In this episode of The Confident Commit, Rob Zuber sits down with Meg Adams, Senior Director of Engineering at The New York Times, for a deep dive into leading engineering teams through the AI revolution while staying true to organizational mission. Meg shares how the Times approaches AI adoption with a "measured but focused" strategy, emphasizing experimentation and opinion-formation over mandates, and why she believes AI serves as a force multiplier for what already exists in your organization and workflows.

The conversation explores the unique challenges of product engineering in media, from building cooking products for users across the entire spectrum of culinary expertise to navigating digital transformations that honor legacy while embracing an uncertain future. Meg discusses the importance of mission-driven leadership through technological transitions, why she prioritizes helping her engineers stay valuable in the marketplace, and her unconventional path from elementary education to retail management to engineering leadership. Whether you're an engineering leader managing AI adoption or someone thinking about the intersection of technology and human-centered products, this episode delivers insights on building resilient teams that can adapt while maintaining their core purpose.

Have someone you'd like to hear on the show? Reach out and let us know on X at @CircleCI!
In this episode of The Confident Commit, Rob Zuber sits down with Edreece Arghandiwal, CMO and Co-Founder of Oakland Roots Soccer Club, for an inspiring conversation about building purpose-driven organizations from the ground up. Edreece shares how the Roots challenged traditional sports business models by putting community first, turning a simple question—"Why isn't there professional soccer in Oakland?"—into a movement that raised $3.5 million from 6,000+ community investors with zero paid advertising.

The conversation explores the parallels between building tech products and sports organizations, from using merchandise as a "landing page" to prove market demand, to the critical importance of obsessing over customer-facing touchpoints while maintaining operational flexibility behind the scenes. Edreece discusses the challenges of scaling while preserving authentic brand identity, why purpose should lead to profit (not the other way around), and how hiring good humans with strong moral compasses becomes the foundation for sustainable growth. Whether you're a startup founder looking to build authentic community engagement or a leader working to maintain organizational purpose at scale, this episode delivers actionable insights on creating brands that people proudly represent in their daily lives.

Have someone you'd like to hear on the show? Reach out and let us know on X at @CircleCI!
In this episode of The Confident Commit, Rob Zuber sits down with Cate Huston, Engineering Director at DuckDuckGo and author of "The Engineering Leader," for a deep dive into career ownership and sustainable engineering leadership. Cate challenges the common misconception that career growth equals promotion, introducing the concept of being the "directly responsible individual" for your own career and the crucial difference between "buying" versus "renting" your skills in the marketplace.

The conversation explores how to shift engineering teams from a "ticket factory" mindset to outcome-focused delivery, the tension between servant leadership and strategic leadership, and why the best engineering cultures encourage productive disagreement. Whether you're an individual contributor looking to take ownership of your trajectory or a leader working to create environments where people thrive, this episode delivers actionable wisdom for engineering professionals at every level.

Have someone you'd like to hear on the show? Reach out and let us know on X at @CircleCI!
Engineering leadership has never been more challenging, or more critical. In this episode, Rob sits down with Pat Kua, seasoned technology leader, author of three books including Building Evolutionary Architectures, and creator of the popular Level Up newsletter for technical leaders.

Pat reveals how today's engineering leaders are navigating unprecedented industry turbulence: from AI disruption and talent shifts to economic uncertainty and constant organizational change. Drawing from his 20+ years coaching CTOs, VPs of Engineering, and emerging tech leads, he shares practical strategies for making decisions without perfect information and building resilient, adaptable teams.

Key insights include:
- Why embracing uncertainty is a defining leadership skill, not a weakness
- How to apply agile principles beyond code—from team structures to strategic decisions
- The critical importance of creating "forcing functions" that drive continuous learning
- Why exposure to high-performing teams transforms your entire worldview
- Practical approaches for leading through AI adoption and industry shifts

From small startups to global enterprises, Pat's guidance helps leaders focus on what they can control while building systems that thrive in constant change. Whether you're a first-time manager or seasoned executive, discover how to turn uncertainty into competitive advantage.

Have someone in mind you'd like to hear on the show? Let us know on X at @CircleCI!
Engineering leadership isn't just about technical execution—it's about unlocking the creative potential that drives individual and team success. CircleCI CTO Rob Zuber sits down with Corey Latislaw, Head of Engineering at Trainline and executive coaching expert, to explore how creativity transforms both careers and team dynamics.

Corey challenges the myth that creativity is just for artists, revealing how engineering workflows are fundamentally creative processes. Her "Ideas, Not Art" framework shows how visual communication, coaching techniques, and strategic problem-solving help engineers and leaders thrive. From sketch notes to systems thinking, discover practical approaches for building stronger teams and accelerating personal growth in engineering.

Have someone in mind you'd like to hear on the show? Let us know on X at @CircleCI!
In an era where organizations depend heavily on commercial applications to run their operations, the integrity of those applications has become a top security concern. Saša Zdjelar, Chief Trust Officer at ReversingLabs and Operating Partner at Crosspoint Capital, shares how protecting the software supply chain now extends far beyond open source risk.

Zdjelar outlines how modern applications are built from a mix of first-party, contracted, open source, and proprietary third-party components. By the time software reaches production, its lineage spans geographies, development teams, and sometimes even AI-generated code. Incidents like SolarWinds, Kaseya, and CircleCI demonstrate that trusted vendors are no longer immune to compromise, and commercial software can introduce critical vulnerabilities or malicious payloads deep into enterprise systems.

Regulatory drivers are increasing scrutiny. Executive Order 14028, Europe's Cyber Resilience Act, DORA, and U.S. Department of Defense software sourcing restrictions all require greater transparency, such as a Software Bill of Materials (SBOM). However, Zdjelar cautions that SBOMs—while valuable—are like ingredient lists without recipes: they don't reveal if a product is secure, just what's in it.

ReversingLabs addresses this gap with a no-compromise analysis engine capable of deconstructing any file, of any size or complexity, to assess its safety. This capability enables organizations to make risk-based decisions, continuously monitor for unexpected changes between software versions, and operationalize controls at points such as procurement, SCCM deployments, or file transfers into critical environments.

For CISOs, this represents a true technical control where previously only contractual clauses, questionnaires, or insurance policies existed.
By placing analysis at the front of the software lifecycle, organizations can reduce reliance on costly manual testing and sandboxing, improve detection of tampering or hidden behavior, and even influence cyber insurance rates.

The takeaway is clear: software supply chain security is a board-level concern, and the focus must expand beyond open source. With the right controls, organizations can avoid becoming the next headline-making breach and maintain trust with customers, partners, and regulators.

Learn more about ReversingLabs: https://itspm.ag/reversinglabs-v57b

Note: This story contains promotional content.

Guest: Saša Zdjelar, Chief Trust Officer at ReversingLabs and Operating Partner at Crosspoint Capital | On LinkedIn: https://www.linkedin.com/in/sasazdjelar/

Resources
- Learn more and catch more stories from ReversingLabs: https://www.itspmagazine.com/directory/reversinglabs
- Learn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
- Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
- Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
- Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story
In the first episode of Occupied Tech, a new podcast brought to you by Tech for Palestine in collaboration with Palestine Deep Dive, Paul Biggar speaks to Hossam Nasr – a former Microsoft employee who was fired in 2024 after organising a vigil for Palestinians killed in Gaza. Nasr exposes the company's major role in Israel's genocide and apartheid and discusses efforts to organise workers and activists to resist its complicity. No Azure for Apartheid (Noaa) is a worker-led group of tech workers within Microsoft, co-founded by Nasr. Its members are committed to exposing the complicity of specific technologies, including Microsoft's AI software Azure.

_________________________

Occupied Tech

In each episode, Paul Biggar introduces a new guest to break down the mechanics of the tech industry and how it powers Israel's genocide, apartheid and occupation – looking at the companies, investors and individuals behind it. And most importantly, spotlighting the people resisting this oppression.

_________________________

Episode 1. Microsoft: Powering Israel's Genocide?

Nasr exposes the company's major role in Israel's genocide and apartheid and discusses efforts to organise workers and activists to resist its complicity through the organisation he co-founded, No Azure for Apartheid (Noaa). Noaa is a worker-led group of tech workers within Microsoft. Its members are committed to exposing the complicity of specific technologies, including Microsoft's AI software Azure. More than just a profit-seeking organisation, Nasr identifies Microsoft as a genocidal digital weapons manufacturer – as the most trusted tech provider for the Israeli government and military, Nasr explains how Microsoft aids Israel's combat and intelligence activities, storing illegally collected data to surveil Palestinians and more.

Episode 1 was recorded back in June 2025, but new revelations reported recently in The Guardian also expose how Microsoft Azure servers in Europe have been storing 'a million calls an hour' in an expansive Israeli surveillance operation against Palestinians – data used by Israel to conduct lethal strikes in its ongoing genocide on Gaza.

_________________________

Support Palestine Deep Dive from as little as £1 per month: https://www.palestinedeepdive.com/support

_________________________

Hossam Nasr is an Egyptian software engineer and an alumnus of Harvard's Computer Science programme. He is a former Microsoft employee and co-founder of No Azure for Apartheid, a movement of Microsoft workers demanding that Microsoft end its direct and indirect complicity in Israeli apartheid and genocide. https://www.noazureforapartheid.com

Paul Biggar is the founder of Tech For Palestine, a coalition of thousands of founders, engineers, product marketers, investors and other professionals who are working in support of Palestinian liberation. He is an Irish software engineer who founded the unicorn company CircleCI in 2011, before being fired from its board in 2023 for support of Palestine. https://www.techforpalestine.org
Rob Zuber sits down with Tara Hernandez, VP of Developer Productivity at MongoDB and former Netscape engineer who helped create early continuous integration systems, to explore strategic frameworks for build vs. buy decisions in modern software delivery.

Hernandez shares insights from scaling MongoDB's proprietary CI system—processing 10 engineer years of compute daily—and reveals how organizations can evaluate when custom infrastructure drives competitive advantage versus when strategic partnerships accelerate growth. Her perspective on navigating the evolving landscape of CI/CD tooling offers actionable guidance for engineering leaders balancing innovation with operational efficiency.

Have someone in mind you'd like to hear on the show? Reach out to us on X at @CircleCI!
Can you have a career without going into management?

That is exactly what we take apart in this episode, and a lot more besides. Few topics heat up tech teams as much as career paths for software developers. Do I have to go into management in order to "move up"? Why do so many companies seem to need their own career ladders, and how do we actually make sure they don't turn into a motivation trap?

With Lena Reinhardt, leadership coach, keynote speaker, former VP of Engineering at CircleCI and Travis CI and, not least, co-creator of the well-known CircleCI career matrix, we get to the bottom of the phenomenon of IC (Individual Contributor) career paths. We clarify why and how career ladders came about in tech, how they differ from classic job descriptions, and why they amount to real culture work inside companies. We also pick up the Netflix case, look at the do's and don'ts of designing such frameworks, and learn when such a system really makes sense (and where it becomes nonsense!).

Of course we also talk about the pitfalls of rolling one out, and how important a participatory setup, calibrated levelling and honest communication are, not least to actually reflect diversity and fairness in day-to-day work. Lena shares her best tips on managing expectations, dealing with glue work, and why good engineers should do a little self-marketing after all.

Along the way there are insights into HR strategy, performance reviews, the power of job titles, and an anecdote from the life of a former bank employee with a soft spot for open source.

You can find our current advertising partners at https://engineeringkiosk.dev/partners

Quick feedback on the episode:
Speed isn't just about developer productivity—it's about market dominance. Rob sits down with Brian Guthrie, Director of Engineering at Justworks and former ThoughtWorks consultant, to explore why lead time from conception to production should be your organization's north star metric.

Brian challenges conventional CI/CD wisdom, arguing that asynchronous pull request processes create hidden context transfer costs that cripple time-to-market. His "Move Faster Manifesto" reveals how continuous integration was originally designed for speed, the real cost of feature branching versus trunk-based development, and why reducing integration problems translates directly to competitive advantage.

Have someone you'd like to hear on the show? Let us know on X at @CircleCI!
Join us for a fascinating episode where we explore the development of SaturnCI—a new and user-friendly Continuous Integration tool that arose from frustrations with existing solutions like CircleCI and GitHub Actions. Our guest, Jason Swett, shares his passion for creating a platform that not only simplifies the user experience but actively incorporates feedback from early adopters. Through candid conversations, Jason recounts his journey as a content creator in the Ruby community, and how it inspired him to address the shortcomings he observed in CI tools.

We delve into the technical challenges faced as SaturnCI grows, particularly those relating to user scalability as it onboarded new customers. Jason offers valuable insights into his tech stack choices while drawing attention to the importance of creating streamlined interfaces that cater to developers' needs. The conversation shifts to the foundation of community through his upcoming Sin City Ruby conference, showcasing the efforts made to facilitate connection among participants and ensure each attendee leaves with new friendships and knowledge.

Toward the end of our episode, we touch upon Jason's unique approach to outreach through his snail mail newsletter, where he shares insights and stories beyond technology. This creative endeavor highlights how stepping away from screens can cultivate a deeper connection with the audience. With an inviting conversational tone and enriching discussions, this episode is packed with valuable insights for anyone interested in CI tools, community-building, and finding the courage to innovate within your space. Be sure to subscribe and share your thoughts with us!

Send us some love.

Honeybadger
Honeybadger is an application health monitoring tool built by developers for developers.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Support the show

Ready to start your own podcast? This show is hosted on Buzzsprout and it's awesome, not to mention a Ruby on Rails application. Let Buzzsprout know we sent you and you'll get a $20 Amazon gift card if you sign up for a paid plan, and it helps support our show.
This week, Ben and Andrew dive into the (surprisingly?) complex world of calculator apps, analyze how AI is revolutionizing the technical interview, and dissect the emerging "two-tier" economy around AI. What side of the curve does your org fall on?

Then, the conversation goes on site to San Francisco, where host Dan Lines hosts Rob Zuber (CTO, CircleCI) and Tara Hernandez (VP of Dev Productivity at MongoDB) for a discussion of LinearB's 2025 Software Engineering Benchmarks Report. We unpack the report's surprising findings on the PR lifecycle, project management hygiene, DORA metrics, code quality, and predictability, with key takeaways for optimizing your engineering team's performance. Be sure to grab your copy of the report to follow along with Dan, Rob & Tara.

Check out:
- 2025 Software Engineering Benchmarks Report
- Beyond the DORA Frameworks
- Introducing AI-Powered Code Review with gitStream

Follow the hosts: Ben, Andrew
Follow today's guest(s): Rob Zuber, Tara Hernandez

Referenced in today's show:
- "A calculator app? Anyone could make that."
- 'Two-tier' AI economy is emerging between startups and corporations, with large organizations falling behind, AWS EMEA chief says
- AI Killed The Tech Interview. Now What? | Kane Narraway
- New Junior Developers Can't Actually Code

Support the show: Subscribe to our Substack, Leave us a review, Subscribe on YouTube, Follow us on Twitter or LinkedIn
Offers: Learn about Continuous Merge with gitStream, Get your DORA Metrics free forever
In this episode, Rob sits down with Ger McMahon, Head of ALM Tools and Platforms at Fidelity Investments, to explore the unique challenges of delivering software rapidly in a large enterprise. They dive into strategies for fostering innovation and effectively sharing ideas across diverse teams within the organization.

Ger highlights the delicate balance between building internal tools and creating customer-facing applications, emphasizing the critical role of keeping the customer at the center of decision-making. He also shares insights into why Fidelity prioritizes being a "technology company that delivers financial services," and how that mindset shapes their approach to software development.

Whether you're part of a large organization or navigating the complexities of enterprise software delivery, this episode offers valuable perspectives and actionable ideas.

Have a guest suggestion? Connect with us on X at @CircleCI!
In this episode of The Confident Commit, Rob sits down with Christine Yen, CEO of Honeycomb, to delve into the evolving role of observability in modern software development. They discuss how observability goes beyond traditional metrics and monitoring, and allows developers to be better prepared for the unknown and embrace the complexities of distributed systems. Christine shares insights on how observability not only boosts developer confidence but also enhances productivity by reducing toil and enabling teams to focus on delivering value for customers.

The conversation shifts to the value of Service Level Objectives (SLOs) and why discussions around them often focus heavily on measurement tools and technical implementations. Christine offers valuable advice on steering these conversations towards healthier, more customer-centric perspectives. By reframing the conversation, developers and teams can focus on delivering real value, aligning technical goals with customer needs and driving meaningful outcomes.

Have a guest you'd like to hear on the podcast? Reach out to us on X at @CircleCI!
In this episode, Rob is joined by Laura Tacho, CTO at DX, to explore the continually rising focus on developer experience and its impact on both engineers and businesses. They discuss how investing in developer experience is not just about making life easier for developers; it's also a smart business move that cuts down on waste and boosts efficiency. Laura emphasizes the importance of trusting developers to identify their own challenges, as they're the ones navigating the daily complexities of their work.

The conversation also touches on how recent global changes have influenced engineering leadership and made dev experience a higher priority. Laura shares her thoughts on the value of combining survey data with peer metrics to enhance developer experience.

If there's anyone you'd like to hear on the show, please reach out to us on X at @CircleCI!
CircleCI's CEO, Jim Rose, and CTO, Rob Zuber, sit down to discuss a few of the lessons learned as they grew CircleCI to $100M+ in revenue. In this video, they share insights about how to build a winning team, the key to finding and keeping product-market fit, and what it takes to future-proof your business against new technology like Generative AI. While the risk for startups is high, there are many ways SaaS platforms can stay ahead of the competition to come out on top. --- Support this podcast: https://podcasters.spotify.com/pod/show/getu-chandler/support
In this episode of The Confident Commit, Rob is joined by Birgitta Böckeler, Global Lead for AI-assisted software delivery at Thoughtworks, to dive deep into the dynamic world of GenAI and its impact on software development. They explore the shifting landscape of GenAI usage and adoption over the last 18 months, tackling critical questions like how to leverage fast-moving advancements without building solutions that become obsolete in weeks.

Birgitta shares her insights on when it might be better to build something yourself to avoid the instability of rapid technological change. They also discuss what aspects of AI she currently considers stable and which are still in flux. Birgitta issues a crucial warning: don't overestimate AI by using it as a band-aid to cover up deeper issues in your software pipeline.

Whether you're a seasoned developer or just curious about the future of software delivery, this episode offers valuable perspectives on navigating the complexities of AI in today's fast-paced tech environment.

Have someone in mind you'd like to hear on the show? Reach out to us on X at @CircleCI!
Discerning and Defining a Product Manager Role is S.10 E.2 n.142 of the FSG Messaging and Optics Podcast, Wait What Really OK, hosted by Messaging and Optics Strategist Loren Weisman. Derrick is the guest on this episode of Wait What Really OK. Together Loren and Derrick dig into the ins, outs, ups and downs of Product Managers. In this episode, Derrick helps with the discerning and defining when it comes to an effective product manager, as well as some red flags to watch out for and many of the attributes to look for.

This podcast is raw, real and true. Done in one take, a little EQ and up… Proud of the flubs, the ums and the uhs. This was unscripted and in the moment. Derrick did not have the questions in advance.

Derrick Boudwin is a qualified Director of Product Engineering with over 15 years' experience leading international cross-functional teams, using people-centric strategies to develop software resulting in successful, patented, and disruptive products. Derrick is also versed in the programming languages Python, Bash, Visual Basic, PowerShell, SQL, Ruby and Java, as well as being familiar with tools and technologies that include AWS, GCP, Azure, TensorFlow, Docker, Ansible, Terraform, Jenkins, CircleCI, Git, OpenCV, Pivotal, Jira, and Confluence.

To talk to Derrick about any or all things Product Manager related, or to get some help in your product manager search or assistance in interviewing or reviewing your candidates, email: Derrick@DerrickBoudwin.com

*Loren Weisman is a Messaging and Optics Strategist. Starting as a session/ghost drummer and then music producer, Loren has 700 album credits across major and indie labels as drummer and producer. He then shifted to TV production with credits for ABC, NBC, FOX, CBS, TLC and more, including reality shows, infomercials, movies and documentaries. Loren wrote three internationally published and distributed books, including Wiley and Sons' "Music Business for Dummies" and GreenLeaf's "The Artist's Guide to Success in the Music Business." https://lorenweisman.com/

* © 2024 Loren Weisman / Fish Stewarding Group All Rights Reserved ® ℗ *
In this episode of The Confident Commit, Rob is joined by Heidi Helfand, author of Dynamic Reteaming. Together, they explore the components of exceptional teams and strategies for building them to deliver better software faster.

They delve into the definition of performance and the importance of aligning on what "high-performing" means for individual roles and the team as a whole. They also discuss the distinction between high-performing teams and high-performing individuals.

The conversation covers how to structure great teams and the benefits of involving team members in the reteaming decision process. Heidi shares insights on why splitting up high-performing teams to create more high-performing teams often fails, and suggests alternative approaches for achieving better results.

Have a guest in mind for the podcast? Reach out to us on X at @CircleCI!
In this episode, Rob sits down with Ken Rose, CTO of OpsLevel, to delve into the evolving landscape of platform teams and the pressing challenges they face. Together, they explore OpsLevel's mission to tackle the mounting complexities encountered by modern organizations.

Ken sheds light on the pressing issue of accomplishing "more with less" amidst the backdrop of economic uncertainty. With organizations operating on leaner software teams, yet still expected to deliver value to customers, the discussion delves into strategies for simplifying operations and maximizing efficiency. From grappling with the complexities of growth through acquisitions to leveraging investments for streamlined processes, the conversation offers insights for leaders navigating these turbulent waters.

The dialogue underscores the pivotal role of leadership in easing the burden of complexity for team members. How can leaders effectively support their teams in navigating these challenges and fostering a culture of efficiency and innovation?

Eager to hear from a specific guest on the podcast? Reach out to us on X at @CircleCI!
Today Rich Steinmetz returns for a discussion that touches on switching between languages, both spoken and programming, structuring tests, getting the most out of reading a book, buying an existing business, struggles with CircleCI and GitHub Actions, my project SaturnCI, and the need for better APIs.

- The Beginning of Infinity by David Deutsch
- The SaaS Playbook by Rob Walling
- Start Small, Stay Small by Rob Walling
- Acquire.com
- Flippa.com
- Rich Steinmetz on Twitter
- Rich Stone.io
Emmanuel, Guillaume and Arnaud discuss the summer's news: JEPs, the transactional outbox pattern with Spring, an LLM in Chrome, the polyfill.io compromise, TOTP, unlimited leave, and paid or free IDEs?

Recorded on 12 July 2024

Download the episode: LesCastCodeurs-Episode-314.mp3

News

Languages

The feature set of JDK 23 was frozen in early June (release planned for September)
https://openjdk.org/projects/jdk/23/
https://www.youtube.com/watch?v=kzjGp7LmW0I
Final JEPs:
- 467: Markdown Documentation Comments
- 471: Deprecate the Memory-Access Methods in sun.misc.Unsafe for Removal
- 474: ZGC: Generational Mode by Default
Incubating / preview JEPs:
- 455: Primitive Types in Patterns, instanceof, and switch (Preview)
- 466: Class-File API (Second Preview)
- 469: Vector API (Eighth Incubator)
- 473: Stream Gatherers (Second Preview)
- 476: Module Import Declarations (Preview)
- 477: Implicitly Declared Classes and Instance Main Methods (Third Preview)
- 480: Structured Concurrency (Third Preview)
- 481: Scoped Values (Third Preview)
- 482: Flexible Constructor Bodies (Second Preview)

Libraries

The transactional outbox pattern with Spring Boot
https://www.wimdeblauwe.com/blog/2024/06/25/transactional-outbox-pattern-with-spring-boot/
- the transactional outbox avoids two-phase commit (2PC) or resources getting out of sync: typically a commit to a database plus a message sent to a bus
- the message is written to a table in the database, and a separate process picks the messages up and sends them to the bus
- the implementation uses Spring Integration; in the article the second resource is sending an email
- shows a testing approach
- the flow described with Spring Integration is not trivial to read when you are not familiar with it, but it polls the table every second, sends the email and, if the service call succeeds, removes the message from the table
- a second example uses Spring Modulith, which has an internal event bus that can be persisted
- describes the differences from Spring Integration and the limits of the Modulith approach (message order, retry, etc.)

How to test different property values in a Quarkus test
https://quarkus.io/blog/overriding-configuration-from-test-code/
- we tend not to test configuration properties
- this post shows 5 (well, 4 useful) ways to do it with Quarkus: test profiles, mocking the config object, test components (experimental), constructor injection

Quarkus 3.12
https://quarkus.io/blog/quarkus-3-12-0-released/
- centralised TLS configuration
- support for load shedding (rejecting requests when the service is overloaded)
- Quarkus-specific JFR events
- native image agent support
- Spring Boot 3 (compatibility layer)
- Kotlin 2 support
- etc.

Cloud

In a previous episode we told you about the problem of S3 costs incurred by unauthorised requests. It was Grafana Loki that put this problem in the spotlight
https://grafana.com/blog/2024/06/27/grafana-security-update-grafana-loki-and-unintended-data-write-attempts-to-amazon-s3-buckets/
- the problem came from the default values of the buckets declared in Loki's Helm chart, in particular the one named 'chunks'

Data and Artificial Intelligence

Guillaume had shared the news that a mini LLM would soon be available in Chrome. It is now a reality and you can test it.
https://ai-sdk-chrome-ai.vercel.app/
- requires Chrome 127 (stable version from mid-July)
- uses the Vercel AI SDK

Guillaume tells us about all the new features related to Google's Gemini model in the latest LangChain4j release
https://glaforge.dev/posts/2024/07/05/latest-gemini-features-support-in-langchain4j/

Tooling

1% of Maven Central users consume 83% of its bandwidth. Install a repository manager that acts as a proxy (and do it for every type of dependency)!!!
https://www.sonatype.com/blog/maven-central-and-the-tragedy-of-the-commons rien n'est réellement gratuit et l'abus d'une minorité peut nuire à l'ensemble. Cela fait maintenant plus de 20 ans que les communautés le répète: installer un gestionnaire de dépendances dans votre infrastructure (nexus, artifactory, CodeArtifact, …). En plus de protéger le bien commun cela vous permet de raffiner le filtrage des dépendances, d'assurer la reproductibilité de vos builds, d'optimiser les performances (et réduire les coûts) en ne téléchargeant que depuis votre propre infrastructure, etc … Maven Central est un commun qui ne coute rien à l'utilisteur mais qui est indispensable à tous 1000 milliards de téléchargements l'année dernière 83% de la bande passante consommé par 1% des IPs Beaucoup des ces IP viennent des companies les plus larges proxy pour réduire charge sur central, réduire couts ingress/egress ils vont implementer un mécanisme de throttling question est-ce que la concentration des IPs veut juste dire que c'est le dernier noeud mais que cacher n'est pas effectif pour eux et qu'il y a des milliers de clients derrière une IP? le trotting ferait mal et le proxy ne marche plus dans un monde ou le dev est dans le cloud et distribue géographiquement Comment mettre en place backstage, ici avec un projet Spring Boot utilisant CircleCi, Renovate, SonarCloud… https://piotrminkowski.com/2024/06/13/getting-started-with-backstage/ Cet article explique comment utiliser backstage pour fournir à vos équipes un template d'une application spring-boot. Elle est automatiquement crée sous forme d'un repository git(hub) avec les integrations classiques pour gérer la CI (via CircleCI), la qualité (via SonarCloud), la mise à jour de dépendances (via Renovate) et bien sur son référencement sur le portail backstage. 
tutoriel tres complet tres facilement remplacable pour un project avec votre technologie preferee (pas specifique a Spring Boot, ou Java) Architecture Que se passe t'il quand vous faites un push sur GitHub? https://github.blog/2024-06-11-how-we-improved-push-processing-on-github/ GitHub explique comment ils ont amélioré leur architecture, notamment en mettant en place Kafka pour distribuer les actions qui découlent d'un push sur GitHub. paralelisation des taches (avant sequentiel) limitation des dependances entre etapes effectuées lors d'un push plus de taches peuvent faire un retry un classique de decoupling via un EDA Sécurité Attaque du CDN polyfill.io https://sansec.io/research/polyfill-supply-chain-attack polyfill c'est un support de nouvelles fonctionalites dans les ancien navigateurs servi par cdn notamment une societe chinoise a achete le domaine et le github et injecte du malware qui pointe sur des serveurs qui servent le malware selectivement (device, admin ou pas, heure de la journée) Fastly et Cloudflare on des deploiements alternatiuve Une faille de sécurité, de type Remote Code Execution, vieille de 10ans, dans CocoaPods, un gestionnaire de dépendances très utilisé dans le monde Apple (macOS et iOS) https://securityboulevard.com/2024/07/cocoapods-apple-vulns-richixbw/ https://cocoapods.org/ / https://cocoapods.org/ est un gestionnaire de dépendances pour les projets Xcode. Les dependances (Pods) sont publiées sous forme de Specs qui sont référencées dans un Specs Repo (une sorte de Maven central mais seulement avec des metadonnées) CVE-2024-38366 est une vulnérabilité de type remote code execution avec un score CVSS de 10 La faille existait depuis 10 ans et a été corrigée en Sept 2023. Elle permettait d'avoir un accès root sur trunk.cocoapods.org qui stock les Specs. Elles auraient donc pu être modifiées sans que les auteurs ne s'en apperçoivent. 
Pas de preuve pour l'instant que la faille ait été exploitée Mieux comprendre la double authentification avec TOTP https://hendrik-erz.de/post/understanding-totp-two-factor-authentication-eli5 Cet article revient sur le fonctionnement de TOTP et comment l'implementer avec des exemples en python the QR code est une URL qui contient: le secret en base 32. le nom du totp, qui a fournit le TOTP, combien de chiffres et la durée de vie du TOTP pour generer les chiffres, prends le secret, le temps et hash le tout, prendre 4 bytes et les convertir le chiffres typiquement le serveur genere les deux d'avant, les deux d'apres et le courant pour comparer Loi, société et organisation L'équipe Apache Maven gagne le troisième prix BlueHats https://nlnet.nl/bluehatsprize/2024/3.html le projet remporte un gain de 10000€. Ce prix est organisé par le gouvernement français afin de récompenser les projets open sources les plus impactants. La clause de congés illimités en Europe https://www.osborneclarke.com/insights/why-your-unlimited-vacation-policy-may-be-of-limited-use-in-europe Les politiques de congés illimités, populaires aux États-Unis, ne sont pas aussi avantageuses en Europe. En Europe, les employeurs doivent suivre les congés pris pour respecter les minima légaux de quatre semaines par an donc ils ne peuvent pas economiser sur le faire de ne plus les gérer. Les congés illimités permettent aux US de ne plus à devoir les payer au départ de l'employé. En Europe les employeurs doivent payer les congés non utilisés lors de la fin du contrat. Les employés européens pourraient prendre davantage de congés, car ils sont mieux protégés contre le licenciement. Les jours de maladie sont plus cadrés en europe. 
Un employé qui souffre d'une maladie longue pourrait utiliser les congés illimités mais ce ne sont pas les même règles qui s'appliquent OpenDNS n'est plus disponible en France et au Portugal https://support.opendns.com/hc/en-us/articles/27951404269204-OpenDNS-Service-Not-Available-To-Users-In-France-and-Portugal A priori Cisco qui opère openDNS en a marre des demandes de restrictions spécifiques à nos pays et préfère donc retirer entièrement l'accès au service plutôt que de se conformer à la nième demande de restrictions qui faisait suite à la plainte du groupe Canal+ portant sur l'accès à des sites illicites de streaming pour du sport Ask Me Anything Salut ! Êtes-vous plutôt IDE payants (ex : IJ Ultimate, ou des plugins payants), ou ne jurez-vous que par des outils gratuits ? Un peu des deux ? Si adaptes du payant, ça ne vous déprime pas qu'un nombre considérable d'employeurs rechignent à nous payer nos outils ? Que “de toute façon VSCode c'est gratuit” (à prononcer avec une voix méprisante) ? Quid du confort, ou de la productivité et/ou qualité accrue quand on maîtrise de tels outils ? Merci ! 
Conférences La liste des conférences provenant de Developers Conferences Agenda/List par Aurélie Vache et contributeurs : 6 septembre 2024 : JUG Summer Camp - La Rochelle (France) 6-7 septembre 2024 : Agile Pays Basque - Bidart (France) 17 septembre 2024 : We Love Speed - Nantes (France) 17-18 septembre 2024 : Agile en Seine 2024 - Issy-les-Moulineaux (France) 19-20 septembre 2024 : API Platform Conference - Lille (France) & Online 25-26 septembre 2024 : PyData Paris - Paris (France) 26 septembre 2024 : Agile Tour Sophia-Antipolis 2024 - Biot (France) 2-4 octobre 2024 : Devoxx Morocco - Marrakech (Morocco) 7-11 octobre 2024 : Devoxx Belgium - Antwerp (Belgium) 8 octobre 2024 : Red Hat Summit: Connect 2024 - Paris (France) 10 octobre 2024 : Cloud Nord - Lille (France) 10-11 octobre 2024 : Volcamp - Clermont-Ferrand (France) 10-11 octobre 2024 : Forum PHP - Marne-la-Vallée (France) 11-12 octobre 2024 : SecSea2k24 - La Ciotat (France) 16 octobre 2024 : DotPy - Paris (France) 16-17 octobre 2024 : NoCode Summit 2024 - Paris (France) 17-18 octobre 2024 : DevFest Nantes - Nantes (France) 17-18 octobre 2024 : DotAI - Paris (France) 30-31 octobre 2024 : Agile Tour Nantais 2024 - Nantes (France) 30-31 octobre 2024 : Agile Tour Bordeaux 2024 - Bordeaux (France) 31 octobre 2024-3 novembre 2024 : PyCon.FR - Strasbourg (France) 6 novembre 2024 : Master Dev De France - Paris (France) 7 novembre 2024 : DevFest Toulouse - Toulouse (France) 8 novembre 2024 : BDX I/O - Bordeaux (France) 13-14 novembre 2024 : Agile Tour Rennes 2024 - Rennes (France) 20-22 novembre 2024 : Agile Grenoble 2024 - Grenoble (France) 21 novembre 2024 : DevFest Strasbourg - Strasbourg (France) 21 novembre 2024 : Codeurs en Seine - Rouen (France) 27-28 novembre 2024 : Cloud Expo Europe - Paris (France) 28 novembre 2024 : Who Run The Tech ? 
- Rennes (France) 3-5 décembre 2024 : APIdays Paris - Paris (France) 4-5 décembre 2024 : DevOpsRex - Paris (France) 4-5 décembre 2024 : Open Source Experience - Paris (France) 6 décembre 2024 : DevFest Dijon - Dijon (France) 22-25 janvier 2025 : SnowCamp 2025 - Grenoble (France) 16-18 avril 2025 : Devoxx France - Paris (France) Nous contacter Pour réagir à cet épisode, venez discuter sur le groupe Google https://groups.google.com/group/lescastcodeurs Contactez-nous via twitter https://twitter.com/lescastcodeurs Faire un crowdcast ou une crowdquestion Soutenez Les Cast Codeurs sur Patreon https://www.patreon.com/LesCastCodeurs Tous les épisodes et toutes les infos sur https://lescastcodeurs.com/
Developer relations have gone through quite an evolution over the years. In this reissued episode, Corey talks with Jeremy Meiss, former Director of DevRel and Community at CircleCI, about how DevRel has transitioned from a focus on conference appearances to a more strategic alignment with business objectives. Corey and Jeremy also discuss navigating career complexities during economic downturns, emphasizing the importance of maintaining relevance. They also touch on fostering open communication within organizations and the enduring value of personal interactions in professional communities.

Show Highlights:
(1:39) How CircleCI is using DevRel to help clients go from developers' laptops to production safely and sanely
(6:23) What DevRel means to Jeremy and why it's a problem that most people can't define it
(12:40) Why saying DevRel is part of product ignores much of what makes both roles unique
(15:36) Combating burnout from being able to perform your role but not feeling connected to what the company actually does
(21:30) How Jeremy sees DevRel evolving

About Jeremy:
Jeremy is the former Director of DevRel & Community at CircleCI, formerly at Solace, Auth0, and XDA. He is active in the DevRel Community, and is a co-creator of DevOpsPartyGames.com. A lover of all things coffee, community, open source, and tech, he is also house-broken, and (generally) plays well with others.

Links Referenced:
LinkedIn: https://www.linkedin.com/in/jeremymeiss/
Twitter: IAmJerdog - Jeremy's @DevOpsAms https://twitter.com/iamjerdog?lang=en

Sponsor:
Panoptica: https://www.panoptica.app/
In today's episode, we discuss the recent Gitloker attacks affecting GitHub repositories, extorting users by wiping repos and demanding communication via Telegram. We also cover DuckDuckGo's new AI Chat service offering anonymous access to chatbots like OpenAI's GPT-3.5 Turbo and Meta's Llama 3, and how the Muhstik botnet is exploiting a critical Apache RocketMQ flaw to enhance its DDoS capabilities.

Check out the full stories here:
https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/
https://arstechnica.com/information-technology/2024/06/duckduckgo-offers-anonymous-access-to-ai-chatbots-through-new-service/
https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: GitHub, extortions, Telegram, CronUp, cybersecurity, version control, hacking, ransomware, threat detection, security research, Germán Fernández, DuckDuckGo, AI Chat, privacy, OpenAI, Anthropic, Meta, Mistral, anonymous chat, Muhstik, botnet, Apache RocketMQ, CVE-2023-33246, vulnerability, DDoS, cryptocurrency mining, server security

Search Phrases:
Protect GitHub repositories from extortion attacks
Telegram used in GitHub ransomware extortion
CronUp reveals new GitHub security threat
DuckDuckGo AI Chat service privacy concerns
Muhstik botnet attacking Apache RocketMQ servers
CVE-2023-33246 vulnerability in Apache RocketMQ
Preventing cryptocurrency mining botnet attacks
Cybersecurity for version control systems
Anonymous AI chat services with privacy
Protecting servers from DDoS and botnet attacks

New Gitloker attacks wipe GitHub repos in extortion scheme
https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/

- GitHub Repositories Under Attack: Attackers are targeting and wiping GitHub repositories, then demanding victims contact them via Telegram. (Source: Sergiu Gatlan, June 6, 2024)
- Campaign Origin: Germán Fernández, a security researcher at CronUp, first spotted the ongoing campaign. Attackers use stolen credentials to compromise GitHub accounts and pose as cyber incident analysts.
- Modus Operandi: Attackers claim to steal data and create a backup. They rename repositories and add a README file instructing victims to reach out on Telegram for data recovery.
- GitHub Response: GitHub advises users to change passwords and enable two-factor authentication to secure their accounts. They recommend additional measures like passkeys for secure, passwordless logins, and reviewing account security logs for suspicious activity.
- Preventative Measures: Enable two-factor authentication. Add a passkey for secure, passwordless login. Review and revoke unauthorized access to SSH keys, deploy keys, and authorized integrations. Verify all email addresses associated with your account. Regularly review recent commits and collaborators for each repository. Manage webhooks on your repositories. Check for and revoke any new deploy keys.
- History of Attacks: This isn't the first time GitHub accounts have been compromised. In March 2020, hackers stole over 500GB of files from Microsoft's private repositories. In September 2020, a phishing campaign targeted GitHub users with fake CircleCI notifications to steal credentials and 2FA codes.
- Engagement Opportunity: Are you using all the recommended security measures for your GitHub account? Check your settings today and share your experience with us!
- Call to Action: Stay vigilant and regularly update your security practices. If you experience any suspicious activity, report it immediately to GitHub support.

DuckDuckGo offers "anonymous" access to AI chatbots through new service
https://arstechnica.com/information-technology/2024/06/duckduckgo-offers-anonymous-access-to-ai-chatbots-through-new-service/

- DuckDuckGo Launches AI Chat Service: DuckDuckGo introduces a new "AI Chat" service, allowing users to converse with mid-range large language models (LLMs) from OpenAI, Anthropic, Meta, and Mistral. This service aims to preserve user privacy and anonymity while offering AI chatbot interactions.
- Privacy Measures in Place: DuckDuckGo ensures chats are anonymized by removing metadata and IP addresses. The company has agreements with model providers to delete any saved chats within 30 days and not use them for AI model training.
- Access and Usage: Users can access the AI Chat service for free within daily limits through the DuckDuckGo search engine, direct site links, or using the "!ai" and "!chat" shortcuts. The AI Chat feature can be disabled in settings for users with accounts.
- Models Available: The service features OpenAI's GPT-3.5 Turbo, Anthropic's Claude 3 Haiku, Meta's Llama 3, and Mistral's Mixtral 8x7B. While these models are capable, they are known to produce inaccurate information, known as "confabulations."
- Utility and Limitations: Despite privacy protections, the utility of the service is questionable due to the tendency of the available models to produce errors. More advanced models like GPT-4 are not included, potentially limiting the service's usefulness.
- Future Plans: DuckDuckGo hints at future paid plans that may include higher usage limits and access to more advanced AI models.
- Caution Advised: Users should verify the information produced by these AI chatbots, as they can generate text with limited and sometimes outdated information. DuckDuckGo advises against relying on AI Chat outputs for professional advice without additional verification.

Muhstik Malware Targets Message Queuing Services Applications
https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html

Flash Briefing: Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks
- Muhstik Botnet Overview: Muhstik targets IoT devices and Linux-based servers. Known for DDoS attacks and cryptocurrency mining. [Source: Aqua Security]
- Apache RocketMQ Vulnerability: CVE-2023-33246, a critical flaw with a CVSS score of 9.8. Allows remote code execution via RocketMQ protocol content or the update configuration function. [Source: Aqua Security]
- Exploitation Process: Attackers gain initial access by exploiting the vulnerability. They execute a shell script from a remote IP, retrieving the Muhstik binary ("pty3"). [Source: Nitzan Yaakov, Security Researcher]
- Persistence Mechanisms: Malware binary copied to multiple directories. /etc/inittab file edited to restart processes during Linux server boot. Binary named "pty3" to masquerade as a pseudoterminal and evade detection. Malware executed from memory (directories like /dev/shm, /var/tmp) to avoid leaving traces. [Source: Nitzan Yaakov]
- Capabilities and Objectives: Collects system metadata. Moves laterally over SSH. Establishes C2 communication via IRC for further instructions. Conducts flooding attacks to create denial-of-service conditions. Cryptomining detected as a secondary objective. [Sources: Aqua Security, Nitzan Yaakov]
- Current Exposure and Mitigation: 5,216 instances of Apache RocketMQ are still vulnerable. Organizations should update to the latest version to mitigate threats. [Source: Aqua Security]
- Broader Security Advice: AhnLab Security Intelligence Center (ASEC) highlights that poorly secured MS-SQL servers are also targeted. Use strong, periodically changed passwords. Apply the latest patches to prevent brute-force and vulnerability attacks. [Source: ASEC]
In this episode of Maintainable, Robby chats with Stig Brautaset, Staff Software Engineer at CircleCI. Stig shares his insights on maintaining well-documented but complex legacy code, the impact of team dynamics on software maintenance, and his experiences with the SBJSON library.

Stig discusses the characteristics of well-maintained software, emphasizing the importance of team experience, domain knowledge, and risk appetite. He reflects on his own career journey, highlighting the transition from overconfidence to a balanced approach to risk-taking.

A significant portion of the conversation delves into Stig's concept of "Alien Artifacts," which describes highly resistant legacy code written by highly skilled engineers. He explains the challenges of modifying such code and shares examples from his own experiences.

Stig also talks about his work on the SBJSON library, addressing the complexities of handling multiple versions and dependency conflicts. He advocates for developers maintaining the software they ship and discusses the balance between shipping features quickly and maintaining long-term code quality.

Key Takeaways
- The influence of team dynamics on software maintenance
- Understanding the concept of "Alien Artifacts" in legacy code
- Strategies for handling multiple versions of a software library
- The importance of developers being on call for the software they ship
- Managing different types of technical debt

Book Recommendation:
The Scout Mindset by Julia Galef

Helpful Links:
Stig Brautaset on LinkedIn
Alien Artifacts Blog Post
SBJSON Library
CircleCI
The Confident Commit Podcast

Want to share your thoughts on this episode? Reach out to Robby at robby@maintainable.fm.

Thanks to Our Sponsor!
Turn hours of debugging into just minutes! AppSignal is a performance monitoring and error tracking tool designed for Ruby, Elixir, Python, Node.js, Javascript, and soon, other frameworks. It offers six powerful features with one simple interface, providing developers with real-time insights into the performance and health of web applications. Keep your coding cool and error-free, one line at a time! Check them out!

Subscribe to Maintainable on:
Apple Podcasts
Spotify
Or search "Maintainable" wherever you stream your podcasts.

Keep up to date with the Maintainable Podcast by joining the newsletter.
We often talk about promotions and growth, but the moment the conversation shifts towards paths to staff or executive positions, the advice goes blank. There is very little actionable information out there that can tell you how to get to the highest echelons of leadership. To get a clearer picture on this topic, I sat down with Lena Reinhard, a seasoned executive with an extensive track record at CircleCI, Travis CI, and more. Lena shares her insights on the best ways to accelerate career growth in the tech space, answers thorny questions such as “Why are executives hired from the outside?”, and provides some candid takes on why taking things slow can sometimes pay off in the end.
From malware developers targeting child exploiters with ransomware, to major cloud services exposing credentials, learn how digital vigilantes and technological oversights shape online security. Featuring insights on the United Nations' latest ransomware dilemma, uncover the intricate web of cybersecurity challenges faced globally.

URLs for Reference:
Malware Dev lures child exploiters into honeytrap to extort them
AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs
United Nations agency investigates ransomware attack, data theft

Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: cybersecurity, ransomware, malware, cloud security, digital threats, cyber vigilantes, tech giants, United Nations, cyber attack, data theft, CryptVPN, AWS, Google Cloud, Azure, CLI tools, BleepingComputer, The Hacker News

Search Phrases:
Cyber vigilante justice malware extortion
Cloud CLI tools security vulnerabilities
United Nations cyberattack investigation
CryptVPN ransomware against child exploiters
AWS, Google, and Azure CLI tools leaking credentials
Impact of ransomware on global organizations
Cybersecurity threats in cloud computing
Cybersecurity tactics against illegal online activities
Data breach at United Nations agency
New trends in cyber threats and digital security

Transcript: Apr 22

Malware developers are now targeting individuals seeking child exploitation material, employing CryptVPN ransomware to extort them by locking their systems and demanding payment, as revealed by Bleeping Computer. What methods are these developers using, and why do I want them to succeed?

Leaky CLI, a vulnerability discovered by Orca in AWS, Google, and Azure CLI tools, is exposing sensitive credentials in build logs, putting countless organizations at risk of cyber attacks. What measures can organizations take to prevent sensitive credentials from being exposed by build logs?

Finally, hackers have infiltrated the United Nations Development Program's IT systems, stealing sensitive human resources data from its global network dedicated to fighting poverty and inequality.

You're listening to the Daily Decrypt.

Malware developers are now turning their tactics against individuals seeking child exploitation material, specifically targeting them with ransomware designed to extort money by feigning legal action. This new strain of malware, dubbed CryptVPN, was recently analyzed by Bleeping Computer after a sample was shared with the cybersecurity researcher MalwareHunterTeam. CryptVPN tricks users into downloading a seemingly harmless piece of software, which then locks the user's desktop and changes their wallpaper to a menacing ransom note. The ploy begins with a decoy website that impersonates Usenet Club, a purported subscription service offering uncensored access to downloadable content from Usenet, which is an established network used for various discussions, which unfortunately also includes illegal content. The site offers several subscription tiers, but the trap is set with the free tier, which requires the installation of the CryptVPN software to access the supposed free content.

Now to be honest, I feel like I don't even want to give away these clues to any child predators that may be listening. So I'm going to stop there as far as how the attack works, but I'm really glad that attackers have found this vector, because people who are partaking in illegal activities have a lot to lose and are often pretty scared, you know, unless they're complete psychopaths. And so if someone's able to get the information or lure people into these websites... You know, this reminds me of something that happened to me back in my single days. And those of you who know me personally can validate the authenticity of this story, but it might sound a little crazy to just an average listener. But swiping on Tinder, matched with someone, they didn't really want to chat too much, they just wanted to start sending nude photographs. And I personally, it's not my thing, but let's just say I'm not going to unmatch this person for offering. And so nude photographs came through, there was no exchange, but they did ask for photographs of myself, which I was not interested in sending. And in fact, I wasn't really interested in pursuing anyone who would just jump in and send nude photographs. So I stopped talking to them. And about a couple of days later, I got a phone call from someone claiming to be the police department, saying that they had gotten my number from this girl's dad, and she's underage, and now they have proof that I've been sending nude photographs to this underage person. Well, I don't know. They accused me of that and that never happened. So immediately I knew it was a scam. But let's just say hypothetically that I had sent pictures to this person. I would be pretty scared receiving this threat. Because my whole life would change, right? If I became a child predator or a sexual predator or whatever it's called, then like a lot of stuff changes. And at the time I was in the military, so that was the end of my military career or whatever. So it's very similar to that. If you're doing something wrong and you get caught in a trap, you're very likely to pay the ransom. So first of all, don't mess around with children online. Don't do illegal sexual things. And you have nothing to worry about with this scam. So please stop doing that. Don't do that. And you've got nothing to worry about.

It's been recently unveiled that command line interface tools from tech giants such as Amazon Web Services and Google Cloud are susceptible to exposing sensitive credentials in build logs, presenting a substantial security hazard to enterprises. This vulnerability, which the cloud security firm Orca has dubbed Leaky CLI, involves certain commands on the Azure CLI, AWS CLI, and Google Cloud CLI that could reveal environment variables. Roy Nizmi, a prominent security researcher, highlights in a report to The Hacker News that, quote, some commands can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions. In response, Microsoft has proactively addressed this security lapse in its November 2023 update, designating it with the CVE identifier CVE-2023-36052, which carries a critical CVSS score of 8.6 out of 10. Conversely, Amazon and Google view the exposure of environment variables as an anticipated behavior, advising organizations to refrain from storing secrets within these variables. Instead, they recommend using specialized services like AWS Secrets Manager or Google Cloud Secret Manager, which is a great recommendation. Furthermore, Google has advised users of its CLI tools to employ the --no-user-output-enabled option, which prevents the printing of command output to the terminal, thereby mitigating the risk of data leaks. Orca has also identified several instances on GitHub where projects inadvertently leaked access tokens and other sensitive data through continuous integration and deployment tools, including GitHub Actions, CircleCI, TravisCI, and CloudBuild, which is always going to be a problem. Take those pull request reviews seriously. Nimzy warns, if bad actors get their hands on these environment variables, this could potentially lead to viewing sensitive information, including credentials such as passwords, usernames, and keys, which could allow them to access any resources that the repository owners can. He added that CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, or continuous integration, continuous development, they may pose a security threat. This ongoing issue underscores the critical need for heightened security measures within cloud computing environments. Go out there, get you a new cloud job, my guys.

Finally, the United Nations Development Program, or UNDP, has launched an investigation into a significant cyber attack where intruders compromised its IT systems, resulting in the theft of critical human resources data. So, human resources data sounds pretty benign to me, like, the way that that's framed seems like nothing, but think about what data Human Resources has. It's the crown jewels. They've got your social security number for your W-2 form, they've got your previous jobs, they've got your address, they've got your email address, they've got everything. So Human Resources data is nothing to bat an eye at. The agency, which is a cornerstone of the United Nations' efforts to combat poverty and inequality worldwide, confirmed the breach occurred in late March within the local IT infrastructure for the United Nations. Following the detection of the breach on March 27th, thanks to a threat intelligence alert, UNDP acted swiftly. Quote, actions were immediately taken to identify a potential source and contain the affected server, as well as to determine the specifics of the exposed data and who was impacted. The ongoing investigation seeks to fully understand the incident's nature and scope, as well as its impact on individuals whose information was compromised, but to further complicate matters, the 8Base ransomware gang, a group known for its broad attacks on various industries, claimed responsibility for the data theft. On the same day as the breach, they added a new entry for UNDP on their dark web leak site. The documents leaked, according to the attackers, contain a huge amount of confidential information, ranging from personal data to financial records and employment contracts. This cyberattack is not the first the United Nations has suffered. Previous breaches have struck the United Nations Environmental Program and key United Nations networks in Geneva and Vienna, showcasing ongoing vulnerabilities within UN IT systems. Meanwhile, the 8Base group, which claims to target companies neglecting data privacy, continues its surge of attacks, having listed over 350 victims on its data leak site to date. So if you're listening and you know your company is rejecting some data privacy protocols, maybe use this story as incentive to get them to pay more attention to this.

That's all we got for you today. Happy Monday. Thanks so much for listening. Please head over to our social media accounts, Instagram, Twitter, Twitter.com, YouTube. Give us a follow, give us a like, and send us a comment. We'd love to talk. And we'll be back tomorrow with some more news.
In this episode, Rob is joined by Luis Ceze, CEO of OctoAI and a distinguished professor of computer science at the University of Washington. Together, they unpack the surge of interest in AI, attributing it to the convergence of factors like the unprecedented availability of data thanks to the internet boom and the accessibility of powerful computing resources.

Their conversation delves into the pragmatic challenges developers face, such as striking the right balance between cost-effectiveness, inference speed, and ensuring scalability and availability. Luis explains how OctoAI is pioneering solutions to streamline this process, empowering developers to navigate these complexities automatically.

Luis shares invaluable insights into the strategic benefits of diversifying AI models, likening the approach to the artistry of a skilled mixologist crafting a perfectly balanced cocktail.

Have a guest recommendation for the podcast? Reach out to us on X at @CircleCI and let us know!
It doesn't matter if you have an innovative technical strategy if you're not solving problems the business cares about… This week, host Conor Bronsdon sits down with Rob Zuber, CTO at CircleCI. They delve into the evolving role of engineering leaders, and the importance of building a technical strategy that aligns with overarching business goals.
Throughout the conversation, Rob emphasizes the importance of focusing on customer needs, gathering direct feedback and maintaining strategic flexibility. If you're interested in understanding the balance between technical strategy and business leadership, this episode provides a wealth of knowledge, strategies, and real-world examples.
Episode Highlights:
01:38 Crafting technical strategy for teams at CircleCI
07:26 How engineering leaders can make the most informed choices about their business
17:47 Using postmortems to fuel a growth mindset
22:39 Applying hypotheses to be prepared for worst-case scenarios
27:43 Why CTOs need to focus on solving business problems first, then technical strategy
30:30 Why engineering leaders need to form a close relationship with finance
33:17 Advice for ICs or Directors on becoming a business leader
39:17 Rob's approach to building trust and organizational design
44:36 How can I prepare for being a technical founder?
55:12 What is CircleCI doing in ML?
Show Notes: Modern Software Engineering
Support the show: Subscribe to our Substack. Leave us a review. Subscribe on YouTube. Follow us on Twitter or LinkedIn.
Offers: Learn about Continuous Merge with gitStream. Get your DORA Metrics free forever.
In this episode, Rob is joined by Carolyn Mooney, the CEO of Nextmv, a decision ops platform. As a seasoned expert in Decision Science, Carolyn delves into the nuanced differences in decision optimization and logistics across various industries, drawing from her experiences at Zoomer and Grubhub.
The conversation unfolds around the decision maturity life cycle, exploring how companies progress from manual spreadsheet decisions to fully automated systems. They reflect on the impact of the pandemic on supply chain issues, emphasizing the heightened awareness of logistics' significance. Carolyn shares insightful perspectives on the fundamental role of optimization for efficiency in sustainability initiatives.
With the transformative impact of increased AI awareness in logistics, Rob and Carolyn share the importance for all companies to contemplate the options and potential for enhancing their organizational efficiency.
Have someone you'd like to hear on the podcast? Reach out to us on X at @CircleCI!
In this episode, Rob is joined by Patrick Debois, a seasoned industry expert and DevOps pioneer. Patrick shares his personal odyssey within the realm of DevOps, reflecting on the current state of the industry compared to his initial expectations. The conversation delves into the convergence of business analytics and technical analytics, exploring innovative approaches developers are adopting to integrate generative AI into their products.
The two explore predictions for the year 2024, pondering whether the landscape will witness a pronounced shift towards applications or if other technical transformations will take precedence.
If you have suggestions for future podcast guests, connect with us on X at @CircleCI!
Get in touch with Patrick:
LinkedIn: https://www.linkedin.com/in/patrickdebois/
YouTube: https://youtube.com/@jedi4ever
This episode of Software Engineering Daily is part of our on-site coverage of AWS re:Invent 2023, which took place from November 27th through December 1st in Las Vegas. In today's interview, host Jordi Mon Companys speaks with Rob Zuber who is the CTO at CircleCI. Jordi Mon Companys is a product manager and marketer that The post AWS re:Invent Special: CircleCI with Rob Zuber appeared first on Software Engineering Daily.
Welcome back to another episode of Content Amplified. In this episode, we interview Julia McClellan, Senior Content Marketing Manager at CircleCI.
What you'll learn in this episode:
Budget-Friendly Content Creation: Julia shares insights on producing high-quality, cost-effective content. She emphasizes learning essential tools like Adobe Premiere Pro for video and audio editing, especially when working with limited budgets.
Prioritizing Quality over Quantity: The importance of focusing on creating high-quality content that resonates with your audience, rather than producing a high volume of mediocre content.
Effective Use of Contractors: Julia talks about her experiences with contractors, highlighting the balance between speed and cost, and how to choose the right one based on your budget and project requirements.
Content Recycling for Cost Savings: Discover how recycling content, like reusing animations or converting blog posts into videos, can be a significant budget saver.
Investment in Successful Content: Julia recommends investing in content that shows proven success, using examples like product demos with high conversion rates.
Distribution Strategies on a Tight Budget: Learn about the best practices for distributing content effectively without overspending, with a focus on SEO and organic social channels.
Analyzing Success Metrics: Julia discusses different metrics for measuring content success, from brand awareness (impressions) to conversion rates, and how these metrics align with organizational goals.
This episode is packed with valuable insights from Julia on making the most of your content marketing budget, especially in challenging economic times. Tune in for practical tips and strategic advice that can transform your approach to content creation and distribution.
In this episode Rob is joined by Dave Farley, software legend and author of the books "Continuous Delivery" and "Modern Software Engineering". The two tackle the essence of software development culture and the current state of software delivery. They unpack why it's important to prioritize problem-solving abilities over technical skills when it comes to hiring, emphasizing a healthy culture and the need for continuous learning on the job.
Reflecting on the past 25 years in the industry, the conversation centers on acknowledging mistakes, aiming to shorten development cycles for rapid feedback and progress. Exploring the intersection of aviation history and modern software development, Dave draws parallels with the Wright Brothers' approach to engineering and iteration.
Listen in as Dave shares insights on AI automated testing and its current inability to rival the human brain, and discover the must-read books he recommends for every software developer.
Connect with us on Twitter/X at @CircleCI to share your thoughts or suggest future guests for the show!
In today's episode, Rob is joined by CircleCI's own Aisling Conroy. Aisling, a key player in CircleCI's product marketing and competitive intelligence, provides a window into the thoughts of analysts in the ever-evolving CI/CD space. Their discussion explores how the power of diverse perspectives in problem-solving can yield many different types of product offerings.
They discuss the intricate nature of software developers as unique and discerning customers, recognizing developers' inherent problem-solving abilities. The episode unfolds with insights into emerging trends in the tooling space and the promising potential for increased collaboration between developers and customer-facing teams.
Have someone you'd like to hear on the podcast? Reach out to us on Twitter/X at @CircleCI!
In this episode, Rob sits down with Lewis Menelaws from Coding with Lewis, a prominent social media influencer and content creator specializing in entertaining and empowering software developers. Together, they explore the evolving landscape of learning the craft, drawing comparisons between the present day and the learning experiences of 25 years ago.
The conversation delves into the transformative impact of AI on the learning process, and Lewis shares valuable insights on how senior leaders and developers can effectively guide and empower the upcoming generation of developers. Tune in for a thoughtful discussion on the past, present, and future of software development education.
Have someone you'd like to hear on the podcast? Reach out to us on X/Twitter at @CircleCI!
In this episode, Rob explores the fascinating crossroads of machine learning and software engineering with Gideon Mendels, the co-founder and CEO of Comet ML. Gideon navigates the often ambiguous world of training ML models, focusing on building a common language between software engineers and data science teams.
Gain valuable insights into fostering mutual understanding between these two disciplines and aligning the possibilities of ML with organizational needs in this thought-provoking episode.
Have someone you'd like to hear on the podcast? Reach out to us on Twitter/X at @CircleCI!
It's easy to feel like you're on your own lonely marketing island. You're so focused on what you're doing that your process starts to feel stale. Wouldn't it be helpful to hear how other marketers are driving sales? Especially if those marketers are at companies like G2, Deel and Gigster; successful names in B2B that know what works, and are pushing the envelope for what B2B content could look like. That's what we're bringing to you this week. In this episode, we're wrapping up Season 3 by highlighting the winning content strategies from top B2B brands. You'll leave with new ideas and insights to use on your very next campaign. So all aboard, we're getting you off that lonely island on this episode of Remarkable.
About our guests:
Kim Courvoisier, Senior Director of Content Marketing at Lob
Gillian Jakob Kieser, Director of Content Marketing at CircleCI
Anja Simic, Director of Content Marketing at Deel
Martha Aviles, Vice President of Marketing at Gigster
Palmer Houchins, VP and Head of Marketing at G2
Meghan Barr, VP of Brand, Content and Communications at ZoomInfo
Johann Wrede, CEO at Emburse
Chris Sheen, Director of Content and Social at Celonis
Jérôme Robert, CMO and Chief of Staff at Tenable
What B2B Companies Can Learn From Season 3 of Remarkable:
Provide some free, valuable content to your audience. It proves that your product is worth the investment and helps you establish domain authority. Gillian Jakob Kieser, Director of Content Marketing at CircleCI says, “When we were smaller, we were really banking on utility. So we invested a lot in single pieces of content that people would share because there was nothing better than it. So once you saw it, you would have to pass it on. An example is our team open sourced our entire competency matrix and wrote about how we developed it. And that's a document that is like five years old and it's an open Google doc. Every time I go on there, there's still like 12 Anonymous Raptors on there using the content. And that was worth it because they've become tools. And that's been a great marketing strategy.”
Create content for people at different points in the buying process. Your content should look different for people who are just exploring their options vs. people who are ready to make a purchase. Anja Simic, Director of Content Marketing at Deel says, “The readiness to purchase is very important when you think about content marketing.” She says you can think of it like the marketing funnel. “Top of the funnel content is informational, it's educational. It's a lot of articles or listicles, and lighter content. Closer to the middle of the funnel, your content needs to be a bit more product heavy. It needs to talk about specific solutions, specific questions that your prospects may have. But not all of it has to be salesy and pushy, because they're just considering. They're exploring their options. And then the very bottom of the funnel is where you really push them over the edge. They're really thinking about it. They're considering your product, and know enough about it.”
Make something different. Get away from the B2B content formula. Jérôme Robert, CMO and Chief of Staff at Tenable says the risk in making something outside-the-box is overstated. He says, “Notably in an industry where marketing, the marketing practices are very mature and very identical from one company to another, there's very, very little downside in standing out, in doing something that is entirely different.” He says, “Worst case scenario, it's not going to get a lot of engagement. But I don't think anyone would laugh at you or discard you as a company because you did something different. I think people respect the originality, the boldness, in doing something entirely different.”
Quotes:
“A lot of what we think about with content marketing is how do we show a bit more of the heart behind what we do? How do we make us not just a brand, but show that there's a real company and people behind that? If you are choosing a provider, you're actually going to choose those guys, you're going to bet on them.” - Chris Sheen, Director of Content and Social at Celonis
“Without trust, you can't do business. And today, buyers are really sophisticated. If we don't produce excellent content that genuinely seeks to inform, educate and help the customer, then they're just going to ignore it and they're going to go somewhere else. If you can create content that authentically seeks to inform and to add value, then you start to move into the trusted advisor quadrant.” - Johann Wrede, CEO at Emburse
“We are all bombarded with content every day. And so we try to cut through the noise and provide content that can help our audience do their jobs better. That's the overarching goal of everything that we create.” - Meghan Barr, VP of Brand, Content and Communications at ZoomInfo
Time Stamps:
[0:58] Introducing the Season 3 Roundup! Content strategies from…
[1:22] Kim Courvoisier from Lob
[2:38] Gillian Jakob Kieser of CircleCI
[4:38] Anja Simic of Deel
[7:17] Martha Aviles of Gigster
[8:28] Palmer Houchins of G2
[10:39] Meghan Barr of ZoomInfo
[12:09] Johann Wrede of Emburse
[16:44] Chris Sheen of Celonis
[19:37] Jérôme Robert of Tenable
Links:
Listen to the full Season 3 episodes, featuring:
Kim Courvoisier, Senior Director of Content Marketing at Lob
Gillian Jakob Kieser, Director of Content Marketing at CircleCI
Anja Simic, Director of Content Marketing at Deel
Martha Aviles, Vice President of Marketing at Gigster
Palmer Houchins, VP and Head of Marketing at G2
Meghan Barr, VP of Brand, Content and Communications at ZoomInfo
Johann Wrede, CEO at Emburse
Chris Sheen, Director of Content and Social at Celonis
Jérôme Robert, CMO and Chief of Staff at Tenable
About Remarkable!
Remarkable! is created by the team at Caspian Studios, the premier B2B Podcast-as-a-Service company. Caspian creates both non-fiction and fiction series for B2B companies. If you want a fiction series check out our new offering - The Business Thriller - Hollywood style storytelling for B2B. Learn more at CaspianStudios.com. In today's episode, you heard from Ian Faison (CEO of Caspian Studios) and Meredith Gooderham (Senior Producer). Remarkable was produced this week by Meredith Gooderham, mixed by Scott Goodrich, and our theme song is “Solomon” by FALAK. Create something remarkable. Rise above the noise.
In this episode, dive deep into the world of AI-enabled products and the push to explore and integrate them at CircleCI. Rob is joined by Aakar Shroff, CircleCI's VP of product. Aakar shares valuable insights into AI product development and how AI tools can be leveraged to streamline software delivery processes.
Rob and Aakar explore the fast-evolving AI landscape, including the convergence of different media formats and the future possibilities it holds for applications. Tune in to gain a deeper understanding of the potential of AI in software delivery and discover the exciting challenges and opportunities this ever-evolving field offers.
Michael Webster, principal engineer at CircleCI, talks to Rob about testing AI-enabled applications. In this episode, learn how to face the unique challenges posed by the probabilistic and non-deterministic nature of AI output, as well as the importance of subjective evaluation criteria. Webster covers how model-graded evals can be used to test AI applications, and the importance of caution in using this approach.
CircleCI gives AI/ML teams the tools they need to iterate quickly, deploy safely, and deliver value continuously. To learn more, visit: circleci.com/ai-ml/
Have someone you'd like to hear on the podcast? Reach out to us on Twitter/X at @CircleCI!
Adnan Khan, Lead Security Engineer at Praetorian, joins Corey on Screaming in the Cloud to discuss software bill of materials and supply chain attacks. Adnan describes how simple pull requests can lead to major security breaches, and how to best avoid those vulnerabilities. Adnan and Corey also discuss the rapid innovation at GitHub Actions, and the pros and cons of having new features added so quickly when it comes to security. Adnan also discusses his view on the state of AI and its impact on cloud security.
About Adnan
Adnan is a Lead Security Engineer at Praetorian. He is responsible for executing on Red-Team Engagements as well as developing novel attack tooling in order to meet and exceed engagement objectives and provide maximum value for clients. His past experience as a software engineer gives him a deep understanding of where developers are likely to make mistakes, and he has applied this knowledge to become an expert in attacks on organizations' CI/CD systems.
Links Referenced:
Praetorian: https://www.praetorian.com/
Twitter: https://twitter.com/adnanthekhan
Praetorian blog posts: https://www.praetorian.com/author/adnan-khan/
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Are you navigating the complex web of API management, microservices, and Kubernetes in your organization? Solo.io is here to be your guide to connectivity in the cloud-native universe! Solo.io, the powerhouse behind Istio, is revolutionizing cloud-native application networking.
They brought you Gloo Gateway, the lightweight and ultra-fast gateway built for modern API management, and Gloo Mesh Core, a necessary step to secure, support, and operate your Istio environment. Why struggle with the nuts and bolts of infrastructure when you can focus on what truly matters - your application. Solo.io's got your back with networking for applications, not infrastructure. Embrace zero trust security, GitOps automation, and seamless multi-cloud networking, all with Solo.io. And here's the real game-changer: a common interface for every connection, in every direction, all with one API. It's the future of connectivity, and it's called Gloo by Solo.io. DevOps and Platform Engineers, your journey to a seamless cloud-native experience starts here. Visit solo.io/screaminginthecloud today and level up your networking game.
Corey: As hybrid cloud computing becomes more pervasive, IT organizations need an automation platform that spans networks, clouds, and services—while helping deliver on key business objectives. Red Hat Ansible Automation Platform provides smart, scalable, sharable automation that can take you from zero to automation in minutes. Find it in the AWS Marketplace.
Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. I've been studiously ignoring a number of buzzword, hype-y topics, and it's probably time that I addressed some of them. One that I've been largely ignoring, mostly because of its prevalence at Expo Hall booths at RSA and other places, has been software bill of materials and supply chain attacks. Finally, I figured I would indulge the topic. Today I'm speaking with Adnan Khan, lead security engineer at Praetorian. Adnan, thank you for joining me.
Adnan: Thank you so much for having me.
Corey: So, I'm trying to understand, on some level, where the idea of these SBOM or bill-of-material attacks have—where they start and where they stop. I've seen it as far as upstream dependencies have a vulnerability. Great.
I've seen misconfigurations in how companies wind up configuring their open-source presences. There have been a bunch of different, it feels almost like orthogonal concepts to my mind, lumped together as this is a big scary thing because if we have a big single scary thing we can point at, that unlocks budget. Am I being overly cynical on this or is there more to it?
Adnan: I'd say there's a lot more to it. And there's a couple of components here. So first, you have the SBOM-type approach to security where organizations are looking at which packages are incorporated into their builds. And vulnerabilities can come out in a number of ways. So, you could have software actually have bugs or you could have malicious actors actually insert backdoors into software.
I want to talk more about that second point. How do malicious actors actually insert backdoors? Sometimes it's compromising a developer. Sometimes it's compromising credentials to push packages to a repository, but other times, it could be as simple as just making a pull request on GitHub. And that's somewhere where I've spent a bit of time doing research, building off of techniques that other people have documented, and also trying out some attacks for myself against two Microsoft repositories and several others that have reported over the last few months that would have been able to allow an attacker to slip a backdoor into code and expand the number of projects that they are able to attack beyond that.
Corey: I think one of the areas that we've seen a lot of this coming from has been the GitHub Action space. And I'll confess that I wasn't aware of a few edge-case behaviors around this. Most of my experience with client-side Git configuration in the .git repository—pre-commit hooks being a great example—intentionally and by design from a security perspective, do not convey when you check that code in and push it somewhere, or grab someone else's, which is probably for the best because otherwise, it's, “Oh yeah, just go ahead and copy your password hash file and email that to something else via a series of arcane shell script stuff.” The vector is there. I was unpleasantly surprised somewhat recently to discover that when I cloned a public project and started running it locally and then adding it to my own fork, that it would attempt to invoke a whole bunch of GitHub Actions flows that I'd never, you know, allowed it to do. That was… let's say, eye-opening.
Adnan: [laugh]. Yeah. So, on the particular topic of GitHub Actions, the pull request as an attack vector, like, there's a lot of different forms that an attack can take. So, one of the more common ones—and this is something that's been around for just about as long as GitHub Actions has been around—and this is a certain trigger called ‘pull request target.' What this means is that when someone makes a pull request against the base repository, maybe a branch within the base repository such as main, that will be the workflow trigger.
And from a security perspective, when it runs on that trigger, it does not require approval at all. And that's something that a lot of people don't really realize when they're configuring their workflows.
Because normally, when you have a pull request trigger, the maintainer can check a box that says, “Oh, require approval for all external pull requests.” And they think, “Great, everything needs to be approved.” If someone tries to add malicious code to run that's on the pull request target trigger, then they can look at the code before it runs and they're fine.
But in a pull request target trigger, there is no approval and there's no way to require an approval, except for configuring the workflow securely. So, in this case, what happens is, and in one particular case against the Microsoft repository, this was a Microsoft reusable GitHub Action called GPT Review. It was vulnerable because it checked out code from my branch—so if I made a pull request, it checked out code from my branch, and you could find this by looking at the workflow—and then it ran tests on my branch, so it's running my code. So, by modifying the entry points, I could run code that runs in the context of that base branch and steal secrets from it, and use those to perform malicious Actions.
Corey: Got you. It feels like historically, one of the big threat models around things like this is al—[and when 00:06:02] you have any sort of CI/CD exploit—is either falls down one of two branches: it's either the getting secret access so you can leverage those credentials to pivot into other things—I've seen a lot of that in the AWS space—or more boringly, and more commonly in many cases, it seems to be oh, how do I get it to run this crypto miner nonsense thing, with the somewhat large-scale collapse of crypto across the board, it's been convenient to see that be less prevalent, but still there. Just because you're not making as much money means that you'll still just have to do more of it when it's all in someone else's account. So, I guess it's easier to see and detect a lot of the exploits that require a whole bunch of compute power. The, oh by the way, we stole your secrets and now we're going to use that to lateral into an organization seem like it's something far more… I guess, dangerous and also sneaky.
Adnan: Yeah, absolutely. And you hit the nail on the head there with sneaky because when I first demonstrated this, I made a test account, I created a PR, I made a couple of Actions such as I modified the name of the release for the repository, I just put a little tag on it, and didn't do any other changes. And then I also created a feature branch in one of Microsoft's repositories. I don't have permission to do that. That just sat there for about almost two weeks and then someone else exploited it and then they responded to it.
So, sneaky is exactly the word you could describe something like this. And another reason why it's concerning is, beyond the secret disclosure for—and in this case, the repository only had an OpenAI API key, so… okay, you can talk to ChatGPT for free. But this was itself a GitHub Action and it was used by another Microsoft machine-learning project that had a lot more users, called SynapseML, I believe was the name of the other project. So, what someone could do is backdoor this Action by creating a commit in a feature branch, which they can do by stealing the built-in GitHub token—and this is something that all GitHub Action runs have; the permissions for it vary, but in this case, it had the right permissions—attacker could create a new branch, modify code in that branch, and then modify the tag, which in Git, tags are mutable, so you can just change the commit the tag points to, and now, every time that other Microsoft repository runs GPT Review to review a pull request, it's running attacker-controlled code, and then that could potentially backdoor that other repository, steal secrets from that repository.
So that's, you know, one of the scary parts of, in particular backdooring a GitHub Action.
And I believe there was a very informative Black Hat talk this year, that someone from—I'm forgetting the name of the author, but it was a very good watch about how Actions vulnerabilities can be vulnerable, and this is kind of an example of—it just happened to be that this was an Action as well.
Corey: That feels like this is an area of exploit that is becoming increasingly common. I tie it almost directly to the rise of GitHub Actions as the default CI/CD system that a lot of folks have been using. For the longest time, it seemed like a poorly configured Jenkins box hanging out somewhere in your environment that was the exception to the Infrastructure as Code rule because everyone has access to it, configures it by hand, and invariably it has access to production was the way that people would exploit things. For a while, you had CircleCI and Travis-CI, before Travis imploded and Circle did a bunch of layoffs. Who knows where they're at these days?
But it does seem that the common point now has been GitHub Actions, and a .github folder within that Git repo with a workflows YAML file effectively means that a whole bunch of stuff can happen that you might not be fully aware of when you're cloning or following along with someone's tutorial somewhere. That has caught me out in a couple of strange ways, but nothing disastrous because I do believe in realistic security boundaries. I just worry how much of this is the emerging factor of having a de facto standard around this versus something that Microsoft has actively gotten wrong. What's your take on it?
Adnan: Yeah. So, my take here is that GitHub could absolutely be doing a lot more to help prevent users from shooting themselves in the foot. Because their documentation is very clear and quite frankly, very good, but people aren't warned when they make certain configuration settings in their workflows. I mean, GitHub will happily take the settings and, you know, they hit commit, and now the workflow could be vulnerable. There's no automatic linting of workflows, or a little suggestion box popping up like, “Hey, are you sure you want to configure it this way?”
The technology to detect that is there. There's a lot of third-party utilities that will lint Actions workflows. Heck, for looking for a lot of these pull request target-type vulnerabilities, I use a GitHub code search query. It's just a regular expression. So, having something that at least nudges users to not make that mistake would go really far in helping people not make these mista—you know, adding vulnerabilities to their projects.
Corey: It seems like there's also been issues around the GitHub Actions integration approach where OIDC has not been scoped correctly a bunch of times. I've seen a number of articles come across my desk in that context and fortunately, when I wound up passing out the ability for one of my workflows to deploy to my AWS account, I got it right because I had no idea what I was doing and carefully followed the instructions. But I can totally see overlooking that one additional parameter that leaves things just wide open for disaster.
Adnan: Yeah, absolutely. That's one where I haven't spent too much time actually looking for that myself, but I've definitely read those articles that you mentioned, and yeah, it's very easy for someone to make that mistake, just like, it's easy for someone to just misconfigure their Action in general. Because in some of the cases where I found vulnerabilities, there would actually be a commit saying, “Hey, I'm making this change because the Action needs access to these certain secrets.
And oh, by the way, I need to update the checkout steps so it actually checks out the PR head so that it's [testing 00:12:14] that PR code.” Like, people are actively making a decision to make it vulnerable because they don't realize the implication of what they've just done.
And in the second Microsoft repository that I found the bug in, was called Microsoft Confidential Sidecar Containers. That repository, the developer a week prior to me identifying the bug made a commit saying that we're making a change and it's okay because it requires approval. Well, it doesn't because it's a pull request target.
Corey: Part of me wonders how much of this is endemic to open-source as envisioned through enterprises versus my world of open-source, which is just eh, I've got this weird side project in my spare time, and it seemed like it might be useful to someone else, so I'll go ahead and throw it up there. I understand that there's been an awful lot of commercialization of open-source in recent years; I'm not blind to that fact, but it also seems like there's a lot of companies playing very fast and loose with things that they probably shouldn't be since they, you know, have more of a security apparatus than any random contributors standing up a clone of something somewhere will.
Adnan: Yeah, we're definitely seeing this a lot in the machine-learning space because of companies that are trying to move so quickly with trying to build things because OpenAI has blown up quite a bit recently, everyone's trying to get a piece of that machine learning pie, so to speak. And another thing of what you're seeing is, people are deploying self-hosted runners with Nvidia, what is it, the A100, or—it's some graphics card that's, like, $40,000 apiece attached to runners for running integration tests on machine-learning workflows. And someone could, via a pull request, also just run code on those and mine crypto.
Corey: I kind of miss the days when exploiting computers is basically just a way for people to prove how clever they were or once in a blue moon come up with something innovative. Now, it's like, well, we've gone all around the mulberry bush just so we can basically make computers solve a sudoku form, and in return, turn that into money down the road. It's frustrating, to put it gently.
Adnan: [laugh].
Corey: When you take a look across the board at what companies are doing and how they're embracing the emerging capabilities inherent to these technologies, how do you avoid becoming a cautionary tale in the space?
Adnan: So, on the flip side of companies having vulnerable workflows, I've also seen a lot of very elegant ways of writing secure workflows. And some of the repositories are using deployment environments—which is the GitHub Actions feature—to enforce approval checks. So, workflows that do need to run on pull request target because of the need to access secrets for pull requests will have a step that requires a deployment environment to complete, and that deployment environment is just an approval and it doesn't do anything. So essentially, someone who has permissions to the repository will go in, approve that environment check, and only then will the workflow continue. So, that adds mandatory approvals to pull requests where otherwise they would just run without approval.
And this is on, particularly, the pull request target trigger. Another approach is making it so the trigger is only running on the label event and then having a maintainer add a label so the tests can run and then remove the label. So, that's another approach where companies are figuring out ways to write secure workflows and not leave their repositories vulnerable.
Corey: It feels like every time I turn around, GitHub Actions has gotten more capable. And I'm not trying to disparage the product; it's kind of the idea of what we want. But it also means that there's certainly not an awareness in the larger community of how these things can go awry that has kept up with the pace of feature innovation. How do you balance this without becoming the Department of No?
Adnan: [laugh]. Yeah, so it's a complex issue. I think GitHub has evolved a lot over the years. Actions, it's—despite some of the security issues that happen because people don't configure them properly—is a very powerful product. For a CI/CD system to work at the scale it does and allow so many repositories to work and integrate with everything else, it's really easy to use. So, it's definitely something you don't want to take away or have an organization move away from something like that because they are worried about the security risks.
When you have features coming in so quickly, I think it's important to have a base, kind of like, a mandatory reading. Like, if you're a developer that writes and maintains an open-source software, go read through this document so you can understand the do's and don'ts instead of it being a patchwork where some people, they take a good security approach and write secure workflows and some people just kind of stumble through Stack Overflow, find what works, messes around with it until their deployment is working and their CI/CD is working and they get the green checkmark, and then they move on to their never-ending list of tasks that—because they're always working on a deadline.
Corey: Reminds me of a project I saw a few years ago when it came out that Volkswagen had been lying to regulators. It was a framework someone built called ‘Volkswagen' that would detect if it was running inside of a CI/CD environment, and if so, it would automatically make all the tests pass. I have a certain affinity for projects like that.
Another one was a tool that would intentionally degrade the performance of a network connection so you could simulate having a latent or stuttering connection with packet loss, and they call that ‘Comcast.' Same story. I just thought that it's fun seeing people get clever on things like that.Adnan: Yeah, absolutely.Corey: When you take a look now at the larger stories that are emerging in the space right now, I see an awful lot of discussion coming up that ties to SBOMs and understanding where all of the components of your software come from. But I chased some stuff down for fun once, and I gave up after 12 dependency leaps from just random open-source frameworks. I mean, I see the Dependabot problem that this causes as well, where whenever I put something on GitHub and then don't touch it for a couple of months—because that's how I roll—I come back and there's a whole bunch of terrifyingly critical updates that it's warning me about, but given the nature of how these things get used, it's never going to impact anything that I'm currently running. So, I've learned to tune it out and just ignore it when it comes in, which is probably the worst of all possible approaches. Now, if I worked at a bank, I should probably take a different perspective on this, but I don't.Adnan: Mm-hm. Yeah. And that's kind of a problem you see, not just with SBOMs. It's just security alerting in general, where anytime you have some sort of signal and people who are supposed to respond to it are getting too much of it, you just start to tune all of it out. It's like that human element that applies to so much in cybersecurity.And I think for the particular SBOM problem, where, yeah, you're correct, like, a lot of it… you don't have reachability because you're using a library for one particular function and that's it. 
And this is somewhere where I'm not that much of an expert in where doing more static source analysis and reachability testing, but I'm certain there are products and tools that offer that feature to actually prioritize SBOM-based alerts based on actual reachability versus just having an as a dependency or not.[midroll 00:20:00]Corey: I feel like, on some level, wanting people to be more cautious about what they're doing is almost shouting into the void because I'm one of the only folks I found that has made the assertion that oh yeah, companies don't actually care about security. Yes, they email you all the time after they failed to protect your security, telling you how much they care about security, but when you look at where they invest, feature velocity always seems to outpace investment in security approaches. And take a look right now at the hype we're seeing across the board when it comes to generative AI. People are excited about the capabilities and security is a distant afterthought around an awful lot of these things. I don't know how you drive a broader awareness of this in a way that sticks, but clearly, we haven't collectively found it yet.Adnan: Yeah, it's definitely a concern. When you see things on—like for example, you can look at Github's roadmap, and there's, like, a feature there that's, oh, automatic AI-based pull request handling. Okay, so does that mean one day, you'll have a GitHub-powered LLM just approve PRs based on whether it determines that it's a good improvement or not? Like, obviously, that's not something that's the case now, but looking forward to maybe five, six years in the future, in the pursuit of that ever-increasing velocity, could you ever have a situation where actual code contributions are reviewed fully by AI and then approved and merged? 
Like yeah, that's scary because now you have a threat actor that could potentially specifically tailor contributions to trick the AI into thinking they're great, but then it could turn around and be a backdoor that's being added to the code.Obviously, that's very far in the future and I'm sure a lot of things will happen before that, but it starts to make you wonder, like, if things are heading that way. Or will people realize that you need to look at security at every step of the way instead of just thinking that these newer AI systems can just handle everything?Corey: Let's pivot a little bit and talk about your day job. You're a lead security engineer at what I believe to be a security-focused consultancy. Or—Adnan: Yeah.Corey: If you're not a SaaS product. Everything seems to become a SaaS product in the fullness of time. What's your day job look like?Adnan: Yeah, so I'm a security engineer on Praetorian's red team. And my day-to-day, I'll kind of switch between application security and red-teaming. And that kind of gives me the opportunity to, kind of, test out newer things out in the field, but then also go and do more traditional application security assessments and code reviews, and reverse engineering to kind of break up the pace of work. Because red-teaming can be very fast and fast-paced and exciting, but sometimes, you know, that can lead to some pretty late nights. But that's just the nature of being on a red team [laugh].Corey: It feels like as soon as I get into the security space and start talking to cloud companies, they get a lot more defensive than when I'm making fun of, you know, bad service naming or APIs that don't make a whole lot of sense. It feels like companies have a certain sensitivity around the security space that applies to almost nothing else. 
Do you find, as a result, that a lot of the times when you're having conversations with companies and they figure out that, oh, you're a red team for a security researcher, oh, suddenly, we're not going to talk to you the way we otherwise might. We thought you were a customer, but nope, you can just go away now.Adnan: [laugh]. I personally haven't had that experience with cloud companies. I don't know if I've really tried to buy a lot. You know, I'm… if I ever buy some infrastructure from cloud companies as an individual, I just kind of sign up and put in my credit card. And, you know, they just, like, oh—you know, they just take my money. So, I don't really think I haven't really, personally run into anything like that yet [laugh].Corey: Yeah, I'm curious to know how that winds up playing out in some of these, I guess, more strategic, larger company environments. I don't get to see that because I'm basically a tiny company that dabbles in security whenever I stumble across something, but it's not my primary function. I just worry on some level one of these days, I'm going to wind up accidentally dropping a zero-day on Twitter or something like that, and suddenly, everyone's going to come after me with the knives. I feel like [laugh] at some point, it's just going to be a matter of time.Adnan: Yeah. I think when it comes to disclosing things and talking about techniques, the key thing here is that a lot of the things that I'm talking about, a lot of the things that I'll be talking about in some blog posts that have coming out, this is stuff that these companies are seeing themselves. Like, they recognize that these are security issues that people are introducing into code. They encourage people to not make these mistakes, but when it's buried in four links deep of documentation and developers are tight on time and aren't digging through their security documentation, they're just looking at what works, getting it to work and moving on, that's where the issue is. 
So, you know, from a perspective of raising awareness, I don't feel bad if I'm talking about something that the company itself agrees is a problem. It's just a lot of the times, their own engineers don't follow their own recommendations.Corey: Yeah, I have opinions on these things and unfortunately, it feels like I tend to learn them in some of the more unfortunate ways of, oh, yeah, I really shouldn't care about this thing, but I only learned what the norm is after I've already done something. This is, I think, the problem inherent to being small and independent the way that I tend to be. We don't have enough people here for there to be a dedicated red team and research environment, for example. Like, I tend to bleed over a little bit into a whole bunch of different things. We'll find out. So far, I've managed to avoid getting it too terribly wrong, but I'm sure it's just a matter of time.So, one area that I think seems to be a way that people try to avoid cloud issues is oh, I read about that in the last in-flight magazine that I had in front of me, and the cloud is super insecure, so we're going to get around all that by running our own infrastructure ourselves, from either a CI/CD perspective or something else. Does that work when it comes to this sort of problem?Adnan: Yeah, glad you asked about that. So, we've also seen open-s—companies that have large open-source presence on GitHub just opt to have self-hosted Github Actions runners, and that opens up a whole different Pandora's box of attacks that an attacker could take advantage of, and it's only there because they're using that kind of runner. So, the default GitHub Actions runner, it's just an agent that runs on a machine, it checks in with GitHub Actions, it pulls down builds, runs them, and then it waits for another build. So, these are—the default state is a non-ephemeral runner with the ability to fork off tasks that can run in the background. 
So, when you have a public repository that has a self-hosted runner attached to it, it could be at the organization level or it could be at the repository level.What an attacker can just do is create a pull request, modify the pull request to run on a self-hosted runner, write whatever they want in the pull request workflow, create a pull request, and now as long as they were a previous contributor, meaning you fixed a typo, you… that could be a such a, you know, a single character typo change could even cause that, or made a small contribution, now they create the pull request. The arbitrary job that they wrote is now picked up by that self-hosted runner. They can fork off it, process it to run in the background, and then that just continues to run, the job finishes, their pull request, they'll just—they close it. Business as usual, but now they've got an implant on the self-hosted runner. And if the runners are non-ephemeral, it's very hard to completely lock that down.And that's something that I've seen, there's quite a bit of that on GitHub where—and you can identify it just by looking at the run logs. And that's kind of comes from people saying, “Oh, let's just self-host our runners,” but they also don't configure that properly. And that opens them up to not only tampering with their repositories, stealing secrets, but now depending on where your runner is, now you potentially could be giving an attacker a foothold in your cloud environment.Corey: Yeah, that seems like it's generally a bad thing. I found that cloud tends to be more secure than running it yourself in almost every case, with the exception that once someone finds a way to break into it, there's suddenly a lot more eggs in a very large, albeit more secure, basket. So, it feels like it's a consistent trade-off. But as time goes on, it feels like it is less and less defensible, I think, to wind up picking out an on-prem strategy from a pure security point of view. I mean, there are reasons to do it. 
I'm just not sure.Adnan: Yeah. And I think that distinction to be made there, in particular with CI/CD runners is there's cloud, meaning you let your—there's, like, full cloud meaning you let your CI/CD provider host your infrastructure as well; there's kind of that hybrid approach you mentioned, where you're using a CI/CD provider, but then you're bringing your own cloud infrastructure that you think you could secure better; or you have your runners sitting in vCenter in your own data center. And all of those could end up being—both having a runner in your cloud and in your data center could be equally vulnerable if you're not segmenting builds properly. And that's the core issue that happens when you have a self-hosted runner is if they're not ephemeral, it's very hard to cut off all attack paths. There's always something an attacker can do to tamper with another build that'll have some kind of security impact. You need to just completely isolate your builds and that's essentially what you see in a lot of these newer guidances like the [unintelligible 00:30:04] framework, that's kind of the core recommendation of it is, like, one build, one clean runner.Corey: Yeah, that seems to be the common wisdom. I've been doing a lot of work with my own self-hosted runners that run inside of Lambda. Definitionally those are, of course, ephemeral. And there's a state machine that winds up handling that and screams bloody murder if there's a problem with it. So far, crossing fingers hoping it works out well.And I have a bounded to a very limited series of role permissions, and of course, its own account of constraint blast radius. But there's still—there are no guarantees in this. The reason I build it the way I do is that, all right, worst case someone can get access to this. The only thing they're going to have the ability to do is, frankly, run up my AWS bill, which is an area I have some small amount of experience with.Adnan: [laugh]. 
Yeah, yeah, that's always kind of the core thing where if you get into someone's cloud, like, well, just sit there and use their compute resources [laugh].Corey: Exactly. I kind of miss when that was the worst failure mode you had for these things.Adnan: [laugh].Corey: I really want to thank you for taking the time to speak with me today. If people want to learn more, where's the best place for them to find you?Adnan: I do have a Twitter account. Well, I guess you can call it Twitter anymore, but, uh—Corey: Watch me. Sure I can.Adnan: [laugh]. Yeah, so I'm on Twitter, and it's @adnanthekhan. So, it's like my first name with ‘the' and then K-H-A-N because, you know, my full name probably got taken up, like, years before I ever made a Twitter account. So, occasionally I tweet about GitHub Actions there.And on Praetorian's website, I've got a couple of blog posts. I have one—the one that really goes in-depth talking about the two Microsoft repository pull request attacks, and a couple other ones that are disclosed, will hopefully drop on the twenty—what is that, Tuesday? That's going to be the… that's the 26th. So, it should be airing on the Praetorian blog then. So, if you—Corey: Excellent. It should be out by the time this is published, so we will, of course, put a link to that in the [show notes 00:32:01]. Thank you so much for taking the time to speak with me today. I appreciate it.Adnan: Likewise. Thank you so much, Corey.Corey: Adnan Khan, lead security engineer at Praetorian. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. 
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment that's probably going to be because your podcast platform of choice is somehow GitHub Actions.Adnan: [laugh].Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
In this episode, you'll learn how to empower your team to do the most challenging thing when it comes to AI: getting started! Rob is joined by Kira Muehlbauer and Ryan Hamilton, two engineers who worked on building a groundbreaking feature at CircleCI called the AI error summarizer. Discover their insights into the process of building AI products, the challenges they faced, and the valuable lessons they learned along the way. Have someone you'd like to hear on the podcast? Reach out to us on Twitter/X at @CircleCI!
Are you a chaos muppet or an order muppet? Knowing the answer to this very important question can help you unlock your B2B marketing potential. Here's why.

There's magic chemistry that happens when a chaos muppet joins forces with an order muppet. (Replace the word “muppet” with “marketer” in this instance.) It's like a marketing power couple. You need the wildly outside-of-the-box thinking of the chaos side tempered with the composed, organized, planning mind of the order side to create truly remarkable content. It's these two energies that work synchronistically to create content worth talking about.

So in this episode, we're looking back at nearly 70 years of Muppet history and one Slate article that made us ponder, “What kind of muppet am I?” And break down all of the wild and wondrous things muppets can teach us about B2B marketing with the help of CircleCI's Director of Content Marketing, Gillian Jakob Kieser. Together, we talk about allowing some of that chaos into your campaigns, developing useful and evergreen content, and how to work through the riskiness of creating something original in this episode of Remarkable.

About CircleCI
CircleCI lets teams build fully-automated pipelines, from testing to deployment, allowing them to focus on the real work of innovation. Using CircleCI, engineers can automate their entire testing suite for new commits, reducing the potential for human error, while using orbs to automate deploys.

About The Muppets and Muppet Chaos Theory
The Muppets is an American television show featuring a cast of puppets performing various skits. The beloved characters include Kermit, Miss Piggy, Rowlf, Fozzie Bear, Gonzo, Beaker, Animal, The Swedish Chef, and more. It was created by Jim Henson in 1955, and has been around for nearly 7 decades. It was originally a short-form TV show called Sam and Friends, and it's now grown into a media franchise with lots of spin-offs including movies, music, and TV appearances. The franchise was owned by The Jim Henson Company until 2004 when Disney bought it. Jim Henson once suggested that the term “muppet” comes from combining the words “puppet” and “marionette.”

Muppet Theory is a theory posed by Slate writer Dahlia Lithwick that everyone in the world is either a chaos muppet or an order muppet. Chaos muppets are crazy, volatile, unpredictable. Like Animal, Cookie Monster, or The Swedish Chef. Order muppets are anxious, neurotic and don't like surprises. Like Kermit the Frog, Scooter, or Sam the Eagle. Order muppets often choose Chaos muppets as lifelong partners, like Bert the order muppet and Ernie the chaos muppet or Kermit as the order muppet and Miss Piggy as the chaos one.

About our guest, Gillian Jakob Kieser
Gillian Jakob Kieser is Director of Content Marketing at CircleCI. She has been with CircleCI for over six years, having started in June 2017 as Content Marketing Manager, and their first content hire as a growing startup. She has also served in marketing roles at companies like Prismatic and MAKE Magazine.

What B2B Companies Can Learn From The Muppets and Muppet Theory:

Incorporate both chaos and order into your marketing. Team up with your chaos or order counterpart to make new content. Or create some content that's very structured and some that's very unstructured. Gillian says that it's these different energies that make successful collaborations in marketing. “They really need to have both the order aspect and the chaos aspect to make something feel alive and authentic. If you over plan it, it's dead in the water. It's dry and predictable. And if it's too much chaos, you never can get it out the door because no one knows what time anything is happening. So you always need to have both order and chaos on a team or in a program.”

Mix the real and the fantastical. This creates playful and captivating visuals, and engages the viewers' willing suspension of disbelief. Gillian says, “There's this aspect of these fantastical creatures in a real world scenario that appeals to adults as well as children. Because children really have a sense for the authentic, and they know that there's something about this world that is real and that they can learn from, that it's not just watered down and catered to them. There's something about that that I think has set them apart and has always been really appealing.”

Trust the intelligence of your audience. The Muppet Show is not just for children. There were signs in the cigarette-smoking, Studebaker-driving scenes that Jim Henson was appealing to more mature viewers as well. Like Jim Henson, give your audience all the information you have for them, and don't oversimplify it. Gillian says, “Jim Henson and his crew never played down to their audience. There was so much intelligence and so many references, and it was very high reaching for something that could have conceivably been, ‘Oh, this is just for kids.’ It feels like Jim Henson was the first one in exploring that space, of elevating this art form to something that had a lot of depth that you wouldn't expect to see coming from puppets.”

Quotes

* “[The Muppets is] a testament to taking risks, just going for it and not knowing. It might not have worked out, but it did in the long run. Some of our efforts at creative projects, branding or anything else like that are sometimes a little bit of a shot in the dark.” - Gillian Jakob Kieser

* “I was thinking, ‘Okay, where is there order and chaos in our current content strategy?’ The blog is very orderly. We've learned a lot about SEO and how to answer people's questions with technical tutorials. And then we've got a podcast with our CTO interviewing folks. That's much more of a chaos aspect because you never know where the conversation's gonna go, but he's standing in and asking the questions that the audience wants to ask. And it's very funny and we're not selling in that show at all. We're creating affinity, trust, informing, educating and being able to share our perspective on how our industry works with others.” - Gillian Jakob Kieser

* “The ad copy is another place where we test wildly. There's been times when we throw in something that's ungrammatical because you know it's gonna catch someone's eye. Or put a question mark at the end of something to get their attention. And then you can make the connection. But that order and chaos marriage shows up everywhere.” - Gillian Jakob Kieser

* “There's a time and a place for things. There's concentric circles of stuff that needs to be really on brand that the legal team needs to look at and everyone has to check off on it. And then stuff that as you get further out has more of a buffer of forgiveness for being off-brand at times.” - Gillian Jakob Kieser

* “If you want to feel like your entire brand is super buttoned up always, and it's only on official channels, you have to know that your marketing is gonna be boring. Because there's no humanity in it. People buy people. If you're trying to get people to commit to you with emotion and you're using the opposite of that, how effective is it really gonna be?” - Ian Faison

Time Stamps
[0:54] Introducing CircleCI Director of Content Marketing, Gillian Jakob Kieser
[1:39] Why are we talking about The Muppets?
[4:03] Learn more about Gillian's role as Director of Content Marketing at CircleCI
[5:33] What are The Muppets?
[8:37] How did Jim Henson create evergreen content in The Muppets?
[10:54] How do you work through the riskiness of making original content?
[15:04] What is Muppet Chaos Theory?
[16:59] How does Muppet Chaos Theory apply to collaborative work and marketing?
[21:00] How does CircleCI use chaos and order in their marketing strategy?
[31:09] How to humanize your content, and the value of human-generated content in the age of AI
[34:24] What's Gillian's content strategy at CircleCI?
[37:30] The difference in making remarkable evergreen content versus sensational content
[39:09] How did Gillian grow her team and advocate for the value of more content creators?
[41:57] How do you choose the channels worth posting content to?

Links
Watch The Muppet Show
Read the Slate article
Connect with Gillian on LinkedIn
Learn more about CircleCI

About Remarkable!
Remarkable! is created by the team at Caspian Studios, the premier B2B Podcast-as-a-Service company. Caspian creates both non-fiction and fiction series for B2B companies. If you want a fiction series check out our new offering, The Business Thriller: Hollywood style storytelling for B2B. Learn more at CaspianStudios.com. In today's episode, you heard from Ian Faison (CEO of Caspian Studios) and Meredith Gooderham (Senior Producer). Remarkable was produced this week by Meredith O'Neil, mixed by Scott Goodrich, and our theme song is “Solomon” by FALAK. Create something remarkable. Rise above the noise.
Summary
Data engineering is all about building workflows, pipelines, systems, and interfaces to provide stable and reliable data. Your data can be stable and wrong, but then it isn't reliable. Confidence in your data is achieved through constant validation and testing. Datafold has invested a lot of time into integrating with the workflow of dbt projects to add early verification that the changes you are making are correct. In this episode Gleb Mezhanskiy shares some valuable advice and insights into how you can build reliable and well-tested data assets with dbt and data-diff.

Announcements
Hello and welcome to the Data Engineering Podcast, the show about modern data management.
RudderStack helps you build a customer data platform on your warehouse or data lake. Instead of trapping data in a black box, they enable you to easily collect customer data from the entire stack and build an identity graph on your warehouse, giving you full visibility and control. Their SDKs make event streaming from any app or website easy, and their extensive library of integrations enable you to automatically send data to hundreds of downstream tools. Sign up free at dataengineeringpodcast.com/rudderstack (https://www.dataengineeringpodcast.com/rudderstack)
Your host is Tobias Macey and today I'm interviewing Gleb Mezhanskiy about how to test your dbt projects with Datafold.

Interview
Introduction
How did you get involved in the area of data management?
Can you describe what Datafold is and what's new since we last spoke? (July 2021 and July 2022 about data-diff)
What are the roadblocks to data testing/validation that you see teams run into most often?
How does the tooling used contribute to/help address those roadblocks?
What are some of the error conditions/failure modes that data-diff can help identify in a dbt project?
What are some examples of tests that need to be implemented by the engineer?
In your experience working with data teams, what typically constitutes the "staging area" for a dbt project? (e.g. separate warehouse, namespaced tables, Snowflake data copies, LakeFS, etc.)
Given a dbt project that is well tested and has data-diff as part of the validation suite, what are the challenges that teams face in managing the feedback cycle of running those tests?
In application development there is the idea of the "testing pyramid", consisting of unit tests, integration tests, system tests, etc. What are the parallels to that in data projects?
What are the limitations of the data ecosystem that make testing a bigger challenge than it might otherwise be?
Beyond test execution, what are the other aspects of data health that need to be included in the development and deployment workflow of dbt projects? (e.g. freshness, time to delivery, etc.)
What are the most interesting, innovative, or unexpected ways that you have seen Datafold and/or data-diff used for testing dbt projects?
What are the most interesting, unexpected, or challenging lessons that you have learned while working on dbt testing internally or with your customers?
When is Datafold/data-diff the wrong choice for dbt projects?
What do you have planned for the future of Datafold?

Contact Info
LinkedIn (https://www.linkedin.com/in/glebmezh/)

Closing Announcements
Thank you for listening! Don't forget to check out our other shows. Podcast.__init__ (https://www.pythonpodcast.com) covers the Python language, its community, and the innovative ways it is being used. The Machine Learning Podcast (https://www.themachinelearningpodcast.com) helps you go from idea to production with machine learning.
Visit the site (https://www.dataengineeringpodcast.com) to subscribe to the show, sign up for the mailing list, and read the show notes.
If you've learned something or tried out a project from the show then tell us about it! Email hosts@dataengineeringpodcast.com (mailto:hosts@dataengineeringpodcast.com) with your story.
To help other people find the show please leave a review on Apple Podcasts (https://podcasts.apple.com/us/podcast/data-engineering-podcast/id1193040557) and tell your friends and co-workers.

Parting Question
From your perspective, what is the biggest gap in the tooling or technology for data management today?

Links
Datafold (https://www.datafold.com/)
Podcast Episode (https://www.dataengineeringpodcast.com/datafold-proactive-data-quality-episode-205/)
data-diff (https://github.com/datafold/data-diff)
Podcast Episode (https://www.dataengineeringpodcast.com/data-diff-open-source-data-integration-validation-episode-303/)
dbt (https://www.getdbt.com/)
Dagster (https://dagster.io/)
dbt-cloud slim CI (https://docs.getdbt.com/blog/intelligent-slim-ci)
GitHub Actions (https://github.com/features/actions)
Jenkins (https://www.jenkins.io/)
CircleCI (https://circleci.com/)
Dolt (https://github.com/dolthub/dolt)
Malloy (https://github.com/malloydata/malloy)
LakeFS (https://lakefs.io/)
Planetscale (https://planetscale.com/)
Snowflake Zero Copy Cloning (https://www.youtube.com/watch?v=uGCpwoQOQzQ)

The intro and outro music is from The Hug (http://freemusicarchive.org/music/The_Freak_Fandango_Orchestra/Love_death_and_a_drunken_monkey/04_-_The_Hug) by The Freak Fandango Orchestra (http://freemusicarchive.org/music/The_Freak_Fandango_Orchestra/) / CC BY-SA (http://creativecommons.org/licenses/by-sa/3.0/)
Special Guest: Gleb Mezhanskiy.
Software Engineering Radio - The Podcast for Professional Software Developers
Dave Cross, owner of Magnum Solutions and author of GitHub Actions Essentials (Clapham Technical Press), speaks with SE Radio host Gavin Henry about GitHub Actions, the value they provide, and the best practices for using them in your projects. Cross describes the vast range of things that developers can do with GitHub Actions, including some use cases you might never have thought about. They start with some general discussion of CI/CD and then consider the three main types of events that drive GitHub Actions before digging into details about fine-grained action events, the Actions Marketplace, contexts, YAML, Docker base images, self-hosted runners, and more. They further explore identity management, permissions, dependency management, saving money, and how to keep your secrets secret.
Today we have an episode of our newest podcast, Tech Titans. It features summary episodes of our best leadership advice from Modern CTO. Robert Zuber, CTO at CircleCI, joins us in this episode to share his greatest leadership advice on how to lead a team to connect value to the customer, and his own journey to the position of leadership he's in now. All of this right here, right now, on the Modern CTO Podcast!
Check out more of Rob and CircleCI at https://circleci.com/
Check out more about Tech Titans on Spotify, Apple, and iHeart!
Produced by ProSeries Media.
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including:
Royal Mail attack was LockBit and GCHQ will probably “bust some heads”
CircleCI's incident report and the problem with malwared endpoints in the Zero Trust age
Cloudflare backs Mastodon
Paul Nakasone: NSA did some great stuff! It was really good!
Cisco won't patch SMB routers sold in 2020
Much, much more
This week's show is brought to you by Material Security. Material co-founder Ryan Noon and Snowflake's head of cybersecurity strategy Omer Singer are this week's sponsor guests.
Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.
Show notes
Royal Mail cyberattack linked to LockBit ransomware operation
Ransomware Diaries: Volume 1 | Analyst1
Congressman calls on CISA to investigate air travel vulnerabilities after outage - The Record from Recorded Future News
Ransomware attack on maritime software impacts 1,000 ships - The Record from Recorded Future News
CircleCI incident report for January 4, 2023 security incident
Researchers: Large language models will revolutionize digital propaganda campaigns
Nick Cave - The Red Hand Files - Issue #218
GitHub - cloudflare/wildebeest: Wildebeest is an ActivityPub and Mastodon-compatible server
Meta sues Voyager Labs over scraping user data
Twitter says leaked data on 200 million users was likely publicly available info - The Record from Recorded Future News
A Police App Exposed Secret Details About Raids and Suspects | WIRED
ODIN Intelligence website is defaced as hackers claim breach | TechCrunch
Nakasone: Foreign surveillance program helped fend off cyberattacks - The Record from Recorded Future News
The Guardian confirms criminals accessed staff data in ransomware attack - The Record from Recorded Future News
Millions of Aflac, Zurich insurance customers in Japan have data leaked after breach - The Record from Recorded Future News
Dark Pink, a newly discovered hacking campaign, threatens Southeast Asian military, government organizations
The FBI Won't Say Whether It Hacked Dark Web ISIS Site
Norton LifeLock says 925,000 accounts targeted by credential-stuffing attacks - The Record from Recorded Future News
Cisco warns of two vulnerabilities affecting end-of-life routers - The Record from Recorded Future News
Fortinet says hackers exploited critical vulnerability to infect VPN customers | Ars Technica
Vulnerability with 9.8 severity in Control Web Panel is under active exploit | Ars Technica
CISA adds recently-announced Microsoft zero-day to exploited vulnerability catalog - The Record from Recorded Future News
Hundreds of SugarCRM servers infected with critical in-the-wild exploit | Ars Technica
On this week's show Patrick Gray and Adam Boileau discuss the news we missed while on break. Because it's the first show of the year, we split the discussion into themes:
Attacks against critical online services like Okta, CircleCI, Slack and LastPass will increase in volume
All the latest global intrigue, from NSO being noped by the US Supreme Court to DDoS attacks in Serbia, Turla's latest campaign, supply chain attacks against Ukraine, why Russia has been more active than we realised and much more
A ransomware wrap, a discussion about the rise of data extortion and why it's unlikely to remain a huge problem
Why automotive security research will actually be interesting this year
PLUS: A bunch of random news!
This week's show is brought to you by Trail of Bits. Dan Guido is this week's sponsor guest and he joins us to talk about something they've developed – a zero knowledge proof of exploit technique. Very interesting stuff!
Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.
Show notes
First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen) | Ars Technica
Devs urged to rotate secrets after CircleCI suffers security breach | The Daily Swig
LastPass: Hackers accessed and copied customers' password vaults - The Record from Recorded Future News
GitHub incident allowed attacker to copy Okta's source code - The Record from Recorded Future News
Supreme Court dismisses spyware company NSO Group's claim of immunity - The Record from Recorded Future News
Serbian government reports ‘massive DDoS attack’ amid heightened tensions in Balkans - The Record from Recorded Future News
Iran's support of Russia draws attention of pro-Ukraine hackers - The Record from Recorded Future News
Pro-Ukraine hackers leak Russian data in hopes someone will make sense of it - The Record from Recorded Future News
CISA researchers: Russia's Fancy Bear infiltrated US satellite network
Exclusive: Russian hackers targeted U.S. nuclear scientists | Reuters
NSA cyber director warns of Russian digital assaults on global energy sector - CyberScoop
Notorious Russian hacking group appears to resurface with fresh cyberattacks on Ukraine
Military operations software in Ukraine was hit by Russian hackers - The Record from Recorded Future News
New supply chain attack targeted Ukrainian government networks - The Record from Recorded Future News
Moldova's government hit by flood of phishing attacks - The Record from Recorded Future News
Kremlin-backed hackers targeted a “large” petroleum refinery in a NATO nation | Ars Technica
Cyber Command conducted offensive operations to protect midterm elections - The Record from Recorded Future News
Guardian newspaper hit by suspected ransomware attack, staff told not to come to office - The Record from Recorded Future News
British company that helps make semiconductors hit by cyber incident - The Record from Recorded Future News
Port of Lisbon website still down as LockBit gang claims cyberattack - The Record from Recorded Future News
SickKids: 80% of hospital priority systems back online after LockBit ransomware attack - The Record from Recorded Future News
Canada's largest children's hospital struggles to recover from pre-Christmas ransomware attack - The Record from Recorded Future News
Canadian copper mine suffers ransomware attack, shuts down mills - The Record from Recorded Future News
Los Angeles housing authority says cyberattack disrupting systems - The Record from Recorded Future News
The Guardian contacts data protection regulator after suspected ransomware incident - The Record from Recorded Future News
Australian fire service operating 85 stations shuts down network after cyberattack - The Record from Recorded Future News
San Francisco BART investigating ransomware attack - The Record from Recorded Future News
Hackers leak sensitive files following attack on San Francisco transit police
New U.S. cyber strategy will require critical infrastructure companies to protect against hacks - The Washington Post
Car hackers discover vulnerabilities that could let them hijack millions of vehicles
Compromised dispatch system helped move taxis to front of the line | Ars Technica
Researcher Deepfakes His Voice, Uses AI to Demand Refund From Wells Fargo
Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots
Cybercriminals' latest grift: powdered milk and sugar by the truckload - The Record from Recorded Future News
This app will self-destruct: How Belarusian hackers created an alternative Telegram for activists - The Record from Recorded Future News
Chinese researchers claim to have broken RSA with a quantum computer. Experts aren't so sure. - The Record from Recorded Future News
Key bitcoin developer calls on FBI to recover $3.6M in digital coin | Ars Technica
Chick-fil-A acknowledges customer account abuse but denies compromise of internal systems - The Record from Recorded Future News
Microsoft ends Windows 7 security updates | TechCrunch
Security vulnerabilities in automobiles. CircleCI customers should "rotate their secrets." CISA Director Easterly notes Russian failures, but warns that shields should stay up. Attempted cyberespionage against US National Laboratories. Turla effectively recycles some commodity malware infrastructure. Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire Space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space-cyber. And the Guardian continues to recover from last month's ransomware attack.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/4
Selected reading.
Hitachi Energy UNEM (CISA)
Hitachi Energy FOXMAN-UN (CISA)
Hitachi Energy Lumada Asset Performance Management (CISA)
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
Toyota, Mercedes, BMW API flaws exposed owners' personal info (BleepingComputer)
16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure (SecurityWeek)
Ferrari, BMW, Rolls Royce, Porsche and more fix vulnerabilities giving car takeover capabilities (The Record by Recorded Future)
CircleCI security alert: Rotate any secrets stored in CircleCI (CircleCI)
CircleCI warns of security breach — rotate your secrets! (BleepingComputer)
CircleCI Urges Customers to Rotate Secrets Following Security Incident (The Hacker News)
CISA director: US needs to be vigilant, ‘keep our shields up’ against Russia (The Hill)
Exclusive-Russian Hackers Targeted U.S. Nuclear Scientists (Reuters via US News)
Notorious Russian Spies Piggybacked on Other Hackers' USB Infections (WIRED)
Turla: A Galaxy of Opportunity | Mandiant (Mandiant)
Fallout from Guardian cyber attack to last at least a month (ComputerWeekly)
State of Ransomware Preparedness (Axio)
