POPULARITY
Join us for a fascinating episode where we explore the development of SaturnCI—a new and user-friendly Continuous Integration tool that arose from frustrations with existing solutions like CircleCI and GitHub Actions. Our guest, Jason Sweat, shares his passion for creating a platform that not only simplifies the user experience but actively incorporates feedback from early adopters. Through candid conversations, Jason recounts his journey as a content creator in the Ruby community, and how it inspired him to address the shortcomings he observed in CI tools.We delve into the technical challenges faced as SaturnCI grows, particularly those relating to user scalability as it onboarded new customers. Jason offers valuable insights into his tech stack choices while drawing attention to the importance of creating streamlined interfaces that cater to developers' needs. The conversation shifts to the foundation of community through his upcoming Sin City Ruby conference, showcasing the efforts made to facilitate connection among participants and ensure each attendee leaves with new friendships and knowledge.Toward the end of our episode, we touch upon Jason's unique approach to outreach through his snail mail newsletter, where he shares insights and stories beyond technology. This creative endeavor highlights how stepping away from screens can cultivate a deeper connection with the audience. With an inviting conversational tone and enriching discussions, this episode is packed with valuable insights for anyone interested in CI tools, community-building, and finding the courage to innovate within your space. Be sure to subscribe and share your thoughts with us!Send us some love.HoneybadgerHoneybadger is an application health monitoring tool built by developers for developers.HoneybadgerHoneybadger is an application health monitoring tool built by developers for developers.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.Support the showReady to start your own podcast?This show is hosted on Buzzsprout and it's awesome, not to mention a Ruby on Rails application. Let Buzzsprout know we sent you and you'll get a $20 Amazon gift card if you sign up for a paid plan, and it helps support our show.
This week, Ben and Andrew dive into the (surprisingly?) complex world of calculator apps, analyze how AI is revolutionizing the technical interview, and dissect the emerging “two-tier” economy around AI. What side of the curve does your org fall on?Then, the conversation goes on site to San Francisco, where host Dan Lines hosts Rob Zuber (CTO, CircleCI) and Tara Hernandez (VP of Dev Productivity at MongoDB) for a discussion of LinearB's 2025 Software Engineering Benchmarks Report.We unpack the report's surprising findings on the PR lifecycle, project management hygiene, DORA metrics, code quality, and predictability, with key takeaways for optimizing your engineering team's performance.Be sure to grab your copy of the report to follow along with Dan, Rob & Tara.Check out:2025 Software Engineering Benchmarks ReportBeyond the DORA FrameworksIntroducing AI-Powered Code Review with gitStreamFollow the hosts:Follow BenFollow AndrewFollow today's guest(s):Rob ZuberTara HernandezReferenced in today's show:"A calculator app? Anyone could make that."‘Two-tier' AI economy is emerging between startups and corporations, with large organizations falling behind, AWS EMEA chief saysAI Killed The Tech Interview. Now What? | Kane Narraway New Junior Developers Can't Actually CodeSupport the show: Subscribe to our Substack Leave us a review Subscribe on YouTube Follow us on Twitter or LinkedIn Offers: Learn about Continuous Merge with gitStream Get your DORA Metrics free forever
In this episode, Rob sits down with Ger McMahon, Head of ALM Tools and Platforms at Fidelity Investments, to explore the unique challenges of delivering software rapidly in a large enterprise. They dive into strategies for fostering innovation and effectively sharing ideas across diverse teams within the organization.Ger highlights the delicate balance between building internal tools and creating customer-facing applications, emphasizing the critical role of keeping the customer at the center of decision-making. He also shares insights into why Fidelity prioritizes being a "technology company that delivers financial services," and how that mindset shapes their approach to software development.Whether you're part of a large organization or navigating the complexities of enterprise software delivery, this episode offers valuable perspectives and actionable ideas.Have a guest suggestion? Connect with us on X at @CircleCI!
In this episode of The Confident Commit, Rob sits down with Christine Yen, CEO of Honeycomb, to delve into the evolving role of observability in modern software development. They discuss how observability goes beyond traditional metrics and monitoring, and allows developers to be better prepared for the unknown and embrace the complexities of distributed systems. Christine shares insights on how observability not only boosts developer confidence but also enhances productivity by reducing toil and enabling teams to focus on delivering value for customers.The conversation shifts to the value of Service Level Objectives (SLOs) and why discussions around them often focus heavily on measurement tools and technical implementations. Christine offers valuable advice on steering these conversations towards healthier, more customer-centric perspectives. By reframing the conversation, developers and teams can focus on delivering real value, aligning technical goals with customer needs and driving meaningful outcomes.Have a guest you'd like to hear on the podcast? Reach out to us on X at @CircleCI!
In this episode, Rob is joined by Laura Tacho, CTO at DX, to explore the continuous rising focus on developer experience and its impact on both engineers and businesses. They discuss how investing in developer experince is not just about making life easier for developers; it's also a smart business move that cuts down on waste and boosts efficiency. Laura emphasizes the importance of trusting developers to identify their own challenges, as they're the ones navigating the daily complexities of their work.The conversation also touches on how recent global changes have influenced engineering leadership and made dev experience a higher priority. Laura shares her thoughts on the value of combining survey data with peer metrics to enhance developer experience.If there's anyone you'd like to hear on the show, please reach out to us on X at @CircleCI !
CircleCI's CEO, Jim Rose, and CTO, Rob Zuber, sit down to discuss a few of the lessons learned as they grew CircleCI to $100M+ in revenue. In this video, they share insights about how to build a winning team, the key to finding and keeping product-market fit, and what it takes to future-proof your business against new technology like Generative AI. While the risk for startups is high, there are many ways SaaS platforms can stay ahead of the competition to come out on top. --- Support this podcast: https://podcasters.spotify.com/pod/show/getu-chandler/support
Pisanie dobrej dokumentacji dla deweloperów oprócz wysoko rozwiniętego warsztatu językowego wymaga również umiejętności technicznych, takich jak kodowanie. Czy teoretyczna znajomość pewnych zagadnień jest wystarczająca czy trzeba również posiadać doświadczenie praktyczne? Rozmawiamy o tym jak bardzo zaawansowane umiejętności techniczne powinien posiadać technoskryba w świecie rozwoju oprogramowania i czego powinien się nauczyć, żeby brylować na deweloperskich salonach i tworzyć dokumentację o wysokiej jakości i wiarygodności. Dźwięki wykorzystane w audycji pochodzą z kolekcji "107 Free Retro Game Sounds" dostępnej na stronie https://dominik-braun.net, udostępnianej na podstawie licencji Creative Commons license CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/). Informacje dodatkowe: React.js: https://react.dev/ "Git (oprogramowanie)", Wikipedia: https://pl.wikipedia.org/wiki/Git_(oprogramowanie) "Git Amend", W3Schools: https://www.w3schools.com/git/git_amend.asp?remote=github GitHub: https://github.com/ "JavaScript", Wikipedia: https://pl.wikipedia.org/wiki/JavaScript "Java", Wikipedia: https://pl.wikipedia.org/wiki/Java Docker: https://www.docker.com/ Docker Compose overview: https://docs.docker.com/compose/ "Docker image vs container: What are the differences?", CircleCI: https://circleci.com/blog/docker-image-vs-container/ "Why is Python a dynamic language and also a strongly typed language": https://wiki.python.org/moin/Why%20is%20Python%20a%20dynamic%20language%20and%20also%20a%20strongly%20typed%20language Kubernetes: https://kubernetes.io/ "How to Launch an HTTP Server in One Line of Python Code", Real Python: https://realpython.com/python-http-server/ Npm serve: https://www.npmjs.com/package/serve REST Client, VS Code: https://marketplace.visualstudio.com/items?itemName=humao.rest-client HTTP Client, IntelliJ IDEA: https://www.jetbrains.com/help/idea/http-client-in-product-code-editor.html curl: https://curl.se/ Postman: https://www.postman.com/ "bash", Wikipedia: https://pl.wikipedia.org/wiki/Bash
In this episode of The Confident Commit, Rob is joined by Birgitta Böckeler, Global Lead for AI-assisted software delivery at Thoughtworks, to dive deep into the dynamic world of GenAI and its impact on software development. They explore the shifting landscape of GenAI usage and adoption over the last 18 months, tackling critical questions like how to leverage fast-moving advancements without building solutions that become obsolete in weeks.Birgitta shares her insights on when it might be better to build something yourself to avoid the instability of rapid technological change. They also discuss what aspects of AI she currently considers stable and which are still in flux. Birgitta issues a crucial warning: don't overestimate AI by using it as a band-aid to cover up deeper issues in your software pipeline.Whether you're a seasoned developer or just curious about the future of software delivery, this episode offers valuable perspectives on navigating the complexities of AI in today's fast-paced tech environment.Have someone in mind you'd like to hear on the show? Reach out to us on X at @CircleCI!
Discerning and Defining a product manager Role is S.10 E.2 n.142 of the FSG Messaging and Optics Podcast, Wait What Really OK hosted by Messaging and Optics Strategist Loren Weisman. Derrick is the guest on this episode of Wait What Really OK. Together Loren and Derrick dig in to the ins, outs, ups and downs of Product Managers. In this episode, Derrick helps with the discerning and defining when it comes to an effective product manager as well as some red flags to watch out for and many of the attributes to look for. This podcast is raw, real and true. Done in one take, a little EQ and up… Proud of the flubs, the ums and the uhs. This was unscripted and in the moment. Derrick did not have the questions in advance. Derrick Boudwin is a Qualified Director of Product Engineering with over 15 years experience leading international cross-functional teams, using people-centric strategies to develop software resulting in successful, patented, and disruptive products. Derrick is also versed in the Programming Languages of Python, Bash, Visual Basic, Powershell, SQL, Ruby, Java as well as being familiar with Tools and Technologies that include AWS, GCP, Azure, Tensorflow, Docker, Ansible, Terraform, Jenkins, CircleCI, Git, OpenCV, Pivotal, Jira, and ConfluenceTo talk to Derrick about any or all things Product Manager related or to get some help in your product manager search or assistance in interviewing or reviewing your candidates, email: Derrick@DerrickBoudwin.com *Loren Weisman is a Messaging and Optics Strategist. starting as a session/ghost drummer and then music producer, loren has 700 album credits across major and indie labels as drummer and producer. He then shifted to TV production with credits for ABC, NBC, FOX, CBS, TLC and more including reality shows, infomercials, movies and documentaries. Loren wrote three internationally published and distributed books, including Wiley and Sons, “Music Business for Dummies”, as well as GreenLeaf's “The Artists Guide to Success in the Music Business.” https:/lorenweisman.com/ * © 2024 Loren Weisman / Fish Stewarding Group All Rights Reserved ® ℗ *
In this episode of The Confident Commit, Rob is joined by Heidi Helfand, author of Dynamic Reteaming. Together, they explore the components of exceptional teams and strategies for building them to deliver better software faster.They delve into the definition of performance and the importance of aligning on what "high-performing" means for individual roles and the team as a whole. They also discuss the distinction between high-performing teams and high-performing individuals.The conversation covers how to structure great teams and the benefits of involving team members in the reteaming decision process.Heidi shares insights on why splitting up high-performing teams to create more high-performing teams often fails, and suggests alternative approaches for achieving better results.Have a guest in mind for the podcast? Reach out to us on X at @CircleCI!
In this episode, Rob sits down with Ken Rose, CTO of OpsLevel, to delve into the evolving landscape of platform teams and the pressing challenges they face. Together, they explore OpsLevel's mission to tackle the mounting complexities encountered by modern organizations.Ken sheds light on the pressing issue of accomplishing "more with less" amidst the backdrop of economic uncertainty. With organizations operating on leaner software teams, yet still expected to deliver value to customers, the discussion delves into strategies for simplifying operations and maximizing efficiency. From grappling with the complexities of growth through acquisitions to leveraging investments for streamlined processes, the conversation offers insights for leaders navigating these turbulent waters.The dialogue underscores the pivotal role of leadership in easing the burden of complexity for team members. How can leaders effectively support their teams in navigating these challenges and fostering a culture of efficiency and innovation?Eager to hear from a specific guest on the podcast? Reach out to us on X at @CircleCI!
Today Rich Steinmetz returns for a discussion that touches on switching between languages, both spoken and programming, structuring tests, getting the most out of reading a book, buying an existing business, struggles with CircleCI and GitHub Actions, my project SaturnCI, and the need for better APIs.The Beginning of Infinity by David DeutschThe SaaS Playbook by Rob WallingStart Small, Stay Small by Rob WallingAcquire.comFlippa.comRich Steinmetz on TwitterRich Stone.io
Emmanuel, Guillaume et Arnaud discutent des nouvelles de l'été. JEPs, transactional outbox pattern avec Spring, LLM dans Chrome, faille polyfill.io, TOTP, congés illimités et IDE payant ou pas payant ? Enregistré le 12 juillet 2024 Téléchargement de l'épisode LesCastCodeurs-Episode-314.mp3 News Langages Les fonctionnalités de JDK 23 ont été figées début Juin (release prévue en septembre) https://openjdk.org/projects/jdk/23/ https://www.youtube.com/watch?v=kzjGp7LmW0I JEPs finales: 467: Markdown Documentation Comments 471: Deprecate the Memory-Access Methods in sun.misc.Unsafe for Removal 474: ZGC: Generational Mode by Default JEPs en incubation / preview 455: Primitive Types in Patterns, instanceof, and switch (Preview) 466: Class-File API (Second Preview) 469: Vector API (Eighth Incubator) 473: Stream Gatherers (Second Preview) 476: Module Import Declarations (Preview) 477: Implicitly Declared Classes and Instance Main Methods (Third Preview) 480: Structured Concurrency (Third Preview) 481: Scoped Values (Third Preview) 482: Flexible Constructor Bodies (Second Preview) Librairies Le transactional outbox pattern avec Spring Boot https://www.wimdeblauwe.com/blog/2024/06/25/transactional-outbox-pattern-with-spring-boot/ transactional outbox permet d'éviter des 2PC ou des désynchronisations de resources: typiquement un commit dans une base et un envoie de message dans un bus on ecrit le message dans une table de la base de données, et un process séparé récupère les messages et les envoient dans le bus implémentation utilise Spring Integration dans l'article, la seconde resource est l'envoie d'email montre une approche de tests le flow descrit pas psring integration est pas super trivial a lire quand on est pas familier mais cela poll la table toutes les secondes et envoie email et si succes de l'appel de service, vide le message de la table Deuxieme exemple avec Spring modulith qui a un event bus interne qui peut être persisté décrit les differences avec spring integration et les limites de l'approche modulith (message order, retry etc) Comment tester des valeurs de propriétés différentes dans un test Quarkus https://quarkus.io/blog/overriding-configuration-from-test-code/ on a tendance a ne pas tester les propriétés de config ce blog montre 5 (enfin 4 utiles) façons de le faire avec Quarkus. les profils de test, mocker l'objet de config, les test components (experimental), l'injection dans les constructeurs Quarkus 3.12 https://quarkus.io/blog/quarkus-3-12-0-released/ centralisation des configs TLS support pour le load shedding (reject requests on service overload) événements JFR specific a Quarkus native image agent support Spring Boot 3 (compat layer) Support Kotlin 2 etc Cloud On vous parlait dans un épisode précédent de ce problème de coûts S3 sur des requêtes non autorisées. C'est Graphana Loki qui a mis ce problème sous les projecteurs https://grafana.com/blog/2024/06/27/grafana-security-update-grafana-loki-and-unintended-data-write-attempts-to-amazon-s3-buckets/ le problème venait des valeurs par défaut des buckets déclarés dans le chart helm de Loki, en particulier celui nommé ‘chunks' Data et Intelligence Artificielle Guillaume avait partagé l'information sur la disponibilité prochaine d'un mini modele LLM dans chrome. C'est maintenant une réalité et vous pouvez le tester. https://ai-sdk-chrome-ai.vercel.app/ Nécessite Chrome 127 (version stable à partir de mi-juillet) Utilise le SDK Vercel AI Guillaume nous parle de toutes les nouveautés liées au modèle Gemini de Google dans la dernière release de LangChain4j https://glaforge.dev/posts/2024/07/05/latest-gemini-features-support-in-langchain4j/ Outillage 1% des utilisateurs de Maven Central utilisent 83% de sa bande passante. Installez un repository manager qui fait proxy (et cela pour tous les types de dépendances)!!! https://www.sonatype.com/blog/maven-central-and-the-tragedy-of-the-commons rien n'est réellement gratuit et l'abus d'une minorité peut nuire à l'ensemble. Cela fait maintenant plus de 20 ans que les communautés le répète: installer un gestionnaire de dépendances dans votre infrastructure (nexus, artifactory, CodeArtifact, …). En plus de protéger le bien commun cela vous permet de raffiner le filtrage des dépendances, d'assurer la reproductibilité de vos builds, d'optimiser les performances (et réduire les coûts) en ne téléchargeant que depuis votre propre infrastructure, etc … Maven Central est un commun qui ne coute rien à l'utilisteur mais qui est indispensable à tous 1000 milliards de téléchargements l'année dernière 83% de la bande passante consommé par 1% des IPs Beaucoup des ces IP viennent des companies les plus larges proxy pour réduire charge sur central, réduire couts ingress/egress ils vont implementer un mécanisme de throttling question est-ce que la concentration des IPs veut juste dire que c'est le dernier noeud mais que cacher n'est pas effectif pour eux et qu'il y a des milliers de clients derrière une IP? le trotting ferait mal et le proxy ne marche plus dans un monde ou le dev est dans le cloud et distribue géographiquement Comment mettre en place backstage, ici avec un projet Spring Boot utilisant CircleCi, Renovate, SonarCloud… https://piotrminkowski.com/2024/06/13/getting-started-with-backstage/ Cet article explique comment utiliser backstage pour fournir à vos équipes un template d'une application spring-boot. Elle est automatiquement crée sous forme d'un repository git(hub) avec les integrations classiques pour gérer la CI (via CircleCI), la qualité (via SonarCloud), la mise à jour de dépendances (via Renovate) et bien sur son référencement sur le portail backstage. tutoriel tres complet tres facilement remplacable pour un project avec votre technologie preferee (pas specifique a Spring Boot, ou Java) Architecture Que se passe t'il quand vous faites un push sur GitHub? https://github.blog/2024-06-11-how-we-improved-push-processing-on-github/ GitHub explique comment ils ont amélioré leur architecture, notamment en mettant en place Kafka pour distribuer les actions qui découlent d'un push sur GitHub. paralelisation des taches (avant sequentiel) limitation des dependances entre etapes effectuées lors d'un push plus de taches peuvent faire un retry un classique de decoupling via un EDA Sécurité Attaque du CDN polyfill.io https://sansec.io/research/polyfill-supply-chain-attack polyfill c'est un support de nouvelles fonctionalites dans les ancien navigateurs servi par cdn notamment une societe chinoise a achete le domaine et le github et injecte du malware qui pointe sur des serveurs qui servent le malware selectivement (device, admin ou pas, heure de la journée) Fastly et Cloudflare on des deploiements alternatiuve Une faille de sécurité, de type Remote Code Execution, vieille de 10ans, dans CocoaPods, un gestionnaire de dépendances très utilisé dans le monde Apple (macOS et iOS) https://securityboulevard.com/2024/07/cocoapods-apple-vulns-richixbw/ https://cocoapods.org/ / https://cocoapods.org/ est un gestionnaire de dépendances pour les projets Xcode. Les dependances (Pods) sont publiées sous forme de Specs qui sont référencées dans un Specs Repo (une sorte de Maven central mais seulement avec des metadonnées) CVE-2024-38366 est une vulnérabilité de type remote code execution avec un score CVSS de 10 La faille existait depuis 10 ans et a été corrigée en Sept 2023. Elle permettait d'avoir un accès root sur trunk.cocoapods.org qui stock les Specs. Elles auraient donc pu être modifiées sans que les auteurs ne s'en apperçoivent. Pas de preuve pour l'instant que la faille ait été exploitée Mieux comprendre la double authentification avec TOTP https://hendrik-erz.de/post/understanding-totp-two-factor-authentication-eli5 Cet article revient sur le fonctionnement de TOTP et comment l'implementer avec des exemples en python the QR code est une URL qui contient: le secret en base 32. le nom du totp, qui a fournit le TOTP, combien de chiffres et la durée de vie du TOTP pour generer les chiffres, prends le secret, le temps et hash le tout, prendre 4 bytes et les convertir le chiffres typiquement le serveur genere les deux d'avant, les deux d'apres et le courant pour comparer Loi, société et organisation L'équipe Apache Maven gagne le troisième prix BlueHats https://nlnet.nl/bluehatsprize/2024/3.html le projet remporte un gain de 10000€. Ce prix est organisé par le gouvernement français afin de récompenser les projets open sources les plus impactants. La clause de congés illimités en Europe https://www.osborneclarke.com/insights/why-your-unlimited-vacation-policy-may-be-of-limited-use-in-europe Les politiques de congés illimités, populaires aux États-Unis, ne sont pas aussi avantageuses en Europe. En Europe, les employeurs doivent suivre les congés pris pour respecter les minima légaux de quatre semaines par an donc ils ne peuvent pas economiser sur le faire de ne plus les gérer. Les congés illimités permettent aux US de ne plus à devoir les payer au départ de l'employé. En Europe les employeurs doivent payer les congés non utilisés lors de la fin du contrat. Les employés européens pourraient prendre davantage de congés, car ils sont mieux protégés contre le licenciement. Les jours de maladie sont plus cadrés en europe. Un employé qui souffre d'une maladie longue pourrait utiliser les congés illimités mais ce ne sont pas les même règles qui s'appliquent OpenDNS n'est plus disponible en France et au Portugal https://support.opendns.com/hc/en-us/articles/27951404269204-OpenDNS-Service-Not-Available-To-Users-In-France-and-Portugal A priori Cisco qui opère openDNS en a marre des demandes de restrictions spécifiques à nos pays et préfère donc retirer entièrement l'accès au service plutôt que de se conformer à la nième demande de restrictions qui faisait suite à la plainte du groupe Canal+ portant sur l'accès à des sites illicites de streaming pour du sport Ask Me Anything Salut ! Êtes-vous plutôt IDE payants (ex : IJ Ultimate, ou des plugins payants), ou ne jurez-vous que par des outils gratuits ? Un peu des deux ? Si adaptes du payant, ça ne vous déprime pas qu'un nombre considérable d'employeurs rechignent à nous payer nos outils ? Que “de toute façon VSCode c'est gratuit” (à prononcer avec une voix méprisante) ? Quid du confort, ou de la productivité et/ou qualité accrue quand on maîtrise de tels outils ? Merci ! Conférences La liste des conférences provenant de Developers Conferences Agenda/List par Aurélie Vache et contributeurs : 6 septembre 2024 : JUG Summer Camp - La Rochelle (France) 6-7 septembre 2024 : Agile Pays Basque - Bidart (France) 17 septembre 2024 : We Love Speed - Nantes (France) 17-18 septembre 2024 : Agile en Seine 2024 - Issy-les-Moulineaux (France) 19-20 septembre 2024 : API Platform Conference - Lille (France) & Online 25-26 septembre 2024 : PyData Paris - Paris (France) 26 septembre 2024 : Agile Tour Sophia-Antipolis 2024 - Biot (France) 2-4 octobre 2024 : Devoxx Morocco - Marrakech (Morocco) 7-11 octobre 2024 : Devoxx Belgium - Antwerp (Belgium) 8 octobre 2024 : Red Hat Summit: Connect 2024 - Paris (France) 10 octobre 2024 : Cloud Nord - Lille (France) 10-11 octobre 2024 : Volcamp - Clermont-Ferrand (France) 10-11 octobre 2024 : Forum PHP - Marne-la-Vallée (France) 11-12 octobre 2024 : SecSea2k24 - La Ciotat (France) 16 octobre 2024 : DotPy - Paris (France) 16-17 octobre 2024 : NoCode Summit 2024 - Paris (France) 17-18 octobre 2024 : DevFest Nantes - Nantes (France) 17-18 octobre 2024 : DotAI - Paris (France) 30-31 octobre 2024 : Agile Tour Nantais 2024 - Nantes (France) 30-31 octobre 2024 : Agile Tour Bordeaux 2024 - Bordeaux (France) 31 octobre 2024-3 novembre 2024 : PyCon.FR - Strasbourg (France) 6 novembre 2024 : Master Dev De France - Paris (France) 7 novembre 2024 : DevFest Toulouse - Toulouse (France) 8 novembre 2024 : BDX I/O - Bordeaux (France) 13-14 novembre 2024 : Agile Tour Rennes 2024 - Rennes (France) 20-22 novembre 2024 : Agile Grenoble 2024 - Grenoble (France) 21 novembre 2024 : DevFest Strasbourg - Strasbourg (France) 21 novembre 2024 : Codeurs en Seine - Rouen (France) 27-28 novembre 2024 : Cloud Expo Europe - Paris (France) 28 novembre 2024 : Who Run The Tech ? - Rennes (France) 3-5 décembre 2024 : APIdays Paris - Paris (France) 4-5 décembre 2024 : DevOpsRex - Paris (France) 4-5 décembre 2024 : Open Source Experience - Paris (France) 6 décembre 2024 : DevFest Dijon - Dijon (France) 22-25 janvier 2025 : SnowCamp 2025 - Grenoble (France) 16-18 avril 2025 : Devoxx France - Paris (France) Nous contacter Pour réagir à cet épisode, venez discuter sur le groupe Google https://groups.google.com/group/lescastcodeurs Contactez-nous via twitter https://twitter.com/lescastcodeurs Faire un crowdcast ou une crowdquestion Soutenez Les Cast Codeurs sur Patreon https://www.patreon.com/LesCastCodeurs Tous les épisodes et toutes les infos sur https://lescastcodeurs.com/
Developer relations have gone through quite an evolution over the years. In this reissued episode, Corey talks with Jeremy Meiss, former Director of DevRel and Community at CircleCI, about how DevRel has transitioned from a focus on conference appearances to a more strategic alignment with business objectives. Corey and Jeremy also discuss navigating career complexities during economic downturns, emphasizing the importance of maintaining relevance. They also touch on fostering open communication within organizations and the enduring value of personal interactions in professional communities.Show Highlights:(1:39) How CircleCI is using DevRel to helping clients go from developer's laptops to production safely and sanely(6:23) What DevRel means to Jeremy and why it's a problem that most people can't define it(12:40) Why saying DevRel is part of product ignores much of what makes both roles unique(15:36) Combating burnout from being able to perform you're role but not feeling connected to what the company actually does(21:30) How Jeremy sees DevRel evolvingAbout Jeremy:Jeremy is the former Director of DevRel & Community at CircleCI, formerly at Solace, Auth0, and XDA. He is active in the DevRel Community, and is a co-creator of DevOpsPartyGames.com. A lover of all things coffee, community, open source, and tech, he is also house-broken, and (generally) plays well with others.Links Referenced:LinkedIn: https://www.linkedin.com/in/jeremymeiss/ Twitter: IAmJerdog - Jeremy's @DevOpsAms https://twitter.com/iamjerdog?lang=enSponsor:Panoptica: https://www.panoptica.app/
In today's episode, we discuss the recent Gitloker attacks affecting GitHub repositories, extorting users by wiping repos and demanding communication via Telegram. We also cover DuckDuckGo's new AI Chat service offering anonymous access to chatbots like OpenAI's GPT-3.5 Turbo and Meta's Llama 3, and how the Muhstik botnet is exploiting a critical Apache RocketMQ flaw to enhance its DDoS capabilities. Check out the full stories here: https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/, https://arstechnica.com/information-technology/2024/06/duckduckgo-offers-anonymous-access-to-ai-chatbots-through-new-service/, and https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html.Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/ Tags: GitHub, extortions, Telegram, CronUp, cybersecurity, version control, hacking, ransomware, threat detection, security research, Germán Fernández, DuckDuckGo, AI Chat, privacy, OpenAI, Anthropic, Meta, Mistral, anonymous chat, Muhstik, botnet, Apache RocketMQ, CVE-2023-33246, vulnerability, DDoS, cryptocurrency mining, server security Search Phrases: Protect GitHub repositories from extortion attacks Telegram used in GitHub ransomware extortion CronUp reveals new GitHub security threat DuckDuckGo AI Chat service privacy concerns Muhstik botnet attacking Apache RocketMQ servers CVE-2023-33246 vulnerability in Apache RocketMQ Preventing cryptocurrency mining botnet attacks Cybersecurity for version control systems Anonymous AI chat services with privacy Protecting servers from DDoS and botnet attacks New Gitloker attacks wipe GitHub repos in extortion scheme https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/ ---`- GitHub Repositories Under Attack: Attackers are targeting and wiping GitHub repositories, then demanding victims contact them via Telegram. (Source: Sergiu Gatlan, June 6, 2024) Campaign Origin: Germán Fernández, a security researcher at CronUp, first spotted the ongoing campaign. Attackers use stolen credentials to compromise GitHub accounts and pose as cyber incident analysts. Modus Operandi: Attackers claim to steal data and create a backup. They rename repositories and add a README file instructing victims to reach out on Telegram for data recovery. GitHub Response: GitHub advises users to change passwords and enable two-factor authentication to secure their accounts. They recommend additional measures like passkeys for secure, passwordless logins, and reviewing account security logs for suspicious activity. Preventative Measures: Enable two-factor authentication. Add a passkey for secure, passwordless login. Review and revoke unauthorized access to SSH keys, deploy keys, and authorized integrations. Verify all email addresses associated with your account. Regularly review recent commits and collaborators for each repository. Manage webhooks on your repositories. Check for and revoke any new deploy keys. History of Attacks: This isn't the first time GitHub accounts have been compromised. In March 2020, hackers stole over 500GB of files from Microsoft's private repositories. In September 2020, a phishing campaign targeted GitHub users with fake CircleCI notifications to steal credentials and 2FA codes. Engagement Opportunity: Are you using all the recommended security measures for your GitHub account? Check your settings today and share your experience with us! Call to Action: Stay vigilant and regularly update your security practices. If you experience any suspicious activity, report it immediately to GitHub support. DuckDuckGo offers “anonymous” access to AI chatbots through new service https://arstechnica.com/information-technology/2024/06/duckduckgo-offers-anonymous-access-to-ai-chatbots-through-new-service/ ---`Sure thing! Here's your flash briefing in bullet points: DuckDuckGo Launches AI Chat Service: DuckDuckGo introduces a new "AI Chat" service, allowing users to converse with mid-range large language models (LLMs) from OpenAI, Anthropic, Meta, and Mistral. This service aims to preserve user privacy and anonymity while offering AI chatbot interactions. Privacy Measures in Place: DuckDuckGo ensures chats are anonymized by removing metadata and IP addresses. The company has agreements with model providers to delete any saved chats within 30 days and not use them for AI model training. Access and Usage: Users can access the AI Chat service for free within daily limits through the DuckDuckGo search engine, direct site links, or using "!ai" and "!chat" shortcuts. The AI Chat feature can be disabled in settings for users with accounts. Models Available: The service features OpenAI's GPT-3.5 Turbo, Anthropic's Claude 3 Haiku, Meta's Llama 3, and Mistral's Mixtral 8x7B. While these models are capable, they are known to produce inaccurate information, known as "confabulations." Utility and Limitations: Despite privacy protections, the utility of the service is questionable due to the tendency of available models to produce errors. More advanced models like GPT-4 are not included, potentially limiting the service's usefulness. Future Plans: DuckDuckGo hints at future paid plans that may include higher usage limits and access to more advanced AI models. Caution Advised: Users should verify the information produced by these AI chatbots, as they can generate text with limited and sometimes outdated information. DuckDuckGo advises against relying on AI Chat outputs for professional advice without additional verification. Muhstik Malware Targets Message Queuing Services Applications https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html ---`Flash Briefing: Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks Muhstik Botnet Overview: Muhstik targets IoT devices and Linux-based servers. Known for DDoS attacks and cryptocurrency mining. [Source: Aqua Security] Apache RocketMQ Vulnerability: CVE-2023-33246, a critical flaw with a CVSS score of 9.8. Allows remote code execution via RocketMQ protocol content or update configuration function. [Source: Aqua Security] Exploitation Process: Attackers gain initial access by exploiting the vulnerability. They execute a shell script from a remote IP, retrieving the Muhstik binary ("pty3"). [Source: Nitzan Yaakov, Security Researcher] Persistence Mechanisms: Malware binary copied to multiple directories. /etc/inittab file edited to restart processes during Linux server boot. Binary named "pty3" to masquerade as pseudoterminal and evade detection. Malware executed from memory (directories like /dev/shm, /var/tmp) to avoid leaving traces. [Source: Nitzan Yaakov] Capabilities and Objectives: Collects system metadata. Moves laterally over SSH. Establishes C2 communication via IRC for further instructions. Conducts flooding attacks to create denial-of-service conditions. Cryptomining detected as a secondary objective. [Sources: Aqua Security, Nitzan Yaakov] Current Exposure and Mitigation: 5,216 instances of Apache RocketMQ still vulnerable. Organizations should update to the latest version to mitigate threats. [Source: Aqua Security] Broader Security Advice: AhnLab Security Intelligence Center (ASEC) highlights poorly secured MS-SQL servers also targeted. Use strong, periodically changed passwords. Apply latest patches to prevent brute-force and vulnerability attacks. [Source: ASEC]
In this episode of Maintainable, Robby chats with Stig Brautaset, Staff Software Engineer at CircleCI. Stig shares his insights on maintaining well-documented but complex legacy code, the impact of team dynamics on software maintenance, and his experiences with the SBJSON library.Stig discusses the characteristics of well-maintained software, emphasizing the importance of team experience, domain knowledge, and risk appetite. He reflects on his own career journey, highlighting the transition from overconfidence to a balanced approach to risk-taking.A significant portion of the conversation delves into Stig's concept of "Alien Artifacts," which describes highly resistant legacy code written by highly skilled engineers. He explains the challenges of modifying such code and shares examples from his own experiences.Stig also talks about his work on the SBJSON library, addressing the complexities of handling multiple versions and dependency conflicts. He advocates for developers maintaining the software they ship and discusses the balance between shipping features quickly and maintaining long-term code quality.Key TakeawaysThe influence of team dynamics on software maintenanceUnderstanding the concept of "Alien Artifacts" in legacy codeStrategies for handling multiple versions of a software libraryThe importance of developers being on call for the software they shipManaging different types of technical debtBook Recommendation:The Scout Mindset by Julia GalefStig Brautaset on LinkedInAlien Artifacts Blog PostSBJSON Library CircleCIThe Confident Commit PodcastHelpful Links:Stig Brautaset on LinkedInAlien Artifacts Blog PostSBJSON Library CircleCIThe Confident Commit PodcastWant to share your thoughts on this episode? Reach out to Robby at robby@maintainable.fm.Thanks to Our Sponsor!Turn hours of debugging into just minutes! AppSignal is a performance monitoring and error tracking tool designed for Ruby, Elixir, Python, Node.js, Javascript, and soon, other frameworks. It offers six powerful features with one simple interface, providing developers with real-time insights into the performance and health of web applications. Keep your coding cool and error-free, one line at a time! Check them out! Subscribe to Maintainable on:Apple PodcastsSpotifyOr search "Maintainable" wherever you stream your podcasts.Keep up to date with the Maintainable Podcast by joining the newsletter.
We often talk about promotions and growth, but the moment the conversation shifts towards paths to staff or executive positions, the advice goes blank. There is very little actionable information out there that can tell you how you can get to the highest echelons of leadership. To get a clearer picture on this topic, I sat down with Lena Reinhard, a seasoned executive with an extensive track record at CircleCI, Travis CI, and more. Lena shares her insights on the best ways to accelerate career growth in the tech space, answer thorny questions, such as “Why are executives hired from the outside?” and provide some candid takes on why taking things slow sometimes can pay off in the end.
From malware developers targeting child exploiters with ransomware, to major cloud services exposing credentials, learn how digital vigilantes and technological oversights shape online security. Featuring insights on the United Nations' latest ransomware dilemma, uncover the intricate web of cybersecurity challenges faced globally. URLs for Reference: Malware Dev lures child exploiters into honeytrap to extort them AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs United Nations agency investigates ransomware attack, data theft Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/ Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/ Tags: cybersecurity, ransomware, malware, cloud security, digital threats, cyber vigilantes, tech giants, United Nations, cyber attack, data theft, CryptVPN, AWS, Google Cloud, Azure, CLI tools, BleepingComputer, The Hacker News Search Phrases: Cyber vigilante justice malware extortion Cloud CLI tools security vulnerabilities United Nations cyberattack investigation CryptVPN ransomware against child exploiters AWS, Google, and Azure CLI tools leaking credentials Impact of ransomware on global organizations Cybersecurity threats in cloud computing Cybersecurity tactics against illegal online activities Data breach at United Nations agency New trends in cyber threats and digital security Transcript: Apr22 Malware developers are now targeting individuals seeking child exploitation material, employing cryptVPN ransomware to extort them by locking their systems and demanding payment, as revealed by Bleeping Computer. What methods are these developers using, and why do I want them to succeed? Leaky CLI, a vulnerability discovered by Orca in AWS, Google, and Azure CLI tools, is exposing sensitive credentials in build logs, putting countless organizations at risk of cyber attacks. What measures can organizations take to prevent sensitive credentials from being exposed by build logs? Finally, hackers have infiltrated the United Nations Development Program's IT systems, stealing sensitive human resources data from its global network dedicated to fighting poverty and inequality. You're listening to the Daily Decrypt. Malware developers are now turning their tactics against individuals seeking child exploitation material, specifically targeting them with ransomware designed to extort money by feigning legal action. This new strain of malware, dubbed CryptVPN, was recently analyzed by Bleeping Computer after a sample was shared with the cybersecurity researcher MalwareHunterTeam. CryptVPN tricks users into downloading a seemingly harmless software, which then locks the user's desktop and changes their wallpaper to a menacing ransom note. The ploy begins with a decoy website that impersonates. Usenet Club, a purported subscription service offering uncensored access to downloadable content from Usenet, which is an established network used for various discussions, which unfortunately also includes illegal content. The site offers several subscription tiers, but the trap is set with the free tier, which requires the installation of the CryptVPN software to access the supposed free content. Now to be honest, I feel like I don't even want to give away these clues to any child predators that may be listening. So I'm going to stop there as far as how the attack works, but I'm really glad that attackers have found this vector because people who are partaking in illegal activities have a lot to lose and are often pretty scared, you know, unless they're complete psychopaths. And and so if someone's able to get the information or lure people into these websites You know, this reminds me of something that happened to me back in my single days. And those of you who know me personally can validate the authenticity of this story, but it might sound a little crazy to just an average listener. But swiping on Tinder, matched with someone, they didn't really want to chat too much, they just wanted to start sending nude photographs. And I personally, it's not my thing, but let's just say I'm not going to unmatch this person for offering. And so nude photographs came through, there was no exchange, but they did ask for photographs of myself, which I was not interested in sending. And in fact, I wasn't really interested in pursuing anyone who would just jump in and send nude photographs. So I stopped talking to them. And about a couple of days later, I got a phone call from a Someone claiming to be the police department, saying that they had gotten my number from this girl's dad, and she's underage, and now they have proof that I've been sending nude photographs to this underage person. Well, I don't know. They accused me of that and that never happened. So immediately I knew it was a scan. But let's just say hypothetically that I had sent pictures to this person. I would be pretty scared receiving this threat. Because my whole life would change, right? If I became a child predator or a sexual predator or whatever it's called, then like a lot of stuff changes. And at the time I was in the military, so that was the end of my military career or whatever. So it's a very similar to that. If you're doing something wrong. And you get caught in a trap, you're very likely to pay the ransom. So first of all, don't mess around with children online. Don't do illegal sexual things. And you have nothing to worry about with this scam. So please stop doing that. Don't do that. And you've got nothing to worry about, it's been recently unveiled that command line interface tools from the tech giants such as Amazon Web Services and Google Cloud are susceptible to exposing sensitive credentials in the build logs, presenting a substantial security hazard to enterprises. This vulnerability is a Which the cloud security firm Orca has dubbed Leaky CLI, involves certain commands on the Azure CLI, AWS CLI, and Google Cloud CLI that could reveal environment variables. Roy Nizmi, a prominent security researcher, highlights in a report to the Hacker News that, quote, some commands can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions. In response, Microsoft has proactively addressed this security lapse in its November 2023 update, designating it with the CVE identifier 2023 36052, which carries a critical CVSS score of 8. 6 out of 10. Conversely, Amazon and Google view the exposure of environment variables as an anticipated behavior, advising organizations to refrain from storing secrets within these variables. Instead, they recommend using specialized services like AWS Secrets Manager or Google Cloud Secret Manager, which is a great recommendation. Furthermore, Google has advised users of its CLI tools to employ the dash dash no dash user output enabled option, which prevents the printing of command output to the terminal, thereby mitigating the risk of data leaks. Orca has also identified several instances on GitHub where projects inadvertently leaked access tokens and other sensitive data through continuous integration and deployment tools, including GitHub actions, CircleCI, TravisCI, and CloudBuild, which is always going to be a problem. Take those. Pull request reviews, seriously. Nimzy warns, if bad actors get their hands on these environment variables, this could potentially lead to view sensitive information, including credentials, such as passwords, usernames, and keys, which could allow them to access any resources that the repository owners can. He added that CLI commands are by default assumed to be running in a secure environment. But coupled with CICD pipelines or continuous integration, continuous development, they may pose a security threat. This ongoing issue underscores the critical need for heightened security measures within cloud computing environments. Go out there, get you a new cloud job, my guys. Finally, the United Nations Development Program, or UNDP, has launched an investigation into a significant cyber attack where intruders compromised its IT systems, resulting in the theft of critical human resources data. So, human resources data sounds It's pretty benign to me, like, the way that that's framed seems like nothing, but think about what the data Human Resources has. It's the crown jewels. They've got your social security number for your W 2 form, they've got your previous jobs, they've got your address, they've got your email address, they've got everything. So Human Resources data is nothing to bat an eye at. The agency, which is a cornerstone of the United Nations efforts to combat poverty and inequality worldwide. Confirmed the breach occurred in late March within the local IT infrastructure for the United Nations. Following the detection of the breach on March 27th, thanks to a threat intelligence alert, UNDP acted swiftly. Quote, actions were immediately taken to identify a potential source and contain the effective server as well. As to determine the specifics of the exposed data and who was impacted. The ongoing investigation seeks to fully understand the incident's nature and scope, as well as its impact on individuals whose information was compromised, but to further complicate some matters, the eight base ransomware gang, a group known for its broad attacks on various industries, claimed responsibility for the data theft. On the same day as the breach, they added a new entry for UNDP on their dark web leak site. The documents leaked, according to the attackers, contain a huge amount of confidential information, ranging from personal data to financial records and employment contracts. This cyberattack is not the first the United Nations has suffered. Previous breaches have struck the United Nations Environmental Program and key United Nations networks in Geneva and Vienna, showcasing ongoing vulnerabilities within UNIT systems. Meanwhile, the 8Base group, which claims to target companies neglecting data privacy, continues its surge of attacks, having listed over 350 victims on its data leak site to date. So if you're listening and you know your company is rejecting some data privacy protocols, maybe use this story as incentive to get them to pay more attention to this. That's all we got for you today. Happy Monday. Thanks so much for listening. Please head over to our social media accounts, Instagram, Twitter, Twitter. com. Youtube Give us a follow, give us a like, and send us a comment. We'd love to talk. And we'll be back tomorrow with some more news.
In this episode, Rob is joined by Luis Ceze, CEO of OctoAI and a distinguished professor of computer science at the University of Washington. Together, they unpack the surge of interest in AI, attributing it to the convergence of factors like the unprecedented availability of data thanks to the internet boom and the accessibility of powerful computing resources.Their conversation delves into the pragmatic challenges developers face, such as striking the right balance between cost-effectiveness, inference speed, and ensuring scalability and availability. Luis explains how OctoAI is pioneering solutions to streamline this process, empowering developers to navigate these complexities automatically.Luis shares invaluable insights into the strategic benefits of diversifying AI models, likening the approach to the artistry of a skilled mixologist crafting a perfectly balanced cocktail.Have a guest recommendation for the podcast? Reach out to us on X at @CircleCI and let us know!
It doesn't matter if you have an innovative technical strategy if you're not solving problems the business cares about… This week, host Conor Bronsdon sits down with Rob Zuber, CTO at CircleCI. They delve into the evolving role of engineering leaders, and the importance of building a technical strategy that aligns with overarching business goals.Throughout the conversation, Rob emphasizes the importance of focusing on customer needs, gathering direct feedback and maintaining strategic flexibility. If you're interested in understanding the balance between technical strategy and business leadership, this episode provides a wealth of knowledge, strategies, and real-world examples.Episode Highlights:01:38 Crafting technical strategy for teams at CircleCI 07:26 How engineering leaders can make the most informed choices about their business17:47 Using postmortems to fuel a growth mindset 22:39 Applying hypotheses to be prepared for worst-case scenarios 27:43 Why CTOs need to focus on solving business problems first, then technical strategy30:30 Why engineering leaders need to form a close relationship with finance33:17 Advice for ICs or Directors on becoming a business leader39:17 Rob's approach to building trust and organizational design 44:36 How can I prepare for being a technical founder?55:12 What is CircleCI doing in ML?Show Notes:Modern Software EngineeringSupport the show: Subscribe to our Substack Leave us a review Subscribe on YouTube Follow us on Twitter or LinkedIn Offers: Learn about Continuous Merge with gitStream Get your DORA Metrics free forever
In this episode, Rob is joined by Carolyn Mooney, the CEO of Nextmv, a decision ops platform. As a seasoned expert in Decision Science, Carolyn delves into the nuanced differences in decision optimization and logistics across various industries, drawing from her experiences at Zoomer and Grubhub.The conversation unfolds around the decision maturity life cycle, exploring how companies progress from manual spreadsheet decisions to fully automated systems. They reflect on the impact of the pandemic on supply chain issues, emphasizing the heightened awareness of logistics' significance. Carolyn shares insightful perspectives on the fundamental role of optimization for efficiency in sustainability initiatives.With the transformative impact of increased AI awareness in logistics, Rob and Carolyn share the importance for all companies to contemplate the options and potential for enhancing their organizational efficiency.Have someone you'd like to hear on the podcast? Reach out to us on X at @CircleCI!
In this episode, Rob is joined by Patrick Debois, a seasoned industry expert and DevOps pioneer. Patrick shares his personal odyssey within the realm of DevOps, reflecting on the current state of the industry compared to his initial expectations. The conversation delves into the convergence of business analytics and technical analytics, exploring innovative approaches developers are adopting to integrate generative AI into their products.The two explore predictions for the year 2024, pondering whether the landscape will witness a pronounced shift towards applications or if other technical transformations will take precedence.If you have suggestions for future podcast guests, connect with us on X at @CircleCI!Get in touch with Patrick - Linkedin: https://www.linkedin.com/in/patrickdebois/YouTube: https://youtube.com/@jedi4ever
This episode of Software Engineering Daily is part of our on-site coverage of AWS re:Invent 2023, which took place from November 27th through December 1st in Las Vegas. In today's interview, host Jordi Mon Companys speaks with Rob Zuber who is the CTO at CircleCI. Jordi Mon Companys is a product manager and marketer that The post AWS re:Invent Special: CircleCI with Rob Zuber appeared first on Software Engineering Daily.
This episode of Software Engineering Daily is part of our on-site coverage of AWS re:Invent 2023, which took place from November 27th through December 1st in Las Vegas. In today's interview, host Jordi Mon Companys speaks with Rob Zuber who is the CTO at CircleCI. Jordi Mon Companys is a product manager and marketer that The post AWS re:Invent Special: CircleCI with Rob Zuber appeared first on Software Engineering Daily.
This episode of Software Engineering Daily is part of our on-site coverage of AWS re:Invent 2023, which took place from November 27th through December 1st in Las Vegas. In today's interview, host Jordi Mon Companys speaks with Rob Zuber who is the CTO at CircleCI. Jordi Mon Companys is a product manager and marketer that The post AWS re:Invent Special: CircleCI with Rob Zuber appeared first on Software Engineering Daily.
Please join us at patreon.com/tortoiseshack When (now former) founder of Circle CI, Paul Biggar wrote his blog "I can't sleep' about the Israeli "war" on Gaza, and the fear of many in the tech and venture capital industry to speak up, he knew it would have repercussions. But he did it anyway because he believed it was the right thing to do and that silence was a form of complicity. He joins us from New York to explain his reason, the overwhelmingly positive (if sadly privately expressed) response he's received and the maybe worse than expected reaction of his peers in an industry where he has build startups valued in the hundreds of millions of dollars. The piece is available here:https://blog.paulbiggar.com/i-cant-sleep/ The Echo Chamber 1 to 1 with comedian, satirist, actor and activist, Tadgh Hickey, is out now here:https://www.patreon.com/posts/patron-exclusive-94992441
Welcome back to another episode of Content Amplified. In this episode, we interview Julia McClellan, Senior Content Marketing Manager at CircleCI. What you'll learn in this episode: Budget-Friendly Content Creation: Julia shares insights on producing high-quality, cost-effective content. She emphasizes learning essential tools like Adobe Premiere Pro for video and audio editing, especially when working with limited budgets. Prioritizing Quality over Quantity: The importance of focusing on creating high-quality content that resonates with your audience, rather than producing a high volume of mediocre content. Effective Use of Contractors: Julia talks about her experiences with contractors, highlighting the balance between speed and cost, and how to choose the right one based on your budget and project requirements. Content Recycling for Cost Savings: Discover how recycling content, like reusing animations or converting blog posts into videos, can be a significant budget saver. Investment in Successful Content: Julia recommends investing in content that shows proven success, using examples like product demos with high conversion rates. Distribution Strategies on a Tight Budget: Learn about the best practices for distributing content effectively without overspending, with a focus on SEO and organic social channels. Analyzing Success Metrics: Julia discusses different metrics for measuring content success, from brand awareness (impressions) to conversion rates, and how these metrics align with organizational goals. This episode is packed with valuable insights from Julia on making the most of your content marketing budget, especially in challenging economic times. Tune in for practical tips and strategic advice that can transform your approach to content creation and distribution.
In this episode Rob is joined by Dave Farley, software legend and author of books "Continuous Delivery" and "Modern Software Engineering”. The two tackle the essence of software development culture and the current state of software delivery. They unpack why it's important to prioritize problem-solving abilities over technical skills when it comes to hiring, emphasizing a healthy culture and the need for continuous learning on the job.Reflecting on the past 25 years in the industry, the conversation centers on acknowledging mistakes, aiming to shorten development cycles for rapid feedback and progress. Exploring the intersection of aviation history and modern software development, Dave draws parallels with the Wright Brothers' approach to engineering and iteration.Listen in as Dave shares insights on AI automated testing and its current inability to rival the human brain, and discover the must-read books he recommends for every software developer.Connect with us on Twitter/X at @CircleCI to share your thoughts or suggest future guests for the show!
In today's episode, Rob is joined by CircleCI's own Aisling Conroy. Aisling, a key player in CircleCI's product marketing and competitive intelligence, provides a window into the thoughts of analysts in the ever-evolving CI/CD space. Their discussion explores how the power of diverse perspectives in problem-solving can yield many different types of product offerings.They discuss the intricate nature of software developers as unique and discerning customers, recognizing developers' inherent problem-solving abilities. The episode unfolds with insights into emerging trends in the tooling space and the promising potential for increased collaboration between developers and customer-facing teams.Have someone you'd like to hear on the podcast, reach out to us on Twitter/X at @CircleCI!
In this episode, Rob sits down with Lewis Menelaws from Coding with Lewis, a prominent social media influencer and content creator specializing in entertaining and empowering software developers. Together, they explore the evolving landscape of learning the craft, drawing comparisons between the present day and the learning experiences of 25 years ago.The conversation delves into the transformative impact of AI on the learning process and Lewis shares valuable insights on how senior leaders and developers can effectively guide and empower the upcoming generation of developers. Tune in for a thoughtful discussion on the past, present, and future of software development education.Have someone you'd like to hear on the podcast, reach out to us on X/Twitter at @CircleCI!
In this episode, Rob explores the fascinating crossroads of machine learning and software engineering with Gideon Mendels, the co-founder and CEO of Comet ML. Gideon navigates the often ambiguous world of training ML models, focusing on building a common language between software engineers and data science teams.Gain valuable insights into fostering mutual understanding between these two disciplines and aligning the possibilities of ML with organizational needs in this thought-provoking episode.Have someone you'd like to hear on the podcast? Reach out to us on Twitter/X at @CircleCI!
It's easy to feel like you're on your own lonely marketing island. You're so focused on what you're doing that your process starts to feel stale. Wouldn't it be helpful to hear how other marketers are driving sales?Especially if those marketers are at companies like G2, Deel and Gigster; successful names in B2B that know what works, and are pushing the envelope for what B2B content could look like. That's what we're bringing to you this week. In this episode, we're wrapping up Season 3 by highlighting the winning content strategies from top B2B brands. You'll leave with new ideas and insights to use on your very next campaign. So all aboard, we're getting you off that lonely island on this episode of Remarkable.About our guestsKim Courvoisier, Senior Director of Content Marketing at LobGillian Jakob Kieser, Director of Content Marketing at CircleCIAnja Simic, Director of Content Marketing at DeelMartha Aviles, Vice President of Marketing at GigsterPalmer Houchins, VP and Head of Marketing at G2Meghan Barr, VP of Brand, Content and Communications at ZoomInfoJohann Wrede, CEO at EmburseChris Sheen, Director of Content and Social at CelonisJérôme Robert, CMO and Chief of Staff at TenableWhat B2B Companies Can Learn From Season 3 of Remarkable:Provide some free, valuable content to your audience. It proves that your product is worth the investment and helps you establish domain authority. Gillian Jakob Kieser, Director of Content Marketing at CircleCI says, “When we were smaller, we were really banking on utility. So we invested a lot in single pieces of content that people would share because there was nothing better than it. So once you saw it, you would have to pass it on. An example is our team open sourced our entire competency matrix and wrote about how we developed it. And that's a document that is like five years old and it's an open Google doc. Every time I go on there, there's still like 12 Anonymous Raptors on there using the content. And that was worth it because they've become tools. And that's been a great marketing strategy.”Create content for people at different points in the buying process. Your content should look different for people who are just exploring their options vs. people who are ready to make a purchase. Anja Simic, Director of Content Marketing at Deel says, “The readiness to purchase is very important when you think about content marketing.” She says you can think of it like the marketing funnel. “Top of the funnel content is informational, it's educational. It's a lot of articles or listicles, and lighter content. Closer to the middle of the funnel, your content needs to be a bit more product heavy. It needs to talk about specific solutions, specific questions that your prospects may have. But not all of it has to be salesy and pushy, because they're just considering. They're exploring their options. And then the very bottom of the funnel is where you really push them over the edge. They're really thinking about it. They're considering your product, and know enough about it.”Make something different. Get away from the B2B content formula. Jérôme Robert, CMO and Chief of Staff at Tenable says the risk in making something outside-the-box is overstated. He says, “Notably in an industry where marketing, the marketing practices are very mature and very identical from one company to another, there's very, very little downside in standing out, in doing something that is entirely different.” He says, “Worst case scenario, it's not going to get a lot of engagement. But I don't think anyone would laugh at you or discard you as a company because you did something different. I think people respect the originality, the boldness, in doing something entirely different.”Quotes*”A lot of what we think about with content marketing is how do we show a bit more of the heart behind what we do? How do we make us not just a brand, but show that there's a real company and people behind that? If you are choosing a provider, you're actually going to choose those guys, you're going to bet on them.” - Chris Sheen, Director of Content and Social at Celonis*”Without trust, you can't do business. And today, buyers are really sophisticated. If we don't produce excellent content that genuinely seeks to inform, educate and help the customer, then they're just going to ignore it and they're going to go somewhere else. If you can create content that authentically seeks to inform and to add value, then you start to move into the trusted advisor quadrant.” - Johann Wrede, CEO at Emburse*”We are all bombarded with content every day. And so we try to cut through the noise and provide content that can help our audience do their jobs better. That's the overarching goal of everything that we create.” - Meghan Barr, VP of Brand, Content and Communications at ZoomInfoTime Stamps[0:58] Introducing the Season 3 Roundup! Content strategies from…[1:22] Kim Courvoisier from Lob[2:38] Gillian Jakob Kieser of CircleCI[4:38] Anja Simic of Deel[7:17] Martha Aviles of Gigster[8:28] Palmer Houchins of G2[10:39] Meghan Barr of ZoomInfo[12:09] Johann Wrede of Emburse[16:44] Chris Sheen of Celonis[19:37] Jérôme Robert of TenableLinksListen to the full Season 3 episodes, featuring:Kim Courvoisier, Senior Director of Content Marketing at LobGillian Jakob Kieser, Director of Content Marketing at CircleCIAnja Simic, Director of Content Marketing at DeelMartha Aviles, Vice President of Marketing at GigsterPalmer Houchins, VP and Head of Marketing at G2Meghan Barr, VP of Brand, Content and Communications at ZoomInfoJohann Wrede, CEO at EmburseChris Sheen, Director of Content and Social at CelonisJérôme Robert, CMO and Chief of Staff at TenableAbout Remarkable!Remarkable! is created by the team at Caspian Studios, the premier B2B Podcast-as-a-Service company. Caspian creates both non-fiction and fiction series for B2B companies. If you want a fiction series check out our new offering - The Business Thriller - Hollywood style storytelling for B2B. Learn more at CaspianStudios.com. In today's episode, you heard from Ian Faison (CEO of Caspian Studios) and Meredith Gooderham (Senior Producer). Remarkable was produced this week by Meredith Gooderham, mixed by Scott Goodrich, and our theme song is “Solomon” by FALAK. Create something remarkable. Rise above the noise.
In this episode, dive deep into the world of AI-enabled products and the push to explore and integrate them at CircleCI. Rob is joined by Aakar Shroff, CircleCI's VP of product. Aakar shares valuable insights into AI product development and how AI tools can be leveraged to streamline software delivery processes.Rob and Aakar explore the fast-evolving AI landscape, including the convergence of different media formats and the future possibilities it holds for applications. Tune in to gain a deeper understanding of the potential of AI in software delivery and discover the exciting challenges and opportunities this ever-evolving field offers.
Michael Webster, principal engineer at CircleCI, talks to Rob about testing AI-enabled applications. In this episode, learn how to face the unique challenges posed by the probabilistic and non-deterministic nature of AI output, as well as the importance of subjective evaluation criteria. Webster covers how model graded evals can be used to test AI applications, and the importance of caution in using this approach. CircleCI gives AI/ML teams the tools they need to iterate quickly, deploy safely, and deliver value continuously. To learn more, visit: circleci.com/ai-ml/Have someone you'd like to hear on the podcast? Reach out to us on Twitter/X at @CircleCI!
Adnan Khan, Lead Security Engineer at Praetorian, joins Corey on Screaming in the Cloud to discuss software bill of materials and supply chain attacks. Adnan describes how simple pull requests can lead to major security breaches, and how to best avoid those vulnerabilities. Adnan and Corey also discuss the rapid innovation at Github Actions, and the pros and cons of having new features added so quickly when it comes to security. Adnan also discusses his view on the state of AI and its impact on cloud security. About AdnanAdnan is a Lead Security Engineer at Praetorian. He is responsible for executing on Red-Team Engagements as well as developing novel attack tooling in order to meet and exceed engagement objectives and provide maximum value for clients.His past experience as a software engineer gives him a deep understanding of where developers are likely to make mistakes, and has applied this knowledge to become an expert in attacks on organization's CI/CD systems.Links Referenced: Praetorian: https://www.praetorian.com/ Twitter: https://twitter.com/adnanthekhan Praetorian blog posts: https://www.praetorian.com/author/adnan-khan/ TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Are you navigating the complex web of API management, microservices, and Kubernetes in your organization? Solo.io is here to be your guide to connectivity in the cloud-native universe!Solo.io, the powerhouse behind Istio, is revolutionizing cloud-native application networking. They brought you Gloo Gateway, the lightweight and ultra-fast gateway built for modern API management, and Gloo Mesh Core, a necessary step to secure, support, and operate your Istio environment.Why struggle with the nuts and bolts of infrastructure when you can focus on what truly matters - your application. Solo.io's got your back with networking for applications, not infrastructure. Embrace zero trust security, GitOps automation, and seamless multi-cloud networking, all with Solo.io.And here's the real game-changer: a common interface for every connection, in every direction, all with one API. It's the future of connectivity, and it's called Gloo by Solo.io.DevOps and Platform Engineers, your journey to a seamless cloud-native experience starts here. Visit solo.io/screaminginthecloud today and level up your networking game.Corey: As hybrid cloud computing becomes more pervasive, IT organizations need an automation platform that spans networks, clouds, and services—while helping deliver on key business objectives. Red Hat Ansible Automation Platform provides smart, scalable, sharable automation that can take you from zero to automation in minutes. Find it in the AWS Marketplace.Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. I've been studiously ignoring a number of buzzword, hype-y topics, and it's probably time that I addressed some of them. One that I've been largely ignoring, mostly because of its prevalence at Expo Hall booths at RSA and other places, has been software bill of materials and supply chain attacks. Finally, I figured I would indulge the topic. Today I'm speaking with Adnan Khan, lead security engineer at Praetorian. Adnan, thank you for joining me.Adnan: Thank you so much for having me.Corey: So, I'm trying to understand, on some level, where the idea of these SBOM or bill-of-material attacks have—where they start and where they stop. I've seen it as far as upstream dependencies have a vulnerability. Great. I've seen misconfigurations in how companies wind up configuring their open-source presences. There have been a bunch of different, it feels almost like orthogonal concepts to my mind, lumped together as this is a big scary thing because if we have a big single scary thing we can point at, that unlocks budget. Am I being overly cynical on this or is there more to it?Adnan: I'd say there's a lot more to it. And there's a couple of components here. So first, you have the SBOM-type approach to security where organizations are looking at which packages are incorporated into their builds. And vulnerabilities can come out in a number of ways. So, you could have software actually have bugs or you could have malicious actors actually insert backdoors into software.I want to talk more about that second point. How do malicious actors actually insert backdoors? Sometimes it's compromising a developer. Sometimes it's compromising credentials to push packages to a repository, but other times, it could be as simple as just making a pull request on GitHub. And that's somewhere where I've spent a bit of time doing research, building off of techniques that other people have documented, and also trying out some attacks for myself against two Microsoft repositories and several others that have reported over the last few months that would have been able to allow an attacker to slip a backdoor into code and expand the number of projects that they are able to attack beyond that.Corey: I think one of the areas that we've seen a lot of this coming from has been the GitHub Action space. And I'll confess that I wasn't aware of a few edge-case behaviors around this. Most of my experience with client-side Git configuration in the .git repository—pre-commit hooks being a great example—intentionally and by design from a security perspective, do not convey when you check that code in and push it somewhere, or grab someone else's, which is probably for the best because otherwise, it's, “Oh yeah, just go ahead and copy your password hash file and email that to something else via a series of arcane shell script stuff.” The vector is there. I was unpleasantly surprised somewhat recently to discover that when I cloned a public project and started running it locally and then adding it to my own fork, that it would attempt to invoke a whole bunch of GitHub Actions flows that I'd never, you know, allowed it to do. That was… let's say, eye-opening.Adnan: [laugh]. Yeah. So, on the particular topic of GitHub Actions, the pull request as an attack vector, like, there's a lot of different forms that an attack can take. So, one of the more common ones—and this is something that's been around for just about as long as GitHub Actions has been around—and this is a certain trigger called ‘pull request target.' What this means is that when someone makes a pull request against the base repository, maybe a branch within the base repository such as main, that will be the workflow trigger.And from a security's perspective, when it runs on that trigger, it does not require approval at all. And that's something that a lot of people don't really realize when they're configuring their workflows. Because normally, when you have a pull request trigger, the maintainer can check a box that says, “Oh, require approval for all external pull requests.” And they think, “Great, everything needs to be approved.” If someone tries to add malicious code to run that's on the pull request target trigger, then they can look at the code before it runs and they're fine.But in a pull request target trigger, there is no approval and there's no way to require an approval, except for configuring the workflow securely. So, in this case, what happens is, and in one particular case against the Microsoft repository, this was a Microsoft reusable GitHub Action called GPT Review. It was vulnerable because it checked out code from my branch—so if I made a pull request, it checked out code from my branch, and you could find this by looking at the workflow—and then it ran tests on my branch, so it's running my code. So, by modifying the entry points, I could run code that runs in the context of that base branch and steal secrets from it, and use those to perform malicious Actions.Corey: Got you. It feels like historically, one of the big threat models around things like this is al—[and when 00:06:02] you have any sort of CI/CD exploit—is either falls down one of two branches: it's either the getting secret access so you can leverage those credentials to pivot into other things—I've seen a lot of that in the AWS space—or more boringly, and more commonly in many cases, it seems to be oh, how do I get it to run this crypto miner nonsense thing, with the somewhat large-scale collapse of crypto across the board, it's been convenient to see that be less prevalent, but still there. Just because you're not making as much money means that you'll still just have to do more of it when it's all in someone else's account. So, I guess it's easier to see and detect a lot of the exploits that require a whole bunch of compute power. The, oh by the way, we stole your secrets and now we're going to use that to lateral into an organization seem like it's something far more… I guess, dangerous and also sneaky.Adnan: Yeah, absolutely. And you hit the nail on the head there with sneaky because when I first demonstrated this, I made a test account, I created a PR, I made a couple of Actions such as I modified the name of the release for the repository, I just put a little tag on it, and didn't do any other changes. And then I also created a feature branch in one of Microsoft's repositories. I don't have permission to do that. That just sat there for about almost two weeks and then someone else exploited it and then they responded to it.So, sneaky is exactly the word you could describe something like this. And another reason why it's concerning is, beyond the secret disclosure for—and in this case, the repository only had an OpenAI API key, so… okay, you can talk to ChatGPT for free. But this was itself a Github Action and it was used by another Microsoft machine-learning project that had a lot more users, called SynapseML, I believe was the name of the other project. So, what someone could do is backdoor this Action by creating a commit in a feature branch, which they can do by stealing the built-in GitHub token—and this is something that all Github Action runs have; the permissions for it vary, but in this case, it had the right permissions—attacker could create a new branch, modify code in that branch, and then modify the tag, which in Git, tags are mutable, so you can just change the commit the tag points to, and now, every time that other Microsoft repository runs GPT Review to review a pull request, it's running attacker-controlled code, and then that could potentially backdoor that other repository, steal secrets from that repository.So that's, you know, one of the scary parts of, in particular backdooring a Github Action. And I believe there was a very informative Blackhat talk this year, that someone from—I'm forgetting the name of the author, but it was a very good watch about how Actions vulnerabilities can be vulnerable, and this is kind of an example of—it just happened to be that this was an Action as well.Corey: That feels like this is an area of exploit that is becoming increasingly common. I tie it almost directly to the rise of GitHub Actions as the default CI/CD system that a lot of folks have been using. For the longest time, it seemed like a poorly configured Jenkins box hanging out somewhere in your environment that was the exception to the Infrastructure as Code rule because everyone has access to it, configures it by hand, and invariably it has access to production was the way that people would exploit things. For a while, you had CircleCI and Travis-CI, before Travis imploded and Circle did a bunch of layoffs. Who knows where they're at these days?But it does seem that the common point now has been GitHub Actions, and a .github folder within that Git repo with a workflows YAML file effectively means that a whole bunch of stuff can happen that you might not be fully aware of when you're cloning or following along with someone's tutorial somewhere. That has caught me out in a couple of strange ways, but nothing disastrous because I do believe in realistic security boundaries. I just worry how much of this is the emerging factor of having a de facto standard around this versus something that Microsoft has actively gotten wrong. What's your take on it?Adnan: Yeah. So, my take here is that Github could absolutely be doing a lot more to help prevent users from shooting themselves in the foot. Because their documentation is very clear and quite frankly, very good, but people aren't warned when they make certain configuration settings in their workflows. I mean, GitHub will happily take the settings and, you know, they hit commit, and now the workflow could be vulnerable. There's no automatic linting of workflows, or a little suggestion box popping up like, “Hey, are you sure you want to configure it this way?”The technology to detect that is there. There's a lot of third-party utilities that will lint Actions workflows. Heck, for looking for a lot of these pull request target-type vulnerabilities, I use a Github code search query. It's just a regular expression. So, having something that at least nudges users to not make that mistake would go really far in helping people not make these mista—you know, adding vulnerabilities to their projects.Corey: It seems like there's also been issues around the GitHub Actions integration approach where OICD has not been scoped correctly a bunch of times. I've seen a number of articles come across my desk in that context and fortunately, when I wound up passing out the ability for one of my workflows to deploy to my AWS account, I got it right because I had no idea what I was doing and carefully followed the instructions. But I can totally see overlooking that one additional parameter that leaves things just wide open for disaster.Adnan: Yeah, absolutely. That's one where I haven't spent too much time actually looking for that myself, but I've definitely read those articles that you mentioned, and yeah, it's very easy for someone to make that mistake, just like, it's easy for someone to just misconfigure their Action in general. Because in some of the cases where I found vulnerabilities, there would actually be a commit saying, “Hey, I'm making this change because the Action needs access to these certain secrets. And oh, by the way, I need to update the checkout steps so it actually checks out the PR head so that it's [testing 00:12:14] that PR code.” Like, people are actively making a decision to make it vulnerable because they don't realize the implication of what they've just done.And in the second Microsoft repository that I found the bug in, was called Microsoft Confidential Sidecar Containers. That repository, the developer a week prior to me identifying the bug made a commit saying that we're making a change and it's okay because it requires approval. Well, it doesn't because it's a pull request target.Corey: Part of me wonders how much of this is endemic to open-source as envisioned through enterprises versus my world of open-source, which is just eh, I've got this weird side project in my spare time, and it seemed like it might be useful to someone else, so I'll go ahead and throw it up there. I understand that there's been an awful lot of commercialization of open-source in recent years; I'm not blind to that fact, but it also seems like there's a lot of companies playing very fast and loose with things that they probably shouldn't be since they, you know, have more of a security apparatus than any random contributors standing up a clone of something somewhere will.Adnan: Yeah, we're definitely seeing this a lot in the machine-learning space because of companies that are trying to move so quickly with trying to build things because OpenAI AI has blown up quite a bit recently, everyone's trying to get a piece of that machine learning pie, so to speak. And another thing of what you're seeing is, people are deploying self-hosted runners with Nvidia, what is it, the A100, or—it's some graphics card that's, like, $40,000 apiece attached to runners for running integration tests on machine-learning workflows. And someone could, via a pull request, also just run code on those and mine crypto.Corey: I kind of miss the days when exploiting computers is basically just a way for people to prove how clever they were or once in a blue moon come up with something innovative. Now, it's like, well, we've gone all around the mulberry bush just so we can basically make computers solve a sudoku form, and in return, turn that into money down the road. It's frustrating, to put it gently.Adnan: [laugh].Corey: When you take a look across the board at what companies are doing and how they're embracing the emerging capabilities inherent to these technologies, how do you avoid becoming a cautionary tale in the space?Adnan: So, on the flip side of companies having vulnerable workflows, I've also seen a lot of very elegant ways of writing secure workflows. And some of the repositories are using deployment environments—which is the GitHub Actions feature—to enforce approval checks. So, workflows that do need to run on pull request target because of the need to access secrets for pull requests will have a step that requires a deployment environment to complete, and that deployment environment is just an approval and it doesn't do anything. So essentially, someone who has permissions to the repository will go in, approve that environment check, and only then will the workflow continue. So, that adds mandatory approvals to pull requests where otherwise they would just run without approval.And this is on, particularly, the pull request target trigger. Another approach is making it so the trigger is only running on the label event and then having a maintainer add a label so the tests can run and then remove the label. So, that's another approach where companies are figuring out ways to write secure workflows and not leave their repositories vulnerable.Corey: It feels like every time I turn around, Github Actions has gotten more capable. And I'm not trying to disparage the product; it's kind of the idea of what we want. But it also means that there's certainly not an awareness in the larger community of how these things can go awry that has kept up with the pace of feature innovation. How do you balance this without becoming the Department of No?Adnan: [laugh]. Yeah, so it's a complex issue. I think GitHub has evolved a lot over the years. Actions, it's—despite some of the security issues that happen because people don't configure them properly—is a very powerful product. For a CI/CD system to work at the scale it does and allow so many repositories to work and integrate with everything else, it's really easy to use. So, it's definitely something you don't want to take away or have an organization move away from something like that because they are worried about the security risks.When you have features coming in so quickly, I think it's important to have a base, kind of like, a mandatory reading. Like, if you're a developer that writes and maintains an open-source software, go read through this document so you can understand the do's and don'ts instead of it being a patchwork where some people, they take a good security approach and write secure workflows and some people just kind of stumble through Stack Overflow, find what works, messes around with it until their deployment is working and their CI/CD is working and they get the green checkmark, and then they move on to their never-ending list of tasks that—because they're always working on a deadline.Corey: Reminds me of a project I saw a few years ago when it came out that Volkswagen had been lying to regulators. It was a framework someone built called ‘Volkswagen' that would detect if it was running inside of a CI/CD environment, and if so, it would automatically make all the tests pass. I have a certain affinity for projects like that. Another one was a tool that would intentionally degrade the performance of a network connection so you could simulate having a latent or stuttering connection with packet loss, and they call that ‘Comcast.' Same story. I just thought that it's fun seeing people get clever on things like that.Adnan: Yeah, absolutely.Corey: When you take a look now at the larger stories that are emerging in the space right now, I see an awful lot of discussion coming up that ties to SBOMs and understanding where all of the components of your software come from. But I chased some stuff down for fun once, and I gave up after 12 dependency leaps from just random open-source frameworks. I mean, I see the Dependabot problem that this causes as well, where whenever I put something on GitHub and then don't touch it for a couple of months—because that's how I roll—I come back and there's a whole bunch of terrifyingly critical updates that it's warning me about, but given the nature of how these things get used, it's never going to impact anything that I'm currently running. So, I've learned to tune it out and just ignore it when it comes in, which is probably the worst of all possible approaches. Now, if I worked at a bank, I should probably take a different perspective on this, but I don't.Adnan: Mm-hm. Yeah. And that's kind of a problem you see, not just with SBOMs. It's just security alerting in general, where anytime you have some sort of signal and people who are supposed to respond to it are getting too much of it, you just start to tune all of it out. It's like that human element that applies to so much in cybersecurity.And I think for the particular SBOM problem, where, yeah, you're correct, like, a lot of it… you don't have reachability because you're using a library for one particular function and that's it. And this is somewhere where I'm not that much of an expert in where doing more static source analysis and reachability testing, but I'm certain there are products and tools that offer that feature to actually prioritize SBOM-based alerts based on actual reachability versus just having an as a dependency or not.[midroll 00:20:00]Corey: I feel like, on some level, wanting people to be more cautious about what they're doing is almost shouting into the void because I'm one of the only folks I found that has made the assertion that oh yeah, companies don't actually care about security. Yes, they email you all the time after they failed to protect your security, telling you how much they care about security, but when you look at where they invest, feature velocity always seems to outpace investment in security approaches. And take a look right now at the hype we're seeing across the board when it comes to generative AI. People are excited about the capabilities and security is a distant afterthought around an awful lot of these things. I don't know how you drive a broader awareness of this in a way that sticks, but clearly, we haven't collectively found it yet.Adnan: Yeah, it's definitely a concern. When you see things on—like for example, you can look at Github's roadmap, and there's, like, a feature there that's, oh, automatic AI-based pull request handling. Okay, so does that mean one day, you'll have a GitHub-powered LLM just approve PRs based on whether it determines that it's a good improvement or not? Like, obviously, that's not something that's the case now, but looking forward to maybe five, six years in the future, in the pursuit of that ever-increasing velocity, could you ever have a situation where actual code contributions are reviewed fully by AI and then approved and merged? Like yeah, that's scary because now you have a threat actor that could potentially specifically tailor contributions to trick the AI into thinking they're great, but then it could turn around and be a backdoor that's being added to the code.Obviously, that's very far in the future and I'm sure a lot of things will happen before that, but it starts to make you wonder, like, if things are heading that way. Or will people realize that you need to look at security at every step of the way instead of just thinking that these newer AI systems can just handle everything?Corey: Let's pivot a little bit and talk about your day job. You're a lead security engineer at what I believe to be a security-focused consultancy. Or—Adnan: Yeah.Corey: If you're not a SaaS product. Everything seems to become a SaaS product in the fullness of time. What's your day job look like?Adnan: Yeah, so I'm a security engineer on Praetorian's red team. And my day-to-day, I'll kind of switch between application security and red-teaming. And that kind of gives me the opportunity to, kind of, test out newer things out in the field, but then also go and do more traditional application security assessments and code reviews, and reverse engineering to kind of break up the pace of work. Because red-teaming can be very fast and fast-paced and exciting, but sometimes, you know, that can lead to some pretty late nights. But that's just the nature of being on a red team [laugh].Corey: It feels like as soon as I get into the security space and start talking to cloud companies, they get a lot more defensive than when I'm making fun of, you know, bad service naming or APIs that don't make a whole lot of sense. It feels like companies have a certain sensitivity around the security space that applies to almost nothing else. Do you find, as a result, that a lot of the times when you're having conversations with companies and they figure out that, oh, you're a red team for a security researcher, oh, suddenly, we're not going to talk to you the way we otherwise might. We thought you were a customer, but nope, you can just go away now.Adnan: [laugh]. I personally haven't had that experience with cloud companies. I don't know if I've really tried to buy a lot. You know, I'm… if I ever buy some infrastructure from cloud companies as an individual, I just kind of sign up and put in my credit card. And, you know, they just, like, oh—you know, they just take my money. So, I don't really think I haven't really, personally run into anything like that yet [laugh].Corey: Yeah, I'm curious to know how that winds up playing out in some of these, I guess, more strategic, larger company environments. I don't get to see that because I'm basically a tiny company that dabbles in security whenever I stumble across something, but it's not my primary function. I just worry on some level one of these days, I'm going to wind up accidentally dropping a zero-day on Twitter or something like that, and suddenly, everyone's going to come after me with the knives. I feel like [laugh] at some point, it's just going to be a matter of time.Adnan: Yeah. I think when it comes to disclosing things and talking about techniques, the key thing here is that a lot of the things that I'm talking about, a lot of the things that I'll be talking about in some blog posts that have coming out, this is stuff that these companies are seeing themselves. Like, they recognize that these are security issues that people are introducing into code. They encourage people to not make these mistakes, but when it's buried in four links deep of documentation and developers are tight on time and aren't digging through their security documentation, they're just looking at what works, getting it to work and moving on, that's where the issue is. So, you know, from a perspective of raising awareness, I don't feel bad if I'm talking about something that the company itself agrees is a problem. It's just a lot of the times, their own engineers don't follow their own recommendations.Corey: Yeah, I have opinions on these things and unfortunately, it feels like I tend to learn them in some of the more unfortunate ways of, oh, yeah, I really shouldn't care about this thing, but I only learned what the norm is after I've already done something. This is, I think, the problem inherent to being small and independent the way that I tend to be. We don't have enough people here for there to be a dedicated red team and research environment, for example. Like, I tend to bleed over a little bit into a whole bunch of different things. We'll find out. So far, I've managed to avoid getting it too terribly wrong, but I'm sure it's just a matter of time.So, one area that I think seems to be a way that people try to avoid cloud issues is oh, I read about that in the last in-flight magazine that I had in front of me, and the cloud is super insecure, so we're going to get around all that by running our own infrastructure ourselves, from either a CI/CD perspective or something else. Does that work when it comes to this sort of problem?Adnan: Yeah, glad you asked about that. So, we've also seen open-s—companies that have large open-source presence on GitHub just opt to have self-hosted Github Actions runners, and that opens up a whole different Pandora's box of attacks that an attacker could take advantage of, and it's only there because they're using that kind of runner. So, the default GitHub Actions runner, it's just an agent that runs on a machine, it checks in with GitHub Actions, it pulls down builds, runs them, and then it waits for another build. So, these are—the default state is a non-ephemeral runner with the ability to fork off tasks that can run in the background. So, when you have a public repository that has a self-hosted runner attached to it, it could be at the organization level or it could be at the repository level.What an attacker can just do is create a pull request, modify the pull request to run on a self-hosted runner, write whatever they want in the pull request workflow, create a pull request, and now as long as they were a previous contributor, meaning you fixed a typo, you… that could be a such a, you know, a single character typo change could even cause that, or made a small contribution, now they create the pull request. The arbitrary job that they wrote is now picked up by that self-hosted runner. They can fork off it, process it to run in the background, and then that just continues to run, the job finishes, their pull request, they'll just—they close it. Business as usual, but now they've got an implant on the self-hosted runner. And if the runners are non-ephemeral, it's very hard to completely lock that down.And that's something that I've seen, there's quite a bit of that on GitHub where—and you can identify it just by looking at the run logs. And that's kind of comes from people saying, “Oh, let's just self-host our runners,” but they also don't configure that properly. And that opens them up to not only tampering with their repositories, stealing secrets, but now depending on where your runner is, now you potentially could be giving an attacker a foothold in your cloud environment.Corey: Yeah, that seems like it's generally a bad thing. I found that cloud tends to be more secure than running it yourself in almost every case, with the exception that once someone finds a way to break into it, there's suddenly a lot more eggs in a very large, albeit more secure, basket. So, it feels like it's a consistent trade-off. But as time goes on, it feels like it is less and less defensible, I think, to wind up picking out an on-prem strategy from a pure security point of view. I mean, there are reasons to do it. I'm just not sure.Adnan: Yeah. And I think that distinction to be made there, in particular with CI/CD runners is there's cloud, meaning you let your—there's, like, full cloud meaning you let your CI/CD provider host your infrastructure as well; there's kind of that hybrid approach you mentioned, where you're using a CI/CD provider, but then you're bringing your own cloud infrastructure that you think you could secure better; or you have your runners sitting in vCenter in your own data center. And all of those could end up being—both having a runner in your cloud and in your data center could be equally vulnerable if you're not segmenting builds properly. And that's the core issue that happens when you have a self-hosted runner is if they're not ephemeral, it's very hard to cut off all attack paths. There's always something an attacker can do to tamper with another build that'll have some kind of security impact. You need to just completely isolate your builds and that's essentially what you see in a lot of these newer guidances like the [unintelligible 00:30:04] framework, that's kind of the core recommendation of it is, like, one build, one clean runner.Corey: Yeah, that seems to be the common wisdom. I've been doing a lot of work with my own self-hosted runners that run inside of Lambda. Definitionally those are, of course, ephemeral. And there's a state machine that winds up handling that and screams bloody murder if there's a problem with it. So far, crossing fingers hoping it works out well.And I have a bounded to a very limited series of role permissions, and of course, its own account of constraint blast radius. But there's still—there are no guarantees in this. The reason I build it the way I do is that, all right, worst case someone can get access to this. The only thing they're going to have the ability to do is, frankly, run up my AWS bill, which is an area I have some small amount of experience with.Adnan: [laugh]. Yeah, yeah, that's always kind of the core thing where if you get into someone's cloud, like, well, just sit there and use their compute resources [laugh].Corey: Exactly. I kind of miss when that was the worst failure mode you had for these things.Adnan: [laugh].Corey: I really want to thank you for taking the time to speak with me today. If people want to learn more, where's the best place for them to find you?Adnan: I do have a Twitter account. Well, I guess you can call it Twitter anymore, but, uh—Corey: Watch me. Sure I can.Adnan: [laugh]. Yeah, so I'm on Twitter, and it's @adnanthekhan. So, it's like my first name with ‘the' and then K-H-A-N because, you know, my full name probably got taken up, like, years before I ever made a Twitter account. So, occasionally I tweet about GitHub Actions there.And on Praetorian's website, I've got a couple of blog posts. I have one—the one that really goes in-depth talking about the two Microsoft repository pull request attacks, and a couple other ones that are disclosed, will hopefully drop on the twenty—what is that, Tuesday? That's going to be the… that's the 26th. So, it should be airing on the Praetorian blog then. So, if you—Corey: Excellent. It should be out by the time this is published, so we will, of course, put a link to that in the [show notes 00:32:01]. Thank you so much for taking the time to speak with me today. I appreciate it.Adnan: Likewise. Thank you so much, Corey.Corey: Adnan Khan, lead security engineer at Praetorian. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment that's probably going to be because your podcast platform of choice is somehow GitHub Actions.Adnan: [laugh].Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
In this episode, you'll learn how to empower your team to do the most challenging thing when it comes to AI - getting started! Rob is joined by Kira Muehlbauer and Ryan Hamilton, two engineers who worked on building a groundbreaking feature at CircleCI called the AI error summarizer. Discover their insights into the process of building AI products, the challenges they faced, and the valuable lessons they learned along the way.Have someone you'd like to hear on the podcast? Reach out to us on Twitter/X at @CircleCI!
In this podcast episode, Jerome Hardaway and Rob Ocel explore AI-powered development. They discuss the importance of active engagement in tech communities and the value of skill development. Jerome highlights the changing landscape for junior developers and the availability of free online resources for learning. The episode also emphasizes AI's practical benefits, such as boosting productivity and aiding job readiness. It dispels misconceptions about AI hindering creativity, presenting it as a valuable tool for developers. This episode is sponsored by CircleCI.
Are you a chaos muppet or an order muppet? Knowing the answer to this very important question can help you unlock your B2B marketing potential. Here's why.There's magic chemistry that happens when a chaos muppet joins forces with an order muppet. (Replace the word “muppet” with “marketer” in this instance.) It's like a marketing power couple. You need the wildly outside-of-the-box thinking of the chaos side tempered with the composed, organized, planning mind of the order side to create truly remarkable content. It's these two energies that work synchronistically to create content worth talking about.So in this episode, we're looking back at nearly 70 years of Muppet history and one Slate article that made us ponder, “What kind of muppet am I?” And break down all of the wild and wondrous things muppets can teach us about B2B marketing with the help of CircleCI's Director of Content Marketing, Gillian Jakob Kieser. Together, we talk about allowing some of that chaos into your campaigns, developing useful and evergreen content, and how to work through the riskiness of creating something original in this episode of Remarkable.About CircleCICircleCI lets teams build fully-automated pipelines, from testing to deployment, allowing them to focus on the real work of innovation. Using CircleCI, engineers can automate their entire testing suite for new commits, reducing the potential for human error, while using orbs to automate deploys.About The Muppets and Muppet Chaos TheoryThe Muppets is an American television show featuring a cast of puppets performing various skits. The beloved characters include Kermit, Miss Piggy, Rowlf, Fozzie Bear, Gonzo, Beaker, Animal, The Swedish Chef, and more. It was created by Jim Henson in 1955, and has been around for nearly 7 decades. It was originally a short-form tv show called Sam and Friends, and it's now grown into a media franchise with lots of spin offs including movies, music, and tv appearances. The franchise was owned by The Jim Henson Company until 2004 when Disney bought it. Jim Henson once suggested that the term “muppet” comes from combining the words “puppet” and “marionette.”Muppet Theory is a theory posed by Slate writer Dahlia Lithwick that everyone in the world is either a chaos muppet or an order muppet. Chaos muppets are crazy, volatile, unpredictable. Like Animal, Cookie Monster, or The Swedish Chef. Order muppets are anxious, neurotic and don't like surprises. Like Kermit the Frog, Scooter, or Sam the Eagle. Order muppets often choose Chaos muppets as lifelong partners, like Bert the order muppet and Ernie the chaos muppet or Kermit as the order muppet and Miss Piggy as the chaos one.About our guest, Gillian Jakob KieserGillian Jakob Kieser is Director of Content Marketing at CircleCI. She has been with CircleCI for over six years, having started in June 2017 as Content Marketing Manager, and their first content hire as a growing startup. She has also served in marketing roles at companies like Prismatic and MAKE Magazine.What B2B Companies Can Learn From The Muppets and Muppet Theory: Incorporate both chaos and order into your marketing. Team up with your chaos or order counterpart to make new content. Or create some content that's very structured and some that's very unstructured. Gillian says that it's these different energies that make successful collaborations in marketing. “They really need to have both the order aspect and the chaos aspect to make something feel alive and authentic. If you over plan it, it's dead in the water. It's dry and predictable. And if it's too much chaos, you never can get it out the door because no one knows what time anything is happening. So you always need to have both order and chaos on a team or in a program.”Mix the real and the fantastical. This creates playful and captivating visuals, and engages the viewers' willing suspension of disbelief. Gillian says, “There's this aspect of these fantastical creatures in a real world scenario that appeals to adults as well as children. Because children really have a sense for the authentic, and they know that there's something about this world that is real and that they can learn from, that it's not just watered down and catered to them. There's something about that that I think has set them apart and has always been really appealing.”Trust the intelligence of your audience. The Muppet Show is not just for children. There were signs in the cigarette-smoking, Studebaker-driving scenes that Jim Henson was appealing to more mature viewers as well. Like Jim Henson, give your audience all the information you have for them, and don't oversimplify it. Gillian says, “Jim Henson and his crew never played down to their audience. There was so much intelligence and so many references, and it was very high reaching for something that could have conceivably been, ‘Oh, this is just for kids.' It feels like Jim Henson was the first one in exploring that space, of elevating this art form to something that had a lot of depth that you wouldn't expect to see coming from puppets.”Quotes*“[The Muppets is] a testament to taking risks, just going for it and not knowing. It might not have worked out, but it did in the long run. Some of our efforts at creative projects, branding or anything else like that are sometimes a little bit of a shot in the dark.” - Gillian Jakob Kieser*”I was thinking, ‘Okay, where is there order and chaos in our current content strategy?' The blog is very orderly. We've learned a lot about SEO and how to answer people's questions with technical tutorials. And then we've got a podcast with our CTO interviewing folks. That's much more of a chaos aspect because you never know where the conversation's gonna go, but he's standing in and asking the questions that the audience wants to ask. And it's very funny and we're not selling in that show at all. We're creating affinity, trust, informing, educating and being able to share our perspective on how our industry works with others.” - Gillian Jakob Kieser*”The ad copy is another place where we test wildly. There's been times when we throw in something that's ungrammatical because you know it's gonna catch someone's eye. Or put a question mark at the end of something to get their attention. And then you can make the connection. But that order and chaos marriage shows up everywhere.” - Gillian Jakob Kieser*”There's a time and a place for things. There's concentric circles of stuff that needs to be really on brand that the legal team needs to look at and everyone has to check off on it. And then stuff that as you get further out has more of a buffer of forgiveness for being off-brand at times.” - Gillian Jakob Kieser*”If you want to feel like your entire brand is super buttoned up always, and it's only on official channels, you have to know that your marketing is gonna be boring. Because there's no humanity in it. People buy people. If you're trying to get people to commit to you with emotion and you're using the opposite of that, how effective is it really gonna be?” - Ian FaisonTime Stamps[0:54] Introducing CircleCI Director of Content Marketing, Gillian Jakob Kieser[1:39] Why are we talking about The Muppets?[4:03] Learn more about Gillian's role as Director of Content Marketing at CircleCI[5:33] What are The Muppets?[8:37] How did Jim Henson create evergreen content in The Muppets?[10:54] How do you work through the riskiness of making original content?[15:04] What is Muppet Chaos Theory?[16:59] How does Muppet Chaos Theory apply to collaborative work and marketing?[21:00] How does CircleCI use chaos and order in their marketing strategy?[31:09] How to humanize your content, and the value of human-generated content in the age of AI[34:24] What's Gillian's content strategy at CircleCI?[37:30] The difference in making remarkable evergreen content versus sensational content[39:09] How did Gillian grow her team and advocate for the value of more content creators?[41:57] How do you choose the channels worth posting content to?LinksWatch The Muppet ShowRead the Slate articleConnect with Gillian on LinkedInLearn more about CircleCIAbout Remarkable!Remarkable! is created by the team at Caspian Studios, the premier B2B Podcast-as-a-Service company. Caspian creates both non-fiction and fiction series for B2B companies. If you want a fiction series check out our new offering - The Business Thriller - Hollywood style storytelling for B2B. Learn more at CaspianStudios.com. In today's episode, you heard from Ian Faison (CEO of Caspian Studios) and Meredith Gooderham (Senior Producer). Remarkable was produced this week by Meredith O'Neil, mixed by Scott Goodrich, and our theme song is “Solomon” by FALAK. Create something remarkable. Rise above the noise.
Summary Data engineering is all about building workflows, pipelines, systems, and interfaces to provide stable and reliable data. Your data can be stable and wrong, but then it isn't reliable. Confidence in your data is achieved through constant validation and testing. Datafold has invested a lot of time into integrating with the workflow of dbt projects to add early verification that the changes you are making are correct. In this episode Gleb Mezhanskiy shares some valuable advice and insights into how you can build reliable and well-tested data assets with dbt and data-diff. Announcements Hello and welcome to the Data Engineering Podcast, the show about modern data management RudderStack helps you build a customer data platform on your warehouse or data lake. Instead of trapping data in a black box, they enable you to easily collect customer data from the entire stack and build an identity graph on your warehouse, giving you full visibility and control. Their SDKs make event streaming from any app or website easy, and their extensive library of integrations enable you to automatically send data to hundreds of downstream tools. Sign up free at dataengineeringpodcast.com/rudderstack (https://www.dataengineeringpodcast.com/rudderstack) Your host is Tobias Macey and today I'm interviewing Gleb Mezhanskiy about how to test your dbt projects with Datafold Interview Introduction How did you get involved in the area of data management? Can you describe what Datafold is and what's new since we last spoke? (July 2021 and July 2022 about data-diff) What are the roadblocks to data testing/validation that you see teams run into most often? How does the tooling used contribute to/help address those roadblocks? What are some of the error conditions/failure modes that data-diff can help identify in a dbt project? What are some examples of tests that need to be implemented by the engineer? In your experience working with data teams, what typically constitutes the "staging area" for a dbt project? (e.g. separate warehouse, namespaced tables, snowflake data copies, lakefs, etc.) Given a dbt project that is well tested and has data-diff as part of the validation suite, what are the challenges that teams face in managing the feedback cycle of running those tests? In application development there is the idea of the "testing pyramid", consisting of unit tests, integration tests, system tests, etc. What are the parallels to that in data projects? What are the limitations of the data ecosystem that make testing a bigger challenge than it might otherwise be? Beyond test execution, what are the other aspects of data health that need to be included in the development and deployment workflow of dbt projects? (e.g. freshness, time to delivery, etc.) What are the most interesting, innovative, or unexpected ways that you have seen Datafold and/or data-diff used for testing dbt projects? What are the most interesting, unexpected, or challenging lessons that you have learned while working on dbt testing internally or with your customers? When is Datafold/data-diff the wrong choice for dbt projects? What do you have planned for the future of Datafold? Contact Info LinkedIn (https://www.linkedin.com/in/glebmezh/) Closing Announcements Thank you for listening! Don't forget to check out our other shows. Podcast.__init__ (https://www.pythonpodcast.com) covers the Python language, its community, and the innovative ways it is being used. The Machine Learning Podcast (https://www.themachinelearningpodcast.com) helps you go from idea to production with machine learning. Visit the site (https://www.dataengineeringpodcast.com) to subscribe to the show, sign up for the mailing list, and read the show notes. If you've learned something or tried out a project from the show then tell us about it! Email hosts@dataengineeringpodcast.com (mailto:hosts@dataengineeringpodcast.com)) with your story. To help other people find the show please leave a review on Apple Podcasts (https://podcasts.apple.com/us/podcast/data-engineering-podcast/id1193040557) and tell your friends and co-workers Parting Question From your perspective, what is the biggest gap in the tooling or technology for data management today? Links Datafold (https://www.datafold.com/) Podcast Episode (https://www.dataengineeringpodcast.com/datafold-proactive-data-quality-episode-205/) data-diff (https://github.com/datafold/data-diff) Podcast Episode (https://www.dataengineeringpodcast.com/data-diff-open-source-data-integration-validation-episode-303/) dbt (https://www.getdbt.com/) Dagster (https://dagster.io/) dbt-cloud slim CI (https://docs.getdbt.com/blog/intelligent-slim-ci) GitHub Actions (https://github.com/features/actions) Jenkins (https://www.jenkins.io/) Circle CI (https://circleci.com/) Dolt (https://github.com/dolthub/dolt) Malloy (https://github.com/malloydata/malloy) LakeFS (https://lakefs.io/) Planetscale (https://planetscale.com/) Snowflake Zero Copy Cloning (https://www.youtube.com/watch?v=uGCpwoQOQzQ) The intro and outro music is from The Hug (http://freemusicarchive.org/music/The_Freak_Fandango_Orchestra/Love_death_and_a_drunken_monkey/04_-_The_Hug) by The Freak Fandango Orchestra (http://freemusicarchive.org/music/The_Freak_Fandango_Orchestra/) / CC BY-SA (http://creativecommons.org/licenses/by-sa/3.0/) Special Guest: Gleb Mezhanskiy.
Software Engineering Radio - The Podcast for Professional Software Developers
Dave Cross, owner of Magnum Solutions and author of GitHub Actions Essentials (Clapham Technical Press), speaks with SE Radio host Gavin Henry about GitHub actions, the value they provide, and the best practices for using them in your projects. Cross describes the vast range of things that developers can do with GitHub Actions, including some use cases you might never have thought about. They start with some general discussion of CI/CD and then consider the three main types of events that drive GitHub actions before digging in to details about fine-grained action events, Action Marketplace, contexts, yaml, docker base images, self-hosted runners, and more. They further explore identity management, permissions, dependency management, saving money, and how to keep your secrets secret.
Today we have an episode of our newest podcast, Tech Titans. It features summary episodes of our best leadership advice from Modern CTO. Robert Zuber, CTO at CircleCI, joins us in this episode to share his greatest leadership advice on how to lead a team to connect value to the customer, and his own journey to the position of leadership he's in now. All of this right here, right now, on the Modern CTO Podcast! Check out more of Rob and CircleCI at https://circleci.com/ Check out more about Tech Titans on Spotify, Apple, and iHeart! Produced by ProSeries Media.
No one wants to fall prey to a security breach, but in the event that it does occur, it's important to have systems in place to manage it. In episode 132 of The Secure Developer, we are joined by the CTO of CircleCI, Rob Zuber to discuss the security incident CircleCI announced on January 4th. Rob shares insight into what CircleCI does, how the incident affected customers, and how they communicated it to the public. We find out how the industry responded and adapted to the incident, as well as how it was dealt with internally at CircleCI. Rob opens up about what he learned in the process and shares advice for others facing a security breach. Tune in to find out how best to prevent and manage a security incident, should this happen to you.
Robby has a chat with Executive and Leadership Coach, Lena Reinhard (she/her/hers). Lena is a speaker, writer, and Founder of Lena Reinhard Leadership Coaching and Consulting. Previously, Lena served as the VP of Engineering with CircleCI and TravisCI, as well as the startup Founder and CEO of The Neighbourhoodie Software GmbH.From Lena's perspective, well-maintained software is supposed to serve a business's goals and continuously improve not just reactively. She highlights the importance of organizations investing in their engineering team's skills. Lena will also talk about software as a team sport, strategies for managing technical debt, how technical debt is a loaded term, challenges teams have faced with micro-services, and what engineers might be encountering after teammates have been laid off. Tune in for that and so much more.Book Recommendations:Into The Planet by Jill HeinerthHelpful Links:The lettuce pact
Episode SummaryChris Farris, Cloud Security Nerd at Turbot, joins Corey on Screaming in the Cloud to discuss the latest events in cloud security, which leads to an interesting analysis from Chris on how legal departments obscure valuable information that could lead to fewer security failures in the name of protecting company liability, and what the future of accountability for security failures looks like. Chris and Corey also discuss the newest dangers in cloud security and billing practices, and Chris describes his upcoming cloud security conference, fwd:cloudsec. About ChrisChris Farris has been in the IT field since 1994 primarily focused on Linux, networking, and security. For the last 8 years, he has focused on public-cloud and public-cloud security. He has built and evolved multiple cloud security programs for major media companies, focusing on enabling the broader security team's objectives of secure design, incident response and vulnerability management. He has developed cloud security standards and baselines to provide risk-based guidance to development and operations teams. As a practitioner, he's architected and implemented multiple serverless and traditional cloud applications focused on deployment, security, operations, and financial modeling.Chris now does cloud security research for Turbot and evangelizes for the open source tool Steampipe. He is one of the organizers of the fwd:cloudsec conference (https://fwdcloudsec.org) and has given multiple presentations at AWS conferences and BSides events.When not building things with AWS's building blocks, he enjoys building Legos with his kid and figuring out what interesting part of the globe to travel to next. He opines on security and technology on Mastodon, Twitter and his website https://www.chrisfarris.comLinks Referenced: Turbot: https://turbot.com/ fwd:cloudsec: https://fwdcloudsec.org/ Mastodon: https://infosec.exchange/@jcfarris Personal website: https://chrisfarris.com TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn and we are here today to learn exciting things, steal exciting secrets, and make big trouble for Moose and Squirrel. Maybe that's the podcast; maybe that's the KGB, we're not entirely sure. But I am joined once again by Chris Farris, cloud security nerd at Turbot, which I will insist on pronouncing as ‘Turbo.' Chris, thanks for coming back.Chris: Thanks for having me.Corey: So, it's been a little while and it's been an uneventful time in cloud security with nothing particularly noteworthy happening, not a whole lot of things to point out, and honestly, we're just sort of scraping the bottom of the barrel for news… is what I wish I could say, but it isn't true. Instead, it's, “Oh, let's see what disastrous tire fire we have encountered this week.” What's top of mind for you as we record this?Chris: I think the most interesting one I thought was, you know, going back and seeing the guilty plea from Nickolas Sharp, who formerly was an employee at Ubiquiti and apparently had, like, complete access to everything there and then ran amok with it.Corey: Mm-hm.Chris: The details that were buried at the time in the indictment, but came out in the press releases were he was leveraging root keys, he was leveraging lifecycle policies to suppress the CloudTrail logs. And then of course, you know, just doing dumb things like exfiltrating all of this data from his home IP address, or exfiltrating it from his home through a VPN, which have accidentally dropped and then exposed his home IP address. Oops.Corey: There's so much to dive into there because I am not in any way shape or form, saying that what he did was good, or I endorse any of those things. And yeah, I think he belongs in prison for what he did; let's be very clear on this. But I personally did not have a business relationship with him. I am, however, Ubiquiti's customer. And after—whether it was an insider threat or whether it was someone external breaching them, Krebs On Security wound up doing a whole write-up on this and was single-sourcing some stuff from the person who it turned out, did this.And they made a lot of hay about this. They sued him at one point via some terrible law firm that's entire brand is suing media companies. And yeah, just wonderful, wonderful optics there and brilliant plan. But I don't care about the sourcing. I don't care about the exact accuracy of the reporting because what I'm seeing here is that what is not disputed is this person, who whether they were an employee or not was beside the point, deleted all of the audit logs and then as a customer of Ubiquiti, I received an email saying, “We have no indication or evidence that any customer data was misappropriated.” Yeah, you just turn off your logs and yeah, you could say that always and forever and save money on logging costs. [unintelligible 00:03:28] best practice just dropped, I guess. Clowns.Chris: So, yeah. And there's definitely, like, compliance and standards and everything else that say you turn on your logs and you protect your logs, and service control policies should have been able to detect that. If they had a security operations center, you know, the fact that somebody was using root keys should have been setting off red flags and causing escalations to occur. And that wasn't happening.Corey: My business partner and I have access to our AWS org, and when I was setting this stuff up for what we do here, at a very small company, neither of us can log in with root credentials without alarms going off that alert the other. Not that I don't trust the man; let's be very clear here. We both own the company.Chris: In business together. Yes.Corey: Ri—exactly. It is, in many ways, like a marriage in that one of us can absolutely ruin the other without a whole lot of effort. But there's still the idea of separation of duties, visibility into what's going on, and we don't use root API keys. Let me further point out that we are not pushing anything that requires you to send data to us. We're not providing a service that is software powered to people, much less one that is built around security. So, how is it that I have a better security posture than Ubiquiti?Chris: You understand AWS and in-depth cloud better. You know, it really comes down to how do you, as an AWS customer, understand all of the moving parts, all of the security tooling, all of the different ways that something can happen. And Amazon will say, “Well, it's in the documentation,” but you know, they have, what, 357 services? Are you reading the security pages of all of those? So, user education, I agree, you should have, and I have on all of my accounts, if anything pops up, if any IAM change happens, I'm getting text messages. Which is great if my account got compromised, but is really annoying when I'm actually making a change and my phone is blowing up.Corey: Yeah. It's worth pointing out as well that yes, Ubiquiti is publicly traded—that is understood and accepted—however, 93% of it is owned by their CEO-founder god-king. So, it is effectively one person's personal fiefdom. And I tend to take a very dim view as a direct result. When you're in cloud and you have suffered a breach, you have severely screwed something up somewhere. These breaches are never, “Someone stole a whole bunch of drives out of an AWS data center.” You have misconfigured something somewhere. And lashing out at people who reported on it is just a bad look.Chris: Definitely. Only error—now, of course, part of the problem here is that our legal system encourages people to not come forward and say, “I screwed up. Here's how I screwed up. Everybody come learn from my mistakes.” The legal professions are also there to manage risk for the company and they're like, “Don't say anything. Don't say anything. Don't even tell the government. Don't say anything.”Whereas we all need to learn from these errors. Which is why I think every time I do see a breach or I do see an indictment, I start diving into it to learn more. I did a blog post on some of the things that happened with Drizly and GitHub, and you know, I think the most interesting thing that came out of Drizly case was the ex-CEO of Drizly, who was CEO at the time of the breach, now has following him, for the rest of his life, an FTC order that says he must implement a security program wherever he goes and works. You know, I don't know what happens when he becomes a Starbucks barista or whatever, but that is on him. That is not on the company; that is on him.And I do think that, you know, we will start seeing more and more chief executive officers, chief security or information security officers becoming accountable to—or for the breaches and being personally accountable or professionally accountable for it. I think we kind of need it, even though, you know, there's only so much a CISO can do.Corey: One of the things that I did when I started consulting independently on AWS bills back in 2016 was, while I was looking at customer environments, I also would do a quick check for a few security baseline things. And I stopped doing it because I kept encountering a bunch of things that needed attention and it completely derailed the entire stated purpose of the engagement. And, frankly, I don't want to be running a security consultancy. There's a reason I focus on AWS bills. And people think I'm kidding, but I swear to you I'm not, when I say that the reason is in part because no one has a middle-of-the-night billing emergency. It is strictly a business-hours problem. Whereas with security, wake up.In fact, the one time I have been woken up in the middle of the night by a customer phone call, they were freaking out because it was a security incident and their bill had just pegged through the stratosphere. It's, “Cool. Fix the security problem first, then we'll worry about the bill during business hours. Bye.” And then I stopped leaving my phone off of Do Not Disturb at night.Chris: Your AWS bill is one of your indicators of compromise. Keep an eye on it.Corey: Oh, absolutely. We've had multiple engagements discover security issues on that. “So, what are these instances in Australia doing?” “We don't have anything there.” “I believe you're being sincere when you say this.”Chris: Yes.Corey: However.Chris: “Last month, you're at $1,000 and this month, you're at $50,000. And oh, by the way, it's the ninth, so you might want to go look at that.”Corey: Here's the problem that you start seeing in large-scale companies though. You or I wind up posting our IAM credentials on GitHub somewhere in public—and I do this from time to time, intentionally with absolutely no permissions attached to a thing—and I started look at the timeline of, “Okay 3, 2, 1, go,” with the push and now I start counting. What happens? At what time does the quarantine policy apply? When do I get an email alert? When do people start trying to exploit it? From where are they trying to exploit it?It's a really interesting thing to look into, just from the position of how this stuff all fits together and works. And that's great, but there's a whole ‘nother piece to it where if you or I were to do such a thing and actually give it admin credentials, okay, my, I don't know, what, $50, $100 a month account that I use for a lot of my test stuff now starts getting charged enormous piles of money that winds up looking like a mortgage in San Francisco, I'm going to notice that. But if you have a company that spending, I don't know, between ten and $20 million a month, do you have any idea how much Bitcoin you've got to be mining in that account to even make a slight dent in the overall trajectory of those accounts?Chris: In the overall bill, a lot. And in a particularly mismanaged account, my experience is you will notice it if you're monitoring billing anomalies on a per-account basis. I think it's important to note, you talked about that quarantine policy. If you look at what actually Amazon drops a deny on, it's effectively start EC2 instances and change IAM policies. It doesn't prevent anybody from listing all your buckets and exfiltrating all your data. It doesn't prevent anybody from firing up Lambdas and other less commonly used resources. Don't assume oh, Amazon dropped the quarantine policy. I'm safe.Corey: I was talking to somebody who spends $4 a month on S3 and they wound up suddenly getting $60 grand a day and Lambda charges, because max out the Lambda concurrency in every region and set it to mine crypto for 15 minutes apiece, yeah, you'll spend $60,000 a day to get, what $500 in crypto. But it's super economical as long as it's in someone else's account. And then Amazon hits them with a straight face on these things, where, “Please pay the bill.” Which is horrifying when there's several orders of magnitude difference between your normal bill and what happens post-breach. But what I did my whole post on “17 Ways to Run Containers on AWS,” followed by “17 More Ways to Run Containers on AWS,” and [unintelligible 00:12:00] about three services away from having a third one ready to go on that, the point is not, “Too many ways to run containers,” because yes, that is true and it's also amusing to me—less so to the containers team at AWS which does not have a sense of humor or sense of self-awareness of which they have been alerted—and fine, but every time you're running a container, it is a way to turn it into a crypto mining operation, in some way shape or form, which means there are almost 40-some-odd services now that can reasonably be used to spin up cryptocurrency mining. And that is the best-case breach scenario in a bunch of ways. It costs a bunch of money and things to clean up, but ‘we lost customer data.' That can destroy companies.Chris: Here's the worst part. Crypto mining is no longer profitable even when I've got stolen API keys because bitcoin's in the toilet. So, now they are going after different things. Actually, the most recent one is they look to see if your account is out of the SCS sandbox and if so, they go back to the tried-and-true way of doing internet scams, which is email spam.Corey: For me, having worked in operations for a very long time, I've been in situations where I worked at Expensify and had access to customer data there. I have worked in other finance companies—I worked at Blackrock. Where I work now, I have access to customer billing data. And let me be serious here for a second, I take all of these things seriously, but I also in all of those roles slept pretty well at night. The one that kept me up was a brief stint I did as the Director of Tech Ops at Grindr over ten years ago because unlike the stuff where I'm spending the rest of my career and my time now, it's not just money anymore.Whereas today, if I get popped, someone can get access to what a bunch of companies are paying AWS. It's scandalous, and I will be sued into oblivion and my company will not exist anymore and I will have a cloud hanging over my head forever. So, I have to be serious about it—Chris: But nobody will die.Corey: Nobody dies. Whereas, “Oh, this person is on Grindr and they're not out publicly,” or they live in a jurisdiction where that is punishable by imprisonment or death, you have blood on your hands, on some level, and I have never wanted that kind of responsibility.Chris: Yeah. It's reasonably scary. I've always been happy to say that, you know, the worst thing that I had to do was keep the Russians off CNN and my friends from downloading Rick and Morty.Corey: Exactly. It's, “Oh, heavens, you're winding up costing some giant conglomerate somewhere theoretical money on streaming subscriptions.” It's not material to the state of the world. And part of it, too, is—what's always informed my approach to things is, I'm not a data hoarder in the way that it seems our entire industry is. For the Last Week in AWS newsletter, the data that I collect and track is pretty freaking small.It's, “You want to sign up for the lastweekinaws.com newsletter. Great, I need your email address.” I don't need your name, I don't need the company you work at. You want to give me a tagged email address? Fine. You want to give me some special address that goes through some anonymizing thing? Terrific. I need to know where I'm sending the newsletter. And then I run a query on that for metrics sometimes, which is this really sophisticated database query called a count. How many subscribers do I have at any given point because that matters to our sponsors. But can we get—you give us any demographic? No, I cannot. I can't. I have people who [unintelligible 00:15:43] follow up surveys sometimes and that's it.Chris: And you're able to make money doing that. You don't have to collect, okay, you know, Chris's zip code is this and Bob's zip code is that and Frank's zip code is the other thing.Corey: Exactly.Chris: Or job titles, or you know, our mother's maiden name or anything else like that.Corey: I talk about what's going on in the world of AWS, so it sort of seems to me that if you're reading this stuff every week, either because of the humor or in spite of the humor, you probably are in a position where services and goods tied to that ecosystem would be well-received by you or one of the other 32,000 people who happen to be reading the newsletter or listening to the podcast or et cetera, et cetera, et cetera. It's an old-timey business model. It's okay, I want to wind up selling, I don't know, expensive wristwatches. Well, maybe I'll advertise in a magazine that caters to people who have an interest in wristwatches, or caters to a demographic that traditionally buys those wristwatches. And okay, we'll run an ad campaign and see if it works.Chris: It's been traditional advertising, not the micro-targeting stuff. And you know, television was the same way back in the broadcast era, you know? You watched a particular show, people of that demographic who watched that particular show had certain advertisers they wanted.Corey: That part of the challenge I've seen too, from sponsors of this show, for example, is they know it works, but they're trying to figure out how to do any form of attribution on this. And my answer—which sounds self-serving, but it's true—is, there's no effective way to do it because every time you try, like, “Enter this coupon code,” yeah, I assure you, some of these things wind up costing millions of dollars to deploy at large companies at scale and they provide value for doing it. No one's going to punch in a coupon code to get 10% off or something like that. Procurement is going to negotiate custom contracts and it's going to be brought up maybe by someone who heard the podcast ad. Maybe it just sits in the back of their mind until they hear something and it just winds of contributing to a growing awareness of these things.You're never going to do attribution that works on things like that. People try sometimes to, “Oh, you'll get $25 in credit,” or, “We'll give you a free t-shirt if you fill out the form.” Yeah, but now you're biasing for people who find that a material motivator. When I'm debating what security suite I'm going to roll out at my enterprise I don't want a free t-shirt for that. In fact, if I get a free t-shirt and I wear that shirt from the vendor around the office while I'm trying to champion bringing that thing in, I look a little compromised.Chris: Yeah. Yeah, I am—[laugh] I got no response to that [laugh].Corey: No, no. I hear you. One thing I do want to talk about is the last time we spoke, you mentioned you were involved in getting fwd:cloudsec—a conference—off the ground. Like all good cloud security conferences, it's named after an email subject line.It is co-located with re:Inforce this year in Anaheim, California. Somewhat ominously enough, I used to live a block-and-a-half away from the venue. But I don't anymore and in fact, because nobody checks the global event list when they schedule these things, I will be on the other side of the world officiating a wedding the same day. So, yet again, I will not be at re:Inforce.Chris: That is a shame because I think you would have made an excellent person to contribute to our call for papers and attend. So yes, fwd:cloudsec is deliberately actually named after a subject line because all of the other Amazon conferences seem to be that way. And we didn't want to be going backwards and thinking, you know, past tense. We were looking forward to our conference. Yeah, so we're effectively a vendor-neutral cloud security conference. We liked the idea of being able to take the talks that Amazon PR would never allow on stage at re:Inforce and run with it.Corey: I would question that. I do want to call that out because I gave a talk at re:Invent one year about a vulnerability I found and reported, with the help of two other people, Scott Piper and Brandon Sherman, to the AWS security team. And we were able to talk about that on stage with Zack Glick, who at the time, was one of basically God's own prototypes, working over in the AWS environment next to Dan [Erson 00:19:56]. Now, Dan remains the salt of the earth, and if he ever leaves basically just short the entire US economy. It's easier. He is amazing. I digress. The point being is that they were very open about talking about an awful lot of stuff that I would never have expected that they would be okay with.Chris: And last year at re:Inforce, they had an excellent, excellent chalk talk—but it was a chalk talk, not recorded—on how ransomware attacks operate. And they actually, like, revealed some internal, very anonymized patterns of how attacks are working. So, they're starting to realize what we've been saying in the cloud security community for a while, which is, we need more legitimate threat intelligence. On the other hand, they don't want to call it threat intelligence because the word threat is threatening, and therefore, you know, we're going to just call it, you know, patterns or whatever. And our conference is, again, also multi-cloud, a concept that until recently, AWS, you know, didn't really want to acknowledge that there were other clouds and that people would use both of them [crosstalk 00:21:01]—Corey: Multi-cloud security is a nightmare. It's just awful.Chris: Yeah, I don't like multi-cloud, but I've come to realize that it is a thing. That you will either start at a company that says, “We're AWS and we're uni-cloud,” and then next thing, you know, either some rogue developer out there has gone and spun up an Azure subscription or your acquire somebody who's in GCP, or heaven forbid, you have to go into some, you know, tinhorn dictator's jurisdiction and they require you to be on-prem or leverage Oracle Cloud or something. And suddenly, congratulations, you're now multi-cloud. So yes, our goal is really to be the things that aren't necessarily onstage or aren't all just, “It's great.” Even your talk was how great the incident response and vulnerability remediation process was.Corey: How great my experience with it was at the time, to be clear. Because I also have gotten to a point where I am very aware that, in many cases when dealing with AWS, my reputation precedes me. So, when I wind up tweeting about a problem or opening a support case, I do not accept as a given that my experience is what everyone is going to experience. But a lot of the things they did made a lot of sense and I was frankly, impressed that they were willing to just talk about anything that they did internally. Because previously that had not been a thing that they did in open forums like that.Chris: But you go back to the Glue incident where somebody found a bug and they literally went and went to every single CloudTrail event going back to the dawn of the service to validate that, okay, the, only two times we ever saw this happen were between the two researcher's accounts who disclosed it. And so, kudos to them for that level of forward communication to their customers because yeah, I think we still haven't heard anything out of Azure for last year's—or a year-and-a-half ago's Wiz findings.Corey: Well, they did do a broad blog post about this that they put out, which I thought, “Okay, that was great. More of this please.” Because until they start talking about security issues and culture and the remediation thereof, I don't give a shit what they have to say about almost anything else because it all comes back to security. The only things I use Azure for, which admittedly has some great stuff; their computer vision API? Brilliant—but the things I use them for are things that I start from a premise of security is not important to that service.The thing I use it for on the soon-to-be-pivoted to Mastodon Twitter thread client that I built, it writes alt-text for images that are about to be put out publicly. Yeah, there's no security issue from that perspective. I am very hard-pressed to imagine a scenario in which that were not true.Chris: I can come up with a couple, but you know—Corey: It feels really contrived. And honestly, that's the thing that concerns me, too: the fact that I finally read, somewhat recently, an AWS white paper talking about—was it a white paper or was it blog post? I forget the exact media that it took. But it was about how they are seeing ransomware attacks on S3, which was huge because before that, I assumed it was something that was being made up by vendors to sell me something.Chris: So, that was the chalk talk.Corey: Yes.Chris: They finally got the chalk talk from re:Inforce, they gave it again at re:Invent because it was so well received and now they have it as a blog post out there, so that, you know, it's not just for people who show up in the room, they can hear it; it's actually now documented out there. And so, kudos to the Amazon security team for really getting that sort of threat intelligence out there to the community.Corey: Now, it's in writing, and that's something that I can cite as opposed to, “Well, I was at re:Invent and I heard—” Yeah, we saw the drink tab. We know what you might have thought you heard or saw at re:Invent. Give us something we can take to the board.Chris: There were a lot of us on that bar tab, so it's not all you.Corey: Exactly. And it was my pleasure to do it, to be clear. But getting back to fwd:cloudsec, I'm going to do you a favor. Whether it's an actual favor or the word favor belongs in quotes, the way that I submit CFPs, or conference talks, is optimized because I don't want to build a talk that is never going to get picked up. Why bother to go through all the work until I have to give it somewhere?So, I start with a catchy title and then three to five sentences. And if people accept it, great, then I get to build the talk. This is a forcing function in some ways because if you get a little delayed, they will not move the conference for you. I've checked. But the title of a talk that I think someone should submit for fwd:cloudsec is, “I Am Smarter Than You, so Cloud Security is Easy.”And the format and the conceit of the talk is present it with sort of a stand-it-up-to-take-it-down level of approach where you are over-confident in the fact that you are smarter than everyone else and best practices don't apply to you and so much of this stuff is just security theater designed as a revenue extraction mechanism as opposed to something you should actually be doing. And talk about why none of these things matter because you use good security and you know, it's good because you came up with it and there's no way that you could come up with something that you couldn't break because you're smart. It says so right in the title and you're on stage and you have a microphone. They don't. Turn that into something. I feel like there's a great way to turn that in a bunch of different directions. I'd love to see someone give that talk.Chris: I think Nickolas Sharp thought that too.Corey: [laugh]. Exactly. In fact, that will be a great way to bring it back around at the end. And it's like, “And that's why I'm better at security than you are. If you have any questions beyond this, you can reach me at whatever correctional institute I go in on Thursday.” Exactly. There's ways to make it fun and engaging. Because from my perspective, talks have to be entertaining or people don't pay attention.Chris: They're either entertaining, or they're so new and advanced. We're definitely an advanced cloud security practice thing. They were 500 levels. Not to brag or anything, but you know, you want the two to 300-level stuff, you can go CCJ up the street. We're hitting and going above and beyond what a lot of the [unintelligible 00:27:18]—Corey: I am not as advanced on that path as you are; I want to be very clear on this. You speak, I listen. You're one of those people when it comes to security. Because again, no one's life is hanging in the balance with respect to what I do. I am confident in our security posture here, but nothing's perfect. Everything is exploitable, on some level.It's also not my core area of focus. It is yours. And if you are not better than I am at this, then I have done something sort of strange, or so of you, in the same way that it is a near certainty—but not absolute—that I am better at optimizing AWS bills than you are. Specialists exist for a reason and to discount that expertise is the peak of hubris. Put that in your talk.Chris: Yeah. So, one talk I really want to see, and I've been threatening to give it for a while, is okay, if there's seventeen ways—or sorry, seventeen times two, soon to be seventeen times three ways to run containers in AWS, there's that many ways to exfiltrate credentials from those containers. What are all of those things? Do we have a holistic way of understanding, this is how credentials can be exfiltrated so that we then as defenders can go figure out, okay, how do we build detections and mitigations for this?Corey: Yeah. I'm a huge fan of Canarytokens myself, for that exact purpose. There are many devices I have where the only credentials in plain text on disk are things that as soon as they get used, I wind up with a bunch of things screaming at me that there's been a problem and telling me where it is. I'm not saying that my posture is impenetrable. Far from it. But you're going to have to work for it a little bit harder than running some random off-the-shelf security scanner against my AWS account and finding, oops, I forgot to turn on a bucket protection.Chris: And the other area that I think is getting really interesting is, all of the things that have credentials into your Cloud account, whether it's something like CircleCI or GitHub. I was having a conversation with somebody just this morning and we were talking about Roles Anywhere, and I was like, “Roles Anywhere is great if you've got a good strong PKI solution and can keep that private certificate or that certificate you need safe.” If you just put it on a disk, like, you would have put your AKIA and secret on a desk, congratulations, you haven't really improved security. You've just gotten rid of the IAM users that are being flagged in your CSPM tool, and congratulations, you have, in fact, achieved security theater.Corey: It's obnoxious, on some level. And part of the problem is cost and security are aligned and that people care about them right after they really should have cared about them. The difference is you can beg, cry, whine, et cetera to AWS for concessions, you can raise another round of funding; there have solutions with money. But security? That ship has already sailed.Chris: Yeah. Once the data is out, the data is out. Now, I will say on the bill, you get reminded of it every month, about three or four days after. It's like, “Oh. Crap, yeah, I should have turned off that EC2 instance. I just burned $100.” Or, “Oh hey, we didn't turn off that application. I just burned $100,000.” That doesn't happen on security. Security events tend to be few and far between; they're just much bigger when they happen.Corey: I really want to thank you for taking the time to chat with me. I'm sure I'll have you back on between now and re:Inforce slash fwd:cloudsec or anything else we come up with that resembles an email subject line. If people want to learn more and follow along with your adventures—as they should—where's the best place for him to find you these days?Chris: So, I am now pretty much living on Mastodon on the InfoSec Exchange. And my website, chrisfarris.com is where you can find the link to that because it's not just at, you know, whatever. You have to give the whole big long URL in Mastodon. It's no longer—Corey: Yeah. It's like a full-on email address with weird domains.Chris: Exactly, yeah. So, find me at http colon slash slash infosec dot exchange slash at jcfarris. Or just hit Chris Farris and follow the links. For fwd:cloudsec, we are conveniently located at fwdcloudsec.org, which is F-W-D cloud sec dot org. No colons because I don't think those are valid in whois.Corey: Excellent choice. And of course, links to that go in the [show notes 00:31:32], so click the button. It's easier. Thanks again for your time. I really appreciate it.Chris: Thank you.Corey: Chris Farris, Cloud Security Nerd at Turbot slash Turbo. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment that resembles a lawsuit being filed, and then have it processed-served to me because presumably, you work at Ubiquiti.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: Royal Mail attack was LockBit and GCHQ will probably “bust some heads” CircleCI's incident report and the problem with malwared endpoints in the Zero Trust age Cloudflare backs Mastodon Paul Nakasone: NSA did some great stuff! It was really good! Cisco won't patch SMB routers sold in 2020 Much, much more This week's show is brought to you by Material Security. Material co-founder Ryan Noon and Snowflake's head of cybersecurity strategy Omer Singer are this week's sponsor guests. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing. Show notes Royal Mail cyberattack linked to LockBit ransomware operation Ransomware Diaries: Volume 1 | Analyst1 Congressman calls on CISA to investigate air travel vulnerabilities after outage - The Record from Recorded Future News Ransomware attack on maritime software impacts 1,000 ships - The Record from Recorded Future News CircleCI incident report for January 4, 2023 security incident Researchers: Large language models will revolutionize digital propaganda campaigns Nick Cave - The Red Hand Files - Issue #218 GitHub - cloudflare/wildebeest: Wildebeest is an ActivityPub and Mastodon-compatible server Meta sues Voyager Labs over scraping user data Twitter says leaked data on 200 million users was likely publicly available info - The Record from Recorded Future News A Police App Exposed Secret Details About Raids and Suspects | WIRED ODIN Intelligence website is defaced as hackers claim breach | TechCrunch Nakasone: Foreign surveillance program helped fend off cyberattacks - The Record from Recorded Future News The Guardian confirms criminals accessed staff data in ransomware attack - The Record from Recorded Future News Millions of Aflac, Zurich insurance customers in Japan have data leaked after breach - The Record from Recorded Future News Dark Pink, a newly discovered hacking campaign, threatens Southeast Asian military, government organizations The FBI Won't Say Whether It Hacked Dark Web ISIS Site Norton LifeLock says 925,000 accounts targeted by credential-stuffing attacks - The Record from Recorded Future News Cisco warns of two vulnerabilities affecting end-of-life routers - The Record from Recorded Future News Fortinet says hackers exploited critical vulnerability to infect VPN customers | Ars Technica Vulnerability with 9.8 severity in Control Web Panel is under active exploit | Ars Technica CISA adds recently-announced Microsoft zero-day to exploited vulnerability catalog - The Record from Recorded Future News Hundreds of SugarCRM servers infected with critical in-the-wild exploit | Ars Technica
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: Royal Mail attack was LockBit and GCHQ will probably “bust some heads” CircleCI's incident report and the problem with malwared endpoints in the Zero Trust age Cloudflare backs Mastodon Paul Nakasone: NSA did some great stuff! It was really good! Cisco won't patch SMB routers sold in 2020 Much, much more This week's show is brought to you by Material Security. Material co-founder Ryan Noon and Snowflake's head of cybersecurity strategy Omer Singer are this week's sponsor guests. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing. Show notes Royal Mail cyberattack linked to LockBit ransomware operation Ransomware Diaries: Volume 1 | Analyst1 Congressman calls on CISA to investigate air travel vulnerabilities after outage - The Record from Recorded Future News Ransomware attack on maritime software impacts 1,000 ships - The Record from Recorded Future News CircleCI incident report for January 4, 2023 security incident Researchers: Large language models will revolutionize digital propaganda campaigns Nick Cave - The Red Hand Files - Issue #218 GitHub - cloudflare/wildebeest: Wildebeest is an ActivityPub and Mastodon-compatible server Meta sues Voyager Labs over scraping user data Twitter says leaked data on 200 million users was likely publicly available info - The Record from Recorded Future News A Police App Exposed Secret Details About Raids and Suspects | WIRED ODIN Intelligence website is defaced as hackers claim breach | TechCrunch Nakasone: Foreign surveillance program helped fend off cyberattacks - The Record from Recorded Future News The Guardian confirms criminals accessed staff data in ransomware attack - The Record from Recorded Future News Millions of Aflac, Zurich insurance customers in Japan have data leaked after breach - The Record from Recorded Future News Dark Pink, a newly discovered hacking campaign, threatens Southeast Asian military, government organizations The FBI Won't Say Whether It Hacked Dark Web ISIS Site Norton LifeLock says 925,000 accounts targeted by credential-stuffing attacks - The Record from Recorded Future News Cisco warns of two vulnerabilities affecting end-of-life routers - The Record from Recorded Future News Fortinet says hackers exploited critical vulnerability to infect VPN customers | Ars Technica Vulnerability with 9.8 severity in Control Web Panel is under active exploit | Ars Technica CISA adds recently-announced Microsoft zero-day to exploited vulnerability catalog - The Record from Recorded Future News Hundreds of SugarCRM servers infected with critical in-the-wild exploit | Ars Technica
Founder sued by JP Morgan for faking customers Cyberattackers targeting enterprise tools CircleCI, Lastpass, Okta, and Slack FAA giving airlines another year to fix altimeters incompatible with 5G signals Critical flight safety system grounds airlines ChatGPT - disrupter or parlor trick? Becky Trevino, Executive Vice President of product for Snow Software talks about enabling CIOs and IT staff with complete visibility into your full technology stack from software and hardware to infrastructure and applications. Hosts: Louis Maresca, Brian Chee, and Curtis Franklin Guest: Becky Trevino Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: acilearning.com ZipRecruiter.com/twiet
On this week's show Patrick Gray and Adam Boileau discuss the news we missed while on break. Because it's the first show of the year, we split the discussion into themes: Attacks against critical online services like Okta, CircleCI, Slack and Lastpass will increase in volume All the latest global intrigue, from NSO being noped by the US Supreme Court to DDoS attacks in Serbia, Turla's latest campaign, supply chain attacks against Ukraine, why Russia has been more active than we realised and much more A ransomware wrap, a discussion about the rise of data extortion and why it's unlikely to remain a huge problem Why automotive security research will actually be interesting this year PLUS: A bunch of random news! This week's show is brought to you by Trail of Bits. Dan Guido is this week's sponsor guest and he joins us to talk about something they've developed – a zero knowledge proof of exploit technique. Very interesting stuff! Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing. Show notes First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen) | Ars Technica Devs urged to rotate secrets after CircleCI suffers security breach | The Daily Swig LastPass: Hackers accessed and copied customers' password vaults - The Record from Recorded Future News GitHub incident allowed attacker to copy Okta's source code - The Record from Recorded Future News Supreme Court dismisses spyware company NSO Group's claim of immunity - The Record from Recorded Future News Serbian government reports ‘massive DDoS attack' amid heightened tensions in Balkans - The Record from Recorded Future News Iran's support of Russia draws attention of pro-Ukraine hackers - The Record from Recorded Future News Pro-Ukraine hackers leak Russian data in hopes someone will make sense of it - The Record from Recorded Future News CISA researchers: Russia's Fancy Bear infiltrated US satellite network Exclusive: Russian hackers targeted U.S. nuclear scientists | Reuters NSA cyber director warns of Russian digital assaults on global energy sector - CyberScoop Notorious Russian hacking group appears to resurface with fresh cyberattacks on Ukraine Military operations software in Ukraine was hit by Russian hackers - The Record from Recorded Future News New supply chain attack targeted Ukrainian government networks - The Record from Recorded Future News Moldovaʼs government hit by flood of phishing attacks - The Record from Recorded Future News Kremlin-backed hackers targeted a “large” petroleum refinery in a NATO nation | Ars Technica Cyber Command conducted offensive operations to protect midterm elections - The Record from Recorded Future News Guardian newspaper hit by suspected ransomware attack, staff told not to come to office - The Record from Recorded Future News British company that helps make semiconductors hit by cyber incident - The Record from Recorded Future News Port of Lisbon website still down as LockBit gang claims cyberattack - The Record from Recorded Future News SickKids: 80% of hospital priority systems back online after LockBit ransomware attack - The Record from Recorded Future News Canada's largest children's hospital struggles to recover from pre-Christmas ransomware attack - The Record from Recorded Future News Canadian copper mine suffers ransomware attack, shuts down mills - The Record from Recorded Future News Los Angeles housing authority says cyberattack disrupting systems - The Record from Recorded Future News The Guardian contacts data protection regulator after suspected ransomware incident - The Record from Recorded Future News Australian fire service operating 85 stations shuts down network after cyberattack - The Record from Recorded Future News San Francisco BART investigating ransomware attack - The Record from Recorded Future News Hackers leak sensitive files following attack on San Francisco transit police New U.S. cyber strategy will require critical infrastructure companies to protect against hacks - The Washington Post Car hackers discover vulnerabilities that could let them hijack millions of vehicles Compromised dispatch system helped move taxis to front of the line | Ars Technica Researcher Deepfakes His Voice, Uses AI to Demand Refund From Wells Fargo Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots Cybercriminals' latest grift: powdered milk and sugar by the truckload - The Record from Recorded Future News This app will self-destruct: How Belarusian hackers created an alternative Telegram for activists - The Record from Recorded Future News Chinese researchers claim to have broken RSA with a quantum computer. Experts aren't so sure. - The Record from Recorded Future News Key bitcoin developer calls on FBI to recover $3.6M in digital coin | Ars Technica Chick-fil-A acknowledges customer account abuse but denies compromise of internal systems - The Record from Recorded Future News Microsoft ends Windows 7 security updates | TechCrunch
On this week's show Patrick Gray and Adam Boileau discuss the news we missed while on break. Because it's the first show of the year, we split the discussion into themes: Attacks against critical online services like Okta, CircleCI, Slack and Lastpass will increase in volume All the latest global intrigue, from NSO being noped by the US Supreme Court to DDoS attacks in Serbia, Turla's latest campaign, supply chain attacks against Ukraine, why Russia has been more active than we realised and much more A ransomware wrap, a discussion about the rise of data extortion and why it's unlikely to remain a huge problem Why automotive security research will actually be interesting this year PLUS: A bunch of random news! This week's show is brought to you by Trail of Bits. Dan Guido is this week's sponsor guest and he joins us to talk about something they've developed – a zero knowledge proof of exploit technique. Very interesting stuff! Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing. Show notes First LastPass, now Slack and CircleCI. The hacks go on (and will likely worsen) | Ars Technica Devs urged to rotate secrets after CircleCI suffers security breach | The Daily Swig LastPass: Hackers accessed and copied customers' password vaults - The Record from Recorded Future News GitHub incident allowed attacker to copy Okta's source code - The Record from Recorded Future News Supreme Court dismisses spyware company NSO Group's claim of immunity - The Record from Recorded Future News Serbian government reports ‘massive DDoS attack' amid heightened tensions in Balkans - The Record from Recorded Future News Iran's support of Russia draws attention of pro-Ukraine hackers - The Record from Recorded Future News Pro-Ukraine hackers leak Russian data in hopes someone will make sense of it - The Record from Recorded Future News CISA researchers: Russia's Fancy Bear infiltrated US satellite network Exclusive: Russian hackers targeted U.S. nuclear scientists | Reuters NSA cyber director warns of Russian digital assaults on global energy sector - CyberScoop Notorious Russian hacking group appears to resurface with fresh cyberattacks on Ukraine Military operations software in Ukraine was hit by Russian hackers - The Record from Recorded Future News New supply chain attack targeted Ukrainian government networks - The Record from Recorded Future News Moldovaʼs government hit by flood of phishing attacks - The Record from Recorded Future News Kremlin-backed hackers targeted a “large” petroleum refinery in a NATO nation | Ars Technica Cyber Command conducted offensive operations to protect midterm elections - The Record from Recorded Future News Guardian newspaper hit by suspected ransomware attack, staff told not to come to office - The Record from Recorded Future News British company that helps make semiconductors hit by cyber incident - The Record from Recorded Future News Port of Lisbon website still down as LockBit gang claims cyberattack - The Record from Recorded Future News SickKids: 80% of hospital priority systems back online after LockBit ransomware attack - The Record from Recorded Future News Canada's largest children's hospital struggles to recover from pre-Christmas ransomware attack - The Record from Recorded Future News Canadian copper mine suffers ransomware attack, shuts down mills - The Record from Recorded Future News Los Angeles housing authority says cyberattack disrupting systems - The Record from Recorded Future News The Guardian contacts data protection regulator after suspected ransomware incident - The Record from Recorded Future News Australian fire service operating 85 stations shuts down network after cyberattack - The Record from Recorded Future News San Francisco BART investigating ransomware attack - The Record from Recorded Future News Hackers leak sensitive files following attack on San Francisco transit police New U.S. cyber strategy will require critical infrastructure companies to protect against hacks - The Washington Post Car hackers discover vulnerabilities that could let them hijack millions of vehicles Compromised dispatch system helped move taxis to front of the line | Ars Technica Researcher Deepfakes His Voice, Uses AI to Demand Refund From Wells Fargo Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots Cybercriminals' latest grift: powdered milk and sugar by the truckload - The Record from Recorded Future News This app will self-destruct: How Belarusian hackers created an alternative Telegram for activists - The Record from Recorded Future News Chinese researchers claim to have broken RSA with a quantum computer. Experts aren't so sure. - The Record from Recorded Future News Key bitcoin developer calls on FBI to recover $3.6M in digital coin | Ars Technica Chick-fil-A acknowledges customer account abuse but denies compromise of internal systems - The Record from Recorded Future News Microsoft ends Windows 7 security updates | TechCrunch
Security vulnerabilities in automobiles. CircleCI customers should "rotate their secrets." CISA Director Easterly notes Russian failures, but warns that shields should stay up. Attempted cyberespionage against US National Laboratories. Turla effectively recycles some commodity malware infrastructure. Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire Space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space-cyber. And the Guardian continues to recover from last month's ransomware attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/4 Selected reading. Hitachi Energy UNEM (CISA) Hitachi Energy FOXMAN-UN (CISA) Hitachi Energy Lumada Asset Performance Management (CISA) Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry) Toyota, Mercedes, BMW API flaws exposed owners' personal info (BleepingComputer) 16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure (SecurityWeek) Ferrari, BMW, Rolls Royce, Porsche and more fix vulnerabilities giving car takeover capabilities (The Record by Recorded Future) CircleCI security alert: Rotate any secrets stored in CircleCI (CircleCI). CircleCI warns of security breach — rotate your secrets! (BleepingComputer) CircleCI Urges Customers to Rotate Secrets Following Security Incident (The Hacker News) CISA director: US needs to be vigilant, ‘keep our shields up' against Russia (The Hill) Exclusive-Russian Hackers Targeted U.S. Nuclear Scientists (Reuters via US News) Notorious Russian Spies Piggybacked on Other Hackers' USB Infections (WIRED) Turla: A Galaxy of Opportunity | Mandiant (Mandiant) Fallout from Guardian cyber attack to last at least a month (ComputerWeekly) State of Ransomware Preparedness (Axio)