, when it makes sense to do that in a controlled responsible way.
Benjamin: Right, exactly.
Some of that is because we're a database company, and some of that is because, frankly, we're much smaller.
Corey: I'll take it a step further beyond that, as well, that I have seen this pattern evolve a number of times where you have a customer running databases on EC2, and their AWS account manager suggests move to RDS. So, they do. Then, move to Aurora. So, they do. Then, move this to DynamoDB. At which point, it's like, what do you think your job is here, exactly? Because it seems like every time we move databases, you show up in a nicer car. So, what exactly is the story here, and what are the incentives? Where it just feels like there is a, “Whatever you're doing is not the way that it should be done. So, it's time to do, yet, another migration.”
There's something to be said for companies who are focused around a specific aspect of things. Then once that is up and working and running, great. Keep on going. This is fine. As opposed to trying to chase the latest shiny, on some level. I have a big sense of, I guess, affinity for companies that wind up knowing where they start, and most notably, where they stop.
Benjamin: Yeah, I think that's a really good point. I don't think that we will be building an application platform anytime soon.
Corey: “We're going to run Lambda functions on top of a database.” It's like, “Congratulations. That is the weirdest stored procedure I can imagine this week, but I'm sure we can come up with a worse one soon.”
Benjamin: Exactly.
Corey: I really want to thank you for taking the time to speak with me so much about how you're thinking about this, and what you've been building over there. If people want to learn more, where's the best place to go to find you?
Benjamin: biganimal.com.
Corey: Excellent. We will throw a link to that in the show notes and it only just occurred to me that the Postgres mascot is an elephant, and now I understand why it's called BigAnimal. Yeah, that's right.
He who laughs last, thinks slowest, and today, that's me. I really want to thank you for being so generous with your time. I appreciate it.
Benjamin: Thank you. I really appreciate it.
Corey: Benjamin Anderson, CTO for Cloud at EDB. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment that you then wind up stuffing into a SQLite database, converting to Base64, and somehow stuffing into the comment field.
Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Announcer: This has been a HumblePod production. Stay humble.
Ever wonder how to securely do API calls through a script on a user's computer, without compromising the API credentials? Spoiler alert: Using Parameters, Base64, and Encryption is not enough. Let's think WAY outside the box. Like, what if our Jamf Policy scripts don't even make their API calls within the Macs themselves? --------------------------------- Launchpad Podcast is hosted by Rocketman Tech where we discuss recent news, updates and happenings in the Jamf and Apple world. Always relevant and always casual, we'll have a Keynote speaker, discuss current LaunchPad events, and invite group discussion, questions and topic requests throughout the ~1 hour meeting.
Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: AI Training Should Allow Opt-Out, published by alyssavance on June 23, 2022 on LessWrong. Last year, GitHub announced their Copilot system, an AI assistant for developers based on OpenAI's Codex model, as a free closed beta. Yesterday, they added that Copilot would now be available to everyone, but at a cost of $10 per month per user. Copilot is trained on all public GitHub repos, regardless of copyright, and various other data scraped from the Web (similar to Eleuther's Pile). Hence, GitHub is effectively using the work others made - for personal or non-commercial use, without having GitHub in mind, and without any way to say 'no' - to sell a product back to them, for their own profit. Many people are mad about this. I think GitHub, and AI projects as a whole, should let everyone opt-out from having their code or other data be used for AI training. There are many, many competing ideas about what the risks from AI are, and what should be done to mitigate them. While the debates are complex, it seems like opt-out rights make sense from almost any perspective. Here are some arguments: Argument from Simplicity Mechanically, an opt-out would be very easy to implement in software. One could essentially just put a line saying: (or the C++, Lua, etc. equivalent) into HuggingFace and other big AI frameworks. 'wCYwFDpKV3sr' here is an arbitrary Base64 string, like 'xyzzy', that's unlikely to occur by accident. Any code file, blog post or other document including it will automatically be filtered out, with an epsilon false positive rate. Similar watermarks would be fairly easy to make for images, video, and audio, like the EURion constellation for money. Google, Facebook, Microsoft, etc. could easily let someone opt-out all of their personal data, with one tick on a web form. 
Argument from Competitiveness An AI alignment "tax" is the idea that we expect AIs aligned with human needs to be slower or less capable than non-aligned AIs, since alignment adds complexity and takes time, just as it's easier to build bridges that fall down than reliable bridges. Depending on the particular idea, an alignment tax might vary from small to huge (an exponential or worse slowdown). Without strong global coordination around AI, a high alignment "tax" would be unworkable in practice, since someone else would build dangerous AI before you could build the safe one. This is especially true when it would be easy for one team to defect and disable a safety feature. In this case, removing data makes the AI less capable, but there's definitely precedent that an opt-out tax would be low; in practice, people rarely bother to opt-out of things, even when there's a direct (but small) benefit. One obvious example is junk mail. No one likes junk mail, and in the US, it's easy to opt-out of getting junk mail and credit card offers, but most people don't. Likewise, there are tons of legally required privacy notices that give customers the chance to opt-out, but most don't. The same goes for arbitration opt-outs in contracts. Hence, a large majority of all data would probably still be available for AI use. Argument from Ethics It skeeves many people out that GitHub/Microsoft, or other companies, would take their work without permission, build a product on it, and then use it to make money off them, like academic publishers do. In the case of Google or Facebook, one might argue that, since the service is free, users have already agreed to "pay with their data" via AI analytics and targeted ads. (Although I think both services would be improved by a paid ad-free option, like YouTube Premium; and, it's questionable how much permission means with a quasi-monopoly.) However, GitHub isn't ad-supported, it's explicitly a freemium service that many teams pay for. 
And of course, people who write code or text for their...
Alperen Şahin, Software Development Team Lead at BASE64.AI, was a guest on the Reel Piyasalar programme prepared and presented by Çetin Ünsalan.
This episode is also available as a blog post: Cryptography: ROT13 and base64 encoding - Karate Coder
In this episode, Amy and James discuss all things SVGs: what it is, why and when to reach for it, seven different ways to get an SVG on the page, and the pros and cons of each method.

Sponsors

Vercel
Vercel combines the best developer experience with an obsessive focus on end-user performance. Their platform enables frontend teams to do their best work. It is the best place to deploy any frontend app. Start by deploying with zero configuration to their global edge network. Scale dynamically to millions of pages without breaking a sweat. For more information, visit Vercel.com

ZEAL is hiring!
ZEAL is a computer software agency that delivers “the world's most zealous” and custom solutions. The company plans and develops web and mobile applications that consistently help clients draw in customers, foster engagement, scale technologies, and ensure delivery. ZEAL believes that a business is “only as strong as” its team and cares about culture, values, a transparent process, leveling up, giving back, and providing excellent equipment. The company has staffers distributed throughout the United States, and as it continues to grow, ZEAL looks for collaborative, object-oriented, and organized individuals to apply for open roles. For more information visit softwareresidency.com/careers

DatoCMS
DatoCMS is a complete and performant headless CMS built to offer the best developer experience and user-friendliness in the market. It features a rich, CDN-powered GraphQL API (with real-time updates!), a super-flexible way to handle dynamic layouts and structured content, and best-in-class image/video support, with progressive/LQIP image loading out-of-the-box. For more information, visit datocms.com

Show Notes
0:00 Introduction
3:50 What is an SVG? Raster vs Vector
6:21 Benefits to using an SVG
    Change the Size
    Small File Size
    Change the color within your code
    Easily Cached
9:51 Seven Different Ways to get an SVG on the Page
11:28 Sponsor - ZEAL
12:59 Option 1 - Image Tag
14:03 Option 2 - Inline SVG tag
15:53 Option 3 - CSS as a background Image
16:18 Option 4 - CSS, as a Mask
18:20 Sponsor - Vercel
19:29 Option 5 - SVG directly within our Image tag
21:20 Option 6 - Base64 or UTF8 as a CSS Background Image
21:47 Option 7 - An SVG Sprite
22:34 Writing your own SVGs
27:00 Going Deep on a Specific Topic, The Broken Comb
28:34 Resources
    Amy's SVG Series on YouTube
    Sarah Drasner - Course on Frontend Masters, SVG Essentials & Animation, v2
    Sarah Drasner - SVG Animations: From Common UX Implementations to Complex Responsive Animation
    Chris Coyier - Practical SVG
29:19 Sponsor - DatoCMS
30:12 Grab Bag Questions
30:56 Picks and Plugs
31:07 Amy's Pick - Animal Cable Clips
32:00 Amy's Plug - Advent of CSS
32:32 James's Pick - Castle on Hulu
33:34 James's Plug - Advent of JavaScript
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Not So Fake FBI E-Mails
https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails
https://isc.sans.edu/forums/diary/External+Email+System+FBI+Compromised+Sending+Out+Fake+Warnings/28034/
https://twitter.com/spamhaus/status/1459450061696417792
Reversing Obfuscated Maldoc with BASE64
https://isc.sans.edu/forums/diary/Obfuscated+Maldoc+Reversed+BASE64/28030/
Zoom Updates
https://explore.zoom.us/en/trust/security/security-bulletin/
VMware vCenter Update
https://www.vmware.com/security/advisories/VMSA-2021-0025.html
Windows User Profile 0-Day LPE
https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html
Tips this week include:
• The new Gutenberg Tutorials are live
• What I found in the recipe video SEO tests so far
• Why I'm making more videos with my phone instead of a camera
• BB Hub Printables and Downloads Mastermind is this week
• The block bot testing has been expanded to more sites
• Why I'm investigating Base64 image placeholders for lazy load
• How the new Bing Submission API will help us fight bad bots
• Why Google is dropping AMP for news posts, and what will take its place
• Why we need only one Rich Result focus per post
• Why proper SEO takes super deep testing, and what I've already found
• 22 expert ideas for connecting with your audience
The latest In Touch With iOS with Dave; he is joined by regular guest Jeff Gamet. There were 100 million iPhones sold in less than 7 months. Shortcuts review with Jeff: he talks about a great one that adds an iPhone frame to a screenshot. The iOS 15 Public beta was released; we still say don't do it on a primary device. Control Center and what do we add to the menu, and more. The show notes are at InTouchwithiOS.com

Direct Link to Audio

News
iPhone 12 Passes 100 Million Sales in First Super-Cycle Since iPhone 6
Try Out T-Mobile's Network For Free With eSIM
Apple Releases Apple Watch International Collection Bands and Faces
Here are the bands: Apple Watch United States International Collection Sport Loop
Apple quietly buys Roku remote button for struggling Apple TV+

Topics
Beta this week. There is so much beta, including iOS 14.7 Beta 4 and the iOS 15 Public betas released.
Apple Releases Revised Versions of iOS 15 and iPadOS 15 Second Betas
Apple Seeds First Public Betas of iOS 15 and iPadOS 15
Apple Seeds First watchOS 8 Public Beta
Apple Releases First Public Beta of tvOS 15
Apple Seeds Fourth Betas of iOS and iPadOS 14.7 to Developers
Apple Seeds Fourth Beta of watchOS 7.6 to Developers
Apple Seeds Fourth Beta of tvOS 14.7 to Developers
The First iPhone Went on Sale 14 Years Ago Today: what we remember.
Shortcuts - Jeff has some great shortcuts he is going to review.
Shortcuts Corner: Apple Frames for iPhone 12 and SE, Get Image Resolution, Encode Images to Base64, and Search Articles in Reeder Folders in Shortcuts.
Control Center on iOS: what do we add and use all the time? We review what works for us.

Our Host
Dave Ginsburg is an IT Professional with over 22 years experience working with Mac and Windows as well as iOS devices. He is also President of The Suburban Chicago Apple Users Group.

About our Guest
Jeff Gamet is a podcaster, technology blogger, artist, and author. Previously, he was The Mac Observer's managing editor, and Smile's TextExpander Evangelist. You can find him on Twitter and Instagram as @jgamet and YouTube https://youtube.com/jgamet

About our Co-Host
Warren Sklar @Wsklar is an IT Consultant and moderator of the Mac To The Future FaceBook Group with over 3000 members talking about all things Apple. Request to join this group to be among people who love Apple.
Connect to port 443 and send some HTTP signals:

    $ openssl s_client -connect example.com:443
    [...snip...]
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
    ---

You're now connected. If you wait too long, your connection will likely time out. View the default landing page of the site you've connected with (the request is terminated by an empty line):

    GET / HTTP/1.1
    Host: example.com

In return, you get a dump of the HTML source of the default page (usually index.html) in your terminal.

You can also use OpenSSL s_client for email servers using SSL. Before you can send credentials, you must encode your email username and passphrase into Base64. The easiest method I know is this Perl one-liner:

    $ perl -MMIME::Base64 -e 'print encode_base64("myUserName");'
    $ perl -MMIME::Base64 -e 'print encode_base64("myPassPhrase");'

Take note of the results. The s_client session, aside from authentication, is basically the same as a telnet session. You can find good telnet tutorials all over the Internet, and aside from sending your credentials, they apply to s_client. Here's a copy-paste of an example session:

    $ openssl s_client -starttls smtp -connect email.example.com:587
    > ehlo example.com
    > auth login
    ##paste your user base64 string here####
    ##paste your password base64 string here####
    > mail from: noreply@example.com
    > rcpt to: admin@example.com
    > data
    > Subject: Test 001

    This is a test email.
    .
    > quit
Let's talk about Base64, an encoding that is widely used in configuration and software development. Let's see what it can be used for and how it works inside.
John Hammond demonstrates a CTF walkthrough and also explains the tools and techniques he uses to be more efficient.

Menu:
0:00 ⏩ This stuff helps in your real world job
1:16 ⏩ Introduction
1:48 ⏩ picoCTF site
2:36 ⏩ Labs can be accessed at any time
3:12 ⏩ picoCTF labs
3:33 ⏩ First CTF walkthrough
3:57 ⏩ Favourite distro
4:07 ⏩ Linux natively or in a VM?
4:29 ⏩ First CTF solution
5:50 ⏩ Second CTF
9:51 ⏩ Skills that John recommends you get
12:12 ⏩ Linux and then Python and then CTFs
12:57 ⏩ Ubuntu vs Kali vs Parrot OS etc
14:04 ⏩ Kali in VM?
14:46 ⏩ What about writing reports or e-mail?
15:50 ⏩ Which application do you recommend?
17:05 ⏩ Do you dump knowledge into something?
18:38 ⏩ How do you manage all the data collected?
20:16 ⏩ Don't just do it and forget what you have done
21:10 ⏩ CTFs vs Real World
21:54 ⏩ Base64 and ideas
24:17 ⏩ John's VBscript example
25:58 ⏩ Second CTF solution
26:40 ⏩ CTFs vs Bug Bounty vs Real World

Previous video: https://youtu.be/u4u6ob13s2c

================
Connect with me:
================
Discord: https://discord.com/invite/usKSyzb
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/davidbombal

================
Connect with John:
================
YouTube: https://www.youtube.com/johnhammond010
Twitter: https://twitter.com/_johnhammond
LinkedIn: https://www.linkedin.com/in/johnhammo...

================
Links:
================
picoCTF: https://picoctf.org/
Obsidian: https://obsidian.md/
Hack the box: https://www.hackthebox.eu/
Try Hack Me: https://tryhackme.com/
All-Army CyberStakes: https://www.acictf.com/
CTF Time: https://ctftime.org/ctf-wtf/
eLearn Security: https://elearnsecurity.com
OSCP: https://www.offensive-security.com/co...
CEH: https://www.eccouncil.org/programs/ce...

================
Support me:
================
DavidBombal.com: CCNA ($10): http://bit.ly/yt999ccna
Udemy CCNA Course: https://bit.ly/ccnafor10dollars
GNS3 CCNA Course: CCNA ($10): https://bit.ly/gns3ccna10

ctf capture the flag tryhackme hackthebox picoctf picoctf 2021 base64 john hammond cybersecurity hack the box try hack me htb thm incident response incident response cyber security cyber security career cybersecurity cybersecurity careers ceh oscp ine oscp certification ctf for beginners first job cybersecurity job

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
2021-04-27 Weekly News - Episode 101
Watch the video version on YouTube at https://youtu.be/_leAN4KNezY

Hosts:
Gavin Pickin - Software Consultant for Ortus Solutions
Brad Wood - Software Consultant for Ortus Solutions

Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there.
A few ways to say thanks back to Ortus Solutions:
Like and subscribe to our videos on YouTube.
Sign up for a free or paid account on CFCasts, which is releasing new content every week.
Buy Ortus's new Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad.

Patreon Support
We have 36 patreons providing 83% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions. If you love our podcasts and all we do for the #coldfusion #cfml community, consider chipping in; we are almost there!
https://www.ortussolutions.com/blog/we-need-your-help

News and Events

We made it to 100 Episodes!!
So to thank our supporters, we decided to do a little raffle giveaway. To enter the raffle, contestants had to answer 5 Ortus Trivia questions on the Google form, and we selected 5 winners, each to get BoxLife swag packages.
The winners are:
David Belanger
Scott Steinbeck
Wil de Bruin
Matthew Clemente
Matthew Brown

Adobe's ColdFusion Certification price drops
Adobe Certified Professional: Adobe ColdFusion is an industry-leading certification program from Adobe, for Adobe ColdFusion developers. The course consists of 50+ online videos and is designed for professionals who have basic to advanced level proficiency in any computer language and a basic understanding of how web pages work. Successfully passing an assessment test at the end of the program will reward participants with a badge and certificate from Adobe.
Only $149
https://www.adobe.com/products/coldfusion-family/certificate.html

Eric's pull merged into PostGres driver repo
Eric's adventure into the PostGres driver was successful, with the merge completed this week.

Adobe Webinar - Building modern web apps with ContentBox Modular CMS with Luis Majano
May 5, 2021 - 12 PM ET
ContentBox is a professional open source modular content management system powered by ColdBox HMVC and ColdFusion. In this session, we will get an overview of this CMS platform and how you can leverage it to not only deliver content based applications, but any modern web application thanks to its powerful headless API and ColdBox services.
https://cfwebinar-modularcms.meetus.adobeevents.com/

Adobe Webinar Series - API Creation and Management
Next Webinar: 4/28/21
ColdFusion Developers, do you want a first hand look at publishing APIs securely and at scale? Then mark your calendars for Brian Sappey's upcoming webinars! This seven-part series will give you a 360 degree view of the API Manager and teach you how to build RESTful APIs with Adobe ColdFusion. Everything from securing, publishing and monitoring APIs will be covered with hands-on examples and easy discussions.
Dates: 3/24/21, 3/25/21, 4/28/21, 4/29/31, 5/12/21, 5/13/21, 5/24/21
Information: https://coldfusion.adobe.com/2021/03/webinar-series-api-creation-management/
Registration: https://coldfusion-api-management-solution.meetus.adobeevents.com/?fbclid=IwAR2q7aEI9u1ibBKrneeDvAhKWWW7V78bB_P1rTzWAh8x4e20q68gXLeMVrM
Recordings: https://t.co/ZQc637BSkv

Online CF Meetup - "Installing CF2021: choices, challenges, and solutions", with Charlie Arehart
Thursday, April 29, 2021
11:00 AM to 12:00 PM CDT
If you're considering moving to CF2021, there are some things to consider before or as you install it. First, there's a new "zip" install option, in addition to the traditional full installer. What's that about? Why should you use it? What are some challenges, and why might you not want to? We'll cover that...
https://www.meetup.com/coldfusionmeetup/events/277816061/

ICYMI - Ortus Webinar - Building modern web apps with ContentBox Modular CMS with Luis Majano
April 23, 2021 Time: 11:00 AM CT
ContentBox is a professional open source modular content management system powered by ColdBox HMVC and ColdFusion. In this session, led by Luis Majano, we will get an overview of this CMS platform and how you can leverage it to not only deliver content based applications, but any modern web application thanks to its powerful headless API and ColdBox services.
https://www.ortussolutions.com/events/webinars
Recordings: https://cfcasts.com/series/webinars-2021/videos/luis-majano-on-building-modern-web-apps-with-contentbox-modular-cms

Reminder: New Book from Luis Majano
102 ColdBox HMVC Quick Tips and Tricks
Now Available on Gumroad - $29
http://gum.co/coldbox-tips
Signup with your email for 10 free tips
https://www.ortussolutions.com/learn/books/102-tips-tricks

CFCasts Content Updates
https://www.cfcasts.com
CFCasts site updates!
Just Released
- Ortus Webinars - Luis Majano on Building Modern Web Apps With ContentBox Modular CMS https://cfcasts.com/series/webinars-2021/videos/luis-majano-on-building-modern-web-apps-with-contentbox-modular-cms
Coming up soon
More CommandBox Zero to Hero
More What's new with ColdBox 6
Up and Running with Quick
LogBox 101
Using DocBox
Send your suggestions at https://cfcasts.com/support

Conferences and Training

ICYMI - RedisConf 2021
Virtual: Apr 20-21
Rediscover the power of real-time data. Join us at RedisConf 2021 to hear from the Redis community, customers, and industry experts. Dive into the latest product experiences, get hands-on training, network with other Redis pros, and show off your skills by participating in a $100,000 hackathon.
https://redislabs.com/redisconf/
Recordings: Register for RedisConf 2021 - Watch on demand until May 20

Atlassian Teams 21
Apr 28-30
Better teams start with being better teammates. Check out Atlassian's vision for Team 2021, formerly Summit.
https://events.atlassian.com/team21

AWS Summit Online - Americas
May 12-13
Online and Free
AWS Summit Online is designed for developers and IT professionals looking to learn how to build and innovate at scale using AWS Cloud. Hear the very latest from AWS executives, attend breakout sessions featuring customer stories, and engage with AWS experts to get your questions answered. Enhance your skills with hands-on labs and workshops, learn from inspiring demos, and discover what AWS and our Partner Solutions can do for your business. This free online conference is designed to educate you about AWS services, and help you design, deploy, and operate infrastructure and applications.
https://aws.amazon.com/events/summits/online/americas/

Percona Live Online
May 12 - 13, 6:00 AM (EDT)
Percona Live is a community-focused event for database developers, administrators, and decision-makers to network with peers and technology professionals. Come learn from the best and brightest in the open source database community as they share their knowledge, experience, and use cases with you in small group sessions and tutorials.
https://events.percona.com/events/details/percona-virtual-presents-percona-live-online/

DockerCon
May 27th 2021
DockerCon 2021 is a free, one-day virtual event that is a unique experience for developers and development teams who are building the next generation of modern applications. If you want to learn about how to go from code to cloud fast and how to solve your development challenges, DockerCon 2021 offers engaging live content to help you build, share and run your applications.
Call for Speakers open until Midnight April 1st
https://www.docker.com/dockercon-live/2021

Ortus Workshops - Dates coming soon
More Workshop dates to come:
- CommandBox Zero to Hero
- ColdBox Zero to Hero
- ColdBox Hero to SuperHero

Ortus's Possible Conferences for 2021
Dates subject to change
Due to online conference overload, we are thinking about not expanding the number of events, but offering more content in more timezones with a different format.
ITB - Developer Week Style?? - (please be in-person!!!)
With some European Timezone Friendly slots from our European Community Members
September 2021
Call for speakers coming soon
ITB Latam
December 2021

More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.
https://confs.tech/
CFML is now on the list - https://confs.tech/conferences/new

Blogs, Tweets and Videos of the Week

Blog - David Byers - ColdFusion 101: Tags, Script and Functions, Part 3 – Functions
This is an on-going series of posts covering ColdFusion basics for new developers. This series is intended to cover basic concepts. In this article, I go over the building blocks of ColdFusion: Tags, Script, and Functions, focusing on functions.
https://coldfusion.adobe.com/2021/04/coldfusion-101-tags-script-functions-part-3-functions/

Blog - David Byers - ColdFusion 101: Tags, Script and Functions, Part 2 – Script
This is an on-going series of posts covering ColdFusion basics for new developers. This series is intended to cover basic concepts. In this article, I go over the building blocks of ColdFusion: Tags, Script, and Functions, focusing on script.
https://coldfusion.adobe.com/2021/04/coldfusion-101-tags-script-functions-part-2-script/

Blog - Charlie Arehart - New updates released for Java 8 and 11, April 20 2021
For those using the Long-term support (LTS) versions of Oracle Java, 8 and 11, please note that there were new updates released last week (Apr 20), specifically Java 11.0.11 and 8.0_291. For more on each, see the release notes.
https://www.carehart.org/blog/client/index.cfm/2021/4/26/new_java_updates_for_Java_8_and_11_as_of_Apr_2021

Blog - Computer Know How - Why I ask "dumb" questions
Part of my current work involves quality assurance (QA) for the code that our team writes. When I started performing QA work, I wanted to understand each feature and piece of code before I tested/reviewed it. That approach is still sometimes required depending on the feature being reviewed. As the amount of time I have spent performing this task accrues, I learn more and adapt my approaches. One such adaptation has been to test before I fully understand the feature. This allows me to test with less of a confirmation bias, which I found I was falling into when I fully understood the feature and the code behind it.
https://ckhconsulting.com/why-i-ask-dumb-questions/

Blog - Ben Nadel - Experimenting With Lazy Queries And Streaming CSV (Comma Separated Value) Data In Lucee CFML 5.3.7.47
In my last post, I celebrated the power and simplicity of CSV (Comma Separated Value) data. It's an old data format; and yet, it continues to act as an easy medium for the interoperability of systems. ColdFusion makes generating CSV data effortless. And as I was demonstrating that much over the weekend, it occurred to me that CSV reporting may be a fun context in which to finally try out the lazy queries feature of Lucee CFML.
https://www.bennadel.com/blog/4034-experimenting-with-lazy-queries-and-streaming-csv-comma-separated-value-data-in-lucee-cfml-5-3-7-47.htm

Blog - Kishore Balakrishnan - Adobe - Continuous Integration (CI)/Continuous Delivery (CD) in ColdFusion 2021 Release
As one of the fundamental backbones of DevOps, a CI/CD pipeline can provide many strategic advantages for your organization. In the 2016 release of Adobe ColdFusion, we first introduced a Docker Image which made cloud-based applications, modern methodologies and automated development pipelines a reality. DevOps started to gain popularity and developers were able to speed up development, secure their code and deploy in an automated step. Further, Adobe ColdFusion 2018 made it significantly easier to deploy complex cloud architecture, microservices, and in general non-monolithic apps.
https://coldfusion.adobe.com/2021/04/continuous-integration-ci-continuous-delivery-cd-coldfusion-2021-release/

Blog - Adam Cameron - On code review
I'm pretty big on code review; I see it as a critical part of the process of developing solutions for our clients, and making our own and our colleagues' lives easier. It's a useful communications exercise, and it's a useful technical exercise. I've used a variation of these notes with a variety of teams in the past, but I've never - until recently - got around to writing a decent (semi-) generic document about it. I've polished things a bit here, and thought I'd get it down in a public-facing fashion. There are references in here to systems I am familiar working with like Bitbucket and Jira and PHP. But I think the guidance carries across, irrespective of what combination of tooling one uses; if not in the precise mechanics, then in the processes the mechanics facilitate.
https://blog.adamcameron.me/2021/04/on-code-review.html

Blog - Ben Nadel - Celebrating The Power And Simplicity Of CSV (Comma Separated Value) Data In Lucee CFML 5.3.7.47
Yesterday, I learned that one of our clients at InVision uses our comment export feature as a critical part of their product development life-cycle. This feature takes comments from across an entire prototype and serves them up as a CSV (Comma Separated Value) file. It's amazing - and, frankly, delightful - that such a simple data format continues to be such a source of empowerment in an increasingly complex world. And, the best part of it all is that generating CSV files is one of the easiest things you can do! As such, I wanted to take a moment to celebrate the power and simplicity of generating CSV files in Lucee CFML 5.3.7.47.
https://www.bennadel.com/blog/4033-celebrating-the-power-and-simplicity-of-csv-comma-separated-value-data-in-lucee-cfml-5-3-7-47.htm

Blog - Matthew Clemente - Reading Specific Lines from a File with CFML (and a Question)
This post touches on two subjects - the first involves reading a range of lines from a file in ColdFusion - and the second is a question: if you have a useful CFML function, where can you share it? I don't have an answer to this, but I figured that at the least, this might be fodder for the next episode of Modernize or Die - CFML News. It certainly seems a worthwhile topic for discussing.
https://blog.mattclemente.com/2021/04/23/reading-file-lines-with-coldfusion-cfml-snippets.html

Blog - Pete Freitag - URL Safe Base64 Encoding / Decoding in CFML
ColdFusion / CFML has a builtin function that can convert a string or a binary object to a standard Base64 encoded string: toBase64(). You can decode back to a string using toBinary() and toString(), or the binaryDecode() function.
https://www.petefreitag.com/item/917.cfm

Blog - Ben Nadel - Expected And Unexpected getBaseTagData() Behavior In Lucee CFML 5.3.7.47
In the implementation details of my ColdFusion custom tag DSL for HTML emails, I have to access the data exposed by ancestor custom tags. In some cases, the parent tag is dynamic; which means that I have to use the getBaseTagList() function in order to figure out the name of the ColdFusion custom tag that I need to access. It turns out that some native ColdFusion tags show up in the getBaseTagList() value; but, they do not expose any "data". As such, they have to be explicitly skipped over. Things get even more complicated when you use CFModule to invoke a custom tag. And, since I stumbled over this in my journey, I figured it might be worth a quick demo in Lucee CFML 5.3.7.47.
https://www.bennadel.com/blog/4031-expected-and-unexpected-getbasetagdata-behavior-in-lucee-cfml-5-3-7-47.htm

CFML Jobs
Several positions available on https://www.getcfmljobs.com/
Listing over 76 ColdFusion positions from 48 companies across 49 locations in 5 Countries since Dec 1st.
6 new jobs this week
Full-Time - Senior/Mid-Level CF Developer at Remote - United States Posted Apr 26
https://www.getcfmljobs.com/viewjob.cfm?jobid=11221
Full-Time - Senior Software Engineer - ColdFusion Experience at Thiruvan.. - India Posted Apr 26
https://www.getcfmljobs.com/jobs/index.cfm/india/Senior-Software-Engineer-ColdFusion-Experience-at-Thiruvananthapuram-Kerala/11223
Full-Time - Coldfusion Developer at Thiruvananthapuram, Kerala - India Posted Apr 26
https://www.getcfmljobs.com/jobs/index.cfm/india/Coldfusion-Developer-at-Thiruvananthapuram-Kerala/11222
Freelance - Mid-Level Coldfusion Developer at Remote - United States Posted Apr 20
https://www.getcfmljobs.com/jobs/index.cfm/united-states/MidLevel-CFDeveloper-FreelanceRemote/11219
Full-Time - ColdFusion Software Programmer at Sherwood Park, AB - Canada Posted Apr 20
https://www.getcfmljobs.com/jobs/index.cfm/canada/ColdFusion-Software-Programmer-at-Sherwood-Park-AB/11220
Full-Time - Sr. Software Engineer - Java/ColdFusion at West Palm Beach, .. - United States Posted Apr 20
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Sr-Software-Engineer-JavaColdFusion-at-West-Palm-Beach-FL/11218

ForgeBox Module of the Week
JMESPath v2.4.0 by Scott Steinbeck
An implementation of JMESPath for ColdFusion. This implementation supports searching JSON documents as well as native ColdFusion structs and arrays. Will be part of the Core for CommandBox v5.3.0+ for native CFML JSON searching.
https://www.forgebox.io/view/jmespath

VS Code Hint Tips and Tricks of the Week
VSCode Highlight Matching Tag
This extension highlights matching opening and/or closing tags. Optionally it also shows the path to the tag in the status bar. Even though VSCode has some basic tag matching, it's just that - basic. This extension will try to match tags anywhere: from tag attributes, inside of strings, any files, while also providing extensive styling options to customize how tags are highlighted.
https://marketplace.visualstudio.com/items?itemName=vincaslt.highlight-matching-tag

Thank you to all of our Patreon Supporters
These individuals are personally supporting our open source initiatives to ensure that great tooling like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keep getting the continuous development they need, and to fund the cloud infrastructure that our community relies on, like ForgeBox for our Package Management with CommandBox. You can support us on Patreon here https://www.patreon.com/ortussolutions
Bronze Packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk for their Patreon Subscription.
All Patreon supporters have a Profile badge on the Community Website.
All Patreon supporters have their own Private Forum access on the Community Website.
Don Bellamy
Eric Hoffman
David Belanger
Gary Knight
Giancarlo Gomez
Jonathan Perret
Mario Rodrigues
Jeffry McGee - Sunstar Media
John Wilson - Synaptrix
Yogesh Mathur
Joseph Lamoree
Ben Nadel
Brett DeLine
Carl Von Stetten
Charlie Arehart
Dan Card
Daniel Garcia
Didier Lesnicki
Edgardo Cabezas
Jan Jannek
Jason Daiger
Jeff McClain
Jeremy Adams
Jonas Eriksson
Jordan Clark
Kai Koenig
Laksma Tirtohadi
Leon Seremelis
Matthew Darby
Matthew Clemente
Mingo Hagen
Patrick Flynn
Ross Phillips
Scott Steinbeck
Stephany Monge
Steven Klotz
You can see an up to date list of all sponsors on Ortus Solutions' Website
https://ortussolutions.com/about-us/sponsors

★ Support this podcast on Patreon ★
RW4gZXN0ZSBlcGlzb2RpbyBoYWJsYW1vcyBkZSByZW5vbWJyYXIgbm9tYnJlIGRlIHVuYSBkZSBsYXMgY2l1ZGFkZXMgbcOhcyBncmFuZGVzIGVsIG11bmRvLCBwb2zDqW1pY2EgZGUgcGVyc29uYWplcyBmaWN0aW9zLCBhcm1hcyBudWNsZWFyZXMsIGZpbHRyb3MgZGUgcmVkZXMgc29jaWFsZXMsIHNhbmdyZSwgZGVzdHJ1Y2Npw7NuIHkgbXVjaG8gbcOhcyE= Base64
This episode is sponsored by:
Sketch – The Design Platform Trusted by Over One Million People
Read more about Sketch on MacStories

Links and Show Notes

Rewind
Using Soor's Widgets and Magic Mixes
Managing the Internet Access of HomeKit Devices with the Linksys Velop Mesh WiFi Router System
Apple Signs Jon Stewart to Expansive Deal for TV+ Series and More
Clips 3.0 Brings New Video Aspect Ratios and an Upgraded iPad Experience
Shortcuts Corner: Apple Frames for iPhone 12 and SE, Get Image Resolution, Encode Images to Base64, and Search Articles in Reeder
Microsoft Is Rolling Out iPad Pointer Support to Its Office Suite

Club MacStories
MacStories Weekly
MacStories Favorite: Pixelmator Pro
A new Reeder shortcut
Ryan debates purchasing an iPhone 12 mini or Pro
MacStories Unplugged
This week on Unplugged, our Club podcast, we discuss the upcoming release of Big Sur, Federico makes John nervous by poking around in Disk Utility and ejecting drives while he records, John gets fiber Internet and tests HomeKit mesh WiFi routers, and Federico unwinds post-iOS review.

AppStories
Episode 191 – New Apps Enabled by Apple Hardware and OS Advances

Unwind
Federico's Pick: Cosmos by Carl Sagan
John's Pick: The Haunting of Bly Manor on Netflix

Follow us on Twitter
Federico Viticci
John Voorhees
Follow us on Instagram
Federico Viticci
John Voorhees
Federico is using Base64 to make wallpapers, Myke's iPad mini is out of space and Stephen is upset about Apple's new GMT watch face. Also discussed: what iOS 14 is doing to our home screens and what others are doing with widgets.
Link to bioRxiv paper: http://biorxiv.org/cgi/content/short/2020.09.16.299495v1?rss=1
Authors: Hart, R., Prlic, A.

Abstract

Motivation
Access to biological sequence data, such as genome, transcript, or protein sequence, is at the core of many bioinformatics analysis workflows. The National Center for Biotechnology Information (NCBI), Ensembl, and other sequence database maintainers provide methods to access sequences through network connections. For many users, the convenience and currency of remotely managed data are compelling, and the network latency is inconsequential. However, for high-throughput and clinical applications, local sequence collections are essential for performance, stability, privacy, and reproducibility.

Results
Here we describe SeqRepo, a novel system for building a local, high-performance, non-redundant collection of biological sequences. SeqRepo enables clients to use primary database identifiers and several digests to identify sequences and sequence aliases. SeqRepo provides a native Python interface and a REST interface, which can run locally and enables access from other programming languages. SeqRepo also provides an alternative REST interface based on the GA4GH refget protocol. SeqRepo provides fast random access to sequence slices. We provide results that demonstrate that a local SeqRepo sequence collection yields significant performance benefits of up to 1300-fold over remote sequence collections. In our use case for a variant validation and normalization pipeline, SeqRepo improved throughput 50-fold relative to use with remote sequences. SeqRepo may be used with any species or sequence type. Regular snapshots of human sequence collections are available. It is often convenient or necessary to use a computed digest as a sequence identifier. For example, a digest-based identifier may be used to refer to proprietary reference genomes or segments of a graph genome, for which conventional identifiers will not be available. Here we also introduce a convention for the application of the SHA-512 hashing algorithm with Base64 encoding to generate URL-safe identifiers. This convention, sha512t24u, combines a fast digest mechanism with a space-efficient representation that can be used for any object. Our report includes an analysis of timing and collision probabilities for sha512t24u. SeqRepo enables clients to use sha512t24u as identifiers, thereby seamlessly integrating public and private sequence sets.

Availability
SeqRepo is released under the Apache License 2.0 and is available on GitHub and PyPI. Docker images and database snapshots are also available. See https://github.com/biocommons/biocommons.seqrepo .

Copyright belongs to the original authors. Visit the link for more info.
Arnaud and Emmanuel comment on the news in the middle of summer. Go, serverless, ARM, roadmaps, lots of GitHub and, of course, our segment on the impact of code on society. Recorded on 14 August 2020.

Episode download: [LesCastCodeurs-Episode-237.mp3](https://traffic.libsyn.com/lescastcodeurs/LesCastCodeurs-Episode-237.mp3)

## News

### Languages

[Tip for easily getting the file name from a path in Java 11](https://adambien.blog/roller/abien/entry/java_11_extract_file_name)

[Golang 1.15](https://golang.org/doc/go1.15)

* Better allocation of small objects when there are many cores.
* macOS < 1.12 and 32-bit apps deprecated.
* Last laps for your Pentium 4.
* Linker improvements in memory and CPU on some architectures.
* Option to embed the time zone database. (What about updates? Recompile?)
* The "aggressive" deprecation of some architectures is amusing.

[Golang: a draft for natively packaging static resources](https://go.googlesource.com/proposal/+/master/design/draft-embed.md)

[Redmonk publishes its new ranking](https://redmonk.com/sogrady/2020/07/27/language-rankings-6-20/), Java #3, Kotlin #19 (one of the biggest growths in 5 years)

### Libraries

[It's the end of Thorntail, born as WildFly Swarm](https://thorntail.io/posts/the-end-of-an-era/)

* WildFly adds MicroProfile support
* uberjar support is coming to WildFly
* Quarkus built on the experience and the developers of Thorntail

[Spring vs Micronaut comparison - update](https://tbuss.de/posts/2020/2-micronaut-revisited/)

[Serverless - Building a search for your blog (on GitHub with Hugo) with Quarkus, GraalVM and AWS Lambda](https://www.morling.dev/blog/how-i-built-a-serverless-search-for-my-blog/)

* search for a static site
* builds the index at compile time
* wakes the lambda up when the search field is selected
* GraalVM
* feedback on setting up a lambda without getting fleeced on cost
* setting the right privileges in AWS Lambda is complicated
* more CPU if more RAM

### Infrastructure

[Arm for sale, Apple not interested but maybe NVidia](https://www.macrumors.com/2020/07/31/nvidia-talks-to-acquire-arm/)

### Cloud

[Docker has just announced new Terms of Service including a new retention policy for images published on Docker Hub](https://www.docker.com/pricing/retentionfaq)

* 6-month retention limit on the free plan
* applies if there is no push or pull during that period

### Patreon

[Help the cast codeurs on Patreon](https://patreon.comn/lescastcodeurs.)

### Web

[Vue 3 reaches release candidate](https://css-tricks.com/vue-3-0-has-entered-release-candidate-stage/)

* more performant, completely rewritten
* very similar in terms of surface APIs
* revised documentation
* Composition API (à la React hooks)

[The Angular roadmap](https://angular.io/guide/roadmap)

* 50% of engineering on the backlog, then 20%. Do you do more or less in general on your OSS projects?

### Data

[RocksDB, the LSM persistence engine for MySQL. Why and when to use it...](https://www.percona.com/blog/2020/02/20/when-to-use-myrocks-in-mysql/)

* Use when data >> RAM, write mostly, space concerns
* [Log-structured Merge-tree](https://en.wikipedia.org/wiki/Log-structured_merge-tree)

### Tooling

[Git 2.28](https://github.blog/2020-07-27-highlights-from-git-2-28/)

Jenkins: [Controller/Agent to replace Master/Slave](https://www.cloudbees.com/words-have-power-updating-industry-terms)

[GitHub stores an archive of your open source code in a former mine, in the Arctic Circle, in Svalbard](https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic/)

* 21TB on 186 reels of photosensitive digital film
* 8.8 million pixels per frame
* 1000 years
* in the permafrost of a former mine

[Create your profile page on GitHub](https://www.aboutmonica.com/blog/how-to-create-a-github-profile-readme) (see also [this link](https://css-tricks.com/the-github-profile-trick/))

[GitHub publishes an OpenAPI 3 description of its developer API](https://github.blog/2020-07-27-introducing-githubs-openapi-description/)

[A public roadmap for GitHub](https://github.blog/2020-07-28-announcing-the-github-public-roadmap/)

[Is VSCode really open source?](https://underjord.io/the-best-parts-of-visual-studio-code-are-proprietary.html)

* telemetry
* extensions like Live Share and Remote are not open
* the marketplace is proprietary too

### Security

[Testimony - I tested it for you: having your identity stolen](https://linuxfr.org/users/malizor/journaux/j-ai-teste-pour-vous-se-faire-usurper-son-identite)

* a debt claim arrives
* ask for the signed contract in order to file a complaint
* go to the Banque De France to check whether you are on file and start the identity-theft procedures
* buy a paper shredder

[The OpenJDK Alpine images on DockerHub extend an Alpine 3.6 release that has not been supported since May
2019](https://github.com/jenkinsci/docker/issues/957) ### Loi, société et organisation [Frances Allen, pionnière de l’informatique, est morte](https://www.lemonde.fr/disparitions/article/2020/08/10/frances-allen-pionniere-de-l-informatique-est-morte_6048608_3382.html) * Première femme fellow IBM * Optimisation compilation * Parallel computing du project blue gene (95) * Turing award * https://en.wikipedia.org/wiki/Frances_Allen [Mozilla licencie 1/4 de son personnel (250 collaborateurs)](https://blog.mozilla.org/blog/2020/08/11/changing-world-changing-mozilla/) * Pas bien compris leur nouveau focus. * Certains disent que les Dev tools vont être réduits. * [le message privé](https://blog.mozilla.org/wp-content/uploads/2020/08/Message-to-Employees-Change-in-Difficult-Times.pdf) * Firefox on users. Focus on new products and time to market. * Ça sent que Mozilla était sclérosée et qu’il fallait un changement. Vu par le gars qui fait làreorg. [La COO de Pinterest licenciée car elle parlait de la discrimination rampante.](https://medium.com/@francoise_93266/the-pinterest-paradox-cupcakes-and-toxicity-57ed6bd76960) * Décisions par un sous groupe (conversation isolées). Refusant les contre points. Et donc avec infos parcellaires. * “the only way we get things done here is hiding things.” * Tout était secret et donc manque de transparence e * Découvre que sa compensation d’exécutif était différente des autres - on lui avait dit que tous étaient au même modèle * Elle le fait corriger et se fait exclude des board meetings * Découvres des problèmes sur le produit et les reporte : et devient l.ennemie du head of product et CEO * Exclue des meetings de décisions * so much for blameless retrospective * Bro culture et même bubble * But too few leaders ask themselves how they can proactively design their organizations to be truly equitable and make a practice of confronting bias, prejudice, and bullying. 
They do not put checks and balances in place, so discrimination and harassment are hard to recognize or report. Instead, they seek control. They make decisions behind closed doors, consciously and unconsciously excluding those who do not look, sound, or behave like them. * Discuss the steps to improve in the end [La CNIL tape publiquement sur les doigts de StopCovid.](https://www.cnil.fr/fr/application-stopcovid-la-cnil-tire-les-consequences-de-ses-controles) * 3 controles organisés en juin * initialement remontait tous les contacts d'une utilisateur et pas seulement ceux susceptibles d'avoir été exposé * respect de l'essentiel de la RGPD * quelques trucs qui restent comme usage de Google re-captcha, anti DDOS etc [Les GAFA auditionnés par le congrès américain](https://www.lemonde.fr/economie/article/2020/07/30/etats-unis-google-apple-facebook-et-amazon-sermonnes-par-les-politiques-americains_6047655_3234.html) [Apple et Epic Games - Le bras de fer de retour](https://www.clubic.com/pro/entreprises/apple/actualite-9340-fortnite-apple-retire-le-jeu-de-l-app-store-epic-porte-plainte.html) [Nineteen Eighty-Fortnite](https://youtu.be/N6B4glqJFz0) [Trump veut bannir TikTok des états-unis - et plus si possible - sauf ...](https://www.igen.fr/services/2020/08/ladministration-trump-songerait-bannir-tiktok-dans-le-monde-entier-116797) ## Outils de l'épisode [Il y a plein de site de ce genre qui permettent d’encoder / décoder du Base64, de l’URL encoded, etc, mais celui là est amusant aussi parce qu’il fait aussi un peu de crypto genre même le chiffre de Vigenère ou de César](https://kifanga.com/tools/cipher/monoalphabetic-cipher) ## Rubrique débutant [Bitoduc.fr : termes informatiques en français](https://bitoduc.fr/) ## Conférences [JUG Summer Camp le 11 septembre 2020](https://www.jugsummercamp.org/edition/11) [Volcamp.io les 15 et 16 octobre 2020](https://conference-hall.io/public/event/rFeIFIGPgZuNIXx2tqSb) ## Nous contacter Soutenez Les Cast Codeurs sur Patreon [Faire 
un crowdcast ou une crowdquestion](https://lescastcodeurs.com/crowdcasting/) Contactez-nous via twitter sur le groupe Google ou sur le site web
- What an Aggregate Result is
- AVG
- COUNT
- COUNT(Field)
- COUNT_DISTINCT
- MIN
- MAX
- SUM
- You need GROUP BY if the SELECT is made up of more than one field
- Using HAVING you can add conditions on your aggregate function
- The only data types supported by all of them are (Double, Integer)
- Some data types are not supported, such as Base64, Boolean, Byte, Time and others
- The return value will always be an AggregateResult
- AggregateResult fields can have an alias; otherwise you have to look them up as expr0, expr1...
- https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql_select_count.htm
- https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql_select_agg_functions_field_types.htm

Follow the live streams Monday to Friday at 21:41 at https://youtube.com/souforce
Follow us on Instagram @iFernandoSousa & @Anellinv & @souforce
Blog: https://souforce.cloud
Courses: https://cursos.souforce.cloud
Telegram: https://t.me/souforce
This week I talk about dealing with Base64 evidence.
Good Morning and Welcome to the ProactiveIT Cyber Security Daily number 30. It is Tuesday December 24, 2019. I am your host Scott Gombar. Merry Christmas All!

This podcast is brought to you by Nwaj Tech, a Client Focused and Security Minded IT Consultant based in Central Connecticut. You can visit us at nwajtech.com

If you haven't updated Google Chrome to the latest version yet, do it.

Citrix vulnerability jeopardizes over 80,000 companies globally

Twitter Fixes Bug that Enabled Takeover of Android App Accounts
A flaw in the Twitter for Android app has been patched. The vulnerability allowed would-be attackers to take control of Twitter accounts and send tweets and DMs. If you use Twitter on Android please update immediately.

A note from the FBI re: LockerGoga and MegaCortex
"Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands. The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga."
* Have a BCDR plan. Back up regularly. Test backups and keep a backup offline.
* Ensure all software and operating systems are up to date.
* Enable 2FA and have a strong password policy.
* Disable RDP wherever it is not needed. Ensure RDP ports are blocked externally. Use RDP over VPN. Use third-party software to further secure RDP.
* Audit the creation of new accounts.
* Run port scans to ensure unneeded ports are closed and nothing is listening that shouldn't be listening.
* Disable SMBv1.
* Monitor AD for access levels, account changes and new accounts.
* Make sure you are using the most up-to-date PowerShell and uninstall any older versions.
* "Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell"

New Mozi P2P Botnet Takes Over Netgear, D-Link, Huawei Routers

Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches

Holiday Tip - If you're giving anyone a gaming console for the holidays, unpack it, set it up and install all the updates, and then pack it up again. Update servers are hit pretty hard on Christmas Day. Doing this allows the gift recipient to enjoy the gift rather than wait for updates.

Merry Christmas All. We will talk again Thursday. Stay Secure.
Webcast no. 16, recorded on 2019/07/14 (We record live every other Sunday! Join us! Find the link at Osintcurio.us!)

In episode 16 of the OSINTCurious webcast we discuss:

People in this episode:
* Micah Hoffman (WebBreacher)
* Ginsberg5150
* Sector035 (voice only)

Links to things we discussed:
* TraceLabs.org – Global online OSINT CTF
* The OSINT.Team site is back up (https://osint.team) with 2FA (Two Factor Authentication) and SSO (Single Sign On) using either a Twitter or a GitHub account. A Patreon account exists for donations to keep this resource going (patreon.com/user?u=21892179)
* @Y_vdw – Blog post on YouTube, Facebook, and Instagram searching https://medium.com/@luga/finding-pict...
* @s0md3v is a regular attendee of the webcast. He posted about reverse web search for pixelated images – https://medium.com/@somdevsangwan/deb...
* BBC Africa OSINT on the Sudan massacre (WARNING: GRAPHIC CONTENT IN THE VIDEO) – https://twitter.com/BBCAfrica/status/...
* Micah was on the Recorded Future/Cyber Wire podcast and spoke about OSINT and the OSINTCurious project – https://www.recordedfuture.com/podcas...
* David Mashburn (@d_mashburn) gave a talk on "OSINT: Not Just Offensive" at the SANS Blue Team Summit recently – https://www.youtube.com/watch?v=qkIte...
* TraceLabs.org – Listener Chris J. (@rattis) asked about our take on YouTube enforcing its restrictions on hosting "hacking" videos.
* The IntelX.io site released some updates (v4) to their OSINT tools that are becoming similar to IntelTechniques's old page.
* Micah demoed using the amazing (and free!) CyberChef tool (https://gchq.github.io/CyberChef/) to decode Base64 encoded content and extract selectors from text.
* The 2020 SANS OSINT summit has been announced in Virginia, USA in February 2020 – https://www.sans.org/event/osint-summ...
* Some Dutch OSINTians (their word…not ours
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Office Document And Base64 Encoded PowerShell Script
https://isc.sans.edu/forums/diary/Office+Document+BASE64+PowerShell/24976/
https://0xdf.gitlab.io/2019/05/21/malware-analysis-unnamed-emotet-doc.html

Enumeration of BlueKeep Vulnerable Hosts
https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html

DHCP Client Vulnerability Analysis
https://sensepost.com/blog/2019/analysis-of-a-1day-cve-2019-0547-and-discovery-of-a-forgotten-condition-in-the-patch-cve-2019-0726-part-1-of-2/

Office File Deleting Phishing Emails
https://www.bleepingcomputer.com/news/security/phishing-emails-pretend-to-be-office-365-file-deletion-alerts/
K8s security with Omer Levi Hevroni (@omerlh)

service tickets - Super-Dev

Omer's requirements for storing secrets:
* GitOps enabled
* Kubernetes native
* Secure
* "One-way encryption"

Omer's slides and YouTube video:
https://www.slideshare.net/SolutoTLV/can-kubernetes-keep-a-secret
https://www.youtube.com/watch?v=FoM3u8G99pc&&index=14&t=0s

We've all experienced it: you're working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that's highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes promises to simplify this process with the native secret object, which, as the name implies, can be used to store secrets or sensitive configuration. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely run into issues. But no need to worry ― there are solid alternatives for storing secrets securely on the Kubernetes platform. One solution is to use Kamus, an open-source, GitOps solution created by Soluto for managing secrets on Kubernetes. Kamus can encrypt a secret so that it can be decrypted only by your app at runtime, and not by anyone else.

The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can't). The talk will cover everything you need to know to run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster that can keep a secret ― for real.

Speakers: Omer Levi Hevroni

Kubernetes Secrets: bad, because the manifest files hold the user/password and are only Base64 encoded. They could be uploaded to git = super bad.
https://kubernetes.io/docs/concepts/configuration/secret/
https://docs.travis-ci.com/user/encryption-keys/

Kamus threat model on GitHub: https://kamus.soluto.io/docs/threatmodeling/threats_controls/

https://medium.com/@BoweiHan/an-introduction-to-serverless-and-faas-functions-as-a-service-fb5cec0417b2
"FaaS is a relatively new concept that was first made available in 2014 by hook.io and is now implemented in services such as AWS Lambda, Google Cloud Functions, IBM OpenWhisk and Microsoft Azure Functions."

Best practices:
https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
https://github.com/owasp-cloud-security/owasp-cloud-security

https://www.omerlh.info/2019/01/19/threat-modeling-as-code/
https://telaviv.appsecglobal.org/
https://github.com/Soluto/kamus
https://kamus.soluto.io

Infosec Campout = www.infoseccampout.com
Stephen formalizes a new show segment, Federico is making magic in Shortcuts and Myke has thoughts about picture frames.
In this episode of Tecno Pillole we talk about how YouTube URLs work and, taking a cue from those strings of characters that look almost random, we discover how the ingenuity of the world's largest video portal can be put to use in database indexing, and much more!
This week on BSDNow, we're going to be leading off with the latest news about Wayland and Xorg support on FreeBSD, then a look at OpenBSD ARM64.

This episode was brought to you by

Headlines

Wayland is now in the FreeBSD Ports tree (https://svnweb.freebsd.org/ports?view=revision&revision=432406)
* This commit brings Wayland, the new windowing system, into the FreeBSD ports tree.
* “This port was first created by Koop Mast (kwm@) then updated and improved by Johannes Lundberg”
* “Wayland is intended as a simpler replacement for X, easier to develop and maintain. GNOME and KDE are expected to be ported to it.”
* Wayland is designed for desktop and laptop use, rather than X, which was designed for use over the network, where clients were not powerful enough to run the applications locally.
* “Wayland is a protocol for a compositor to talk to its clients as well as a C library implementation of that protocol. The compositor can be a standalone display server running on Linux kernel modesetting and evdev input devices, an X application, or a wayland client itself. The clients can be traditional applications, X servers (rootless or fullscreen) or other display servers.”
* “Please report bugs to the FreeBSD bugtracker!”
* It is good to see this project progressing, as it seems that in a few generations, high-performance graphics drivers may only be actively developed for Wayland.

***

Call For Testing: xorg 1.18.4 and newer intel/ati DDX (https://lists.freebsd.org/pipermail/freebsd-x11/2017-January/018738.html)
* Baptiste Daroussin and the FreeBSD X11 team have issued a call for testing for the upgrade to Xorg 1.18.4.
* Along with it come newer ATI/AMD and Intel drivers.
* “Note that you will need to rebuild all the xf86-* packages to work with that newer xorg (hence the bump of the revision)”
* “Do not expect newer gpu supported as this is not the kernel part”: it only provides the newer Xorg driver, not the kernel mode setting driver (which is a separate project).
* “If you experience any issue with intel or radeon driver please try to use the new modesetting driver provided by xorg directly (note that fedora and debian recommend the use of the new driver instead of the ati/intel one)”

***

Error handling in C (http://www.tedunangst.com/flak/post/to-errno-or-to-error)
* “Unlike other languages which have one preferred means of signalling an error, C is a multi error paradigm language. Error handling styles in C can be organized into one of several distinct styles, such as popular or correct. Some examples of each.”
* “One very popular option is the classic unix style. -1 is returned to indicate an error.”
* “Another option seen in the standard C library is NULL for errors.”
* “The latter has the advantage that NULL is a false value, which makes it easier to write logical conditions. File descriptor 0 is valid (stdin) but false, while -1 is invalid but true.”
* “And of course, there's the worst of both worlds approach requiring a special sentinel that you'll probably forget to use”
* “Other unix functions, those that don't need to return a file descriptor, stick to just 0 and -1”
* “Of course, none of these functions reveal anything about the nature of the error. For that, you need to consult the errno on the side”
* The article goes on to describe different ways of dealing with the issue, and return values.
* There is also coverage of more complex examples that involve a context which might contain the error message.
* It is really interesting to see the differences, and the pitfalls of each approach.

***

Fixing POSIX Filenames (http://www.dwheeler.com/essays/fixing-unix-linux-filenames.html)
* “Traditionally, Unix/Linux/POSIX pathnames and filenames can be almost any sequence of bytes. A pathname lets you select a particular file, and may include zero or more “/” characters. Each pathname component (separated by “/”) is a filename; filenames cannot contain “/”. Neither filenames nor pathnames can contain the ASCII NUL character (\0), because that is the terminator.”
* “This lack of limitations is flexible, but it also creates a legion of unnecessary problems. In particular, this lack of limitations makes it unnecessarily difficult to write correct programs (enabling many security flaws). It also makes it impossible to consistently and accurately display filenames, causes portability problems, and confuses users.”
* “This article will try to convince you that adding some tiny limitations on legal Unix/Linux/POSIX filenames would be an improvement. Many programs already presume these limitations, the POSIX standard already permits such limitations, and many Unix/Linux filesystems already embed such limitations — so it'd be better to make these (reasonable) assumptions true in the first place. This article will discuss, in particular, the three biggest problems: control characters in filenames (including newline, tab, and escape), leading dashes in filenames, and the lack of a standard character encoding scheme (instead of using UTF-8). These three problems impact programs written in any language on Unix/Linux/POSIX system. There are other problems, of course. Spaces in filenames can cause problems; it's probably hopeless to ban them outright, but resolving some of the other issues will simplify handling spaces in filenames. For example, when using a Bourne shell, you can use an IFS trick (using IFS="$(printf '\n\t')") to eliminate some problems with spaces. Similarly, special metacharacters in filenames cause some problems; I suspect few if any metacharacters could be forbidden on all POSIX systems, but it'd be great if administrators could locally configure systems so that they could prevent or escape such filenames when they want to. I then discuss some other tricks that can help.”
* “After limiting filenames slightly, creating completely-correct programs is much easier, and some vulnerabilities in existing programs disappear. This article then notes some others' opinions; I knew that some people wouldn't agree with me, but I'm heartened that many do agree that something should be done. Finally, I briefly discuss some methods for solving this long-term; these include forbidding creation of such names (hiding them if they already exist on the underlying filesystem), implementing escaping mechanisms, or changing how tools work so that these are no longer problems (e.g., when globbing/scanning, have the libraries prefix “./” to any filename beginning with “-”). Solving this is not easy, and I suspect that several solutions will be needed. In fact, this paper became long over time because I kept finding new problems that needed explaining (new “worms under the rocks”). If I've convinced you that this needs improving, I'd like your help in figuring out how to best do it!”
* “Filename problems affect programs written in any programming language. However, they can be especially tricky to deal with when using Bourne shells (including bash and dash). If you just want to write shell programs that can handle filenames correctly, you should see the short companion article Filenames and Pathnames in Shell: How to do it correctly (http://www.dwheeler.com/essays/filenames-in-shell.html).”
* Imagine that you don't know Unix/Linux/POSIX (I presume you really do), and that you're trying to do some simple tasks. For our purposes we will create simple scripts on the command line (using a Bourne shell) for these tasks, though many of the underlying problems affect any program. For example, let's try to print out the contents of all files in the current directory, putting the contents into a file in the parent directory:

```sh
cat * > ../collection                 # WRONG
cat ./* > ../collection               # CORRECT
cat `find . -type f` > ../collection  # WRONG
( set -f ; for file in `find . -type f` ; do   # WRONG
    cat "$file"
  done ) > ../collection
( find . -type f | xargs cat ) > ../collection  # WRONG, WAY WRONG
```

* Just think about trying to remove a file named: -rf /

***

News Roundup

OpenBSD ARM64 (https://www.openbsd.org/arm64.html)
* A new page has appeared on the OpenBSD website, offering images for ARM64.
* “The current target platforms are the Pine64 and the Raspberry Pi 3.”
* “OpenBSD/arm64 bundles various platforms sharing the 64-bit ARM architecture. Due to the fact that there are many System on a Chips (SoC) around, OpenBSD/arm64 differentiates between various SoCs and may have a different level of support between them”
* The page contains a list of the devices that are supported, and which components have working drivers.
* At the time of recording, the link to download the snapshots did not work yet, but by the time this airs a week from now, it should be working.

***

The design of Chacha20 (http://loup-vaillant.fr/tutorials/chacha20-design)
* Seems like every few episodes we end up discussing ciphers (with their oh-so amusing naming) and today is no exception. We have a great writeup on the D & I of the ‘chacha20' cipher written by “Loup Vaillant”.
* First of all, is this story for you? Maybe the summary will help make that call: “Quick summary: Chacha20 is ARX-based hash function, keyed, running in counter mode. It embodies the idea that one can use a hash function to encrypt data.”
* If your eyes didn't glaze over, then you are cleared to proceed.
Chacha20 is built around stream ciphers:

While Chacha20 is mainly used for encryption, its core is a pseudo-random number generator. The cipher text is obtained by XOR'ing the plain text with a pseudo-random stream:

ciphertext = plaintext XOR chacha_stream(key, nonce)

Provided you never use the same nonce with the same key twice, you can treat that stream as a one time pad. This makes it very simple: unlike block ciphers, you don't have to worry about padding, and decryption is the same operation as encryption:

plaintext = ciphertext XOR chacha_stream(key, nonce)

Now we just have to get that stream.

The idea that the streams can mimic the concept of a one-time pad does make chacha20 very attractive, even to a non-crypto guy such as myself.

From here the article goes into depth on how the cipher scrambles 512-bit blocks using the quarter-round method (a fourth of a block, or four 32-bit numbers). Some ASCII art is used here to help visualize how this is done in the quarter-round phase, then for the complete block as the 4 quarters are run in parallel over the entire 512-bit block.

From here the article goes more into depth, looking at the complete chacha block, and the importance of a seemingly unnecessary 32-byte constant (hint: it's really important).

If crypto is something you find fascinating, you'll want to make sure you give this one a full read-through.

***

CyberChef - Coming to a FreeBSD Ports tree near you (https://twitter.com/DLangille/status/823915729430913025)

Dan Langille tweets that he will be creating a port of GCHQ's CyberChef tool

“CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser.
These operations include creating hexdumps, simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, data compression and decompression, calculating hashes and checksums, IPv6 and X.509 parsing, and much more.”

“The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. Every effort has been made to structure the code in a readable and extendable format, however it should be noted that the analyst is not a professional developer and the code has not been peer-reviewed for compliance with a formal specification.”

Some handy functions, beyond stuff like base64 encoding:

Network Enumeration (CIDR to list of IPs) (https://gchq.github.io/CyberChef/?recipe=%5B%7B%22op%22%3A%22Parse%20IP%20range%22%2C%22args%22%3A%5Btrue%2Ctrue%2Cfalse%5D%7D%5D&input=MTcyLjIxLjAuMzIvMjcK)
Browser User Agent Parser (what browser is that, based on your HTTP logs)
XOR Brute Force: enter some XOR'd text, and try every possible key to find plaintext. Optionally give it a regex of known plaintext to find the right key.
Calculate the “Shannon Entropy” of the input (how random is this data)

It also has a number of built-in regular expressions for common things, very useful

The project is up on GitHub if you want to play with the code

***

Building Electron and VSCode in FreeBSD11 (https://gist.github.com/prash-wghats/89be1ee069d2acf23c289e9c606616e1)

A patch and set of instructions for building Electron and VSCode on FreeBSD

“Visual Studio Code is a source code editor developed by Microsoft for Windows, Linux and macOS. It includes support for debugging, embedded Git control, syntax highlighting, intelligent code completion, snippets, and code refactoring.
It is also customizable, so users can change the editor's theme, keyboard shortcuts, and preferences. It is free and open-source, although the official download is under a proprietary license.”

“Visual Studio Code is based on Electron, a framework which is used to deploy Node.js applications for the desktop running on the Blink layout engine. Although it uses the Electron framework, the software is not a fork of Atom, it is actually based on Visual Studio Online's editor (codename "Monaco")”

It would be interesting to see official support for VSCode on FreeBSD

Has anyone tried VSCode on the FreeBSD Code base?

***

Beastie Bits

Soft Label Keys (http://roy.marples.name/blog/blog/soft-label-keys)
WPA1 (TKIP) disabled by default (OpenBSD) (https://www.mail-archive.com/source-changes@openbsd.org/msg84599.html)
Cool but obscure unix tools (https://kkovacs.eu/cool-but-obscure-unix-tools)
KDE Frameworks and Plasma on FreeBSD (http://euroquis.nl/bobulate/?p=1521)
Initiative to migrate OpenBSD mirrors to HTTPS (https://www.mail-archive.com/source-changes@openbsd.org/msg84904.html)
That moment you realize FreeBSD has got some Star Wars fans (http://i.imgur.com/dC7c1y4.png)
Pagelink (https://wiki.freebsd.org/PortsSubversionPrimer)
Summary

Harry Roberts (@CSSWizardry) talks with us about scaling CSS in code and across large teams. We also discuss the CSS in the Web Platform standards, the history of CSS, refactoring code, as well as projects like Houdini which aims ‘to jointly develop features that explain the “magic” of Styling and Layout on the web.'

Resources

Harry's website - http://csswizardry.com/
Github - https://github.com/csswizardry
The 3 I's of refactoring - http://csswizardry.com/2016/08/refactoring-css-the-three-i-s/
Mixins better for performance - http://csswizardry.com/2016/02/mixins-better-for-performance/
Houdini W3C Drafts Wiki - https://github.com/w3c/css-houdini-drafts/wiki
What is Houdini? - https://www.smashingmagazine.com/2016/03/houdini-maybe-the-most-exciting-development-in-css-youve-never-heard-of/
Jen Simmons on Feature Queries in CSS - https://hacks.mozilla.org/2016/08/using-feature-queries-in-css/
CSS Triggers - https://csstriggers.com/
The languages that were almost CSS - https://eager.io/blog/the-languages-which-almost-were-css/
Image issues with Base64 article - https://99designs.com.au/tech-blog/blog/2016/07/14/real-world-http-2-400gb-of-images-per-day/
Syscast: talking linux, open source, web development and system administration (DevOps)
For the 6th episode of SysCast I’m joined by Scott Arciszewski. We talk about PHP, cryptography, securing online applications, cache timing attacks, his CMS called Airship and so much more. If you like security and crypto, you’ll like this episode!

Shownotes

Scott is @CiPHPerCoder on Twitter as well as @ParagonIE
Scott works at Paragon Initiative Enterprises
CMS Airship
Secure Coding Rules
OWASP Top 10
grsecurity
You Wouldn’t Base64 a Password – Cryptography Decoded
The Cryptopals Crypto Challenges
Timing Attacks
htshells (Self contained htaccess shells and attacks)
SysCast episode on the Caddy Webserver (episode #1)
libsodium (A modern and easy-to-use crypto library)
All the crypto code you’ve ever written is probably broken
“This JPEG is also a webpage” (view source of this site!)

Feedback? Let me know via syscast@ttias.be or at @mattiasgeniar on Twitter.

Special thanks to Jeroen Flamman (@jflamman) and HPCDude (@bengui122) for cleaning up the audio and removing most of the clicks and background noise!
Ever heard someone mention AES Encoding, or MD5 Encryption? Many people in IT, Infosec, and Software development get confused about what Hashing, Encrypting, and Encoding are. We hack through the definition forest, looking for that Sequoia of understanding. We also talk about Symantec's remarks that 'Antivirus is dead' and 'not a moneymaker', and what that means to the industry as a whole.

"Enkrypto" is the program I mentioned in the podcast. It would appear that either s/he fixed it. Still shouldn't be using an 'encoding' method to store SMS if they are of a sensitive nature... The screen shots still clearly show a Base64 encoded SMS, and still show it as a 'secured' message. :( Plus, with the option to allow an encrypted PIN with 4 characters, it would be trivial to crack even an AES encrypted message. Do not buy this app... https://play.google.com/store/apps/details?id=org.enkrypto.sms

icon courtesy of http://www.differencebetween.info

Intro "Private Eye", and Outro "Honeybee" created by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 3.0 http://creativecommons.org/licenses/by/3.0/
This time on the show, we'll be showing you how to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller - one of the lead developers of OpenSSH - about some recent crypto changes in the project. If you're into data security, today's the show for you. The latest news and all your burning questions answered, right here on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

Secure communications with OpenBSD and OpenVPN (http://johnchapin.boostrot.net/blog/2013/12/07/secure-comms-with-openbsd-and-openvpn-part-1/)

Starting off today's theme of encryption...
A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic
Part 1 covers installing OpenBSD with full disk encryption (which we'll be doing later on in the show)
Part 2 covers the initial setup of OpenVPN certificates and keys
Parts 3 and 4 are the OpenVPN server and client configuration
Part 5 is some updates and closing remarks

***

FreeBSD Foundation Newsletter (https://www.freebsdfoundation.org/press/2013Dec-newsletter)

The December 2013 semi-annual newsletter was sent out from the foundation
In the newsletter you will find the president's letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored
The president's letter alone is worth the read, really amazing
Really long, with lots of details and stories from the conferences and projects

***

Use of NetBSD with Marvell Kirkwood Processors (http://evertiq.com/design/33394)

Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer
The IP-Plug is a "multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server.
The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger)."
Really cool little NetBSD ARM project with lots of graphs, pictures and details

***

Experimenting with zero-copy network IO (http://adrianchadd.blogspot.com/2013/12/experimenting-with-zero-copy-network-io.html)

Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD
Discusses the different OS' implementations and options
He's able to get 35 gbit/sec out of 70,000 active TCP sockets, but isn't stopping there
Tons of details, check the full post

***

Interview - Damien Miller - djm@openbsd.org (mailto:djm@openbsd.org) / @damienmiller (https://twitter.com/damienmiller)

Cryptography in OpenBSD and OpenSSH

Tutorial

Full disk encryption in FreeBSD & OpenBSD (http://www.bsdnow.tv/tutorials/fde)

News Roundup

OpenZFS office hours (https://www.youtube.com/watch?v=wWmVW2R_uz8)

Our buddy George Wilson (http://www.bsdnow.tv/episodes/2013_12_04-zettabytes_for_days) sat down to take some ZFS questions from the community
You can see more info about it here (http://open-zfs.org/wiki/OpenZFS_Office_Hours)

***

License summaries in pkgng (http://www.shiningsilence.com/dbsdlog/2013/12/09/12934.html)

A discussion between Justin Sherill (http://www.bsdnow.tv/episodes/2013_11_13-the_gateway_drug) and some NYCBUG guys about license frameworks in pkgng
Similar to pkgsrc's "ACCEPTABLE_LICENSES" setting, pkgng could let the user decide which software licenses he wants to allow
Maybe we could get a "pkg licenses" command to display the license of all installed packages
Ok bapt, do it

***

The FreeBSD challenge continues (http://thelinuxcauldron.com/2013/12/08/freebsd-challenge/)

Checking in with our buddy from the Linux foundation...
The switching from Linux to FreeBSD blog series continues for his month-long trial
Follow up from last week: "As a matter of fact, I did check out PC-BSD, and wanted the challenge.
Call me addicted to pain and suffering, but the pride and accomplishment you feel from diving into FreeBSD is quite rewarding."
Since we last mentioned it, he's decided to go from a VM to real hardware, got all of his common software installed, experimented with the Linux emulation, set up virtualbox, learned about slices/partitions/disk management, found BSD alternatives to his regularly-used commands and lots more

***

Ports gets a stable branch (https://svnweb.freebsd.org/ports?view=revision&revision=336615)

For the first time ever, FreeBSD's ports tree will have a maintained "stable" branch
This is similar to how pkgsrc does things, with a rolling release for updated software and a stable branch for only security and bug fixes
All commits to this branch require approval of portmgr, looks like it'll start in 2014Q1

***

Feedback/Questions

John writes in (http://slexy.org/view/s2iRV1tOzB)
Spencer writes in (http://slexy.org/view/s21gAR5lgf)
Campbell writes in (http://slexy.org/view/s203iOnFh1)
Sha'ul writes in (http://slexy.org/view/s2yUqj3vKW)
Clint writes in (http://slexy.org/view/s2egcTPBXH)

***
With this screencast I want to show how base64-encoded images have a negative effect on the cache listing, and how images can instead be inserted into a listing correctly. How to do that can also be read again here: Uploading an image The …