Security bug in OpenSSL
SAN FRANCISCO — RSA Conference 2025

"Sixty percent of the attacks we're tracking target low-profile vulnerabilities—things like privilege escalation and security bypasses, not the headline-making zero days," says Douglas McKee, Executive Director of Threat Research at SonicWall. Speaking live from the show floor at RSA 2025, McKee outlined how SonicWall is helping partners prioritize threats that are actually being exploited, not just those getting attention.

In a fast-paced conversation with Technology Reseller News publisher Doug Green, McKee unveiled SonicWall's upcoming Managed Prevention Security Services (MPSS). The offering is designed to help reduce misconfigurations—a leading cause of breaches—by assisting with firewall patching and configuration validation. SonicWall is also collaborating with CySurance to package cyber insurance into this new managed service, providing peace of mind and operational relief to MSPs and customers alike. "Over 95% of the incidents we see are due to human error," McKee noted. "With MPSS, we're stepping in as a partner to reduce that risk."

McKee also previewed an upcoming threat brief focused on Microsoft vulnerabilities, revealing an 11% year-over-year increase in attacks. Despite attention on high-profile CVEs, SonicWall's data shows attackers often rely on under-the-radar vulnerabilities with lower CVSS scores. For MSPs, McKee shared a stark warning: nearly 50% of the organizations SonicWall monitors are still vulnerable to decade-old exploits like Log4j and Heartbleed. SonicWall's telemetry-driven insights allow MSPs to focus remediation on widespread, high-impact threats.

SonicWall's transformation from a firewall vendor to a full-spectrum cybersecurity provider was on display at RSA Booth #6353 (North Hall), where the company showcased its SonicSensory MDR, cloud offerings, and threat intelligence. "We've evolved into a complete cybersecurity partner," McKee said. "Whether it's in the cloud or on-prem, we're helping MSPs and enterprises defend smarter."

Visitors to the SonicWall booth were treated to live presentations and fresh coffee—while those not attending can explore SonicWall's insights, including its February 2024 Threat Report and upcoming threat briefs, at www.sonicwall.com.
News includes the archiving of the "Phoenix Sync" project, a major update to Gettext that enhances compilation efficiency, the release of ErrorTracker v0.2.6 with new features like error pruning and ignoring, and José Valim highlighting UX issues with ChatGPT's new UI. We were also joined by Alistair Woodman, a board member of the EEF (Erlang Ecosystem Foundation), who explained the EEF's recent efforts to stay ahead of legislation and technical regulatory shifts that may impact developers soon. Alistair discussed the changing regulatory landscape in the US and the EU due to high-profile exploits, outages, and nation-state supply chain attacks. We learned how the EEF supports Elixir and BEAM developers and what they need from the community now, and more!

Show Notes online - http://podcast.thinkingelixir.com/220

Elixir Community News
- https://github.com/josevalim/sync – The "Phoenix Sync" project has been archived with no immediate explanation yet.
- https://github.com/elixir-gettext/gettext/blob/main/CHANGELOG.md#v0260 – Gettext has a big update to version 0.26.0 which includes a more efficient compilation.
- https://github.com/elixir-cldr/cldr – Gettext feels similar to how ExCldr allows defining a custom backend.
- https://elixirstatus.com/p/TvydI-errortracker-v026-has-been-released – ErrorTracker v0.2.6 has been released with key improvements like a global error tracking disable flag, automatic resolved error pruning, and an error ignorer.
- https://github.com/mimiquate/tower – Tower is a flexible error tracker for Elixir applications that listens for errors and reports them to configured reporters like email, Rollbar, or Slack.
- https://x.com/josevalim/status/1832509464240374127 – José highlighted some UX issues with ChatGPT's new UI, mentioning struggles with concurrent updates.
- https://x.com/josevalim/status/1833176754090897665 – José postponed publishing a video on optimistic updates with LiveView due to an Apple announcement.
- https://github.com/wojtekmach/mix_install_examples – A new WebRTC example was added to the "Mix Install Examples" project.
- https://github.com/wojtekmach/mix_install_examples/pull/42 – The WebRTC example shows how to use the ex_webrtc Elixir package in a small script, compatible with Mix.install/2.
- https://github.com/elixir-webrtc/ex_webrtc – The Elixir package used for the WebRTC example.
- https://x.com/taylorotwell/status/1831668872732180697 – Laravel raised a $57M Series A in partnership with Accel, likely related to their Laravel Cloud hosting platform.

Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com

Discussion Resources
- https://en.wikipedia.org/wiki/Cyber_Resilience_Act
- https://news.apache.org/foundation/entry/open-source-community-unites-to-build-cra-compliant-cybersecurity-processes
- https://www.cisa.gov/sites/default/files/2024-05/CISA%20Secure%20by%20Design%20Pledge_508c.pdf
- https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf
- https://www.infoworld.com/article/2336216/white-house-urges-developers-to-dump-c-and-c.html
- https://en.m.wikipedia.org/wiki/CE_marking
- https://www.cisco.com/c/en/us/services/acquisitions/tail-f.html
- https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- https://www.nist.gov/
- https://en.wikipedia.org/wiki/XZ_Utils_backdoor
- https://en.wikipedia.org/wiki/Log4j
- https://en.wikipedia.org/wiki/Heartbleed
- https://en.wikipedia.org/wiki/2024_CrowdStrike_incident
- https://news.stanford.edu/stories/2024/06/stanfords-deborah-sivas-on-scotus-loper-decision-overturning-chevrons-40-years-of-precedent-and-its-impact-on-environmental-law
- https://openssf.org/
- https://www.fcc.gov/broadbandlabels
- https://www.cve.org/
- https://erlef.org/wg/security

Guest Information
- https://www.linkedin.com/in/alistair-woodman-51934433 – Alistair Woodman on LinkedIn
- awoodman@erlef.org
- http://erlef.org/ – Erlang Ecosystem Foundation Website

Find us online
- Message the show - @ThinkingElixir (https://twitter.com/ThinkingElixir)
- Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir)
- Email the show - show@thinkingelixir.com
- Mark Ericksen - @brainlid (https://twitter.com/brainlid)
- Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid)
- David Bernheisel - @bernheisel (https://twitter.com/bernheisel)
- David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)
Episode 0x7B

Penta-pod! Five down, we should probably do some more. It seems like people enjoy these things. Or at least our subscribers say so. Why don't you tell your friends!

Upcoming this week...
- Lots of News
- Breaches
- SCADA / Cyber, cyber... etc.
- finishing it off with DERPs/Mailbag (or Deep Dive)
And there are weekly Briefs - no arguing or discussion allowed

And if you've got commentary, please send it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of (approximately) 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

News and Commentary
- No flaws like the old flaws. It's time to MOVEit, MOVEit... AGAIN
- RockYou2024: 10 billion passwords leaked in the largest compilation of all time

Breaches
- Twilio Confirms Data Breach After Hackers Leak 33M Authy User Phone Numbers
- Neiman Marcus confirms data breach, claims Snowflake account was hacked

SCADA / Cyber, cyber... etc
- A group of Rabbit R1 jailbreakers found a massive security flaw

DERP
- regreSSHion - you're supposed to hold on to this until August. Also, cute name and logo is so 10 years ago (Heartbleed was TEN YEARS AGO)

Mailbag
"Hei Liquidmatrix, Are you going to be keeping it up? Especially as it is now summer time. ~Your friends from the blue and yellow furniture store"

Briefly -- NO ARGUING OR DISCUSSION ALLOWED
- I did a podcast for work with another CISO who isn't a curmudgeon. You might enjoy.
- TeamViewer: Hackers copied employee directory and encrypted passwords

Upcoming Appearances: -- more gratuitous self-promotion
- Dave: Summer Camp, Singapore in October, IRISCON and Websummit in November
- James: The other end of a Starlink connection... in a forest. :)

Advertising - pay the bills...
- MattJay's Vulnerable U - he's got more subscribers than we do. And he's got sponsors and shit.

Closing Thoughts
Seacrest Says: I'm on a vacation. Leave me alone.

Creative Commons license: BY-NC-SA
We delve into the top 3 open-source revenue streams, expose the pitfalls, and discuss what could be done quickly to improve the situation.
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
- Heartbleed 10th Anniversary https://heartbleed.com/
- Possible Libarchive Backdoor Vulnerability https://github.com/libarchive/libarchive/pull/1609
- Magento XML Backdoor https://sansec.io/research/magento-xml-backdoor
- Google Public DNS's approach to fight against cache poisoning attacks https://security.googleblog.com/2024/03/google-public-dnss-approach-to-fight.html
- Remote code execution (RCE) vulnerability in Brocade Fabric OS (CVE-2023-3454) https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23215
- SANS London April Evening Talk https://sans.zoom.us/webinar/register/WN_ZLLnQKCCQCywLGm-CM4xQg#/registration
In this Episode, Andy talks with OptConnect CEO Chris Baird, and National Sales Justin Nichols. www.OptConnect.com

==========

Andy: For those of you listening that this might be the first time you've heard about OptConnect, I encourage you to go listen to Episode #73 that Justin and I recorded probably a year and a half ago. Something like that, a year and a half ago, two years ago, and that'll be kind of like level one cellular connectivity intro, how it works, the benefits, all those sorts of things. What I want to do today is kind of hear from both Justin and Chris on where things, where their business has evolved since kind of entering the irrigation market.

Justin: Yeah, that's awesome. Uh, you know, we entered the irrigation market about three years ago and we knew that we had a very good value prop based on, you know, other markets that we're very active in, in our market leaders. And, and over the last two and a half, three years, you know, we've really started to scale in the irrigation market. I think today we have about four out of five of the large, you know, national distributors set up to be able to supply OptConnect hardware and services and about a dozen, uh, regional distributors as well. So if you haven't heard of us, chances are it is locally available at your, you know, landscape irrigation supply house. Uh, also just recently during smart irrigation month, we launched our brand new Ascend Dura device. And what's really cool about the Ascend Dura is it basically functions like a Wi-Fi hotspot on your phone. And so for the last couple of years, you know, we've really, uh, tried to penetrate the central control market. Uh, and now we have a new tool in our tool belt that allows us to connect to Wi-Fi only type of controllers. So your Hydrawise, your B-hyves, your Rachios and any other type of Wi-Fi only type of gateway, uh, to be able to provide the same type of high level managed service to be able to troubleshoot now, not only the cellular side of that, but also the Wi-Fi side of that. So you can now bring your own Wi-Fi solution, plug and play and let us hit the easy button for you.

Andy: Okay. Wow. So there's a whole bunch happening there and some of this I wasn't quite aware of. So why don't we step back? Because I had always thought of OptConnect as, as cellular, but you just said a bunch of Wi-Fi. So how does cellular and Wi-Fi come together?

Justin: Yeah. So basically the Wi-Fi allows you to connect locally to a piece of equipment, just like you would in your house. Uh, and so we're able to make a local network connection via Wi-Fi to that Wi-Fi only irrigation controller that allows the user to connect with a cellular device when otherwise they would have no means or way of connecting that external device. So we connect locally via the Wi-Fi network, but then all the communication is done on the cellular side. So when you're trying to do remote management, uh, monitoring of a site like this, that's using a Wi-Fi only controller, whether it's light commercial, your own personal property, a vacation rental, we're able to manage that now remotely over the cellular network. And because of our managed service value prop, we can actually troubleshoot both types of those connections with the Wi-Fi.

Andy: So can we like get a tangible example? Let's name a controller just to give this some context. Could we say like a Hunter Hydrawise controller? Would that make sense to talk about that? And just to try to, you know, have it more tangible.

Justin: Yeah, absolutely. So you have a Hunter Hydrawise controller. Uh, you know, has 48 plus zones, if I remember correctly. They can go on a lot of light commercial properties. The cost is a little bit less expensive than that commercial unit, but you're relying on that property owner or that site's Wi-Fi connection. Perhaps they won't let you on their network. Perhaps the Wi-Fi signal isn't strong enough. We're able to put a cellular device that acts as a Wi-Fi hotspot inside that controller or right next to it and allow any type of Hydrawise user to manage that system remotely over an OptConnect cellular network.

Andy: Okay. So you bring another device, your brand new device, and let's talk about that device. Is it one device? Is it two devices? How do you get from the cellular cloud down to the Wi-Fi LAN or local Wi-Fi?

Justin: Yeah, it's all, it's just one device. So basically, we have the, the Wi-Fi technology and the cellular technology baked into a single device. It's fully plug and play, we can provide a NEMA 4X enclosure. So if it's, you know, an outdoor install and you don't want to mount it inside that Hydrawise controller cabinet, we can just install it right next to it. There's no wiring that you would have to run between the two. And it's, it's very simple. It's, it's activated, ready to go out of the box. The Wi-Fi is turned on. We give you, you know, the SSID and password to manage that. We can change that on your behalf. Uh, you really don't have to worry about anything when it comes to setting up that local Wi-Fi network or managing it over the cellular network.

Andy: Hmm. Wow. Wow. Okay. A couple of things I'm thinking, is this a single controller device or can you connect multiple controllers or even other devices to it?

Justin: Yeah, absolutely. So just like you would with your iPhone, if you're traveling and you and your work colleague are trying to get on a Zoom call or check your email, we can connect multiple Wi-Fi devices to this single device. Uh, it also has four Ethernet ports. So if we wanted to, we could actually hardwire four controllers into it as well. Uh, but yes, any type of Wi-Fi equipment that the landscape property manager or whoever it is, uh, is, is utilizing at that site, we can connect everything that they have at that site, uh, within a, within a reasonable distance, obviously, uh, to the Wi-Fi, to the Ascend Dura device.

Andy: Hmm. Does that change, you know, so thinking historically irrigation controllers don't really use a lot of bandwidth, right? There's just not a lot of bandwidth. What is the bandwidth of this device? And I ask because I'm just curious. Because somebody may want to, you know, get on their phone and watch YouTube, and from an irrigation perspective, that's a lot of data that historically hasn't been required. But how does that translate to the new device?

Justin: Yeah, so the new device is called an LTE Cat 4. So that is kind of your baseline fast type of device, uh, similar speed to, you know, web browsing or, or app browsing on an iPhone. And so it's going to have the speed and bandwidth to connect multiple controllers or pieces of, you know, equipment that, that communicate via Wi-Fi simultaneously, so you're not going to have any lag, any delay, uh, any timeouts in your communication. Probably wouldn't, uh, advocate for them to use it as a hotspot to, to stream, you know, YouTube on just because there are data plans on the cellular side associated with that. Uh, and you don't want to, uh, get dinged for, for using a couple of gigs of data when your irrigation controllers are maybe set up for, you know, 250, 500 megabytes of data online.

Andy: And I was kind of asking, not because I think someone's gonna get out their phone and start watching YouTube, but maybe there's an opportunity for a contractor to mention this to maybe, um, a municipality or a school district, something like that, so that they, the, you know, the client can get extra usage out of the device.

Justin: Absolutely.

Andy: And use it to operate other equipment that happens to be on the site.

Justin: Yeah, absolutely. And so when you get into some of these commercial installs, you know, outside of just the Wi-Fi-only type controllers, you may have four or five, six controllers in a utility room, and we could connect all of those with a single device now.

Andy: Wow. Cool. So I'm, I'm wondering if this would be a good time to discuss if a, if a contractor or a client, you know, is thinking of a control system, you know, XYZ, let's not name any names, controller XYZ, and that, the brand manufacturer offers on their own, both Wi-Fi and cellular, you know, how, what type of decision would they make or how would they make the decision to use OptConnect and choose, you know, this device that you're talking about, the Wi-Fi hotspot, or just your, you know, standard cellular device?

Justin: Yeah, it would probably be a decision based on what their current infrastructure, you know, is in that area. Um, the device can support five Ethernet-based connections. No, I would probably still advocate for hardwiring it in. Um, but otherwise, yeah, uh, they would have the ability now with multiple tools in the tool belt to make an even more informed decision as to how they're going to connect their equipment or other equipment, uh, in their room that they want to be able to remotely manage.

Andy: Mm-hmm. Mm-hmm. Yeah. As well as I'm just thinking, uh, you know, my brain's just turning here. I'm thinking that there's a benefit to knowing that OptConnect is, you know, supporting the brand manufacturer with the installation so that the client doesn't have to worry about how reliable is the brand manufacturer's cellular. This takes that question away because now they can look at your company OptConnect and see that this is what you do. So it almost like may reduce the risk of using, you know, an irrigation brand manufacturer cellular service.

Chris: You, you bring up a really good point, Andy. And, and in our world, you know, we think of connectivity as more than just connecting it to a, uh, to a cellular tower and then allowing that to, to roam. If you were to use OptConnect over a different solution, say one of the brand manufacturers, there's an entire team at OptConnect that's dedicated to watching for certain events like overages and outages. We're watching to make sure that that device has a healthy connection. We're taking autonomous action if it doesn't. Uh, we're on the back end providing support in the event that, uh, the, the installer or the end user has additional questions or needs support. You know, anybody can pick up our phone and be talking to an agent in 30 seconds or less, get live technical support, single call resolution. There's the, uh, a layer that OptConnect brings, uh, professionalism and satisfaction, if you will, to an operator that they might not get anywhere else so that they don't have to think about it. We know that in the world of IoT, Internet of Things, if there is not a reliable I, there is not a reliable T. And we try to bring that stability so that an operator can go do what they're best. They're not best at sitting behind a computer screen watching for connectivity to drop. We are. They love to be out moving on to the next deal, making sure the grass is green, the client's happy and that everybody is, uh, is satisfied at knowing that, that controller's connected reliably to the Internet.

Andy: Mm hmm, mm hmm. And I think as soon as, um, a contractor or client experiences an outage, uh, or when I say outage, I mean the controller's offline, let's, let's say it that way. The device is offline. A lot of the time, brand manufacturers can't tell the user why. It's just offline. You know, you got to roll a truck out there. It could be, uh, the power's out. It could be it lost, uh, uh, the connection and it timed out. You got to roll your truck out there. And from what I've experienced using OptConnect, one of the greatest benefits is to be able to explain, help explain why the controller is offline. Because just because the controller is offline doesn't mean it lost its cellular connection. Your device could be still connected and it's a great way to troubleshoot that remotely.

Justin: Yeah, absolutely. We're able to eliminate a lot of variables without having to roll that truck roll, which is very costly.

Andy: Well, Chris, since we have you joining us today, I would love for you to share, you know, I guess as much as you are willing to share in terms of how OptConnect kind of, um, got started or sort of the foundation of OptConnect, you know, before you guys entered this industry. Could you share a little bit about that?

Chris: Sure. It's a, it's a good story. I'll see if I condense it, can condense it here for us. Uh, there's a really interesting part of this story, which is, uh, I think there was some timing involved here and being a little bit lucky and having some, uh, some insights that were coming. We really cut our teeth in another industry, uh, not in, uh, in agriculture, if you will, or in irrigation. We actually cut our teeth over in the retail industry, which, uh, specifically we were serving locations that were unattended, such as kiosks, ATMs, and signage. And what we learned in that space is that connectivity was becoming increasingly important, more and more difficult to procure and less and less reliable for people that were doing it themselves. So we set out to perfect a solution that ultimately became OptConnect. And over the course of a few years, we refined that and productized that in a way that allowed us to take that same solution to dozens of industries, which we do today. We take each of these industries serious. We try to serve those industries in meaningful capacities. We try to be good stewards and participants of trade shows and organizations. We try to be thought leaders or partner with thought leaders to help enable them. But really what we learned through it all is that we had an opportunity to become an expert at something everybody else took for granted or thought as an afterthought. Thanks to the advent of the iPhone, everybody thinks that IoT connectivity can be as simple as an out of the box, powered on, uh, walk away solution. And we know the reality is, we've worked very, very hard to make that experience true. But otherwise, it generally doesn't happen, or it certainly doesn't scale to that, that capacity. So, when we started, uh, serving these various industries, our goal was simple. We want to make an out of the box experience, make it as easy as possible for anybody in any industry to open a device, plug it into power, hook up the antenna, plug in the Ethernet cable and walk away. 30 second install, uh, or we're not doing it right. And I'll tell you, it's taken a team, pretty significant team, uh, you know, a long time to perfect that, to make that a reality. And that's what we've done today. Uh, the company really has evolved over, over the last couple of years, but we've really hit a stride as well. And we know where we provide value. We know where we sit in the supply chain, if you will, of our customers and how critical internet connectivity is. And, uh, you know, we just come to work every day loving what we do.

Andy: That's great. I love how you mentioned, I think you used the word unmanned devices, something to that effect, and I couldn't agree more because there's a difference between something working all the time, or let me step back, there's a difference between when something fails, but there's a dude one door down that can just go, you know, restart it versus something that's unmanned. When it's unmanned, it really needs to work all the time because there's nobody around to fix it. And I think that's a, that's a great differentiator. And if you can achieve, uh, you know, close to a hundred percent success in an unmanned environment, that's, that's amazing.

Chris: Yeah. You know, that's, that's just the reality of, uh, of where we're headed today. And especially if you fast forward in the history of the company through the pandemic. We learned that a lot of businesses turned to technology when the workforce sort of dried up, if you will. They turned to connectivity as a means by which they could be in multiple places at once. Uh, we learned through the pandemic as a nation and as a world, the importance of connection. And we certainly learned in the business world the importance of connectivity, and OptConnect serves that and sits directly in that value proposition of being able to allow our customers to magnify their efforts and to be in multiple places at once, if you will, by essentially replacing the man on the edge with a device that allows our customers to see what's going on. And, uh, to, to trust and know that somebody's behind the scenes making sure everything's working how it needs to all the time.

Andy: That's fantastic. I'd like to ask if you're willing to share how you came to the company, Chris.

Chris: Yeah, I, that's a great story. I've actually been here since the beginning, since day one. And, uh, I was in a, an adjacent market, if you will, uh, working happily in that market, when the opportunity came about to take this, what we call our proverbial duct tape solution of a router. This is in 2006 when IoT wasn't even a word, right? Yeah. If you will, or even M2M. It was all what we would call telemetry, uh, and pull that together. And over the course of a couple of months, what we found is that there was a solution out there for the oil and gas industry that allowed for that remote telemetry to be collected via a cellular gateway and transmitted to the cloud, if you will. Uh, and I, I think even then calling it a cloud was a big stretch. Uh, like I think about today, right? Very, very expensive solution. So I set out to, to, to find a way to get the cost down and to productize that, to standardize on what we did. And, and about two years later, after having some pretty phenomenal success, just word of mouth, we made the strategic decision that, that this could not only be a product, but it could actually be a business. And not only could it be a business, it could serve dozens of industries. And not only could it serve dozens of industries, but we saw the writing on the wall years and years ago that we were going to be moving towards an ever connected world that relied on the ability to connect ubiquitously anywhere, almost anywhere that you are. There's, we call them cellular deserts. There's very few of those that exist in the country these days. Uh, you know, connectivity is essentially everywhere. And, uh, we set out to find a way to, to meaningfully connect our customers to the Internet, uh, and it's just, it's been a lot of fun. We have had so many extreme use cases and different examples of things that have come to us over the years. And, uh, you know, irrigation is just one of dozens, but a perfect example of where we can add value to something that may have had a legacy solution that's either old, decaying or going away. You know, radio controllers and, and, uh, you know, traditional, uh, boring of, uh, and laying cable and, and copper underground, you know, those are days of past and, uh, with everything moved to connectivity wirelessly or cellularly, we're in a perfect position to help.

Andy: So over the last 15 years, has it just been smooth sailing, easy peasy, lemon squeezy, the business just grew, or were there times when it was tough going and you questioned whether you were making the right decisions with the company? I'd love to hear kind of how the progression went.

Chris: Yeah, you know, as we look back, it's really clear to see that we've always been under some meaningful growth tension. Whether we recognized it in the moment or not, uh, there were always things that we were learning and adjusting. And I've always been fond of a business that can, can look back in retrospect and make a statement, uh, something that's happened in the past. And for us, I, it's very clear to see that there were a few pivotal, what I call DNA altering moments that were make or break, lay it all on the line, uh, opportunities for the company to go after. Uh, I remember, uh, particularly a number of years ago, a situation that occurred globally on the Internet. There was a vulnerability introduced to the Internet called Heartbleed in 2014. OptConnect was not personally, uh, you know, affected by Heartbleed directly. We didn't have any vulnerabilities in our system and there was no data exfiltrations. We never got hacked like was happening everywhere to major companies. Uh, you know, if you had an online login, whether it was to an email account or social media account, almost everything was vulnerable. But what we saw as a result were a number of inbound inquiries, uh, testing our systems to see if they were vulnerable. And it was breaking the system. It was causing things to not be able to get out. And that was a make or break moment for us where we had to make a couple of decisions to move forward 40,000 customers to a new platform that was protected behind a firewall. We had to do that in the course of a couple of hours, which was unprecedented. That was like a six or a nine month effort that we, we got done in about a little over 24 hours.

Andy: It's amazing what you can actually do when you constrain time. Isn't it?

Chris: Oh yeah.

Andy: Absolutely. You tell your team to do something and they're going to tell you, oh, six months. And you say, no, can you do it in 24 hours? Like, it's just amazing when you layer time onto something.

Chris: Yeah. We, we learned that we're best when our backs are against the wall. That's when, when the best in us comes out. Uh, you know, and then fast forward a number of years, I think every organization went through this reflective moment as the reality of the pandemic was setting in quickly and, uh, you know, as businesses were getting shut down and people were getting sent home, you know, we, we look at that very, uh, very fortuitously. We had months earlier made the decision to enable a remote workforce. Everybody had a laptop. We had already fully adopted technology that allowed us to stay connected through, uh, back office systems and, and, uh, Zoom and Teams and, uh, and chat tools. So it was a seamless transition for us that allowed us to get to a position where we could be not reactive to the situation, but actually helpful to our customers that they were trying to navigate, you know, sending remote employees home and figuring out how to keep them connected. You know, we quickly developed a solution that allowed our customers to send their employees home using our connectivity so that they could stay connected, get their job done every day. So there's, there, it certainly has not been smooth sailing, Andy, but as we look back, we are also grateful for those experiences because they're where we stretched and learned the most. We have a saying on our wall that alludes to the fact that stretching, while it might be painful, it's where we learn the most. We believe that learning happens on the edge. And if we can keep our company on that edge of learning and catastrophe, but always stay to this side of it, we're always going to be in a helpful growth position.

Andy: Fantastic words of wisdom. Love that. Thank you for, thank you for sharing that. Thank you for giving us a little bit of a history of the company. And I think maybe since we have five minutes or so left, you could tell us, uh, what's on the horizon. Let's assume you guys got great market share in irrigation. Everybody's using your product. What's next?

Chris:
You know, I love this question and I love to put it into perspective too. If we kind of zoom out of the business world and just look at what's happening globally, the electrification of everything, uh, connectivity, you know, I knew that we were onto something at OpConnect in the business world. When I got a phone call from my parents saying they have a washer and dryer that needs to connect to the internet and needed help, I thought, okay, there's, there's the rest of the world kind of catching up and making it here. But if we look at fast forward, there's a couple of macro trends that we look at that I think are really important. Number one is the importance of scarce resources. Uh, as a country, for example, uh, it happens to be raining outside for us today, yesterday, we got an entire summer's worth of rain and about four hours, uh, people tend to think of water as free cause it falls from the sky. We know better if we look and step back. It's a scarce resource. We need to manage it appropriately. Where else does that happen? Well, it happens with energy. It happens, uh, in, in a number of, of different, uh, industries. It's going to happen with electricity. So if we can identify these macro trends. That are likely to either get regulated or just out of necessity be managed differently, and we can position ourselves to help facilitate the collection of data to help customers make actionable real time decisions that can be our guiding star on where we take the company next, um, as Thank you The world connects EVs. We're going to have to do that really smartly. There's just not enough electricity to supply. If you were to replace every, every internal combustion engine with electric vehicles today, we would be kind of crippled, if you will, as a nation. So we, that has to be built out as that's built out. It needs to be managed differently. It needs to be monitored. Uh, there may be times where it may need to be routed, certainly needs to be secure. 
So we know that's a macro trend that we can look at, uh, that will help, uh, drive, you know, not only growth, but meaningful adoption of connectivity and technology that allows us to use our resources better. We look at things like security, all types of applications of security, you know, regrettably, we live in a world where Where that is more important than it's perhaps ever been. There are more and more assets being deployed to more and more unattended locations that are vulnerable to various types of nefarious activity. Those need to be protected. They need to be monitored and, uh, and managed accordingly. So those, those are some of the ways that we try to think about. You know, macro tailwinds that could help guide us long term as an organization. Now, by no means does that mean we're willing to turn our back on some of the industries that we serve today. In fact, our plan is to continue to land and serve those industries long term, be experts, become a trusted household name, if you will. Um, the the OptConnected and the Kleenex of the of the world, if you will. And, uh, and that's our goal to just provide meaningful connectivity anywhere possible. It's great, Andy: uh, great plan and I think you guys are well on the way. I know I certainly trust your devices because I've used them and have experienced with them and the people that I've suggested to use them feel exactly the same way. It's kind of like once somebody tries one, they go, all right, I'm just using this. For all my stuff. I don't, I don't want to have to worry about brand manufacturer, ABCD ease devices. I just want one portfolio with all my devices. So I appreciate what you guys are doing and I appreciate how it is also kind of raising the bar in our industry and providing, you know, more contractors with more access to technology so that they can learn faster and maybe to use your words, you know, run their business on the edge a little bit as well. Absolutely. Awesome. 
Well, thank you guys so much. Uh, we are running out of time and Justin, maybe on another, maybe we can do a, a sequel to the second episode and talk a little bit more about some particular, some other industries that, um, that you're involved with that are also, you know, water related, looking Justin: forward to it. Andy, thanks for having us Andy: back. Thank you very Chris: much.
The worm is turning! C and C++ have ruled the core of our digital world for a long time and still do. But they do not handle memory well, which is where we get buffer overflows (Morris Worm, SQL Slammer, and so many more) or buffer underflows (Heartbleed). This can involve a stack overflow attack, where the program writes more data to the stack than has been allocated for a given buffer, or a heap overflow attack, where the write overruns the memory into space that is not allocated for the buffer. These problems often allow adversaries to write data into places it was not intended for, or can cause an exception in the handling of the code (and thus cause the program to behave unreliably). A typical outcome is to overwrite memory that is allocated for other purposes and thereby cause a Denial of Service (DoS) against the code, where it just stops working. Along with this, developers often do not clean up their variables, so a garbage collector must come in and free up memory that is no longer being used. But Rust just doesn't allow you to do these things. It has strict checks on the usage of variables at compile time, and if you do something bad with them, it will tell you and refuse to compile the code. In 2015, Rust was born, and in eight short years many of the major software companies have adopted it as the core of their systems. Google was one of the early adopters but is now joined by Microsoft, who are developing their core code with Rust. But there are many questions: how long will it take to learn the language, and will it make developers more productive? The following relates to research conducted at Google which answers these questions [here]. For this, Google did a survey of 1,000 of their developers. Some Rust and Cryptography is [here].
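As an added example (not code from the original post), here is the bug class the paragraph describes, a length field that is trusted instead of checked against the bytes actually received, written in Rust. The record layout and sample bytes are constructed for illustration; the point is that the unchecked version cannot silently read past the buffer the way C would, because the slice index is bounds-checked and panics, while the checked version turns the mismatch into an ordinary error.

```rust
// Added example, not code from the original post. A heartbeat-style
// record is laid out (constructed for illustration) as:
//   type (1 byte) | declared payload length (2 bytes, big-endian) | payload
// The classic bug is to trust the declared length and copy that many
// bytes back to the sender, reading past what was actually received.

#[derive(Debug, PartialEq)]
pub enum HbError {
    TooShort,
    LengthMismatch { declared: usize, available: usize },
}

const HEADER_LEN: usize = 3;

/// Checked echo: validates the declared length against the bytes present
/// before slicing, so a hostile length becomes an Err, not a memory read.
pub fn echo_heartbeat(record: &[u8]) -> Result<Vec<u8>, HbError> {
    if record.len() < HEADER_LEN {
        return Err(HbError::TooShort);
    }
    let declared = u16::from_be_bytes([record[1], record[2]]) as usize;
    let available = record.len() - HEADER_LEN;
    if declared > available {
        return Err(HbError::LengthMismatch { declared, available });
    }
    Ok(record[HEADER_LEN..HEADER_LEN + declared].to_vec())
}

/// Unchecked echo: trusts the declared length, exactly the logic error.
/// In C this would memcpy beyond the buffer and leak adjacent memory;
/// Rust's bounds check on the slice makes it panic instead.
pub fn echo_heartbeat_unchecked(record: &[u8]) -> Vec<u8> {
    let declared = u16::from_be_bytes([record[1], record[2]]) as usize;
    record[HEADER_LEN..HEADER_LEN + declared].to_vec()
}

/// Runs the unchecked version under catch_unwind and reports whether the
/// bounds check fired (true) or the copy went through (false).
pub fn unchecked_panics(record: &[u8]) -> bool {
    std::panic::catch_unwind(move || echo_heartbeat_unchecked(record)).is_err()
}

/// Constructed sample: declared length matches the payload sent.
pub fn honest_record() -> Vec<u8> {
    let mut r = vec![0x01, 0x00, 0x05]; // declared length 5
    r.extend_from_slice(b"hello");
    r
}

/// Constructed sample: declares 65535 bytes but only sends 2.
pub fn hostile_record() -> Vec<u8> {
    let mut r = vec![0x01, 0xFF, 0xFF]; // declared length 65535
    r.extend_from_slice(b"hi");
    r
}

fn main() {
    println!("honest:  {:?}", echo_heartbeat(&honest_record()));
    println!("hostile: {:?}", echo_heartbeat(&hostile_record()));
    // Silence the default panic message for the demonstration below.
    std::panic::set_hook(Box::new(|_| {}));
    println!(
        "unchecked version panicked on hostile record: {}",
        unchecked_panics(&hostile_record())
    );
}
```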
Which patches are critical? When do they really need to be applied? That's where our new PatchAware™ features come in. We're monitoring the thousands of patches that are issued every week, and will tell you which patches are the most critical to install right now.

This week's tip, 9 years after it was discovered, is the "Heartbleed" bug. It is still one of the most significant threats to online security. It gives the bad guys access to sensitive information from affected systems. This article highlights the importance of upgrading software and keeping it up-to-date with regular security patches to protect against Heartbleed and other vulnerabilities.

The Need for Upgrading Firewalls and IoT Devices

The need for upgrading firewalls and IoT devices is a clear one. As the number of connected devices continues to grow, so do the risks associated with them. A lack of proper security can lead to a variety of problems:
• Ransomware attacks on hospitals or other critical infrastructure
• Hackers stealing sensitive information from companies and individuals alike
• Cyber criminals compromising payment systems and draining bank accounts

Understanding the Different Types of Patches

There are three types of patches:
• Critical Patches - These are security updates that address vulnerabilities that could allow an attacker to gain access to your system and steal sensitive data. They're important to install as soon as possible.
• Non-Critical Patches - These usually fix minor bugs or add new features, but they don't affect your security. You can wait until you have time to install them later on in the day or week if you want!
• Hotfixes - Hotfixes are temporary fixes for critical issues that arise after a patch has been released; they're only available while the issue is still occurring in the wild, so they may not be available for long periods of time.

Best Practices for Upgrading Firewalls and IoT Devices

To ensure that your firewall and IoT devices are kept up-to-date, you should:
• Keep track of patches. Use a patch management tool to monitor for updates, and deploy them as soon as they become available.
• Ensure that all networked devices have an active subscription to the latest version of their operating system or firmware. This will ensure that you're protected against known vulnerabilities in these products' code base. If a vulnerability is discovered after an update has been released but before it has been applied, then users may be at risk until they apply the patch themselves (or their IT departments do so).

The Benefits of Regularly Updating Firewalls and IoT Devices

• Increased security: Updating a firewall's software is a great way to ensure that you're using the latest version of the software. This means that if there are any bugs or vulnerabilities in the old version, they'll be fixed and patched up before they can be exploited by hackers.
• Improved performance: Another benefit of regularly updating your firewall is that it can improve its performance over time. This is because newer versions of firewalls often come with new features and functionality that weren't available in previous releases, so updating allows you access to these improvements without having to buy an entirely new device!
• Reduced downtime: Finally, keeping up-to-date with all the latest patches will help reduce downtime due to hardware failure or other issues associated with older versions of software running on your network equipment (like routers).

What to Do if You Encounter an Unpatched Vulnerability

If you encounter an unpatched vulnerability, it's important to take action immediately. First, identify the affected devices and determine whether they are critical to your organization's operations. If so, consider shutting down those devices until they can be patched; otherwise, continue using them as usual but monitor their activity closely for signs of compromise. If you have any control over the patching process for these devices (for example, if they belong to a third party), inform them about the problem and encourage them to prioritize fixing it as soon as possible. If there isn't anything else that can be done at this point besides waiting for patches from vendors or manufacturers before implementing them yourself, which may take weeks or even months, make sure all relevant parties understand how serious this issue is so that everyone knows what steps need to be taken the next time something similar happens in future!
Application security in the cloud is a crucial aspect of protecting data and preventing unauthorized access to applications hosted on cloud platforms. As cloud computing becomes more prevalent, ensuring the security of applications has become a top priority for organizations. This is because cloud environments present unique security challenges, such as shared resources, multi-tenancy, and a lack of physical control. Therefore, it is essential to implement security measures that are specific to cloud-based applications. Segment Resources: - https://www.youtube.com/@Infosecvandana/videos Lessons from an old 2008 JSON.parse vuln, opening garage doors with a password, stealing cars with CAN bus injection, manipulating Twitter's recommendation algorithm, engineering through complexity, successful tabletop exercises, and the anniversary of Heartbleed. Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw236
Funding open-source projects is essential, but what options are there? Open-source projects are more important than ever in today's society. Projects like cURL, OpenSSL, sqlite and co. are often maintained by a handful of people, yet millions of people use them every day, often without even knowing it. Most open-source projects are maintained in people's spare time. But how does that fit together, especially when the rent has to be paid and there should be food on the table? That is where the (not quite so simple) topic of funding open-source projects comes up. In this episode we go into exactly that and present a few ways you can get money with, or for, your open-source project. It is not only about the big player GitHub Sponsors, but also about professional sponsoring by companies, the early-access model, government grants, and such boring topics as taxes. Bonus: what radio receivers with batteries have to do with open source, and whether money is really motivating. Quick feedback on the episode:
In today's podcast we cover four crucial cyber and technology topics, including:
1. CRITICAL OpenSSL patch coming November 1st
2. LinkedIn fights fake accounts with new features
3. U.S. charges British hacker for role in dark web marketplace
4. U.S. charges Ukrainian responsible for Raccoon Stealer malware
I'd love feedback, feel free to send your comments and feedback to cyberandtechwithmike@gmail.com
The Gen X Brothers have a long talk with the bass player of Peppermint Creeps, Billy Blade. They discuss the long-awaited reunion in December and the very tragic and unfortunate passing of the great Traci Michaelz. It's been over 14 years since his death but still very hard to believe that such a talented drummer and friend to all is no longer with us. Billy also talks about all the bands he's played in and his extensive collection, including the night Bruce Kulick from KISS was shot in front of the Rainbow Bar and Grill on Sunset Blvd. and he was able to obtain something very strange… Glenn and Erik also talk about horror movies for Halloween, including Terrifier 2 with Elliot Fullam from Little Punk People. Intro music by Peppermint Creeps: Just Another Day and Heartbleed. Mentioned in this episode: Edge of Life Designs www.edgeoflifedesigns.com
Subhankar Bagchi's adventures in film and the music world: https://twitter.com/prstb/status/1556181928407023616
Laura Kankaala's IMDb page: https://www.imdb.com/name/nm12013421/
Tinder Swindler: https://www.netflix.com/title/81254340
The Finnish Parliament's website targeted by a denial-of-service attack: https://www.hs.fi/politiikka/art-2000008994152.html
The Zero Day Initiative has observed that security patches which do not actually fix the vulnerabilities have become more common: https://www.wired.com/story/software-patch-flaw-uptick-zdi/
About Brandon

Brandon West was raised in part by video games and BBSes and has been working on web applications since 1999. He entered the world of Developer Relations in 2011 as an evangelist for a small startup called SendGrid and has since held leadership roles at companies like AWS. At Datadog, Brandon is focused on helping developers improve the performance and developer experience of the things they build. He lives in Seattle where he enjoys paddle-boarding, fishing, and playing music.

Links Referenced:
Datadog: https://www.datadoghq.com/
Twitter: https://twitter.com/bwest

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.

Corey: This episode is sponsored in part by our friends at Fortinet. Fortinet's partnership with AWS is a better-together combination that ensures your workloads on AWS are protected by best-in-class security solutions powered by comprehensive threat intelligence and more than 20 years of cybersecurity experience. Integrations with key AWS services simplify security management, ensure full visibility across environments, and provide broad protection across your workloads and applications. Visit them at AWS re:Inforce to see the latest trends in cybersecurity on July 25-26 at the Boston Convention Center. Just go over to the Fortinet booth and tell them Corey Quinn sent you and watch for the flinch. My thanks again to my friends at Fortinet.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is someone I've been trying to get on the show for years, but I'm very bad at, you know, following up and sending the messages and all the rest because we all struggle with our internal demons. My guest instead struggles with external demons. He is the team lead for developer experience and tools advocacy at what I can only assume is a Tinder for Pets style company, Date-A-Dog. Brandon West, thank you for joining me today.

Brandon: Hey, Corey, thanks for having me. I'm excited to be here. Finally, like you said, it's been a couple of years. But glad that it's happening. And yeah, I'm on the DevRel team at Datadog.

Corey: Yes, I'm getting a note here in the headset of breaking news coming in. Yes, you're not apparently a dog dating company, you are a monitoring slash observability slash whatever the cool kids are calling it today telemetry outputer dingus nonsense. Anyone who has ever been to a community or corporate event has no doubt been tackled by one of the badge scanners that you folks have orbiting your booth, but what is it that you folks do?

Brandon: Well, the observability, the monitoring, the distributed tracing, all that stuff that you mentioned. And then a lot of other interesting things that are happening.
Security is a big focus—InfoSec—so we're adding some products around that, automated security monitoring, very cool. And then the sort of stuff that I'm representing is stuff that helps developers provide a better experience to their end-users. So, things like front-end monitoring, real-time user monitoring, synthetic testing of your APIs, whatever it might be.

Corey: Your path has been somewhat interesting because you—well, everyone's path has been somewhat interesting; yours has been really interesting because back in 2011, you entered the world of developer relations, or being a DevReloper as I insist on calling it. And you were in a—you call it a small startup called SendGrid. Which is, on some level, hilarious from my point of view. I've been working with you folks—you folks being SendGrid—for many years now. I cared a lot about email once upon a time.

And now I send an email newsletter every week, that deep under the hood, through a couple of vendor abstraction layers is still SendGrid, and I don't care about email because that's something that I can pay someone else to worry about. You went on as well to build out DevRel teams at AWS. You decided okay, you're going to take some time off after that. You went to a small scrappy startup and ah, nice. You could really do things right and you have a glorious half of the year and then surprise, you got acquired by Datadog. Congratu-dolances on that because now you're right back in the thick of things at big company-style approaches. Have I generally nailed the trajectory of the past decade for you?

Brandon: Yeah, I think the broad strokes are all correct there. SendGrid was a small company when I joined, you know? There were 30 of us or so. So, got to see that grow into what it is today, which was super, super awesome. But other than that, yeah, I think that's the correct path.

Corey: It's interesting to me, in that you were more or less doing developer relations before that was really a thing in the ecosystem. And I understand the challenge that you would have in a place like SendGrid because that is large-scale email sending, transactional or otherwise, and that is something that by and large, has slipped below the surface level of awareness for an awful lot of folks in your target market. It's, “Oh, okay, and then we'll just have the thing send an email,” they say, hand-waving over what is an incredibly deep and murky pool. And understanding that is a hard thing requires a certain level of technical sophistication. So, you started doing developer relations for something that very clearly needed some storytelling chops. How did you fall into it originally?

Brandon: Well, I wanted to do something that let me use those storytelling chops, honestly. I had been writing code at an agency for coal mines and gold mines and really actively inserting evil into the world, power plants, and that sort of thing. And, you know, I went to school for English literature. I loved writing. I played in thrash metal bands when I was a kid, so I've been up on stage being cussed at and told that I suck. So I—

Corey: Oh, I get that conference talks all the time.

Brandon: Yeah, right? So, that's why when people ask me to speak, I'm like, “Absolutely.” There's no way I can bomb harder than I've bombed before. No fear, right? So yeah, I wanted to use those skills. I wanted to do something different.

And one of my buddies had a company that he had co-founded that was going through TechStars in Boulder. SendGrid was the first accelerator-backed company to IPO which is pretty cool. But they had gone through TechStars in 2009. They were looking for a developer evangelist. So, SendGrid was looking for developer evangelist and my friend introduced me said, “I think you'd be good at this. You should have a conversation.” My immediate thought was what the hell is a developer evangelist?

Corey: And what might a SendGrid be? And all the rest.
Yes, it's that whole, “Oh, how do I learn to swim?” Someone throws you off the end of the dock and then in retrospect, it's, “I don't think they were trying to teach me how to swim.” Yeah. Hindsight.

Brandon: Yeah. It worked out great. I will say, though, that I think DevRel has been around for a long time, you know? The title has been around since the original Macintosh at Apple in 1980-ish. There's a whole large part of the tech world that would like you to think that it's new because of all the terrible things that their DevRel team did at Microsoft in the late-90s.

And you can go read all about this. There were trials about it. These documents were released to the public, James Plamondon is the lead architect of all of this nastiness. But I think there was then a concerted effort to memory-hole that and say, “No, DevRel is new and shiny.” And then Google came along and said, “Well, it's not evangelism anymore. It's advocacy.”

Corey: It's not sysadmin work anymore. It's SRE. It's not on-prem, it's Sparkling Kubernetes, et cetera, et cetera.

Brandon: Yeah, so there's this sense in a lot of places that DevRel is new, but it's actually been around a long time. And you can learn a lot from reading about the history and understanding it, something I've given a talk on and written a bit about. So.

Corey: My philosophy around developer relations for a while has been that in many cases, its biggest obstacle is the way that it is great at telling stories about fantastically complex, deeply technical things; it can tell stories about almost anything except itself. And I keep seeing similar expressions of the same problem again, and again, and again. I mean, AWS, where you worked, as an example: they love to talk about their developer advocates, and you read the job descriptions and these are high-level roles with sweeping responsibilities, broad basis of experience being able to handle things at a borderline executive level. And then they almost neuter the entire thing by slapping a developer advocate title on top of those people, which means that some of the people that would be most effectively served by talking to them will dismiss them as, “Well, I'm a director”—or a VP—“What am I going to do talking to a developer advocate?” It feels like there's a swing and a miss as far as encapsulating the value that the function provides.

I want to be clear, I am not sitting here shitting on DevRel or its practitioners, I see a problem with how it [laugh] is being expressed. Now, feel free to argue with me and just scream at me for the next 20 minutes, and this becomes a real short show. But—

Brandon: [laugh].

Corey: —It'll be great. Hit me.

Brandon: No, you're correct in many ways, which makes me sad because these are the same conversations that I've been having for the 11, 12 years that I've been in DevRel now. And I thought we would have moved past this at some point, but the problem is that we are bad at advocating for advocacy. We do a bad job of relating to people about DevRel because we spend so much time worried about stuff that doesn't really matter. And we get very loud voices in the echo chamber screaming about titles and evangelism versus advocate versus community manager, and which department you should report up to, and all of these things that ultimately don't matter. And it just seems like bickering from the outside. I think that the core of what we do is super awesome. And I don't think it's very hard to articulate. It's just that we don't spend the time to do that.

Corey: It's always odd to me when I talk to someone like, “Oh, you're in DevRel. What does that mean?” And their immediate response is, “Well, it's not marketing, I'll tell you that.” It feels like there might be some trauma that is being expressed in some strange ways.
I do view it as marketing, personally, and people who take umbrage at that don't generally tend to understand what marketing is.Yeah, you can look at any area of business or any function and judge it by some of the worst examples that we've all seen, but when someone tells me they work in sales, I don't automatically assume that they are sending me horrifyingly passive-aggressive drip campaigns, or trying to hassle me in a car lot. It's no, there's a broad spectrum of people. Just like I don't assume that you're an engineer. And I immediately think, oh, you can't solve FizzBuzz on a whiteboard. No, there's always going to be a broad spectrum of experience.Marketing is one of those awesome areas of business that's dramatically misunderstood a lot. Similarly to the fact that, you know, DevRel can't tell stories, you think marketing could tell stories about itself, but it's still struggles, too, in a bunch of ways. But I do believe that even if they're not one of the same, developer relations and marketing are aligned around an awful lot of things like being able to articulate value that is hard to quantify.Brandon: I completely agree with that. And if I meet someone in DevRel that starts off the conversation by saying that they're not in marketing, then I know they're probably not that great at their job. I mean, I think there's a place of tech hubris, where we want to disrespect anything that's not a hard skill where it's not putting zeros and ones into a chip—Corey: And spoiler, they're all very hard skills.Brandon: [laugh]. Yeah. And so, first off, like, stop disrespecting marketing. It's important; your business probably wouldn't survive if you didn't have it. And second of all, you're not immune to it, right?Like, Heartbleed had a logo and a name for vulnerability because tech people are so susceptible to it, right? 
People don't just wake up and wait in line for three days for a new iPhone because tech marketing doesn't work, right?

Corey: “Oh, tech marketing doesn't work on me,” says someone who's devoted the last five years of their life to working on Kubernetes. Yeah, sure it doesn't.

Brandon: Yeah, exactly. So, that whole perspective is silly. I think part of the problem is that they don't want to invest in learning how to communicate what they do to a marketing org. They don't want to spend the time to say, “Here's how the marketing world thinks, and here's how we can fit into that perspective.” They want to come in and say, “Well, you don't understand DevRel. Let me define DevRel for you and tell you what we do.” And all those sorts of things. It's too prescriptive and less collaborative.

Corey: Anytime you start getting into the idea of metrics around how do you measure someone in a developer advocacy role, the answer is, “Well, your metrics that you're using are wrong, and any metrics you use are wrong, and there's no good way to do it.” And I am sympathetic to that. When I started this place, I knew that if I went to a bunch of events and did my thing, good things would happen for the business. And how did I articulate that? Gut feel, but when you own the place, you can do that. Whereas when you are a function inside of another org, inside of another org, and you start looking at it from the executive leadership position at these things, it's, “Okay, so let me get this straight.
You cost as much as an engineer, you cost as much as that again, in your expenses because you're traveling all the time, you write zero production code, whenever people ask you what it is you do here, you have a very strange answer, and from what we can tell, it looks like you hang out with your friends in exotic locations, give a 15-minute talk from time to time that mentions our name at the beginning, and nothing else relevant to our business, and then you go around and the entire story is ‘just trust me, I'm adding value.'” Yeah, when it's time to tighten belts and start cutting back, is it any wonder that the developer advocacy is often one of the first departments hit from that perspective?

Brandon: It doesn't surprise me. I mean, I've been a part of DevRel teams where we had some large number of events that we had attended for the year—I think 450-something—and the director of the team was very excited to show that off, right, you should have seen the CFO's face when he heard that, right, because all he sees is outgoing dollar signs. Like, how much expense? What's the ROI on 450 events?

Corey: Yeah, “450 events? That's more than one a day. Okay, great. That's a big number and I already know what we're spending. Great. How much business came out of that?” And that's when the hemming and hawing starts. Like, well, sort of, and yadda—and yeah, it doesn't present well in the language that they are prepared to speak. But marketing can tell those stories because they have for ages. Like, “Okay, how much business came from our Super Bowl ad?” “I dunno. The point is, is that there's a brand awareness play, there's the chance to remain top of the mental stack when people think about this space. And over the next few months, we can definitely see there's been a dramatic uptick in our business. Now, how do we attribute that back? Well, I don't know.” There's a saying in marketing, that half of your marketing budget is wasted.
Now, figuring out which half will spend the rest of your career, you'll never get even close. Because people don't know the journey that customers go through, not really. Even customers don't often see it. Take this podcast, for example. I have sponsors that I do love and appreciate who say things from time to time on this show. And people will hear it and occasionally will become customers of those sponsors. But very often, it's, “Oh, I heard about that on the podcast. I'll Google it when I get to work and then I'll have a conversation with my team and we'll agree to investigate that.” And any UTM tracking has long since fallen by the wayside. You might get to that from discussions with users in their interview process, but very often, they won't remember where it came up. And it's one of those impossible-to-quantify things. Now, I sound like one of those folks where I'm trying to say, “Oh, buy sponsorships that you can never prove add value.” But that is functionally how advertising tends to work, back in the days before it spied on you.

Brandon: Yeah, absolutely. And we've added a bunch of instrumentation to allow us to try and put that multi-touch attribution model together after the fact, but I'm still not sure that that's worth the squeeze, right? You don't get much juice out. One of the problems with metrics in DevRel is that the things that you can measure are very production-focused. It's how many talks did you give? How many audience members did you reach? Some developer relations folks do actually write production code, so it might be how many times the official SDK that you support got downloaded? That can be more directly attributed to business impact; those sorts of things are fantastic. But a lot of it is kind of fuzzy and because it's production-focused, it can lead to burnout because it's disconnected from business impact.
“It's how many widgets did your line produce today?” “Well, we gave all these talks and we had 150,000 engaged developer hours.” “Well, cool, what was the business outcome?” And if you can't answer that for your own team and for your own self in your role, that leads pretty quickly to burnout.

Corey: Anytime you start measuring something and grading people based on it, they're going to optimize for what you measure. For example, I send an email newsletter out, at time of this recording, to 31,000 people every week and that's awesome. I also periodically do webinars about the joys of AWS bill optimization, and you know, 50 people might show up to one of those things. Okay, well, from a broad numbers perspective, yeah, I'd much rather go and send something out to those 31,000 folks, until you realize that the kind of person that's going to devote half an hour, forty-five minutes to having a discussion with you about AWS bill optimization is far likelier to care about this to the point where they become a customer than someone who just happens to be in an audience for something that is orthogonally related. And that is the trick because otherwise, we would just all be optimizing for the single biggest platforms out there if oh, I'm going to go talk at this conference and that conference, not because they're not germane to what we do, but because they have more people showing up. And that doesn't work. When you see that even in the podcast world, you have Joe Rogan, as the largest podcast in the world—let's not make too many comparisons in different ways because I don't want to be associated with that kind of tomfoolery—but there's a reason that his advertisers, by and large, are targeting a mass-market audience, whereas mine are targeting B2B SaaS, by and large. I'm not here shilling for various mattress companies. I'm instead talking much more about things that solve the kind of problem that listeners to this show are likely to have.
It's the old school of thought of advertising, where this is a problem that is germane to a certain type of audience, and that certain type of audience listens to shows like this. That was my whole school of thought.

Brandon: Absolutely. I mean, the core value that you need to do DevRel, in my opinion, is empathy. It's all about what Maya Angelou said, right? “People may not remember what you said, but they'll definitely remember how you made them feel.” And I found that to be incredibly true. Like, the moments that I regret the most in DevRel are the times when someone that I've met and spent time with before comes up to have a conversation and I don't remember them because I met 200 people that night. And then I feel terrible, right? So, those are the metrics that I use internally. It's hearts and minds. It's how do people feel? Am I making them feel empowered and better at their craft through the work that I do? That's why I love DevRel. If I didn't get that fulfillment, I'd go write code again. But I don't get that sense of satisfaction, and wow, I made an impact on this person's trajectory through their career, that I do from DevRel. So.

Corey: I come bearing ill tidings. Developers are responsible for more than ever these days. Not just the code that they write, but also the containers and the cloud infrastructure that their apps run on. Because serverless means it's still somebody's problem. And a big part of that responsibility is app security from code to cloud. And that's where our friend Snyk comes in. Snyk is a frictionless security platform that meets developers where they are - finding and fixing vulnerabilities right from the CLI, IDEs, repos, and pipelines. Snyk integrates seamlessly with AWS offerings like CodePipeline, EKS, ECR, and more! As well as things you're actually likely to be using. Deploy on AWS, secure with Snyk.
Learn more at Snyk.co/scream. That's S-N-Y-K.co/scream.

Corey: The way that I tend to see it, too, is that there's almost a bit of a broadening of DevRel. And let's be clear, it's a varied field with a lot of different ways to handle that approach. I'm a terrible public speaker, so I'm not going to ever succeed in DevRel. Well, that's certainly not true. People need to write blog posts; people need to wind up writing some of the sample code, in some cases; people need to talk to customers in a small group environment, as opposed to in front of 3000 people, and talk about the things that they're seeing, and the rest. There's a broad field and different ways that it applies. But I also see that there are different breeds of developer advocate as well. There are folks, like you for example. You and I have roughly the same amount of time in the industry working on different things, whereas there's also folks who it seems like they graduate from a boot camp, and a year later, they're working in a developer advocacy role. Does that mean that they're bad developer advocates? I don't think so, but I think that if they try and present things the same way that you or I do from years spent in the trenches working on these things, they don't have that basis of experience to fall back on, so they need to take a different narrative path. And the successful ones absolutely do.

Brandon: Yeah.

Corey: I think it's a nuanced and broad field. I wish that there was more acceptance and awareness of that.

Brandon: That's absolutely true. And part of the reason people criticize DevRel and don't take it seriously is they say, “Well, it's inconsistent. This org, it reports to product; or, this org, it reports up to marketing; this other place, it's part of engineering.” You know, it's poorly defined. But I think that's true of a lot of roles in tech. Like, engineering is usually done a different way, very differently at some orgs compared to others.
Product teams can have completely different methodologies for how they track and manage and estimate their time and all of those things. So, I would like to see people stop using that as a cudgel against the whole profession. It just doesn't make any sense. At the same time, two of the best evangelists I ever hired were right out of university, so you're completely correct. The key thing to keep in mind there is, like, who's the audience, right, because ultimately, it's about building trust with the audience. There's a lot of rooms where if you and I walk into the room; if it's like a college hackathon, we're going to have a—[laugh], we're going to struggle.

Corey: Yeah, we have some real, “Hello fellow kids,” energy going on when we do that.

Brandon: Yeah. Which is also why I think it's incredibly important for developer relations teams to be aware of the makeup of their team. Like, how diverse is your team, and how diverse are the audiences you're speaking to? And if you don't have someone who can connect, whether it's because of age or lived experience or background, then you're going to fail because like I said, the number one thing you need to be successful in this role is empathy, in my opinion.

Corey: I think that a lot of the efforts around a lot of this—trying to clarify what it is—have in some cases gone in, well, I guess I'm going to call it the wrong direction. And I know that sounds judgy and I'm going to have to live with that, I suppose, but talk to me a bit about the, I guess, rebranding that we've seen in some recent years around developer advocates. Specifically, like, I like calling folks DevRelopers because it's cutesy, it's a bit of a portmanteau. Great. But it's also not something I seriously suggest most people put on business cards. But there are people who are starting to, I think, take a similar joke and actually identify with it where they call themselves developer avocados, which I don't fully understand.
I have opinions on it, but again, having opinions that are not based in data is something I try not to start shouting from the rooftops wherever I can. You live in that world a lot more posted than I do, where do you stand?

Brandon: So, I think it was well-intentioned and it was an attempt to do some of the awareness and brand building for DevRel, broadly, that we had lacked. But I see lots of problems with it. One, we already struggle to be taken seriously in many instances, as we've been discussing, and I don't think we do ourselves any favors by giving ourselves cutesy nicknames that sort of infantilize the role. Like, I can't think of any other job that has a pet name for the work that they do.

Corey: Yeah. The “ooh-woo accounting”. Yeah, I sort of don't see that happening very often in most business orgs.

Brandon: Yeah. It's strange to me. At the same time, a lot of the people who came up with it and popularized it are people that I consider friends and good colleagues. So hopefully, they won't be too offended, but I really think that it kind of set us back in many ways. I don't want to represent the work that I do with an emoji.

Corey: Funny, you bring that up. As we record this through the first recording, I have on my new ridiculous desktop computer thing from Apple, which I have named after a—you know, the same naming convention that you would expect from an AWS region—it's us-shitpost-one. Instead of the word shit, it has the poop emoji. And you'd be amazed at the number of things that just melt when you start trying to incorporate that. GitHub has a problem with that being the name of an SSH key, for example. I don't know if I'll keep it or I'll just fall back to just spelling words out, but right now, at least, it really is causing all kinds of strange computer problems. Similarly, it causes strange cultural problems when you start having that dissonance and seeing something new and different like that in a business context.
Because in some cases, yeah, it helps you interact with your audience and build rapport; in many others, it erodes trust and confidence that you know what you're talking about because people expect things to be cast a certain way. I'm not saying they're right. There's a shitload of bias that bakes into that, but at the same time, I'd like to at least bias for choosing when and where I'm going to break those expectations. There's a reason that increasingly, my Duckbillgroup.com website speaks in business terms, rather than in platypus metaphors, whereas lastweekinaws.com very much leans into the platypus. And that is the way that the branding is breaking down, just because people expect different things in different places.

Brandon: Yeah, and, you know, this framing matters. And I've gone through two exercises now where I've helped rename an evangelism team to an advocacy team, not because I think it's important to me—it's a bunch of bikeshedding—but it has external implications, right? Especially evangelism, in certain parts of the world, has connotations. It's just easier to avoid those. And how we present ourselves, the titles that we choose, are important. I wish we would spend way less time arguing about them, you know, advocacy has won; evangelism, don't use it. DevRel, if you don't want to pick one, great. DevRel is a broader umbrella. If you've got community managers, people who can't write code that do things involving your events or whatever, program managers, if they're on your team, DevRel, great description. I wish we could just settle that. Lots of wasted air discussing that one.

Corey: Constantly. It feels like this is a giant distraction that detracts from the value of DevRel. Because I don't know about you, but when I pick what I want to do next in my career, the things I want to explain to people and spend that energy on are never, I want to explain what it is that I do.
Like I've never liked those approaches where you have to first educate someone before they're going to be in a position where they want to become your customer. I think, honestly, that's one of the things that Datadog has gotten very right. One of the early criticisms lobbed against Datadog when it first came out was, “Oh, this is basically monitoring by Fisher-Price.” Like, “This isn't the deep-dive stuff.” Well yeah, but it turns out a lot of your buying audience are fundamentally toddlers with no visibility into what's going on. For an awful lot of what I do, I want it to be click, click, done. I am a Datadog customer for a reason. It's not because I don't have loud and angry opinions about observability; it's because I just want there to be a dashboard that I can look at and see what's working, what's not, and do I need to care about things today? And it solves that job admirably because if I have those kinds of opinions about every aspect, I'm never going to be your customer anyway, or anyone's customer. I'm going to go build my own and either launch a competitor or realize this is what I truly love doing and go work at a company in this space, possibly yours. There's something to be said for understanding the customer journey, that those customers do not look like you. And I think that's what's going on with a lot of the articulation around what developer relations is or isn't. The people on stage who go to watch someone in DevRel give a talk, do not care, by and large, what DevRel is. They care about the content that they're about to hear about, and when the first half of it is explaining what the person's job is or isn't, people lose interest. I don't even like intros at the beginning of a talk. Give me a hook. Talk for 45 seconds. Give me a story about why I should care before you tell me who you are, what your credentials are, what your job title is, who you work for.
Hit me with something big upfront and then we'll figure it out from there.

Brandon: Yeah, I agree with you. I give this speaking advice to people constantly. Do not get up on stage and introduce yourself. You're not a carnival hawker. You're not trying to get people to roll up and see the show. They're already sitting in the seat. You've established your credibility. If they had questions about it, they read your abstract, and then they went and checked you out on LinkedIn, right? So, get to the point; make it engaging and entertaining.

Corey: I have a pet theory about what's going on in some cases where, I think, on some level, it's an outgrowth of an impostor-syndrome-like behavior, where people don't believe that they deserve to be onstage talking about things, so they start backing up their bona fides to almost reassure themselves because they don't believe that they should be up there and if they don't believe it, why would anyone else. It's the wrong approach. By holding the microphone, you inherently deserve to hold the microphone. And go ahead and tell your story. If people care enough to dig into you and who you are and well, “What is this person's background, really?” Rest assured the internet is pretty easy to use these days, people will find out. So, let them do that research if they care. If they don't, then there's an entire line of people in this world who are going to dislike you or say you're not qualified for what it is you're doing or you don't deserve it. Don't be in that line, let alone at the front of it.

Brandon: So, you mentioned impostor syndrome and it got me thinking a little bit. And hopefully this doesn't offend anyone, but I'm kind of starting to think that impostor syndrome is in many ways invented by people to put the blame on you for something that's their fault. It's like a carbon footprint to the oil and gas industry, right?
These companies can't provide you psychological safety and now they've gone and convinced you that it's your fault and that you're suffering from this syndrome, rather than the fact that they're not actually making you feel prepared and confident and ready to get up on that stage, even if it's your first time giving a talk, right?

Corey: I hadn't considered it like that before. And again, I do tend to avoid straying into mental health territory on this show because I'm not an—

Brandon: Yes.

Corey: Expert. I'm a loud, confident white guy in tech. My failure mode is a board seat and a book deal, but I am not board-certified, let's be clear. But I think you're onto something here because early on in my career, I was very often faced with a whole lot of nebulous job description-style stuff and I was never sure if I was working on the right thing. Now that I'm at this stage of my career, and as you become more senior, you inherently find yourself in roles, most of the time, that are themselves mired in uncertainty. That is, on some level, what seniority leads to. And that's fine, but early on in your career, not knowing if you're succeeding or failing, I got surprise-fired a number of times when I thought I was doing great. There are also times that I thought I was about to be fired on the spot and, “Come on in; shut the door.” And yeah, “Here's a raise because you're just killing it.” And it took me a few years after that point to realize, wait a minute. They were underpaying me. That's what that was, and they hope they didn't know. But it's that whole approach of just trying to understand your place in the world. Do I rock? Do I suck? And it's that constant uncertainty and unknowing. And I think companies do a terrible job, by and large, of letting people know that they're okay, they're safe, and they belong.

Brandon: I completely agree.
And this is why I would strongly encourage people—if you have the privilege—please do not work at a company that does not want you to bring your whole self to work, or that bans politics, or however they want to describe it. Because that's just a code word for we won't provide you psychological safety. Or if they're going to, it ends at a very hard border somewhere between work and life. And I just don't think anyone can be successful in those environments.

Corey: I'm sure it's possible, but it does bias for folks who, frankly, have a tremendous amount of privilege in many respects where I mentioned about, like, I'm a white dude in tech—you are too—and when we say things, we are presumed competent and people don't argue with us by default. And that is a very easy to forget thing. Not everyone who looks like us is going to have very similar experiences. I have gotten it hilariously wrong before when I gave talks on how to wind up negotiating for salaries, for example, because well, it worked for me, what's the problem? Yeah, I basically burned that talk with fire, redid the entire thing and wound up giving it with a friend of mine who was basically everything that I am not. She was an attorney, she was a woman of color, et cetera, et cetera. And suddenly, it was a much stronger talk because it wasn't just, “How to Succeed for White Guys.” There's value in that, but you also have to be open to hearing that and acknowledging that you were born on third; you didn't hit a triple. There's a difference. And please forgive the sports metaphor. They do not sound natural coming from me.

Brandon: [laugh]. I don't think I have anything more interesting to add on that topic.

Corey: [laugh]. So, I really want to thank you for taking the time to speak with me today.
If people want to learn more about what you're up to and how you view the world, what's the best place to find you?

Brandon: So, I'm most active on Twitter at @bwest, but you know, it's a mix of things so you may or may not just get tech. Most recently, I've been posting about a—

Corey: Oh, heaven forbid you bring your whole self to school.

Brandon: Right? I think most recently, I've been posting about a drill press that I'm restoring. So, all kinds of fun stuff on there.

Corey: I don't know, it sounds kind of—wait for it—boring to me. Bud-dum-tiss.

Brandon: [laugh]. [sigh]. I can't believe I missed that one.

Corey: You're welcome.

Brandon: Well done. Well done. And then I also will be hiring for a couple of developer relations folks at Datadog soon, so if that's interesting and you like the words I say about how to do DevRel, then reach out.

Corey: And you can find all of that in the show notes, of course. I want to thank you for being so generous with your time. I really appreciate it.

Brandon: Hey, thank you, Corey. I'm glad that we got to catch up after all this time. And hopefully get to chat with you again sometime soon.

Corey: Brandon West, team lead for developer experience and tools advocacy at Datadog. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry and insulting comment that is talking about how I completely misunderstand the role of developer advocacy. And somehow that rebuttal features no fewer than 400 emoji shoved into it.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS.
We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.
We look at this week's security news, then we reminisce about 15 years of the iPhone, which went on sale on June 29, 2007. It's been an interesting ride so far.

Show Notes:
A wide range of routers are under attack by new, unusually sophisticated malware ZuoRAT
Hertzbleed: A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys
OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
FCC commissioner calls for Apple & Google to ban TikTok
Attackers hit iOS and Android devices with spyware in Italy and Kazakhstan
15 Years Ago Today, the iPhone Went On Sale

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you're ready to buy.
A daily look at the relevant information security news from overnight - 27 June, 2022

Episode 253 - 27 June 2022
BBVA 2FA Clone - https://thehackernews.com/2022/06/new-android-banking-trojan-revive.html
ICS ShadowPad - https://www.bleepingcomputer.com/news/security/microsoft-exchange-bug-abused-to-hack-building-automation-systems/
LockBit Bounty - https://www.pcmag.com/news/ransomware-gang-offers-bug-bounty-promises-payouts-up-to-1-million
Raccoon 2.0 - https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/
OpenSSL Bad Memory - https://www.theregister.com/2022/06/27/openssl_304_memory_corruption_bug/?td=rt-3a

Hi, I'm Paul Torgersen. It's Tuesday June 28th, 2022, and I want to say a quick thank you as I have just passed 100 subscribers on YouTube. Which is great, but let's not stop there. If you find this valuable, please share with your networks and colleagues. Let's see if we can't add a zero or two to that number. And now, this is a look at the information security news from overnight.

From TheHackerNews.com: A new Android banking trojan called Revive has been discovered specifically targeting users of the Spanish financial services company BBVA. Phishing campaigns push a look-alike website where victims download an app which impersonates the bank's two-factor authentication app. Italian cybersecurity firm Cleafy first spotted the malware in mid June, and says it appears to be in its early stages of development.

From BleepingComputer.com: A new Chinese-speaking threat actor is hacking into the building automation systems of several Asian organizations and loading the ShadowPad backdoor. The group focused on devices that have not yet patched the Microsoft Exchange vulnerability collectively known as ProxyLogon. According to Dutch research, there are about 46,000 such machines. Kaspersky believes the group is ultimately hunting for sensitive information.
From PCMag.com: In what seems to be a first, the LockBit ransomware group has launched a bug bounty program. Evidently they have been successful enough to be able to afford to buy new zero-days. Their current rates run from $1,000 to $1 million, although the million bucks is for if you can dox the LockBit leader. If this is compelling to any of you, keep in mind that the main targets for this group are healthcare and education, two of the most vulnerable populations out there. Do you really want to help somebody like that?

From BleepingComputer.com: I mentioned last week that the Raccoon Stealer group had temporarily shuttered operations after one of their leaders was killed in the Russian invasion of Ukraine. Well, they're back in action with 2.0, a new and completely re-coded version of their malware offering elevated password-stealing functionality and upgraded operational capacity. Details in the article.

And last today, from TheRegister.com: OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability that they hadn't quite completely patched earlier. Unfortunately, the new release contains a memory corruption bug which can be triggered trivially by an attacker. This targets the Intel Advanced Vector Extensions 512, or AVX512. The researcher said that if this bug can be exploited remotely, and they are not certain yet that it can, it could be more severe than Heartbleed, at least from a purely technical point of view. Details in the link.

That's all for me today. Have a great rest of your day. Like and subscribe, and until tomorrow, be safe out there.
Security vulnerabilities are not found only in insecure applications, websites and apps. Particularly critical are attacks from the sidelines that are not always in view: hardware or cryptographic methods. In light of PACMAN, Lisa and Christoph think back to Heartbleed. And take an in-depth look at how such attacks come about. Because nothing is secure, not even cables!
Hello and welcome to CHAOSScast Community podcast, where we share use cases and experiences with measuring open source community health. Elevating conversations about metrics, analytics, and software from the Community Health Analytics Open Source Software, or CHAOSS Project for short, to wherever you like to listen. On today's episode, we have joining us as our guest Dhruv Sachdev, who's an undergraduate Computer Engineering student at Mumbai University and was a Google Summer of Code 2021 student for CHAOSS. Dhruv is here to talk about his path to open source and the project he did with Google Summer of Code 2021. We hear about his experience managing his time as a student while working on this project, what projects he's excited about doing in the near future, and he shares advice if you are new to open source or if you're looking to explore the world of open source. Download this episode now to find out much more, and don't forget to subscribe for free to this podcast on your favorite podcast app and share this podcast with your friends and colleagues!
[00:02:00] Dhruv tells us his path to open source, when he started working on an open source project, how he found out about it, and what he finds cool about CHAOSS.
[00:03:40] Sean wonders what it is about the measurement and analytics field that is so fascinating to Dhruv.
[00:06:28] We hear more about the project Dhruv did with Google Summer of Code.
[00:10:34] Dhruv tells us what resources really helped him when he started with the Augur team to better understand the software components and more about how CHAOSS was structured.
[00:12:17] Sophia talks about a research article evaluating hackathons and how effective they are for open source projects, and Sean tells us about the benefits and impacts of Google Summer of Code.
[00:15:33] Dhruv explains his experience as a student, how he thought about time management, and volunteering his time in this space while still in school.
[00:21:00] Sean talks about the pieces of Augur that Dhruv worked on that looked at metrics and wonders why dependencies are so important right now, and Sophia explains why.
[00:25:45] Sean explains what happened with the OpenSSL Heartbleed vulnerability. Sophia brings up a previous episode with Avi Press, Founder of Scarf, which is an analytics tool, and explains the vulnerabilities that come with tools.
[00:29:50] Find out what Dhruv is most excited about doing in the near future with projects.
[00:32:54] Dhruv shares advice if you are new to open source or a student looking to explore the vast ecosystem of open source.
Value Adds (Picks) of the week:
[00:35:04] Sean's pick is Discord's emergence.
[00:36:11] Sophia's pick is cats and daylight savings time.
[00:38:11] Dhruv's pick is having so much fun at the MahaShivRatri festival.
Panelists: Sean Goggins, Sophia Vargas
Guest: Dhruv Sachdev
Sponsor: SustainOSS (https://sustainoss.org/)
Links:
CHAOSS (https://chaoss.community/)
CHAOSS Project Twitter (https://twitter.com/chaossproj?lang=en)
CHAOSScast Podcast (https://podcast.chaoss.community/)
podcast@chaoss.community (mailto:podcast@chaoss.community)
Ford Foundation (https://www.fordfoundation.org/)
Sean Goggins Twitter (https://twitter.com/sociallycompute)
Sophia Vargas Twitter (https://twitter.com/sophia_iv?lang=en)
Dhruv Sachdev Website (https://dhruvsachdev.me/)
Dhruv Sachdev Twitter (https://twitter.com/dhruvhsachdev)
Dhruv Sachdev LinkedIn (https://www.linkedin.com/in/dhruv-sachdev-19b1b3143/)
Dhruv Sachdev project submission, Google Summer of Code 2021 for CHAOSS (https://github.com/Dhruv-Sachdev1313/GSoC-2021-CHAOSS)
Security Scorecards (https://github.com/ossf/scorecard)
CHAOSS Augur (https://github.com/chaoss/augur)
CHAOSS Risk Metrics Working Group (https://github.com/chaoss/wg-risk)
CHAOSS Community Handbook (https://handbook.chaoss.community/community-handbook/)
CHAOSScast Podcast, Episode 53: Gathering Open Source Usage Data with Avi Press (https://podcast.chaoss.community/53)
SwiftOnSecurity Twitter (https://twitter.com/SwiftOnSecurity?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Sam Stepanyan Twitter (https://twitter.com/securestep9)
MahaShivRatri 2022 (https://isha.sadhguru.org/mahashivratri/?gclid=Cj0KCQjwuMuRBhCJARIsAHXdnqPHxLi6oWCF8vdEMzIo17gnKUEd4XThyD6zrMLlU2ohO6XCVIBG5ZUaAjDfEALw_wcB)
Special Guest: Dhruv Sachdev.
In part two of this two-part episode on The DevOpsHandbook, Second Edition, Gene Kim speaks with coauthors Dr. Nicole Forsgren and Jez Humble about the past and current state of DevOps. Forsgren and Humble share with Kim their DevOps aha moments and what has been the most interesting thing they've learned since the book was released in 2016. Jez discusses the architectural properties of the programming language PHP and what it has in common with ASP.NET. He also talks about the anguish he felt when Mike Nygard's book, Release It!, was published while he was working on his book, Continuous Delivery. Forsgren talks about how it feels to see the findings from the State of DevOps research so widely used and cited within the technology community. She explains the importance of finding the link between technology performance and organizational performance as well as what she's learned about the importance of culture and how it can make or break an organization. Humble, Forsgren, and Kim each share their favorite case studies in The DevOps Handbook. ABOUT THE GUEST(S) Dr. Nicole Forsgren and Jez Humble are two of five coauthors of The DevOps Handbook along with Gene Kim, Patrick Debois and John Willis. Forsgren, PhD, is a Partner at Microsoft Research. She is coauthor of the Shingo Publication Award-winning book Accelerate: The Science of Lean Software and The DevOps Handbook, 2nd Ed., and is best known as lead investigator on the largest DevOps studies to date. She has been a successful entrepreneur (with an exit to Google), professor, performance engineer, and sysadmin. Her work has been published in several peer-reviewed journals. Humble is co-author of Lean Enterprise, the Jolt Award-winning Continuous Delivery, and The DevOps Handbook. He has spent his career tinkering with code, infrastructure, and product development in companies of varying sizes across three continents, most recently working for the US Federal Government at 18F. 
As well as serving as DORA's CTO, Jez teaches at UC Berkeley.
YOU'LL LEARN ABOUT
Projects Jez and Gene worked on together before The DevOps Handbook came out.
What life is like for Jez as a site reliability engineer at Google and what he's learned.
The story behind his DevOps aha moment in 2004, working on a large software project involving 70 developers.
The architectural properties of his favorite programming language, PHP, what it has in common with ASP.NET, and the importance of being able to get fast feedback while building something.
The anguish that Jez felt when Mike Nygard's book, Release It!, came out, wondering if there was still a need for the book he was working on, which was Continuous Delivery.
"Testing on the Toilet" and other structures for creating distributed learning across an organization, and why this is important to create a genuine learning dynamic.
What Dr. Forsgren is working on now as Partner at Microsoft Research.
Some of Dr. Forsgren's goals as we work together on the State of DevOps research, and how it feels to have those findings so widely used and cited within the technology community.
The importance of finding the link between technology performance and organizational performance, and why it probably was so elusive for at least 40 years in the research community.
What Dr. Forsgren has learned about the importance of culture, how it can make or break an organization, and the importance of great leadership.
RESOURCES
Personal DevOps Aha Moments, the Rise of Infrastructure, and the DevOps Enterprise Scenius: Interviews with The DevOps Handbook Coauthors (Part 1 of 2: Patrick Debois and John Willis)
The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations, Second Edition, by Gene Kim, Patrick Debois, John Willis, Jez Humble, and Dr. Nicole Forsgren
Nudge: Improving Decisions About Health, Wealth, and Happiness by Richard H. Thaler and Cass R. Sunstein
Nudge vs Shove: A Conversation With Richard Thaler
The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps by Kevin Behr, Gene Kim and George Spafford
FlowCon
Elisabeth Hendrickson on the Idealcast: Part 1, Part 2
Cloud Run
Beyond Goldilocks Reliability by Narayan Desai, Google
Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation by Jez Humble and David Farley
Release It!: Design and Deploy Production-Ready Software (Pragmatic Programmers) by Michael T. Nygard
DevOps Days
On the Care and Feeding of Feedback Cycles by Elisabeth Hendrickson at FlowCon San Francisco 2013
Bret Victor
Inventing on Principle by Bret Victor
Media for Thinking the Unthinkable
Douglas Engelbart and The Mother of All Demos
18F
Pain Is Over, If You Want It at DevOps Enterprise Summit - San Francisco 2015
Goto Fail, Heartbleed, and Unit Testing Culture by Mike Bland
Do Developers Discover New Tools On The Toilet? by Emerson Murphy-Hill, Edward Smith, Caitlin Sadowski, Ciera Jaspan, Collin Winter, Matthew Jorde, Andrea Knight, Andrew Trenk and Steve Gross (PDF)
Study: DevOps Can Create Competitive Advantage
DevOps Means Business by Nicole Forsgren Velasquez, Jez Humble, Nigel Kersten and Gene Kim
Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations by Nicole Forsgren, PhD, Jez Humble, and Gene Kim
DevOps Research and Assessment (DORA) on Google Cloud
GitLab Inc. takes The DevOps Platform public
Paul Strassmann
The Idealcast with Dr. Ron Westrum: Part 1, Part 2
Building the Circle of Faith: How Corporate Culture Builds Trust at Trajectory Conference 2021
The Truth About Burnout: How Organizations Cause Personal Stress and What to Do About It by Christina Maslach and Michael P. Leiter
Maslach Burnout Inventory
Understanding Job Burnout at DevOps Enterprise Summit - Las Vegas 2018
Understanding Job Burnout at DevOps Enterprise Summit - London 2019
Workplace Engagement Panel at DevOps Enterprise Summit - Las Vegas 2019
Expert Panel - Workplace Engagement & Countering Employee Burnout at DevOps Enterprise Summit - London 2019
The Idealcast with Trent Green
Kelly Shortridge's tweets about Gitlab S-1
TIMESTAMPS
[05:22] Intro
[05:34] Meet Jez Humble
[10:19] What Jez is working on these days
[15:56] What informed his book, "Continuous Delivery"
[24:02] Assembling the team for the project
[26:30] At what point was PHP an important property
[31:56] The most surprising thing since the DevOps Handbook came out
[35:07] His favorite pattern that went into the DevOps Handbook
[43:40] What DevOps worked on in 2021
[44:46] Meet Dr. Nicole Forsgren
[50:32] What Dr. Forsgren is working on these days
[52:18] What it's like working at Microsoft Research
[55:58] The response to the State of DevOps findings
[59:18] The most surprising finding since the findings' release
[1:05:59] Her favorite pattern that influences performance
[1:08:49] How Dr. Forsgren met Dr. Ron Westrum
[1:11:06] The most important thing she's learned in this journey
[1:14:46] Her favorite case study in the DevOps Handbook
[1:19:12] Dr. Christina Maslach and work burnout
[1:20:46] More context about the case studies
[1:25:32] The Navy case study
[1:29:04] Outro
Are You Ready For the Next Hacker Wave? It's Going to Be Brutal! Right now, we're going to talk about this vulnerability, this huge vulnerability in almost the entire internet that will affect your life over the following number of years. And if you're a business, you better pay close attention. [Following is an automated transcript] [00:00:16] Well, we are looking at what is being called the single most significant, most critical vulnerability ever. [00:00:24] And if you want more information on this, have a look at last week's show, you'll find it up on my website. I talked quite a bit about it. You can email me at me@craigpeterson.com. I've put together a little cheat sheet that you can use to find out: What should I do? If you're an IT professional, this isn't something that you can do if you're a regular home user, because you probably don't have any software you're maintaining that has this Log4j vulnerability. [00:00:59] But I do have to warn you that you probably do have a little bit of hardware that might have it in there. Many of these firewalls used in homes have it, not all of them, uh, a minority of them, but here's why this is the single most significant and most critical vulnerability ever. There is a programming library that is used in the Java [00:01:26] programming language that logs events. If you're writing software, and let's say the software is running a website, it could be almost anything, and you notice a condition that's not quite right. What should you do? Well, you should log it. And then, hopefully, the people that are running your software are monitoring the logs. [00:01:49] See the logs? No. Oh my gosh. Uh, there is something wrong here. One of the logs that I keep an eye on that just absolutely amazes me, frankly, is the SSH daemon logs. Now SSH is a protocol. It uses encryption to get onto other machines using the command line. Now I've used a lot of protocols over the years to do this.
[00:02:17] Telnet was the first, and SSH is something that I've been using for a very long time. You might remember the Heartbleed bug from a few years back. That nailed a lot of people, but I keep an eye on that SSH log because, if someone's trying to log into my system from the internet, that log will show it. [00:02:39] It's going to say that someone tried to use this username; they were coming from this IP address, and they failed to get in. And I have software that automatically monitors that log and says, well, if someone's coming from the same address multiple times and they are unsuccessful at logging in, add their internet address to my firewall blocking rules. [00:03:09] So what ends up happening is, well, they just can't even get to my machine anymore. They're trying to hack me. The same thing's true with the web logs. If we have people who are trying to, for instance, kind of put us out of business doing what's called a denial of service attack, where they are sending us a lot of data, [00:03:31] well, we can, at our site or upstream from us, have that IP address blocked. And that stops the attack. Distributed denial of service attacks are a little bit more complicated. So all of this gets logged. It all gets written to a file, or it gets pushed off to a server that keeps track of the logs. And then there's analysis software that looks at logs for [00:03:57] anomalies, all of that sort of stuff. It makes a lot of sense. Right. But this particular library that's used by Java programmers has a bug in it that allows a remote user to send just a small string, nothing fancy at all, that can command the web server that is using the logging function to go ahead and download malware. [00:04:28] Well, the easiest low-hanging fruit, when it comes to what kind of malware can we put onto a computer, is quite simply crypto mining. So the bad guys, they'll go ahead and they'll just send a small string, very simple. They don't have to compile a program.
They don't have to do much of anything. They just send this little small string. [00:04:50] And if that string gets logged, for instance, by my SSH, my remote access daemon, or gets logged by the web server or something else, all of a sudden that wonderful little feature that allowed you to easily log things is your enemy, because that feature is going to interpret that particular string that was sent to the log and try and be helpful. [00:05:18] But in fact, it could be given a command to download this remote file and then run that remote file. And that remote file initially here has primarily been crypto mining software. So now your computer's being used by someone else. Your electricity's being used to mine things like Bitcoins or some of these other cryptocurrencies that are out there. [00:05:45] Now the real reason this is a huge, huge problem. Again, let me quote here. This is from Amit Yoran over at Tenable. It is by far the single biggest, most critical vulnerability ever. Why is that true? There's a couple of reasons. Ease of use is the obvious reason. It is so easy to use, not just for crypto mining, but for hacking any machine you would care to hack. [00:06:19] And then the second reason is it is embedded everywhere. There are millions of computers that are vulnerable. We're seeing a hundred computers per minute being hacked using this vulnerability. And if you are running, let's say, a firewall that has this vulnerability. We have some clients that had this vulnerability and it is obviously a bit of a problem, right? [00:06:51] Well, that vulnerability now allows bad guys to get onto that firewall, and perhaps beyond that firewall, in order to do pretty much whatever they want to do. This is huge, huge, huge. Lots of software has flaws, and you need to be able to recover from the flaws. I've talked many times about how there are only two types of software.
[00:07:23] There is software that has been hacked and there is software that will be hacked. So you need to make sure, you know, that if someone gets into your network or gets into your computer, that you can restrict the damages, you can keep it under control. But with this Log4j vulnerability, it's everywhere, not just in that one library, but remember that one library is used all over the place. [00:07:52] It's in hundreds of thousands of pieces of software. Now, every one of these vendors has to grab the most recent version, recompile their software and re-link it with its dependencies, right? I understand this is Java, and then send it out to all of their customers to install the software. This is the second reason [00:08:15] it is such a big deal. There will be sites. There will be pieces of software that have this vulnerability for years to come. And one of the biggest examples of this vulnerability is almost every Android device out there. Think of all of the phones. People have Androids being used for tablets, it's in televisions, it's everywhere. [00:08:40] And with this particular vulnerability being everywhere, every vendor that uses Android is going to have to release patches that you're going to have to install. Now it's one thing to have a brand new TV, and we've got a brand new Samsung TV and it's hooked up to the internet. It streams Disney and Discovery. [00:09:05] And it's just a wonderful thing. I love my TV, right? Then of course you probably realize I don't use smart TV features because of this particular type of problem. What ends up happening? Well, how long is Samsung actually going to support updates for your television, or Vizio, who, by the way, is one of the worst companies when it comes to the privacy of your information on your television? How long, uh, how about your Android phones? [00:09:39] More than half of all Android smartphones out there will never get another software update.
If you are still using Android smartphones, now is the time to switch to an iPhone. I have been talking about this for years. I am not, like, the world's biggest Apple fan. I'm not trying to make everybody an Apple fan. I really don't care. [00:10:06] What I do care about is the ability of the software designers, those software implementers and the hardware manufacturers, the people that are in the supply chain on that Android device. I care that they do provide updates when it comes to security problems. And if you're using an iPhone, yeah. Again, two types of software, right now, like, phones have had vulnerabilities that can be vulnerable, but Apple is supporting right now, still, the iPhone 6S, which came out what, five or six years ago, [00:10:46] with full security updates. They've even gone back further sometimes. So make the switch right now. If you are an IT professional, I've got this whole list of resources that I vetted, I know are good, that you can use to scan for this vulnerability in your network or on your hardware. Just email me at me@craigpeterson.com. [00:11:12] And if you have any questions about this or cybersecurity in general, just reach out again, me@craigpeterson.com. [00:11:21] Did you know that cyber flashing is a thing? We talked about it a couple of years ago, but it's back in the news this week, and also Apple AirTags. They just released a new feature for our friends with Android. We'll tell you why. [00:11:38] Have you seen these AirTags? Have you used them? They came from an idea that was really pioneered by a company, Tile. And I guess they, I don't know what happened with the patent. I guess it didn't have one, or Apple wouldn't have been able to do this, but then again, you know, you've got a really big company you're up against, it doesn't matter whether you're in the right. [00:12:02] Sometimes I'm not sure what happened there, but they have these trackers called AirTags.
And I mentioned before on the show that my daughters have a total of five cats, well, actually six cats, now that I think of it. And what they've done is bought AirTags and put them on all of the cats' collars. So they took them, they've got them fastened on with this little holder. [00:12:31] You can get all kinds of holders. The AirTags themselves are just little round buttons, really, and you can stick them into your wallet, for instance, in case you keep forgetting or losing your wallet. You can also put them into a holder so they go on a key chain. I have a couple of flashlights at the house. [00:12:50] And if you're like me and you have other people around and it's dark and they know where your flashlight is, they'll take and borrow it. Right now, you don't get your flashlight back. It kind of bothers me. It probably shouldn't bother me as much as it does, but then when I need the flashlight, I just can't find it. [00:13:12] So, what did we put on the flashlight? We put an AirTag on there. So the AirTag ties into your iPhone. And if you have a newer iPhone, it's just absolutely amazing, because the AirTag will tell you where it is, but with the newer iPhone, you can use it and it will walk you through, up to the AirTag, like, okay, it's a foot in front of you on the left-hand side or whatever, it'll take you there. [00:13:42] It's very cool. It's like these futuristic sci-fi movies. The problem with AirTags that we discussed on the air here is that they have been used for evil. And what the bad guys have been doing is they'll take an AirTag. They might drop it in your purse in order to follow you. Isn't that scary? They also have been taking the AirTags and putting them on expensive cars so that they can follow you home. [00:14:16] Now, obviously nowadays it's extremely hard to steal one of the more expensive cars, cause they've got all of this automation in them. The fancy systems do stop you from stealing it.
Even my old F150 had a little chip built into the key so that it wouldn't start unless that key was starting it. It actually had that RFID chip in it. So this technology [00:14:45] isn't being used so much to steal the car, but to know where you live and when you are home and when you're not home. You know, I've been warning everybody for many years not to post on social media about vacations, saying, oh, we're leaving. We're going to be gone in the Caribbean for two weeks. We're going for a New Year's party here, Christmas there, Hanukkah celebration, whatever it is you're doing, because the bad guys use that information to [00:15:19] break into your home and to steal things from your business. And I'm going to get into all of the details right now of how they do that. I've talked about it on the show before, and I'm sure I will talk about it again. And you'll even see some of the references on my website at craigpeterson.com. [00:15:36] If you're interested, there are some real interesting stories up there, what's happened to people. That particular problem of having an AirTag and then having it put onto you to track you, or to track your car or other devices, is a huge potential problem. Now, Apple built into the iPhone a special little feature some time ago, in fact, when they came out with the AirTag, [00:16:11] so that when an AirTag is following you, in other words, someone dropped it into your purse or your pocket or on your car, and that AirTag is moving with you, it says, hey guy, uh, there is an AirTag following you. And at that point you can say, wait a minute, uh, what's going on here now? It's not going to warn you about your own AirTags. [00:16:35] You know, the ones that you own. It's going to warn you about a foreign AirTag, one that's not yours. In other words, someone's trying to track you. So, brilliant move on
Apple's part to get that out right away before there were any really scary, bad news stories about the same thing happening. How about Android users? [00:16:57] That's where the problem really is starting to come up. If you're an Android user, you don't have the ability to detect an AirTag, well, until now. So if an AirTag was following you, it wouldn't let you know, it couldn't let you know, it didn't know. So Apple is now offering what's called Tracker Detect. [00:17:21] It's an app on the Google Play Store, a free app that you can download if you're using Android. And, you know, there are many, many, many, many reasons not to use Android, and there are almost as many to use iPhones. Okay. So if you use an Android, switch to an iPhone, but if you're stuck on Android because that's what your business gave you and you have to use it, have a look for Tracker Detect. And the app's description on the Play Store says Tracker Detect looks for item trackers that are separated from their owner and that are compatible with Apple's Find My network. [00:18:02] These item trackers include AirTags and compatible devices from other companies. If you think someone is using an AirTag or another device to track your location, you can scan to try and find it. So, I'm not sure that it's as good as the Apple implementation, where the Apple one will pop up and say, even though you're not scanning for an AirTag, say, hey, somebody's tracking you. [00:18:31] It sounds like you have to actually use it, just scan for it. But Android users, according to MacTrast, can scan the area to find nearby AirTag trackers if they think that there's an AirTag or other device that's being used to track their location. Uh, an Apple support document that you'll find online on support.apple.com [00:18:57] says, if you think someone is using an AirTag or other item tracker to track your location, you can scan to try and find it.
If the app detects an AirTag near you for at least 10 minutes, you can play a sound to help locate it. So that's the part that makes me think that it's always active. Okay. On your, on your Android device, it's free and you can get it right there in the Google Play Store. [00:19:23] This next item is really, it applies to all of us here in the US, and it applies also to people over in the UK. And the UK is really getting kind of upset about this because apparently there are no laws against cyber flashing. Now there are in the US, and it kind of depends on where you live, but cyber flashing is really a crime, or should be a crime. What's been happening [00:19:58] is people, again, who have iPhones have this ability to share files or websites, et cetera, with another person. It's fantastic. It's called AirDrop. I just love this. And I use it all the time, even to share files between my own devices. And what happens with AirDrop is you take the file and you open up AirDrop and you see, oh, okay. [00:20:26] There's my wife right there. So I click on the file. I drag it on top of her little Karen icon in AirDrop, and now she gets a notice. Hey, there's a file from me coming on in, and it does well. I always, in my family and my business people, I always set their AirDrop settings to only allow an AirDrop from people that are in my contact list. [00:20:57] And the reason for that is this particular problem. People have been cyber flashing. So what they do is they send obscene pictures to strangers through AirDrop. And this term can also, of course, apply to Bluetooth devices, because you can also send these things via Bluetooth. I don't want to really talk a lot about what's really happening here. [00:21:28] Hopefully you know what flashing is, or a flasher is, sending these obscene pictures, but the term was coined in August 2015. This female commuter was AirDropped two pictures, obscene pictures, and they reported it to the British Transport Police.
But we've seen, I have seen, and I've talked about cases where people are driving down the highway and all of a sudden on their phone come these obscene pictures, because someone was driving past and they AirDropped, or they used Bluetooth, to send obscene pictures. [00:22:09] There is an easy way to not allow that to happen. And that is the setting that I use, which is only allow AirDrop from people in your contact list. You know, these are absolutely amazing features that they have, but there are some really weird people out there that think that this is a fun way, uh, to really mess with other people. [00:22:36] It's just crazy. Okay. By the way, you can also turn AirDrop off if you never use it. Don't worry about it, or turn it on when you need it and when someone's going to send something to you. Hey, I want you guys to take a couple of minutes here. If you go to craigpeterson.com/subscribe, you're going to find out about the boot camps we have. [00:23:01] You're going to get my weekly trainings that I have. These are just an email. They just last a few minutes. You are going to love them. I get all kinds of compliments, and this is in my free newsletter. Okay. It's not going to cost you anything. I'm not going to be hammering you on buying stuff. I want this information out. [00:23:24] That's why I am here today. Everybody needs to understand this stuff. craigpeterson.com/subscribe, and I will be seeing you in the email world. [00:23:39] One of the things we wonder the most about is what's the future. What's the future of laptops and the future of computers? We talked about some of these new chips that are out there, but this is an interesting story about what Dell is doing. Yeah, Dell. [00:23:55] I want to follow up a little bit about the 3G shutdown. We didn't quite get through the list. [00:24:02] Almost all of the Volvos from 2015 on to 2018 have this problem.
There's only two automakers that told TheDrive.com that US vehicles are unaffected by the end of 3G. So if you own a Ferrari or a McLaren, you're okay. Okay. Also what's interesting is what the different guys are doing. Subaru has an interesting little plan here going forward. [00:24:35] If you have what they call a connected vehicle plan, and this is according to a service bulletin filed with the National Highway Traffic Safety Administration, then they will do a retrofit at no cost. How's that for nice? A lot of these manufacturers are upgrading to 4G. Yeah, the, uh, you know, LTE, the stuff that was really fast. You remember that? I was remembering getting 50 megabits and that it was just incredible. [00:25:05] But at any rate, they're offering that and the option to purchase a subscription to 4G. So you'll be able to get two gigs of data per month at $10 a month. Now that's for some manufacturers, not all of them have it. $30 a month if you want unlimited data. So depending on how much you're driving. GM started pushing a free over-the-air update in October to keep OnStar running [00:25:32] after the 3G shutdown, though some 2015 model year cars will need a hardware upgrade. Tesla says it plans to charge $200 to upgrade older Model S vehicles, but no additional fees are noted for it. Toyota and Lexus are not planning to retrofit affected vehicles. In its public FAQ, Toyota cites a clause in its disclosures that said certain connected services may change at any time without notice. [00:26:08] And when The Drive asked Toyota if it plans to offer an upgrade, paid or otherwise, for consumers who own affected vehicles, the answer was assumed no. And Toyota, by the way, is one of the companies that has decided, hey, um, we're just going to go ahead. And, uh, you, you know, that remote start that you got for those cold winters? [00:26:31] Yeah.
We've decided that, uh, even though you paid for it, you know, what, three, four years ago, we're going to start charging you monthly to use your remote start. Uh, come on guys. So have a little look. Um, try and find out, talk to your, uh, your automotive dealer, or go to DuckDuckGo and look up your car and type in 3G, uh, end of life at the same time, and see what it comes up with for your model in there. [00:27:05] But I am very disappointed with Toyota. I have some friends that just love Toyota. I bought a brand new one way back when, when would have been like '82, '83, something like that, a great little car, a Cressida with a Supra engine in it. And I drove that for quite a few years. A good, tough little car. I had to keep replacing the water pump, but that was the only problem we ever had with it. [00:27:31] But I haven't owned a Toyota since then, but this is, and I've actually been thinking about it lately, but this is something that really turns me off. I don't know about that. Let's get into our next little problem area. And that is fleet managers. If you are relying on electronic logging devices and other internet of things devices to track your trucking fleet, [00:27:57] there's some problems. Uh, let's see here, here's a quote. This is from Czech Republic. Uh, John Nichols, executive vice president of sales for North America at MiX Telematics, estimated that about 80% of his customers are still using 3G devices. Now this was about a year ago. This is from a November 2020 article. [00:28:22] So this is going to be a very big problem for you as well. Uh, for any people who have fleet vehicles that they're trying to maintain, hopefully you know about this. Hopefully your vendors are going to take care of it for you. I'm impressed. GM set their cars up with the hardware that can handle 3G and 4G. [00:28:44] And all you need is a software upgrade to have it switch. I think that was very smart of them. So, kudos to GM for that particular thing.
Dell. Let's get into the future of computers and laptop design. Dell has been doing some interesting things. Now you probably heard me a couple of weeks ago bemoan Dell, because they have business [00:29:06] specialists and experts that you can call that really know almost nothing about what you really need. And it just drives me crazy, because Dell has been selling my customers hardware that doesn't meet the customers' needs, because frankly the customers don't really know what their needs are. And so that's something that I've helped them with. [00:29:28] And if you email me@craigpeterson.com, I've written up on what the best computers to buy are based on what it is you need, you know, what, what are the tricks that you need to follow. But what Dell is doing right now is something they're calling Concept Luna, and I've seen things like this before. There was a, a cell phone that was being manufactured that allowed you to change modules. [00:29:58] They were literally just click and go, and kind of like Lego, almost, and the phones weren't that popular. I don't even think they're in business anymore. I can't remember their name, but those particular click-and-gos were clicked and gone, is kind of the bottom line on it, because they were kind of big, [00:30:19] they were kind of clumsy. They weren't really something people wanted to use. You know, Android comes from Google, and Google has their basic tests and says, this is what Android should look like, but every manufacturer puts their own look and feel on top of that Android operating system. And what that ends up doing for you is, you know, makes it a little more pleasant and also [00:30:49] so that you don't really, really want to go and change your phones, because you're used to the way this particular phone works. But Dell is looking at doing kind of the same thing. They're looking at this electronic waste problem where you have a laptop, it gets old, you throw it away.
And, but now it looks like there's more sustainability [00:31:14] built into things like this Luna design. They're trying to make the company's laptops more environmentally friendly, and in the process are going to make them more repairable, which is kind of cool. If you look at what Apple's done in their laptops, there's basically nothing inside there that's user-replaceable. [00:31:36] Okay, you can probably replace a battery. I use a company, I've had their president on my show a few times, uh, Larry, um, O'Connor I think it is, his last name, but OWC, Other World Computing, and they've got little upgrades and replacement parts and videos on how to do it and all the tools you need to, to upgrade your Mac. [00:32:00] But nowadays Apple is soldering the memory on the motherboard, or even more recently, using the Apple chips. And by the way, this is part of the reason they're so fast. They are putting the memory right on the same silicon as the CPU itself. So they're moving towards one chip with everything on it. So if you buy an Apple computer nowadays, I love them, [00:32:29] they are great, they've got great security built in, et cetera, et cetera, but you better buy a computer that has enough memory and enough storage on it to last you for some years. Because a lot of these computers, I'm picking on Apple right now, but there's a lot of other vendors the same way, they are not upgradeable. But Concept Luna should work pretty well, borrowing [00:32:56] this idea from, that's right, it was Framework. That was the name of it. Anyways, stick around and visit me online, craigpeterson.com. [00:33:05] If you own a car and that car has been made, uh, all the way up to 2021, and your car is using the internet via 3G, which is most cars, I got a little news for you. [00:33:22] We are looking at a real big problem here that most people haven't heard of.
[00:33:29] I was talking, in fact, this week on the air with someone who has a car, a Volvo, and they have a remote little starter, which has been great for... And they were informed that they needed to do an upgrade, and that upgrade turned out to be very costly. I had another listener who has a solar panel on the roof of their house, and their solar panel on that roof is designed to [00:34:03] be able to get updates, software updates, let you know what's the charge like, how much sun is there today, maybe you should brush off some of the snow. All of that is communicated by the... But how, how was that working? The problem that most vendors have is, uh, how do they get the data to and from their devices? [00:34:30] If you think about, for instance, Elon Musk with the wonderful little Tesla cars, they want to push an update, and we're seeing this more and more. By the older cars, most cars, non-Tesla, as you take them into the dealer for service, and while it's there they go ahead and plug it in, they download new software, firmware, from the internet and install it on your car. [00:34:56] And you are off and driving. Maybe you're none the wiser, maybe you got some new features. So it's one thing for them to have control over a basic network, uh, a network that a car dealer might have, where they say, okay, here's the specs, you need this much download speed, you need that, you need the other thing. Simple enough. [00:35:20] But how about you and your home, or you and your business? How does that time system keep track of the employees when they sign in and out? Does it upload it to the internet? Did you have to plug it into your network? Did you have to hook it up to your Wi-Fi? I can tell you from personal experience, anytime we touch your network and there is a [00:35:45] problem later on, we own the problem, even if we had nothing to do with it. It's again, it's another Craig-ism: whoever touched the computer last owns the next problem.
So these vendors have decided, well, we can solve that problem. All we need to do is use cellular phone data. So they put effectively a little cell phone onto their devices, [00:36:13] just like that Volvo we were talking about, or other high-end luxury cars. So the solar panel has a 3G modem in it. The cars have 3G modems in them to unlock the doors, to start the car, in many cases, right? They also have updates that come down from the cloud, quote unquote, over 3G for your navigation system to let you know, hey, there's heavy traffic, [00:36:45] I'm going to reroute you. We're rerouting. All of that data coming from the 3G network, coming through it, or being pushed up via the 3G network, all of that data is in trouble. And it's in trouble because every major carrier is eliminating 3G next year. Yeah, it is really that bad. AT&T is shutting down 3G services in February, [00:37:16] Sprint's following in March, and T-Mobile in July, and Verizon on December 31st. All of them, 2022. That is a very big deal and a very big problem. So what can you do about it? Well, it depends. The roof solar panels we were just talking about, their vendor told them they could do the upgrade for them, and it would be $800. [00:37:47] Very, very big deal. We also had other people who were talking about their cars and what had to happen with them. And the cars look like they're tending to be more expensive. You can expect to pay between $500 and $2,500 for an upgrade, because many of them are saying, hey, you know, we're not going to just fix this one problem, [00:38:10] we have to replace the whole module. And that means replacing your infotainment system in your car. Infotainment, of course, being basically everything that has to do with your GPS navigation, your satellite radio, your, uh, your CarPlay from Apple or Android Auto or whatever it is you might be using. [00:38:33] That's why it gets so expensive. So keep an eye out. This is going to be a very, very big deal.
We're looking at everything from owner applications, like going ahead and starting that engine to warm it up, to emergency call services, to navigation functionality, reporting telematics, which is the data about your car, back to the dealer. [00:39:02] Ultimately, so, you know, your car says, oh, uh, you need to go in and get your oil changed. And it's going to be, you know, we can set up an alarm if you want it. And you know, some of them are very, very fancy. And all of that is going to go away, and it includes a lot of luxury cars, all the way through some 2021 models, but many, many of them, if not most of them, through 2019. [00:39:29] Okay. Is that a very, very big deal or what? These 3G towers are going away. The companies, the cell phone companies, are planning on reusing that bandwidth, and they're going to put it into, where? Yeah, 5G, exactly, 5G. So here's a few of the cars that you might want to be concerned about. Acura: they have something called AcuraLink, and they have, let's see, the MDX, ILX, RDX, uh, RLX, TLX, NSX. That kind of sounds like almost all of them. [00:40:06] So Acura is going to have a problem with almost all of their cars that were made between 2014 and 2017. Audi: they're going to have problems with, again, all their cars, A3, A4, A5, A6, A7, A8, the RS, Q3, Q5 and Q7. Yeah, pretty much all of their cars from 2012 through 2018. So Audi saw this coming and decided to fix it early, so good for them. [00:40:39] So basically if your car is older than the 2018 model year, you're going to have some problems. Bentley: a number of models produced prior to 2020. And if you're driving a Bentley and you want to give it to some guy, you know, really great-looking guy, you can just let me know. Craig, yeah, yeah, [00:40:57] me@craigpeterson.com. BMW: a number of models produced before 2019. General Motors:
models made between 2015 and 2021 across its fleet will be affected, but it's not breaking it down with specific vehicles across its brands of Buick, Cadillac, Chevy, GMC. But they did, in this case it's The Drive, track down a technical service bulletin that indicates almost every post-2015 model is affected. [00:41:32] Okay. Yeah. Bye-bye. Honda: again, pretty much everything from 2018 to 2021. Lexus: all models 2010 to 2017. Mazda: pretty much everything, 2016 to 2019. Mitsubishi: every Eclipse Cross and Outlander. Porsche: 911, 918, 718s, et cetera, et cetera, all of them, 2014 to 2019. Subaru: pretty much everything 2016 and on. Tesla: Model S built before 2015. Toyota: [00:42:14] ooh, they got some interesting problems, 2010 and on. Volkswagen: much the same. Stick around. Visit me online, craigpeterson.com.
Hello everyone and welcome to ZD Tech, the daily podcast of the ZDNet editorial team. My name is Louis Adam and today I'm going to talk to you about the Heartbleed flaw, and how it raised, at scale, the question of securing open source. So, what is Heartbleed? It's the name given to a security flaw discovered in the OpenSSL project. And OpenSSL is free software providing essential tools for setting up data encryption on the internet. Created in 1998, OpenSSL saw its popularity grow as the internet developed and secure exchanges gained importance. By the early 2010s, almost everyone was using OpenSSL. The software prevents, for example, your password or your banking details from travelling over the network in the clear and unprotected. But in 2014, a grain of sand derailed this fine machine. Researchers discovered a flaw that had been present in OpenSSL for more than two years. Officially identified as CVE-2014-0160, it was given the nickname Heartbleed and a dedicated logo, a marketing effort meant to draw attention to a flaw that the researchers behind the discovery judged very serious. This vulnerability lets an attacker retrieve confidential information from affected sites and services. The list of those affected includes websites, applications, operating systems and the firmware used by network equipment. This kind of vulnerability, affecting a very popular component, is not always easy to fix. In 2019, a little more than five years after the flaw was discovered, systems vulnerable to Heartbleed could still be found on the internet. The Heartbleed shock nonetheless pushed the ecosystem to ask where the problem came from.
Many experts and journalists pointed out that, despite its immense popularity, the OpenSSL project was a small piece of free software. In 2014 it could count on only two full-time employees and a little under $2,000 in annual donations to keep running. Hard, under those conditions, to guarantee bug-free code. This realisation pushed the software industry to react. That is how the Core Infrastructure Initiative was born, since become the Open Source Security Foundation. The goal of this body is to head off the next Heartbleed: it tries to secure the open source projects judged essential, relying on funding from the tech giants such as Google, Amazon and Microsoft. Easier said than done: the means of this kind of initiative remain thin compared with the profusion of small projects that rest on limited resources and the goodwill of volunteer developers. And today, open source projects can quickly become essential building blocks for many major services. And that's it, we should have covered the subject. To learn more, go to ZDNet.fr, and find a new episode of ZD Tech every day on your favourite podcast platforms.
Door #2 of the Security Advent Calendar: Christoph explains what Heartbleed, probably the most serious and best-known security vulnerability in the history of the internet, is all about.
https://twitter.com/Esquiring - Fred Jennings
Vulnerabilities Equities Process (VEP), vulnerability disclosure program (VDP), and what is the best way to disclose a 0day? ('proper' is different and dependent)
This show was inspired by this Tweet thread from @k8em0 and @_MG_: https://twitter.com/k8em0/status/1459715464691535877 https://twitter.com/_MG_/status/1459718518346174465
Legal safe harbor? Copyleft for security researchers...?
What is a VEP? Not a new concept (2014): https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
Context: written when Heartbleed came out. About transparency, but within reason. From the blog post: "We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability: How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems? Does the vulnerability, if left unpatched, impose significant risk? How much harm could an adversary nation or criminal group do with knowledge of this vulnerability? How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it? Could we utilize the vulnerability for a short period of time before we disclose it? How likely is it that someone else will discover the vulnerability? Can the vulnerability be patched or otherwise mitigated?"
Gov orgs involved in the VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter
Companies have a VEP too (every time they issue a patch), but they aren't always transparent about it. Embargoes aplenty: https://www.redhat.com/en/blog/security-embargoes-red-hat https://xenproject.org/developers/security-policy/ (creates a caste system of 'haves and have-nots'... important vs. not important); bad guys will target the people not on the inside. 0days benefit from a non-transparent VEP.
https://www.randori.com/blog/why-zero-days-are-essential-to-security/ Randori had a 365day... https://twitter.com/_MG_/status/1459024603263557633 https://twitter.com/JimSycurity/status/1459152870490574854 Preferred patch 8.1.17, issued October 2020.
A VEP does not always have to be about a 0day... it can be about solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml "The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs."
In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed... pick 1)
Separating wheat from chaff - 'lol, i got root, pay me plz'
Fear of NDAs and gag clauses
Do people expect to be paid? Setup of a 'cheap' program? What if you don't have a budget to pay out (or more accurately, management won't pay out)? Will people then not disclose? Should you pay? Use a 3rd party?
In April 2014 a bug became public that the expert Bruce Schneier rated an 11 on a scale of 1 to 10. The bug, which became known as the Heartbleed bug, affected millions of websites and allowed confidential data to be stolen, including server passwords and private keys. The bug sat in an extension of OpenSSL, the de facto standard library for secure, encrypted communication on the internet. Through Heartbleed, a single request could read up to 64 KB of main memory from the server. The cause was a forgotten check of one parameter. Really a bug of the kind that occurs every day and would normally be found and fixed just as quickly. But with Heartbleed it took 27 months before the bug was discovered and published. Narration and production: Wolfgang Schoch. Music: BACKPLATE by https://josephmcdade.com
Shortly after OpenSSL's Heartbleed, Shellshock was discovered lurking in Bash code two decades old. How could open source software be vulnerable for so long? This episode looks at how fuzz testing has evolved over the years, how open source projects have for the most part gone untested over time, and how new efforts to match fuzzing to software development are today helping to discover dangerous new vulnerabilities before they become the next Shellshock.
Virtual Reality, project prioritization, and smart but upset tummies 00:00 Intro 00:56 Syndicating makers.dev clips 03:35 Clips.marketing as a consultancy vs. SaaS 13:58 Avoidant attachment style 16:00 Virtual Reality and the Oculus Quest 2 19:21 Unity VR development 21:23 Chris's 17 projects from 2020 26:02 How do you prioritize what to work on next? 31:22 Optimizing for fun work is important 34:23 Runway anxiety and optimization 39:31 Kids are productively challenging 42:14 Is your stomach or your brain in charge? 43:00 Gotta make the monkey happy 44:43 Camhead.app as a profitable Tamagotchi 48:38 Clips.marketing architecture Timestamps created with https://clips.marketing by @cgenco
For two years Heartbleed was a zero-day in OpenSSL until fuzz testing exposed it. How many others are in the wild now? And how will we find the next one? In this episode I talk about how Heartbleed (CVE-2014-0160) was found and also interview Rauli Kaksonen, someone who was at Codenomicon at the time of its discovery and is now a senior security specialist at the University of Oulu in Finland, about how new security tools are still needed to find the next big zero-day.
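The two mechanisms the episode descriptions above only name, the forgotten length check in the heartbeat handler and the fuzz testing that exposed it, are shown here in an added example. This is not code from OpenSSL or from any of the podcasts on this page; it is a self-contained C model in which a heartbeat handler written in the shape of the pre-fix tls1_process_heartbeat() sits beside one with the April 2014 bounds checks, and a length-field sweep with a leak oracle stands in for what a protocol fuzzer automates. The 256-byte arena, the "ping" payload, the secret string placed just past the record, the handler names and the clamp that keeps the demo's over-read inside the arena are all constructed for the example; real OpenSSL read up to 65535 bytes of whatever followed the record and also appended fresh random padding to the response, which is left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding */

/* Constructed "process memory" for the demo: the received record sits at the
 * start of the arena and unrelated data follows it, as on a real heap. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "TOP-SECRET-PRIVATE-KEY";   /* constructed neighbour */

/* Build a heartbeat request carrying a 4-byte payload "ping" plus 16 bytes of
 * padding, but with the length field set to `claimed`. Returns the bytes
 * actually received, i.e. the record length the TLS layer reports. */
static size_t build_request(unsigned int claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, "ping", 4);
    memset(arena + 7, 0xAA, HB_MIN_PADDING);
    size_t rec_len = 3 + 4 + HB_MIN_PADDING;            /* 23 bytes on the wire */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);     /* lives just past the record */
    return rec_len;
}
typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Vulnerable handler, shaped like tls1_process_heartbeat() before the fix: the
 * 16-bit length read from the packet is trusted and memcpy copies that many bytes
 * from the payload pointer, running past the record. The arena clamp is demo-only. */
static int hb_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    const unsigned char *pl = p;
    (void)rec_len;                                   /* the bug: never consulted */
    if (hbtype != HB_REQUEST) return -1;
    if (3 + payload > out_cap || (size_t)(pl - arena) + payload > ARENA_SIZE) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);                    /* over-read happens here */
    return (int)(3 + payload);
}

/* Hardened handler, shaped like the April 2014 fix: first the header, then the
 * claimed payload plus minimum padding, are bounded by the bytes received. */
static int hb_hardened(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;            /* silently discard */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    const unsigned char *pl = p;
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > rec_len) return -1;   /* the fix */
    if (hbtype != HB_REQUEST) return -1;
    if (3 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);
    return (int)(3 + payload);
}

/* Did the response carry the bytes that sat next to the record? */
static int response_leaks_secret(const unsigned char *out, int n) {
    size_t slen = strlen(SECRET);
    if (n < 0 || (size_t)n < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* The oracle a protocol fuzzer applies: sweep the length field and count the
 * responses that echo more payload than the request actually carried. */
static int sweep_length_field(hb_handler handler) {
    unsigned char out[ARENA_SIZE];
    int leaks = 0;
    for (unsigned int claimed = 0; claimed + 3 <= ARENA_SIZE; claimed++) {
        size_t rec_len = build_request(claimed);
        size_t sent_payload = rec_len - 3 - HB_MIN_PADDING;    /* always 4 here */
        int n = handler(arena, rec_len, out, sizeof out);
        if (n > 0 && (size_t)(n - 3) > sent_payload) leaks++;
    }
    return leaks;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(64);                  /* claims 64 bytes, carried 4 */
    int n = hb_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: %d bytes back, secret leaked: %d\n", n, response_leaks_secret(out, n));
    printf("hardened: %d; sweep leaks vulnerable=%d hardened=%d\n",
           hb_hardened(arena, rec_len, out, sizeof out),
           sweep_length_field(hb_vulnerable), sweep_length_field(hb_hardened));
    return 0;
}
```

The oracle is the practitioner's point: a fuzzer does not need to know what a leaked byte means, only that the peer answered with more payload than it was sent. That is why the same sweep that flags every over-claimed length against the vulnerable handler flags nothing against the hardened one, which discards any record whose claimed payload plus minimum padding does not fit in the bytes it actually received.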
Resources: Eric's book, Security from Zero; Eric's company, Brindle Consulting; Eric's Twitter; Amelia's Twitter; Nate's Twitter.
Welcome to the podcast. Our show is a conversation with experienced software engineers where we discuss new technology, career advice, and help you be amazing at work. I'm Nate Murray and I'm Amelia Wattenberger and today we're talking with ex-Google engineer Eric Higgins, who is the founder of Brindle Consulting and co-author of the book Security from Zero. https://www.brindleco.com/
In this episode we talk about how to think about security as a developer and how to take the responsibility we have seriously. We talk about how to take a preventative and proactive approach to your security, and that means we cover:
How to deal with extortion threats by having a bug bounty program
How to think about automation tools when it comes to security
What resources you should read if you want to get better at security
How much does a web developer need to know about security, really?
Eric has worked in security for a long time and he does a great job at being pragmatic, making sure the security goals are in line with the business goals. Amelia and I really enjoyed our conversation with Eric and I'm sure you will, too. Let's get started.
Eric Higgins Podcast
Nate: [00:00:00] All right. So Eric, welcome to the show. Just kidding. Thanks for having me, Nate. Your company is Brittle Consulting, so tell us about it.
Eric: [00:00:07] Brindle Consulting. I basically help my clients who work in the tech sector and have customers, have been customers. They're profitable, but they've avoided working on security for a little bit too long, and now they are finally starting to realize that they have some problems that they need to address, and it's becoming overwhelming.
So I help them create a very practical security program so they can start to address these things, so that they stop feeling like they're reacting to all this stuff and start taking some proactive approaches.
Nate: [00:00:37] What kind of stage company are we talking about here?
On Bug Bounties
Eric: [00:00:39] The types of stages of clients that I thought I would get are very different than what I've actually had to work with. Here's like the common denominator in all these cases. Usually they'll have like a security@mycompany.com email address set up where people can report security issues, and they, inevitably, will start to receive these emails from security researchers. I'm quoting here, "security researchers," and it's usually people who are running these scripts that look for common vulnerabilities against like somebody's website, and they're basically trying to extort these companies for money to pay out because they don't have a bug bounty program in place. And what that really means is that they don't have a policy in place to say that for these types of vulnerabilities that we're willing to pay for, you'd report to us responsibly, this is how much we pay, right? And these are the rules by which this game is played. So they start to get overwhelmed because they constantly get hit by all these things, or all these emails from these researchers, and they start to feel overwhelmed. And it gets to the point where the individuals who are responding to all these emails or all of these security-related issues start to realize that like they can't get any of their normal work done, because they're just buried in all these security-related requests, and they realize, like, as at any other company for any other position, you need somebody to be doing this stuff so that you're not the one doing it. So then they come to me and they say, how do we avoid this problem?
Maybe we're not at the stage yet where we can hire somebody to work on security full time, for a variety of reasons, but maybe we can do some things to make sure that we don't feel like we're buried in this work and we're not constantly getting distracted from working on our product, but still making sure that we maintain a certain level of security and know how to respond when these things come up.
Nate: [00:02:26] Yeah. I want to talk about the bug bounty programs a little bit. So going back, you're saying you used air quotes around "security researchers." The implication is they're maybe not really researchers, but maybe they, what's the idea? That they're using automated scripts or something to find these vulnerabilities and they're just trying to collect bounties? Or are they actually trying to say, like, we found the security hole and we're going to exploit it if you don't pay us a ransom? What are you implying here?
Eric: [00:02:49] So it's a little bit more of the former. I mean, I guess there's a hint of the latter in there. So here's what I really mean by this. So not to admonish anyone, because I think that there, I mean, I know that there are a lot of real security researchers out there who play by the rules, but there's a certain class of individuals, and there seems to be a network of them, that they tend to come from like third-world countries, or where they have internet access and like they're just looking for some way to make money. Right. So, you know, it's a noble cause, I suppose, but they specifically seem to target companies that don't have a published responsible disclosure policy. So responsible disclosure is really like the umbrella term for what a bug bounty policy is, or a bug bounty program. It's a way to report security issues to a company in a responsible way, where the opposite would be like they just publish about it on like Reddit or Hacker News or a blog or something and make it public to the world without telling you first. Right?
So the old-school mentality, or approach to this, that a lot of companies used to take was, if you reported security issues to us, we would assume that you were a hacker and we would start to litigate against you, right? We would take you to court and sue you because you're hacking us. So that approach doesn't really work. Like, that's stupid and nobody should do it, and I have a firm position on that. Instead, the way that the landscape has shifted is now there's actually companies in existence that will help you create and run a bug bounty program, where it's an incentivized responsible disclosure program. That's what the bug bounty is. And you basically say, like, for this class of security issues, we'll pay you X amount of dollars. So just to give you some examples. So Google, I think, has different classes of bounties that they'll pay out, and I think the highest is something like $100,000, and that's if you can find a security, like a major security issue in like the Chrome browser or the Android operating system for their phones, right? So there's a very high level of payout for a very, like, deeply technical and, like, widely exploitable type of security issue. More commonly, for like the class of companies that I work with, they'll have some kind of web application. It will be vulnerable to like SQL injection or something else. It's like relatively common that these, I would say the lower tier of security researchers, they're looking for all these low-hanging fruit that they can run some kind of software and scan for these things and find them pretty quickly. Then they contact the companies by email and say, hey, I found all these issues, I would love to get paid for my work. So the problem with this is that there's, I guess, a few problems with this. The first is like they're not really doing a lot of work, right?
They're bringing it to your attention, which is great. But as soon as those companies, and this has happened to a number of my clients, as soon as you pay out with one of them, they tell all of their friends and their network that this company pays out. Then like you start to get inundated, you get piled on with all these security reports, and they may have run the scan once and, like, are sharing all these different security issues with their friends so they can all kind of get paid. So it's a little problematic, and it's problematic because the companies haven't said, these are the rules and here's what we're willing to pay. So when it comes time to, like, reward these researchers who are reporting these issues, they don't have any guidelines to follow to say, this is how much we're going to pay for this type of vulnerability, or this type of vulnerability is out of scope. You can't stalk our employees on Facebook or LinkedIn and try to extort us for higher payment because you disagree with it, because there's no written policy to say these are what the rules are and these are what the payments are. That's kind of where they get stuck, right? Like, not having the policy in place is really, like, the key driver to this, and these researchers, the air-quote researchers, are starting to target those kinds of companies because they know that they can get payment and kind of extort them for a little bit higher.
Nate: [00:06:21] What are the types of classes, of like the tiers, for the types of bugs that people typically pay out for? And also, who gets to decide? Is it just like the company gets to decide somewhat arbitrarily, and they say, like, we said that if you find SQL injection we'll pay out, you know, $1,000? Or are there many cases where it's ambiguous what the actual vulnerability was?
Eric: [00:06:40] I would say it used to be more ambiguous than it is now, because bug bounty programs are much more prolific than they used to be.
It's become almost standardized to say, like for this class of vulnerability, this is the payment tier we're going to pay out. So here's the common case. So it is set by the companies. To answer your direct question, the payment tiers are set by the company and usually go along with what stage they're at and like what their financials look like. So they'll set some kind of a budget for the year to say, this is the max we want to pay for security issues through this bug bounty program for the year. So let's say it's, I don't know, $10,000 or $30,000, whatever it happens to be, it's usually pretty low, around that ballpark. So then they can say, well, we're going to expect in the first year to get, based on our priors, however many we've had from these researchers, maybe twice that many, because now we're like publishing that this thing's available. So we'll expect to see more for a specific type of vulnerability. Like let's say it's low hanging fruit, you're using an older version of some JavaScript library that maybe has some kind of weird vulnerability in it, or the vulnerability is in one of its dependencies or something like that, but the effects of that aren't very great. Like the impact isn't great to your web application. It just happens to be like, Oh, this isn't a best practice. The threat level is pretty low. So thanks for reporting it. Here's like $100. So the lower end is usually like maybe a hundred bucks, something like that, maybe $50. It all depends on the company, what they decide to set. So at the higher end, the types of security vulnerabilities that the companies are looking for are things like remote code execution. Like you can fill out some form on our web application and somehow run code on our server that we didn't expect you to run. Or you can somehow access everything that's in our database that you're not supposed to be able to access. So the classes for security issues are fairly well documented.
There's like, you know, five or six general categories they fall into, but it's really the level of impact that that security vulnerability that they're reporting has, and whether or not it can be reproduced and it's well documented, and all those sorts of things kind of play into whether or not it's actually granted as a true vulnerability or a valid report. So the level of impact that the security issue that's being reported has usually ties directly to the level of payment. So, you know, for a company that's first starting off, I usually recommend a couple of things. First, keep your payment size pretty low, especially for the first year, because you're going to get a ton of low hanging fruit and you're not going to want to pay like $10,000 per whatever weird JavaScript vulnerability that's relatively low. So keep it pretty low for the first couple of years. And then the second piece of advice I usually give, that they don't always follow, is to use a managed bug bounty program. And what that means is you pay these companies who provide the software. It's almost like, I'll use GitHub as an example, like they're GitHub. In this scenario, they're offering the software that hosts this bug bounty program. So that's where the security reports go to and are listed and are managed by teams. A managed bug bounty program is where that company also provides their employees to review and triage the tickets and make sure that they're like written in the proper format, they're reproducible, and all these things before they actually come to your teams. That really helps to reduce the amount of noise, because especially at the very beginning, when you go public with your bug bounty program, you tend to get a really, really poor signal to noise ratio and you want to try and improve that level.
So I usually set the caps pretty low, make sure it's managed for like the first year because you're going to have to manage all the noise, and then as time goes on, you start to increase your budget, you increase the tiers, you can increase the scope, and if you hire people who can manage this thing, then maybe you don't have to pay that company whatever they charge for somebody to manage it for you.

Managed Bug Bounty Programs

Nate: [00:10:19] What are the major players in that space? Who are the companies that are maybe the defaults to go to?

Eric: [00:10:25] The two main ones right now at the time of recording are HackerOne and the other is called Bugcrowd. For all intents and purposes, they offer nearly the exact same services. Their marketing material and their sales team will tell you that there are slight differences between them, and there are, there are some differences. There's differences for the types of integrations their software provides. They'll tell you that there's a different number of security researchers in their platform, and in a lot of ways it's very similar to Uber versus Lyft. HackerOne was first, in the same way that Uber was first and Lyft came later. Same is true, Bugcrowd came later, and also in that same way, I would say that based on my experience, HackerOne is a little bit more aggressive with like their sales and marketing techniques, in the same way that Uber is a little bit more aggressive with their sales and marketing techniques. That being said, I've worked successfully with both these companies. I'm not trying to like bash any of them by making a negative correlation between any of these companies based on, you know, whatever your predilections happen to be about Uber and Lyft. So those are the main players. Now, interestingly.
At my previous role at Optimizely, we used a company called Cobalt who also did, or also offered, a bug bounty program as a software package, like as a service. And recently when I reached out to them to see if they're still doing this, they have transitioned away from that model and more towards almost like an automated model where they scan your systems from the inside and try and look for these vulnerabilities. At least that's the way that I am remembering my understanding of it. It seemed kind of complicated and expensive when I talked to them. Maybe it's a great product, but it was interesting that they had completely pivoted away from the previous model, where they were kind of competing with HackerOne and Bugcrowd, to something that's completely new.

The Role of Automation in the Future of Cyber Security

Amelia: [00:12:01] How much of this space do you think is going to be automated in the next few to 10 years?

Eric: [00:12:06] So my background, I should clarify, is as a software developer, so I try to think of the question of automation in terms of a software developer, like what's possible to automate and like what should be automated. So this is actually a really interesting question, because I've started to see in the last couple of years a lot more tools that offer automation for all these kinds of problems. Like the security space is just like one aspect of this, and I'm sure that like, you know, by next year we're going to have all kinds of crazy blockchain distributed Kubernetes AI driven security tools that are out there trying to sell us products. Whether or not they work, I think is a different question. And if you think about the last few years, like there was this huge push like, Oh man, machine learning is going to solve all these problems for us.
And then a couple of years later people start to realize like, Oh, machine learning is a cool tool for a specific set of problems, like finding patterns and making sure that you're including things in the same kind of pattern. Same for AI. Like there's certain things that they're really good at, but it is not like general AI. Like it doesn't do all of the things that a human being can do very simply. So you have to kind of back away from that. And like we've started to see people sort of backing away from these like very grandiose claims about what those things can do or what they're capable of. So I think to answer your question, I think the same is really true as it currently stands for security software. There's a lot of companies who are offering crazy AI driven, automated tools to do all these things, but whether or not they actually do the things they say, like I think is a different question. And it's really up to the companies buying whether or not they want to go through a pilot program and see if it works for them. What are they willing to pay for it? I think fundamentally, the question for any kind of software as a service comes down to what am I paying for this and how does that correlate to the number of employees that I would normally have to hire to do that job? Right? Are they automating something that is easy to automate, that we could do ourselves? Like is it, you know, just trying to match the patterns that we know and like we could just add a filter to Splunk or whatever logging software we have, or are they doing something more advanced where we're like, we would have to build out a huge crazy complex platform to ingest all this data and then, you know, run a bunch of code against it to find like weird patterns that we would not normally see? How much time does that save us? Not only like at the initial, but also like over the long term. And I think the same answer is true for a lot of software as a service.
Like if you're going to charge a company $30,000 a year for software, but it would cost them an engineer per year to do that same job, like an engineer is going to cost them $100,000 or more. So they're saving a ton of money by using the software instead of hiring an engineer to do that job. So maybe that's a roundabout way of answering your question, but like that's the way that I think about these things. I don't have a lot of firsthand experience with a lot of the newer automation tools that are coming out. Maybe they're great. Maybe they're junk. I mean, I haven't seen evidence in either direction yet, but my gut reaction, to me, I've just like worked in security too long, so I'm always like a little bit skeptical. I'm usually pretty skeptical about what they're offering, like whether or not it's worth the price that they're asking.

How You Detect Hacks

Nate: [00:15:03] You mentioned using Splunk to track logs and to find abnormal behavior. One of the things that I've noticed when I've seen blog posts about security incidents, they might say, you know, we had an employee who had their admin panel password hacked and the attacker had access to all these accounts for like three days and, you know, we were able to track them down and shut them down. What tools would you use to actually detect that? Because for pretty much every company I've worked for, if a hacker got access to an admin's password, no one would ever know, like ever. Like we would never find out that that had happened. So like what tools and processes and monitoring do you put in place to catch something like that?

Eric: [00:15:46] You opened a really interesting can of worms. And here's why. So the question that you asked is how do you detect this? Which, in the question itself, you're already telling me that it's too late because it's already happened. So this is really the type of thing that I focus on with my clients is how do you prevent this from happening?
How do you make sure this doesn't happen? Because if you can make sure that it never happens, or is nearly impossible to happen, or is such a great burden for an attacker to go after that approach, they're going to do something else. They're going to do something that's easier instead. So then like, maybe you don't need a crazy monitoring solution for this kind of hard problem in place, because even if you had it, now, you know, it's too late. They already have it. Right? So how long would it take them if they had admin access to your systems to copy all that data? Right? Even if you can shut them out, maybe it took them 30 seconds, and like it took 30 seconds just for you to get that email and read it, and they already have your data, so it's too late. Right. So I would rephrase the thought process to: how do you prevent these things from happening in the first place so that you don't have to worry about like, Oh my God, like what are we going to do if this happens? Cause that's a much harder problem. So I focus on the easy thing. So the easy thing is how do you keep people out of the admin panel of your systems that has access to everything. And just as a preface, I want to point out that I think a lot of my clients and a lot of people I talk to tend to think that attackers are going to try and go through your web application or your mobile application to try and hack your company. But that's a pretty limited approach. And I think threat actors in the space have already started to realize this. So the targets that they're choosing instead are developer machines or developer systems. So if you have Jenkins running all your CI/CD systems, your continuous integration, continuous deployment, that system probably has keys for all of your servers, it has keys for all your source code. It probably has read/write access to your database. It probably has admin level access to everything so that it isn't blocked. So that's a really ripe target. And usually when people set up
the systems, like they just set it up just to the point where it's working, but not necessarily secure. Right. And it's just like an admin. Yeah. Right. It's very common. And that's the thing. And that's kind of the reason, the realization I had when I started consulting, is that everybody has the same problems. Everybody's making the same mistakes. So there's a pattern that's pretty easy to solve for, and it's really just a matter of education. So that's kind of what I focus on. So getting back to the question of how do you prevent this from happening. There's a variety of ways. Like the easy one that I usually recommend is for anything that requires admin level access, I review who has access to it with my clients and say, do all of these people actually need admin level access on a day to day basis for their jobs? Often the answer's no. Right? There might be a couple people who day to day need admin level access to do their jobs in whatever that system happens to be. For everyone else, they can get a lower level admin privilege, or whatever it happens to be, or lower level permission. But like they don't need read/write access to literally everything. So that's the first thing I focus on, is who has access to this and this. So this model is called least privilege. So you're offering the least privilege to most people by default. So that one comes up a lot, right? And then the second thing is, for the people who have admin access, or any access at all, can you enable some type of multi-factor auth, like two factor auth using, you know, the Google Authenticator on your phone or like a YubiKey or some other kind of system, to make sure that even if your admin password was published on the internet, nobody could really do anything with it. There's something else preventing them from logging in. Just those two things, like limiting who has access to admin levels in systems, enabling multi-factor auth, get you most of the way there.
Like you're almost to the point where like it is a really hard target now to get into those systems. Now I could kind of fearmonger you and say like, well, you know, it's an admin panel system and like the person who's the admin is kind of sloppy and they set up SMS for their two factor auth instead of like a, you know, authentication app, and maybe their phone gets spoofed and now like it's possible it's compromised. There's all these weird ways to kind of work around these things, but it's a much higher bar than it was before, where maybe a laptop got stolen, right? Or like somebody just like looked over their shoulder and saw them log in, or, you know, maybe they like sniffed their cookie or something like that, and then now they have access to this system. So it raises the bar for that kind of thing just by putting these preventative measures in place. But to answer your question more directly, which was how do you know about these things after the fact? Normally, any types of systems that have admin panels, not always, but they will often offer some kind of like auditing system where, when any kind of administrator logs in, it will keep a separate log for all the actions of that person. So, like, who logged in, where did they log in from? Like in the world, what was their IP address? What actions did they perform? So if you are talking about like the AWS console or like the Google Cloud console, they usually offer this kind of system. I think Splunk does as well. So this gives you a couple of things. Like you've prevented the ability, or not the ability, but you've raised the bar for getting access to these admin systems, or you've made it much harder to get in, and you also have some kind of system in place to say like, for anybody that's in there, what are they doing?
Like do we have some kind of record for what actions have been performed so that we know that if somehow one of those logins were compromised, we have some record of what actually took place after that happened. So hopefully that helps to answer your question. That gives you a little bit more insight into like the kind of things I'd be looking for.

Amelia: [00:21:03] It kinda sounds like there is no incentive for actually monitoring the logs. Like you can only get bad news that you can't act on. So if I were a little bit more nefarious, I might just never look at them.

Eric: [00:21:16] That's a good point to bring up. I would say that it depends on the logs you're talking about. If we're talking about like the audit logs, where for any action that is contained within the audit logs we assume that it's somebody internal to our company, like somebody who should have access to this, except for the worst case where maybe somebody shouldn't have access, does have access, and like they're doing something weird. Right? So the audit logs are, they're definitely going to be reactive in that case. But if you think about logging more generally, like if you think about your server logs for your website, right? That actually can be a good leading indicator that an attack might be happening or somebody's probing your systems. So you can look for all kinds of interesting things in your logs. You can look at like the login page, like all the login URLs, and see like, is one IP address trying a bunch of different logins and failing? Are they trying one login and it's constantly failing, like they're trying to brute force somebody's password? So there's a lot of things you can do and get a signal that like an attack is happening, and understand what they're trying to attack in your systems, just by looking at the logs, without actually having been compromised.
So let's say, in that more general case, you're getting a leading indicator instead of a trailing indicator. So I think both of the things you said are true, but I think it depends on the system that you're talking about.

Nate: [00:22:32] Looking at the logs after an attack is sort of reactive. Taking more proactive steps of making sure that you review who has admin access and you review that everyone has two factor auth, that's more of like a proactive approach. Would that fall under the more general umbrella of threat modeling? We're looking at this and saying, okay, how could we get attacked? We could be attacked by one of our employees losing their credentials somehow, or leaking their credentials. What are some of the other things we might look at to have a process to prevent things before they happen?

Eric: [00:23:02] Oh, this is a great question and I'm glad that you brought up threat modeling. So threat modeling is an exercise, and by far one of the best values for getting the most information in the least amount of time that I do with my clients. So I want to try to explain threat modeling to help you wrap your head around it and like give you some examples of what it is and what it means. It'll help you to answer this question for yourself, and the way that you would sort of like think about the general problem, which is like, we have this system in place. What could possibly go wrong with it? Which is the shortest version of like what threat modeling is. So here's the most simple real world example of threat modeling, let's say, and this is something that people do on a day to day basis. So here's a simple example. Like you want to go out to lunch from work and meet up with a friend for lunch. Right now, there's a lot of considerations that your mind processes before you actually go out to lunch. Is it raining? Do I need to take an umbrella? Right?
The thing that could go wrong is like, am I going to get rained on? The preventative measures, like, do I need a rain jacket? Do I need an umbrella? Or another thing that comes up is like, you know, are there any dietary restrictions I have to keep in mind for myself or the person I'm going out to lunch with? If there are, like, how are we going to resolve that? Where are we going to choose to go to lunch? Do I have to be back at exactly one o'clock for a meeting with my boss and I can't be late? Like we can't go somewhere that's too far away. So it's really, this is this process by which you think about problems and think about all the different things that could possibly go wrong, and then come up with different ways of solving them so that you avoid as many of those problems as possible. Now, some of the risks are, you don't want to get caught in like analysis paralysis where you think like, Oh my God, whatever we're trying to do, there are so many things that could go wrong. Like maybe we should just not do it. My advice is to say like the approach you take is usually the one that has the most pros and the fewest cons, rather than no cons, cause you'll just never get anything done if you try and take that approach. For threat modeling as it applies to security and as it applies to software, let's think about something that's a little bit more practical than like going out to lunch. So let's say we have, I dunno, a basic software system. There's some kind of web application running in production. It has a database somewhere, and we want to say like, what could possibly go wrong with this? Like how could it be compromised or abused? So the approach for this exercise is you get a bunch of people who work at your company or work with you on this project in the same room together and you just have that conversation. Like I usually start with a different question though. I say like, what are the biggest risks for our company?
What could really just ruin us or like put us in a bad situation? And it might be, we've got a lot of really bad PR at this point. We would really struggle to recover from it because we'd lose a lot of customer trust. We'd end up on the front page of the New York Times with all this negative press, and like it would really hurt our brand and they'd go to our competitors instead. So that might be the worst case scenario. So like, how would an attacker compromise you in such a way that would make it a really bad PR campaign? Or it could be like, we have a lot of this really sensitive data in the database, like maybe it's personally identifiable information, PII, like people's credit card numbers, or it's their address along with their names and email addresses, all this stuff. Like we cannot allow this data to get leaked because like our customers, again, like they wouldn't trust us. It'd be a huge problem for our company going forward. And that's a hard problem to recover from. Like once that data's out on the internet, you can't unleak information. Like that's a hard one to recover from. So you really have to think about how you can prevent it in the first place. Similar to the problem of admin credentials, like after it's done, it's too late, right? You have to solve these problems before it's too late. So just to give you a third one, like maybe the worst case scenario for our company is financial, right? What would happen if these attackers got access to our bank accounts? Or, you know, maybe we deal in like Bitcoin. Like what if people like could somehow compromise our system and like steal everybody's money? So that would also be problematic. So there's all these different scenarios you could think about that would be worst case scenarios, or maybe like, not necessarily worst case, total disaster, but like hard to recover from problems. And then you think about like what ways would an attacker or a malicious actor
achieve that goal based on everything that we know about how our systems and our software work today. And sometimes this goes beyond, again, like as I said before, it isn't just your web application or just how your database works. It could be something much more sinister. Like maybe you have a bunch of laptops and people who work from home, work from cafes, like, you know, Starbucks, and a laptop gets stolen and that laptop belonged to a cofounder and the drive wasn't encrypted. Right? So now an attacker who stole this laptop, maybe they didn't know what they stole, but they find out and now they have access to the bank account information and login for your company's bank. Like it's a bad scenario. So how do you prevent that kind of thing from happening? Or maybe something else, like how would they get admin access to one of our systems? Can we prevent that in some way? So it's this way of sort of thinking about the problem and preventing it in advance. And then once you leave, you should have a list: Oh, here's all the things that an attacker could do. And it normally boils down into like a handful of very common things, like all these different threads of attacks have a few things in common, like, you know, we don't have two factor auth enabled on all these systems, or really too many people have access to it, or drives aren't encrypted, or whatever it happens to be. It's usually a handful of things that are common amongst all those attacks. And those are the things that you focus on fixing first, because if you fix one thing, that solves three possible attacks, right? So you're really like getting a great value for the time that you're spending and you're also focusing on the right problems instead of like the things that might happen. Maybe like it's a low likelihood and maybe low impact if they do happen.
Like that's not really where you want to spend your time. You want to focus on the things that are potentially big problems for your company and take the least amount of effort to achieve. So hopefully that helps to answer the question. I would say that the one other thing about threat modeling is, I can give you a recent example from the news where like this kind of went horribly wrong. So I think this was maybe last year. There is a company called Strava who does like fitness trackers. The way that Strava works is like people attach them, like a Fitbit, and they run around, and it maps out like everywhere they run. So then like the people who were running can see where they ran, what their route was, and then they can keep track of their miles, which is great. But the other thing that Strava did was it would publish on a public map everywhere that you were running, which, you know, privacy concerns start to bubble up with this, but people start having fun with it, right? They start drawing like the Nike swoosh with their running patterns, or they draw, you know, spaceships or Darth Vader or TIE fighters and all this stuff. People start to do this more and more, and like this feature gets really popular. But the other thing that happens is that the US military has soldiers who are using these fitness trackers while they're exercising, but they're doing it at secret bases around the world. And now you look at the Strava map and you have all these little hotspots that show up in the middle of Africa, or, you know, somewhere where there's nothing else. And there's this little tiny hotspot, and the effect is that Strava has just now leaked the specific locations of all these secret US military bases around the world. So huge problem, right? How did they not think about this in advance?
This ends up on the front page of the New York Times, you know, Strava leaks location of all these secret US military bases. If you're Garmin, a competitor of Strava who offers nearly the identical product and has the same problem, you might think like, we really dodged a bullet because we're not on the front page of the New York Times. But three days later, or whatever it happened to be, like they also were, because they had the exact same issue. It's kind of interesting to me that like they didn't immediately go, we need to fix this now, like delete this from the internet so that we're not also caught in the same place. But it just goes to show that, I don't know what the root cause was, that they both ended up having the exact same problem where they didn't think about what the consequences were of their actions. A more lighthearted example of threat modeling is the Boaty McBoatface example. So there is this like online voting system in the UK where they're going to name some military ship or whatever it happened to be, and the top voted ship name by far is Boaty McBoatface, right? And really like that's kind of an abuse of the platform. Those weren't the answers that they were hoping to get, but it's the answers that they got. What were the mitigations for preventing that? Like maybe the consequences weren't that great for Boaty McBoatface, but the consequences for leaking the secret locations of US military bases is pretty high by comparison. So you have to think of these abuse patterns in addition to how could we actually be hacked. Like Strava wasn't hacked. They like leaked this information out because like the system was working as designed, but it was a use case they hadn't thought about in advance, and it was like published on by default, I assume. So anyway, like those are just some simple examples of threat modeling and like the ways to think about these things from a larger perspective.
And I think the last thing I would say about threat modeling is it depends who you invite to this meeting where you conduct the threat modeling exercise. Because if I were to ask a database engineer, what's the worst thing that could happen to your company? A database engineer is going to tell you all about the worst things that can happen to their database. Cause like that's their world. So the best person to ask this question to is usually somebody in executive leadership, because they're going to have the best perspective on, like, what the company at a broader vision is doing, like what the real business risks are. They don't necessarily have to attend a meeting and hear all the nitty gritty details about how the database works or the web application works or two factor auth, but they should provide those initial answers to the question of like, what's the worst case scenario for our company? And then everyone else who's more technical can think about their own systems. Either it's, you know, managing all the laptops of the company, or the database engineer managing all the data storage systems, or the web application engineer running all the Node.js or Python code. Whatever happens, all those people should have one representative in the room to think about their own systems and how it can contribute to the threat modeling exercise.

Security in Today's Web

Amelia: [00:32:48] I feel like your examples have highlighted something about how the web itself has evolved over, I don't know, the past 30 years, where it used to be this scrappy connection of people in different parts of the world and we get to do weird things and it's all fun and lighthearted, and now it feels like we have to grow up because we can't just have fun anymore. People will use our fun. Yeah.

Eric: [00:33:14] That's a really interesting way to phrase that. Arguably, fun has always been profitable to some degree, but I think we're not quite as carefree as we once were.
It's certainly true that the old internet, as I remember it, like there were still plenty of problems, like security problems, but the ability to really like make widespread chaos on the old school internet was much harder. And like there's a lot of ways I could speculate, or reasons I can speculate, why that's true, or more true now than it used to be. So one is like the way that you phrased it, it was like a bunch of small little interconnected websites, right? Like maybe people were hosting on their own servers, and like when they turned their computer off at night, that website went down until like the next morning when they turned it back

Amelia: [00:33:55] on, the store is closed.

Yeah.

Eric: [00:33:57] The store is closed. Exactly like. And I've had that experience plenty of times, when I've seen that for a website I was looking at at 3:00 AM. But now if you think about it, because of the way the industry has grown and evolved, there's servers that run all the time and it's cheap. I mean, it's practically free to run a web service. And most of them, a lot of them, are consolidated on three major platforms: Azure, AWS and Google Cloud, and they're on all the time. And you know, if there happens to be a fundamental security flaw in Google Cloud or AWS or Azure, that affects almost everybody, right? And we've seen this come up a few times, I would say like in the last seven years. So, you know, when I worked to optimize the is when we had a number of industry-wide security vulnerabilities come to light. So Heartbleed was one of them. Shellshock was another, and if you were working at the time in the industry, you probably remember like it was all hands on deck. We had to patch all of our systems and like prevent this, because the fundamental problem in these cases was that some version of bash is insecure and you could compromise it remotely. And then the other one was, there was some kind of
underlying security vulnerability with OpenSSL, which is the library used by like every Linux server, which is most of the servers on the planet. And this is a huge problem. So everyone had to go out and like patch all servers at the exact same time. So for a couple of weeks during these periods of time, nobody was writing code. Everyone is trying to patch their systems to make sure that they weren't the ones that were hacked. And the other thing that has also happened is not just that the targets have sort of like shifted from being, well, I could compromise this computer, but it's like off from midnight until 5:00 AM, it's just one computer, right? But now it can compromise all these computers, right? So the targets are much bigger because connectivity has improved. The sharing of information has improved, which like by far has more positive effects than it has negative, like there's GitHub and all these ways to share code. But now like the things that can also be shared are, here's a tool called that allows you to just click on a button and like run some kind of crazy massive attack. Or here's the source code for the Mirai worm, which shut off most of the internet. And when was this, like 2015? I can't remember exactly. So they can share the nasty code, the dangerous code, as well as like the good code that, you know, people write day to day. And I think for the most part, people just want to do the right thing, but there's always going to be malicious actors out there. And it's certainly true that like now they have easier access to some of these tools and it's problematic. But the good news is that everyone's getting smarter about security.
They understand what the attacks are. As technology improves, like the attacks, the types of attacks, are going to also like mature and evolve with technology, but people are more wise to it now. As has always been true of history, we learn from the mistakes of our past, or at least we should, and hopefully like the technology we build tomorrow is better than the technology we built yesterday.

How much should a responsible Web Developer know about security?

Amelia: [00:36:51] I bet your experience of these attacks is a very different experience than the experience I as a software developer have. So when Heartbleed came out, I remember all I knew was it's a big deal. We're freaking out and everybody should be upset,

Eric: [00:37:08] and

Amelia: [00:37:09] maybe I can spend three hours reading up about it to try to understand. So as a software developer who doesn't work in security, how much should I know about security? What are some basic things that I should know, and how does that differ from, say, someone who isn't a software developer? Do they need to know anything?

Eric: [00:37:27] Oh, these are both excellent questions, and thanks for sharing your experience about Heartbleed. I just want to clarify that at that time I had a lot of different roles. When I worked to optimize the, security was just like one small portion of all of the things I had to focus my time on. And it was really like a group effort of everyone coming together at the company, all the engineers and IT professionals, to come together and sort of like make sure that we did the right thing and patched our systems, and like communicated to everyone that we patched things as quickly as we could, and to the best of our knowledge, like nothing was compromised. So I think we did everything we could in that situation. We worked as a team to kind of solve the problem. Just like you said, it was kind of pants on fire, like everybody knew, like, oh my God, this is everyone.
It isn't just like some companies, it's everyone, except for the few people out there who run Microsoft based servers. I'm sure they're laughing at us, but that's okay. We get to laugh at them the rest of the time, I would say. Yeah. So your question was, what should you think about as a software developer about security, on maybe a regular basis, or how do you learn more? Am I remembering correctly? Yeah.

Amelia: [00:38:26] How much do I need to know? Like how much should I feel responsible to understand?

Eric: [00:38:31] I would say that my general advice, which is less specific about security, is take in as much information as you're comfortable with. Like, you know, read some more diverse sources. Like I think it's common for engineers, especially those who are like just starting out, to really focus on how do I write better code. Like that's the one thing they kind of focus on is like, how do I write the best possible code? Like how can I learn all these interesting coding design patterns and like make my code run faster and like have fewer bugs. And I would say that the more diverse sources you can read, the better you'll be at your job on the whole. So here's some examples. Like try to understand the perspective of like the product and program managers at your company, or like the marketing departments. What does their job look like? Or the support team, what does their job look like? What kind of questions are they getting from your customers on the support team? How are they helping the customers? Like what does that system look like? How do they do their jobs? Do they have to provide technical support? At some companies I've worked at,
we were allowed to sit in on sales calls like with potential customers and just sit there and listen to the concerns, sometimes security concerns, but sometimes just like the product concerns from potential customers. We could also sit in on calls with customers, like existing customers, and hear about their problems. And it really helps to like understand your perspective, or a change of perspective to understand their perspective, about like, you know, what are the things that actually concern them, cause they're going to be different than what you assume they are. Which I think really helps. As far as security goes, like the same thing is true if you have the opportunity to participate in your company's security program, if they have one. I would say the right way for a company to run a security program is one that's inclusive instead of exclusive, which is to say that like you have office hours, you invite people to join and participate, instead of saying like security is our world, and like, we're trying to protect you, just stay back and let us do our jobs. Right? I vehemently disagree with that approach. I disagree with this exclusive approach where like they play the new sheriff in town, like they're trying to protect everybody and no one else can really play the game, because it has a number of problems. The main two that come to mind right now are, nobody likes to be told what to do. They like to understand what they're being asked to do, so they can comprehend like, okay, there is a good reason why I have to do this other work, instead of like Joe over there just going, you have to do this, whatever security thing it is now. Like that's annoying. Okay, I guess I'll do it, cause they wrote a new policy. And the other thing is that by being inclusive, it helps to spread like education and awareness about security.
So for example, if you worked at a company that had an inclusive, you know, anybody-contribute security program, you would probably have the opportunity to go in and maybe participate in the threat modeling exercise, and you'd have a better understanding for like, you know, what are the threats our company actually faces? Which might inform you later on if you're creating a new feature or a new product for that company. Oh, I know that if I, you know, create this web service, these are the kinds of threats that it might face, cause you've experienced that threat modeling exercise before. So I know that I can't use X, Y, and Z type of database. I don't know, just some random stupid example. So it's really just about like getting more information in your mind, and different perspectives in your mind, and all of this stuff will not necessarily be immediately useful. It'll just be one of those things like that later in your life it'll become apparent like, oh man, I'm so glad that like I participated in that, and I'm so glad I learned that thing, cause like now it actually makes sense and I finally get it. So I would say like I could point you to several different security related blogs and, you know, newsletters and Twitter accounts and all this stuff, but you're just going to get so inundated with all these like technical details and it's going to drag you down mentally. Cause a lot of them are just like aggregators for like, here's another company that got breached and here's how they got breached, and you're going to think that the world is falling apart. I would say that like that's not going to like bring up your spirits about security and like the state of the world. So instead I would focus on like the things that you can learn in your most local community, your local environment. So if your company doesn't have a security program, there might be a local OWASP chapter. So OWASP is like an open security organization. They're around the world.
Most cities have like some kind of local chapter. I know here in Portland, there's like monthly meetings you can go and attend. They usually have some kind of like guest speaker who will give a talk about some thing related to security. So I think engaging those types of communities can be really beneficial as well. You know, if you want to, the other thing you could do is just like attend a security conference. I wouldn't necessarily recommend starting with Black Hat or DEF CON in Las Vegas. Those are very intense and very, I would say, deeply technical and like culturally heavy. I would say that there's something a little bit more lightweight that'd be beneficial. Like if you went to a JavaScript conference and like somebody was talking about JavaScript security, attend that talk, see what you can learn. I think that would probably help you more on a day to day basis than going head first into like the deep rabbit hole of security.

Amelia: [00:43:14] Right. Don't start with the black diamond ski slope.

Eric: [00:43:18] Right? Exactly. Exactly. That's a great analogy. I don't ski, but I get the reference.

Amelia: [00:43:23] I also love your answer, because I realize that as a front end developer, I don't have to worry about what other people within my company know. Whereas within security, I feel like you have to worry about your coworkers, whether they open a malicious email, or the security could be attacked through people, which I think I would find terrifying.

Eric: [00:43:46] It's certainly true. So as far as like the nasty email example that you gave, that's such a great one. And like I've seen this firsthand, where emails were sent to a company I worked for that were spoofed, so it looked like a legitimate email from one of my coworkers. It looked like any other email that you would get if they were like sharing a Google doc with you, right?
It would say like, here's the name of the doc, whatever it happens to be, and there's a link in the email and you click on it, you open it. But the clever thing about it, there's two. Like the one is like spoofing their email addresses, which is not technically challenging. It's pretty trivial. There's a few things you can do to mitigate that. The clever bit was they make it look like a legitimate email, where like nobody would really be the wiser on a day to day basis. But you open it, you click on the link, and it takes you to a page that looks exactly like the modern Google login. So now if you type in your password, they have your password and they know your email address. So it's a pretty clever way to phish people, and they can get a whole bunch of logins and passwords relatively easily. And I think the other thing that they do that's kind of clever is they've gotten wise, they're not running from their home machines, like all these web servers and stuff they have to run, or these scripts that they use to target different companies or servers. They just run them on like compromised AWS accounts. So you can't blacklist like the IP addresses for AWS, because then all of your code shuts off. Right? So it's pretty clever, the way that they're kind of using the same systems that we use to write normal white hat code. As far as your concern about, you know, if you work in security, you have to worry about everyone, I think that's true. Like you're going to be worried a lot, but that's your job. Your job is to be the one worrying so that other people don't have to. But that's kind of the motivating factor. Like if it's keeping you awake at night, then that should lead you into action, and like to do something to make sure that that one thing can't happen. So you can spend your nights being awake worrying about something else, and maybe you can't control. Right.
And then you think, you know, if I can't control this thing, what can I do?

How Do We Think About Security and New Hardware?

Amelia: [00:45:43] So you mentioned this example before, which is smartwatches, which haven't been around for that long. How much do you have to keep up to date with new technology? Like we have Google Homes in our houses and there's smartwatches, and there's something new every year. How much do you worry about new devices that come out, or have to keep up to date with new tech?

Eric: [00:46:05] Maybe you have a Google Home in your house, but I don't have one in mine. Well, I guess there's a lot I could say on this, and I'll try and keep it more succinct. So at a philosophical level, the same problems always persist, and the security threats simply follow along and mature and evolve with the technological changes that we have. If you had a computer before and you didn't have an iPhone or, you know, a smart home, there is still the possibility that like your computer could be compromised remotely and the camera could be taken over, the microphone could be taken over, and that could lead to some kind of disastrous result. For you and I, the day to day, like that's not that big of a deal. Like if our computer gets compromised, like, okay, like what's really the worst case? If they see me, okay. I don't often sit naked in front of my computer, but even if I did, like nobody really is going to want anything to do with that. Let me give another example though. The risks are much higher in the federal government, in the Pentagon. They have a policy where if you go into a conference room, you cannot bring a cell phone. You cannot bring a laptop, you can't bring anything that has the ability to record information and has a battery in it, or transmit information and has a battery. Like that's the policy. What that means is
that if you want to give a presentation at the Pentagon, you have to print out all of the slides for your presentation on paper and then give a copy of that to every attendee that's in the meeting, and then at the end of the meeting, those all have to get shredded securely. I know this because I have a friend who works in the Pentagon. One day this person was like very concerned because they had to give a presentation the next day. I think it was like right after, right before the government shutdown, all of the printers at the Pentagon, which is the only place they were allowed to print off these classified documents, all the printers at the Pentagon were out of ink. So how do they give their presentation? Right? So it's weird problems that you take on for the sake of security, where for the sake of national security, you can't take any of these types of devices that we take for granted. Like, you know, if you told somebody in Silicon Valley that you had to print off a paper presentation, they couldn't bring their laptops and phones into a meeting, you would get fired. They would think you're crazy and like kick you out of the company probably, or just tell you that you're paranoid. So I used to live in DC and I worked in a similar environment to that, so for me, like having lived on both coasts, in both the DC area and then also in Silicon Valley, the differences are so stark. It's really crazy. But it also goes to show like the vast differences, or the vast levels of security, that people take on based on the level of risk. So I would say like that's the fundamental thing to keep in mind is what are the risks that you want to avoid if you're going to like enable internet of things devices in your home. I may not have a Google Home in my house, but I do have a Nest thermostat. And I know that the Nest thermostat doesn't have a microphone in it, and like, you know, could it be compromised remotely?
Probably. What are they going to do, make it too hot or cold in my house? Big deal. Right? But a Nest thermostat is so much better than like a non-Nest thermostat. They're like, why would I not have a Nest thermostat? They're so great. Just a couple of days ago, the Ring doorbell company, like it was published that there was like, these podcasts are so like taking over people's Ring doorbells in their house and like harassing people across the country with the Ring doorbells. Right. Which is crazy. So I don't have a Ring doorbell, because I know that their security is pretty low. And that's really the problem with the internet of things stuff, is that they want to make these things cheap, which means they have to compromise on something. And the one thing they usually compromise is the security of their product. And that's actually how the Mirai worm spread. They didn't pay for a bunch of servers that had really high bandwidth. They compromised a bunch of internet of things devices and used them like a swarm to take down like internet servers around the world, which is crazy. It was just like people's cameras and stuff in their houses. They use it as like a zombie to like send more traffic to things. Those are the kinds of things I think about. Like, you know, you could have those things, no big deal, but just be aware of what the risks are and whether or not you trust the company behind the device that you were just, right.

Amelia: [00:50:00] It seems like it's so a trade off between convenience and money and security.

Eric: [00:50:05] I'm glad that you said that. So at my first job back in 2001, I remember stating, and I don't know if I was just trying to be clever, but I said like security is inversely proportional to convenience, and I think that is still true today. But going back to the seatbelt example that I gave you earlier, it is, you could argue, inconvenient to get into a car and have to buckle your seatbelt. It's inconvenient to have a seatbelt on
if you want to like take off your jacket or put a jacket on, you're too hot or too cold. It's inconvenient to have a seatbelt on if you are in the back seat and you just like slide over, but it's a trade off between the level of security that it provides. It might be inconvenient. You might be a little cold or a little hot, or you can't slide across the car or whatever. But it's better than flying out of the windshield if you happen to get in an accident. Right. So it's constantly this trade off, like convenience versus security. I think it's still true. I would say that because technology is improving so much, they are lowering how inconvenient it is. So here's some good examples, or recent examples. Like I have an Android phone and it has a fingerprint reader on the back and it's great. I can unlock that thing in a split second and it just, boom, there it is. I don't have to type in a password or put in a code. And the same thing is true for like the newer iPhones, and like the new Pixel phones, is they have like face unlock. So you just look at the thing and it unlocks. Where, if you're James Bond and you are tied up on a chair somewhere and they want to like unlock your phone, they just point it at your face, and now, you know, if you're under arrest, like you can't prevent that from happening. But like, you know, most of us aren't James Bond. So I don't think that that is necessarily like the primary concern that you want to have, but it's the way that I would usually recommend thinking about these things.
The Dangers of Wireless Security and Serendipity

Amelia: [00:51:40] Your seatbelt example brings up the point of, I think about how dangerous it is to drive versus how dangerous it is to take a flight cross country, and driving is way more dangerous, but I still get really scared every time I take a long flight because it feels so much scarier. So I bet in the security world there are things that don't feel like big risks but are, and things that are big risks, but they feel like not a big deal when you think about them.

Eric: [00:52:08] Here are a couple things that come to mind. The first one is wifi. So wifi, wireless internet, is like something that's so prevalent now that we assume that when we go to the airport, there's going to be free wifi. We assume that when we go to a restaurant, there's going to be free wifi. We assume that when we go to work, there'll be wifi we can catch, so our phones have service. We assume that there's going to be wifi like everywhere we go, and when there isn't, it seems like a huge problem. Because there's free wifi everywhere, that means there's a network that you're connecting to. Who knows who else is on that network, right? When you go to the airport, who knows who else is on the network at the airport? Who knows if they're monitoring all the traffic that's going through their computer, who knows if they compromised the router at the airport. That's a bigger problem than I think people realize, like wifi security. Even though you have like your crazy long password on your router and you keep it up to date all the t
Today's episode features a conversation between Ari Paul, the cryptocurrency investor and co-founder of BlockTower Capital who also serves as its Chief Investment Officer, and Muneeb Ali, co-founder & CEO of Blockstack PBC. Ari and Muneeb cover a variety of crypto developments from both a Political Science and Distributed Systems Engineering perspective. They focus particularly on the issues of scaling networks like Ethereum, whether sharding is a holy grail or not, the challenges of digital asset custody, and more.

Show Notes

0:41 Muneeb: "How we met through Naval..."
2:33 There aren't many industries or asset classes where you can show up and be talking with the leaders almost immediately.
4:13 Muneeb: "What are you up to these days?"
7:10 Muneeb: "I'd love to get your Poli Sci perspective on a complex system being directly interacted with by users versus a very simple base layer being built on top of."
8:19 Ari: "One thing you see throughout time is some form of federalism."
10:31 Muneeb: "Imagine a mainframe computer for the entire world... it's not scalable by definition."
12:19 Muneeb: "Should you even be trying to attempt sharding at the blockchain layer?"
14:19 Muneeb: "Nodes would need near global information... which kind of kills the purpose of having shards in the first place."
16:52 Muneeb: "There's this notion - if you're interacting with the blockchain - that smart contracts are the only interface available."
19:04 Muneeb: "Imagine a word processor... what parts do you want to hit the blockchain layer?"
24:24 Ari on how development of solutions like sharding gets going.
26:50 Muneeb: "We recently got pulled into some of the Ethereum scalability research... and recently did this public review of Casper's CBC."
29:04 Ari: "It's very frustrating to me when I discover the religion in politics of crypto."
30:03 Muneeb: "Sometimes people will ask me 'How is your Gaia storage system different from FileCoin?'"
32:58 Ari: "Are you going to be integrating any Craig Wright innovations into Blockstack?"
35:34 Ari: "When you're playing poker, you want to play rational actors."
36:11 Ari: On custody and the value of vanishing.
37:07 Muneeb: "I do think [custody is] something that more and more people will start worrying about as our assets are in crypto currencies."
40:11 Ari: "Something that scares me in an existential sense: all tech is breakable."
42:30 Muneeb: "We really believe in the ability to exit."
45:32 Ari: "My concern is in the asymmetry."
47:57 Muneeb: "Look at SSL: maintained by one individual, then Heartbleed happened."
49:24 Ari: "I think it's wonderful we've had some Proof of Work attacks on the Ethereum Classic network... that's antifragile."
49:59 Ari: "The financial system doesn't worry about this because there's the fallback to legal."
50:57 Ari: "Andreas Antonopoulos would say Bitcoin is uncensorable because the network can block bad actors, but..."
51:28 Goodbyes.
51:52 Credits.
We try to answer what happens to an open source project after a developer's death, we tell you about the last bootstrapped tech company in Silicon Valley, we have an update to the NetBSD Thread sanitizer, and show how to use cabal on OpenBSD.

Headlines

Life after death, for code (https://www.wired.com/story/giving-open-source-projects-life-after-a-developers-death/)

You've probably never heard of the late Jim Weirich or his software. But you've almost certainly used apps built on his work. Weirich helped create several key tools for Ruby, the popular programming language used to write the code for sites like Hulu, Kickstarter, Twitter, and countless others. His code was open source, meaning that anyone could use it and modify it. "He was a seminal member of the western world's Ruby community," says Justin Searls, a Ruby developer and co-founder of the software company Test Double. When Weirich died in 2014, Searls noticed that no one was maintaining one of Weirich's software-testing tools. That meant there would be no one to approve changes if other developers submitted bug fixes, security patches, or other improvements. Any tests that relied on the tool would eventually fail, as the code became outdated and incompatible with newer tech. The incident highlights a growing concern in the open-source software community. What happens to code after programmers pass away? Much has been written about what happens to social-media accounts after users die. But it's been less of an issue among programmers. In part, that's because most companies and governments relied on commercial software maintained by teams of people. But today, more programs rely on obscure but crucial software like Weirich's. Some open-source projects are well known, such as the Linux operating system or Google's artificial-intelligence framework TensorFlow. But each of these projects depends on smaller libraries of open-source code.
And those libraries depend on other libraries. The result is a complex, but largely hidden, web of software dependencies. That can create big problems, as in 2014 when a security vulnerability known as "Heartbleed" was found in OpenSSL, an open-source program used by nearly every website that processes credit- or debit-card payments. The software comes bundled with most versions of Linux, but was maintained by a small team of volunteers who didn't have the time or resources to do extensive security audits. Shortly after the Heartbleed fiasco, a security issue was discovered in another common open-source application called Bash that left countless web servers and other devices vulnerable to attack. There are surely more undiscovered vulnerabilities. Libraries.io, a group that analyzes connections between software projects, has identified more than 2,400 open-source libraries that are used in at least 1,000 other programs but have received little attention from the open-source community. Security problems are only one part of the issue. If software libraries aren't kept up to date, they may stop working with newer software. That means an application that depends on an outdated library may not work after a user updates other software. When a developer dies or abandons a project, everyone who depends on that software can be affected. Last year when programmer Azer Koçulu deleted a tiny library called Leftpad from the internet, it created ripple effects that reportedly caused headaches at Facebook, Netflix, and elsewhere.

The Bus Factor

The fewer people with ownership of a piece of software, the greater the risk that it could be orphaned. Developers even have a morbid name for this: the bus factor, meaning the number of people who would have to be hit by a bus before there's no one left to maintain the project. Libraries.io has identified about 3,000 open-source libraries that are used in many other programs but have only a handful of contributors.
Orphaned projects are a risk of using open-source software, though commercial software makers can leave users in a similar bind when they stop supporting or updating older programs.

In some cases, motivated programmers adopt orphaned open-source code. That's what Searls did with one of Weirich's projects. Weirich's most-popular projects had co-managers by the time of his death. But Searls noticed one, the testing tool Rspec-Given, hadn't been handed off, and wanted to take responsibility for updating it. But he ran into a few snags along the way.

Rspec-Given's code was hosted on the popular code-hosting and collaboration site GitHub, home to 67 million codebases. Weirich's Rspec-Given page on GitHub was the main place for people to report bugs or to volunteer to help improve the code. But GitHub wouldn't give Searls control of the page, because Weirich had not named him before he died. So Searls had to create a new copy of the code, and host it elsewhere. He also had to convince the operators of Ruby Gems, a “package-management system” for distributing code, to use his version of Rspec-Given, instead of Weirich's, so that all users would have access to Searls' changes. GitHub declined to discuss its policies around transferring control of projects.

That solved potential problems related to Rspec-Given, but it opened Searls' eyes to the many things that could go wrong. “It's easy to see open source as a purely technical phenomenon,” Searls says. “But once something takes off and is depended on by hundreds of other people, it becomes a social phenomenon as well.”

The maintainers of most package-management systems have at least an ad-hoc process for transferring control over a library, but that process usually depends on someone noticing that a project has been orphaned and then volunteering to adopt it. "We don't have an official policy mostly because it hasn't come up all that often," says Evan Phoenix of the Ruby Gems project. "We do have an adviser council that is used to decide these types of things case by case."

Some package managers now monitor their libraries and flag widely used projects that haven't been updated in a long time. Neil Bowers, who helps maintain a package manager for the programming language Perl, says he sometimes seeks out volunteers to take over orphan projects. Bowers says his group vets claims that a project has been abandoned, and the people proposing to take it over.

A 'Dead-Man's Switch'

Taking over Rspec-Given inspired Searls, who was only 30 at the time, to make a will and a succession plan for his own open-source projects. There are other things developers can do to help future-proof their work. They can, for example, transfer the copyrights to a foundation, such as the Apache Foundation. But many open-source projects essentially start as hobbies, so programmers may not think to transfer ownership until it is too late.

Searls suggests that GitHub and package managers such as Gems could add something like a "dead man's switch" to their platform, which would allow programmers to automatically transfer ownership of a project or an account to someone else if the creator doesn't log in or make changes after a set period of time.

But a transition plan means more than just giving people access to the code. Michael Droettboom, who took over a popular mathematics library called Matplotlib after its creator John Hunter died in 2012, points out that successors also need to understand the code. "Sometimes there are parts of the code that only one person understands," he says. "The knowledge exists only in one person's head." That means getting people involved in a project earlier, ideally as soon as it is used by people other than the original developer. That has another advantage, Searls points out, in distributing the work of maintaining a project to help prevent developer burnout.
The Last Bootstrapped Tech Company In Silicon Valley (https://www.forbes.com/sites/forbestechcouncil/2017/12/12/the-last-bootstrapped-tech-company-in-silicon-valley/2/#4d53d50f1e4d)

My business partner, Matt Olander, and I were intimately familiar with the ups and downs of the Silicon Valley tech industry when we acquired the remnants of our then-employer BSDi's enterprise computer business in 2002 and assumed the roles of CEO and CTO. Fast-forward to today, and we still work in the same buildings where BSDi started in 1996, though you'd hardly recognize them today.

As the business grew from a startup to a global brand, our success came from always ensuring we ran a profitable business. While that may sound obvious, keep in mind that we are in the heart of Silicon Valley where venture capitalists hunt for the unicorn company that will skyrocket to a billion-dollar valuation. Unicorns like Facebook and Twitter unquestionably exist, but they are the exception.

Live By The VC, Die By The VC

After careful consideration, Matt and I decided to bootstrap our company rather than seek funding. The first dot-com bubble had recently burst, and we were seeing close friends lose their jobs right and left at VC-funded companies based on dubious business plans. While we did not have much cash on hand, we did have a customer base and treasured those customers as our greatest asset. We concluded that meeting their needs was the surest path to meeting ours, and the rest would simply be details to address individually. This strategy ended up working so well that we have many of the same customers to this day.

After deciding to bootstrap, we made a decision on a matter that has left egg on the face of many of our competitors: We seated sales next to support under one roof at our manufacturing facility in Silicon Valley. Dell's decision to outsource some of its support overseas in the early 2000s was the greatest gift it could have given us.
Some of our sales and support staff have worked with the same clients for over a decade, and we concluded that no amount of funding could buy that mutual loyalty. While accepting venture capital or an acquisition may make you rich, it does not guarantee that your customers, employees or even business will be taken care of. Our motto is, “Treat your customers like friends and employees like family,” and we have an incredibly low employee turnover to show for it.

Thanks to these principles, iXsystems has remained employee-owned, debt-free and profitable from the day we took it over -- all without VC funding, which is why we call ourselves the "last bootstrapped tech company in Silicon Valley." As a result, we now provide enterprise servers to thousands of customers, including top Fortune 500 companies, research and educational institutions, all branches of the military, and numerous government entities.

Over time, however, we realized that we were selling more and more third-party data storage systems with every order. We saw this as a new opportunity. We had partnered with several storage vendors to meet our customers' needs, but every time we did, we opened a can of worms with regard to supporting our customers to our standards. Given a choice of risking being dragged down by our partners or outmaneuvered by competitors with their own storage portfolios, we made a conscious decision to develop a line of storage products that would not only complement our enterprise servers but tightly integrate with them.

To accelerate this effort, we adopted the FreeNAS open-source software-defined storage project in 2009 and haven't looked back. The move enabled us to focus on storage, fully leveraging our experience with enterprise hardware and our open source heritage in equal measures. We saw many storage startups appear every quarter, struggling to establish their niche in a sea of competitors.
We wondered how they'd instantly master hardware to avoid the partnering mistakes that we made years ago, given that storage hardware and software are truly inseparable at the enterprise level. We entered the storage market with the required hardware expertise, capacity and, most importantly, revenue, allowing us to develop our storage line at our own pace.

Grow Up, But On Your Own Terms

By not having the external pressure from VCs or shareholders that your competitors have, you're free to set your own priorities and charge fair prices for your products. Our customers consistently tell us how refreshing our sales and marketing approaches are. We consider honesty, transparency and responsible marketing the only viable strategy when you're bootstrapped. Your reputation with your customers and vendors should mean everything to you, and we can honestly say that the loyalty we have developed is priceless.

So how can your startup venture down a similar path? Here's our advice for playing the long game:

- Relate your experiences to each fad: Our industry is a firehose of fads and buzzwords, and it can be difficult to distinguish the genuine trends from the flops. Analyze every new buzzword in terms of your own products, services and experiences, and monitor customer trends even more carefully. Some buzzwords will even formalize things you have been doing for years.
- Value personal relationships: Companies come and go, but you will maintain many clients and colleagues for decades, regardless of the hat they currently wear. Encourage relationship building at every level of your company because you may encounter someone again.
- Trust your instincts and your colleagues: No contractual terms or credit rating system can beat the instincts you will develop over time for judging the ability of individuals and companies to deliver. You know your business, employees and customers best.

Looking back, I don't think I'd change a thing.
We need to be in Silicon Valley for the prime customers, vendors and talent, and it's a point of pride that our customers recognize how different we are from the norm. Free of a venture capital “runway” and driven by these principles, we look forward to the next 20 years in this highly-competitive industry.

Creating an AS for fun and profit (http://blog.thelifeofkenneth.com/2017/11/creating-autonomous-system-for-fun-and.html)

At its core, the Internet is an interconnected fabric of separate networks. Each network which makes up the Internet is operated independently and only interconnects with other networks in clearly defined places.

For smaller networks like your home, the interaction between your network and the rest of the Internet is usually pretty simple: you buy an Internet service plan from an ISP (Internet Service Provider), they give you some kind of hand-off through something like a DSL or cable modem, and give you access to "the entire Internet". Your router (which is likely also a WiFi access point and Ethernet switch) then only needs to know about two things: your local computers and devices are on one side, and the ENTIRE Internet is on the other side of that network link given to you by your ISP.

For most people, that's the extent of what's needed to be understood about how the Internet works. Pick the best ISP, buy a connection from them, and attach computers needing access to the Internet. And that's fine, as long as you're happy with only having one Internet connection from one vendor, who will lend you some arbitrary IP address(es) for the extent of your service agreement, but that starts not being good enough when you don't want to be beholden to a single ISP or a single connection for your connectivity to the Internet. That also isn't good enough if you are an Internet Service Provider, so you are literally a part of the Internet. You can't assume that the entire Internet is that way when half of the Internet is actually in the other direction.
This is when you really have to start thinking about the Internet and treating the Internet as a very large mesh of independent connected organizations instead of an abstract cloud icon on the edge of your local network map. Which is pretty much never for most of us. Almost no one needs to consider the Internet at this level. The long flight of steps from DSL for your apartment up to needing to be an integral part of the Internet means that pretty much regardless of what level of Internet service you need for your projects, you can probably pay someone else to provide it and don't need to sit down and learn how BGP works and what an Autonomous System is.

But let's ignore that for one second, and talk about how to become your own ISP. To become your own Internet Service Provider with customers who pay you to access the Internet, or be your own web hosting provider with customers who pay you to be accessible from the Internet, or your own transit provider who has customers who pay you to move their customers' packets to other people's customers, you need a few things:

- Your own public IP address space allocated to you by an Internet numbering organization
- Your own Autonomous System Number (ASN) to identify your network as separate from everyone else's networks
- At least one router connected to a different autonomous system speaking the Border Gateway Protocol to tell the rest of the Internet that your address space is accessible from your autonomous system.

So... I recently set up my own autonomous system... and I don't really have a fantastic justification for it... My motivation was twofold:

One of my friends and I sat down and figured out that splitting the cost of a rack in Hurricane Electric's FMT2 data center marginally lowered our monthly hosting expenses vs all the paid services we're using scattered across the Internet, which can all be condensed into this one rack.
And this first reason on its own is a perfectly valid justification for paying for co-location space at a data center like Hurricane Electric's, but isn't actually a valid reason for running it as an autonomous system, because Hurricane Electric will gladly let you use their address space for your servers hosted in their building. That's usually part of the deal when you pay for space in a data center: power, cooling, Internet connectivity, and your own IP addresses.

Another one of my friends challenged me to do it as an Autonomous System. So admittedly, my justification for going through the additional trouble to set up this single rack of servers as an AS is a little more tenuous. I will readily admit that, more than anything else, this was a "hold my beer" sort of engineering moment, and not something that is at all needed to achieve what we actually needed (a rack to park all our servers in). But what the hell; I've figured out how to do it, so I figured it would make an entertaining blog post.

So here's how I set up a multi-homed autonomous system on a shoe-string budget:

- Step 1. Found a Company
- Step 2. Get Yourself Public Address Space
- Step 3. Find Yourself Multiple Other Autonomous Systems to Peer With
- Step 4. Apply for an Autonomous System Number
- Step 5. Source a Router Capable of Handling the Entire Internet Routing Table
- Step 6. Turn it All On and Pray

And we're off to the races. At this point, Hurricane Electric is feeding us all ~700k routes for the Internet, we're feeding them our two routes for our local IPv4 and IPv6 subnets, and all that's left to do is order all our cross-connects to other ASes in the building willing to peer with us (mostly for fun) and load in all our servers to build our own personal corner of the Internet.
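The part of step 6 that bites in practice is the export side of the BGP policy: the router receives the full table from the upstream, and unless the export filter towards each peer is restricted, it will happily re-announce all of it (the route leak the post goes on to describe). The following is an added example, not the author's router configuration or any BGP implementation; it models the customary Gao-Rexford style export rules in Python so the policy can be reasoned about and checked before a session is turned up. The ASN, prefixes, neighbour ASNs and RIB entries are constructed from private and documentation ranges and are assumptions.

```python
"""Model of BGP export policy for a small multi-homed AS.

Added example; not the blog author's configuration and not a BGP speaker.
Export rule: customers receive everything, but peers and upstreams receive
only prefixes we originate or learn from our own customers. Re-announcing a
transit-learned full table to a peer is the classic route leak.
"""
import ipaddress

MY_ASN = 65000  # constructed private-range ASN, not an allocation
# Constructed from documentation ranges (RFC 5737 / RFC 3849), not real space.
MY_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("2001:db8:100::/48")]

# Constructed RIB: (prefix, as_path, learned_from). "self" = originated here,
# "transit" = learned from the upstream (the full table), "peer" = learned from
# a settlement-free peer, "customer" = learned from a downstream customer.
RIB = [
    ("203.0.113.0/24", [MY_ASN], "self"),
    ("2001:db8:100::/48", [MY_ASN], "self"),
    ("198.51.100.0/24", [64496, 64511], "transit"),
    ("2001:db8:beef::/48", [64496, 64497], "transit"),
    ("192.0.2.0/24", [64500], "peer"),
    ("2001:db8:2::/48", [64501], "customer"),
]

# Which route sources may be exported to which neighbour type.
EXPORT_ALLOWED = {
    "customer": {"self", "customer", "peer", "transit"},  # customers get all
    "peer":     {"self", "customer"},                     # peers: our cone only
    "transit":  {"self", "customer"},                     # upstreams: cone only
}


def originates_valid(prefix, as_path):
    """A locally originated route must lie inside address space we hold."""
    net = ipaddress.ip_network(prefix)
    return as_path == [MY_ASN] and any(
        net.version == own.version and net.subnet_of(own) for own in MY_PREFIXES)


def export_routes(rib, neighbour_type, local_asn=MY_ASN):
    """Return the (prefix, as_path) list the policy allows to this neighbour."""
    allowed_sources = EXPORT_ALLOWED[neighbour_type]
    out = []
    for prefix, as_path, learned_from in rib:
        if learned_from not in allowed_sources:
            continue
        if learned_from == "self":
            if not originates_valid(prefix, as_path):
                continue  # never announce space we do not actually hold
            out.append((prefix, as_path))
        else:
            out.append((prefix, [local_asn] + as_path))  # prepend our ASN
    return out


def leaked_routes(exported, rib, neighbour_type):
    """Prefixes in `exported` that the policy forbids for this neighbour type."""
    source_of = {prefix: learned_from for prefix, _, learned_from in rib}
    allowed = EXPORT_ALLOWED[neighbour_type]
    return [p for p, _ in exported if source_of.get(p) not in allowed]


if __name__ == "__main__":
    # The mistake from the post: exporting the whole RIB to a peer.
    everything = [(p, path) for p, path, _ in RIB]
    print("leaked to peer:", leaked_routes(everything, RIB, "peer"))
    print("correct peer export:", export_routes(RIB, "peer"))
```

Running the check against "export everything" shows exactly which prefixes would have leaked; on a real router the same intent is expressed as an outbound prefix-list or community-based filter per neighbour, and the default export policy should be deny.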
The only major goof so far has been accidentally feeding the full IPv6 table to our first other peer that we turned on, but thankfully he has a much more powerful supervisor than the Sup720-BXL, so he just sent me an email to knock that off; a little fiddling with my BGP egress policies, and we were all set.

In the end, setting up my own autonomous system wasn't exactly simple, it was definitely not justified, but sometimes in life you just need to take the more difficult path. And there's a certain amount of pride in being able to claim that I'm part of the actual Internet. That's pretty neat.

And of course, thanks to all of my friends who variously contributed parts, pieces, resources, and know-how to this on-going project. I had to pull in a lot of favors to pull this off, and I appreciate it.

News Roundup

One year checkpoint and Thread Sanitizer update (https://blog.netbsd.org/tnf/entry/one_year_checkpoint_and_thread)

The past year started with bugfixes and the development of regression tests for ptrace(2) and related kernel features, as well as the continuation of bringing LLDB support and LLVM sanitizers (ASan + UBsan and partial TSan + MSan) to NetBSD. My plan for the next year is to finish implementing TSan and MSan support, followed by a long run of bug fixes for LLDB, ptrace(2), and other related kernel subsystems.

TSan

In the past month, I've developed Thread Sanitizer far enough to have a subset of its tests pass on NetBSD, starting with addressing breakage related to the memory layout of processes. The reason for this breakage was narrowed down to the current implementation of ASLR, which was too aggressive and which didn't allow enough space to be mapped for Shadow memory. The fix for this was to either force the disabling of ASLR per-process, or globally on the system. The same will certainly happen for MSan executables. After some other corrections, I got TSan to work for the first time ever on October 14th.
This was a big achievement, so I've made a snapshot available. Getting the snapshot of execution under GDB was pure hazard.

```
$ gdb ./a.out
GNU gdb (GDB) 7.12
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64--netbsd".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./a.out...done.
(gdb) r
Starting program: /public/llvm-build/a.out
[New LWP 2]
WARNING: ThreadSanitizer: data race (pid=1621)
  Write of size 4 at 0x000001475d70 by thread T1:
    #0 Thread1 /public/llvm-build/tsan.c:4:10 (a.out+0x46bf71)

  Previous write of size 4 at 0x000001475d70 by main thread:
    #0 main /public/llvm-build/tsan.c:10:10 (a.out+0x46bfe6)

  Location is global 'Global' of size 4 at 0x000001475d70 (a.out+0x000001475d70)

  Thread T1 (tid=2, running) created by main thread at:
    #0 pthread_create /public/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:930:3 (a.out+0x412120)
    #1 main /public/llvm-build/tsan.c:9:3 (a.out+0x46bfd1)

SUMMARY: ThreadSanitizer: data race /public/llvm-build/tsan.c:4:10 in Thread1

Thread 2 received signal SIGSEGV, Segmentation fault.
```

I was able to get the above execution results around 10% of the time (being under a tracer had no positive effect on the frequency of successful executions).
I've managed to hit the following final results for this month, with another set of bugfixes and improvements:

```
check-tsan:
  Expected Passes    : 248
  Expected Failures  : 1
  Unsupported Tests  : 83
  Unexpected Failures: 44
```

At the end of the month, TSan can now reliably execute the same (already-working) program every time. The majority of failures are in tests verifying sanitization of correct mutex locking usage. There are still problems with NetBSD-specific libc and libpthread bootstrap code that conflicts with TSan. Certain functions (pthread_create(3), pthread_key_create(3), __cxa_atexit()) cannot be started early by TSan initialization, and must be deferred late enough for the sanitizer to work correctly.

MSan

I've prepared scratch support for MSan on NetBSD to help in researching how far along it is. I've also cloned and adapted the existing FreeBSD bits; however, the code still needs more work and isn't functional yet. The number of passed tests (5) is negligible and most likely does not work at all. The conclusion after this research is that TSan shall be finished first, as it touches similar code. In the future, there will likely be another round of iterating the system structs and types and adding the missing ones for NetBSD. So far, this part has been done before executing the real MSan code. I've added one missing symbol that was missing and was detected when attempting to link a test program with MSan.

Sanitizers

The GCC team has merged the LLVM sanitizer code, which has resulted in almost-complete support for ASan and UBsan on NetBSD. It can be found in the latest GCC8 snapshot, located in pkgsrc-wip/gcc8snapshot. Though, do note that there is an issue with getting backtraces from libasan.so, which can be worked around by backtracing ASan events in a debugger. UBsan also passes all GCC regression tests and appears to work fine.
The code enabling sanitizers on the GCC/NetBSD frontend will be submitted upstream once the backtracing issue is fixed and I'm satisfied that there are no other problems. I've managed to upstream a large portion of generic+TSan+MSan code to compiler-rt and reduce local patches to only the ones that are in progress. This deals with any rebasing issues, and allows me to just focus on the delta that is being worked on. I've tried out the LLDB builds which have TSan/NetBSD enabled, and they built and started fine. However, there were some false positives related to the mutex locking/unlocking code.

Plans for the next milestone

The general goals are to finish TSan and MSan and switch back to LLDB debugging. I plan to verify the impact of the TSan bootstrap initialization on the observed crashes and research the remaining failures.

This work was sponsored by The NetBSD Foundation. The NetBSD Foundation is a non-profit organization and welcomes any donations to help us continue funding projects and services to the open-source community. Please consider visiting the following URL, and chip in what you can:

The scourge of systemd (https://blog.ungleich.ch/en-us/cms/blog/2017/12/10/the-importance-of-devuan/)

While this article is actually couched in terms of promoting Devuan, a de-systemd-ed version of Debian, it would seem the same logic could be applied to all of the BSDs.

Let's say every car manufacturer recently discovered a new technology named "doord", which lets you open up car doors much faster than before. It only takes 0.05 seconds, instead of 1.2 seconds on average. So every time you open a door, you are much, much faster! Many of the manufacturers decide to implement doord, because the company providing doord makes it clear that it is beneficial for everyone. And in addition to opening doors faster, it also standardises things. How to turn on your car? It is the same now everywhere; it is no longer necessary to look for the keyhole.
Unfortunately though, sometimes doord does not stop the engine. Or if it is cold outside, it stops the ignition process, because it takes too long. Doord also changes the way your navigation system works, because that is totally related to opening doors, but leads to some users being unable to navigate, which is accepted as collateral damage. In the end, you at least have faster door opening and a standard way to turn on the car. Oh, and if you are in a traffic jam and have to restart the engine often, it will stop restarting it after several times, because that's not what you are supposed to do. You can open the engine hood and tune that setting though, but it will be reset once you buy a new car.

Some of you might now ask yourselves "Is systemd THAT bad?". And my answer to it is: No. It is even worse. Systemd developers split the community over a tiny detail that decreases stability significantly and increases complexity for not much real value. And this is not theoretical: We tried to build Data Center Light on Debian and Ubuntu, but servers that don't boot, that don't reboot or systemd-resolved that constantly interferes with our core network configuration made it too expensive to run Debian or Ubuntu. Yes, you read right: too expensive. While I am writing here in flowery words, the reason to use Devuan is hard calculated costs. We are a small team at ungleich and we simply don't have the time to fix problems caused by systemd on a daily basis. This is even without calculating the security risks that come with systemd.

Using cabal on OpenBSD (https://deftly.net/posts/2017-10-12-using-cabal-on-openbsd.html)

Since W^X became mandatory in OpenBSD (https://undeadly.org/cgi?action=article&sid=20160527203200), W^X'd binaries are only allowed to be executed from designated locations (mount points). If you used the auto partition layout during install, your /usr/local/ will be mounted with wxallowed.
For example, here is the entry for my current machine:

```
/dev/sd2g on /usr/local type ffs (local, nodev, wxallowed, softdep)
```

This is a great feature, but if you build applications outside of the wxallowed partition, you are going to run into some issues, especially in the case of cabal (python as well). Here is an example of what you would see when attempting to do cabal install pandoc:

```
qbit@slip[1]:~? cabal update
Config file path source is default config file.
Config file /home/qbit/.cabal/config not found.
Writing default configuration to /home/qbit/.cabal/config
Downloading the latest package list from hackage.haskell.org
qbit@slip[0]:~? cabal install pandoc
Resolving dependencies...
.....
cabal: user error (Error: some packages failed to install:
JuicyPixels-3.2.8.3 failed during the configure step. The exception was:
/home/qbit/.cabal/setup-exe-cache/setup-Simple-Cabal-1.22.5.0-x86_64-openbsd-ghc-7.10.3: runProcess: runInteractiveProcess: exec: permission denied (Permission denied)
```

The error isn't actually what it says. The untrained eye would assume a permissions issue. A quick check of dmesg reveals what is really happening:

```
/home/qbit/.cabal/setup-exe-cache/setup-Simple-Cabal-1.22.5.0-x86_64-openbsd-ghc-7.10.3(22924): W^X binary outside wxallowed mountpoint
```

OpenBSD is killing the above binary because it is violating W^X and hasn't been safely kept in its /usr/local corral! We could solve this problem quickly by marking our /home as wxallowed, however, this would be heavy handed and reckless (we don't want to allow other potentially unsafe binaries to execute.. just the cabal stuff). Instead, we will build all our cabal stuff in /usr/local by using a symlink!

```
doas mkdir -p /usr/local/{cabal,cabal/build} # make our cabal and build dirs
doas chown -R user:wheel /usr/local/cabal    # set perms
rm -rf ~/.cabal                              # kill the old non-working cabal
ln -s /usr/local/cabal ~/.cabal              # link it!
```

We are almost there!
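Before loosening W^X on a whole filesystem, it helps to be able to answer two questions mechanically: which mount actually holds a given build directory (and whether it is wxallowed), and which processes the kernel has already refused for this reason. This added example (not from the original post) parses the mount(8) line format shown above and the kernel message quoted from dmesg, using longest-prefix matching on mount points; the mount table and the dmesg excerpt are constructed samples.

```python
"""Check whether a path sits on a wxallowed mount, and find W^X kills in dmesg.

Added example, not from the original post. It parses the mount(8) line format
the post shows ("/dev/sd2g on /usr/local type ffs (local, nodev, wxallowed,
softdep)") and the kernel message format it quotes. All sample lines below are
constructed, not captured from a real machine.
"""
import posixpath
import re

# Constructed mount(8) output in the OpenBSD format shown in the post.
SAMPLE_MOUNTS = """\
/dev/sd2a on / type ffs (local)
/dev/sd2d on /tmp type ffs (local, nodev, nosuid)
/dev/sd2e on /var type ffs (local, nodev, nosuid)
/dev/sd2f on /usr type ffs (local, nodev)
/dev/sd2g on /usr/local type ffs (local, nodev, wxallowed, softdep)
/dev/sd2h on /home type ffs (local, nodev, nosuid)
"""

# Constructed dmesg excerpt containing the kernel's W^X enforcement message.
SAMPLE_DMESG = """\
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
/home/qbit/.cabal/setup-exe-cache/setup-Simple-Cabal-1.22.5.0-x86_64-openbsd-ghc-7.10.3(22924): W^X binary outside wxallowed mountpoint
/home/qbit/build/foo(22999): W^X binary outside wxallowed mountpoint
"""

MOUNT_RE = re.compile(
    r"^(?P<dev>\S+) on (?P<mp>\S+) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$")
WX_KILL_RE = re.compile(
    r"^(?P<path>.+?)\((?P<pid>\d+)\): W\^X binary outside wxallowed mountpoint$")


def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) from mount(8) output."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            opts = {o.strip() for o in m.group("opts").split(",") if o.strip()}
            mounts.append((m.group("mp"), opts))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the (mountpoint, options) that actually holds `path`."""
    path = posixpath.normpath(path)
    best = None
    for mp, opts in mounts:
        prefix = mp.rstrip("/") + "/"          # "/" stays "/", "/usr" -> "/usr/"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def wxallowed(path, mounts):
    """True if `path` is on a mount that permits W^X binaries to run."""
    found = mount_for(path, mounts)
    return found is not None and "wxallowed" in found[1]


def wx_kills(dmesg_text):
    """(path, pid) for every binary the kernel refused to run for W^X reasons."""
    hits = []
    for line in dmesg_text.splitlines():
        m = WX_KILL_RE.match(line)
        if m:
            hits.append((m.group("path"), int(m.group("pid"))))
    return hits


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for candidate in ("/home/qbit/.cabal", "/usr/local/cabal/build"):
        print(candidate, "->", mount_for(candidate, mounts)[0],
              "wxallowed" if wxallowed(candidate, mounts) else "NOT wxallowed")
    for path, pid in wx_kills(SAMPLE_DMESG):
        print(f"killed pid {pid}: {path} (on {mount_for(path, mounts)[0]})")
```

On a real system the inputs come from `mount` and `dmesg` directly; the point of the check is that the fix should be scoped to the one directory that needs it rather than to a whole home filesystem, which is what the symlink approach above achieves.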
Some cabal packages build outside of ~/.cabal:

```
cabal install hakyll
.....
Building foundation-0.0.14...
Preprocessing library foundation-0.0.14...
hsc2hs: dist/build/Foundation/System/Bindings/Posix_hsc_make: runProcess: runInteractiveProcess: exec: permission denied (Permission denied)
Downloading time-locale-compat-0.1.1.3...
.....
```

Fortunately, all of the packages I have come across that do this respect the TMPDIR environment variable!

```
alias cabal='env TMPDIR=/usr/local/cabal/build/ cabal'
```

With this alias, you should be able to cabal without issue (so far pandoc, shellcheck and hakyll have all built fine)!

TL;DR

```
# This assumes /usr/local/ is mounted as wxallowed.
#
doas mkdir -p /usr/local/{cabal,cabal/build}
doas chown -R user:wheel /usr/local/cabal
rm -rf ~/.cabal
ln -s /usr/local/cabal ~/.cabal
alias cabal='env TMPDIR=/usr/local/cabal/build/ cabal'
cabal install pandoc
```

FreeBSD and APRS, or "hm what happens when none of this is well documented.." (https://adrianchadd.blogspot.co.uk/2017/10/freebsd-and-aprs-or-hm-what-happens.html)

Here's another point along my quest for amateur radio on FreeBSD - bring up basic APRS support. Yes, someone else has done the work, but in the normal open source way it was .. inconsistently documented.

First is figuring out the hardware platform. I chose the following:

- A Baofeng UV5R2, since they're cheap, plentiful, and do both VHF and UHF;
- A cable to do sound level conversion and isolation (and yes, I really should post a circuit diagram and picture..);
- A USB sound device, primarily so I can whack it into FreeBSD/Linux devices to get a separate sound card for doing radio work;
- FreeBSD laptop (it'll become a raspberry pi + GPS + sensor + LCD thingy later, but this'll do to start with.)

The Baofeng is easy - set it to the right frequency (VHF APRS sits on 144.390MHz), turn on VOX so I don't have to make up a PTT cable, done/done.
The PTT bit isn't that hard - one of the microphone jack pins is actually PTT (if you ground it, it engages PTT) so when you make the cable just ensure you expose a ground pin and PTT pin so you can upgrade it later.

The cable itself isn't that hard either - I had a baofeng handmic lying around (they're like $5) so I pulled it apart for the cable. I'll try to remember to take pictures of that. Here's a picture I found on the internet that shows the pinout: image (https://3.bp.blogspot.com/-58HUyt-9SUw/Wdz6uMauWlI/AAAAAAAAVz8/e7OrnRzN3908UYGUIRI1EBYJ5UcnO0qRgCLcBGAs/s1600/aprs-cable.png)

Now, I went a bit further. I bought a bunch of 600 ohm isolation transformers for audio work, so I wired it up as follows:

- From the audio output of the USB sound card, I wired up a little attenuator - input is 2k to ground, then 10k to the input side of the transformer; then the output side of the transformer has a 0.01uF greencap capacitor to the microphone input of the baofeng;
- From the baofeng I just wired it up to the transformer, then the output side of that went into a 0.01uF greencap capacitor in series to the microphone input of the sound card.

In both instances those capacitors are there as DC blockers.

Ok, so that bit is easy. Then on to the software side. The normal way people do this stuff is "direwolf" on Linux. So, "pkg install direwolf" installed it. That was easy. Configuring it up was a bit less easy. I found this guide to be helpful (https://andrewmemory.wordpress.com/tag/direwolf/)

FreeBSD has the example direwolf config in /usr/local/share/doc/direwolf/examples/direwolf.conf . Now, direwolf will run as a normal user (there's no rc.d script for it yet!) and by default runs out of the current directory. So:

```
$ cd ~
$ cp /usr/local/share/doc/direwolf/examples/direwolf.conf .
$ (edit it)
$ direwolf
```

Editing it isn't that hard - you need to change your callsign and the audio device.
OK, here is the main undocumented bit for FreeBSD - the sound device can just be /dev/dsp . It isn't an ALSA name! Don't waste time trying to use ALSA names. Instead, just find the device you want and reference it. For me the USB sound card shows up as /dev/dsp3 (which is very non specific as USB sound devices come and go, but that's a later problem!) but it's enough to bring it up.

So yes, following the above guide, using the right sound device name resulted in a working APRS modem.

Next up - something to talk to it. This is called 'xastir'. It's .. well, when you run it, you'll find exactly how old an X application it is. It's very nostalgically old. But, it is enough to get APRS positioning up and test both the TCP/IP side of APRS and the actual radio side. Here's the guide I followed: (https://andrewmemory.wordpress.com/2015/03/22/setting-up-direwolfxastir-on-a-raspberry-pi/)

So, that was it! So far so good. It actually works well enough to decode and watch APRS traffic around me. I managed to get out position information to the APRS network over both TCP/IP and relayed via VHF radio.

Beastie Bits

- Zebras All the Way Down - Bryan Cantrill (https://www.youtube.com/watch?v=fE2KDzZaxvE)
- Your impact on FreeBSD (https://www.freebsdfoundation.org/blog/your-impact-on-freebsd/)
- The Secret to a good Gui (https://bsdmag.org/secret-good-gui/)
- containerd hits v1.0.0 (https://github.com/containerd/containerd/releases/tag/v1.0.0)
- FreeBSD 11.1 Custom Kernels Made Easy - Configuring And Installing A Custom Kernel (https://www.youtube.com/watch?v=lzdg_2bUh9Y&t=)
- Debugging (https://pbs.twimg.com/media/DQgCNq6UEAEqa1W.jpg:large)

***

Feedback/Questions

- Bostjan - Backup Tapes (http://dpaste.com/22ZVJ12#wrap)
- Philipp - A long time ago, there was a script (http://dpaste.com/13E8RGR#wrap)
- Adam - ZFS Pool Monitoring (http://dpaste.com/3BQXXPM#wrap)
- Damian - KnoxBug (http://dpaste.com/0ZZVM4R#wrap)

***
This week on the show, we have all the latest news and stories! Plus we'll be hearing more about OpnSense from the man himself, Ike!

This episode was brought to you by

Headlines

Regarding Embargoes (http://www.tedunangst.com/flak/post/regarding-embargoes)

- Our buddy TedU has a great thought piece today on the idea of “embargoes” for security advisories.
- This all stemmed from a recent incident with LibreSSL patches for embargoed OpenSSL vulns that accidentally got committed too early.
- Ted makes a pretty good case about the difficulties of having embargoes, and maybe why there shouldn't be any. A couple of quotes to give you a taste:

“There are several difficulties maintaining embargoes. Keeping secrets is against human nature. I don't want to be the one who leaks, but if I see something that looks like the secret is out, it's a relief to be able to speak freely. There is a bias towards recognizing such signs where they may not really exist. (Exacerbated by broad embargoes where some parts leak but other parts don't. It's actually very hard to tell what's not publicly known when you know everything.) The most thorough embargo and release timeline reconstruction is the heartbleed timeline. It's another great case study. Who exactly decided who were the haves and have nots? Was it determined by who needed to know or who you needed to know? Eventually the dam started to crack.”

“When Cloudflare brags that they get advance notice of vulnerabilities, attracting more customers, and therefore requiring even more early access, how are smaller players to compete? What happens if you're not big enough to prenotify? Sometimes vulnerabilities are announced unplanned. Zero day cyber missiles are part of our reality, which means end users don't really have the luxury of only patching on Tuesday. They need to apply patches when they appear. If applying patches at inconvenient times is a problem, make it not a problem.
Not really a gripe about embargoes per se, but the scheduled timing of coordinated release at the end of the embargo is catering to a problem that shouldn't exist.” I will admit that CloudFlare bragging around Heartbleed was upsetting The biggest issue here is the difficulty with coordinating so many open source projects, which are often done by volunteers, in different countries and time zones The other issue is determining when the secret is “out of the bag” *** MAJOR ABI BREAK: csu, ld.so, libc, libpthread update (http://www.openbsd.org/faq/current.html#r20160507) OpenBSD warns those following the -current (development) branch to be careful as they upgrade because of a major ABI break that will result in applications not working “Handling of single-threaded programs is now closer to multi-threaded, with ld.so and libc.a doing thread information base (TIB) allocation. Threaded programs from before the 2016/03/19 csu and ld.so update will no longer run. An updated ld.so must be built and installed before running make build.” A special note for those on PowerPC: “PowerPC has been updated to offset the TIB from the hardware register. As a result, all threaded programs are broken until they have been rebuilt with the new libc and libpthread. perl must be built after building the libraries and before building the rest of base.” “The definitions of environ and __progname for dynamically linked programs have been moved from the C startup code to ld.so(1). 
An updated ld.so must be built and installed before running make build.” The link provides instructions on how to update your system properly *** How to install FreeBSD 10.3 on VMWare Workstation 12 Pro (http://random-notes-of-a-sysadmin.blogspot.be/2016/04/howto-install-freebsd-103-on-vmware.html) This tutorial starts at the very basics, running through the FreeBSD installer But then it goes on to configuring the machine specifically for VMWare After the system has been booted, the tutorial walks through installing the VMWare tools Then networking is configured in both VMWare and FreeBSD A small hack is required to make the VMWare tools startup script wait until the network is up A very nice tutorial for people using VMWare I am working on a patch to bsdinstall to ensure that the swap partition is put before the main partition, so it can more easily be resized if you later decide you need more space in your VM the camcontrol reprobe subcommand has been added (https://svnweb.freebsd.org/base?view=revision&revision=299371), “This makes it possible to manually force updating capacity data after the disk got resized. Without it it might be necessary to reboot before FreeBSD notices updated disk size under eg VMWare.” *** BSD Router project releases v1.59 (https://sourceforge.net/projects/bsdrp/files/BSD_Router_Project/1.59/) We've talked about the BSD Router project a bit in the past, but today we have a brand new release to bring to you. For those who don't remember, the BSDrp is a router aimed at replacing more of your big-commercial type systems. First up in the new hotness, we have it based upon recently released FreeBSD 10.3! 
In addition, there is a new package: New package: mlvpn (aggregated network links in order to benefit from the bandwidth of multiple links) Other packages have gotten a bump with this release as well: bsnmp-ucd to 0.4.2 dma to 0.11 dmidecode to 3.0 exabgp to 3.4.15 iperf3 to 3.1.2 monit to 5.17 mpd5 to 5.8 openvpn to 2.3.10 python to 2.7.11 quagga to 1.0.20160315 strongswan to 5.4.0 What are you waiting for? Amd64 and i386 images are ready for you to download now. Interview - Isaac (.Ike) Levy - See Ike again at SEMIBug in Troy, Michigan on May 17th (http://semibug.org/) *** News Roundup Tredly - Prebuilt containers on FreeBSD (https://github.com/tredly/) Discussion regarding its GPLv3 licensing (https://www.reddit.com/r/freebsd/comments/4gggw8/introducing_tredly_containers_for_unix_freebsd/) A new “container” solution called “Trendly” has started making some news around various tech sites. In particular, this new project uses FreeBSD as its base OS and jail functionality in the backend. Their solution seems based around the idea of shipping containers as manifests, such as lists of packages to install and configuration knobs. The project is still rather new, and we'll be keeping an eye on it for the future. One notable change already though, it was (for some reason) released under GPLv3. Understandably this caused quite a ruckus with various folks in the community, since it's built specifically on BSD. Since this, the code has been re-licensed as MIT, which is far more in the spirit of a traditional BSD license. 
*** NVMe driver added to NetBSD - ported from OpenBSD (https://www.netbsd.org/changes/changes-8.0.html#nvme%284%29) NetBSD has gained support for Non-Volatile Memory Express, the new standard for PCIe attached Flash Memory The change of interface from SATA to NVMe offers a number of advantages, mostly, it doesn't require the device to pretend to be a spinning disk One of the biggest advantages is that it supports completing multiple operations at once, with the Intel hardware I have tested, 63 I/Os can happen concurrently, so a very large queue depth is required to keep the device busy. The 64th I/O channel is reserved for administrative commands, to keep them from being delayed by the large queue depth The device I tested could read at 3800 MB/s, and write 1700MB/s, something that wouldn't be possible with a normal SSD It is interesting that NetBSD took the NVMe support from OpenBSD, whereas the FreeBSD implementation was contributed directly by Intel This may have to do with that fact that OpenBSD's device model is closer to that of NetBSD Commit Log (http://mail-index.netbsd.org/source-changes/2016/05/01/msg074367.html) *** New BSDNow T-Shirts (https://teespring.com/bsdnow) By popular demand, we have created a more subtle BSDNow shirt Featuring only the smallish BSDNow logo over the left breast Available in a number of styles (T-Shirt, Women's T-Shirt, Long Sleeve, and Hoodie) as well as a number of colours: Black, Blue, Grey, and White The hope is that enough orders come though so we can get them shipped in and your sweaty little hands in time for BSDCan. (I'll be wearing mine, will you B...SD?) 
If you still want one of our now-famous “The Usual BSD's” t-shirts, you can also indicate your interest here, and once 10 or more shirts are ordered, a reprint will happen automatically (https://teespring.com/bsd105) *** PC-BSD 11-CURRENT with Package Base (http://lists.pcbsd.org/pipermail/testing/2016-May/010616.html) Looking for a way to play with the new FreeBSD base package system? This month's PC-BSD -CURRENT image now used packages for base system installation, and is asking for testers to help find bugs. Known issues so far: setuid binaries (Fix in works) Missing tzone files Distrib packages If all that doesn't scare you away, then give it a whirl! Upgrades for previous APRIL images are now online also. *** BeastieBits HardenedBSD + LibreSSL (https://hardenedbsd.org/article/shawn-webb/2016-05-05/libressl-hardenedbsd-base) Michael Dexter's talk at LFNW 2016 is the 2nd highest youtube views from this years conference (https://www.youtube.com/watch?v=6k1Mf0c6YW8) Why OpenBSD is important to me (http://ggr.com/why-openbsd-is-important-to-me.html) Study of nginx-1.9.12 performance/latency on DragonFlyBSD-g67a73 (http://lists.dragonflybsd.org/pipermail/users/2016-May/249581.html) Running FreeBSD / OpenBSD / NetBSD as a virtualised guest on Online.net (https://www.geeklan.co.uk/?p=2109) The interesting story of how IllumOS syscalls work (http://zinascii.com/2016/the-illumos-syscall-handler.html) The BeaST is the FreeBSD based dual-controller reliable storage system concept with aim to implement ZFS and in-memory cache. (https://mezzantrop.wordpress.com/portfolio/the-beast/) Francois Tigeot updates the drm/i915 driver to match what's in Linux kernel 4.3 (http://lists.dragonflybsd.org/pipermail/commits/2016-May/500352.html) FreeBSD is working on the update to Linux Kernel 4.6, we may finally get ahead of Dragonfly! 
(https://twitter.com/ed_maste/status/730450314889924608) Feedback/Questions Oskar - Torrent Jail (http://pastebin.com/RT7tVtQ7) Shane - ZFS Delete (http://pastebin.com/VkpMeims) Adam - Zimbra Port (http://pastebin.com/MmQ00Sv1) Ray - PC-BSD - FrameBuffer (http://pastebin.com/Xx9TkX7A) Richard - ZFS Backups (http://pastebin.com/ncYxqpg3) ***
Coming up this week, we'll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He's been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this week's news and answers to your questions, on BSD Now - the place to B.. SD. This episode was brought to you by
Headlines
EuroBSDCon 2015 call for papers (https://2015.eurobsdcon.org/call-for-papers/)
The call for papers has been announced for the next EuroBSDCon (http://www.bsdnow.tv/episodes/2014_12_03-conference-connoisseur), which is set to be held in Sweden this year
According to their site, the call for presentation proposals period will start on Monday the 23rd of March and run until Friday the 17th of April
If giving a full talk isn't your thing, there's also a call for tutorials - if you're comfortable teaching other people about something BSD-related, this could be a great thing too
You're not limited to one proposal - several speakers gave multiple in 2014 - so don't hesitate if you've got more than one thing you'd like to talk about
We'd like to see a more balanced conference schedule than BSDCan's having this year, but that requires effort on both sides - if you're doing anything cool with any BSD, we'd encourage you to submit a proposal (or two)
Check the announcement for all the specific details and requirements
If your talk gets accepted, the conference even pays for your travel expenses
***
Making security sausage (http://www.tedunangst.com/flak/post/making-security-sausage)
Ted Unangst (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
"Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!"
The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
Following that, it leads to the topic of FreeType - and a much more complicated problem with backporting patches between versions
The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release - it had to be redone at the last minute
It was because of this that FreeBSD actually had to release a security update to their security update (https://lists.freebsd.org/pipermail/freebsd-security-notifications/2015-March/000237.html)
He concludes with "My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note 'oh, and some security too' creates downstream mayhem."
***
Running FreeBSD on the server, a sysadmin speaks (http://www.itwire.com/business-it-news/open-source/67420-running-freebsd-on-the-server-a-sysadmin-speaks)
More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
If you've been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you
***
NetBSD ported to Hardkernel ODROID-C1 (https://blog.netbsd.org/tnf/entry/netbsd_ported_to_hardkernel_odroid)
In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1 (http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141578608433)
This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet... all for just $35
There's a special kernel config file for this board's hardware, available in both -current and the upcoming 7.0
More info can be found on their wiki page (https://wiki.netbsd.org/ports/evbarm/odroid-c1/)
After this was written, basic framebuffer console support was also committed (http://mail-index.netbsd.org/source-changes/2015/03/21/msg064156.html), allowing a developer to run XFCE (https://pbs.twimg.com/media/CAqU5CnWEAAEhH2.png:large) on the device
***
Interview - Bernard Spil - brnrd@freebsd.org (mailto:brnrd@freebsd.org) / @sp1l (https://twitter.com/sp1l)
LibreSSL adoption in FreeBSD ports (https://wiki.freebsd.org/LibreSSL) and the wider software ecosystem
News Roundup
Monitoring pf logs with Gource (http://www.echothrust.com/blogs/monitoring-pf-logs-gource)
If you're using pf (http://www.bsdnow.tv/tutorials/pf) on any of the BSDs, maybe you've gotten bored of grepping logs and want to do something more fancy
This article will show you how to get set up with Gource for a cinematic-like experience
If you've never heard of Gource, it's "an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories"
When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend's phone had been compromised - graphical representations of traffic could be useful for detecting suspicious network activity
***
pkgng 1.5.0 alpha1 released (https://svnweb.freebsd.org/ports?view=revision&revision=381573)
The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
This update introduces support for provides/requires, something that we've been wanting for a long time
It will also now print which package is the reason for a direct dependency change
Another interesting addition is the "pkg -r" switch, allowing cross installation of packages
Remember this isn't the stable version, so maybe don't upgrade to it just yet on any production systems
DragonFly will also likely pick up this update once it's marked stable
***
Welcome to OpenBSD (http://devio.us/~bcallah/rcos2015.pdf)
We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
The slides from that talk are now online, and they've been generating quite a bit of discussion (https://news.ycombinator.com/item?id=9240533) online (https://www.reddit.com/r/openbsd/comments/2ztokc/welcome_to_openbsd/)
It's simply titled "Welcome to OpenBSD" and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
As you may know, NetBSD has almost 60 supported platforms (https://www.netbsd.org/ports/) and their slogan is "of course it runs NetBSD" - Brian says, with 17 platforms (http://www.openbsd.org/plat.html) over 13 CPU architectures, "it probably runs OpenBSD"
No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
Try to guess which font he used...
***
BSDTalk episode 252 (http://bsdtalk.blogspot.com/2015/03/bsdtalk252-devious-with-brian-callahan.html)
And somehow Brian has snuck himself into another news item this week
He makes an appearance in the latest episode of BSD Talk (http://www.bsdnow.tv/episodes/2014_03_05-bsd_now_vs_bsdtalk), where he chats with Will about running a BSD-based shell provider
If that sounds familiar, it's probably because we did the same thing (http://www.bsdnow.tv/episodes/2014_06_18-devious_methods), albeit with a different member of their team
In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself
***
Feedback/Questions
Christian writes in (http://slexy.org/view/s2O81pixhq)
Stefan writes in (http://slexy.org/view/s2dhr2WfVc)
Possnfiffer writes in (http://slexy.org/view/s2Kisq2EqT)
Ruudsch writes in (http://slexy.org/view/s2Xr0e5YAJ)
Shane writes in (http://slexy.org/view/s2Xz7BNoJE)
***
Mailing List Gold
Accidental support (https://lists.freebsd.org/pipermail/svn-src-head/2015-March/069679.html)
Larry's tears (https://www.marc.info/?l=openbsd-cvs&m=142686812913221&w=2)
The boy who sailed with BSD (https://lists.freebsd.org/pipermail/freebsd-hardware/2015-March/007625.html)
***
Managing enterprise networks with thousands of users and endpoints has been hard enough. Now that large enterprise networks routinely include hundreds of thousands of nodes, it's amazingly difficult and time-consuming (we're talking days, often) to get definitive answers to seemingly simple questions like: how many PCs do I have running? Never mind: how many PCs do I have that could be at risk from the Heartbleed vulnerability? Tanium, the most recent company to join the a16z portfolio, offers a systems management and security tool that allows administrators to ask virtually any question about the configuration, performance, and complexion of an enterprise network and get an answer in seconds. Tanium CTO and Co-founder Orion Hindawi and a16z Board Partner Steven Sinofsky discuss the origins of Tanium; the invention of the “linear peer-to-peer communications” architecture that turbo-charges the Tanium solution; and, with the Internet of Things coming online fast, the prospect of networks quickly growing to millions and billions of nodes.
Hosts: Steve Goodman, Michel de Rooij, John Cook, Ståle Hansen, and Michael van Horenbeeck. MEC wrap up, Azure AD sync preview, IIS log file cleanup, Heartbleed and HLBs, Exchange Online Protection enhancements, DigiCert Heartbleed vulnerability scan and detection, using Lync like a Lync pro, monitoring peak call capacity, SIPFED address change, Windows Phone 8.1, Lync for Mac 2011 14.0.7 hotfix, BYOD in a WiFi infrastructure, Lync April 2014 Cumulative Update, Office for iPad, eNow's monitoring product - hybrid, and more. Download or subscribe to this show at TheUCArchitects.com. For additional show notes, visit the summary page for this episode. Running time: 01:55:08 Sponsor: This UC Architects episode is sponsored by Instant Technologies, experts in eDiscovery and compliance for your Lync IM archive. View a 2 minute demo or start a free trial at http://www.tryhrauditor.com or follow them on Twitter @teaminstant.
On the programme: Heartbleed, explained. The FUTURE!!! (3D printers, the new Asimo, etc.) And the rest... To support the show, go to http://patreon.com/RDVTech
Episode links: Heartbleed and LastPass's useful information; The M3D printer; The new Asimo; The demo of a 3D effect without a 3D screen; Guillaume's site.
More about the episode: The hosts are Guillaume Main and Patrick Beja. The theme music is composed by Daniel Beja. His royalty-free tracks are available at musicincloud.fr. Publishing is handled by Florent Berthelot. See Acast.com/privacy for information on privacy and opting out.
Hi, welcome to the online marketing show, this is Joey Bushnell and this is today's online marketing news. As you may have heard already, there is a major security issue called Heartbleed which has affected some huge websites, and it means you need to go and change your passwords. So many sites have been affected that there's no point trying to list them here; if I were you, just to be safe, change your passwords for all your most important websites that you use most regularly, or that contain sensitive information, such as online banking. Twitter has released app-install ads which will help advertisers to promote apps so that mobile users can directly download on their mobile device. Twitter UK have also launched their real-time "own the moment" calendar for advertisers, which will help them to tie their ads to events such as seasonal events (Christmas, Easter, Halloween), TV events (the season finale of Game of Thrones), sporting events (the World Cup final), cultural events (such as International Pillow Fight Day), business events like The Business Show, and even Twitter events based around the live webinar trainings that Twitter hold regularly. Facebook have declared war on like- and share-baiting posts. If you use the word “like” or the word “share” or “comment”, then their EdgeRank algorithm will give you less exposure in people's newsfeeds. Great news for Facebook advertisers though: the Facebook ads being shown in the right-hand column for desktop and laptop users are going to be made bigger, so more real estate to play with. Google have announced the full rollout of +Post ads, where your Google+ posts can be turned into adverts on Google's display network. In previous shows I've mentioned this was in testing, but now Google are rolling this out to all brands, so go give it a try! LinkedIn has a new feature in their inbox: you now have the ability to write a note or set a reminder if you do not have time to respond right away.
This makes their inbox much more like a CRM tool, very handy. Klout have released their mobile app for iOS and say they will be releasing an Android version in the near future too. Groupon have announced in-store coupons to freebie offers. Major retailers can get floods of new traffic and custom by offering the coupon code over at Groupon, which can be used on their own website. This is for big brands for the time being, but Groupon have said they plan to expand this to small businesses later this year. After recent updates from ClickBank and JVZoo, the affiliate platform Deal Guardian have raised their game too by now offering custom affiliate commissions for specific affiliates and customized, branded checkout pages. Perhaps the most popular internet marketing forum on the web, The Warrior Forum, has been sold to freelancer.com for 3.2 million dollars. This will hopefully lead to improvements and innovations over at warriorforum.com; let's wait and see. WordPress 3.9 has just been released; if you have a WordPress site make sure you go and upgrade to the latest version asap. In events... The PR Summit is taking place in London, England on the 29th of April. Mobile Marketing 2014 is taking place on the 30th of April in London, England. Brand Us Social are holding an online marketing event for those in the fashion and beauty industry, in London, England on the 1st of May. The Data Summit, the data management and big data conference, will be held in New York on the 12th-14th of May. ClickZ Live is in Toronto, Canada May 14th-16th and in Shanghai, China 27th-29th May. For those of you in the network marketing industry, Matt Lloyd is hosting The Home Business Summit in Seattle, Washington on the 30th of May through to the 1st of June. Ray and Jessica Higdon will be holding Top Earner Academy 2 in Orlando, Florida on the 12th-15th of June. The Performance Marketing Summit is being held in Denver, Colorado, on June 17th. Jeremy Shoemaker will be amongst those speaking.
This week, Google Glass opens to the public for one day, Did the NSA know about Heartbleed... and exploit it?, Google invests in drones, nature docs come to the Oculus Rift, lab vaginas, space twins and much more...
What We're Playing With
Andy: Goat Simulator
Dwayne: Dyson DC44 Animal
Tosin: PAX East
Headlines
Google sells Glass to anyone in the US on April 15
Google Glass post sale report
IRS misses XP deadline, pays Microsoft millions for patches
NSA Said to Have Used Heartbleed Bug, Exposing Consumers
Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say
Adding Condoleezza Rice To Dropbox's Board Seems Incredibly Tone Deaf Following NSA Concerns
Dropbox CEO defends adding Condoleezza Rice to board
Health Secretary Resigns After Woes of HealthCare.gov
Audible Book of the Week
Hollow World by Michael J. Sullivan
Sign up at AudibleTrial.com/TheDrillDown
Music Break: Time Machine by Robyn
More Headlines
Google buys Titan Aerospace, the maker of high-altitude drones Facebook was considering
Report: 44% of Twitter Accounts Have Never Sent a Tweet
Sir David Attenborough shooting “Conquest of the Skies” documentary for Oculus Rift
James Cameron on VR technology
Finally, stats on what's really going on with Steam games
Music Break: Space Oddity by David Bowie
Final Word: Science Tech
Laboratory-grown vaginas offer help for girls born with rare genetic condition
NASA to conduct unprecedented twin experiment
The Drill Down Videos of the Week
Game Videos from PAX East
Subscribe! The Drill Down on iTunes (Subscribe now!) Add us on Stitcher! The Drill Down on Facebook The Drill Down on Twitter
Geeks Of Doom's The Drill Down is a roundtable-style audio podcast where we discuss the most important issues of the week, in tech and on the web, and how they affect us all. Hosts are Geeks of Doom contributor Andrew Sorcini (Mr. BabyMan), marketing research analyst Dwayne De Freitas, and Box tech consultant Tosin Onafowokan. Occasionally joining them is Startup Digest CTO Christopher Burnor.
The so-called Heartbleed security flaw has revealed every user's worst nightmare about security on the Internet. Should somebody take charge?
This week, we sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we'll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There's a boatload of news and we've got answers to your questions, coming up on BSD Now - the place to B.. SD. This episode was brought to you by
Headlines
BSDCan schedule, speakers and talks (https://www.bsdcan.org/2014/schedule/)
This year's BSDCan will kick off on May 14th in Ottawa
The list of speakers (https://www.bsdcan.org/2014/schedule/speakers.en.html) is also out
And finally the talks (https://www.bsdcan.org/2014/schedule/events.en.html) everyone's looking forward to
Lots of great tutorials and talks, spanning a wide range of topics of interest
Be sure to come by so you can meet Allan and Kris in person and get BSDCan shirts (https://twitter.com/bsdcan/status/454990067552247808)
***
NYCBSDCon talks uploaded (https://www.youtube.com/watch?v=4bPduH6O7lI)
The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
Jeff Rizzo's talk, "Releasing NetBSD: So Many Targets, So Little Time"
Dru Lavigne's talk (https://www.youtube.com/watch?v=DAmZ3cbfigA), "ZFS Management Tools in FreeNAS and PC-BSD"
Scott Long's talk (https://www.youtube.com/watch?v=FL5U4wr86L4), "Serving one third of the Internet via FreeBSD"
Michael W. Lucas' talk (https://www.youtube.com/watch?v=buo5JlMnGPI), "BSD Breaking Barriers"
***
FreeBSD Journal, issue 2 (http://freebsdfoundation.blogspot.com/2014/04/freebsd-journal-issue-2-is-now-available.html)
The bi-monthly FreeBSD Journal's second issue is out
Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
In less than two months, they've already gotten over 1000 subscribers!
It's available on Google Play, iTunes, Amazon, etc.
"We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD"
Check our interview with GNN (http://www.bsdnow.tv/episodes/2014_01_29-journaled_news_updates) for more information about the journal
***
OpenSSL, more like OpenSS-Hell (http://bsd.slashdot.org/story/200567)
We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
There's been a pretty vicious response from security experts all across the internet and in all of the BSD projects - and rightfully so
We finally have a timeline of events (http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140414-zqurk.html)
Reactions from ISC (https://isc.sans.edu/diary/Testing+for+Heartbleed/17933), PCBSD (http://blog.pcbsd.org/2014/04/openssl-security-update/), Tarsnap (http://www.daemonology.net/blog/2014-04-09-tarsnap-no-heartbleed-here.html), the Tor (https://lists.torproject.org/pipermail/tor-talk/2014-April/thread.html) project (https://lists.torproject.org/pipermail/tor-relays/2014-April/thread.html), FreeBSD (https://lists.freebsd.org/pipermail/freebsd-security/2014-April/thread.html), NetBSD (http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-004.txt.asc), oss-sec (http://seclists.org/oss-sec/2014/q2/index.html), PHK (https://queue.acm.org/detail.cfm?id=2602816), Varnish (https://www.varnish-cache.org/docs/trunk/phk/dough.html) and Akamai (https://blogs.akamai.com/2014/04/heartbleed-update.html)
pfSense (http://www.bsdnow.tv/episodes/2014_02_19-a_sixth_pfsense) released a new version to fix it (https://blog.pfsense.org/?p=1253)
OpenBSD disabled heartbeat entirely (http://marc.info/?l=openbsd-cvs&m=139715336230455&w=2) and is very unforgiving of the IETF (https://news.ycombinator.com/item?id=7568921)
Ted Unangst (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) has two good (http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf) write-ups (http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse) about the issue and how horrible the OpenSSL codebase is
A nice quote from one of the OpenBSD lists: "Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL's bug tracker is only used to park bugs, not fix them"
Sounds like someone else (http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html) was having fun with the bug for a while too
There's also another OpenSSL bug that OpenBSD patched (http://marc.info/?l=openbsd-cvs&m=139732441810737&w=2) - it allows an attacker to inject data from one connection into another
OpenBSD has also imported the most current version of OpenSSL and is ripping it apart from the inside out - we're seeing a fork (http://undeadly.org/cgi?action=article&sid=20140415093252) in real time
***
Interview - Jim Brown - info@bsdcertification.org (mailto:info@bsdcertification.org)
The BSD Certification (http://bsdcertification.org/) exams
Tutorial
Building OpenBSD binary packages in bulk (http://www.bsdnow.tv/tutorials/dpb)
News Roundup
Portable signify (https://github.com/aperezdc/signify)
Back in episode 23 (http://www.bsdnow.tv/episodes/2014_02_05-time_signatures) we talked with Ted Unangst about the new "signify" tool in OpenBSD
Now there's a (completely unofficial) portable version of it on GitHub
If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems
***
Foundation goals and updates (https://www.mail-archive.com/misc@openbsd.org/msg128240.html)
The OpenBSD Foundation has reached their 2014 goal of $150,000
You can check their activities and goals (http://www.openbsdfoundation.org/activities.html) to see where the money is going
Remember that funding also goes to OpenSSH, which EVERY system uses and relies on every day to protect their data
The FreeBSD Foundation has kicked off their spring fundraising (http://freebsdfoundation.blogspot.com/2014/04/freebsd-foundation-spring-fundraising.html) campaign
There's also a list of their activities and goals available to read through
Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet
***
PCBSD weekly digest (http://blog.pcbsd.org/2014/04/pc-bsd-weekly-feature-digest-25/)
New PBI runtime that fixes stability issues and decreases load times
"Update Center" is getting a lot of development and improvements
Lots of misc. bug fixes and updates
***
Feedback/Questions
There's a reddit thread (http://www.reddit.com/r/BSD/comments/22y497/i_need_a_bit_of_help_showing_my_friends_bsd_and/) we wanted to highlight - a user wants to show his friend BSD and why it's great
Brad writes in (http://slexy.org/view/s20Tso9a6v)
Sha'ul writes in (http://slexy.org/view/s21DfdV9yt)
iGibbs writes in (http://slexy.org/view/s2di8XRt73)
Matt writes in (http://slexy.org/view/s20m2g8UgV)
***
Dr Chris Smith discusses cures for jetlag, moons orbiting planets outside our solar system, a trip to the most remote marine protected area on Earth and the Heartbleed bug.
Google Glass and Google Ventures are the topic of interest for many and so we talk about it!! In addition, Amazon has an interesting way of weeding out the employees that don't want to work at the tech giant. Heartbleed is causing plenty of trouble for those in the IT field and Facebook decides to mix up things a bit on their mobile application.
This week, a critical security flaw affected several sites and services. If you are a user of one of them, your information may have leaked. In this podcast we give some tips on how to proceed. Mashable's list of affected sites and services: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ Podcasts on iTunes: https://itunes.apple.com/br/podcast/marchwill/id735290633?mt=2 Podcasts on Soundcloud: http://www.soundcloud.com/marchwill http://www.twitter.com/marchwill
This week, the heart of internet security is bleeding, stock traders game the system, a Twitter to destabilize Cuba, Game of Thrones pushes piracy to a new high, & are we at 3D printing's tipping point? All this and more...
What We're Playing With
Andy: Monument Valley, Silicon Valley
Headlines
Mozilla Co-Founder Brendan Eich Resigns as CEO, Leaves Foundation Board
Brendan Eich resignation: Politics necessarily creates divisions
The Heartbleed Bug, explained
Bruce Schneier: Heartbleed is a 'catastrophic' bug
Heartbleed vulnerable websites on the Alexa top 10000
The Heartbleed Hit List: The Passwords You Need to Change Right Now
Attorney general announces investigation into high-speed stock trades
On A 'Rigged' Wall Street, Milliseconds Make All The Difference
Audible Book of the Week
Flash Boys: A Wall Street Revolt by Michael Lewis
Sign up at AudibleTrial.com/TheDrillDown
Music Break: Chan Chan by Buena Vista Social Club
Hot Topics
US secretly created 'Cuban Twitter' to stir unrest
Microsoft Goes Hollywood in Amazon-Like Programming Push
Game of Thrones Premiere Triggers Piracy Craze
Micro 3D printer Kickstarter funding: $1 million in just one day
Uber announces UberRUSH, a bicycle courier service, launching first in Manhattan
The Drill Down Video of the Week
Silicon Valley, Season 1, Episode 1
Subscribe!
The Drill Down on iTunes (Subscribe now!)
Add us on Stitcher!
The Drill Down on Facebook
The Drill Down on Twitter
Geeks Of Doom's The Drill Down is a roundtable-style audio podcast where we discuss the most important issues of the week, in tech and on the web, and how they affect us all. Hosts are Geeks of Doom contributor Andrew Sorcini (Mr. BabyMan), marketing research analyst Dwayne De Freitas, and Box tech consultant Tosin Onafowokan. Occasionally joining them is Startup Digest CTO Christopher Burnor.
Bill Morgan talks about the Heartbleed bug; Naked FL woman McD's rampage; University says no to giving an honorary degree to a critic of Islam; The staff gets a talking to
Eric Holder whined about Louie Gohmert; Naked FL woman goes on rampage inside a McDonald's; Wild animals running loose in CA; Heartbleed bug; Archie comics is killing a character
