Podcasts about exchange server

In this episode, we're joined by Greg Baribault, who leads the HP business and brings a 26-year legacy from Microsoft, offering unique insights into the evolution and future of collaborative technology.Greg reflects on his transition from Microsoft, where he worked across Exchange Server, Skype for Business, and Microsoft Teams, to leading hardware innovation at HP.He discusses the evolution of Skype Room Systems to Microsoft Teams Rooms and the importance of seamless, instant meeting starts.Greg shares how HP is integrating technologies from Polycom, Plantronics, HP, and now Vyoppta to create a cohesive, user-friendly experience in both physical and virtual meeting spaces.Thanks to Landis, this episode's sponsor, for their continued support and for helping to make content like this possible

Paul Robichaux and Steve Goodman discuss Exchange Server's 2025 H1 update and cut through the hype around AI agents, questioning whether they're living up to the marketing. Then, cybersecurity expert Paula Januszkiewicz shares fascinating red team stories, including modifying a water cooler to gain network access, and offers practical security advice for organizations of all sizes. Paula explains how AI is transforming both sides of the cybersecurity battlefield, warns about "productive script kiddies," and emphasizes why even small businesses need basic security measures like MFA. A must-listen for IT pros concerned about modern security threats.Want to stay up to date on all things Practical 365? Follow us on Twitter, Facebook, and Linkedin to stay up to date on all things Microsoft!

Week D - If a preview update falls in the woods and no one downloads it, did it really happen? Plus, what is going on with AI for free? Isn't this stuff expensive? Windows 23H2/24H2: Taskbar share, Spotlight updates, Windows Backup snooze in File Explorer, etc. Dev and Beta - Semantic search adds OneDrive photo search to Search (was in File Explorer previously), plus the Recall reboot no one is explaining. And Trim comes to Snipping Tool (Canary and Dev) Beta (23H2) - Share gets a drag tray and Start All apps gets new Grid and Category views Lenovo revenues surge 20 percent Framework announces Ryzen AI-based Laptop 13, plus Laptop 12 and Desktop Opera adds Bluesky, Discord, and Slack to the sidebar Microsoft 365 Microsoft confuses us with a test of a free, ad-supported core Office suite for Windows Amazon kills Chime, will use Zoom, Teams, and more Amazon kills Appstore for Android Google to drop SMS-based 2FA, move to QR codes Paul continues with his SSO removals, an update on whether this impacts account availability AI/Dev Following up the previous discussion with an interesting way to use an AI chatbot Alexa enters the AI era OpenAI now has 400 million weekly active users Microsoft cancels some AI datacenter leases, but it's not done spending billions on AI Anthropic releases first reasoning model, with a twist Gemini Code Assist is now free for individuals! ThinkDeeper and Voice in Copilot no longer have usage restrictions OpenAI makes Deep Research available to all paid customers Apple delays biggest Siri advances past iOS 18.4 - Math is hard, but AI is even harder Spotify expands into AI-narrated audiobooks NVIDIA partners to bring free ASL training to everyone .NET 10 Preview 1 arrives with the promise of LTS and not much else Xbox Xbox Cloud Gaming gets its first update in a while, and it's a big one Microsoft delays Fable reboot to 2026 Tips and Picks Tip of the week: You can view the source code for the oldest machine-readable version of Unix App pick of the week: Adobe Photoshop for iPhone RunAs Radio this week: Exchange Server in 2025 with Michel de Rooij Brown liquor pick of the week: Glenrothes 15 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to Windows Weekly at https://twit.tv/shows/windows-weekly Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/windowsweekly cachefly.com/twit

Week D - If a preview update falls in the woods and no one downloads it, did it really happen? Plus, what is going on with AI for free? Isn't this stuff expensive? Windows 23H2/24H2: Taskbar share, Spotlight updates, Windows Backup snooze in File Explorer, etc. Dev and Beta - Semantic search adds OneDrive photo search to Search (was in File Explorer previously), plus the Recall reboot no one is explaining. And Trim comes to Snipping Tool (Canary and Dev) Beta (23H2) - Share gets a drag tray and Start All apps gets new Grid and Category views Lenovo revenues surge 20 percent Framework announces Ryzen AI-based Laptop 13, plus Laptop 12 and Desktop Opera adds Bluesky, Discord, and Slack to the sidebar Microsoft 365 Microsoft confuses us with a test of a free, ad-supported core Office suite for Windows Amazon kills Chime, will use Zoom, Teams, and more Amazon kills Appstore for Android Google to drop SMS-based 2FA, move to QR codes Paul continues with his SSO removals, an update on whether this impacts account availability AI/Dev Following up the previous discussion with an interesting way to use an AI chatbot Alexa enters the AI era OpenAI now has 400 million weekly active users Microsoft cancels some AI datacenter leases, but it's not done spending billions on AI Anthropic releases first reasoning model, with a twist Gemini Code Assist is now free for individuals! ThinkDeeper and Voice in Copilot no longer have usage restrictions OpenAI makes Deep Research available to all paid customers Apple delays biggest Siri advances past iOS 18.4 - Math is hard, but AI is even harder Spotify expands into AI-narrated audiobooks NVIDIA partners to bring free ASL training to everyone .NET 10 Preview 1 arrives with the promise of LTS and not much else Xbox Xbox Cloud Gaming gets its first update in a while, and it's a big one Microsoft delays Fable reboot to 2026 Tips and Picks Tip of the week: You can view the source code for the oldest machine-readable version of Unix App pick of the week: Adobe Photoshop for iPhone RunAs Radio this week: Exchange Server in 2025 with Michel de Rooij Brown liquor pick of the week: Glenrothes 15 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to Windows Weekly at https://twit.tv/shows/windows-weekly Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/windowsweekly cachefly.com/twit

Week D - If a preview update falls in the woods and no one downloads it, did it really happen? Plus, what is going on with AI for free? Isn't this stuff expensive? Windows 23H2/24H2: Taskbar share, Spotlight updates, Windows Backup snooze in File Explorer, etc. Dev and Beta - Semantic search adds OneDrive photo search to Search (was in File Explorer previously), plus the Recall reboot no one is explaining. And Trim comes to Snipping Tool (Canary and Dev) Beta (23H2) - Share gets a drag tray and Start All apps gets new Grid and Category views Lenovo revenues surge 20 percent Framework announces Ryzen AI-based Laptop 13, plus Laptop 12 and Desktop Opera adds Bluesky, Discord, and Slack to the sidebar Microsoft 365 Microsoft confuses us with a test of a free, ad-supported core Office suite for Windows Amazon kills Chime, will use Zoom, Teams, and more Amazon kills Appstore for Android Google to drop SMS-based 2FA, move to QR codes Paul continues with his SSO removals, an update on whether this impacts account availability AI/Dev Following up the previous discussion with an interesting way to use an AI chatbot Alexa enters the AI era OpenAI now has 400 million weekly active users Microsoft cancels some AI datacenter leases, but it's not done spending billions on AI Anthropic releases first reasoning model, with a twist Gemini Code Assist is now free for individuals! ThinkDeeper and Voice in Copilot no longer have usage restrictions OpenAI makes Deep Research available to all paid customers Apple delays biggest Siri advances past iOS 18.4 - Math is hard, but AI is even harder Spotify expands into AI-narrated audiobooks NVIDIA partners to bring free ASL training to everyone .NET 10 Preview 1 arrives with the promise of LTS and not much else Xbox Xbox Cloud Gaming gets its first update in a while, and it's a big one Microsoft delays Fable reboot to 2026 Tips and Picks Tip of the week: You can view the source code for the oldest machine-readable version of Unix App pick of the week: Adobe Photoshop for iPhone RunAs Radio this week: Exchange Server in 2025 with Michel de Rooij Brown liquor pick of the week: Glenrothes 15 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to Windows Weekly at https://twit.tv/shows/windows-weekly Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/windowsweekly cachefly.com/twit

Week D - If a preview update falls in the woods and no one downloads it, did it really happen? Plus, what is going on with AI for free? Isn't this stuff expensive? Windows 23H2/24H2: Taskbar share, Spotlight updates, Windows Backup snooze in File Explorer, etc. Dev and Beta - Semantic search adds OneDrive photo search to Search (was in File Explorer previously), plus the Recall reboot no one is explaining. And Trim comes to Snipping Tool (Canary and Dev) Beta (23H2) - Share gets a drag tray and Start All apps gets new Grid and Category views Lenovo revenues surge 20 percent Framework announces Ryzen AI-based Laptop 13, plus Laptop 12 and Desktop Opera adds Bluesky, Discord, and Slack to the sidebar Microsoft 365 Microsoft confuses us with a test of a free, ad-supported core Office suite for Windows Amazon kills Chime, will use Zoom, Teams, and more Amazon kills Appstore for Android Google to drop SMS-based 2FA, move to QR codes Paul continues with his SSO removals, an update on whether this impacts account availability AI/Dev Following up the previous discussion with an interesting way to use an AI chatbot Alexa enters the AI era OpenAI now has 400 million weekly active users Microsoft cancels some AI datacenter leases, but it's not done spending billions on AI Anthropic releases first reasoning model, with a twist Gemini Code Assist is now free for individuals! ThinkDeeper and Voice in Copilot no longer have usage restrictions OpenAI makes Deep Research available to all paid customers Apple delays biggest Siri advances past iOS 18.4 - Math is hard, but AI is even harder Spotify expands into AI-narrated audiobooks NVIDIA partners to bring free ASL training to everyone .NET 10 Preview 1 arrives with the promise of LTS and not much else Xbox Xbox Cloud Gaming gets its first update in a while, and it's a big one Microsoft delays Fable reboot to 2026 Tips and Picks Tip of the week: You can view the source code for the oldest machine-readable version of Unix App pick of the week: Adobe Photoshop for iPhone RunAs Radio this week: Exchange Server in 2025 with Michel de Rooij Brown liquor pick of the week: Glenrothes 15 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to Windows Weekly at https://twit.tv/shows/windows-weekly Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/windowsweekly cachefly.com/twit

Week D - If a preview update falls in the woods and no one downloads it, did it really happen? Plus, what is going on with AI for free? Isn't this stuff expensive? Windows 23H2/24H2: Taskbar share, Spotlight updates, Windows Backup snooze in File Explorer, etc. Dev and Beta - Semantic search adds OneDrive photo search to Search (was in File Explorer previously), plus the Recall reboot no one is explaining. And Trim comes to Snipping Tool (Canary and Dev) Beta (23H2) - Share gets a drag tray and Start All apps gets new Grid and Category views Lenovo revenues surge 20 percent Framework announces Ryzen AI-based Laptop 13, plus Laptop 12 and Desktop Opera adds Bluesky, Discord, and Slack to the sidebar Microsoft 365 Microsoft confuses us with a test of a free, ad-supported core Office suite for Windows Amazon kills Chime, will use Zoom, Teams, and more Amazon kills Appstore for Android Google to drop SMS-based 2FA, move to QR codes Paul continues with his SSO removals, an update on whether this impacts account availability AI/Dev Following up the previous discussion with an interesting way to use an AI chatbot Alexa enters the AI era OpenAI now has 400 million weekly active users Microsoft cancels some AI datacenter leases, but it's not done spending billions on AI Anthropic releases first reasoning model, with a twist Gemini Code Assist is now free for individuals! ThinkDeeper and Voice in Copilot no longer have usage restrictions OpenAI makes Deep Research available to all paid customers Apple delays biggest Siri advances past iOS 18.4 - Math is hard, but AI is even harder Spotify expands into AI-narrated audiobooks NVIDIA partners to bring free ASL training to everyone .NET 10 Preview 1 arrives with the promise of LTS and not much else Xbox Xbox Cloud Gaming gets its first update in a while, and it's a big one Microsoft delays Fable reboot to 2026 Tips and Picks Tip of the week: You can view the source code for the oldest machine-readable version of Unix App pick of the week: Adobe Photoshop for iPhone RunAs Radio this week: Exchange Server in 2025 with Michel de Rooij Brown liquor pick of the week: Glenrothes 15 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to Windows Weekly at https://twit.tv/shows/windows-weekly Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/windowsweekly cachefly.com/twit

Week D - If a preview update falls in the woods and no one downloads it, did it really happen? Plus, what is going on with AI for free? Isn't this stuff expensive? Windows 23H2/24H2: Taskbar share, Spotlight updates, Windows Backup snooze in File Explorer, etc. Dev and Beta - Semantic search adds OneDrive photo search to Search (was in File Explorer previously), plus the Recall reboot no one is explaining. And Trim comes to Snipping Tool (Canary and Dev) Beta (23H2) - Share gets a drag tray and Start All apps gets new Grid and Category views Lenovo revenues surge 20 percent Framework announces Ryzen AI-based Laptop 13, plus Laptop 12 and Desktop Opera adds Bluesky, Discord, and Slack to the sidebar Microsoft 365 Microsoft confuses us with a test of a free, ad-supported core Office suite for Windows Amazon kills Chime, will use Zoom, Teams, and more Amazon kills Appstore for Android Google to drop SMS-based 2FA, move to QR codes Paul continues with his SSO removals, an update on whether this impacts account availability AI/Dev Following up the previous discussion with an interesting way to use an AI chatbot Alexa enters the AI era OpenAI now has 400 million weekly active users Microsoft cancels some AI datacenter leases, but it's not done spending billions on AI Anthropic releases first reasoning model, with a twist Gemini Code Assist is now free for individuals! ThinkDeeper and Voice in Copilot no longer have usage restrictions OpenAI makes Deep Research available to all paid customers Apple delays biggest Siri advances past iOS 18.4 - Math is hard, but AI is even harder Spotify expands into AI-narrated audiobooks NVIDIA partners to bring free ASL training to everyone .NET 10 Preview 1 arrives with the promise of LTS and not much else Xbox Xbox Cloud Gaming gets its first update in a while, and it's a big one Microsoft delays Fable reboot to 2026 Tips and Picks Tip of the week: You can view the source code for the oldest machine-readable version of Unix App pick of the week: Adobe Photoshop for iPhone RunAs Radio this week: Exchange Server in 2025 with Michel de Rooij Brown liquor pick of the week: Glenrothes 15 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Download or subscribe to Windows Weekly at https://twit.tv/shows/windows-weekly Check out Paul's blog at thurrott.com The Windows Weekly theme music is courtesy of Carl Franklin. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: 1password.com/windowsweekly cachefly.com/twit

What is it like to take care of an Exchange Server in 2025? Richard chats with Michel de Rooij about his work with Exchange, including the many scripts he has written and published over the years to help sysadmins solve problems. Michel discusses how staying on-premises with Exchange is getting harder - the new version will be subscription-based! The conversation also digs into the new version of Outlook, the challenges of securing email, and Michel's latest book Pro Exchange Administration.LinksRemove DuplicateItems ScriptUnarchive ScriptPro Exchange AdministrationOffice 365 for IT ProsMicrosoft Defender for Office 365Recorded January 9, 2025

Cybersecurity Today: GitHub Attacks & Microsoft's November Patch Tuesday Updates In this episode of Cybersecurity Today, host Jim Love highlights critical cybersecurity updates. The episode covers malicious attacks on GitHub projects, including an orchestrated attempt to frame Texas-based security researcher Mike Bell, and the associated impact on open-source repositories. Additionally, Microsoft's November Patch Tuesday is discussed in detail, with over 90 security issues disclosed, including four critical zero-day vulnerabilities. The episode also addresses a new ransomware strain exploiting vulnerabilities in Veeam backup software, and the disruptions caused by Microsoft's flawed Exchange Server security update. Stay informed on the latest cybersecurity trends and threats. 00:00 Introduction and Sponsor Message 00:29 Cybersecurity Headlines 00:46 GitHub Malicious Code Attack 03:24 Microsoft November Patch Tuesday 05:17 Veeam Backup Software Vulnerability 07:02 Microsoft Exchange Server Update Issues 08:47 Conclusion and Sign-Off

In our first of two Practical 365 Podcasts before Ignite begins, Steve Goodman and Paul Robichaux dive deep into what was best in Microsoft's Wave 2 release and chat about Copilot Pages - is it a good move from Microsoft?In other crucial news, we address the approaching end of support for Exchange Server 2016 and 2019, and what organizations need to consider as they plan their migration strategy. Plus, we look at the latest Teams meeting features, including new Copilot controls, meeting recap integrations with Outlook and new device support.Want to stay up to date on all things Practical 365? Follow us on Twitter, Facebook, and Linkedin to stay up to date on all things Microsoft!

"Wenn du mir ein Problem hinlegst und sagst, wir bräuchten da mal eine Lösung, wird es sehr schwer, mich von diesem Problem fernzuhalten", sagt Claudia Plattner mit einem Lächeln. Mit dieser analytischen Herangehensweise leitet die Diplom-Mathematikerin seit Juli 2023 das Bundesamt für Sicherheit in der Informationstechnik (BSI) und prägt den deutschen Kampf gegen Cyberbedrohungen.Plattner hat an der TU Darmstadt und auch in New Orleans studiert. Unter dem Motto "Cyber Nation Deutschland" sucht sie "Nerds mit Sinn für die gute Sache" und betont die Notwendigkeit von Geschwindigkeit und Kooperation: "Cybersecurity ist unglaublich vielfältig. Es ist Wahnsinn, wo man überall hingucken muss", sagt sie mit Verweis auf 17.000 verwundbare Exchange-Server, die tickenden Zeitbomben ähneln.Ein besonderes Anliegen ist Plattner der Schutz von Sicherheitsforschern. Dabei handelt es sich um Experten, die gezielt nach Schwachstellen in Systemen suchen, um diese zu melden und zu schließen. "Wir würden gerne, dass Sicherheitsforscher entsprechend geschützt sind in ihrer Arbeit", sagt die BSI-Präsidentin. "Statt die Menschen zu verklagen, sagt Danke. Das wäre mein Plädoyer."Plattner hebt eine erfolgreiche Initiative mit den DAX-40-Unternehmen hervor, bei der alle eine sogenannte "security.txt" eingeführt haben. Das ist eine standardisierte Methode, um Sicherheitsforschern einen sicheren Kanal zur Meldung von Schwachstellen zu bieten. "Jede Schwachstelle, die es gibt, wird früher oder später gegen uns verwendet", warnt die Mathematikerin. Deshalb sei ein koordinierter Prozess zur Schließung von Sicherheitslücken unbedingt erforderlich.Sie haben Fragen für Frauke Holzmeier und Andreas Laukat? Dann schreiben Sie eine E-Mail an sotechtdeutschland@ntv.deUnsere allgemeinen Datenschutzrichtlinien finden Sie unter https://datenschutz.ad-alliance.de/podcast.htmlAlle Rabattcodes und Infos zu unseren Werbepartnern finden Sie hier: https://linktr.ee/sotechtdeutschlandUnsere allgemeinen Datenschutzrichtlinien finden Sie unter https://art19.com/privacy. Die Datenschutzrichtlinien für Kalifornien sind unter https://art19.com/privacy#do-not-sell-my-info abrufbar.

Linux kernel developers were infected with malware for 2 years, another nail in the coffin of proper federated email as Exchange Server moves to a subscription model, followup on zfsbootmenu and IPv6, and learning unfamiliar topics.   Plug Support us on patreon and get an ad-free RSS feed with early episodes sometimes   News/discussion Linux […]

Linux kernel developers were infected with malware for 2 years, another nail in the coffin of proper federated email as Exchange Server moves to a subscription model, followup on zfsbootmenu and IPv6, and learning unfamiliar topics.   Plug Support us on patreon and get an ad-free RSS feed with early episodes sometimes   News/discussion Linux... Read More

 On this week's episode, Paul and Steve cover several major Microsoft announcements impacting the future of AI, Exchange Server, and identity solutions. We discuss Microsoft's development of a massive in-house AI model called MAI-1 to potentially reduce reliance on OpenAI. And, we break down the newly released roadmap for Exchange Server, including details on the upcoming Subscription Edition launch. Finally we chat about Microsoft's unveiling of external authentication methods for Entra ID, enabling third-party MFA integration. Want to stay up to date on all things Practical 365? Follow us on Twitter, Facebook, and Linkedin to stay up to date on all things Microsoft!

Microsoft warns of new Exchange Server zero-day Neuberger: Pace of ransomware takedown operations isn't enough Gold Pickaxe malware steals your face Huge thanks to our sponsor, Vanta From dozens of spreadsheets and screenshots to fragmented tools and manual security reviews, managing the requirements for modern compliance and security programs is increasingly challenging. Vanta is the leading Trust Management Platform that helps you centralize your efforts to establish trust and enable growth across your organization. Over 6,000 companies partner with Vanta to automate compliance, strengthen security posture, streamline security reviews, and reduce third-party risk. To learn more, go to vanta.com/ciso and watch their 3-minute product demo. For the stories behind the headlines, head to CISOseries.com.

Join us on this exciting episode of the Practical365.com podcast where hosts Steve Goodman and Paul Robichaux sit down with Tim McMichael, a seasoned Support Escalation Engineer at Microsoft. Known for his prowess in tackling complex issues, Tim will delve into the intricacies of identity management, shedding light on the challenges and solutions in the realm of Exchange Server, Exchange Online, and Azure AD.We'll explore his innovative contributions to the tech community, including his insightful blog and his groundbreaking GitHub projects. Tim will share the inspiration behind his modules for distribution list migrations, offering a glimpse into how these tools are facilitating seamless transitions to Office 365.But that's not all! We'll also discuss the future of identity management, the evolving landscape of cloud technology, and how professionals can equip themselves to navigate these changes. Plus, Tim will share some of his most challenging cases and how he managed to crack them.Don't miss this opportunity to gain invaluable insights from one of Microsoft's leading engineers. Want to stay up to date on all things Practical 365? Follow us on Twitter, Facebook, and Linkedin to stay up to date on all things Microsoft!

In this episode of the PowerShell Podcast, featuring guest Sam Erde, we delve into a myriad of topics starting with Andrew's successful acceptance of his talk at PowerShell Summit. The episode unfolds with a spotlight on community resources. Sam Erde, our esteemed guest, shares insights into his blogging journey and his contributions to open-source projects, with a particular focus on the Locksmith module designed to uncover misconfigurations in ADCS Certificate Services. Sam also provides his unique perspective on leveraging PowerShell for various tasks. The hosts engage in a discussion about the community ethos, underscoring the importance of creating more value than capturing, and Sam shares personal experiences that have shaped his approach to community involvement. Tune in for an episode packed with valuable insights, community highlights, and the power of PowerShell in action. Guest bio and Links:  Sam Erde is a senior yak shaver and semi-professional squirrel hunter with 20+ years of experience in IT. His preferred species of yak speaks PowerShell and the squirrels are most often found huddled around Microsoft bird feeders. Much of his career has had a strong focus on Active Directory, GPOs, Exchange Server, and Microsoft 356; however, it would not be complete without an equally strong focus on coffee, puns, Oxford commas, and cybersecurity. Sam's mission is to help IT teams grow towards operational maturity around these platforms. This includes a focus on culture, technical growth, and identifying not just as systems administrators, engineers, or analysts--but as infosec professionals who may happen to work in operations. He is incredibly grateful for everything the community has taught him and hopes to contribute back at least as much as he has learned from this amazing group of people.   Watch The PowerShell Podcast on YouTube: https://www.youtube.com/watch?v=8HEhXQE3GNw https://github.com/DanGough/PoshCVE https://powershellisfun.com/2023/11/23/using-a-specific-powershell-profile-for-a-console-session-windows-terminal-powershell-ise-or-visual-studio-code/ https://discord.gg/pdq https://day3bits.com/ https://github.com/SamErde/PowerShell-Pre-Workout https://github.com/trimarcJake/Locksmith https://www.youtube.com/watch?v=4yt_oIEq1wA https://github.com/PoshCode/PowerShellPracticeAndStyle https://github.com/cunninghamp https://www.powershellgallery.com/packages/ORCA/2.8.0 https://github.com/EvotecIT/GPOZaurr https://github.com/TrimarcJake/BlueTuxedo https://github.com/techspence/ScriptSentry https://twitter.com/SamErde https://linktr.ee/SamErde  

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores Ace Hardware suffered a cyberattack impacting servers and systems Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions Analysis of "BadCandy" malware infecting vulnerable Cisco routers Bitwarden password manager adds support for FIDO2 passkeys in browser extension Rescuing a severely degraded SSD and bringing it back to life with SpinRite Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores Ace Hardware suffered a cyberattack impacting servers and systems Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions Analysis of "BadCandy" malware infecting vulnerable Cisco routers Bitwarden password manager adds support for FIDO2 passkeys in browser extension Rescuing a severely degraded SSD and bringing it back to life with SpinRite Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores Ace Hardware suffered a cyberattack impacting servers and systems Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions Analysis of "BadCandy" malware infecting vulnerable Cisco routers Bitwarden password manager adds support for FIDO2 passkeys in browser extension Rescuing a severely degraded SSD and bringing it back to life with SpinRite Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores Ace Hardware suffered a cyberattack impacting servers and systems Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions Analysis of "BadCandy" malware infecting vulnerable Cisco routers Bitwarden password manager adds support for FIDO2 passkeys in browser extension Rescuing a severely degraded SSD and bringing it back to life with SpinRite Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores Ace Hardware suffered a cyberattack impacting servers and systems Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions Analysis of "BadCandy" malware infecting vulnerable Cisco routers Bitwarden password manager adds support for FIDO2 passkeys in browser extension Rescuing a severely degraded SSD and bringing it back to life with SpinRite Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores Ace Hardware suffered a cyberattack impacting servers and systems Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions Analysis of "BadCandy" malware infecting vulnerable Cisco routers Bitwarden password manager adds support for FIDO2 passkeys in browser extension Rescuing a severely degraded SSD and bringing it back to life with SpinRite Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores Ace Hardware suffered a cyberattack impacting servers and systems Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions Analysis of "BadCandy" malware infecting vulnerable Cisco routers Bitwarden password manager adds support for FIDO2 passkeys in browser extension Rescuing a severely degraded SSD and bringing it back to life with SpinRite Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores Ace Hardware suffered a cyberattack impacting servers and systems Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions Analysis of "BadCandy" malware infecting vulnerable Cisco routers Bitwarden password manager adds support for FIDO2 passkeys in browser extension Rescuing a severely degraded SSD and bringing it back to life with SpinRite Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf   Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

It's episode 900! Richard brings friend Dana Epp onto the show to talk a bit about the last one hundred episodes of RunAs Radio - and a little look to the future as well. With Dana around, you know there will be lots of security conversation. Over the past hundred shows, ransomware has had quite the story arc, especially around Exchange Server and other products. The conversation then turns to more future-looking topics, including the various Microsoft Copilots being built - could these be tools to help sysadmins? Probably a topic for episode 1000!Links:Windows SandboxMicrosoft VivaMicrosoft Purview Data Loss PreventionRecorded September 15, 2023

Analysis of RAR Exploit Files (CVE-2023-38831) https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164 Juniper Exploit CVE-2023-36844 , CVE-2023-36845 , CVE-2023-36846 , CVE-2023-36847 https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/ Microsoft Will Enabled Extended Protection for Exchange Server by Default https://techcommunity.microsoft.com/t5/exchange-team-blog/coming-soon-enabling-extended-protection-on-exchange-server-by/ba-p/3911849 Rust Malware Stages on Crates.io https://blog.phylum.io/rust-malware-staged-on-crates-io/ SANS Community Night London Signup https://www.sans.org/mlp/community-night-cloud-security-london-september-2023

Analysis of RAR Exploit Files (CVE-2023-38831) https://isc.sans.edu/diary/Analysis+of+RAR+Exploit+Files+CVE202338831/30164 Juniper Exploit CVE-2023-36844 , CVE-2023-36845 , CVE-2023-36846 , CVE-2023-36847 https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/ Microsoft Will Enabled Extended Protection for Exchange Server by Default https://techcommunity.microsoft.com/t5/exchange-team-blog/coming-soon-enabling-extended-protection-on-exchange-server-by/ba-p/3911849 Rust Malware Stages on Crates.io https://blog.phylum.io/rust-malware-staged-on-crates-io/ SANS Community Night London Signup https://www.sans.org/mlp/community-night-cloud-security-london-september-2023

Levi McCormick, Cloud Architect at Jamf, joins Corey on Screaming in the Cloud to discuss his work modernizing baseline cloud infrastructure and his experience being on the compliance side of cloud engineering. Levi explains how he works to ensure the different departments he collaborates with are all on the same page so that different definitions don't end up in miscommunications, and why he feels a sandbox environment is an important tool that leads to a successful production environment. Levi and Corey also explore the ethics behind the latest generative AI craze. About LeviLevi is an automation engineer, with a focus on scalable infrastructure and rapid development. He leverages deep understanding of DevOps culture and cloud technologies to build platforms that scale to millions of users. His passion lies in helping others learn to cloud better.Links Referenced: Jamf: https://www.jamf.com/ Twitter: https://twitter.com/levi_mccormick LinkedIn: https://www.linkedin.com/in/levimccormick/ TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. A longtime friend and person has been a while since he's been on the show, Levi McCormick has been promoted or punished for his sins, depending upon how you want to slice that, and he is now the Director of Cloud Engineering at Jamf. Levi, welcome back.Levi: Thanks for having me, Corey.Corey: I have to imagine internally, you put that very pronounced F everywhere, and sometimes where it doesn't belong, like your IAMf policies and whatnot.Levi: It is fun to see how people like to interpret how to pronounce our name.Corey: So, it's been a while. What were you doing before? And how did you wind up stumbling your way into your current role?Levi: [laugh]. When we last spoke, I was a cloud architect here, diving into just our general practices and trying to shore up some of them. In between, I did a short stint as director of FedRAMP. We are pursuing some certifications in that area and I led, kind of, the engineering side of the compliance journey.Corey: That sounds fairly close to hell on earth from my particular point of view, just because I've dealt in the compliance side of cloud engineering before, and it sounds super interesting from a technical level until you realize just how much of it revolves around checking the boxes, and—at least in the era I did it—explaining things to auditors that I kind of didn't feel I should have to explain to an auditor, but there you have it. Has the state of that world improved since roughly 2015?Levi: I wouldn't say it has improved. While doing this, I did feel like I drove a time machine to work, you know, we're certifying VMs, rather than container-based architectures. There was a lot of education that had to happen from us to auditors, but once they understood what we were trying to do, I think they were kind of on board. But yeah, it was a [laugh] it was a journey.Corey: So, one of the things you do—in fact, the first line in your bio talking about it—is you modernize baseline cloud infrastructure provisioning. That means an awful lot of things depending upon who it is that's answering the question. What does that look like for you?Levi: For what we're doing right now, we're trying to take what was a cobbled-together part-time project for one engineer, we're trying to modernize that, turn it into as much self-service as we can. There's a lot of steps that happen along the way, like a new workload needs to be spun up, they decide if they need a new AWS account or not, we pivot around, like, what does the access profile look like, who needs to have access to it, which things does it need to connect to, and then you look at the billing side, compliance side, and you just say, you know, “Who needs to be informed about these things?” We apply tags to the accounts, we start looking at lower-level tagging, depending on if it's a shared workload account or if it's a completely dedicated account, and we're trying to wrap all of that in automation so that it can be as click-button as possible.Corey: Historically, I found that when companies try to do this, the first few attempts at it don't often go super well. We'll be polite and say their first attempts resemble something artisanal and handcrafted, which might not be ideal for this. And then in many cases, the overreaction becomes something that is very top-down, dictatorial almost, is the way I would frame that. And the problem people learn then is that, “Oh, everyone is going to route around us because they don't want to deal with us at all.” That doesn't quite seem like your jam from what I know of you and your approach to things. How do you wind up keeping the guardrails up without driving people to shadow IT their way around you?Levi: I always want to keep it in mind that even if it's not an option, I want to at least pretend like a given team could not use our service, right? I try to bring a service mentality to it, so we're talking Accounts as a Service. And then I just think about all of the things that they would have to solve if they didn't go through us, right? Like, are they managing their finances w—imagine they had to go in and negotiate some kind of pricing deal on their own, right, all of these things that come with being part of our organization, being part of our service offering. And then just making sure, like, those things are always easier than doing it on their own.Corey: How diverse would you say that the workloads are that are in your organization? I found that in many cases, you'll have a SaaS-style company where there's one primary workload that is usually bearing the name of the company, and that's the thing that they provide to everyone. And then you have the enterprise side of the world where they have 1500 or 2000 distinct application teams working on different things, and the only thing they really have in common is, well, that all gets billed to the same company, eventually.Levi: They are fairly diverse in how… they're currently created. We've gone through a few acquisitions, we've pulled a bunch of those into our ecosystem, if you will. So, not everything has been completely modernized or brought over to, you know, standards, if you will, if such a thing even exists in companies. You know [laugh], you may pretend that they do, but you're probably lying to yourself, right? But you know, there are varying platforms, we've got a whole laundry list of languages that are being used, we've got some containerized, some VM-based, some serverless workloads, so it's all over the place. But you nailed it. Like, you know, the majority of our footprint lives in maybe a handful of, you know, SaaS offerings.Corey: Right. It's sort of a fun challenge when you start taking a looser approach to these things because someone gets back from re:Invent, like, “Well, I went to the keynote and now I have my new shopping list of things I'm going to wind up deploying,” and ehh, that never goes well, having been that person in a previous life.Levi: Yeah. And you don't want to apply too strict of governance over these things, right? You want people to be able to play, you want them to be inspired and start looking at, like, what would be—what's something that's going to move the needle in terms of our cloud architecture or product offerings or whatever we have. So, we have sandbox accounts that are pretty much wide open, we've got some light governance over those, [laugh] moreso for billing than anything. And all of our internal tooling is available, you know, like if you're using containers or whatever, like, all of that stuff is in those sandbox accounts.And that's where our kind of service offering comes into play, right? Sandbox is still an account that we tried to vend, if you will, out of our service. So, people should be building in your sandbox environments just like they are in your production as much as possible. You know, it's a place where tools can get the tires kicked and smooth out bugs before you actually get into, you know, roadmap-impacting problems.Corey: One of the fun challenges you have is, as you said, the financial aspect of this. When you've got a couple of workloads that drive most things, you can reason about them fairly intelligently, but trying to predict the future—especially when you're dealing with multi-year contract agreements with large cloud providers—becomes a little bit of a guessing game, like, “Okay. Well, how much are we going to spend on generative AI over the next three years?” The problem with that is that if you listen to an awful lot of talking heads or executive types, like, “Oh, yeah, if we're spending $100 million a year, we're going to add another 50 on top of that, just in terms of generative AI.” And it's like, press X to doubt, just because it's… I appreciate that you're excited about these things and want to play with them, but let's make sure that there's some ‘there' there before signing contracts that are painful to alter.Levi: Yeah, it's a real struggle. And we have all of these new initiatives, things people are excited for. Meanwhile, we're bringing old architecture into a new platform, if you will, or a new footprint, so we have to constantly measure those against each other. We have a very active conversation with finance and with leadership every month, or even weekly, depending on the type of project and where that spend is coming from.Corey: One of the hard parts has always been, I think, trying to get people on the finance side of the world, the engineering side of the world, and the folks who are trying to predict what the business was going to do next, all speaking the same language. It just feels like it's too easy to wind up talking past each other if you're not careful.Levi: Yeah, it's really hard. Recently taken over the FinOps practice. It's been really important for me, for us to align on what our words mean, right? What are these definitions mean? How do we come to common consensus so that eventually the communication gets faster? But we can't talk past each other. We have to know what our words mean, we have to know what each person cares about in this conversation, or what does their end goal look like? What do they want out of the conversation? So, that's been—that's taken a significant amount of time.Corey: One of the problems I have is with the term FinOps as a whole, ignoring the fact entirely that it was an existing term of art within finance for decades; great, we're just going to sidestep past that whole mess—the problem you'll see is that it just seems like that it means something different to almost everyone who hears it. And it's sort of become a marketing term more so that it has an actual description of what people are doing. Just because some companies will have a quote-unquote, “FinOps team,” that is primarily going to be run by financial analysts. And others, “Well, we have one of those lying around, but it's mostly an engineering effort on our part.”And I've seen three or four different expressions as far as team composition goes and I'm not convinced any of them are right. But again, it's easy for me to sit here and say, “Oh, that's wrong,” without having an environment of my own to run. I just tend to look at what my clients do. And, “Well, I've seen a lot of things, and they all work poorly in different ways,” is not uplifting and helpful.Levi: Yeah. I try not to get too hung up on what it's called. This is the name that a lot of people inside the company have rallied around and as long as people are interested in saving money, cool, we'll call it FinOps, you know? I mean, DevOps is the same thing, right? In some companies, you're just a sysadmin with a higher pay, and in some companies, you're building extensive cloud architecture and pipelines.Corey: Honestly, for the whole DevOps side of the world, I maintain we're all systems administrators. The tools have changed, the methodologies have changed, the processes have changed, but the responsibility of ‘keep the site up' generally has not. But if you call yourself a sysadmin, you're just asking him to, “Please pay me less money in my next job.” No, thanks.Levi: Yeah. “Where's the Exchange Server for me to click on?” Right? That's the [laugh]—if you call yourself a sysadmin [crosstalk 00:11:34]—Corey: God. You're sending me back into twitching catatonia from my early days.Levi: Exactly [laugh].Corey: So, you've been paying attention to this whole generative AI hype monster. And I want to be clear, I say this as someone who finds the technology super neat and I'm optimistic about it, but holy God, it feels like people have just lost all sense. If that's you, my apologies in advance, but I'm still going to maintain the point.Levi: I've played with all the various toys out there. I'm very curious, you know? I think it's really fun to play with them, but to, like, make your entire business pivot on a dime and pursue it just seems ridiculous to me. I hate that the cryptocurrency space has pivoted so hard into it, you know? All the people that used to be shilling coins are now out there trying to cobble together a couple API calls and turn it into an AI, right?Corey: It feels like it's just a hype cycle that people are more okay with being a part of. Like, Andy Jassy, in the earnings call a couple of weeks ago saying that every Amazon team is working with generative AI. That's not great. That's terrifying. I've been playing with the toys as well and I've asked it things like, “Oh, spit out an IAM policy for me,” or, “Oh, great, what can I do to optimize my AWS bill?” And it winds up spitting out things that sound highly plausible, but they're also just flat-out wrong. And that, it feels like a lot of these spaces, it's not coming up with a plausible answer—that's the hard part—is coming up with the one that is correct. And that's what our jobs are built around.Levi: I've been trying to explain to a lot of people how, if you only have surface knowledge of the thing that it's telling you, it probably seems really accurate, but when you have deep knowledge on the topic that you're interacting with this thing, you're going to see all of the errors. I've been using GitHub's Copilot since the launch. You know, I was in one of the previews. And I love it. Like, it speeds up my development significantly.But there have been moments where I—you know, IAM policies are a great example. You know, I had it crank out a Lambda functions policy, and it was just frankly, wrong in a lot of places [laugh]. It didn't quite imagine new AWS services, but it was really [laugh] close. The API actions were—didn't exist. It just flat-out didn't exist.Corey: I love that. I've had some magic happen early on where it could intelligently query things against the AWS pricing API, but then I asked it the same thing a month later and it gave me something completely ridiculous. It's not deterministic, which is part of the entire problem with it, too. But it's also… it can help incredibly in some weird ways I didn't see coming. But it can also cause you to spend more time chasing that thing than just doing it yourself the first time.I found a great way to help it—you know, it helped me write blog posts with it. I tell it to write a blog post about a topic and give it some bullet points and say, “Write in my voice,” and everything it says I take issue with, so then I just copy that into a text editor and then mansplain-correct the robot for 20 minutes and, oh, now I've got a serviceable first draft.Levi: And how much time did you save [laugh] right? It is fun, you know?Corey: It does help because that's better for me at least and staring at an empty page of what am I going to write? It gets me past the writer's block problem.Levi: Oh, that's a great point, yeah. Just to get the ball rolling, right, once you—it's easier to correct something that's wrong, and you're almost are spite-driven at that point, right? Like, “Let me show this AI how wrong it was and I'll write the perfect blog post.” [laugh].Corey: It feels like the companies jumping on this, if you really dig into what we're talking about, it seems like they're all very excited about the possibility of we don't have to talk to customers anymore because the robots will all do that. And I don't think that's going to go the way you want to. We just have this minor hallucination problem. Yeah, that means that lies and tries to book customers to hotel destinations that don't exist. Think about this a little more. The failure mode here is just massive.Levi: It's scary, yeah. Like, without some kind of review process, I wouldn't ship that straight to my customers, right? I wouldn't put that in front of my customer and say, like, “This is”—I'm going to take this generative output and put it right in front of them. That scares me. I think as we get deeper into it, you know, maybe we'll see… I don't know, maybe we'll put some filters or review process, or maybe it'll get better. I mean, who was it that said, you know, “This is the worst it's ever going to be?” Right, it will only get better.Corey: Well, the counterargument to that is, it will get far worse when we start putting this in charge [unintelligible 00:16:08] safety-critical systems, which I'm sure it's just a matter of time because some of these boosters are just very, very convincing. It's just thinking, how could this possibly go the worst? Ehhh. It's not good.Levi: Yeah, well, I mean, we're talking impact versus quality, right? The quality will only ever get better. But you know, if we run before we walk, the impact can definitely get wider.Corey: From where I sit, I want to see this really excel within bounded problem spaces. The one I keep waiting for is the AWS bill because it's a vast space, yes, and it's complicated as all hell, but it is bounded. There are a finite—though large—number of things you can see in an AWS bill, and there are recommendations you can make based on top of that. But everything I've seen that plays in this space gets way overconfident far too quickly, misses a bunch of very obvious lines of inquiry. Ah, I'm skeptical.Then you pass that off to unbounded problem spaces like human creativity and that just turns into an absolute disaster. So, much of what I've been doing lately has been hamstrung by people rushing to put in safeguards to make sure it doesn't accidentally say something horrible that it's stripped out a lot of the fun and the whimsy and the sarcasm in the approach, of I—at one point, I could bully a number of these things into ranking US presidents by absorbency. That's getting harder to do now because, “Nope, that's not respectful and I'm not going to do it,” is basically where it draws the line.Levi: The one thing that I always struggle with is, like, how much of the models are trained on intellectual property or, when you distill it down, pure like human suffering, right? Like, this is somebody's art, they've worked hard, they've suffered for it, they put it out there in the world, and now it's just been pulled in and adopted by this tool that—you know, how many of the examples of, “Give me art in the style of,” right, and you just see hundreds and hundreds of pieces that I mean, frankly, are eerily identical to the style.Corey: Even down to the signature, in some cases. Yeah.Levi: Yeah, exactly. You know, and I think that we can't lose sight of that, right? Like, these tools are fun and you know, they're fun to play with, it's really interesting to explore what's possible, but we can't lose sight of the fact that there are ultimately people behind these things.Corey: This episode is sponsored in part by Panoptica.  Panoptica simplifies container deployment, monitoring, and security, protecting the entire application stack from build to runtime. Scalable across clusters and multi-cloud environments, Panoptica secures containers, serverless APIs, and Kubernetes with a unified view, reducing operational complexity and promoting collaboration by integrating with commonly used developer, SRE, and SecOps tools. Panoptica ensures compliance with regulatory mandates and CIS benchmarks for best practice conformity. Privacy teams can monitor API traffic and identify sensitive data, while identifying open-source components vulnerable to attacks that require patching. Proactively addressing security issues with Panoptica allows businesses to focus on mitigating critical risks and protecting their interests. Learn more about Panoptica today at panoptica.app.Corey: I think it matters, on some level, what the medium is. When I'm writing, I will still use turns of phrase from time to time that I first encountered when I was reading things in the 1990s. And that phrase stuck with me and became part of my lexicon. And I don't remember where I originally encountered some of these things; I just know I use those raises an awful lot. And that has become part and parcel of who and what I am.Which is also, I have no problem telling it to write a blog post in the style of Corey Quinn and then ripping a part of that out, but anything that's left in there, cool. I'm plagiarizing the thing that plagiarized from me and I find that to be one of those ethically just moments there. But written word is one thing depending on what exactly it's taking from you, but visual style for art, that's something else entirely.Levi: There's a real ethical issue here. These things can absorb far much more information than you ever could in your entire lifetime, right, so that you can only quote-unquote, you know, “Copy, borrow, steal,” from a handful of other people in your entire life, right? Whereas this thing could do hundreds or thousands of people per minute. I think that's where the calculus needs to be, right? How many people can we impact with this thing?Corey: This is also nothing new, where originally in the olden times, great, copyright wasn't really a thing because writing a book was a massive, massive undertaking. That was something that you'd have to do by hand, and then oh, you want a copy of the book? You'd have to have a scribe go and copy the thing. Well then, suddenly the printing press came along, and okay, that changes things a bit.And then we continue to evolve there to digital distribution where suddenly it's just bits on a disk that I can wind up throwing halfway around the internet. And when the marginal cost of copying something becomes effectively zero, what does that change? And now we're seeing, I think, another iteration in that ongoing question. It's a weird world and I don't know that we have the framework in place even now to think about that properly. Because every time we start to get a handle on it, off we go again. It feels like if they were doing be invented today, libraries would absolutely not be considered legal. And yet, here we are.Levi: Yeah, it's a great point. Humans just do not have the ethical framework in place for a lot of these things. You know, we saw it even with the days of Napster, right? It's just—like you said, it's another iteration on the same core problem. I [laugh] don't know how to solve it. I'm not a philosopher, right?Corey: Oh, yeah. Back in the Napster days, I was on that a fair bit in high school and college because I was broke, and oh, I wanted to listen to this song. Well, it came on an album with no other good songs on it because one-hit wonders were kind of my jam, and that album cost 15, 20 bucks, or I could grab the thing for free. There was no reasonable way to consume. Then they started selling individual tracks for 99 cents and I gorged myself for years on that stuff.And now it feels like streaming has taken over the world to the point where the only people who really lose on this are the artists themselves, and I don't love that outcome. How do we have a better tomorrow for all of this? I know we're a bit off-topic from you know, cloud management, but still, this is the sort of thing I think about when everything's running smoothly in a cloud environment.Levi: It's hard to get people to make good decisions when they're so close to the edge. And I think about when I was, you know, college-age scraping by on minimum wage or barely above minimum wage, you know, it was hard to convince me that, oh yeah, you shouldn't download an MP3 of that song; you should go buy the disc, or whatever. It was really hard to make that argument when my decision was buy an album or figure out where I'm going to, you know, get my lunch. So, I think, now that I'm in a much different place in my life, you know, these decisions are a lot easier to make in an ethical way because that doesn't impact my livelihood nearly as much. And I think that is where solutions will probably come out of. The more people doing better, the easier it is for them to make good decisions.Corey: I sure hope you're right, but something I found is that okay we made it easy for people to make good decisions. Like, “Nope, you've just made it easier for me to scale a bunch of terrible ones. I can make 300,000 more terrible decisions before breakfast time now. Thanks.” And, “No, that's not what I did that for.” Yet here we are. Have you been tracking lately what's been going on with the HashiCorp license change?Levi: Um, a little bit, we use—obviously use Terraform in the company and a couple other Hashi products, and it was kind of a wildfire of, you know, how does this impact us? We dove in and we realized that it doesn't, but it is concerning.Corey: You're not effectively wrapping Terraform and then using that as the basis for how you do MDM across your customer fleets.Levi: Yeah. You know, we're not deploying customers' written Terraform into their environments or something kind of wild like that. Yeah, it doesn't impact us. But it is… it is concerning to watch a company pivot from an open-source, community-based project to, “Oh, you can't do that anymore.” It doesn't impact a lot of people who use it day-to-day, but I'm really worried about just the goodwill that they've lit on fire.Corey: One of the problems, too, is that their entire write-up on this was so vague that it was—there is no way to get an actual… piece of is it aimed at us or is it not without very deep analysis, and hope that when it comes to court, you're going to have the same analysis as—that is sympathetic. It's, what is considered to be a competitor? At least historically, it was pretty obvious. Some of these databases, “Okay great. Am I wrapping their database technology and then selling it as a service? No? I'm pretty good.”But with HashiCorp, what they do is so vast in a few key areas that no one has the level of certainty. I was pretty freaking certain that I'm not shipping MongoDB with my own wrapper around it, but am I shipping something that looks like Terraform if I'm managing someone's environment for them? I don't know. Everything's thrown into question. And you're right. It's the goodwill that currently is being set on fire.Levi: Yeah, I think people had an impression of Hashi that they were one of the good guys. You know, the quote-unquote, “Good guys,” in the space, right? Mitchell Hashimoto is out there as a very prominent coder, he's an engineer at heart, he's in the community, pretty influential on Twitter, and I think people saw them as not one of the big, faceless corporations, so to see moves like this happen, it… I think it shook a lot of people's opinions of them and scared them.Corey: Oh, yeah. They've always been the good guys in this context. Mitch and Armon were fantastic folks. I'm sure they still are. I don't know if this is necessarily even coming from them. It's market forces, what are investors demanding? They see everyone is using Terraform. How does that compare to HashiCorp's market value?This is one of the inherent problems if I'm being direct, of the end-stages of capitalism, where it's, “Okay, we're delivering on a lot of value. How do we capture ever more of it and growing massively?” And I don't know. I don't know what the answer is, but I don't think anyone's thrilled with this outcome. Because, let's be clear, it is not going to meaningfully juice their numbers at all. They're going to be setting up a lot of ill will against them in the industry, but I don't see the upside for them. I really don't.Levi: I haven't really done any of the analysis or looked for it, I should say. Have you seen anything about what this might actually impact any providers or anything? Because you're right, like, what kind of numbers are we actually talking about here?Corey: Right. Well, there are a few folks that have done things around this that people have named for me: Spacelift being one example, Pulumi being another, and both of them are saying, “Nope, this doesn't impact us because of X, Y, and Z.” Yeah, whether it does or doesn't, they're not going to sit there and say, “Well, I guess we don't have a company anymore. Oh, well.” And shut the whole thing down and just give their customers over to HashiCorp.Their own customers would be incensed if that happened and would not go to HashiCorp if that were to be the outcome. I think, on some level, they're setting the stage for the next evolution in what it takes to manage large-scale cloud environments effectively. I think basically, every customer I've ever dealt with on my side has been a Terraform shop. I finally decided to start learning the ins and outs of it myself a few weeks ago, and well, it feels like I should have just waited a couple more weeks and then it would have become irrelevant. Awesome. Which is a bit histrionic, but still, this is going to plant seeds for people to start meaningfully competing. I hope.Levi: Yeah, I hope so too. I have always awaited releases of Terraform Cloud with great anticipation. I generally don't like managing my Terraform back-ends, you know, I don't like managing the state files, so every time Terraform Cloud has some kind of release or something, I'm looking at it because I'm excited, oh finally, maybe this is the time I get to hand it off, right? Maybe I start to get to use their product. And it has never been a really compelling answer to the problems that I have.And I've always said, like, the [laugh] cloud journey would be Google's if they just released a managed Terraform [laugh] service. And this would be one way for them to prevent that from happening. Because Google doesn't even have an Infrastructure as Code competitor. Not really. I mean, I know they have their, what, Plans or their Projects or whatever they… their Infrastructure as Code language was, but—Corey: Isn't that what Stackdriver was supposed to be? What happened with that? It's been so long.Levi: No, that's a logging solution [laugh].Corey: That's the thing. It all runs together. Not it was their operations suite that was—Levi: There we go.Corey: —formerly Stackdriver. Yeah. Now, that does include some aspects—yeah. You're right, it's still hanging out in the observability space. This is the problem is all this stuff conflates and companies are terrible at naming and Google likes to deprecate things constantly. And yeah, but there is no real competitor. CloudFormation? Please. Get serious.Levi: Hey, you're talking to a member of the CloudFormation support group here. So, I'm still a huge fan [laugh].Corey: Emotional support group, more like it, it seems these days.Levi: It is.Corey: Oh, good. It got for loops recently. We've been asking for basically that to make them a lot less wordy only for, what, ten years?Levi: Yeah. I mean, my argument is that I'm operating at the account level, right? I need to deploy to 250, 300, 500 accounts. Show me how to do that with Terraform that isn't, you know, stab your eyes out with a fork.Corey: It can be done, but it requires an awful lot of setting things up first.Levi: Exactly.Corey: That's sort of a problem. Like yeah, once you have the first 500 going, the rest are just like butter. But that's a big step one is massive, and then step two becomes easy. Yeah… no, thank you.Levi: [laugh]. I'm going to stick with my StacksSets, thank you.Corey: [laugh]. I really want to thank you for taking the time to come back on and honestly kibitz about the state of the industry with me. If people want to learn more, where's the best place for them to find you?Levi: Well, I'm still active on the space normally known as—formerly known as Twitter. You can reach out to me there. DMs are open. I'm always willing to help people learn how to cloud better. Hopefully trying to make my presence known a little bit more on LinkedIn. If you happen to be over there, reach out.Corey: And we will, of course, put links to that in the [show notes 00:30:16]. Thank you so much for taking the time to speak with me again. It's always a pleasure.Levi: Thanks, Corey. I always appreciate it.Corey: Levi McCormick, Director of Cloud Engineering at Jamf. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, and along with an insulting comment that tells us that we completely missed the forest for the trees and that your programmfing is going to be far superior based upon generative AI.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Microsoft's recent decision to throttle traffic from old and outdated versions of On-Premises Exchange has sent shockwaves through the tech community. In today's episode, Andy and Paul Schnackenburg delve into the details of Microsoft's plans to protect Exchange Online against persistently vulnerable on-premises Exchange Servers by throttling and blocking emails from these unsupported servers.  Tune in to understand the reasoning behind Microsoft's strategy with this change, how organizations can keep themselves protected through process, and where third-party vendors can plug in and provide value.  Timestamps: 4:00 – Microsoft's plan details and communication  10:50 – Paul and Andy's thoughts on why Microsoft is making this change  18:40 – Is it “Ethical” for Microsoft to block on-prem Exchange traffic?  26:31 – What should affected organizations do?  Episode Resources: Microsoft's Announcement SMB1 Changes at Microsoft Hornetsecurity's 365 Total Protection Find Andy on LinkedIn, Twitter or Mastadon Find Paul on LinkedIn or Twitter

Nelumbo nucifera, or the sacred lotus, is a plant that grows in flood plains, rivers, and deltas. Their seeds can remain dormant for years and when floods come along, blossom into a colony of plants and flowers. Some of the oldest seeds can be found in China, where they're known to represent longevity. No surprise, given their level of nitrition and connection to the waters that irrigated crops by then. They also grow in far away lands, all the way to India and out to Australia. The flower is sacred in Hinduism and Buddhism, and further back in ancient Egypt. Padmasana is a Sanskrit term meaning lotus, or Padma, and Asana, or posture. The Pashupati seal from the Indus Valley civilization shows a diety in what's widely considered the first documented yoga pose, from around 2,500 BCE. 2,700 years later (give or take a century), the Hindu author and mystic Patanjali wrote a work referred to as the Yoga Sutras. Here he outlined the original asanas, or sitting yoga poses. The Rig Veda, from around 1,500 BCE, is the oldest currently known Vedic text. It is also the first to use the word “yoga”. It describes songs, rituals, and mantras the Brahmans of the day used - as well as the Padma. Further Vedic texts explore how the lotus grew out of Lord Vishnu with Brahma in the center. He created the Universe out of lotus petals. Lakshmi went on to grow out of a lotus from Vishnu as well. It was only natural that humans would attempt to align their own meditation practices with the beautiful meditatios of the lotus. By the 300s, art and coins showed people in the lotus position. It was described in texts that survive from the 8th century. Over the centuries contradictions in texts were clarified in a period known as Classical Yoga, then Tantra and and Hatha Yoga were developed and codified in the Post-Classical Yoga age, and as empires grew and India became a part of the British empire, Yoga began to travel to the west in the late 1800s. By 1893, Swami Vivekananda gave lectures at the Parliament of Religions in Chicago.  More practicioners meant more systems of yoga. Yogendra brought asanas to the United States in 1919, as more Indians migrated to the United States. Babaji's kriya yoga arrived in Boston in 1920. Then, as we've discussed in previous episodes, the United States tightened immigration in the 1920s and people had to go to India to get more training. Theos Bernard's Hatha Yoga: The Report of a Personal Experience brought some of that knowledge home when he came back in 1947. Indra Devi opened a yoga studio in Hollywood and wrote books for housewives. She brought a whole system, or branch home. Walt and Magana Baptiste opened a studio in San Francisco. Swamis began to come to the US and more schools were opened. Richard Hittleman began to teach yoga in New York and began to teach on television in 1961. He was one of the first to seperate the religious aspect from the health benefits. By 1965, the immigration quotas were removed and a wave of teachers came to the US to teach yoga. The Beatles went to India in 1966 and 1968, and for many Transcendental Meditation took root, which has now grown to over a thousand training centers and over 40,000 teachers. Swamis opened meditation centers, institutes, started magazines, and even magazines. Yoga became so big that Rupert Holmes even poked fun of it in his song “Escape (The Piña Colada Song)” in 1979. Yoga had become part of the counter-culture, and the generation that followed represented a backlash of sorts. A common theme of the rise of personal computers is that the early pioneers were a part of that counter-culture. Mitch Kapor graduated high school in 1967, just in time to be one of the best examples of that. Kapor built his own calculator in as a kid before going to camp to get his first exposure to programming on a Bendix. His high school got one of the 1620 IBM minicomputers and he got the bug. He went off to Yale at 16 and learned to program in APL and then found Computer Lib by Ted Nelson and learned BASIC. Then he discovered the Apple II.  Kapor did some programming for $5 per hour as a consultant, started the first east coast Apple User Group, and did some work around town. There are generations of people who did and do this kind of consulting, although now the rates are far higher. He met a grad student through the user group named Eric Rosenfeld who was working on his dissertation and needed some help programming, so Kapor wrote a little tool that took the idea of statistical analysis from the Time Shared Reactive Online Library, or TROLL, and ported it to the microcomputer, which he called Tiny Troll.  Then he enrolled in the MBA program at MIT. He got a chance to see VisiCalc and meet Bob Frankston and Dan Bricklin, who introduced him to the team at Personal Software. Personal Software was founded by Dan Fylstra and Peter Jennings when they published Microchips for the KIM-1 computer. That led to ports for the 1977 Trinity of the Commodore PET, Apple II, and TRS-80 and by then they had taken Bricklin and Franston's VisiCalc to market. VisiCalc was the killer app for those early PCs and helped make the Apple II successful. Personal Software brought Kapor on, as well as Bill Coleman of BEA Systems and Electronic Arts cofounder Rich Mellon. Today, software developers get around 70 percent royalties to publish software on app stores but at the time, fees were closer to 8 percent, a model pulled from book royalties. Much of the rest went to production of the box and disks, the sales and marketing, and support. Kapor was to write a product that could work with VisiCalc. By then Rosenfeld was off to the world of corporate finance so Kapor moved to Silicon Valley, learned how to run a startup, moved back east in 1979, and released VisiPlot and VisiTrend in 1981. He made over half a million dollars in the first six months in royalties.  By then, he bought out Rosenfeld's shares in what he was doing, hired Jonathan Sachs, who had been at MIT earlier, where he wrote the STOIC programming language, and then went to work at Data General. Sachs worked on spreadsheet ideas at Data General with a manager there, John Henderson, but after they left Data General, and the partnership fell apart, he worked with Kapor instead. They knew that for software to be fast, it needed to be written in a lower level language, so they picked the Intel 8088 assembly language given that C wasn't fast enough yet. The IBM PC came in 1981 and everything changed. Mitch Kapor and Jonathan Sachs started Lotus in 1982. Sachs got to work on what would become Lotus 1-2-3. Kapor turned out to be a great marketer and product manager. He listened to what customers said in focus groups. He pushed to make things simpler and use less jargon. They released a new spreadsheet tool in 1983 and it worked flawlessly on the IBM PC and while Microsoft had Multiplan and VisCalc was the incumbent spreadsheet program, Lotus quickly took market share from then and SuperCalc. Conceptually it looked similar to VisiCalc. They used the letter A for the first column, B for the second, etc. That has now become a standard in spreadsheets. They used the number 1 for the first row, the number 2 for the second. That too is now a standard. They added a split screen, also now a standard. They added macros, with branching if-then logic. They added different video modes, which could give color and bitmapping. They added an underlined letter so users could pull up a menu and quickly select the item they wanted once they had those orders memorized, now a standard in most menuing systems. They added the ability to add bar charts, pie charts, and line charts. One could even spread their sheet across multiple monitors like in a magazine. They refined how fields are calculated and took advantage of the larger amounts of memory to make Lotus far faster than anything else on the market. They went to Comdex towards the end of the year and introduced Lotus 1-2-3 to the world. The software could be used as a spreadsheet, but the 2 and 3 referred to graphics and database management. They did $900,000 in orders there before they went home. They couldn't even keep up with the duplication of disks. Comdex was still invitation only. It became so popular that it was used to test for IBM compatibility by clone makers and where VisiCalc became the app that helped propel the Apple II to success, Lotus 1-2-3 became the app that helped propel the IBM PC to success. Lotus was rewarded with $53 million in sales for 1983 and $156 million in 1984. Mitch Kapor found himself. They quickly scaled from less than 20 to 750 employees. They brought in Freada Klein who got her PhD to be the Head of Employee Relations and charged her with making them the most progressive employer around. After her success at Lotus, she left to start her own company and later married. Sachs left the company in 1985 and moved on to focus solely on graphics software. He still responds to requests on the phpBB forum at dl-c.com. They ran TV commercials. They released a suite of Mac apps they called Lotus Jazz. More television commercials. Jazz didn't go anywhere and only sold 20,000 copies. Meanwhile, Microsoft released Excel for the Mac, which sold ten times as many. Some blamed the lack os sales on the stringent copy protection. Others blamed the lack of memory to do cool stuff. Others blamed the high price. It was the first major setback for the young company.  After a meteoric rise, Kapor left the company in 1986, at about the height of their success. He  replaced himself with Jim Manzi. Manzi pushed the company into network applications. These would become the center of the market but were just catching on and didn't prove to be a profitable venture just yet. A defensive posture rather than expanding into an adjacent market would have made sense, at least if anyone knew how aggressive Microsoft was about to get it would have.  Manzi was far more concerned about the millions of illegal copies of the software in the market than innovation though. As we turned the page to the 1990s, Lotus had moved to a product built in C and introduced the ability to use graphical components in the software but not wouldn't be ported to the new Windows operating system until 1991 for Windows 3. By then there were plenty of competitors, including Quattro Pro and while Microsoft Excel began on the Mac, it had been a showcase of cool new features a windowing operating system could provide an application since released for Windows in 1987. Especially what they called 3d charts and tabbed spreadsheets. There was no catching up to Microsoft by then and sales steadily declined. By then, Lotus released Lotus Agenda, an information manager that could be used for time management, project management, and as a database. Kapor was a great product manager so it stands to reason he would build a great product to manage products. Agenda never found commercial success though, so was later open sourced under a GPL license. Bill Gross wrote Magellan there before he left to found GoTo.com, which was renamed to Overture and pioneered the idea of paid search advertising, which was acquired by Yahoo!. Magellan cataloged the internal drive and so became a search engine for that. It sold half a million copies and should have been profitable but was cancelled in 1990. They also released a word processor called Manuscript in 1986, which never gained traction and that was cancelled in 1989, just when a suite of office automation apps needed to be more cohesive.  Ray Ozzie had been hired at Software Arts to work on VisiCalc and then helped Lotus get Symphony out the door. Symphony shipped in 1984 and expanded from a spreadsheet to add on text with the DOC word processor, and charts with the GRAPH graphics program, FORM for a table management solution, and COM for communications. Ozzie dutifully shipped what he was hired to work on but had a deal that he could build a company when they were done that would design software that Lotus would then sell. A match made in heaven as Ozzie worked on PLATO and borrowed the ideas of PLATO Notes, a collaboration tool developed at the University of Illinois Champagne-Urbana  to build what he called Lotus Notes.  PLATO was more more than productivity. It was a community that spanned decades and Control Data Corporation had failed to take it to the mass corporate market. Ozzie took the best parts for a company and built it in isolation from the rest of Lotus. They finally released it as Lotus Notes in 1989. It was a huge success and Lotus bought Iris in 1994. Yet they never found commercial success with other socket-based client server programs and IBM acquired Lotus in 1995. That product is now known as Domino, the name of the Notes 4 server, released in 1996. Ozzie went on to build a company called Groove Networks, which was acquired by Microsoft, who appointed him one of their Chief Technology Officers. When Bill Gates left Microsoft, Ozzie took the position of Chief Software Architect he vacated. He and Dave Cutler went on to work on a project called Red Dog, which evolved into what we now know as Microsoft Azure.  Few would have guessed that Ozzie and Kapor's handshake agreement on Notes could have become a real product. Not only could people not understand the concept of collaboration and productivity on a network in the late 1980s but the type of deal hadn't been done. But Kapor by then realized that larger companies had a hard time shipping net-new software properly. Sometimes those projects are best done in isolation. And all the better if the parties involved are financially motivated with shares like Kapor wanted in Personal Software in the 1970s before he wrote Lotus 1-2-3. VisiCalc had sold about a million copies but that would cease production the same year Excel was released. Lotus hung on longer than most who competed with Microsoft on any beachhead they blitzkrieged. Microsoft released Exchange Server in 1996 and Notes had a few good years before Exchange moved in to become the standard in that market. Excel began on the Mac but took the market from Lotus eventually, after Charles Simonyi stepped in to help make the product great.  Along the way, the Lotus ecosystem created other companies, just as they were born in the Visi ecosystem. Symantec became what we now call a “portfolio” company in 1985 when they introduced NoteIt, a natural language processing tool used to annotate docs in Lotus 1-2-3. But Bill Gates mentioned Lotus by name multiple times as a competitor in his Internet Tidal Wave memo in 1995. He mentioned specific features, like how they could do secure internet browsing and that they had a web publisher tool - Microsoft's own FrontPage was released in 1995 as well. He mentioned an internet directory project with Novell and AT&T. Active Directory was released a few years later in 1999, after Jim Allchin had come in to help shepherd LAN Manager. Notes itself survived into the modern era, but by 2004 Blackberry released their Exchange connector before they released the Lotus Domino connector. That's never a good sign. Some of the history of Lotus is covered in Scott Rosenberg's 2008 book, Dreaming in Code. Others are documented here and there in other places. Still others are lost to time. Kapor went on to invest in UUNET, which became a huge early internet service provider. He invested in Real Networks, who launched the first streaming media service on the Internet. He invested in the creators of Second Life. He never seemed vindictive with Microsoft but after AOL acquired Netscape and Microsoft won the first browser war, he became the founding chair of the Mozilla Foundation and so helped bring Firefox to market. By 2006, Firefox took 10 percent of the market and went on to be a dominant force in browsers. Kapor has also sat on boards and acted as an angel investor for startups ever since leaving the company he founded. He also flew to Wyoming in 1990 after he read a post on The WELL from John Perry Barlow. Barlow was one of the great thinkers of the early Internet. They worked with Sun Microsystems and GNU Debugging Cypherpunk John Gilmore to found the Electronic Frontier Foundation, or EFF. The EFF has since been the nonprofit who leads the fight for “digital privacy, free speech, and innovation.” So not everything is about business.    

On the show, we get into the detail on Microsoft 365 Copilot announcements - what is the Semantic Index and how does it relate to the content-generation features? We decipher and  dissect where the value in Copilot lies both for a user of the software and for Microsoft; and we discuss the capabilities of more Copilot features announced too. In other news - SharePoint has some really useful features on the way; Loop gets it's hooks into Outlook, and.. two, big new features in Exchange Server on-premises. Plus there's even a few new Microsoft Teams features coming your way on the roadmap too.Want to stay up to date on all things Practical 365? Follow us on Twitter, Facebook, and Linkedin to stay up to date on all things Microsoft!

On this week's episode, Adam and Andy talk about some Microsoft news including the newly unveiled Security Co-Pilot. They also talk about Microsoft's Incident Response Retainer and their takes on the new that the Exchange team is throttling and blocking emails from on-premises Exchange servers. ------------------------------------------- Youtube Video Link: https://youtu.be/hl6YddFqxpo ------------------------------------------- Documentation: ⁠https://blogs.microsoft.com/blog/2023/03/28/introducing-microsoft-security-copilot-empowering-defenders-at-the-speed-of-ai/ https://www.microsoft.com/en-us/security/blog/2023/03/27/microsoft-incident-response-retainer-is-generally-available/ https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3762078 ------------------------------------------- Contact Us: Website: ⁠⁠⁠⁠⁠https://bluesecuritypod.com⁠⁠⁠⁠⁠ Twitter: ⁠⁠⁠⁠⁠https://twitter.com/bluesecuritypod⁠⁠⁠⁠⁠ Linkedin: ⁠⁠⁠⁠⁠https://www.linkedin.com/company/bluesecpod⁠⁠⁠⁠⁠ Youtube: ⁠⁠⁠⁠⁠https://www.youtube.com/c/BlueSecurityPodcast⁠⁠⁠⁠⁠ Twitch: ⁠⁠⁠⁠⁠https://www.twitch.tv/bluesecuritypod⁠⁠⁠⁠⁠ ------------------------------------------- Andy Jaw Mastodon: ⁠⁠⁠⁠⁠https://infosec.exchange/@ajawzero⁠⁠⁠⁠⁠ Twitter: ⁠⁠⁠⁠⁠https://twitter.com/ajawzero⁠⁠⁠⁠⁠ LinkedIn: ⁠⁠⁠⁠⁠https://www.linkedin.com/in/andyjaw/⁠⁠⁠⁠⁠ Email: ⁠⁠⁠⁠⁠andy@bluesecuritypod.com⁠⁠⁠⁠⁠ ------------------------------------------- Adam Brewer Twitter: ⁠⁠⁠⁠⁠https://twitter.com/ajbrewer⁠⁠⁠⁠⁠ LinkedIn: ⁠⁠⁠⁠⁠https://www.linkedin.com/in/adamjbrewer/⁠⁠⁠⁠⁠ Email: ⁠⁠⁠⁠⁠adam@bluesecuritypod.com --- Send in a voice message: https://podcasters.spotify.com/pod/show/blue-security-podcast/message

For many companies, the pretenses of separation between work and home have completely disappeared. This has huge security implications for organizations, but creates some opportunities as well. How should organizations and vendors approach the new paradigm of shared devices and identities?   Economic tides are changing, making profitability and identifying efficiencies a priority for many IT teams. Reducing IT costs by modernizing and migrating identity infrastructure to the cloud is one of those projects to be considered. No more wasted time and effort on maintenance, patching, and upgrades. Join us as VP of Product Management at Ping Identity, Jason Oeltjen, will discuss cloud migration benefits, timelines, and how you can improve TCO by migrating your identity to the cloud as leadership seeks the most critical initiatives to fund. Segment Resources: https://www.pingidentity.com/en/lp/migrate-to-pings-cloud.html   This segment is sponsored by Ping. Visit https://securityweekly.com/ping to learn more about them!   Finally, in the enterprise security news, The company behind Basecamp and the Hey.com email service pulls anchor and exits the cloud, Your self-hosted Exchange Server might be a problem…Is Confidential Computing for suckers? Gen Z and Millennials found not taking things seriously in, survey fielded by Boomers, Industrial Cybersecurity Market expected to take off, Github adds fine-grained personal access tokens, Australia not playing around anymore, jacks up breach fines more than 20x, Layoffs and exit troubles, & more!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw294

For many companies, the pretenses of separation between work and home have completely disappeared. This has huge security implications for organizations, but creates some opportunities as well. How should organizations and vendors approach the new paradigm of shared devices and identities?   Economic tides are changing, making profitability and identifying efficiencies a priority for many IT teams. Reducing IT costs by modernizing and migrating identity infrastructure to the cloud is one of those projects to be considered. No more wasted time and effort on maintenance, patching, and upgrades. Join us as VP of Product Management at Ping Identity, Jason Oeltjen, will discuss cloud migration benefits, timelines, and how you can improve TCO by migrating your identity to the cloud as leadership seeks the most critical initiatives to fund. Segment Resources: https://www.pingidentity.com/en/lp/migrate-to-pings-cloud.html   This segment is sponsored by Ping. Visit https://securityweekly.com/ping to learn more about them!   Finally, in the enterprise security news, The company behind Basecamp and the Hey.com email service pulls anchor and exits the cloud, Your self-hosted Exchange Server might be a problem…Is Confidential Computing for suckers? Gen Z and Millennials found not taking things seriously in, survey fielded by Boomers, Industrial Cybersecurity Market expected to take off, Github adds fine-grained personal access tokens, Australia not playing around anymore, jacks up breach fines more than 20x, Layoffs and exit troubles, & more!   Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/esw294

Finally, in the enterprise security news, The company behind Basecamp and the Hey.com email service pulls anchor and exits the cloud, Your self-hosted Exchange Server might be a problem…Is Confidential Computing for suckers? Gen Z and Millennials found not taking things seriously in, survey fielded by Boomers, Industrial Cybersecurity Market expected to take off, Github adds fine-grained personal access tokens, Australia not playing around anymore, jacks up breach fines more than 20x, Layoffs and exit troubles, & more!   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw294

Endless vulnerabilities. Widespread hacking campaigns. Slow and technically tough patching. It's time to say goodbye to on-premise Exchange.

On this week’s Cyber Security Brief podcast, Brigid O Gorman and Dick O’Brien discuss a recent blog we published on the Witchetty (aka LookingFrog) espionage group, which has been progressively updating its toolset, using new malware in attacks on targets in the Middle East and Africa, including a new tool that employs steganography. We also discuss the recently discovered Microsoft Exchange Server zero days, the U.S. defense sector being targeted by multiple APT groups, and a newly discovered espionage actor called Metador, which was spotted operating in recent weeks. We also discuss the breach of Australian telecoms giant Optus, and some new information that has emerged about the takedown of the REvil/Sodinokibi ransomware gang.

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: More Exchange 0days cause more havoc A look at some earlier Exchange hack incidents How the CIA got its agents killed with its truly awful online opsec Ex NSA staffer arrested for espionage Much, much more This week's show is brought to you by Proofpoint. Ryan Kalember, Proofpoint's EVP of cybersecurity strategy, joins the show this week to talk about some overlooked detection opportunities – some simple stuff you can look for in your environment that should raise gigantic flashing red flags. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing. Show notes Microsoft confirms two Exchange Server zero days are being used in cyberattacks - The Record by Recorded Future CISA: Multiple government hacking groups had ‘long-term' access to defense company - The Record by Recorded Future Mexican president confirms ‘Guacamaya' hack targeting regional militaries - The Record by Recorded Future Mexican journalists targeted by zero-click spyware infections - The Record by Recorded Future Ex-NSA employee charged with violating Espionage Act, selling U.S. cyber secrets Putin grants citizenship to Edward Snowden, who disclosed US eavesdropping - The Washington Post U.S. fails in bid to extradite Brit for helping North Korea evade sanctions with cryptocurrency - The Record by Recorded Future Bill Marczak on Twitter: "NEW REPORT today from @Reuters @JoelSchectman providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets https://t.co/AwN8pQtWL2" / Twitter Numerous orgs hacked after installing weaponized open source apps | Ars Technica 'Poisoned' Tor Browser tracks Chinese users' online history, location Mystery Hackers Are ‘Hyperjacking' Targets for Insidious Spying | WIRED A Matrix Update Patches Serious End-to-End Encryption Flaws | WIRED LA officials confirm ransomware group leaked students' personal data - The Record by Recorded Future Nearly 700 ransomware incidents traced back to wholesale access markets: report - The Record by Recorded Future Semiconductor industry faced 8 attacks from ransomware groups, extortion gangs in 2022 - The Record by Recorded Future CISA directs federal agencies to track software and vulnerabilities - The Record by Recorded Future Fake CISO Profiles on LinkedIn Target Fortune 500s – Krebs on Security House Democrats debut new bill to limit US police use of facial recognition | TechCrunch EP000: Operation Aurora | HACKING GOOGLE - YouTube

On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: More Exchange 0days cause more havoc A look at some earlier Exchange hack incidents How the CIA got its agents killed with its truly awful online opsec Ex NSA staffer arrested for espionage Much, much more This week's show is brought to you by Proofpoint. Ryan Kalember, Proofpoint's EVP of cybersecurity strategy, joins the show this week to talk about some overlooked detection opportunities – some simple stuff you can look for in your environment that should raise gigantic flashing red flags. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing. Show notes Microsoft confirms two Exchange Server zero days are being used in cyberattacks - The Record by Recorded Future CISA: Multiple government hacking groups had ‘long-term' access to defense company - The Record by Recorded Future Mexican president confirms ‘Guacamaya' hack targeting regional militaries - The Record by Recorded Future Mexican journalists targeted by zero-click spyware infections - The Record by Recorded Future Ex-NSA employee charged with violating Espionage Act, selling U.S. cyber secrets Putin grants citizenship to Edward Snowden, who disclosed US eavesdropping - The Washington Post U.S. fails in bid to extradite Brit for helping North Korea evade sanctions with cryptocurrency - The Record by Recorded Future Bill Marczak on Twitter: "NEW REPORT today from @Reuters @JoelSchectman providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets https://t.co/AwN8pQtWL2" / Twitter Numerous orgs hacked after installing weaponized open source apps | Ars Technica 'Poisoned' Tor Browser tracks Chinese users' online history, location Mystery Hackers Are ‘Hyperjacking' Targets for Insidious Spying | WIRED A Matrix Update Patches Serious End-to-End Encryption Flaws | WIRED LA officials confirm ransomware group leaked students' personal data - The Record by Recorded Future Nearly 700 ransomware incidents traced back to wholesale access markets: report - The Record by Recorded Future Semiconductor industry faced 8 attacks from ransomware groups, extortion gangs in 2022 - The Record by Recorded Future CISA directs federal agencies to track software and vulnerabilities - The Record by Recorded Future Fake CISO Profiles on LinkedIn Target Fortune 500s – Krebs on Security House Democrats debut new bill to limit US police use of facial recognition | TechCrunch EP000: Operation Aurora | HACKING GOOGLE - YouTube

Two Microsoft Exchange zero-days exploited in the wild. A supply chain attack, possibly from Chinese intelligence services. There's new Lazarus activity: bring-your-own-vulnerable-driver. The Mexican government falls victim to apparent hacktivism. Flying under partial mobilization's radar. Betsy Carmelite from Booz Allen Hamilton talks about addressing the cyber workforce skills gap. Our guest Rachel Tobac from SocialProof Security brings a musical approach to security awareness training. How's your off-boarding program working out? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/190 Selected reading. Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server (CISA)  Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center) Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server (GTSC) URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different” (Naked Security) Microsoft confirms two Exchange Server zero days are being used in cyberattacks (The Record by Recorded Future)Microsoft confirms new Exchange zero-days are used in attacks (BleepingComputer)  Two Microsoft Exchange zero-days exploited in the wild. (CyberWre)  CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA) Suspected Chinese hackers tampered with widely used customer chat program, researchers say (Reuters) Report: Commercial chat provider hijacked to spread malware in supply chain attack (The Record by Recorded Future)  CrowdStrike Falcon Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer (crowdstrike.com) Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium (WeLiveSecurity) Lazarus & BYOVD: evil to the Windows core (Virus Bulletin) Lazarus hackers abuse Dell driver bug using new FudModule rootkit (BleepingComputer) Mexican government suffers major data hack, president's health issues revealed (Reuters) Mexican president confirms ‘Guacamaya' hack targeting regional militaries (The Record by Recorded Future) Analysis: Mexico data hack exposes government cybersecurity vulnerability (Reuters) Russians dodging mobilization behind flourishing scam market (BleepingComputer)  Honolulu Man Pleads Guilty to Sabotaging Former Employer's Computer Network (US Department of Justice)

This episode reports on fixes for Exchange Server, the Comm100  support chat application, a survey of Canadian post-secondary students' attitudes towards cybersecurity and more  

Microsoft confirms two Exchange Server zero days are being used in cyberattacks Lazarus hackers abuse Dell driver bug using new FudModule rootkit Ex-NSA employee charged with violating Espionage Act, selling U.S. cyber secrets Thanks to today's episode sponsor, Hunters Hunters is a SaaS platform, purpose built for Security Operation teams. Providing unlimited dataingestion and normalization at a predictable cost, Hunters helps SOC teams mitigate real threats faster and more reliably than SIEM. Visit Hunters.ai to learn more. For the stories behind the headlines, head to CISOseries.com.

Alex Kipman leaves Microsoft, Windows 11 gets updates, Microsoft unions  Report: Toxicity Continues at Nadella's Microsoft  HoloLens chief Kipman is out. So what's next for Microsoft's metaverse strategy?  Microsoft is Leaving Russia  Microsoft Will Respect Unionization Efforts from its Employees Windows 11  Microsoft begins rolling out Windows 11 22H2 to testers in the Release Preview channel  Microsoft Releases Windows 11 Insider Build 25131 and ARM64 Microsoft Store  Windows 11 Version 22H2 is Showing Up on Some Unsupported PCs Microsoft 365  Microsoft: Next version of Exchange Server not until 2025  Apple Revamps the iPad Multitasking Experience with iPadOS 16 Dev Microsoft Releases Windows App SDK 1.1 Xbox Minecraft: Java & Bedrock Edition Launches on PC Today E3 is Coming Back as a Physical and Digital Event Next Year  Announcing Call of Duty: Modern Warfare II - Xbox Wire Tips and Picks Tip of the week: Learn about the new features in Windows 11 Tip of the week: Add Windows 11 visual style to Microsoft Edge Tip of the week: Transcribe any audio or video file with Word for Web Enterprise pick of the week: Windows Customer Connection Program Enterprise pick of the week: IE users — June 15 is the day Beer pick of the week: Hudson Valley Demiurge sour IPA Hosts: Leo Laporte, Mary Jo Foley, and Paul Thurrott Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com Check out Mary Jo's blog at AllAboutMicrosoft.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: plextrac.com/twit Nuvei.com hover.com/twit

Alex Kipman leaves Microsoft, Windows 11 gets updates, Microsoft unions  Report: Toxicity Continues at Nadella's Microsoft  HoloLens chief Kipman is out. So what's next for Microsoft's metaverse strategy?  Microsoft is Leaving Russia  Microsoft Will Respect Unionization Efforts from its Employees Windows 11  Microsoft begins rolling out Windows 11 22H2 to testers in the Release Preview channel  Microsoft Releases Windows 11 Insider Build 25131 and ARM64 Microsoft Store  Windows 11 Version 22H2 is Showing Up on Some Unsupported PCs Microsoft 365  Microsoft: Next version of Exchange Server not until 2025  Apple Revamps the iPad Multitasking Experience with iPadOS 16 Dev Microsoft Releases Windows App SDK 1.1 Xbox Minecraft: Java & Bedrock Edition Launches on PC Today E3 is Coming Back as a Physical and Digital Event Next Year  Announcing Call of Duty: Modern Warfare II - Xbox Wire Tips and Picks Tip of the week: Learn about the new features in Windows 11 Tip of the week: Add Windows 11 visual style to Microsoft Edge Tip of the week: Transcribe any audio or video file with Word for Web Enterprise pick of the week: Windows Customer Connection Program Enterprise pick of the week: IE users — June 15 is the day Beer pick of the week: Hudson Valley Demiurge sour IPA Hosts: Leo Laporte, Mary Jo Foley, and Paul Thurrott Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com Check out Mary Jo's blog at AllAboutMicrosoft.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: plextrac.com/twit Nuvei.com hover.com/twit

Alex Kipman leaves Microsoft, Windows 11 gets updates, Microsoft unions  Report: Toxicity Continues at Nadella's Microsoft  HoloLens chief Kipman is out. So what's next for Microsoft's metaverse strategy?  Microsoft is Leaving Russia  Microsoft Will Respect Unionization Efforts from its Employees Windows 11  Microsoft begins rolling out Windows 11 22H2 to testers in the Release Preview channel  Microsoft Releases Windows 11 Insider Build 25131 and ARM64 Microsoft Store  Windows 11 Version 22H2 is Showing Up on Some Unsupported PCs Microsoft 365  Microsoft: Next version of Exchange Server not until 2025  Apple Revamps the iPad Multitasking Experience with iPadOS 16 Dev Microsoft Releases Windows App SDK 1.1 Xbox Minecraft: Java & Bedrock Edition Launches on PC Today E3 is Coming Back as a Physical and Digital Event Next Year  Announcing Call of Duty: Modern Warfare II - Xbox Wire Tips and Picks Tip of the week: Learn about the new features in Windows 11 Tip of the week: Add Windows 11 visual style to Microsoft Edge Tip of the week: Transcribe any audio or video file with Word for Web Enterprise pick of the week: Windows Customer Connection Program Enterprise pick of the week: IE users — June 15 is the day Beer pick of the week: Hudson Valley Demiurge sour IPA Hosts: Leo Laporte, Mary Jo Foley, and Paul Thurrott Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com Check out Mary Jo's blog at AllAboutMicrosoft.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: plextrac.com/twit Nuvei.com hover.com/twit

Alex Kipman leaves Microsoft, Windows 11 gets updates, Microsoft unions  Report: Toxicity Continues at Nadella's Microsoft  HoloLens chief Kipman is out. So what's next for Microsoft's metaverse strategy?  Microsoft is Leaving Russia  Microsoft Will Respect Unionization Efforts from its Employees Windows 11  Microsoft begins rolling out Windows 11 22H2 to testers in the Release Preview channel  Microsoft Releases Windows 11 Insider Build 25131 and ARM64 Microsoft Store  Windows 11 Version 22H2 is Showing Up on Some Unsupported PCs Microsoft 365  Microsoft: Next version of Exchange Server not until 2025  Apple Revamps the iPad Multitasking Experience with iPadOS 16 Dev Microsoft Releases Windows App SDK 1.1 Xbox Minecraft: Java & Bedrock Edition Launches on PC Today E3 is Coming Back as a Physical and Digital Event Next Year  Announcing Call of Duty: Modern Warfare II - Xbox Wire Tips and Picks Tip of the week: Learn about the new features in Windows 11 Tip of the week: Add Windows 11 visual style to Microsoft Edge Tip of the week: Transcribe any audio or video file with Word for Web Enterprise pick of the week: Windows Customer Connection Program Enterprise pick of the week: IE users — June 15 is the day Beer pick of the week: Hudson Valley Demiurge sour IPA Hosts: Leo Laporte, Mary Jo Foley, and Paul Thurrott Download or subscribe to this show at https://twit.tv/shows/windows-weekly Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Check out Paul's blog at thurrott.com Check out Mary Jo's blog at AllAboutMicrosoft.com The Windows Weekly theme music is courtesy of Carl Franklin. Sponsors: plextrac.com/twit Nuvei.com hover.com/twit

About TimTimothy William Bray is a Canadian software developer, environmentalist, political activist and one of the co-authors of the original XML specification. He worked for Amazon Web Services from December 2014 until May 2020 when he quit due to concerns over the terminating of whistleblowers. Previously he has been employed by Google, Sun Microsystemsand Digital Equipment Corporation (DEC). Bray has also founded or co-founded several start-ups such as Antarctica Systems.Links Referenced: Textuality Services: https://www.textuality.com/ laugh]. So, the impetus for having this conversation is, you had a [blog post: https://www.tbray.org/ongoing/When/202x/2022/01/30/Cloud-Lock-In @timbray: https://twitter.com/timbray tbray.org: https://tbray.org duckbillgroup.com: https://duckbillgroup.com TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at Vultr. Spelled V-U-L-T-R because they're all about helping save money, including on things like, you know, vowels. So, what they do is they are a cloud provider that provides surprisingly high performance cloud compute at a price that—while sure they claim its better than AWS pricing—and when they say that they mean it is less money. Sure, I don't dispute that but what I find interesting is that it's predictable. They tell you in advance on a monthly basis what it's going to going to cost. They have a bunch of advanced networking features. They have nineteen global locations and scale things elastically. Not to be confused with openly, because apparently elastic and open can mean the same thing sometimes. They have had over a million users. Deployments take less that sixty seconds across twelve pre-selected operating systems. Or, if you're one of those nutters like me, you can bring your own ISO and install basically any operating system you want. Starting with pricing as low as $2.50 a month for Vultr cloud compute they have plans for developers and businesses of all sizes, except maybe Amazon, who stubbornly insists on having something to scale all on their own. Try Vultr today for free by visiting: vultr.com/screaming, and you'll receive a $100 in credit. Thats V-U-L-T-R.com slash screaming.Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured and fully managed with built in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: make your data sing.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today has been on a year or two ago, but today, we're going in a bit of a different direction. Tim Bray is a principal at Textuality Services.Once upon a time, he was a Distinguished Engineer slash VP at AWS, but let's be clear, he isn't solely focused on one company; he also used to work at Google. Also, there is scuttlebutt that he might have had something to do, at one point, with the creation of God's true language, XML. Tim, thank you for coming back on the show and suffering my slings and arrows.Tim: Oh, you're just fine. Glad to be here.Corey: [laugh]. So, the impetus for having this conversation is, you had a blog post somewhat recently—by which I mean, January of 2022—where you talked about lock-in and multi-cloud, two subjects near and dear to my heart, mostly because I have what I thought was a fairly countercultural opinion. You seem to have a very closely aligned perspective on this. But let's not get too far ahead of ourselves. Where did this blog posts come from?Tim: Well, I advised a couple of companies and one of them happens to be using GCP and the other happens to be using AWS and I get involved in a lot of industry conversations, and I noticed that multi-cloud is a buzzword. If you go and type multi-cloud into Google, you get, like, a page of people saying, “We will solve your multi-cloud problems. Come to us and you will be multi-cloud.” And I was not sure what to think, so I started writing to find out what I would think. And I think it's not complicated anymore. I think the multi-cloud is a reality in most companies. I think that many mainstream, non-startup companies are really worried about cloud lock-in, and that's not entirely unreasonable. So, it's a reasonable thing to think about and it's a reasonable thing to try and find the right balance between avoiding lock-in and not slowing yourself down. And the issues were interesting. What was surprising is that I published that blog piece saying what I thought were some kind of controversial things, and I got no pushback. Which was, you know, why I started talking to you and saying, “Corey, you know, does nobody disagree with this? Do you disagree with this? Maybe we should have a talk and see if this is just the new conventional wisdom.”Corey: There's nothing worse than almost trying to pick a fight, but no one actually winds up taking you up on the opportunity. That always feels a little off. Let's break it down into two issues because I would argue that they are intertwined, but not necessarily the same thing. Let's start with multi-cloud because it turns out that there's just enough nuance to—at least where I sit on this position—that whenever I tweet about it, I wind up getting wildly misinterpreted. Do you find that as well?Tim: Not so much. It's not a subject I have really had too much to say about, but it does mean lots of different things. And so it's not totally surprising that that happens. I mean, some people think when you say multi-cloud, you mean, “Well, I'm going to take my strategic application, and I'm going to run it in parallel on AWS and GCP because that way, I'll be more resilient and other good things will happen.” And then there's another thing, which is that, “Well, you know, as my company grows, I'm naturally going to be using lots of different technologies and that might include more than one cloud.” So, there's a whole spectrum of things that multi-cloud could mean. So, I guess when we talk about it, we probably owe it to our audiences to be clear what we're talking about.Corey: Let's be clear, from my perspective, the common definition of multi-cloud is whatever the person talking is trying to sell you at that point in time is, of course, what multi-cloud is. If it's a third-party dashboard, for example, “Oh, yeah, you want to be able to look at all of your cloud usage on a single pane of glass.” If it's a certain—well, I guess, certain not a given cloud provider, well, they understand if you go all-in on a cloud provider, it's probably not going to be them so they're, of course, going to talk about multi-cloud. And if it's AWS, where they are the 8000-pound gorilla in the space, “Oh, yeah, multi-clouds, terrible. Put everything on AWS. The end.” It seems that most people who talk about this have a very self-serving motivation that they can't entirely escape. That bias does reflect itself.Tim: That's true. When I joined AWS, which was around 2014, the PR line was a very hard line. “Well, multi-cloud that's not something you should invest in.” And I've noticed that the conversation online has become much softer. And I think one reason for that is that going all-in on a single cloud is at least possible when you're a startup, but if you're a big company, you know, a insurance company, a tire manufacturer, that kind of thing, you're going to be multi-cloud, for the same reason that they already have COBOL on the mainframe and Java on the old Sun boxes, and Mongo running somewhere else, and five different programming languages.And that's just the way big companies are, it's a consequence of M&A, it's a consequence of research projects that succeeded, one kind or another. I mean, lots of big companies have been trying to get rid of COBOL for decades, literally, [laugh] and not succeeding and doing that. So—Corey: It's ‘legacy' which is, of course, the condescending engineering term for, “It makes money.”Tim: And works. And so I don't think it's realistic to, as a matter of principle, not be multi-cloud.Corey: Let's define our terms a little more closely because very often, people like to pull strange gotchas out of the air. Because when I talk about this, I'm talking about—like, when I speak about it off the cuff, I'm thinking in terms of where do I run my containers? Where do I run my virtual machines? Where does my database live? But you can also move in a bunch of different directions. Where do my Git repositories live? What Office suite am I using? What am I using for my CRM? Et cetera, et cetera? Where do you draw the boundary lines because it's very easy to talk past each other if we're not careful here?Tim: Right. And, you know, let's grant that if you're a mainstream enterprise, you're running your Office automation on Microsoft, and they're twisting your arm to use the cloud version, so you probably are. And if you have any sense at all, you're not running your own Exchange Server, so let's assume that you're using Microsoft Azure for that. And you're running Salesforce, and that means you're on Salesforce's cloud. And a lot of other Software-as-a-Service offerings might be on AWS or Azure or GCP; they don't even tell you.So, I think probably the crucial issue that we should focus our conversation on is my own apps, my own software that is my core competence that I actually use to run the core of my business. And typically, that's the only place where a company would and should invest serious engineering resources to build software. And that's where the question comes, where should that software that I'm going to build run? And should it run on just one cloud, or—Corey: I found that when I gave a conference talk on this, in the before times, I had to have a ever lengthier section about, “I'm speaking in the general sense; there are specific cases where it does make sense for you to go in a multi-cloud direction.” And when I'm talking about multi-cloud, I'm not necessarily talking about Workload A lives on Azure and Workload B lives on AWS, through mergers, or weird corporate approaches, or shadow IT that—surprise—that's not revenue-bearing. Well, I guess we have to live with it. There are a lot of different divisions doing different things and you're going to see that a fair bit. And I'm not convinced that's a terrible idea as such. I'm talking about the single workload that we're going to spread across two or more clouds, intentionally.Tim: That's probably not a good idea. I just can't see that being a good idea, simply because you get into a problem of just terminology and semantics. You know, the different providers mean different things by the word ‘region' and the word ‘instance,' and things like that. And then there's the people problem. I mean, I don't think I personally know anybody who would claim to be able to build and deploy an application on AWS and also on GCP. I'm sure some people exist, but I don't know any of them.Corey: Well, Forrest Brazeal was deep in the AWS weeds and now he's the head of content at Google Cloud. I will credit him that he probably has learned to smack an API around over there.Tim: But you know, you're going to have a hard time hiring a person like that.Corey: Yeah. You can count these people almost as individuals.Tim: And that's a big problem. And you know, in a lot of cases, it's clearly the case that our profession is talent-starved—I mean, the whole world is talent-starved at the moment, but our profession in particular—and a lot of the decisions about what you can build and what you can do are highly contingent on who you can hire. And you can't hire a multi-cloud expert, well, you should not deploy, [laugh] you know, a multi-cloud application.Now, having said that, I just want to dot this i here and say that it can be made to kind of work. I've got this one company I advise—I wrote about it in the blog piece—that used to be on AWS and switched over to GCP. I don't even know why; this happened before I joined them. And they have a lot of applications and then they have some integrations with third-party partners which they implemented with AWS Lambda functions. So, when they moved over to GCP, they didn't stop doing that.So, this mission-critical latency-sensitive application of theirs runs on GCP that calls out to AWS to make calls into their partners' APIs and so on. And works fine. Solid as a rock, reliable, low latency. And so I talked to a person I know who knows over on the AWS side, and they said, “Oh, yeah sure, you know, we talked to those guys. Lots of people do that. We make sure, you know, the connections are low latency and solid.” So, technically speaking, it can be done. But for a variety of business reasons—maybe the most important one being expertise and who you can hire—it's probably just not a good idea.Corey: One of the areas where I think is an exception case is if you are a SaaS provider. Let's pick a big easy example: Snowflake, where they are a data warehouse. They've got to run their data warehousing application in all of the major clouds because that is where their customers are. And it turns out that if you're going to send a few petabytes into a data warehouse, you really don't want to be paying cloud egress rates to do it because it turns out, you can just bootstrap a second company for that much money.Tim: Well, Zoom would be another example, obviously.Corey: Oh, yeah. Anything that's heavy on data transfer is going to be a strange one. And there's being close to customers; gaming companies are another good example on this where a lot of the game servers themselves will be spread across a bunch of different providers, just purely based on latency metrics around what is close to certain customer clusters.Tim: I can't disagree with that. You know, I wonder how large a segment that is, of people who are, I think you're talking about core technology companies. Now, of the potential customers of the cloud providers, how many of them are core technology companies, like the kind we're talking about, who have such a need, and how many people who just are people who just want to run their manufacturing and product design and stuff. And for those, buying into a particular cloud is probably a perfectly sensible choice.Corey: I've also seen regulatory stories about this. I haven't been able to track them down specifically, but there is a pervasive belief that one interpretation of UK banking regulations stipulates that you have to be able to get back up and running within 30 days on a different cloud provider entirely. And also, they have the regulatory requirement that I believe the data remain in-country. So, that's a little odd. And honestly, when it comes to best practices and how you should architect things, I'm going to take a distinct backseat to legal requirements imposed upon you by your regulator. But let's be clear here, I'm not advising people to go and tell their auditors that they're wrong on these things.Tim: I had not heard that story, but you know, it sounds plausible. So, I wonder if that is actually in effect, which is to say, could a huge British banking company, in fact do that? Could they in fact, decamp from Azure and move over to GCP or AWS in 30 days? Boy.Corey: That is what one bank I spoke to over there was insistent on. A second bank I spoke to in that same jurisdiction had never heard of such a thing, so I feel like a lot of this is subject to auditor interpretation. Again, I am not an expert in this space. I do not pretend to be—I know I'm that rarest of all breeds: A white guy with a microphone in tech who admits he doesn't know something. But here we are.Tim: Yeah, I mean, I imagine it could be plausible if you didn't use any higher-level services, and you just, you know, rented instances and were careful about which version of Linux you ran and we're just running a bunch of Java code, which actually, you know, describes the workload of a lot of financial institutions. So, it should be a matter of getting… all the right instances configured and the JVM configured and launched. I mean, there are no… architecturally terrifying barriers to doing that. Of course, to do that, it would mean you would have to avoid using any of the higher-level services that are particular to any cloud provider and basically just treat them as people you rent boxes from, which is probably not a good choice for other business reasons.Corey: Which can also include things as seemingly low-level is load balancers, just based upon different provisioning modes, failure modes, and the rest. You're probably going to have a more consistent experience running HAProxy or nginx yourself to do it. But Tim, I have it on good authority that this is the old way of thinking, and that Kubernetes solves all of it. And through the power of containers and powers combining and whatnot, that frees us from being beholden to any given provider and our workloads are now all free as birds.Tim: Well, I will go as far as saying that if you are in the position of trying to be portable, probably using containers is a smart thing to do because that's a more tractable level of abstraction that does give you some insulation from, you know, which version of Linux you're running and things like that. The proposition that configuring and running Kubernetes is easier than configuring and running [laugh] JVM on Linux [laugh] is unsupported by any evidence I've seen. So, I'm dubious of the proposition that operating at the Kubernetes-level at the [unintelligible 00:14:42] level, you know, there's good reasons why some people want to do that, but I'm dubious of the proposition that really makes you more portable in an essential way.Corey: Well, you're also not the target market for Kubernetes. You have worked at multiple cloud providers and I feel like the real advantage of Kubernetes is people who happen to want to protect that they do so they can act as a sort of a cosplay of being their own cloud provider by running all the intricacies of Kubernetes. I'm halfway kidding, but there is an uncomfortable element of truth to that to some of the conversations I've had with some of its more, shall we say, fanatical adherents.Tim: Well, I think you and I are neither of us huge fans of Kubernetes, but my reasons are maybe a little different. Kubernetes does some really useful things. It really, really does. It allows you to take n VMs, and pack m different applications onto them in a way that takes reasonably good advantage of the processing power they have. And it allows you to have different things running in one place with different IP addresses.It sounds straightforward, but that turns out to be really helpful in a lot of ways. So, I'm actually kind of sympathetic with what Kubernetes is trying to be. My big gripe with it is that I think that good technology should make easy things easy and difficult things possible, and I think Kubernetes fails the first test there. I think the complexity that it involves is out of balance with the benefits you get. There's a lot of really, really smart people who disagree with me, so this is not a hill I'm going to die on.Corey: This is very much one of those areas where reasonable people can disagree. I find the complexity to be overwhelming; it has to collapse. At this point, it's finding someone who can competently run Kubernetes in production is a bit hard to do and they tend to be extremely expensive. You aren't going to find a team of those people at every company that wants to do things like this, and they're certainly not going to be able to find it in their budget in many cases. So, it's a challenging thing to do.Tim: Well, that's true. And another thing is that once you step onto the Kubernetes slope, you start looking about Istio and Envoy and [fabric 00:16:48] technology. And we're talking about extreme complexity squared at that point. But you know, here's the thing is, back in 2018 I think it was, in his keynote, Werner said that the big goal is that all the code you ever write should be application logic that delivers business value, which you know rep—Corey: Didn't CGI say the same thing? Didn't—like, isn't there, like, a long history dating back longer than I believe either of us have been alive have, “With this, all you're going to write is business logic.” That was the Java promise. That was the Google App Engine promise. Again, and again, we've had that carrot dangled in front of us, and it feels like the reality with Lambda is, the only code you will write is not necessarily business logic, it's getting the thing to speak to the other service you're trying to get it to talk to because a lot of these integrations are super finicky. At least back when I started learning how this stuff worked, they were.Tim: People understand where the pain points are and are indeed working on them. But I think we can agree that if you believe in that as a goal—which I still do; I mean, we may not have got there, but it's still a worthwhile goal to work on. We can agree that wrangling Istio configurations is not such a thing; it's not [laugh] directly value-adding business logic. To the extent that you can do that, I think serverless provides a plausible way forward. Now, you can be all cynical about, “Well, I still have trouble making my Lambda to talk to my other thing.” But you know, I've done that, and I've also deployed JVM on bare metal kind of thing.You know what? I'd rather do things at the Lambda level. I really rather would. Because capacity forecasting is a horribly difficult thing, we're all terrible at it, and the penalties for being wrong are really bad. If you under-specify your capacity, your customers have a lousy experience, and if you over-specify it, and you have an architecture that makes you configure for peak load, you're going to spend bucket-loads of money that you don't need to.Corey: “But you're then putting your availability in the cloud providers' hands.” “Yeah, you already were. Now, we're just being explicit about acknowledging that.”Tim: Yeah. Yeah, absolutely. And that's highly relevant to the current discussion because if you use the higher-level serverless function if you decide, okay, I'm going to go with Lambda and Dynamo and EventBridge and that kind of thing, well, that's not portable at all. I mean, APIs are totally idiosyncratic for AWS and GCP's equivalent, and Azure's—what do they call it? Permanent functions or something-a-rather functions. So yeah, that's part of the trade-off you have to think about. If you're going to do that, you're definitely not going to be multi-cloud in that application.Corey: And in many cases, one of the stated goals for going multi-cloud is that you can avoid the downtime of a single provider. People love to point at the big AWS outages or, “See? They were down for half a day.” And there is a societal question of what happens when everyone is down for half a day at the same time, but in most cases, what I'm seeing, your instead of getting rid of a single point of failure, introducing a second one. If either one of them is down your applications down, so you've doubled your outage surface area.On the rare occasions where you're able to map your dependencies appropriately, great. Are your third-party critical providers all doing the same? If you're an e-commerce site and Stripe processes your payments, well, they're public about being all-in on AWS. So, if you can't process payments, does it really matter that your website stays up? It becomes an interesting question. And those are the ones that you know about, let alone the third, fourth-order dependencies that are almost impossible to map unless everyone is as diligent as you are. It's a heavy, heavy lift.Tim: I'm going to push back a little bit. Now, for example, this company I'm advising that running GCP and calling out to Lambda is in that position; either GCP or Lambda goes off the air. On the other hand, if you've got somebody like Zoom, they're probably running parallel full stacks on the different cloud providers. And if you're doing that, then you can at least plausibly claim that you're in a good place because if Dynamo has an outage—and everything relies on Dynamo—then you shift your load over to GCP or Oracle [laugh] and you're still on the air.Corey: Yeah, but what is up as well because Zoom loves to sign me out on my desktop whenever I log into it on my laptop, and vice versa, and I wonder if that authentication and login system is also replicated full-stack to everywhere it goes, and what the fencing on that looks like, and how the communication between all those things works? I wouldn't doubt that it's possible that they've solved for this, but I also wonder how thoroughly they've really tested all of the, too. Not because I question them any; just because this stuff is super intricate as you start tracing it down into the nitty-gritty levels of the madness that consumes all these abstractions.Tim: Well, right, that's a conventional wisdom that is really wise and true, which is that if you have software that is alleged to do something like allow you to get going on another cloud, unless you've tested it within the last three weeks, it's not going to work when you need it.Corey: Oh, it's like a DR exercise: The next commit you make breaks it. Once you have the thing working again, it sits around as a binder, and it's a best guess. And let's be serious, a lot of these DR exercises presume that you're able to, for example, change DNS records on the fly, or be able to get a virtual machine provisioned in less than 45 minutes—because when there's an actual outage, surprise, everyone's trying to do the same things—there's a lot of stuff in there that gets really wonky at weird levels.Tim: A related similar exercise, which is people who want to be on AWS but want to be multi-region. It's actually, you know, a fairly similar kind of problem. If I need to be able to fail out of us-east-1—well, God help you, because if you need to everybody else needs to as well—but you know, would that work?Corey: Before you go multi-cloud go multi-region first. Tell me how easy it is because then you have full-feature parity—presumably—between everything; it should just be a walk in the park. Send me a postcard once you get that set up and I'll eat a bunch of words. And it turns out, basically, no one does.Tim: Mm-hm.Corey: Another area of lock-in around a lot of this stuff, and I think that makes it very hard to go multi-cloud is the security model of how does that interface with various aspects. In many cases, I'm seeing people doing full-on network overlays. They don't have to worry about the different security group models and VPCs and all the rest. They can just treat everything as a node sitting on the internet, and the only thing it talks to is an overlay network. Which is terrible, but that seems to be one of the only ways people are able to build things that span multiple providers with any degree of success.Tim: Well, that is painful because, much as we all like to scoff and so on, in the degree of complexity you get into there, it is the case that your typical public cloud provider can do security better than you can. They just can. It's a fact of life. And if you're using a public cloud provider and not taking advantage of their security offerings, infrastructure, that's probably dumb. But if you really want to be multi-cloud, you kind of have to, as you said.In particular, this gets back to the problem of expertise because it's hard enough to hire somebody who really understands IAM deeply and how to get that working properly, try and find somebody who can understand that level of thing on two different cloud providers at once. Oh, gosh.Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I'm going to just guess that it's awful because it's always awful. No one loves their deployment process. What if launching new features didn't require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren't what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.Corey: Another point you made in your blog post was the idea of lock-in, of people being worried that going all-in on a provider was setting them up to be, I think Oracle is the term that was tossed around where once you're dependent on a provider, what's to stop them from cranking the pricing knobs until you squeal?Tim: Nothing. And I think that is a perfectly sane thing to worry about. Now, in the short term, based on my personal experience working with, you know, AWS leadership, I think that it's probably not a big short-term risk. AWS is clearly aware that most of the growth is still in front of them. You know, the amount of all of it that's on the cloud is still pretty small and so the thing to worry about right now is growth.And they are really, really genuinely, sincerely focused on customer success and will bend over backwards to deal with the customers problems as they are. And I've seen places where people have negotiated a huge multi-year enterprise agreement based on Reserved Instances or something like that, and then realize, oh, wait, we need to switch our whole technology stack, but you've got us by the RIs and AWS will say, “No, no, it's okay. We'll tear that up and rewrite it and get you where you need to go.” So, in the short term, between now and 2025, would I worry about my cloud provider doing that? Probably not so much.But let's go a little further out. Let's say it's, you know, 2030 or something like that, and at that point, you know, Andy Jassy decided to be a full-time sports mogul, and Satya Narayana has gone off to be a recreational sailboat owner or something like that, and private equity operators come in and take very significant stakes in the public cloud providers, and get a lot of their guys on the board, and you have a very different dynamic. And you have something that starts to feel like Oracle where their priority isn't, you know, optimizing for growth and customer success; their priority is optimizing for a quarterly bottom line, and—Corey: Revenue extraction becomes the goal.Tim: That's absolutely right. And this is not a hypothetical scenario; it's happened. Most large companies do not control the amount of money they spend per year to have desktop software that works. They pay whatever Microsoft's going to say they pay because they don't have a choice. And a lot of companies are in the same situation with their database.They don't get to budget, their database budget. Oracle comes in and says, “Here's what you're going to pay,” and that's what you pay. You really don't want to be in a situation with your cloud, and that's why I think it's perfectly reasonable for somebody who is doing cloud transition at a major financial or manufacturing or service provider company to have an eye to this. You know, let's not completely ignore the lock-in issue.Corey: There is a significant scale with enterprise deals and contracts. There is almost always a contractual provision that says if you're going to raise a price with any cloud provider, there's a fixed period of time of notice you must give before it happens. I feel like the first mover there winds up getting soaked because everyone is going to panic and migrate in other directions. I mean, Google tried it with Google Maps for their API, and not quite Google Cloud, but also scared the bejesus out of a whole bunch of people who were, “Wait. Is this a harbinger of things to come?”Tim: Well, not in the short term, I don't think. And I think you know, Google Maps [is absurdly 00:26:36] underpriced. That's hellishly expensive service. And it's supposed to pay for itself by, you know, advertising on maps. I don't know about that.I would see that as the exception rather than the rule. I think that it's reasonable to expect cloud prices, nominally at least, to go on decreasing for at least the short term, maybe even the medium term. But that's—can't go on forever.Corey: It also feels to me, like having looked at an awful lot of AWS environments that if there were to be some sort of regulatory action or some really weird outage for a year that meant that AWS could not onboard a single new customer, their revenue year-over-year would continue to increase purely by organic growth because there is no forcing function that turns the thing off when you're done using it. In fact, they can migrate things around to hardware that works, they can continue building you for the things sitting there idle. And there is no governance path on that. So, on some level, winding up doing a price increase is going to cause a massive company focus on fixing a lot of that. It feels on some level like it is drawing attention to a thing that they don't really want to draw attention to from a purely revenue extraction story.When CentOS back-walked their ten-year support line two years, suddenly—and with an idea that it would drive [unintelligible 00:27:56] adoption. Well, suddenly, a lot of people looked at their environment, saw they had old [unintelligible 00:28:00] they weren't using. And massively short-sighted, massively irritated a whole bunch of people who needed that in the short term, but by the renewal, we're going to be on to Ubuntu or something else. It feels like it's going to backfire massively, and I'd like to imagine the strategist of whoever takes the reins of these companies is going to be smarter than that. But here we are.Tim: Here we are. And you know it's interesting you should mention regulatory action. At the moment, there are only three credible public cloud providers. It's not obvious the Google's really in it for the long haul, as last time I checked, they were claiming to maybe be breaking even on it. That's not a good number, you know? You'd like there to be more than that.And if it goes on like that, eventually, some politician is going to say, “Oh, maybe they should be regulated like public utilities,” because they kind of are right? And I would think that anybody who did get into Oracle-izing would be—you know, accelerate that happening. Having said that, we do live in the atmosphere of 21st-century capitalism, and growth is the God that must be worshiped at all costs. Who knows. It's a cloudy future. Hard to see.Corey: It really is. I also want to be clear, on some level, that with Google's current position, if they weren't taking a small loss at least, on these things, I would worry. Like, wait, you're trying to catch AWS and you don't have anything better to invest that money into than just well time to start taking profits from it. So, I can see both sides of that one.Tim: Right. And as I keep saying, I've already said once during this slot, you know, the total cloud spend in the world is probably on the order of one or two-hundred billion per annum, and global IT is in multiple trillions. So, [laugh] there's a lot more space for growth. Years and years worth of it.Corey: Yeah. The challenge, too, is that people are worried about this long-term strategic point of view. So, one thing you talked about in your blog post is the idea of using hosted open-source solutions. Like, instead of using Kinesis, you'd wind up using Kafka or instead of using DynamoDB you use their managed Cassandra service—or as I think of it Amazon Basics Cassandra—and effectively going down the path of letting them manage this thing, but you then have a theoretical Exodus path. Where do you land on that?Tim: I think that speaks to a lot of people's concerns, and I've had conversations with really smart people about that who like that idea. Now, to be realistic, it doesn't make migration easy because you've still got all the CI and CD and monitoring and management and scaling and alarms and alerts and paging and et cetera, et cetera, et cetera, wrapped around it. So, it's not as though you could just pick up your managed Kafka off AWS and drop a huge installation onto GCP easily. But at least, you know, your data plan APIs are the same, so a lot of your code would probably still run okay. So, it's a plausible path forward. And when people say, “I want to do that,” well, it does mean that you can't go all serverless. But it's not a totally insane path forward.Corey: So, one last point in your blog post that I think a lot of people think about only after they get bitten by it is the idea of data gravity. I alluded earlier in our conversation to data egress charges, but my experience has been that where your data lives is effectively where the rest of your cloud usage tends to aggregate. How do you see it?Tim: Well, it's a real issue, but I think it might perhaps be a little overblown. People throw the term petabytes around, and people don't realize how big a petabyte is. A petabyte is just an insanely huge amount of data, and the notion of transmitting one over the internet is terrifying. And there are lots of enterprises that have multiple petabytes around, and so they think, “Well, you know, it would take me 26 years to transmit that, so I can't.”And they might be wrong. The internet's getting faster all time. Did you notice? I've been able to move some—for purely personal projects—insane amounts of data, and it gets there a lot faster than you did. Secondly, in the case of AWS Snowmobile, we have an existence proof that you can do exabyte-ish scale data transfers in the time it takes to drive a truck across the country.Corey: Inbound only. Snowmobiles are not—at least according to public examples—are valid for Exodus.Tim: But you know, this is kind of place where regulatory action might come into play if what the people were doing was seen to be abusive. I mean, there's an existence proof you can do this thing. But here's another point. So, I suppose you have, like, 15 petabytes—that's an insane amount of data—displayed in your corporate application. So, are you actually using that to run the application, or is a huge proportion of that stuff just logs and data gathered of various kinds that's being used in analytics applications and AI models and so on?Do you actually need all that data to actually run your app? And could you in fact, just pick up the stuff you need for your app, move it to a different cloud provider from there and leave your analytics on the first one? Not a totally insane idea.Corey: It's not a terrible idea at all. It comes down to the idea as well of when you're trying to run a query against a bunch of that data, do you need all the data to transit or just the results of that query, as well? It's a question of, can you move the compute closer to the data as opposed to the data to where the compute lives?Tim: Well, you know and a lot of those people who have those huge data pools have it sitting on S3, and a lot of it migrated off into Glacier, so it's not as if you could get at it in milliseconds anyhow. I just ask myself, “How much data can anybody actually use in a day? In the course of satisfying some transaction requests from a customer?” And I think it's not petabyte. It just isn't.Now, there are—okay, there are exceptions. There's the intelligence community, there's the oil drilling community, there are some communities who genuinely will use insanely huge seas of data on a routine basis, but you know, I think that's kind of a corner case, so before you shake your head and say, “Ah, they'll never move because the data gravity,” you know… you need to prove that to me and I might be a little bit skeptical.Corey: And I think that is probably a very fair request. Just tell me what it is you're going to be doing here to validate the idea that is in your head because the most interesting lies I've found customers tell isn't intentionally to me or anyone else; it's to themselves. The narrative of what they think they're doing from the early days takes root, and never mind the fact that, yeah, it turns out that now that you've scaled out, maybe development isn't 80% of your cloud bill anymore. You learn things and your understanding of what you're doing has to evolve with the evolution of the applications.Tim: Yep. It's a fun time to be around. I mean, it's so great; right at the moment lock-in just isn't that big an issue. And let's be clear—I'm sure you'll agree with me on this, Corey—is if you're a startup and you're trying to grow and scale and prove you've got a viable business, and show that you have exponential growth and so on, don't think about lock-in; just don't go near it. Pick a cloud provider, pick whichever cloud provider your CTO already knows how to use, and just go all-in on them, and use all their most advanced features and be serverless if you can. It's the only sane way forward. You're short of time, you're short of money, you need growth.Corey: “Well, what if you need to move strategically in five years?” You should be so lucky. Great. Deal with it then. Or, “Well, what if we want to sell to retail as our primary market and they hate AWS?”Well, go all-in on a provider; probably not that one. Pick a different provider and go all in. I do not care which cloud any given company picks. Go with what's right for you, but then go all in because until you have a compelling reason to do otherwise, you're going to spend more time solving global problems locally.Tim: That's right. And we've never actually said this probably because it's something that both you and I know at the core of our being, but it probably needs to be said that being multi-cloud is expensive, right? Because the nouns and verbs that describe what clouds do are different in Google-land and AWS-land; they're just different. And it's hard to think about those things. And you lose the capability of using the advanced serverless stuff. There are a whole bunch of costs to being multi-cloud.Now, maybe if you're existentially afraid of lock-in, you don't care. But for I think most normal people, ugh, it's expensive.Corey: Pay now or pay later, you will pay. Wouldn't you ideally like to see that dollar go as far as possible? I'm right there with you because it's not just the actual infrastructure costs that's expensive, it costs something far more dear and expensive, and that is the cognitive expense of having to think about both of these things, not just how each cloud provider works, but how each one breaks. You've done this stuff longer than I have; I don't think that either of us trust a system that we don't understand the failure cases for and how it's going to degrade. It's, “Oh, right. You built something new and awesome. Awesome. How does it fall over? What direction is it going to hit, so what side should I not stand on?” It's based on an understanding of what you're about to blow holes in.Tim: That's right. And you know, I think particularly if you're using AWS heavily, you know that there are some things that you might as well bet your business on because, you know, if they're down, so is the rest of the world, and who cares? And, other things, eh, maybe a little chance here. So, understanding failure modes, understanding your stuff, you know, the cost of sharp edges, understanding manageability issues. It's not obvious.Corey: It's really not. Tim, I want to thank you for taking the time to go through this, frankly, excellent post with me. If people want to learn more about how you see things, and I guess how you view the world, where's the best place to find you?Tim: I'm on Twitter, just @timbray T-I-M-B-R-A-Y. And my blog is at tbray.org, and that's where that piece you were just talking about is, and that's kind of my online presence.Corey: And we will, of course, put links to it in the [show notes 00:37:42]. Thanks so much for being so generous with your time. It's always a pleasure to talk to you.Tim: Well, it's always fun to talk to somebody who has shared passions, and we clearly do.Corey: Indeed. Tim Bray principal at Textuality Services. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry comment that you then need to take to all of the other podcast platforms out there purely for redundancy, so you don't get locked into one of them.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.