Podcasts about Bcrypt

✏️ Suscribirse https://youtu.be/ucwAUBUgYdw WordPress ha lanzado su versión 6.8, y está cargada de innovaciones que prometen optimizar la experiencia tanto para desarrolladores como para usuarios finales. Como siempre, aquí en Negocios y WordPress, nos gusta mantenerte al tanto de las últimas tendencias para sacar el máximo provecho de tus proyectos digitales. Acompáñanos mientras desglosamos sus novedades más relevantes y cómo puedes utilizarlas para mejorar tus sitios web. Introducción a WordPress 6.8 La versión 6.8 de WordPress viene repleta de mejoras en rendimiento, accesibilidad y seguridad. Los avances más destacados incluyen la carga especulativa para acelerar la navegación, la mejora en la seguridad mediante un nuevo cifrado de contraseñas, y múltiples actualizaciones en el editor de bloques y el sistema de estilo. A continuación, desglosamos cada mejora y te mostramos cómo implementarlas y beneficiarte de ellas. Novedades Principales de WordPress 6.8 Seguridad de Contraseñas Mejorada En esta versión, WordPress ha adoptado el cifrado Bcrypt para proteger las contraseñas de usuario. Este método de cifrado es mucho más seguro y resistente a ataques, lo que proporciona una capa adicional de seguridad para todos los sitios web que utilicen WordPress. Beneficios para ti: Seguridad Potenciada: Protege mejor las contraseñas de tus usuarios. Cumplimiento de Seguridad: Ayuda a cumplir con normativas de seguridad más estrictas. Introducción a la Carga Especulativa Una de las adiciones más emocionantes es la carga especulativa (speculative loading), la cual permite que WordPress precargue enlaces antes de que el usuario haga clic en ellos. Esto se traduce en una navegación mucho más rápida y fluida. Cómo implementarlo: Opciones por Defecto: Activa por defecto, salvo que el usuario esté logueado o que los permalinks no sean bonitos. Manipulación con Filtros: Modifica el comportamiento por defecto utilizando filtros de WordPress. Plugin de Configuración: Usa el plugin Speculative Loading para realizar cambios visuales en la configuración. Mejora en el Diseño del Stylebook El Stylebook ahora tiene un diseño más estructurado y, lo mejor de todo, ¡funciona con temas clásicos! Esta actualización hace que el proceso de diseño y personalización sea más intuitivo. Ventajas: Compatibilidad Extensa: Se puede utilizar con una amplia gama de temas clásicos. Facilidad de Uso: Hace que la personalización del diseño sea más fácil para todos los niveles de usuarios. Más de 100 Mejoras de Accesibilidad Esta versión incluye más de cien mejoras en accesibilidad, con el objetivo de hacer que WordPress sea más inclusivo para todos los usuarios. Ya seas desarrollador o cliente, la accesibilidad es clave para mejorar la experiencia de usuario y cumplir con normativas legales. Puntos Claves: Mejor Inclusión: Tus webs serán más accesibles para personas con discapacidades. Cumplimiento Legal: Facilita el cumplimiento de normativas y estándares de accesibilidad. Consultoría y Formación en WordPress Si estás buscando mejorar tus competencias en WordPress, también te ofrecemos formación y consultoría personalizada. En lamaquinadelbranding.com, Yannick proporciona cursos avanzados en WordPress y otras herramientas de marketing digital. Novedades en la Máquina de Branding Recientemente, Yannick ha lanzado un curso integral que abarca desde los aspectos más técnicos hasta la parte estratégica del diseño web. Este curso te prepara para afrontar proyectos de manera más completa y profesional, aportando más valor a tus clientes. Contenido del Curso: Desarrollo Web: Aprende técnicas avanzadas. Auditorías: Mejora tus webs realizando auditorías efectivas. Marketing Estratégico: Conviértete en un desarrollador más completo. Patrocinador: Crocoblock Nos complace anunciar que Crocoblock es el patrocinador de este episodio. Este potente conjunto de plugins para WordPress incluye herramientas como JetEngine, que facilita la creación de estructuras personalizadas en tu sitio web. Ventajas de JetEngine Creación de CPT (Custom Post Types): Organiza y gestiona tus contenidos de manera avanzada. Query Builder: Realiza consultas complejas sin necesidad de saber código. Compatibilidad: Funciona con Gutenberg, Elementor y Bricks. Para obtener más información y disfrutar de un descuento exclusivo, visita nuestro enlace de afiliado: Crocoblock. Consejos Prácticos para Tus Proyectos Optimización de Contraseñas ⬥ Uso de Bitwarden: Este gestor de contraseñas te permite enviar contraseñas de forma segura y encriptada. Aquí te mostramos cómo usarlo: Descargar e Instalar: Ve a Bitwarden y crea una cuenta. Envío Seguro: Desde el panel de Bitwarden, selecciona 'Enviar' y configura el envío seguro de contraseñas. Compartir: Comparte el enlace encriptado con los destinatarios necesarios. Alternativas: Password Pusher KeysForWeb HTTP Shortcuts Este pequeño pero poderoso truco te permitirá realizar llamadas HTTP rápidas y automatizadas desde tu móvil, optimizando tus flujos de trabajo. Descarga la App: Instala HTTP Shortcuts desde tu tienda de aplicaciones. Configuración: Crea atajos con los parámetros necesarios para tus consultas API. Automatización: Usa estos atajos para lanzar rápidamente funcionalidades complejas. Participa en la Comunidad WordPress No olvides unirte a eventos locales y WordCamps. Por ejemplo, la WordCampBilbao 2025 es una excelente oportunidad para aprender, hacer networking y contribuir al proyecto. Highlights de la WordCamp Bilbao Ponencias de Calidad: Incluidas las de Yannick, experto en marketing y desarrollo web. Talleres Prácticos: Desde optimización de SEO hasta estrategias de marketing digital. Conclusión WordPress 6.8 ofrece una serie de mejoras significativas en rendimiento, seguridad y diseño. Aprovecha estas actualizaciones para llevar tus proyectos al siguiente nivel y no olvides explorar las opciones avanzadas que ofrecen plugins como JetEngine de Crocoblock. ¿Qué esperas para implementar estas novedades? Deja tus comentarios y cuéntanos cómo estos cambios están afectando tus proyectos. Además, suscríbete a nuestro grupo de Telegram para estar al tanto de las últimas actualizaciones y recursos. ¡Nos vemos en WordCamp Bilbao! FAQ ¿Qué es la carga especulativa en WordPress 6.8?Es una técnica que permite precargar enlaces antes de que los usuarios hagan clic, acelerando la navegación. ¿Cómo mejora la seguridad de contraseñas en esta versión?WordPress 6.8 utiliza el cifrado Bcrypt, que es más seguro y resistente a ataques. ¿Qué es JetEngine y cómo puede ayudarme?JetEngine es un plugin de Crocoblock que facilita la creación de estructuras personalizadas en WordPress, como CPTs, taxonomías y más. ¡Esperamos tus comentarios y que te suscribas para más contenido como este!

In this episode of WP Builds entitled "Feeling Insecure? Episode #3," Nathan Wrigley and Tim Nash explore various aspects of WordPress security. Tim shares insights into his background in cybersecurity, including his past experience with physical penetration testing. We discuss the Patchstack report on WordPress security, noting an increase in vulnerabilities but reassuring listeners that more vulnerabilities being found isn't necessarily alarming. We get into the complexity of vulnerabilities, security measures like hashing and encryption, and changes coming in WordPress 6.8. The episode highlights the importance of updates and ends with a positive outlook on security advancements. It's a tin foil hat episode, and I hope that you enjoy it!

John Blackbourn discusses significant security enhancements in WordPress 6.8, notably switching to Bcrypt for password storage. The conversation highlights evolving perceptions of open-source security and upcoming events like the CloudFest Hackathon.

Episode 97: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joel jump into some cool news items, including a recent Okta Bcrypt vulnerability, insights into crypto bugs, and some intricacies of Android and Chrome security. They also explore the latest research from Portswigger on payload concealment techniques, and the introduction of the Lightyear tool for PHP exploits.Follow us on twitter at: @ctbbpodcastWe're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!------ Links ------Follow your hosts Rhynorater & Teknogeek on twitter:https://twitter.com/0xteknogeekhttps://twitter.com/rhynorater------ Ways to Support CTBBPodcast ------Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.Today's Sponsor - ThreatLocker: Check out Network Control!https://www.criticalthinkingpodcast.io/tl-ncResourcesOkta bcryptAndroid Web Attack Surface WriteupsConcealing payloads in URL credentialsDumping PHP files with LightyearLimit maximum number of filter chainsDom-Explorer tool launchedMultiHTMLParseJSON CrackCaido/Burp notes pluginTimestamps(00:00:00) Introduction(00:02:43) Okta Release and bcrypt(00:10:26) Android Web Attack Surface Writeups(00:20:21) More Portswigger Research(00:28:29) Lightyear and PHP filter chains(00:35:09) Dom-Explorer(00:45:24) The JSON Debate(00:49:59) Notes plugin for Burp and Caido

Podcast 770 is totally not a re-branded Podcast 680. It may have the same CUDA core count, but the memory is clocked slightly higher. Also, this one has a [REDACTED] that you won't want to miss!Includes Cisco Firewalls on Fire, and a really cracking story on cracking Bcrypt!  (plus use a longer password!)Timestamps:00:00 Intro03:12 Food with Josh05:21 A very long discussion about Intel 13th and 14th Gen Core i9 stability21:57 Rumor points to reuse of 18 Gbps GDDR6 for RDNA 4 GPUs25:48 Intel Arc beta driver boosts DX11 performance again29:24 Battlemage will supposedly offer uncompressed 8K 144 Hz30:28 Find out what October 2025 means for Microsoft product support33:53 Windows 11 Starts to add ads35:47 Latest builds of Windows 11 require SSE 4.239:58 (in)Security Corner50:43 Gaming Quick Hits55:34 Drop CSTM65 keyboard review1:02:04 Picks of the Week1:13:08 Another smooth outro ★ Support this podcast on Patreon ★

The DOJ indicts four Iranian nationals on hacking charges. Legislation to ban or force the sale of TikTok heads to the President's desk. A Russian hack group claims a cyberattack on an Indiana water treatment plant. A roundup of dark web data leaks. Mandiant monitors dropping dwell times. Bcrypt bogs down brute-forcing. North Korean hackers target defense secrets. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey. On our Industry Voices segment, Tony Velleca, CEO of CyberProof, joins us to explore some of the pain points that CISOs & CIOs are experiencing today, and how they can improve their cyber readiness. Ransomware may leave the shelves in Sweden's liquor stores bare.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guests Learning Layer On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe discuss content and study strategies for CISSP Domain 3 Security Architecture and Engineering, and discuss encryption and non-repudiation. Specifically they cover sub-domain 3.6, "Select and determine cryptographic solutions," which includes: Cryptographic life cycle Cryptographic method Public key infrastructure (PKI). Industry Voices On our Industry Voices segment, Tony Velleca, CEO of CyberProof, joins us to explore some of the pain points that CISOs & CIOs are experiencing today, and how they can improve their cyber readiness.  Selected Reading Rewards Up to $10 Million for Information on Iranian Hackers (GB Hackers) Congress passes bill that could ban TikTok after years of false starts (Washington Post) Russian hackers claim cyberattack on Indiana water plant (The Record) Major Data Leaks from Honda Vietnam, US Airports, and Chinese Huawei/iPhone Users (SOCRadar® Cyber Intelligence Inc.) Global attacker median dwell time continues to fall (Help Net Security) New Password Cracking Analysis Targets Bcrypt (SecurityWeek) North Korean Hackers Target Dozens of Defense Companies (Infosecurity Magazine) ​​Hackers hijack antivirus updates to drop GuptiMiner malware (Bleeping Computer) Sweden's liquor shelves to run empty this week due to ransomware attack (The Record) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager Resources on Github The risk of long-term persistent cookies in browsers Why mainframe industries still require weak passwords A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT Melissa.com/twit bitwarden.com/twit kolide.com/securitynow

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager Resources on Github The risk of long-term persistent cookies in browsers Why mainframe industries still require weak passwords A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT Melissa.com/twit bitwarden.com/twit kolide.com/securitynow

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager Resources on Github The risk of long-term persistent cookies in browsers Why mainframe industries still require weak passwords A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT Melissa.com/twit bitwarden.com/twit kolide.com/securitynow

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager Resources on Github The risk of long-term persistent cookies in browsers Why mainframe industries still require weak passwords A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT Melissa.com/twit bitwarden.com/twit kolide.com/securitynow

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager Resources on Github The risk of long-term persistent cookies in browsers Why mainframe industries still require weak passwords A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT Melissa.com/twit bitwarden.com/twit kolide.com/securitynow

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager Resources on Github The risk of long-term persistent cookies in browsers Why mainframe industries still require weak passwords A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT Melissa.com/twit bitwarden.com/twit kolide.com/securitynow

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager Resources on Github The risk of long-term persistent cookies in browsers Why mainframe industries still require weak passwords A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT Melissa.com/twit bitwarden.com/twit kolide.com/securitynow

"Death, Lonely Death" by Doug Muir, about the decades-old Voyager 1 explorer Cory Doctorow's Visions of the Future Humble Book Bundle CTRL-K shortcut for search on a browser Direct bootable image downloading for GRC's servers Closing the loop on compromised emails Taco Bell's passwordless app A solution for Bcrypt's password length limit of 72 bytes Data as the missing piece for law enforcement and privacy advocates The token solution for email-only login Apple's Password Manager Resources on Github The risk of long-term persistent cookies in browsers Why mainframe industries still require weak passwords A conundrum involving an exploitable Response Header error and a bounty payment. An inspection of Apple's new Post-Quantum Encryption upgrade Show Notes - https://www.grc.com/sn/SN-964-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: GO.ACILEARNING.COM/TWIT Melissa.com/twit bitwarden.com/twit kolide.com/securitynow

Here are my 100 interesting things to learn about cryptography: For a 128-bit encryption key, there are 340 billion billion billion billion possible keys. [Calc: 2**128/(1e9**4)] For a 256-bit encryption key, there are 115,792 billion billion billion billion billion billion billion billion possible keys. [Calc: 2**256/(1e9**8)] To crack a 128-bit encryption with brute force using a cracker running at 1 Teracracks/second, will take — on average — 5 million million million years to crack. Tera is 1,000 billion. [Calc: 2**128/100e9/2/60/60/24/365/(1e6**3)] For a 256-bit key this is 1,835 million million million million million million million million million years. For the brute force cracking of a 35-bit key symmetric key (such as AES), you only need to pay for the boiling of a teaspoon of energy. For a 50-bit key, you just need to have enough money to pay to boil the water for a shower. For a 90-bit symmetric key, you would need the energy to boil a sea, and for a 105-bit symmetric key, you need the energy to boil and ocean. For a 128-bit key, there just isn't enough water on the planet to boil for that. Ref: here. With symmetric key encryption, anything below 72 bits is relatively inexpensive to crack with brute force. One of the first symmetric key encryption methods was the LUCIFER cipher and was created by Horst Feistel at IBM. It was further developed into the DES encryption method. Many, at the time of the adoption of DES, felt that its 56-bit key was too small to be secure and that the NSA had a role in limiting them. With a block cipher, we only have to deal with a fixed size of blocks. DES and 3DES use a 64-bit (eight-byte) block size, and AES uses a 128-bit block size (16 bytes). With symmetric key methods, we either have block ciphers, such as DES, AES CBC and AES ECB, or stream ciphers, such as ChaCha20 and RC4. In order to enhance security, AES has a number of rounds where parts of the key are applied. With 128-bit AES we have 10 rounds, and 14 rounds for 256-bit AES. In AES, we use an S-box to scramble the bytes, and which is applied for each round. When decrypting, we have the inverse of the S-box used in the encrypting process. A salt/nonce or Initialisation Vector (IV) is used with an encryption key in order to change the ciphertext for the same given input. Stream ciphers are generally much faster than block cipers, and can generally be processed in parallel. With the Diffie-Hellman method. Bob creates x and shares g^x (mod p), and Alice creates y, and shares g^y (mod p). The shared key is g^{xy} (mod p). Ralph Merkle — the boy genius — submitted a patent on 5 Sept 1979 and which outlined the Merkle hash. This is used to create a block hash. Ralph Merkle's PhD supervisor was Martin Hellman (famous as the co-creator of the Diffie-Hellman method). Adi Shamir defines a secret share method, and which defines a mathematical equation with the sharing of (x,y), and where a constant value in the equation is the secret. With Shamir Secret Shares (SSS), for a quadratic equation of y=x²+5x+6, the secret is 6. We can share three points at x=1, x=2 and y=3, and which gives y=12, y=20, and y=20, respectively. With the points of (1,12), (2,20), and (3,20), we can recover the value of 6. Adi Shamir broke the Merkle-Hellman knapsack method at a live event at a rump session of a conference. With secret shares, with the highest polynomial power of n, we need n+1 points to come together to regenerate the secret. For example, y=2x+5 needs two points to come together, while y=x²+15x+4 needs three points. The first usable public key method was RSA — and created by Rivest, Shamir and Adleman. It was first published in 1979 and defined in the RSA patent entitled “Cryptographic Communications System and Method”. In public key encryption, we use the public key to encrypt data and the private key to decrypt it. In digital signing, we use the private key to sign a hash and create a digital signature, and then the associated public key to verify the signature. Len Adleman — the “A” in the RSA method — thought that the RSA paper would be one of the least significant papers he would ever publish. The RSA method came to Ron Rivest while he slept on a couch. Martin Gardner published information on the RSA method in his Scientific American article. Initially, there were 4,000 requests for the paper (which rose to 7,000), and it took until December 1977 for them to be posted. The security of RSA is based on the multiplication of two random prime numbers (p and q) to give a public modulus (N). The difficulty of RSA is the difficulty in factorizing this modulus. Once factorized, it is easy to decrypt a ciphertext that has been encrypted using the related modulus. In RSA, we have a public key of (e,N) and a private key of (d,N). e is the public exponent and d is the private exponent. The public exponent is normally set at 65,537. The binary value of 65,537 is 10000000000000001 — this number is efficient in producing ciphertext in RSA. In RSA, the ciphertext is computed from a message of M as C=M^e (mod N), and is decrypted with M=C^d (mod N). We compute the the private exponent (d) from the inverse of the public exponent (e) modulus PHI, and where PHI is (p-1)*(q-1). If we can determine p and q, we can compute PHI. Anything below a 738-bit public modulus is relatively inexpensive to crack for RSA. To crack 2K RSA at the current time, we would need the energy to boil ever ocean on the planet to break it. RSA requires padding is required for security. A popular method has been PCKS#1v1.5 — but this is not provably secure and is susceptible to Bleichenbacher's attack. An improved method is Optimal Asymmetric Encryption Padding (OAEP) and was defined by Bellare and Rogaway and standardized in PKCS#1 v2. The main entity contained in a digital certificate is the public key of a named entity. This is either an RSA or an Elliptic Curve key. A digital certificate is signed with the private key of a trusted entity — Trent. The public key of Trent is then used to prove the integrity and trust of the associated public key. For an elliptic curve of y²=x³+ax+b (mod p), not every (x,y) point is possible. The total number of points is defined as the order (n). ECC (Elliptic Curve Cryptography) was invented by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography algorithms did not take off until 2004. In ECC, the public key is a point on the elliptic curve. For secp256k1, we have a 256-bit private key and a 512-bit (x,y) point for the public key. A “04” in the public key is an uncompressed public key, and “02” and “03” are compressed versions with only the x-co-ordinate and whether the y coordinate is odd or even. Satoshi selected the secp256k1 curve for Bitcoin, and which gives the equivalent of 128-bit security. The secp256k1 curve uses the mapping of y²=x³ + 7 (mod p), and is known as a Short Weierstrass (“Vier-strass”) curve. The prime number used with secp256k1 is 2²⁵⁶-2³²-2⁹-2⁸-2⁷-2⁶-2⁴-1. An uncompressed secp256k1 public key has 512 bits and is an (x,y) point on the curve. The point starts with a “04”. A compressed secp256k1 public key only stores the x-co-ordinate value and whether the y coordinate is odd or even. It starts with a “02” if the y-co-ordinate is even; otherwise, it starts with a “03”. In computing the public key in ECC of a.G, we use the Montgomery multiplication method and which was created by Peter Montgomery in 1985, in a paper entitled, “Modular Multiplication without Trial Division.” Elliptic Curve methods use two basic operations: point address (P+Q) and point doubling (2.P). These can be combined to provide the scalar operation of a.G. In 1999, Don Johnson Alfred Menezes published a classic paper on “The Elliptic Curve Digital Signature Algorithm (ECDSA)”. It was based on the DSA (Digital Signature Algorithm) — created by David W. Kravitz in a patent which was assigned to the US. ECDSA is a digital signature method and requires a random nonce value (k), and which should never be reused or repeated. ECDSA is an elliptic curve conversion of the DSA signature method. Digital signatures are defined in FIPS (Federal Information Processing Standard) 186–5. NIST approved the Rijndael method (led by Joan Daemen and Vincent Rijmen) for Advanced Encryption Standard (AES). Other contenders included Serpent (led by Ross Anderson), TwoFish (led by Bruce Schneier), MARS (led by IBM), and RC6 (led by Ron Rivest). ChaCha20 is a stream cipher that is based on Salsa20 and developed by Daniel J. Bernstein. MD5 has a 128-bit hash, SHA-1 has 160 bits and SHA-256 has 256-bits. It is relatively easy to create a hash collision with MD5. Google showed that it was possible to create a signature collision for a document with SHA-1. It is highly unlikely to get a hash collision for SHA-256. In 2015, NIST defined SHA-3 as a standard, and which was built on the Keccak hashing family — and which used a different method to SHA-2. The Keccak hash family uses a sponge function and was created by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche and standardized by NIST in August 2015 as SHA-3. Hash functions such as MD5, SHA-1 and SHA-256 have a fixed hash length, whereas an eXtendable-Output Function (XOF) produces a bit string that can be of any length. Examples are SHAKE128, SHAKE256, BLAKE2XB and BLAKE2XS. BLAKE 3 is the fastest cryptographically secure hashing method and was created by Jack O'Connor, Jean-Philippe Aumasson, Samuel Neves, and Zooko Wilcox-O'Hearn. Hashing methods can be slowed down with a number of rounds. These slower hashing methods include Bcrypt, PBKDF2 and scrypt. Argon 2 uses methods to try and break GPU cracking, such as using a given amount of memory and defining the CPU utlization. To speed up the operation of the SHA-3 hash, the team reduced the security of the method and reduce the number of rounds. The result is the 12 Kangaroo's hashing method. The number of rounds was reduced from 24 to 12 (with a security level of around 128 bits). Integrated Encryption Scheme (IES) is a hybrid encryption scheme which allows Alice to get Bob's public key and then generate an encryption key based on this public key, and she will use her private key to recover the symmetric. With ECIES, we use elliptic curve methods for the public key part. A MAC (Message Authentication Code) uses a symmetric key to sign a hash, and where Bob and Alice share the same secret key. The most popular method is HMAC (hash-based message authentication code). The AES block cipher can be converted into a stream cipher using modes such as GCM (Galois Counter Mode) and CCM (counter with cipher block chaining message authentication code; counter with CBC-MAC). A MAC is added to a symmetric key method in order to stop the ciphertext from being attacked by flipping bits. GCM does not have a MAC, and is thus susceptible to this attack. CCM is more secure, as it contains a MAC. With symmetric key encryption, we must remove the encryption keys in the reverse order they were applied. Commutative encryption overcomes this by allowing the keys to be removed in any order. It is estimated that Bitcoin miners consume 17.05 GW of electrical power per day and 149.46 TWh per year. A KDF (Key Derivation Function) is used to convert a passphrase or secret into an encryption key. The most popular methods are HKDF, PBKDF2 and Bcrypt. RSA, ECC and Discrete Log methods will all be cracked by quantum computers using Shor's algorithm Lattice methods represent bit values as polynomial values, such as 1001 is x³+1 as a polynomial. Taher Elgamal — the sole inventor of the ElGamal encryption method — and Paul Koche were the creators of SSL, and developed it for the Netscape browser. David Chaum is considered as a founder of electronic payments and, in 1983, created ECASH, along with publishing a paper on “Blind signatures for untraceable payments”. Satoshi Nakamoto worked with Hal Finney on the first versions of Bitcoin, and which were created for a Microsoft Windows environment. Blockchains can either be permissioned (requiring rights to access the blockchain) or permissionless (open to anyone to use). Bitcoin and Ethereum are the two most popular permissionless blockchains, and Hyperledger is the most popular permissioned ledger. In 1992, Eric Hughes, Timothy May, and John Gilmore set up the cypherpunk movement and defined, “We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.” In Bitcoin and Ethereum, a private key (x) is converted to a public key with x.G, and where G is the base point on the secp256k1 curve. Ethereum was first conceived in 2013 by Vitalik Buterin, Gavin Wood, Charles Hoskinson, Anthony Di Iorio and Joseph Lubin. It introduced smaller blocks, improved proof of work, and smart contracts. NI-ZKPs involves a prover (Peggy), a verifier (Victor) and a witness (Wendy) and were first defined by Manuel Blum, Paul Feldman, and Silvio Micali in their paper entitled “Non-interactive zero-knowledge and its applications”. Popular ZKP methods include ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) and ZK-STARKs (Zero-Knowledge Scalable Transparent Argument of Knowledge). Bitcoin and Ethereum are pseudo-anonymised, and where the sender and recipient of a transaction, and its value, can be traced. Privacy coins enable anonymous transactions. These include Zcash and Monero. In 1992, David Chaum and Torben Pryds Pedersen published “Wallet databases with observers,” and outlined a method of shielding the details of a monetary transaction. In 1992, Adi Shamir (the “S” in RSA) published a paper on “How to share a secret” in the Communications of the ACM. This supported the splitting of a secret into a number of shares (n) and where a threshold value (t) could be defined for the minimum number of shares that need to be brought back together to reveal the secret. These are known as Shamir Secret Shares (SSS). In 1991, Torbin P Pedersen published a paper entitled “Non-interactive and information-theoretic secure verifiable secret sharing” — and which is now known as Pedersen Commitment. This is where we produce our commitment and then show the message that matches the commitment. Distributed Key Generation (DKG) methods allow a private key to be shared by a number of trusted nodes. These nodes can then sign for a part of the ECDSA signature by producing a partial signature with these shares of the key. Not all blockchains use ECDSA. The IOTA blockchain uses the EdDSA signature, and which uses Curve 25519. This is a more lightweight signature version and has better support for signature aggregation. It uses Twisted Edwards Curves. The core signing method used in EdDSA is based on the Schnorr signature scheme and which was created by Claus Schnorr in 1989. This was patented as a “Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system”. The patent ran out in 2008. Curve 25519 uses the prime number of 2²⁵⁵-19 and was created by Daniel J. Bernstein. Peter Shor defined that elliptic curve methods can be broken with quantum computers. To overcome the cracking of the ECDSA signature from quantum computers, NIST are standardising a number of methods. At present, this focuses on CRYSTALS-Dilithium, and which is a lattice cryptography method. Bulletproofs were created in 2017 by Stanford's Applied Cryptography Group (ACG). They define a zero-knowledge proof as where a value can be checked to see it lies within a given range. The name “bulletproofs” is defined as they are short, like a bullet, and with bulletproof security assumptions. Homomorphic encryption methods allow for the processing of encrypted values using arithmetic operations. A public key is used to encrypt the data, and which can then be processed using an arithmetic circuit on the encrypted data. The owner of the associated private key can then decrypt the result. Some traditional public key methods enable partial homomorphic encryption. RSA and ElGamal allow for multiplication and division, whilst Pailier allows for homomorphic addition and subtraction. Full homomorphic encryption (FHE) supports all of the arithmetic operations and includes Fan-Vercauteren (FV) and BFV (Brakerski/Fan-Vercauteren) for integer operations and HEAAN (Homomorphic Encryption for Arithmetic of Approximate Numbers) for floating point operations. Most of the Full Homomorphic encryption methods use lattice cryptography. Some blockchain applications use Barreto-Lynn-Scott (BLS) curves which are pairing-friendly. They can be used to implement Bilinear groups and which are a triplet of groups (G1, G2 and GT), so that we can implement a function e() such that e(g1^x,g2^y)=gT^{xy}. Pairing-based cryptography is used in ZKPs. The main BLS curves used are BLS12–381, BLS12–446, BLS12–455, BLS12–638 and BLS24–477. An accumulator can be used for zero-knowledge proof of knowledge, such as using a BLS curve to create to add and remove proof of knowledge. Metamask is one of the most widely used blockchain wallets and can integrate into many blockchains. Most wallets generate the seed from the operating system and where the browser can use the Crypto.getRandomValues function, and compatible with most browsers. With a Verifiable Delay Function (VDF), we can prove that a given amount of work has been done by a prover (Peggy). A verifier (Victor) can then send the prover a proof value and compute a result which verifies the work has been done, with the verifier not needing to do the work but can still prove the work has been done. A Physical Unclonable Functions (PUFs) is a one-way function which creates a unique signature pattern based on the inherent delays within the wires and transistors. This can be used to link a device to an NFT.

Presento las novedades de las verisón 9.6 a 10 de ResourceSpace 9.6 Nuevas funcionalidades La capacidad de mensajería de usuario a usuario añade una funcionalidad interactiva / social basada en el perfil de usuario añadido en la última versión. Mostrar Nuevos informes que se pueden ejecutar contra un subconjunto de recursos sólo directamente desde los resultados de la búsqueda. Muéstrame Mejoras en la funcionalidad existente Una mejora significativa de las herramientas de imagen con una barra de herramientas de iconos y la selección de tamaño predefinido para los formatos de medios sociales comunes. Muéstrame Se ha añadido una forma de eliminar colecciones en bloque en la página Mis colecciones para ayudar a limpiar rápidamente las colecciones que no se utilizan. Muéstrame Una revisión de la funcionalidad de empalme de vídeo con una interfaz más visual. Integración de Mapas de Folletos para la visualización de resultados geográficos. Actualización de la función de zoom de las imágenes para utilizar OpenSeadragon. Estética Simplificación de la visualización del registro de recursos para que los detalles estén ocultos por defecto. El usuario puede hacer clic para mostrar los detalles, como los detalles completos del cambio en un campo de metadatos. Cuando se edita un recurso, la imagen de vista previa permanece a la vista en un nuevo panel de la derecha como recordatorio del recurso que se está editando. Se ha mejorado la visualización de los mosaicos del tablero con una cabecera sombreada y un tamaño que coincide con el de los mosaicos de la Colección Destacada. Se ha añadido la paginación, la clasificación y las acciones masivas a Mis mensajes. Varios Se han eliminado los modos de carga local/ftp por lotes, ya que han sido sustituidos por las cargas en el navegador y StaticSync. Se ha eliminado la posibilidad de enviar correos electrónicos (Bulk Mail), ya que se ha sustituido por la mensajería de usuario a usuario dentro de la aplicación. Se ha actualizado el algoritmo de hash de contraseñas a Argon2 (o BCrypt para versiones antiguas de PHP). La búsqueda por asterisco hace una búsqueda en blanco, para evitar la confusión de los usuarios acostumbrados a sistemas que requieren un asterisco para devolver todos los resultados. Al escribir comentarios es posible enlazar a recursos y colecciones mediante el formato 'r1234' o 'c1234'.

About DanDan Moore is head of developer relations for FusionAuth, where he helps share information about authentication, authorization and security with developers building all kinds of applications.A former CTO, AWS certification instructor, engineering manager and a longtime developer, he's been writing software for (checks watch) over 20 years.Links Referenced: FusionAuth: https://fusionauth.io Twitter: https://twitter.com/mooreds TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at AWS AppConfig. Engineers love to solve, and occasionally create, problems. But not when it's an on-call fire-drill at 4 in the morning. Software problems should drive innovation and collaboration, NOT stress, and sleeplessness, and threats of violence. That's why so many developers are realizing the value of AWS AppConfig Feature Flags. Feature Flags let developers push code to production, but hide that that feature from customers so that the developers can release their feature when it's ready. This practice allows for safe, fast, and convenient software development. You can seamlessly incorporate AppConfig Feature Flags into your AWS or cloud environment and ship your Features with excitement, not trepidation and fear. To get started, go to snark.cloud/appconfig. That's snark.cloud/appconfig.Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig secures your cloud from source to run. They believe, as do I, that DevOps and security are inextricably linked. If you wanna learn more about how they view this, check out their blog, it's definitely worth the read. To learn more about how they are absolutely getting it right from where I sit, visit Sysdig.com and tell them that I sent you. That's S Y S D I G.com. And my thanks to them for their continued support of this ridiculous nonsense.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I am joined today on this promoted episode, which is brought to us by our friends at FusionAuth by Dan Moore, who is their head of DevRel at same. Dan, thank you for joining me.Dan: Corey, thank you so much for having me.Corey: So, you and I have been talking for a while. I believe it predates not just you working over at FusionAuth but me even writing the newsletter and the rest. We met on a leadership Slack many years ago. We've kept in touch ever since, and I think, I haven't run the actual numbers on this, but I believe that you are at the top of the leaderboard right now for the number of responses I have gotten to various newsletter issues that I've sent out over the years.And it's always something great. It's “Here's a link I found that I thought that you might appreciate.” And we finally sat down and met each other in person, had a cup of coffee somewhat recently, and the first thing you asked was, “Is it okay that I keep doing this?” And at the bottom of the newsletter is “Hey, if you've seen something interesting, hit reply and let me know.” And you'd be surprised how few people actually take me up on it. So, let me start by thanking you for being as enthusiastic a contributor of the content as you have been.Dan: Well, I appreciate that. And I remember the first time I ran across your newsletter and was super impressed by kind of the breadth of it. And I guess my way of thanking you is to just send you interesting tidbits that I run across. And it's always fun when I see one of the links that I sent go into the newsletter because what you provide is just such a service to the community. So, thank you.Corey: The fun part, too, is that about half the time that you send a link in, I already have it in my queue, or I've seen it before, but not always. I talked to Jeff Barr about this a while back, and apparently, a big Amazonian theme that he lives by is two is better than zero. He'd rather two people tell him about a thing than no one tells him about the thing. And I've tried to embody that. It's the right answer, but it's also super tricky to figure out what people have heard or haven't heard. It leads to interesting places. But enough about my nonsense. Let's talk about your nonsense instead. So, FusionAuth; what do you folks do over there?Dan: So, FusionAuth is an auth provider, and we offer a Community Edition, which is downloadable for free; we also offer premium editions, but the space we play in is really CIAM, which is Customer Identity Access Management. Very similar to Auth0 or Cognito that some of your listeners might have heard of.Corey: If people have heard about Cognito, it's usually bracketed by profanity, in one direction or another, but I'm sure we'll get there in a minute. I will say that I never considered authentication to be a differentiator between services that I use. And then one day I was looking for a tool—I'm not going to name what it was just because I don't really want to deal with the angry letters and whatnot—but I signed up for this thing to test it out, and “Oh, great. So, what's my password?” “Oh, we don't use passwords. We just every time you want to log in, we're going to email you a link and then you go ahead and click the link.”And I hadn't seen something like that before. And my immediate response to that was, “Okay, this feels like an area they've decided to innovate in.” Their core business is basically information retention and returning it to you—basically any CRUD app. Yay. I don't think this is where I want them to be innovating.I want them to use the tried and true solutions, not build their own or be creative on this stuff, so it was a contributor to me wanting to go in a different direction. When you start doing things like that, there's no multi-factor authentication available and you start to wonder, how have they implemented this? What corners have they cut? Who's reviewed this? It just gave me a weird feeling.And that was sort of the day I realized that authentication for me is kind of like crypto, by which I mean cryptography, not cryptocurrency, I want to be very clear on, here. You should not roll your own cryptography, you should not roll your own encryption, you should buy off-the-shelf unless you're one of maybe five companies on the planet. Spoiler, if you're listening to this, you are almost certainly not one of them.Dan: [laugh]. Yeah. So, first of all, I've been at FusionAuth for a couple of years. Before I came to FusionAuth, I had rolled my own authentication a couple of times. And what I've realized working there is that it really is—there a couple of things worth unpacking here.One is you can now buy or leverage open-source libraries or other providers a lot more than you could 15 or 20 years ago. So, it's become this thing that can be snapped into your architecture. The second is, auth is the front door to application. And while it isn't really that differentiated—I don't think most applications, as you kind of alluded to, should innovate there—it is kind of critical that it runs all the time that it's safe and secure, that it's accessible, that it looks like your application.So, at the same time, it's undifferentiated, right? Like, at the end of the day, people just want to get through authentication and authorization schemes into your application. That is really the critical thing. So, it's undifferentiated, it's critical, it needs to be highly available. Those are all things that make it a good candidate for outsourcing.Corey: There are a few things to unpack there. First is that everything becomes commoditized in the fullness of time. And this is a good thing. Back in the original dotcom bubble, there were entire teams of engineers at all kinds of different e-commerce companies that were basically destroying themselves trying to build an online shopping cart. And today you wind up implementing Shopify or something like it—which is usually Shopify—and that solves the problem for you. This is no longer a point of differentiation.If I want to start selling physical goods on the internet, it feels like it'll take me half an hour or so to wind up with a bare-bones shopping cart thing ready to go, and then I just have to add inventory. Authentication feels like it was kind of the same thing. I mean, back in that song from early on in internet history “Code Monkey” talks about building a login page as part of it, and yeah, that was a colossal pain. These days, there are a bunch of different ways to do that with folks who spend their entire careers working on this exact problem so you can go and work on something that is a lot more core and central to the value that your business ostensibly provides. And that seems like the right path to go down.But this does lead to the obvious counter-question of how is it that you differentiate other than, you know, via marketing, which again, not the worst answer in the world, but it also turns into skeezy marketing. “Yes, you should use this other company's option, or you could use ours and we don't have any intentional backdoors in our version.” “Hmm. That sounds more suspicious and more than a little bit frightening. Tell me more.” “No, legal won't let me.” And it's “Okay.” Aside from the terrible things, how do you differentiate?Dan: I liked that. That was an oddly specific disclaimer, right? Like, whenever a company says, “Oh, yeah, no.” [laugh].Corey: “My breakfast cereal has less arsenic than leading brands.”Dan: Perfect. So yeah, so FusionAuth realizes that, kind of, there are a lot of options out there, and so we've chosen to niche down. And one of the things that we really focus on is the CIAM market. And that stands for Customer Identity Access Management. And we can dive into that a little bit later if you want to know more about that.We have a variety of deployment options, which I think differentiates us from a lot of the SaaS providers out there. You can run us as a self-hosted option with, by the way, professional-grade support, you can use us as a SaaS provider if you don't want to run it yourself. We are experts in operating this piece of software. And then thirdly, you can move between them, right? It's your data, so if you start out and you're bare bones and you want to save money, you can start with self-hosted, when you grow, move to the SaaS version.Or we actually have some bigger companies that kickstart on the SaaS version because they want to get going with this integration problem and then later, as they build out their capabilities, they want the option to move it in-house. So, that is a really key differentiator for us. The last one I'd say is we're really dev-focused. Who isn't, right? Everyone says they're dev-focused, but we live that in terms of our APIs, in terms of our documentation, in terms of our open development process. Like, there's actually a GitHub issues list you can go look on the FusionAuth GitHub profile and it shows exactly what we have planned for the next couple of releases.Corey: If you go to one of my test reference applications, lasttweetinaws.com, as of the time of this recording at least, it asks you to authenticate with your Twitter account. And you can do that, and it's free; I don't charge for any of these things. And once you're authenticated, you can use it to author Twitter threads because I needed it to exist, first off, and secondly, it makes a super handy test app to try out a whole bunch of different things.And one of the reasons you can just go and use it without registering an account for this thing or anything else was because I tried to set that up in an early version with Cognito and immediately gave the hell up and figured, all right, if you can find the URL, you can use this thing because the experience was that terrible. If instead, I had gone down the path of using FusionAuth, what would have made that experience different, other than the fact that Cognito was pretty clearly a tech demo at best rather than something that had any care, finish, spit and polish went into it.Dan: So, I've used Cognito. I'm not going to bag on Cognito, I'm going to leave that to—[laugh].Corey: Oh, I will, don't worry. I'll do all the bagging on Cognito you'd like because the problem is, and I want to be clear on this point, is that I didn't understand what it was doing because the interface was arcane, and the failure mode of everything in this entire sector, when the interface is bad, the immediate takeaway is not “This thing's a piece of crap.” It's, “Oh, I'm bad at this. I'm just not smart enough.” And it's insulting, and it sets me off every time I see it. So, if I feel like I'm coming across as relatively annoyed by the product, it's because it made me feel dumb. That is one of those cardinal sins, from my perspective. So, if you work on that team, please reach out. I would love to give you a laundry list of feedback. I'm not here to make you feel bad about your product; I'm here to make you feel bad about making your customers feel bad. Now please, Dan, continue.Dan: Sure. So, I would just say that one of the things that we've strived to do for years and years is translate some of the arcane IAM Identity Access Management jargon into what normal developers expect. And so, we don't have clients in our OAuth implementation—although they really are clients if you're an RFC junkie—we have applications, right? We have users, we have groups, we have all these things that are what users would expect, even though underlying them they're based on the same standards that, frankly, Cognito and Auth0 and a lot of other people use as well.But to get back to your question, I would say that, if you had chosen to use FusionAuth, you would have had a couple of advantages. The first is, as I mentioned, kind of the developer friendliness and the extensive documentation, example applications. The second would be a themeability. And this is something that we hear from our clients over and over again, is Cognito is okay if you stay within the lines in terms of your user interface, right? If you just want to login form, if you want to stay between lines and you don't want to customize your application's login page at all.We actually provide you with HTML templates. It's actually using a language called FreeMarker, but they let you do whatever the heck you want. Now, of course, with great power comes great responsibility. Now, you own that piece, right, and we do have some more simple customization you can do if all you want to do is change the color. But most of our clients are the kind of folks who really want their application login screen to look exactly like their application, and so they're willing to take on that slightly heavier burden. Unfortunately, Cognito doesn't give you that option at all, as far as I can tell when I've kicked the tires on it. The theming is—how I put this politely—some of our clients have found the theming to be lacking.Corey: That's part of the issue where when I was looking at all the reference implementations, I could find for Cognito, it went from “Oh, you have your own app, and its branding, and the rest,” and bam, suddenly, you're looking right, like, you're logging into an AWS console sub-console property because of course they have those. And it felt like “Oh, great. If I'm going to rip off some company's design aesthetic wholesale, I'm sorry, Amazon is nowhere near anywhere except the bottom 10% of that list, I've got to say. I'm sorry, but it is not an aesthetically pleasing site, full stop. So, why impose that on customers?”It feels like it's one of those things where—like, so many Amazon service teams say, “We're going to start by building a minimum lovable product.” And it's yeah, it's a product that only a parent could love. And the problem is, so many of them don't seem to iterate beyond that do a full-featured story. And this is again, this is not every AWS service. A lot of them are phenomenal and grow into themselves over time.One of the best rags-to-riches stories that I can recall is EFS, their Elastic File System, for an example. But others, like Cognito just sort of seem to sit and languish for so long that I've basically given up hope. Even if they wind up eventually fixing all of these problems, the reputation has been cemented at this point. They've got to give it a different terrible name.Dan: I mean, here's the thing. Like, EFS, if it looks horrible, right, or if it has, like, a toughest user experience, guess what? Your users are devs. And if they're forced to use it, they will. They can sometimes see the glimmers of the beauty that is kind of embedded, right, the diamond in the rough. If your users come to a login page and see something ugly, you immediately have this really negative association. And so again, the login and authentication process is really the front door of your application, and you just need to make sure that it shines.Corey: For me at least, so much of what's what a user experience or user takeaway is going to be about a company's product starts with their process of logging into it, which is one of the reasons that I have challenges with the way that multi-factor auth can be presented, like, “Step one, login to the thing.” Oh, great. Now, you have to fish out your YubiKey, or you have to go check your email for a link or find a code somewhere and punch it in. It adds friction to a process. So, when you have these services or tools that oh, your session will expire every 15 minutes and you have to do that whole thing again to log back in, it's ugh, I'm already annoyed by the time I even look at anything beyond just the login stuff.And heaven forbid, like, there are worse things, let's be very clear here. For example, if I log in to a site, and I'm suddenly looking at someone else's account, yeah, that's known as a disaster and I don't care how beautiful the design aesthetic is or how easy to use it is, we're done here. But that is job zero: the security aspect of these things. Then there's all the polish that makes it go from something that people tolerate because they have to into something that, in the context of a login page I guess, just sort of fades into the background.Dan: That's exactly what you want, right? It's just like the old story about the sysadmin. People only notice when things are going wrong. People only care about authentication when it stops them from getting into what they actually want to do, right? No one ever says, “Oh, my gosh, that login experience was so amazing for that application. I'm going to come back to that application,” right? They notice when it's friction, they noticed when it's sand in the gears.And our goal at FusionAuth, obviously, security is job zero because as you said, last thing you want is for a user to have access to some other user's data or to be able to escalate their privileges, but after that, you want to fade in the background, right? No one comes to FusionAuth and builds a whole application on top of it, right? We are one component that plugs into your application and lets you get on to the fundamentals of building the features that your users really care about, and then wraps your whole application in a blanket of security, essentially.Corey: I'll take even one more example before we just drive this point home in a way that I hope resonates with folks. Everyone has an opinion on logging into AWS properties because “Oh, what about your Amazon account?” At which point it's “Oh, sit down. We're going for a ride here. Are you talking about amazon.com account? Are you talking about the root account for my AWS account? Are you talking about an IAM user? Are you talking about the service formerly known as AWS SSO that's now IAM Identity Center users? Are you talking about their Chime user account? Are you talking about your repost forum account?” And so, on and so on and so on. I'm sure I'm missing half a dozen right now off the top of my head.Yeah, that's awful. I've been also developing lately on top of Google Cloud, and it is so far to the opposite end of that spectrum that it's suspicious and more than a little bit frightening. When I go to console.cloud.google.com, I am boom, there. There is no login approach, which on the one hand, I definitely appreciate, just from a pure perspective of you're Google, you track everything I do on the internet. Thank you for not insulting my intelligence by pretending you don't know who I am when I log into your Cloud Console.Counterpoint, when I log into the admin portal for my Google Workspaces account, admin.google.com, it always re-prompts for a password, which is reasonable. You'd think that stuff running production might want to do something like that, in some cases. I would not be annoyed if it asked me to just type in a password again when I get to the expensive things that have lasting repercussions.Although, given my personality, logging into Gmail can have massive career repercussions as soon as I hit send on anything. I digress. It is such a difference from user experience and ease-of-use that it's one of those areas where I feel like you're fighting something of a losing battle, just because when it works well, it's glorious to the point where you don't notice it. When authentication doesn't work well, it's annoying. And there's really no in between.Dan: I don't have anything to say to that. I mean, I a hundred percent agree that it's something that you could have to get right and no one cares, except for when you get it wrong. And if your listeners can take one thing away from this call, right, I know it's we're sponsored by FusionAuth, I want to rep Fusion, I want people to be aware of FusionAuth, but don't roll your own, right? There are a lot of solutions out there. I hope you evaluate FusionAuth, I hope you evaluate some other solutions, but this is such a critical thing and Corey has laid out [laugh] in multiple different ways, the ways it can ruin your user experience and your reputation. So, look at something that you can build or a library that you can build on top of. Don't roll your own. Please, please don't.Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.Corey: So, tell me a little bit more about how it is that you folks think about yourselves in just in terms of the market space, for example. The idea of CIAM, customer IAM, it does feel viscerally different than traditional IAM in the context of, you know, AWS, which I use all the time, but I don't think I have the vocabulary to describe it without sounding like a buffoon. What is the definition between the two, please? Or the divergence, at least?Dan: Yeah, so I mean, not to go back to AWS services, but I'm sure a lot of your listeners are familiar with them. AWS SSO or the artist formerly known as AWS SSO is IAM, right? So, it's Workforce, right, and Workforce—Corey: And it was glorious, to the point where I felt like it was basically NDA'ed from other service teams because they couldn't talk about it. But this was so much nicer than having to juggle IAM keys and sessions that timeout after an hour in the console. “What do you doing in the console?” “I'm doing ClickOps, Jeremy. Leave me alone.”It's just I want to make sure that I'm talking about this the right way. It feels like AWS SSO—creature formerly known as—and traditional IAM feels like they're directionally the same thing as far as what they target, as far as customer bases, and what they empower you to do.Dan: Absolutely, absolutely. There are other players in that same market, right? And that's the market that grew up originally: it's for employees. So, employees have this very fixed lifecycle. They have complicated relationships with other employees and departments in organizations, you can tell them what to do, right, you can say you have to enroll your MFA key or you are no longer employed with us.Customers have a different set of requirements, and yet they're crucial to businesses because customers are, [laugh] who pay you money, right? And so, things that customers do that employees don't: they choose to register; they pick you, you don't pick them; they have a wide variety of devices and expectations; they also have a higher expectation of UX polish. Again, with an IAM solution, you can kind of dictate to your employees because you're paying them money. With a customer identity access management solution, it is part of your product, in the same way, you can't really dictate features unless you have something that the customer absolutely has to have and there are no substitutes for it, you have to adjust to the customer demands. CIAM is more responsive to those demands and is a smoother experience.The other thing I would say is CIAM, also, frankly, has a simpler model. Most customers have access to applications, maybe they have a couple of roles that you know, an admin role, an editor role, a viewer role if you're kind of a media conglomerate, for an example, but they don't have necessarily the thicket of complexity that you might have to have an eye on, so it's just simpler to model.Corey: Here's an area that feels like it's on the boundary between them. I distinctly remember being actively annoyed a while back that I had to roll my marketing person her own entire AWS IAM account solely so that she could upload assets into an S3 bucket that was driving some other stuff. It feels very much like that is a better use case for something that is a customer IAM solution. Because if I screw up those permissions even slightly, well, congratulations, now I've inadvertently given someone access to wind up, you know, taking production down. It feels like it is way too close to things that are going to leave a mark, whereas the idea of a customer authentication story for something like that is awesome.And no please if you're listening to this, don't email me with this thing you built and put on the Marketplace that “Oh, it uses signed URLs and whatnot to wind up automatically federating an identity just for this one per—” Yes. I don't want to build something ridiculous and overwrought so a single person can update assets within S3. I promise I don't want to do that. It just ends badly.Dan: Well, that was the promise of Cognito, right? And that is actually one of the reasons you should stick with Cognito if you have super-detailed requirements that are all about AWS and permissions to things inside AWS. Cognito has that tight integration. And I assume—I haven't looked at some of the other big cloud providers, but I assume that some of the other ones have that similar level of integration. So yeah, so that my answer there would be Cognito is the CIAM solution that AWS has, so that is what I would expect it to be able to handle, relatively smoothly.Corey: A question I have for you about the product itself is based on a frustration I originally had with Cognito, which is that once you're in there and you are using that for authentication and you have users, there's no way for me to get access to the credentials of my users. I can't really do an export in any traditional sense. Is that possible with FusionAuth?Dan: Absolutely. So, your data is your data. And because we're a self-hosted or SaaS solution, if you're running it self-hosted, obviously you have access to the password hashes in your database. If you are—Corey: The hashes, not the plaintext passwords to be explicitly clear on this. [laugh].Dan: Absolutely the hashes. And we have a number of guides that help you get hashes from other providers into ours. We have a written export guide ourselves, but it's in the database and the schema is public. You can go download our schema right now. And if—Corey: And I assume you've used an industry standard hashing algorithm for this?Dan: Yeah, we have a number of different options. You can bring your own actually, if you want, and we've had people bring their own options because they have either special needs or they have an older thing that's not as secure. And so, they still want their users to be able to log in, so they write a plugin and then they import the users' hashes, and then we transparently re-encrypt with a more modern one. The default for us is PDK.Corey: I assume you do the re-encryption at login time because there's no other way for you to get that.Dan: Exactly. Yeah yeah yeah—Corey: Yeah.Dan: —because that's the only time we see the password, right? Like we don't see it any other time. But we support Bcrypt and other modern algorithms. And it's entirely configurable; if you want to set a factor, which basically is how—Corey: I want to use MD5 because I'm still living in 2003.Dan: [laugh]. Please don't use MD5. Second takeaway: don't roll your own and don't use MD5. Yeah, so it's very tweakable, but we shipped with a secured default, basically.Corey: I just want to clarify as well why this is actively important. I don't think people quite understand that in many cases, picking an authentication provider is one of those lasting decisions where migrations take an awful lot of work. And they probably should. There should be no mechanism by which I can export the clear text passwords. If any authentication provider advertises or offers such a thing, don't use that one. I'm going to be very direct on that point.The downside to this is that if you are going to migrate from any other provider to any other provider, it has to happen either slowly as in, every time people log in, it'll check with the old system and then migrate that user to the new one, or you have to force password resets for your entire customer base. And the problem with that is I don't care what story you tell me. If I get an email from one of my vendors saying “You now have to reset your password because we're migrating to their auth thing,” or whatnot, there's no way around it, there's no messaging that solves this, people will think that you suffered a data breach that you are not disclosing. And that is a heavy, heavy lift. Another pattern I've seen is it for a period of three months or whatnot, depending on user base, you will wind up having the plug in there, and anyone who logs in after that point will, “Ohh you need to reset your password. And your password is expired. Click here to reset.” That tends to be a little bit better when it's not the proactive outreach announcement, but it's still a difficult lift and it adds—again—friction to the customer experience.Dan: Yep. And the third one—which you imply it—is you have access to your password hashes. They're hashed in a secure manner. And trust me, even though they're hashed securely, like, if you contact FusionAuth and say, “Hey, I want to move off FusionAuth,” we will arrange a way to get you your database in a secure manner, right? It's going to be encrypted, we're going to have a separate password that we communicate with you out-of-band because this is—even if it is hashed and salted and handled correctly, it's still very, very sensitive data because credentials are the keys to the kingdom.So, but those are the three options, right? The slow migration, which is operationally expensive, the requiring the user to reset their password, which is horribly expensive from a user interface perspective, right, and the customer service perspective, or export your password hashes. And we think that the third option is the least of the evils because guess what? It's your data, right? It's your user data. We will help you be careful with it, but you own it.Corey: I think that there's a lot of seriously important nuance to the whole world of authentication. And the fact that this is such a difficult area to even talk about with folks who are not deeply steeped in that ecosystem should be an indication alone that this is the sort of thing that you definitely want to outsource to a company that knows what the hell they're doing. And it's not like other areas of tech where you can basically stumble your way through something. It's like “Well, I'm going to write a Lambda to go ahead and post some nonsense on Twitter.” “Okay, are you good at programming?” “Not even slightly, but I am persistent and brute force is a viable strategy, so we're going to go with that one.” “Great. Okay, that's awesome.”But authentication is one of those areas where mistakes will show. The reputational impact of losing data goes from merely embarrassing to potentially life-ruining for folks. The most stressful job I've ever had from a data security position wasn't when I was dealing with money—because that's only money, which sounds like a weird thing to say—it was when I did a brief stint at Grindr where people weren't out. In some countries, users could have wound up in jail or have been killed if their sexuality became known. And that was the stuff that kept me up at night.Compared to that, “Okay, you got some credit card numbers with that. What the hell do I care about that, relatively speaking?” It's like, “Yeah, it's well, my credit card number was stolen.” “Yeah, but did you die, though?” “Oh, you had to make a phone call and reset some stuff.” And I'm not trivializing the importance of data security. Especially, like, if you're a bank, and you're listening to this, and you're terrified, yeah, that's not what I'm saying at all. I'm just saying there are worse things.Dan: Sure. Yeah. I mean, I think that, unfortunately, the pandemic showed us that we're living more and more of our lives online. And the identity online and making sure that safe and secure is just critical. And again, not just for your employees, although that's really important, too, but more of your customer interactions are going to be taking place online because it's scalable, because it makes people money, because it allows for capabilities that weren't previously there, and you have to take that seriously. So, take care of your users' data. Please, please do that.Corey: And one of the best ways you can do that is by not touching the things that are commoditized in your effort to apply differentiation. That's why I will never again write my own auth system, with a couple of asterisks next to it because some of what I do is objectively horrifying, intentionally so. But if I care about the authentication piece, I have the good sense to pay someone else to do it for me.Dan: From personal experience, you mentioned at the beginning that we go back aways. I remember when I first discovered RDS, and I thought, “Oh, my God. I can outsource all this scut work, all of the database backups, all of the upgrades, all of the availability checking, right? Like, I can outsource this to somebody else who will take this off my plate.” And I was so thankful.And I don't—outside of, again, with some asterisks, right, there are places where I could consider running a database, but they're very few and far between—I feel like auth has entered that category. There are great providers like FusionAuth out there that are happy to take this off your plate and let you move forward. And in some ways, I'm not really sure which is more dangerous; like, not running a database properly or not running an auth system properly. They both give me shivers and I would hate to [laugh] hate to be forced to choose. But they're comparable levels of risk, so I a hundred percent agree, Corey.Corey: Dan, I really want to thank you for taking so much time to talk to me about your view of the world. If people want to learn more because you're not in their inboxes responding to newsletters every week, where's the best place to find you?Dan: Sure, you can find more about me at Twitter. I'm @mooreds, M-O-O-R-E-D-S. And you can learn more about FusionAuth and download it for free at fusionauth.io.Corey: And we will put links to all of that in the show notes. I really want to thank you again for just being so generous with your time. It's deeply appreciated.Dan: Corey, thank you so much for having me.Corey: Dan Moore, Head of DevRel at FusionAuth. I'm Cloud Economist Corey Quinn. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry, insulting comment that will be attributed to someone else because they screwed up by rolling their own authentication.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

2022-03-01 Weekly News - Episode 137Watch the video version on YouTube at https://youtu.be/kRi3dMfLPxA Hosts: Gavin Pickin - Senior Developer for Ortus SolutionsDan Card  - Senior Developer for Ortus SolutionsThanks to our Sponsor - Ortus SolutionsThe makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. A few ways  to say thanks back to Ortus Solutions: Like and subscribe to our videos on YouTube.  Help ORTUS reach for the Stars - Star and Fork our Repos https://github.com/coldbox/coldbox-platform https://github.com/Ortus-Solutions/ContentBox/ https://github.com/Ortus-Solutions/commandbox/ https://github.com/ortus-solutions/docker-commandbox https://github.com/Ortus-Solutions/testbox/ https://github.com/coldbox-modules/qb/ https://github.com/coldbox-modules/quick/ https://github.com/coldbox-modules/cbwire https://github.com/Ortus-Solutions/DocBox Star all of your Github Box Dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github  Subscribe to our Podcast on your Podcast Apps and leave us a review Sign up for a free or paid account on CFCasts, which is releasing new content every week Buy Ortus's Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)  Patreon SupportWe have 36 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions. News and EventsICYMI - Lucee 5.3.9.80 Release Candidate 1 - This release removes all traces of Log4j1With the advent of Lucee 5.3.9 -RC, we now have a build of CommandBox (5.5.0-alpha) which is 100% FREE OF LOG4J 1.x! https://downloads.ortussolutions.com/#/ortussolutions/commandbox/5.5.0-alpha/ Please help us test and use it if you need to get those #infosec monkeys off your back!

Chris evaluates the pros and cons between using Sidekiq or Active Job with Sidekiq. He sees exceptions everywhere. Steph talks about an SSL error that she encountered recently. It's officially spooky season, y'all! sidekiq-symbols (https://github.com/aprescott/sidekiq-symbols) Transcript: CHRIS: Additional radiation just makes Spider-Man more powerful. STEPH: [laughs] Hello and welcome to another episode of The Bike Shed, a weekly podcast from your friends at thoughtbot about developing great software. I'm Steph Viccari. CHRIS: And I'm Chris Toomey. STEPH: And together, we're here to share a bit of what we've learned along the way. Hey, Chris, what's new in your world? CHRIS: Fall is in the air. It's one of those, like, came out of nowhere. I knew it was coming. I knew it was going to happen. But now it's time for pumpkin beer and pumpkin spice lattes, and exclusively watching the movie Hocus Pocus for the next month or so or some variation of those themes. But unrelated to that, I did a thing that I do once, let's call it every year or so, where I had to make the evaluation between Sidekiq or Active Job with Sidekiq, as the actual implementation as the background job engine that is running. And I just keep running through this same cycle. To highlight it, Active Job is the background job system within Rails. It is a nice abstraction that allows you to connect to any of a number of them, so I think Delayed Job is one. Sidekiq is one. Resque is probably another. I'm sure there's a bunch of others. But historically, I've almost always used Sidekiq. Every project I've worked on has used Sidekiq. But the question is do you use Active Job with the adapter set to Sidekiq and then you're sort of living in both worlds, or do you lean in entirely and you use Sidekiq? And so that would mean that your jobs are defined to include Sidekiq::Worker because that's the actual thing that provides the magic as opposed to inheriting from Application Job. And then do you accept all of the trade-offs therein? And every time I go back and forth. And I'm like, well, but I want this feature, but I don't want that feature. But I want these things. So I've made a decision, but I want to talk ever so briefly through the decision points that were part of it. Have you done this back and forth? Are you familiar with the annoying choice that exists here? STEPH: It's been a while since I've had the opportunity to make that choice. I'm usually joining projects where that decision has already been made. So I can't think of a recent time that I've thought through it. And my current project is using that combination of where we are using Active Job and Sidekiq. CHRIS: So I think there's even a middle ground there where that was the configuration that I'd set up on the project that I'm working on. But you can exist in both worlds. And you can selectively opt for certain background jobs to be fully Sidekiq. And if you do that, then instead of saying, "Performlater," You say, "Performasync." And there are a couple of other configurations. It gives you access to the full Sidekiq API. And you can do things like hey, Sidekiq, here's the maximum number of retries or a handful of other things. But then you have to trade away a bunch of the niceties that Active Job gives. So as an example, one thing that Active Job provides that's really nice is the use of GlobalID. So GlobalID is a feature that they added to Rails a while back. And it's a way to uniquely identify a given record within your system such that when you say performlater, you can say, InvitationMailer.performlater and then pass it a user record so like an instance of a user model. And what will happen in the background is that gets serialized, but instead of serializing the whole user object because we don't actually want that, it will do the GlobalID magic. And so it'll turn into, I think it's GID:// so almost like a URL. But then it'll be, I think, your application name/model name down the road. And the Perform method actually gets invoked via the background system. Then you will just get handed that user record back, but it's not the same instance of the user record. It sort of freezes and thaws it. It's really nice. It's a wonderful little feature. Sidekiq wants nothing to do with that. STEPH: I'm so glad that you highlighted that feature because that was on my mind; I think this week where I was reviewing...somebody had made the comment where they were concerned about passing a record to a job and saying how that wouldn't play nicely with Sidekiq. And in the back of my mind, I'm like, yeah, that's right. But then I was also I'm pretty sure this got addressed, though. And I couldn't recall specifically if it was a Sidekiq enhancement or if it was a Rails enhancement. So you just cleared something up for me that I had not had time to confirm myself. So thanks. CHRIS: Well, to be clear, this works if you are using Active Job with Sidekiq as the adapter, but not if you are using a true Sidekiq worker. So if you opt-out of the Active Job flow, then you have to say, "Perform_async," and if you pass it a record, that's not going to work out particularly nicely. The other similar thing is that Sidekiq does not allow the use of keyword args, which, I'm going, to be honest, I really like keyword arguments, especially for background jobs or shuttling data through your system. And there's almost a lazy evaluation. I want some nicety to make sure that when I am putting something into a background job that I'm actually using the correct call signature, essentially passing the correct data in the correct shape. Am I passing a record, or am I passing the ID? Am I passing a list of options or a single option? Those sort of trade-offs that are really easy to subtly get wrong. I came around on this one because I realized although Active Job does support keyword arguments, the way it does that is it just has a JSON serialization format for them. So a keyword argument turns into a positional array with an associated hash that allows for the lookup or whatever. Basically, again, they handle the details. You get to use keyword args, which is great, with the exception that when you're actually calling performlater, that method performlater is a method missing type magic method. So it does not actually check the keyword arguments at that point. You're basically just passing an options hash as opposed to true keyword arguments that would error because they don't match up. And so when I figured that out, I was like, oh, never mind. This doesn't actually do the thing that I care about. It's a little bit nicer in terms of the signature of the method when you're defining your background job itself, but it doesn't actually do any logical checking. It doesn't give me any safety or robustness within my system. So I don't care about that. I did find a project called sidekiq-symbols, which does some things under the hood to how Sidekiq serializes and deserializes jobs, which I think gives largely the same behavior as Active Job. So I can now define my Sidekiq jobs with keyword arguments. Things will work. I can't use GlobalID. That's still out. But that's fine. I can do a little helper method that basically does the same thing as GlobalID or at least close approximation. But sidekiq-symbols lets me have keyword arg-like signatures in my methods; basically, it is. But again, it doesn't actually do any check-in when I'm enqueueing a job, and I am sad about that. STEPH: Yeah, that's another interesting distinction. And I'm unsurprisingly with you that I would favor having keyword args and having that additional safety in place. Okay, so I've been keeping track. And so far, it sounds like we have two points because I'm doing a little scorecard here between Active Job and Sidekiq. And we have two points in favor of Active Job because they offer a GlobalID, which then allows us to pass in a record, and then it takes care of the serialization for us. And then also, keyword args, which I agree with you that's a really nice feature to have in place as well. So I'm curious, so it sounded like you're leaning towards Active Job, but I don't want to spoil the ending. CHRIS: Yes, I could see why that's what you would be taking away from the conversation thus far. So again, just to reiterate, Active Job and Sidekiq with this sidekiq-symbols extension they both support keyword args, kind of. They support defining your job with keyword args and then enqueueing a job passing something that looks like keyword args. But it ends up...nobody's actually checking anything, so it's mostly like a syntactic nicety as opposed to any sort of correctness, which is still nicer, but it's not the thing that I actually want. Either way, nobody supports it, so it is not available to me. Therefore, it is not a consideration point. The GlobalID thing is nice, but it is really, again, it's a nicety more than anything. I have gone, and I'm leaning in the direction of full Sidekiq and Sidekiq everywhere as opposed to Active Job in most cases, but then Sidekiq when we need it. And that's because Sidekiq just has a lot more power and a lot more functionality. So, in particular, Sidekiq has a feature which allows you to say...it's a block that you put at the top of your Sidekiq job that says retries exhausted or something. I think Sidekiq retries exhausted is the actual full name of that at that point, which is really unfortunate in my mind, but anyway, I'll deal. At that point, you know that Sidekiq has exhausted all of the retries, and you can treat it as failed. I'm going, to be honest, I went on a quest to find a way to say, hey, I'm going to put some work into the background. It's really important for me to know if this work succeeds or if it fails. It's very easy to know if it succeeds because that just happens in-line in the method. But we can have an exception raised at basically any point; Sidekiq does a great job of catching those, of retrying, of having fundamental mechanisms there. But this is the best that I can get for this job failed. And so Active Job, as far as I can tell, does not have anything for this in order to say, yep, we are done. We are not going to keep working on this. This work has failed. It is dead. Dead is; actually, I think the more correct term for where we're at because failed is a temporary state, and then you retry after a failure. Whereas dead is, this has gone through all of its retries, and it will never be run again. Therefore, we should treat this as not having run. And in my case, the thing that I want to do is inform the user that this operation that we were trying to do on their behalf has not succeeded, will not succeed. And please reach out or otherwise deal with the fact that we were unable to do the thing that they asked us to do. That feels like a really important thing for me to be able to do, to be able to communicate back to my users. This is one of those situations where I'm looking at the available options, and I'm like, I feel like I can't be the only one who wants to know when something goes wrong. This feels like a thing that's important. But this is the best example that I've found, the Sidekiq retries exhausted block. And unfortunately, when I'm using it, it gets yielded the Sidekiq JSON blob deserialized, so it's like Ruby hash. But it's still like this blob of data. It's not the same data that gets passed into perform. And so, as a result, when I want to look up the record that was associated with it, I have to do this nested dig into the available hash of data. And it just feels like this is not a well-paved path. This is not something that is a deeply thought about or recommended use case. But again, I don't feel like I'm doing something weird here. Am I doing something weird, Steph, wanting to tell my users when I was unable to do the thing they asked me to do? [chuckles] STEPH: That feels like a very rhetorical question. [laughs] CHRIS: It does. I apologize. I'm leading the witness. But in your sincere heart of hearts, what do you think? STEPH: No, that certainly doesn't sound weird. I'm actually thinking back to some of the jobs that cause me stress in regards to knowing when they failed and then having that communication of knowing that we've exhausted all the retries. And, of course, knowing when those retries are exhausted is incredibly helpful. I am intrigued, though,, because you're highlighting that Active Job doesn't have the same option around setting the retry. And I'm trying to recall exactly how it's set. But I feel like I have set the retry count for Active Job. And maybe, as you mentioned before, that's because it's an abstraction, or I'm not sure if Active Job actually has that native support. So I feel a little confused there where I think my default instinct would have been Active Job does have that retry capability. But it sounds like you've discovered otherwise. CHRIS: I'm not actually sure what Active Jobs core retry logic or option looks like. So fundamentally, as far as I understand it, Active Job is an abstraction. And under the hood, you're always connecting an adapter. So it's either going to be Sidekiq, or Resque, or Delayed Job, or other. And each of those systems, whichever system you have as the adapter, is the one that's actually going to be managing retries. And so I know Sidekiq happens to have as a default 25 retries. And that spans, I think it's a two-week exponential back off. And Sidekiq has some very robust logic that they have implemented as the way retries exist within Sidekiq. I'm not sure what that would look like if you're trying to express it abstractly because it is slightly different. I know there was some good work that was done on Sidekiq to allow the Sidekiq options that's a method at the top level of the job, even if it's an Active Job job to express the retries. So that may be what you've seen, or there may be truly an abstraction that exists within Active Job, and then each adapter needs to know how to handle retries. But frankly, the what can Sidekiq do that Active Job can't? There's a whole bunch of stuff around limiting when you would retry limiting, enqueuing a job if there already exists one, when and how do those records get locked. There's a whole bunch of stuff. Sidekiq has a lot of power under the hood. And so if we want to be leaning into that, that's why I'm leaning towards let's just be Sidekiq all the time. Let's become Sidekiq experts. Let's accept that as a deep architectural decision within the app as opposed to just relying on the abstraction. Because fundamentally, if we're just using Active Job, we're not going to have access to the full power of Sidekiq or whatever the underlying system is, so sort of that decision that I'm making, but I don't know specifically around the retries. STEPH: Okay, thanks. That's really helpful. It's been a while since I've had to make this decision. I'm really enjoying you sharing your adventure because I'm trying to think what's the risk? If you don't use Active Job, what are the trade-offs? And you'd mentioned some of them around the GlobalID and keyword args, which are some niceties. But overall, if you don't go with the abstraction, if you lean into Sidekiq, the risk is then you want to migrate to a different enqueuing service. And something that we talk about is mitigating that risk, so then you can swap it out. That's also something I have never done or encountered where we've had to make that change. And it feels like a very low risk in my mind. CHRIS: Sidekiq feels like the thing you would migrate to, not a thing you would migrate from. It feels like it is the most powerful. And if anything, I expect at some point we'll be upgrading to Sidekiq pro or enterprise or whatever the higher versions that you pay for, but you get more features there. So in that sense, that is the calculation. That's the risk trade-off in my mind is that we're leaning into this technology and coupling ourselves more closely to it. But I don't see that as one that will reassess in the same way that people talk about Active Record and it being an ORM. And it's like, oh, we're abstracting the database underneath, and I'm like, no, I'm not. I'm always using Postgres. Please do not take Postgres. I'm not going to switch over to MySQL next week. That's totally fine if you start on MySQL. It's unlikely you're going to port over to Postgres. We may port to an entirely…like it's a Cassandra column store with a Kafka queue, I don't know, something weird down the road. But it's not going to be swapping out Postgres for MySQL or vice versa. Like you said, that's probably not a change that's going to happen. But that I think is the consideration. The other consideration I have in my mind is Active Job is the abstraction that exists within Rails. And so I can treat it as the lowest common denominator, and folks joining the project, it's nice to have that familiarity. So perform_later is the method on the Active Job jobs, and it has a certain shape to it. People may be familiar with that. Mailers will automatically use Active Job just implicitly under the hood. And so there's a familiarity, a discoverability. It's just kind of up the middle choice. And so if I can stick with that, I think there's a nicety there. But in this case, I think I'm choosing I would like the power and consistency on the Sidekiq side, and so I'm leaning into that. STEPH: Yeah, that makes a lot of sense to me. And I liked the other example you provided around things that were not likely to swap out and Postgres, MySQL, your database being one of them. And in favor of an example that I do have for something that...I do enjoy wrapping. It's not something that I adhere to strictly, but I do enjoy it when I have the space to make this choice. So I do enjoy wrapping HTTPClients, not just because then I can swap it out for a different HTTPClient, which frankly, that's also rare that I do that. Once I choose an HTTPClient, I'm probably pretty happy, and I don't need to swap it out. But I really like being able to extend to the API specifically if they don't handle error responses in a way that I would like to or if they raise, and then I want to change the API to have a more thoughtful interface and where I don't have to rescue those errors. But instead, I can interact with this object that then represents an error state. So that was just one example that came to mind for things that I do enjoy having an abstraction around and not just so I can swap it out because that feels like a very low risk, but more frankly, so I can extend the API. CHRIS: I definitely share the I almost always wrap APIs, or I try and hide whatever the implementation detail whether it be HTTPParty, or Faraday or whatever it is that I'm using and trying to hide that deeply within the system. And then I have whatever API client that we define. And that's what we're interacting with. It's interesting that you bring up errors and exceptions there because that's the one other thing that has caused me this...what I'm describing now seems perhaps like, oh, here's just a list of pros and cons, a simple decision was made, and there we are. This represents some real soul searching on my part, if we will. And one of the last things that I ran into that was just so frustrating is that Sidekiq is explicitly built around the idea of exceptions; Sidekiq retries if there is an exception raised in the job, otherwise, it treats it as success, and that's it. That is the entirety of it. That is the story. But if you raise an exception in a job, then you can't test that job because now it's raising an exception. You can't test retries or this retry exhausted block that I'm trying to lean into. I'm like, I want to put that in a feature spec and say, oh, this job goes in the background, but it's in a failure state, and therefore, the user sees the failure message. Sorry, I can't do that because the only way to actually fail a job is via an exception. And I've actually gone to some links in this application to try to introduce more structured data flow. I've talked a bunch about the command objects and the dry-monads and all those things. And I've really loved them where I've gotten to use them. But then I run into one of these edge cases where Sidekiq is like, no, no, no, you can't do that. And so now I have parts of my system that very purposefully return data as opposed to raising an exception. And I just have to turn around and directly raise that failure as an exception, and it just feels less expressive. I actually just ran into the identical thing with Pundit. They have a little bit better control over it; I can choose whether or not I want the raising version or not. But I see exceptions everywhere, and I want a little more discrete data flow. [chuckles] That is my dream. So anyway, I chose Sidekiq is the summary here. And slowly, we're going to migrate entirely to Sidekiq. And I'm going to be totally fine with it. And I'm done griping now. STEPH: This is your own little October Halloween movie, that I see exceptions everywhere. CHRIS: They're so spooky. STEPH: [laughs] That's cool about Pundit. I'm not sure I knew that, that you get to essentially turn on or off that exception flow behavior. On one hand, I'm like, that's nice. You get the option. On the other hand, I'm like, well, let's just not do it. Let's just never raise on people. But at least they give people options; that seems really cool. CHRIS: They do give the option. I think you can choose different strategies there. And also, if we're being honest, I'm newer to Pundit. And I used a different thing, which was to get the Policy Object and ask it a question. I wanted to ask, is this enabled or not? Can a user do this or not? That should not raise an exception. I'm just asking a question. We're just being real chill about this. I just want to know some information. Let's flow some data through our system. We don't need exceptions for that. STEPH: Why are you yelling at me? I just have a question. [laughs] CHRIS: Yeah. I figured out how to be easy on that front. Sidekiq apparently has no be easy mode, but that's fine. You know what? We're going to make it work, and it's going to be fine. But it is interesting deciding which of these facets of the system that I'm building do I really care about? Which are the ones where I'm like, whatever, just pick something, and we'll move forward, it's not a big deal? Versus, we're actually going to be doing a lot of work in the background. This is the thing that I care about deeply. I want to know about failure and success. I want to really understand that and have a robust answer to what our architecture looks like there. Similarly, Pundit for authorization. I believe that authorization will be a critical aspect of our system. It's typically a pretty important thing. But for us, I think we're going to have different types of users who can log in and see different subsets of data and having a consistent and concrete way that we have chosen to implement that we are able to test, that we're able to verify. I think that's another core competency within the app. But you only get to have so many of those. You can only be really good at a couple of things. And so I'm in that place where I'm like, which are our top five when I say are the things that I care a lot about? And then which are the things where I'm like, I don't know, whatever, just run with it? STEPH: Just a little bit ago, I came so close to singing because you said the I want to know phrase again. And that, I'm realizing, [laughs] is a trigger for me and a song where I want to sing. I held it back this time. CHRIS: It's smart. You got to learn anytime you sing on mic that is part of the permanent record. STEPH: Edward Loveall at thoughtbot, since I sang in a recent episode, did the delightful thing where then he grabbed that clip of where you talk a little bit, and then I sing and then encouraged everyone to go listen to it. And in which I responded, like, I would highly recommend that you save your ears and don't listen to it. But yes, singing on the mic is a thing. I do it from time to time. I can't hold it back. CHRIS: We all do. But since it doesn't seem that you're going to sing in this moment, I think I can probably wrap up my Odyssey of choosing between Sidekiq and Active Job. I hope those details were useful to anyone other than me. It was an adventure, so I figured I'd share it. But yeah, that about wraps it up on my side. Mid-roll Ad And now a quick break to hear from today's sponsor, Scout APM. Scout APM is leading-edge application performance monitoring that's designed to help Rails developers quickly find and fix performance issues without having to deal with the headache or overhead of enterprise platform feature bloat. With a developer-centric UI and tracing logic that ties bottlenecks to source code, you can quickly pinpoint and resolve those performance abnormalities like N+1 queries, slow database queries, memory bloat, and much more. Scout's real-time alerting and weekly digest emails let you rest easy knowing Scout's on watch and resolving performance issues before your customers ever see them. Scout has also launched its new error monitoring feature add-on for Python applications. Now you can connect your error reporting and application monitoring data on one platform. See for yourself why developers call Scout their best friend and try our error monitoring and APM free for 14 days; no credit card needed. And as an added-on bonus for Bike Shed listeners, Scout will donate $5 to the open-source project of your choice when you deploy. Learn more at scoutapm.com/bikeshed. That's scoutapm.com/bikeshed. STEPH: So, I would love to talk about an SSL error that I encountered recently. So one of the important processes in our application is sending data to another system. And while sending data to that other system, we started seeing the following error that the read "Certificate verify failed." And then in parens, it states, "Unable to get local issuer certificate." So upon seeing that error, I initially thought, okay, something is wrong with their SSL certificate or their SSL configuration. And that's not something that I have control over and can fix. So we should reach out and let them know to take a look at their SSL config. But it turns out that their team already knew about the issue. They had recently updated or renewed their SSL cert, and they saw our messages were no longer being processed, and they were reaching out to us for help. So at that point, I'm still pretty sure that it's related to something on their end, and it's not something that I can really fix on our end. But we can help them troubleshoot. Maybe there's a workaround that we can add to still get messages processing while they're looking into their SSL config. It seemed like they still just needed help. So it was something that was still worth diving into. So going back to the first error, I want to talk a little bit about it because I realized that I understand SSL just enough, just the surface to get by as a developer. But then, every time that I run into a specific error with it, then I really have to refresh my understanding as to what could be wrong, so then I can troubleshoot more effectively. So for anyone that could use a refresher on that certificate verification process, when your browser or your server is connecting to a site that uses SSL, then your browser server, whichever one you're using, is going to download that site certificate and verify a couple of things. So it's going to check does the certificate contain the domain name of the website? So essentially, you gave us a certificate. Is this your certificate? Does it match the site that we're connecting to? Is this cert issued by a trusted certificate authority? So did someone that we trust give you this certificate? And is the cert still valid, or has it expired? So that part is pretty straightforward. The second part, "Unable to get local issuer certificate," so that's the part I was less certain about. And I took this to mean that they had passed two of those three checks that their cert included the site's name, and it had not expired. But for some reason, we aren't able to determine if their cert was issued by someone that we should trust. So following that journey, my next question was, so what are they giving us? So this is a tool that I don't get to use very often, but I reached for OpenSSL and, specifically, the s_client command, which connects to a specified domain and prints all certificates in the certificate chain. You may already know this, but the certificate chain is basically a fancy way of saying, show me all the certificates necessary to prove your site certificate was authorized by a trusted certificate authority. CHRIS: I did not know that. STEPH: Okay, I honestly didn't either. [laughs] CHRIS: I liked that you thought I would, though. So thank you, but no. [chuckles] STEPH: Yeah, it's one of those areas of SSL where I know just enough. But that was something that was new to me. I thought there was a site certificate, and I didn't realize that there is this chain of certificates that has to be honored. So going back and looking through that output of the certificate chain, that's what highlighted to me that their server was giving us their certificate and saying, hey, you should trust our site certificate. It's legit because it was authorized by, let's say, XYZ certificate. And so if it were a proper certificate chain, then they would give us that XYZ cert. And essentially, we can use this chain of certificates to get back to a trusted authority that then everybody knows that we can trust. However, they weren't actually giving us a reference certificate; they were giving us something else. So essentially, they were saying, "Hey, look at our certificate and look at this very trustworthy reference that we have." But they're actually failing to give us that reference. So to bring it all home, we can download that intermediate certificate that they reference; that is something that is publicly accessible. That's why we're able to then verify each certificate that's provided in that chain. We could go and download that intermediate certificate from that certificate authority. We could combine that with their site-specific certificate, include that in our request to their system, and then complete the certificate chain. And boom, we're back in business. But it was quite a journey. CHRIS: That is quite the journey. And yeah, I definitely knew very little of that, although everything you're saying makes sense. And I have a bunch of cubbyholes in my brain for SSL knowledge. And the words you said all fit into the spaces that I have in my brain, but I didn't know a bunch of those pieces. So thank you for sharing that. SSL and cryptography, more generally or password hashing or things like that, occupy this special place in my brain where I'm both really interested in them. And I will occasionally research them. If I see a blog article, I'll be like, oh yeah, I want to read more about this password hashing. And what's a Salt? And what's a Pepper? And what are we doing there? And what is BCrypt versus SCrypt? What are all these things? This is cool. And almost the arms race on the two sides of how do we demonstrate trust in a secure manner on the internet? But at the same time, I am not allowed to do anything with this information. I outsource this as much as humanly possible because it's one of those things that you just should not do yourself and SSL perhaps even more so. So I have configured aspects of my password hashing. But I 100% just lean on the fact that Let's Encrypt exists in the world. And prior to that, it was a little more work. But frankly, earlier on in my career, I wasn't dealing with the SSL parts of things. But I'm so grateful to Let's Encrypt as a project that exists. And now, on almost every platform that I work with, there's just a checkbox for please do the SSL work for me, make it good, make it work, and then I will be happy. And I'm so glad that that organization exists and really pushed the envelope also. I forget what it was, but it was only like three years ago where SSL was not actually nearly as common as it is now. And now it is pervasive and everywhere. And all of the sites have it, and so that is a wonderful thing. But I don't actually know much. I know that I should have it. I must have it. I should force it. That's true. So I push that out… STEPH: Hello. CHRIS: Are you trying to get me to sing? [chuckles] STEPH: [laughs] No, but I did want to know if you get the reference, the Salt-N-Pepa. CHRIS: Push It Real Good the song? Yeah, okay. STEPH: Yeah, you got it. [chuckles] CHRIS: I will just say the lyrics. I shall not sing the lyrics. I would say that, though, that yes, yes, they do that. STEPH: Thank you for acknowledging my very terrible reference. Circling back just a little bit too in regards to...I'm with you; this is a world that is not one that I am very deeply technical in and something that I learned a fair amount while troubleshooting this particular SSL error. And it was very interesting. But there's also that concern where it's like, that was interesting. And we worked around the issue, but this also feels very fragile. So we still haven't fixed it on their end where they are sending the wrong certificate. So then that's why we had to do more investigative work, and then download the certificate that they meant to send us, and then send back a complete certificate chain so that we don't have this error anymore. But should they change anything about their certificate, should they renew anything like that, then suddenly, we're going to break again. And then, the next developer is going to have to go through the same journey. And this wasn't a light journey. This was a good half-day journey to figure out what was going on and to spend the time, and then to also get that fix out to production. So it's a meaningful task that I don't want anyone else to have to go through. But we are relying on someone else updating their configuration. So, on one hand, we're in a good spot until they are able to update. But on the other hand, I wrote a heck of a commit message for the next person just describing like, friend, just grab some coffee if we're going to chat. It's a very small code change, but you need to know the scoop. So should you need to replicate this because they've changed something, or if this happens…because we work with a number of systems that we send data to. So if someone else should run into a similar issue, they will understand some of the troubleshooting techniques that I used and be able to look up that chain and find out if there's a missing cert or something else they need to provide. So it feels like a win, but I'm also nervous for future selves, future developers. So there's another approach that I haven't mentioned yet, but it was often a top recommendation for when dealing with SSL errors. And specifically, it was turning off SSL verification. And I saw that, and I was like, well, that won't work. I'm definitely sending sensitive, important data. And I need to verify that who I'm sending this to is really the person that I want to send this data to. So that was not an option for me. But it made me very nervous how often that was an approach that people would recommend and be like, oh, it's okay, just turn off SSL. You'll be fine. Like, don't worry about it. CHRIS: I feel like this so perfectly fits into the...some of our work is finding the information and connecting the pieces together and making it work. But some of it is that heuristic sense, that voice in the back of your head that is like, wait, I'm sorry, what? You want me to just turn off the security perimeter and hope that the velociraptors won't come in? That doesn't seem like it's going to end well. I get that that's an easy option that we have available to us right now and will solve the immediate problem but then let's play this out. There are four or five Jurassic Park movies now that tell the story of that. So let's be careful. STEPH: It always ends super well, though, right? Like, it's totally fine. [laughs] CHRIS: [laughs] Exclusively. Although it's funny that you mentioned OpenSSL no verify because just this past week, I used that very same configuration. I think it was okay in my case; I'm pretty sure. But it is interesting because when I saw it, I was like, oh no, can't do that. Certainly not that. Don't turn off the security feature. That's the wrong way to deal with the issue. But in the particular case that I'm working with, I'm using Redis, Heroku Redis, in particular, in a Heroku configuration. And the nature of how Heroku configures the Redis instances and the connectivity to our app into our dyno...I forget why. I read an article. They wrote it; Heroku wrote it. I trust them; they're good. I've outsourced my trust to people that I do trust. The trust chain actually maps really well to the certificate trust chain. I trust that Heroku has taken security deeply seriously. And for some reason, their configuration of Redis requires that I turn on OpenSSL no verify mode. So I'm using this now both in Sidekiq, and then we're using our Redis instance for our Rails cache as well. So in both cases, I said, "It's fine. Don't worry about it." I used the Don't worry about it configuration. And I didn't love it but I think it's okay. And partly, I'm trying to say this into the internet radio right now just in case anyone's listening who's like, no, no, no, you can't do that. That's bad. So I'm willing to be deeply wrong on the internet in favor of someone telling me and then I get to get out in front of it. But I think it's fine. Pretty sure it's fine. It should be fine. STEPH: I love love love that you gave a very visual example of velociraptors, and then you're like, oh, but I turned it off. [laughs] So I'm going to start sending you a velociraptor gif each day. CHRIS: I hope you do. I hope the internet holds you accountable to that. STEPH: [laughs] CHRIS: And I really look forward to [laughs] moving forward because that's a great way to start the day. Well, it doesn't need to start the day, but I look forward to them. STEPH: [laughs] I am really intrigued because I'm with you. Like you said, there are certain entities that are in our trust chain where it's like, hey, you are running this for us, and so I do have faith and trust in you that you wouldn't steer me wrong and provide a bad recommendation. Someone on Stack Overflow telling me to turn off SSL verify uh; that's not my trust chain. Heroku or someone else telling me I'm going to take it a little more seriously. And so I'm also interested in hearing from...what'd you say? You're speaking into the internet phone. [laughs] What'd you say? CHRIS: I think I said internet radio. But yeah, in a way. I mean, we're recording over Skype right now. So in a manner of speaking, we're on the internet phone to make our internet radio show. STEPH: [laughs] Oh goodness, the internet radio. I'm also intrigued to hear if other people are like, oh, no, no, no. Yeah, that sounds like an interesting scenario. Because I would think you'd still want your connection to...you said it's for Redis. So you still want that connection to be verified. But then if Redis itself can't have a specific...yeah, we're testing the boundaries of my SSL knowledge here as to how the heck you would even establish that SSL connection or the verification process. CHRIS: Me too. And it also exists in an interesting space where Heroku is rather clear in their documentation about this. And it was a surprising claim when I saw it. And so, I don't expect them to be flippant about a thing that is important. Like, if they're like, "No, no, no, it is okay. You can turn off the security thing, don't worry." I trust that they're not just like, oh, we didn't think about it too much. But we figured why not? It's not a big deal. I'm sure that they have thought about it deeply because it is an important thing. And so in a weird way, my trust of them and the severity of what this thing represents, I'm like, oh yeah, I super trust that because you're not going to get a major thing wrong. You might get a minor, small, subtle thing wrong. But this is a pretty major configuration change. As I say it, I'm now getting more worried. I'm now like, I feel fine about this. This doesn't seem like a problem at all. But then I keep saying stuff, and I'm like, oh no. That's why I love having a podcast; I find out things about myself as I talk into a microphone to you. STEPH: We come here to share our deep, dark developer secrets. Chris: Spooky developer therapy. STEPH: But just to clarify, even though you've turned off the SSL verify, you're still connecting over SSL. CHRIS: Yes, I believe that's the case. And if I'm remembering, I think the nature of how this works is they're using a self-signed certificate because of shared infrastructure or something, something that made sense when I read it. But it was the idea that they are doing a self-signed certificate. Therefore, to what you were talking about earlier, there isn't the certificate authority in the chain of those because it's self-signed. And so, they are not a trusted certificate authority. Therefore, that certificate that they have generated would not be trusted. But it does still allow for the SSL handshake and then communication to happen over SSL. It's just that fundamental question of trust. I'm saying, in this case, for reasons, it's okay. Trust me that I trust them. We're good. Which, again, I don't feel great about, but I think yes, it is still SSL, but it is a self-signed certificate. So we have to make this configuration change. STEPH: Yeah, all of that makes sense. And it certainly sounds like you have been very thoughtful about that change and put in some investigative work. So on that note, I have a very unrelated bad joke for you. CHRIS: I'm very excited. STEPH: All right, here we go. All right, so what do you call an alligator wearing a vest? CHRIS: I don't know. What do you call an alligator wearing a vest? STEPH: An investigator. [laughter] On that note, shall we wrap up? CHRIS: Oh, let's wrap up. We should also include a link in the show notes to the episode where you told the joke about the elephant hiding in the trees because that's one of my favorite jokes. You slayed me with that one. [laughs] But on that note, yes, let us wrap up. The show notes for this episode can be found at bikeshed.fm. STEPH: This show is produced and edited by Mandy Moore. CHRIS: If you enjoyed listening, one really easy way to support the show is to leave us a quick rating or even a review in iTunes,,as it really helps other folks find the show. STEPH: If you have any feedback for this or any of our other episodes, you can reach us at @_bikeshed or reach me on Twitter @SViccari. CHRIS: And I'm @christoomey STEPH: Or you can reach us at hosts@bikeshed.fm via email. CHRIS: Thanks so much for listening to The Bike Shed, and we'll see you next week. All: Byeeeeeeeeee!!! Announcer: This podcast was brought to you by thoughtbot. thoughtbot is your expert design and development partner. Let's make your product and team a success.

This week, the crew talks about passwords. Web applications store a great deal of sensitive information. But, there is something categorically different about storing passwords. Because—if compromised—a password from one application may grant a malicious actor access to another application. As such, it is essential that we store our customers' passwords using modern, one-way hashing algorithms that protect the underlying payload against increasingly powerful compute resources. And, that we have a way to evolve our password hashing strategies in order to stay a step ahead of potential attackers.Of course, sometimes the best password hashing strategies is to not store a password at all. Using a "passwordless login" allows you to defer the responsibility of password storage off to another, trusted vendor.Also, we've been doing this podcast for half-a-year! How awesome is that! Yay for us!Triumphs & FailuresAdam's Failure - While Adam has been quite keen on Testing code, he recently ran into a testing scenario that he found very challenging. And, he ended up taking half-a-day to refactor already working code just so that he could add the tests. In the long run, it wasn't a waste of time; but, it was a very humbling experience in the moment.Ben's Triumph - After weeks of struggling to debug an authentication issue within a Sketch plug-in, Ben and his team finally figured out what was going wrong! As fate would often have it, Ben was the engineer that originally wrote the problematic code - so, that was unfortunate. But, at least they figured out how to fix the user experience!Carol's Failure - Carol has been having trouble walking away from problems even when she feels stuck. So, instead of stepping back and clearing her head, she continues to beat it against the wall (often to no avail). She knows this is counterproductive; but, sometimes she gets lost in the details.Tim's Triumph / Failure - Tim finds himself coasting this week. Nothing has been all that note-worthy; either in triumph or in failure.Notes & LinksOWASP Password Cheat Sheet - industry standard best practices for storing passwords - covers Argon2, BCrypt, SCrypt, and PBKDF2.Have I Been Pwned - a service that tells you if your password has been exposed in a data breach.1Password - the world's most-loved password manager.Authy - a user-friendly two-factor authentication app.Shibboleth - an identity provider solution.OAuth - a standard for granting access to a website or application without having to provide it with your password.SAML - a standard for exchanging authentication between parties.Diceware - a method for generation secure, random passwords using playing dice.NIST Password Guidelines - Auth0 explains new passwords guidelines from NIST.Single Sign-On (SSO) - an authentication scheme in which one login grantes access to several, unrelated applications.Netlify Identity Management - a solution for user management in a Netlify app.Firebase Identity Management - a solution for user management in a Firebase app.XKCD: Password Strength - A web comic about how we make passwords hard for people but easy for computers.Follow the show! Our website is workingcode.dev and we're @WorkingCodePod on Twitter and Instagram. Or, leave us a message at (512) 253-2633‬ (that's 512-253-CODE). New episodes drop weekly on Wednesday.And, if you're feeling the love, support us on Patreon.

2021-06-01 Weekly News - Episode 106Watch the video version on YouTube at https://youtu.be/jmA7-rHjomk Hosts: Gavin Pickin - Software Consultant for Ortus SolutionsEric Peterson - Software Consultant for Ortus SolutionsThanks to our Sponsor - Ortus SolutionsThe makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. A few ways  to say thanks back to Ortus Solutions: Like and subscribe to our videos on youtube.  Sign up for a free or paid account on CFCasts, which is releasing new content every week Buy Ortus's new Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips) Patreon SupportWe have 36 patreons providing 84% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions. If you love our podcasts and all we do for the #coldfusion #cfml community considers chipping in, we are almost there!https://www.ortussolutions.com/blog/we-need-your-help News and EventsLucee 5.3.8.179-RC4 (Final Release Candidate) ReleasedThis will be the Final RC before STABLE, available via your admin or via https://download.lucee.org/There are some improvements for MS SQL users since RC3. There is currently a problem with MS SQL extensions not being available for download, including 7.22, apologies, this will be fixed tomorrow.https://dev.lucee.org/t/lucee-5-3-8-179-rc4-final-release-candidate/8400 Adobe leaking Dev Week Sessions on TwitterAdobe has not added sessions to the Dev Week site yet, but Adobe is tweeting promos with the Session Name, Speaker, date and time on Twitter.https://twitter.com/coldfusionOnline CF Meetup - Getting Started with FusionReactor, with Brad WoodThursday Jun 3rd at 12pm US Eastern Time, UTC-4.New to FusionReactor? Perhaps you have a license but aren't sure how to tap into the features? We'll cover the basics of using FR to profile code, view your running and recent requests, and how to tell what is making a request slow. We'll cover tracking JDBC requests, HTTPS calls, and using the Profiler feature. There are many more features in FR, but we'll cover enough to get you started.https://www.meetup.com/coldfusionmeetup/events/278404050/ Ortus Webinar for June - Eric Peterson - Topic - Build a Blog in 30 minutes with QuickWebinars Page: https://www.ortussolutions.com/events/webinars Registration: coming soonICYMI TestBox v4.3 Released!We are excited to announce a new minor version release of TestBox version 4.3.x. To install just use CommandBox: install testbox --saveDev or to update your TestBox installation update testbox.This update includes several cool new features and improvements that will delight your testing life! For example, we have integrated your favorite code editors to the simple reporter so you can now open the line of code that failed your test or created and exception!https://www.ortussolutions.com/blog/testbox-v43-released  Reminder - State of the CF Union SurveyHelp us find out the state of the CF Union – what versions of CFML Engine do people use, what frameworks, tools etc. We will share the summary results with everyone who completes the survey so that you can see how you compare with other CF developers.Spread the news so we can get as many responses as possible.https://teratech.com/state-of-the-cf-union-2021-survey CFCasts Content Updateshttp://www.cfcasts.com New features alert

Mit Philipp und Christian haben wir uns heute über Security unterhalten und am Schluss noch einen kleinen Ausflug Richtung Youtube-DL unternommen. Wahrscheinlich werden wir auch zu diesem Thema noch ein paar Mal zusammen setzen müssen :).   Shownotes Unsere E-Mail für Fragen, Anregungen & Kommentare: hallo@python-podcast.de Security Vorlesung Netzwerksicherheit (HHU) Boxine (Toniebox..) Smashing The Stack For Fun And Profit Von-Neumann-Architektur / Harvard-Architektur Address space layout randomization / Executable space protection SQL injection psycopg Denial-of-service attack Ransomware-Befall Uniklinik Düsseldorf Adversarial machine learning Ada Ariane V88 Absturz Zertifizierung nach Common Criteria / Evaluation Assurance Level Pentest Web Application Firewall (WAF) xkcd zu security Common Vulnerabilities and Exposures (CVEs) Episode 18: Ten Years of Flask: Conversation With Creator Armin Ronacher Command injection etc Directory traversal attack graylog / kibana elk stack / sentry Django regex denial of service security advisory Indiauth für datasette / oauth2 / openid connect Defense in depth Password hashing via: scrypt / pbkdf2 Picks / Youtube-DL youtube-dl Origins of the youtube-dl project Musikindustrie schießt mit der Schrotflinte auf Open Source / Philipp Hagemeister, former YouTube-dl maintainer re: takedown Streisand-Effekt dateutil bcrypt Tonies - offene Stellen Öffentliches Tag auf konektom

Gavin and Eric host this weeks episode. They discuss this week's online conferences, Adobe ColdFusion Developer Week and MS Build. They announce the release of Ortus's newest online platforms, CFCasts.com - where you can watch all of Into the Box 2020 videos free if you were an attendee, or available for purchase soon if you were not. They discussed ColdBox 6 Release Candidate and they also give you a quick reminder to complete the State of the CF Union Survey. In addition to Microsoft Build and Adobe's ColdFusion Developer Week this week, they discuss Docker Con Online as well as the first 3 workshops from Into the Box announced for June. They spotlight a lot of great blog posts, tweets, videos and podcasts, too many to list, so listen to the show. They announce some jobs from twitter and getCfmlJobs.com They show off the ForgeBox module of the Week, Bcrypt after mentioning it in one of the blog posts of the week. This week's VS Code Tip of the week is the Prettier Formatter which now supports more languages and makes your life as a developer easier. For the show notes - visit the website https://cfmlnews.modernizeordie.io/episodes/modernize-or-die-cfml-news-for-may-19th-2020 Music from this podcast used under Royalty Free license from SoundDotCom https://www.soundotcom.com/ and BlueTreeAudio https://bluetreeaudio.com

As a data scientist, you will work on machine learning models that are deployed on websites - usually wrapped around a REST API, these days they also call this approach a “micro-service”. It is for this reason it is important to know how backends and front ends work and how to build them. In this episode, we talk about building a note app which is a Single Page Application or SPA using Pythons flask library for backend and Vue.js for frontend. We use REST API to communicate between them. We cover following topics in Q and A format: 1. Why should data scientists care about building frontend and backend and rest api? 2. What is a single page application? 3. Why Vue.js? 4. Why do we need server side code? 5. What is REST API? 6. How does Flask help with building rest api? Then we go into the exact mechanics of building the SPA: Step 1: Database setup Step 2: Write REST API in flask Step 3: Postman setup and testing of the API Step 4: Build frontend and write forms to get information Step 5: Build routing and login pages Step 6: Front end design and UI/UX Finally you can deploy both the server and client separately on AWS or Heroku so that other users can see it and use it. Dependencies: 1) Flask to build server side REST APIs 2) Sqlalchemy which is ORM to access database 3) Bcrypt for hashing user passwords to store in your database 4) Vue for building frontend 5) Bootstrap-Vue for using bootstrap with Vue.js 6) Axios to communicate via AJAX between client and server 7) Vue CLI 3 to manage the tooling of the client Really awesome resources: 1) Learn Vue.JS from scratch by the awesome teacher Net Ninja - YouTube https://www.youtube.com/watch?v=5LYrN_cAJoA&list=PL4cUxeGkcC9gQcYgjhBoeQH7wiAyZNrYa&index=1 2) Building book recording app using Vue and Flask https://testdriven.io/blog/developing-a-single-page-app-with-flask-and-vuejs/#bootstrap-vue 3) Managing state in Vue.js including Vuex and simple global store: https://medium.com/fullstackio/managing-state-in-vue-js-23a0352b1c87 4) Authenticating a Flask API Using JSON Web Tokens - YouTube https://www.youtube.com/watch?v=J5bIPtEbS0Q 5) Really nice tutorial for using databases with Flask by Corey Schafer - YouTube https://www.youtube.com/watch?v=cYWiDiIUxQc&list=PL-osiE80TeTs4UjLw5MM6OjgkjFeUxCYH&index=4 If this has been of value please consider supporting me by buying me a coffee at the Anchor link at the end. If you support, I will provide extra bonus content for you. Thanks for listening! --- Send in a voice message: https://anchor.fm/the-data-life-podcast/message Support this podcast: https://anchor.fm/the-data-life-podcast/support

Yan Zhu, AKA bcrypt, is the Chief Security Officer at Brave. Yan joins Leo Laporte to talk about her past dropping out of high school and earning a B.S. at MIT; her work on Brave's security-focused browser and other open-source projects like HTTPS Everywhere, SecureDrop, and Privacy Badger on Firefox; DJing and creating electronic music; and more. Host: Leo Laporte Guest: Yan Zhu Download or subscribe to this show at https://twit.tv/shows/triangulation.

Yan Zhu, AKA bcrypt, is the Chief Security Officer at Brave. Yan joins Leo Laporte to talk about her past dropping out of high school and earning a B.S. at MIT; her work on Brave's security-focused browser and other open-source projects like HTTPS Everywhere, SecureDrop, and Privacy Badger on Firefox; DJing and creating electronic music; and more. Host: Leo Laporte Guest: Yan Zhu Download or subscribe to this show at https://twit.tv/shows/triangulation.

Yan Zhu, AKA bcrypt, is the Chief Security Officer at Brave. Yan joins Leo Laporte to talk about her past dropping out of high school and earning a B.S. at MIT; her work on Brave's security-focused browser and other open-source projects like HTTPS Everywhere, SecureDrop, and Privacy Badger on Firefox; DJing and creating electronic music; and more. Host: Leo Laporte Guest: Yan Zhu Download or subscribe to this show at https://twit.tv/shows/triangulation.

Yan Zhu, AKA bcrypt, is the Chief Security Officer at Brave. Yan joins Leo Laporte to talk about her past dropping out of high school and earning a B.S. at MIT; her work on Brave's security-focused browser and other open-source projects like HTTPS Everywhere, SecureDrop, and Privacy Badger on Firefox; DJing and creating electronic music; and more. Host: Leo Laporte Guest: Yan Zhu Download or subscribe to this show at https://twit.tv/shows/triangulation.

On this week's episode, Chris is joined by Mike Burns, developer in our New York studio, to discuss the ins and outs of application security. Mike recently added a comprehensive Application Security Guide to the thoughtbot guides, and in this chat they discuss some of the high points of the guide, some of the low points of common security holes, and some of the fantastically specific workflows and approaches Mike has for his personal information and security management. Mike Burns on Mastodon Mike Burns on the thoughtbot blog Application Security Guide YAML JSON TOML Bcrypt Scrypt TLS Handshake explained with paint colors NIST - Digital Identity Guidelines Clearance DKIM & SPF for email verification PGP Signing of Emails PGP Signing git Commits Facebook Stored Millions Of Passwords In Plaintext PhishMe (now Cofense) Mutt email client YubiKey Pass pwgen LastPass Perfect Forward Secrecy Tarsnap

We reveal the shady password practices that are all too common at many utility providers, and hash out why salts are essential to proper password storage. Plus the benefits of passphrases, and what you can do to keep your local providers on the up and up.

Yesterday the chocolate spread company Nutella, tweeted some very bad password. I checked the password advice and found it had been involved in 20,833 data breaches.

Password leaks have become an unfortunately common occurrence, with billions of records leaked in the past few years. In this work we develop and economic model to help predict how many user passwords such an attacker will crack after such a breach. Our analysis indicates that currently deployed key stretching mechanisms such as PBKDF2 and BCRYPT provide insufficient protection for user passwords. In particular, our analysis shows that a rational attacker will crack 100% of passwords chosen from a Zipf's law distribution and that Zipf's Law accurately models the distribution of most user passwords. This dismal claim holds even if PBKDF2 is used with 100,000 hash iterations (10 times greater than NIST's minimum recommendation). On a positive note our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2. About the speaker: Ben Harsha is a Computer Science Ph.D. student advised by Jeremiah Blocki. He currently works on password security and cryptographic hash functions. Before coming to Purdue in 2015 he also worked on distributed sensor networks at Argonne National Lab, as well as neural network optimization and computer science education methods at DePauw University. He has received a Masters from Purdue and a Bachelors from DePauw University.

Password leaks have become an unfortunately common occurrence, with billions of records leaked in the past few years. In this work we develop and economic model to help predict how many user passwords such an attacker will crack after such a breach. Our analysis indicates that currently deployed key stretching mechanisms such as PBKDF2 and BCRYPT provide insufficient protection for user passwords. In particular, our analysis shows that a rational attacker will crack 100% of passwords chosen from a Zipf’s law distribution and that Zipf’s Law accurately models the distribution of most user passwords. This dismal claim holds even if PBKDF2 is used with 100,000 hash iterations (10 times greater than NIST’s minimum recommendation). On a positive note our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2.

Steven Swenson is encrypting and hashing with .NET. Show notes: Steven Swenson's blog Book: Cryptography Engineering, Design Principles and Practical Applications, by Bruce Schneier Adam Caudill Risky Business podcast libsodium crypto library Elliptic curve cryptography (ECC) CodeStock conference in Knoxville Azure Identity Services bcrypt is available on NuGet scrypt is available on GitHub and NuGet Steven Swenson is on Twitter Want to be on the next episode? You can! All you need is the willingness to talk about something technical. Theme music is "Crosscutting Concerns" by The Dirty Truckers, check out their music on Amazon or iTunes.

This week, we're joined by DHH and discuss microservices, monoliths, shared abstractions, and the fate of Action Cable. DHH's Keynote Microservices Sacrificial Architecture Scaling Mercurial at Facebook has_secure_password BCrypt Request Forgery Protection error_messages_for removed in Rails 3 Sandi Metz on the cost of the wrong abstraction WebSockets Event Machine Faye Basecamp

The long-awaited meetup is finally happening on today's show. We're going to be interviewing the original BSD podcaster, Will Backman, to discuss what he's been up to and what the future of BSD advocacy looks like. After that, we'll be showing you how to track (and even cross-compile!) the -CURRENT branch of NetBSD. We've got answers to user-submitted questions and the latest news, on BSD Now - the place to B.. SD. This episode was brought to you by Headlines FreeBSD and OpenBSD in GSOC2014 (https://wiki.freebsd.org/SummerOfCode2014) The Google Summer of Code is a way to encourage students to write code for open source projects and make some money Both FreeBSD and OpenBSD were accepted, and we'd love for anyone listening to check out their GSOC pages The FreeBSD wiki has a list of things that they'd be interested in someone helping out with OpenBSD's want list was also posted (http://www.openbsdfoundation.org/gsoc2014.html) DragonflyBSD and NetBSD were sadly not accepted this year *** Yes, you too can be an evil network overlord (http://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html) A new blog post about monitoring your network using only free tools OpenBSD is a great fit, and has all the stuff you need in the base system or via packages It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf) There's also details about flowd and nfsen, more great tools to make network monitoring easy If you're listening, Peter... stop ignoring our emails and come on the show! We know you're watching! *** BSDMag's February issue is out (http://bsdmag.org/magazine/1858-openbsd-5-4-configure-openbsd-basic-services) The theme is "configuring basic services on OpenBSD 5.4" There's also an interview with Peter Hansteen (oh hey...) Topics also include locking down SSH, a GIMP lesson, user/group management, and... Linux and Solaris articles? Why?? *** Changes in bcrypt (http://marc.info/?l=openbsd-misc&m=139320023202696&w=2) Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation There is a bug in bcrypt when hashing long passwords - other OSes need to update theirs too! (FreeBSD already has) "The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor 'b'." As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward Lots of specifics in the email, check the full thing *** Interview - Will Backman - bitgeist@yahoo.com (mailto:bitgeist@yahoo.com) / @bsdtalk (https://twitter.com/bsdtalk) The BSDTalk podcast, BSD advocacy, various topics Tutorial Tracking and cross-compiling -CURRENT (NetBSD) (http://www.bsdnow.tv/tutorials/current-nbsd) News Roundup X11 no longer needs root (http://undeadly.org/cgi?action=article&sid=20140223112426) Xorg has long since required root privileges to run the main server With recent work (http://marc.info/?l=openbsd-cvs&;m=139245772023497&w=2) from the OpenBSD team, now everything (even KMS) can run as a regular user Now you can set the "machdep.allowaperture" sysctl to 0 and still use a GUI *** OpenSSH 6.6 CFT (https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-March/032259.html) Shortly after the huge 6.5 release, we get a routine bugfix update Test it out on as many systems as you can Check the mailing list for the full bug list *** Creating an OpenBSD USB drive (http://undeadly.org/cgi?action=article&sid=20140225072408) Since OpenBSD doesn't distribute any official USB images, here are some instructions on how to do it Step by step guide on how you can make your very own However, there's some recent emails (http://undeadly.org/cgi?action=article&sid=20140228231258) that suggest official USB images may be coming soon... oh wait (http://marc.info/?l=openbsd-cvs&m=139377587526463&w=2) *** PCBSD weekly digest (http://blog.pcbsd.org/2014/02/pc-bsd-weekly-feature-digest-19/) New PBI updates that allow separate ports from /usr/local You need to rebuild pbi-manager if you want to try it out Updates and changes to Life Preserver, App Cafe, PCDM *** Feedback/Questions espressowar writes in (http://slexy.org/view/s2JpJ5EaZp) Antonio writes in (http://slexy.org/view/s2QpPevJ3J) Christian writes in (http://slexy.org/view/s2EZLxDfWh) Adam writes in (http://slexy.org/view/s21gEBZbmG) Alex writes in (http://slexy.org/view/s2RnCO1p9c) ***

This time on the show, we'll be showing you how to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller - one of the lead developers of OpenSSH - about some recent crypto changes in the project. If you're into data security, today's the show for you. The latest news and all your burning questions answered, right here on BSD Now - the place to B.. SD. This episode was brought to you by Headlines Secure communications with OpenBSD and OpenVPN (http://johnchapin.boostrot.net/blog/2013/12/07/secure-comms-with-openbsd-and-openvpn-part-1/) Starting off today's theme of encryption... A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic Part 1 covers installing OpenBSD with full disk encryption (which we'll be doing later on in the show) Part 2 covers the initial setup of OpenVPN certificates and keys Parts 3 and 4 are the OpenVPN server and client configuration Part 5 is some updates and closing remarks *** FreeBSD Foundation Newsletter (https://www.freebsdfoundation.org/press/2013Dec-newsletter) The December 2013 semi-annual newsletter was sent out from the foundation In the newsletter you will find the president's letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored The president's letter alone is worth the read, really amazing Really long, with lots of details and stories from the conferences and projects *** Use of NetBSD with Marvell Kirkwood Processors (http://evertiq.com/design/33394) Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer The IP-Plug is a "multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger)." Really cool little NetBSD ARM project with lots of graphs, pictures and details *** Experimenting with zero-copy network IO (http://adrianchadd.blogspot.com/2013/12/experimenting-with-zero-copy-network-io.html) Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD Discusses the different OS' implementations and options He's able to get 35 gbit/sec out of 70,000 active TCP sockets, but isn't stopping there Tons of details, check the full post *** Interview - Damien Miller - djm@openbsd.org (mailto:djm@openbsd.org) / @damienmiller (https://twitter.com/damienmiller) Cryptography in OpenBSD and OpenSSH Tutorial Full disk encryption in FreeBSD & OpenBSD (http://www.bsdnow.tv/tutorials/fde) News Roundup OpenZFS office hours (https://www.youtube.com/watch?v=wWmVW2R_uz8) Our buddy George Wilson (http://www.bsdnow.tv/episodes/2013_12_04-zettabytes_for_days) sat down to take some ZFS questions from the community You can see more info about it here (http://open-zfs.org/wiki/OpenZFS_Office_Hours) *** License summaries in pkgng (http://www.shiningsilence.com/dbsdlog/2013/12/09/12934.html) A discussion between Justin Sherill (http://www.bsdnow.tv/episodes/2013_11_13-the_gateway_drug) and some NYCBUG guys about license frameworks in pkgng Similar to pkgsrc's "ACCEPTABLE_LICENSES" setting, pkgng could let the user decide which software licenses he wants to allow Maybe we could get a "pkg licenses" command to display the license of all installed packages Ok bapt, do it *** The FreeBSD challenge continues (http://thelinuxcauldron.com/2013/12/08/freebsd-challenge/) Checking in with our buddy from the Linux foundation... The switching from Linux to FreeBSD blog series continues for his month-long trial Follow up from last week: "As a matter of fact, I did check out PC-BSD, and wanted the challenge. Call me addicted to pain and suffering, but the pride and accomplishment you feel from diving into FreeBSD is quite rewarding." Since we last mentioned it, he's decided to go from a VM to real hardware, got all of his common software installed, experimented with the Linux emulation, set up virtualbox, learned about slices/partitions/disk management, found BSD alternatives to his regularly-used commands and lots more *** Ports gets a stable branch (https://svnweb.freebsd.org/ports?view=revision&revision=336615) For the first time ever, FreeBSD's ports tree will have a maintained "stable" branch This is similar to how pkgsrc does things, with a rolling release for updated software and stable branch for only security and big fixes All commits to this branch require approval of portmgr, looks like it'll start in 2014Q1 *** Feedback/Questions John writes in (http://slexy.org/view/s2iRV1tOzB) Spencer writes in (http://slexy.org/view/s21gAR5lgf) Campbell writes in (http://slexy.org/view/s203iOnFh1) Sha'ul writes in (http://slexy.org/view/s2yUqj3vKW) Clint writes in (http://slexy.org/view/s2egcTPBXH) ***

This time on the show, we'll be looking at the new version of FreeNAS, a BSD-based network attached storage solution, as well as talking to Josh Paetzel - one of the key developers of FreeNAS. Actually, he's on the FreeBSD release engineering team too, and does quite a lot for the project. We've got answers to your viewer-submitted questions and plenty of news to cover, so get ready for some BSD Now - the place to B.. SD. This episode was brought to you by Headlines More faces of FreeBSD (http://freebsdfoundation.blogspot.com/2013/12/faces-of-freebsd-reid-linnemann.html) Another installment of the FoF series This time they talk with Reid Linnemann who works at Spectra Logic Gives a history of all the different jobs he's done, all the programming languages he knows Mentions how he first learned about FreeBSD, actually pretty similar to Kris' story "I used the system to build and install ports, and explored, getting actively involved in the mailing lists and forums, studying, passing on my own limited knowledge to those who could benefit from it. I pursued my career in the open source software world, learning the differences in BSD and GNU licensing and the fragmented nature of Linux distributions, realizing the FreeBSD community was more mature and well distributed about industry, education, and research. Everything steered me towards working with and on FreeBSD." Now works on FreeBSD as his day job The second one (http://freebsdfoundation.blogspot.com/2013/12/faces-of-freebsd-brooks-davis.html) covers Brooks Davis FreeBSD committer since 2001 and core team member from 2006 through 2012 He's helped drive our transition from a GNU toolchain to a more modern LLVM-based toolchain "One of the reasons I like FreeBSD is the community involved in the process of building a principled, technically-advanced operating system platform. Not only do we produce a great product, but we have fun doing it." Lots more in the show notes *** We cannot trust Intel and Via's chip-based crypto (https://www.freebsd.org/news/status/report-2013-09-devsummit.html#Security) We woke up to see FreeBSD on the front page of The Register (http://www.theregister.co.uk/2013/12/09/freebsd_abandoning_hardware_randomness/), Ars Technica (http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/), Slashdot (http://it.slashdot.org/story/13/12/11/1919201/freebsd-developers-will-not-trust-chip-based-encryption) and Hacker News (https://news.ycombinator.com/item?id=6880474) for their strong stance on security and respecting privacy At the EuroBSDCon dev summit, there was some discussion about removing support for hardware-based random number generators. FreeBSD's /dev/random got some updates and, for 10.0, will no longer allow the use of Intel or VIA's hardware RNGs as the sole point of entropy "It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more" *** OpenSMTPD 5.4.1 released (http://article.gmane.org/gmane.mail.opensmtpd.general/1146) The OpenBSD developers came out with major a new version Improved config syntax (please check your smtpd.conf before upgrading) Adds support for TLS Perfect Forward Secrecy and custom CA certificate MTA, Queue and SMTP server improvements SNI support confirmed for the next version Check the show notes for the full list of changes, pretty huge release Watch Episode 3 (http://www.bsdnow.tv/episodes/2013-09-18_mx_with_ttx) for an interview we did with the developers *** More getting to know your portmgr (http://blogs.freebsdish.org/portmgr/2013/12/02/getting-to-know-your-portmgr-thomas-abthorpe/) The portmgr secretary, Thomas Abthorpe, interviews... himself! Joined as -secretary in March 2010, upgraded to full member in March 2011 His inspiration for using BSD is "I wanted to run a webserver, and I wanted something free. I was going to use something linux, then met up with a former prof from university, and shared my story with him. He told me FreeBSD was the way to go." Mentions how he loves that anyone can contribute and watch it "go live" The second one (http://blogs.freebsdish.org/portmgr/2013/12/09/getting-to-know-your-portmgr-baptiste-daroussin/) covers Baptiste Daroussin The reason for his nick, bapt, is "Baptiste is too long to type" There's even a video (https://www.youtube.com/watch?v=tZk__K8rqOg) of bapt joining the team! *** Interview - Santa Clause - josh@ixsystems.com (mailto:josh@ixsystems.com) / @freenasteam (https://twitter.com/freenasteam) FreeNAS 9.2.0 (http://www.freenas.org/whats-new/2013/12/freenas-9-2-0-rc-available.html) Note: we originally scheduled the interview to be with Josh Paetzel, but Santa showed up instead. Tutorial FreeNAS walkthrough News Roundup Introducing configinit (http://www.daemonology.net/blog/2013-12-09-FreeBSD-EC2-configinit.html) CloudInit is "a system originally written for Ubuntu which performs configuration of a system at boot-time based on user-data provided via EC2" Wasn't ideal for FreeBSD since it requires python and is designed around the concept of configuring a system by running commands (rather than editing configuration files) Colin Percival came up with configinit, a FreeBSD alternative Alongside his new "firstboot-pkgs" port, it can spin up a webserver in 120 seconds from "launch" of the EC2 instance Check the show notes for full blog post *** OpenSSH support for Ed25519 and bcrypt keys (http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.key?rev=1.1;content-type=text%2Fx-cvsweb-markup) New Ed25519 key support (hostkeys and user identities) using the public domain ed25519 reference code SSH private keys were encrypted with a symmetric key that's just an MD5 of their password Now they'll be using bcrypt by default (http://marc.info/?l=openbsd-cvs&m=138633721618361&w=2) We'll get more into this in next week's interview *** The FreeBSD challenge (http://thelinuxcauldron.com/2013/12/08/freebsd-challenge/) A member of the Linux foundation blogs about using FreeBSD Goes through all the beginner steps, has to "unlearn" some of his Linux ways Only a few posts as of this time, but it's a continuing series that may be helpful for switchers *** PCBSD weekly digest (http://blog.pcbsd.org/2013/12/pc-bsd-weekly-feature-digest-111513-2/) GNOME3, cinnamon and mate desktops are in the installer Compat layer updated to CentOS 6, enables newest Skype Looking for people to test printers and hplip Continuing work on grub, but the ability to switch between bootloaders is back *** Feedback/Questions Bostjan writes in (http://slexy.org/view/s20k2gumbP) Jason writes in (http://slexy.org/view/s2PM8tfKfe) John writes in (http://slexy.org/view/s2KgXIKqrJ) Kjell-Aleksander writes in (http://slexy.org/view/s20DLk8bac) Alexy writes in (http://slexy.org/view/s2nmmJHvgR) ***

Enregistré le 25 février 2013 Téléchargement de l’épisode LesCastCodeurs-Episode–74.mp3 Sponsoring Intéressé pour sponsoriser les cast codeurs et voir ce que cela peut vous apporter ? Contactez nous à sponsors@lescastcodeurs.com Interview Introduction Eric Bottard @ebottard VMware http://www.vmware.com Définitions du PaaS PaaS http://en.wikipedia.org/wiki/Platform_as_a_service CloudFoundry http://cloudfoundry.com OpenShift https://openshift.redhat.com/app/ CloudBees http://www.cloudbees.com Heroku http://www.heroku.com Google App Engine https://cloud.google.com/products/ CloudFoundry CloudFoundry http://cloudfoundry.com AppFog https://www.appfog.com Tier3 http://www.tier3.com Node.js http://nodejs.org Spring Framework http://www.springsource.org/spring-framework Grails http://grails.org MySQL http://www.mysql.com PostgreSQL http://www.postgresql.org MongoDB http://www.mongodb.org Redis http://redis.io RabbitMQ http://www.rabbitmq.com Code Story http://code-story.net Pour le DevOps VMC http://docs.cloudfoundry.com/tools/vmc/installing-vmc.html Plugin Eclipse http://docs.cloudfoundry.com/tools/STS/configuring-STS.html Blog sur les deployments sur CloudFoundry http://blog.springsource.com/2011/09/22/rapid-cloud-foundry-deployments-with-maven/ Subversion http://subversion.tigris.org Git http://git-scm.com Etude Zero Turnaround http://zeroturnaround.com/labs/devprod-report-revisited-version-control-systems-in-2013/ SHA–1 http://en.wikipedia.org/wiki/SHA-1 BCrypt http://en.wikipedia.org/wiki/Bcrypt jBCrypt https://github.com/jeremyh/jBCrypt Jenkins http://jenkins-ci.org New Relic http://newrelic.com Business model OVH http://www.ovh.com/fr/vps/ Le moteur CloudFoundry Bosh https://github.com/cloudfoundry/bosh Micro CloudFoundry https://micro.cloudfoundry.com La communauté CloudFoundry.org http://cloudfoundry.org core.cloudfoundry.com http://core.cloudfoundry.org Le futur La roadmap Le blog CloudFoundry http://blog.cloudfoundry.com Nous contacter Contactez-nous via twitter http://twitter.com/lescastcodeurs sur le groupe Google http://groups.google.com/group/lescastcodeurs ou sur le site web http://lescastcodeurs.com/ Flattr-ez nous (dons) sur http://lescastcodeurs.com/