Opening Session - "My Spirit Given Function" Online Retreat with David Hoffmeister and Frances Xu
In the work with A Course in Miracles you start to realize it's more about undoing than doing. It's more about emptying the mind of everything you think you think and think you know and everything you believe is true. It's like all the Mystics and Saints of all the centuries have told us. Empty your mind and you will know the truth. It's very simple. And with this topic of My Spirit-given function, we can say that, in order to know the function that God gave you, and God gave you eternity, then you will have to unlearn a lot. Function in this world is associated with form and also associated with the body. And I can tell you that has to be forgotten. We have to unlearn all of that, in order to live the truth, because this world was made as a veil to keep us from knowing the truth. Find your Spirit-given function with David Hoffmeister and Frances Xu and listen to the sweet interaction between David and the retreat participants.
You can watch the beginning of the session here on YouTube: https://youtu.be/dSVrzNQUc80
If you are interested in knowing more about David Hoffmeister and Living Miracles events, here is more information: https://circle.livingmiraclescenter.org/events
Recorded on July 1, 2022, at La Casa Quantico, Chapala, Mexico.
Sweeping The Country: Derik & Jimmy talk about WHAT IS THE TRUTH and who's gonna tell us...oh & by the way Happy 4th of JULY!!!!! Here comes Independence Day are you ready to celebrate? I AM!
Links:
Azure has another security issue around its Synapse offering; this one was discovered by Tenable.
Sysdig has a dive into the real threats to SSH on EC2.
Tailscale has announced the ability to support Tailscale SSH.
Chris Farris has a treatise on The Philosophy of Prevention when it comes to cloud security.
Google Cloud CISO Phil Venables asks whether security analogies are counterproductive.
A security issue of sorts was discovered around sts:GetSessionToken Role Chaining in AWS.
The person responsible for the giant Capital One hack that took advantage of a series of small AWS misconfigurations has been convicted.
Rogue GitHub apps could have hijacked countless repos for a week or two earlier this year.
Wickr for Government achieves FedRAMP Ready designation.
It takes an open source project like trackiam to collate IAM actions, AWS APIs, and managed policies from all over the place.
Passwordle lets you guess commonly used passwords.
About Chris
Chris is a robotics engineer turned cloud security practitioner. From building origami robots for NASA, to neuroscience wearables, to enterprise software consulting, he is a passionate builder at heart. Chris is a cofounder of Common Fate, a company with a mission to make cloud access simple and secure.
Links:
Common Fate: https://commonfate.io/
Granted: https://granted.dev
Twitter: https://twitter.com/chr_norm
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Let's face it, on-call firefighting at 2am is stressful! So there's good news and there's bad news. The bad news is that you probably can't prevent incidents from happening, but the good news is that incident.io makes incidents less stressful and a lot more valuable. incident.io is a Slack-native incident management platform that allows you to automate incident processes, focus on fixing the issues and learn from incident insights to improve site reliability and fix your vulnerabilities. Try incident.io, recover faster and sleep more.
Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.
Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. It doesn't matter where you are on your journey in cloud—you could never have heard of Amazon the bookstore—and you encounter AWS and you spin up an account. And within 20 minutes, you will come to the realization that everyone in this space does. “Wow, logging in to AWS absolutely blows goats.”
Today, my guest obviously had that reaction, but unlike most people I talked to, decided to get up and do something about it. Chris Norman is the co-founder of Common Fate and, most notably to how I know him, is one of the original authors of the tool Granted. Chris, thank you so much for joining me.
Chris: Hey, Corey, thank you for having me.
Corey: I have done podcasts before; I have done a blog post on it; I evangelize it on Twitter constantly, and even now, it is challenging in a few ways to explain holistically what Granted is. Rather than trying to tell your story for you, when someone says, “Oh, Granted, that seems interesting and impossible to Google for in isolation, so therefore, we know it's going to be good because all the open-source projects with hard to find names are,” what is Granted and what does it do?
Chris: Granted is a command-line tool which makes it really easy for you to get access and assume roles when you're working with AWS. For me, when I'm using Granted day-to-day, I wake up, go to my computer—I'm working from home right now—crack open the MacBook and I log in and do some development work. I'm going to go and start working in the cloud.
Corey: Oh, when I start first thing in the morning doing development work and logging into the cloud, I know. All right, I'm going to log in to AWS and now I know that my day is going downhill from here.
Chris: [laugh]. Exactly, exactly. I think maybe the best days are when you don't need to log in at all. But when you do, I go and I open my terminal and I run this command. Using Granted, I run this assume command and it authenticates me with single-sign-on into AWS, and then it opens up a console window in a particular account.
Now, you might ask, “Well, that's a fairly standard thing.” And in fact, that's probably the way that the console and all of the tools work by default with AWS. Why do you need a third-party tool for this?
Corey: Right. I've used a bunch of things that do varying forms of this and unlike Granted, you don't see me gushing about them. I want to be very clear, we have no business relationship. You're not sponsoring anything that I do. I'm not entirely clear on what your day job entails, but I have absolutely fallen in love with the Granted tool, which is why I'm dragging you on to this show, kicking and screaming, mostly to give me an excuse to rave about it some more.
Chris: [laugh]. Exactly. And thank you for the kind words. And I'd say really what makes it special or why I've been so excited to be working on it is that it makes this access, particularly when you're working with multiple accounts, really, really easy. So, when I run assume and I open up that console window, you know, that's all fine and that's very similar to how a lot of the other tools and projects that are out there work, but when I want to open that second account and that second console window, maybe because I'm looking at like a development and a staging account at the same time, then Granted allows me to view both of those simultaneously in my browser. And we do that using some platform sort of tricks and building into the way that the browser works.
Corey: Honestly, one of the biggest differences in how you describe what Granted is and how I view it is when you describe it as a CLI application because yes, it is that, but one of the distinguishing characteristics is you also have a Firefox extension that winds up leveraging the multi-container functionality extension that Firefox has. So, whenever I wind up running a single command—assume with a -c flag, then I give it the name of my AWS profile—it opens the web console so I can ClickOps to my heart's content inside of a tab that is locked to a container, which means I can have one or two or twenty different AWS accounts and/or regions up running simultaneously side-by-side, which is basically impossible any other way that I've ever looked at it.
Chris: Absolutely, yeah. And that's, like, the big differentiating factor right now between Granted and between this sort of default, the native experience, if you're just using the AWS command line by itself. With Granted, you can—with these Firefox containers, all of your cookies, your profile, everything is all localized into that one container. It's actually a privacy feature that's built into Firefox, which keeps everything really separate between your different profiles. And what we're doing with Granted is that we make it really easy to open specific profiles that correspond with different AWS profiles that you're using.
So, you'd have one which could be your development account, one which could be production or staging. And you can jump between these and navigate between them just as separate tabs in your browser, which is a massive improvement over, you know, what I've previously had to use in the past.
Corey: The thing that really just strikes me about this is first, of course, the functionality and the rest, so I saw this—I forget how I even came across it—and immediately I started using it. On my Mac, it was great. I started using it when I was on the road, and it was less great because you built this thing in Go. It can compile and install on almost anything, but there were some assumptions that you had built into this in its early days that did not necessarily encompass all of the use cases that I use. For example, it hadn't really occurred to you that some lunatic would try and only use an iPad when they're on the road, so they have to be able to run this to get federated login links via SSHing into an EC2 instance running somewhere and not have it open locally.
You seemed almost taken aback when I brought it up. Like, “What lunatic would do that?” Like, “Hi, I'm such a lunatic. Let's talk about this.” And it does that now, and it's awesome. It does seem to me though, and please correct me if I'm wrong on this assumption slash assessment, that this is first and foremost aimed at desktop users, specifically people running Mac on the desktop. Is that the genesis of it?
Chris: It is indeed. And I think part of the cause behind that is that we originally built a tool for ourselves. And as we were building things and as we were working using the cloud, we were running things—you know, we like to think that we're following best practices when we're using AWS, and so we'd set up multiple accounts, we'd have a special account for development, a separate one for staging, a separate one for production, even internal tools that we would build, we would go and spin up an individual account for those. And then you know, we had lots of accounts, and to go and access those really easily was quite difficult.
So, we definitely, we built it for ourselves first and I think that that's part of when we released it, it was actually a little bit of a cause for some of the initial problems. And some of the feedback that we had was that it's great to build tools for yourself, but when you're working in open-source, there's a lot of different diversity with how people are using things.
Corey: We take different approaches. You want to try to align with existing best practices, whereas I am a loudmouth white guy who works in tech. So, what I do definitionally becomes a best practice in the ecosystem. It's easier to just comport with the ones that are already existing that smart people put together rather than just trying to competence your way through it, so you took a better path than I did.
But there's been a lot of evolution to Granted as I've been using it for a while. I did a whole write-up on it and that got a whole bunch of eyes onto the project, which I can now admit was a nefarious plan on my part because popping into your community Slack and yelling at you for features I want was all well and good, but let's try and get some people with eyes on this who are smarter than me—which is not that high of a bar when it comes to SSO, and IAM, and federated login, and the rest—and they can start finding other enhancements that I'll probably benefit from. And sure enough, that's exactly what happened. My sneaky plan has come to fruition. Thanks for being a sucker, I guess. I mean—[laugh] it worked. I'm super thrilled by the product.
Chris: [laugh]. I guess it's a great thing. I think that the feedback and particularly something that's always been really exciting is just seeing new issues come through on GitHub because it really shows the kinds of interesting use cases and the kinds of interesting teams and companies that are using Granted to make their lives a little bit easier.
Corey: When I go to the website—which again is impossible to Google—the website for those wondering is granted.dev. It's short, it's concise, I can say it on a podcast and people automatically know how to spell it. But at the top of the website—which is very well done by the way—it mentions that oh, you can, “Govern access to breakglass roles with Common Fate Cloud,” and it also says in the drop shadow nonsense thing in the upper corner, “Brought to you by Common Fate,” which is apparently the name of your company.
So, the question I'll get to in a second is what does your company do, but first and foremost, is this going to be one of those rug-pull open-source projects where one day it's, “Oh, you want to log into your AWS accounts? Insert quarter to continue.” I'm mostly being a little over the top with that description, but we've all seen things that we love turn into molten garbage. What is the plan around this? Are you about to ruin this for the rest of us once you wind up raising a round or something? What's the deal?
Chris: Yeah, it's a great question, Corey. And I think that to a degree, releasing anything like this that sits in the access workflow and helps you assume roles and helps you day-to-day, you know, we have a responsibility to uphold stability and reliability here and to not change things. And I think part of, like, not changing things includes not [laugh] rug-pulling, as you've alluded to. And I think that for some companies, it ends up that open-source becomes, like, a kind of a lead-generation tool, or you end up with, you know, now finally, let's go and add another login so that you have to log into Common Fate to use Granted. And I think that, to be honest, a tool like this where it's all about improving the speed of access, the incentives for us, like, it doesn't even make sense to try and add another login to try to get people to, like, to say, log in to Common Fate because that would make your sign-in process for AWS take even longer than it already does.
Corey: Yeah, you decided that you know, what's the biggest problem? Oh, you can sleep at night, so let's go ahead and make it even worse, by now I want you to be this custodian of all my credentials to log into all of my accounts. And now you're going to be critical path, so if you're down, I'm not able to log into anything. And oh, by the way, I have to trust you with full access to my bank stuff. I just can't imagine that is a direction that you would be super excited about diving head-first into.
Chris: No, no. Yeah, certainly not. And I think that the, you know, building anything in this space, and with what we're doing with Common Fate, you know, we're building a cloud platform to try to make IAM a little bit easier to work with, but it's really sensitive around granting any kind of permission and I think that you really do need that trust. So, trying to build trust, I guess, with our open-source projects is really important for us with Granted and with this project, that it's going to continue to be reliable and continue to work as it currently does.
Corey: The way I see it, one of the dangers of doing anything that is particularly open-source—or that leans in the direction of building in Amazon's ecosystem—it leads to the natural question of, well, isn't this just going to be, some people say, stolen—and I don't think those people understand how open-source works—by AWS themselves? Or aren't they going to build something themselves at AWS that's going to wind up stomping this thing that you've built? And my honest and remarkably cynical answer is that, “You have built a tool that is a joy to use, that makes logging into AWS accounts streamlined and efficient in a variety of different patterns. Does that really sound like something AWS would do?” And followed by, “I wish they would because everyone would benefit from that rising tide.”
I have to be very direct and very clear. Your product should not exist. This should be something the provider themselves handles. But nope. Instead, it has to exist. And while I'm glad it does, I also can't shake the feeling that I am incredibly annoyed by the fact that it has to.
Chris: Yeah. Certainly, certainly. And it's something that I think about a little bit. I like to wonder whether there's maybe like a single feature flag or some single sort of configuration setting in AWS where they're not allowing different tabs to access different accounts, they're not allowing this kind of concurrent access. And maybe if we make enough noise about Granted, maybe one of the engineers will go and flick that switch and they'll just enable it by default.
And then Granted itself will be a lot less relevant, but for everybody who's using AWS, that'll be a massive win because the big draw of using Granted is mainly just around being able to access different accounts at the same time. If AWS let you do that out of the box, hey, that would be great and, you know, I'd have a lot less stuff to maintain.
Corey: Originally, I had you here to talk about Granted, but I took a glance at what you're actually building over at Common Fate and I'm about to basically hijack slash derail what probably is going to amount to the rest of this conversation because you have a quick example on your site for by developers, for developers. You show a quick Python script that tries to access an S3 bucket object and it's denied. You copy the error message, you paste it into what you're building over at Common Fate, and in return, it's like, “Oh. Yeah, this is the policy that fixes it. Do you want us to apply it for you?”
And I just about fell out of my chair because I have been asking for this explicit thing for a very long time. And AWS doesn't do it. Their IAM access analyzer claims to. Like, “Oh, just go look at CloudTrail and see what permissions it uses and we'll build a policy to scope it down.” “Okay. So, it's S3 access. Fair enough. To what object or what bucket?” “Guess,” is what it tells you there.
And it's, this is crap. Who thinks this is a good user experience? You have built the thing that I wish AWS had built in natively. Because let's be honest here, I do what an awful lot of people do and overscope permissions massively just because messing around with the bare minimum set of permissions in many cases takes more time than building the damn thing in the first place.
Chris: Oh, absolutely. Absolutely. And in fact, this—was a few years ago when I was consulting—I had a really similar sort of story where one of the clients that we were working with, the CTO of this company, he was needing to grant us access to AWS and we were needing to build a particular service. And he said, “Okay, can you just let me know the permissions that you will need and I'll go and deploy the role for this.” And I came back and I said, “Wait. I don't even know the permissions that I'm going to need because the damn thing isn't even built yet.”
So, we went sort of back and forth around this. And the compromise ended up just being, you know, way too much access. And that was sort of part of the inspiration for, you know, really this whole project and what we're building with Common Fate, just trying to make that feedback loop around getting to the right level of permissions a lot faster.
Corey: Yeah, I am just so overwhelmingly impressed by the fact that you have built—and please don't take this as a criticism—but a set of very simple tools. Not simple in the terms of, “Oh, that's, like, three lines of bash, and a fool could write that on a weekend.” No. Simple in the sense of it solves a problem elegantly and well and it's straightforward—well, straightforward as anything in the world of access control goes—to wrap your head around exactly what it does. You don't tend to build these things by sitting around a table brainstorming with someone you met at a co-founder dating pool or something and wind up figuring out, “Oh, we should go and solve that. That sounds like a billion-dollar problem.”
This feels very much like the outcome of when you're sitting around talking to someone and let's start by drinking six beers so we become extraordinarily honest, followed immediately by let's talk about what sucks. What pisses you off the most? It feels like this is sort of the low-hanging fruit of things that upset people when it comes to AWS. I mean, if things had gone slightly differently, instead of focusing on AWS bills, IAM was next on my list of things to tackle just because I was tired of smacking my head into it.
This is very clearly a problem space that you folks have analyzed deeply, worked within, and have put a lot of thought into. I want to be clear, I've thrown a lot of feature suggestions at you for Granted from start to finish. But all of them have been around interface stuff and usability and expanding use cases. None of them have been, “Well, that seems screamingly insecure.” Because it hasn't been.
Chris: [laugh].
Corey: It has been effective, start to finish. I think that from a security posture, you make terrific choices, in many cases better than ones I would have made starting from scratch myself. Everything that I'm looking at in what you have built is from a position of this is absolutely amazing and it is transformative to my own workflows. Now, how can we improve it?
Chris: Mmm. Thank you, Corey. And I'll say as well, maybe around the security angle, that one of the goals with Granted was to try and do things a little bit better than the default way that AWS does them when it comes to security. And it's actually been a bit of a source for challenges with some of the users that we've been working with with Granted because one of the things we wanted to do was encrypt the SSO token. And this is the token that when you sign in to AWS, kind of like, it allows you to then get access to all of the rest of the accounts.
So, it's like a pretty—it's a short-lived token, but it's a really sensitive one. And you know, by default, it's just stored in plain text on your disk. So, we dump to a file and, you know, anything that can go and read that, they can go and get it. It's also a little bit hard to revoke and to lock people out. There's not really great workflows around that on AWS's side.
So, we thought, “Okay, great. One of the goals for Granted can be that we will go and store this in your keychain in your system and we'll work natively with that.” And that's actually been a cause for a little bit of a hassle for some users, though, because by doing that and by storing all of this information in the keychain, it's actually broken some of the integrations with the rest of the tooling, which kind of expects tokens and things to be in certain places. So, we've actually had to, as part of dealing with that with Granted, we've had to give users the ability to opt out of that.
Corey: DoorDash had a problem. As their cloud-native environment scaled and developers delivered new features, their monitoring system kept breaking down. In an organization where data is used to make better decisions about technology and about the business, losing observability means the entire company loses their competitive edge. With Chronosphere, DoorDash is no longer losing visibility into their applications suite. The key? Chronosphere is an open-source compatible, scalable, and reliable observability solution that gives the observability lead at DoorDash business, confidence, and peace of mind. Read the full success story at snark.cloud/chronosphere. That's snark.cloud slash C-H-R-O-N-O-S-P-H-E-R-E.
Corey: That's why I find this so, I think, just across the board, fantastic. It's you are very clearly engaged with your community. There's a community Slack that you have set up for this. And I know, I know, too many Slacks; everyone has this problem. This is one of those that is worth hanging in, at least from my perspective, just because one of the problems that you have, I suspect, is on my Mac it's great because I wind up automatically updating it to whatever the most recent one is every time I do a brew upgrade.
But on the Linux side of the world, you've discovered what many of us have discovered, and that is that packaging things for Linux is a freaking disaster. The current installation is, “Great. Here's basically a curl bash.” Or, “Here, grab this tarball and install it.” And that's fine, but there's no real way of keeping that updated and synced.
So, I was checking the other day, oh wow, I'm something like eight versions behind on this box. But it still just works. I upgraded. Oh, wow. There's new functionality here. This is stuff that's actually really handy. I like this quite a bit. Let's see what else we can do.
I'm just so impressed, start to finish, by just how receptive you've been to various community feedbacks. And as well—I want to be very clear on this point, too—I've had folks who actually know what they're doing in an InfoSec sense look at what you're up to, and none of them had any issues of note. I'm sure that they have a pile of things like, with that curl bash, they should really be doing a GPG check. Yes, yes, fine. Whatever. If that's your target threat model, okay, great. Here in reality-land for what I do, this is awesome.
And they don't seem to have any problems with, “Oh, yeah. By the way, sending analytics back up”—which, okay, fine, whatever. “And it's not disclosing them.” Okay, that's bad. “And it's including the contents of your AWS credentials.”
Ahhhh. I did encounter something that was doing that on the back-end once. [cough]—Serverless Framework—sorry, something caught in my throat for a second.
Chris: [laugh].
Corey: No faster way I can think of to erode trust in that. But everything you're doing just makes sense.
Chris: Oh, I do remember that. And that was a little bit of a fiasco, really, around all of that, right? And it's great to hear actually around that InfoSec folks and security people being, you know, not unhappy, I guess, with a tool like this. It's been interesting for me personally. We've really come from a practitioner's background.
You know, I wouldn't call myself a security engineer at all. I would call myself sometimes a software developer, I guess. I have been hacking my way around Go and definitely learning a lot about how the cloud has worked over the past seven, eight years or so, but I wouldn't call myself a security engineer, so being very cautious around how all of these things work. And we've really tried to defer to things like the system keychain and defer to things that we know are pretty safe and work.
Corey: The thing that I also want to call out as well is that your licensing is under the MIT license. This is not one of those, “Oh, you're required to wind up doing a bunch of branding stuff around it.” And, like some people say, “Oh, you have to own the trademark for all of these things.” I mean, I'm not an expert in international trademark law, let's be very clear, but I also feel that trademarking a term that is already used heavily in the space such as the word ‘Granted,' feels like kind of an uphill battle. And let's further be clear that it doesn't matter what you call this thing.
In fact, I will call attention to an oddity that I've encountered a fair bit. After installing it, the first thing you do is you run the command ‘granted.' That sets it up, it lets you configure your browser, what browser you want to use, and it now supports standard out for that headless, EC2 use case. Great. Awesome. Love it. But then the other binary that ships with it is Assume. And that's what I use day-to-day. It actually takes me a minute sometimes when it's been long enough to remember that the tool is called Granted and not Assume. What's up with that?
Chris: So, part of the challenge that we ran into when we were building the Granted project is that we needed to export some environment variables. And these are really important when you're logging into AWS because you have your access key, your secret key, your session token. All of those, when you run the assume command, need to go into the terminal session that you called it from. This doesn't matter so much when you're using the console mode, which is what we mentioned earlier where you can open 100 different accounts if you want to view all of those at the same time in your browser. But if you want to use it in your terminal, we wanted to make it look as really smooth and seamless as possible here.
And we were really inspired by this approach from—and I have to shout them out and kind of give credit to them—a tool called AWSume—they're spelled A-W-S-U-M-E—a Python-based tool that they don't do as much with single-sign-on, but we thought they had a really nice, like, general approach to the way that they did the scripting and aliasing. And we were inspired by that and part of that means that we needed to have a shell script that called this executable, which then will export things back out into the shell script. And we're doing all this wizardry under the hood to make the user experience really smooth and seamless. Part of that meant that we separated the commands into granted and assume and the other part of the naming for everything is that I felt Granted had a far better ring to it than calling the whole project Assume.
Corey: True. And when you say assume, is it AWS or not? I've used the AWSume project before; I've used AWS Vault out of 99 Designs for a while. I've used—for three minutes—the native AWS SSO config, and that is just trash. Again, they're so good at the plumbing, so bad at the porcelain, I think is the criticism that I would levy toward a lot of this stuff.
Chris: Mmm.
Corey: And it's odd to think there's an entire company built around just smoothing over these sharp, obnoxious edges, but I'm saying this as someone who runs a consultancy and has for five years that just fixes the bill for this one company. So, there's definitely a series of cottage industries that spring up around these things. I would be thrilled, on some level, if you wound up being completely subsumed by their product advancements, but it's been 15 years for a lot of this stuff and we're still waiting. My big failure mode that I'm worried about is that you never are.
Chris: Yeah, exactly, exactly. And it's really interesting when you think about all of these user experience gaps in AWS being opportunities for, I guess, for companies like us, I think, trying to simplify a lot of the complexity for things. I'm interested in sort of waiting for a startup to try and, like, rebuild the actual AWS console itself to make it a little bit faster and easier to use.
Corey: It's been done and attempted a bunch of different times. The problem is that the console is a lot of different things to a lot of different people, and as you step through that, you can solve for your use case super easily. “Yeah, what do I care? I use RDS, I use some VPC nonsense, and I use EC2. The end.” “Great. What about IAM?”
Because I promise you're using that whether you know it or not. And okay, well, I'm talking to someone else who's DynamoDB, and someone else is full-on serverless, and someone else has more money than sense, so they mostly use SageMaker, and so on and so forth. And it turns out that you're effectively trying to rebuild everything. I don't know if that necessarily works.
Chris: Yeah, and I think that's a good point around maybe why we haven't seen anything around that sort of space so far. You go to the console, and you click down, you see that list of 200 different services and all of those have had teams go and actually, like, build the UI and work with those individual APIs. Yeah.
Corey: Any ideas as far as what's next for features on Granted?
Chris: I think that, for us, it's continuing to work with everybody who's using it, and with a focus of stability and performance. We actually had somebody in the community raise an issue because they have an AWS config file that's over 7000 lines long. And I kind of pity that person, potentially, for their day-to-day. They must deal with so much complexity. Granted is currently quite slow when the config files get very big. And for us, I think, you know, we built it for ourselves; we don't have that many accounts just yet, so working to try to, like, make it really performant and really reliable is something that's really important.
Corey: If you don't mind a feature request while we're at it—and I understand that this is more challenging than it looks like—I'm willing to fund this as a feature bounty that makes sense. And this also feels like it might be a good first project for a very particular type of person. I would love to get tab completion working in Zsh. You have it—
Chris: Oh.
Corey: For Fish because there's a great library that automatically populates that out, but for the Zsh side of it, it's, “Oh, I should just wind up getting Zsh completion working,” and I fell down a rabbit hole, let me tell you. And I come away from this with the perception of yeah, I'm not going to do it. I am not smart enough to check those boxes. But a lot of people are, so that is the next thing I would love to see. Because I will change my browser to log into the AWS console for you, but be damned if I'm changing my shell.
Chris: [laugh]. I think autocomplete probably should be higher on our roadmap for the tool, to be honest, because it's really, like, a key metric and what we're focusing on is how easy is it to log in. And you know, if you're not too sure what commands to use or if we can save you a few keystrokes, I think that would be the, kind of like, reaching our goals.
Corey: From where I'm sitting, you definitely have. I really want to thank you for taking the time to not only build this in the first place, but also speak with me about it. If people want to learn more, where's the best place to find you?
Chris: So, you can find me on Twitter, I'm @chr_norm, or you can go and visit granted.dev and you'll have a link to join the Slack community. And I'm very active on the Slack.
Corey: You certainly are, although I will admit that I fall into the challenge of being in just the perfectly opposed timezone from you and your co-founder, who are in different time zones to my understanding; one of you is in Australia and one of you is in London; you're the London guy as best I'm aware. And as a result, invariably, I wind up putting in feature requests right when no one's around. And, for better or worse, in the middle of the night is not when I'm usually awake trying to log into AWS. That is Azure time.
Chris: [laugh]. Yeah, no, we don't have the US time zone properly covered yet for our community support and help. But we do have a fair bit of the world timezone covered. The rest of the team for Common Fate is all based in Australia and I'm out here over in London.
Corey: Yeah. I just want to thank you again, for just being so accessible and, like, honestly receptive to feedback. I want to be clear, there's a way to give feedback and I do strive to do it constructively. I didn't come crashing into your Slack one day with a, “You know what your problem is?” I prefer to take the, “This is awesome. Here's what I think would be even better. Does that make sense?” As opposed to the imperious demands in GitHub issues and whatnot. It's, “I'd love it if it did this thing. Doesn't do this thing. Can you please make it do this thing?” Turns out that's the better way to drive change.
Who knew?Chris: Yeah. [laugh]. Yeah, definitely. And I think that one of the things that's been the best around our journey with Granted so far has been listening to feedback and hearing from people how they would like to use the tool. And a big thank you to you, Corey, for actually suggesting changes that make it not only better for you, but better for everybody else who's using Granted.Corey: Well, at least as long as we're using my particular byzantine workload patterns in some way, or shape, or form, I'll hear that. But no, it's been an absolute pleasure and I really want to thank you for your time as well.Chris: Yeah, thank you for having me.Corey: Chris Norman, co-founder of Common Fate, as well as one of the two primary developers originally behind the Granted project that logs you into AWS without you having to lose your mind. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry, incensed, raging comment that talks about just how terrible all of this is once you spend four hours logging into your AWS account by hand first.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.
Please join us as we welcome Pastor Sof Vae'ena to guide us through Psalm 47. If you'd like to join us, please visit us at 4218 Boston Ave. Lubbock Texas. You can also call us at (806) 799-2227, email us at email@example.com, or visit us online at CalvaryChapelLubbock.church. Please feel free to let us know about your walk with Jesus. If you'd like to donate to help us bring the Gospel to the world, just click on the donate button on our website.
When it comes to sports legends, they don't get much bigger than Jonny Wilkinson. He's one of the most decorated rugby players and famously represented England in the 2003 World Cup Final, when his drop goal clinched victory for the nation in the last 30 seconds. However, in recent years he's branched out: today he is a mental health advocate and motivational speaker. He hosts his own podcast, I Am, which features thought leaders and pioneers talking honestly about their challenges and inspirations. And he's passionate about healthy eating, with his own range of fermented food products, No.1 Living, on sale at Holland & Barrett.

In this deep and spiritual chat, Jonny and Gemma discuss the importance of living in the now, and how it feels to reach your goals, only to have the experience not live up to your expectations. Jonny talks about how health isn't a goal you can ever achieve, but a work in progress. He recalls how his passion for gut health started and what it means now, and how it's part of his overall journey in terms of how his perception and appreciation of his body has changed since being a sportsman. This is a really rich conversation with so much for everybody to take from it, as well as Jonny's practical tips for wellbeing.

Resources
Follow us here: https://www.instagram.com/hollandandbarrett/?hl=en
Dr Gemma Newman: https://www.instagram.com/plantpowerdoctor/?hl=en and https://gemmanewman.com/
Jonny Wilkinson: http://www.jonnywilkinson.com/, @jonnywilkinsonofficial, https://www.no1living.com/
H&B products:
No.1 Living Gut & Brain Kombucha Health Shot
No.1 Living Gut & Immune Kombucha Health Shot
No. 1 Living Passion Fruit Sugar Free Kombucha
No. 1 Living Raspberry Sugar Free Kombucha
No.1 Living Ginger Sugar Free Kombucha
No.1 Living Water Kefir Lemon with Yuzu & Mint
No.1 Living Water Kefir Strawberry with Rhubarb
See acast.com/privacy for privacy and opt-out information.
Whether I like it or not, the truth is... I AM the cause and solution for everything I have and don't have in my life. And that, my dear friend, is the same for you. Join me today as I share how I tell that voice to "shut the hell up" and make big bold moves that support the attainment of my lofty goals as I launch the Millionaire Mompreneur Project into the next stratosphere. I have a feeling today's episode is just the powerful pep-talk you need. If you enjoyed this episode, please LEAVE A REVIEW so we can inspire other motivated mamas! Alone we are strong, but together we are UNSTOPPABLE.

Connect with Jessie on Instagram: @jessieharrisbouton
The Millionaire Mompreneur Online Coach Accelerator is accepting applications: www.millionairemompreneur.com/application
Overwhelmed with all the things you're "supposed to do" to grow your biz? I was too! Get my free Clarity Cashflow Checklist to learn the exact things I do every single day to run a 7-figure business as a mom of 5 in less than 20 hours/week: www.millionairemompreneur.com/claritycashflowchecklist
Want to learn how to make $1 Million with 1 program in 1 year working less than part-time hours? Watch this free training showing you exactly how to create, sell and scale your signature high-ticket group coaching program on autopilot without sales calls: www.millionairemompreneur.com/7figurecoachsecrets
This week we will study John 8:13-20. In John 8:13-20, the religious leaders responded to Jesus' I AM statement and they challenged His authority and once again they debated Him. -Vlog for June 28, 2022 #Biblestudy #christian #John -Social links Check out our website: https://wbem.org Check out our Facebook: https://www.facebook.com/weeklybiblicalencouragement Check out our Instagram: https://www.instagram.com/weeklybiblicalencouragement/ Check out our Tiktok: https://www.tiktok.com/@wbencouragment Check out our Twitter: https://www.twitter.com/WBEncouragement Check out our Pinterest: https://www.pinterest.com/WeeklyBiblicalEncouragement/ -Design, produced, and audio by Cas Medlin (firstname.lastname@example.org)
A set of services for managing identity and access management, or IAM across all of an organization's data islands. CyberWire Glossary link: https://thecyberwire.com/glossary/identity-fabric Audio reference link: “Leadership Compass Identity Fabrics - Analyst Chat 126,” by KuppingerCole, YouTube, 30 May 2022.
Christian Meditation is entering a solitary place. If not physically, then at least let it be so mentally. This is a quiet time for you to re-integrate and re-calibrate your mind with your body, and to re-integrate and re-calibrate your mind and body with God's presence with you and in you. This is a time for you to be alone, and to be alone with God. Remember the quote from the apostle Paul in Acts 17:28 – In him you live and move and have your being.

If your podcast app is set to skip the silent sections, disable that for this podcast.

Psalm 27:1 (NIV)
The LORD is my light and my salvation — whom shall I fear?
The LORD is the stronghold of my life — of whom shall I be afraid?

The logic of the imagery is that if this is the unseen reality your life is in — that Yahweh is YOUR light and YOUR salvation and the stronghold of YOUR life — then what is there to actually be afraid of? Of whom shall you be afraid exactly? Well, there are 1000 things actually. But none of them are stronger than the I AM, who is always surrounding you as your light/life, your salvation, your stronghold/fortress. Which means that none of them are really in control of things. When difficult things are happening to you, the difficult things are not in control of the situation. The One who is your Light is in control. The One who is your Salvation is in control. The One who is the Stronghold of your life is in control. The Almighty LORD of Heaven and Earth is ultimately in power over any other threat to you. There is that phrase — Fear God and you won't have to fear anything or anyone else. The unseen reality always surrounding your life is that HE IS is your light — your salvation/healing/rescuer — your stronghold/fortress.
There is nothing and no one else over you to fear.

Whenever you feel threatened in any way – anxious in any way – feel tension in your body in any way – whenever you sense an overreaction in you to some social or work or family situation — you can say…

“Lord, YOU ARE present, and you are in this, and I can trust you. YOU ARE my light/life. YOU ARE my restoration. YOU ARE the stronghold of my life.”

You can rest in a calm confidence. You can replace anxiety with imagining the reality of God's presence and that God is in this situation and in this moment with you. You can replace all your multi-layered insecurities and the way they manifest themselves in your life and in your relationships and in your mind and body with the security that the God who created this universe is also 100% with you and focused on you as your light and your rescuer and your fortress. He is the stronghold of your life.

“Lord, you are present, and you are in this, and I can trust you. YOU ARE my light/life. YOU ARE my restoration. YOU ARE the stronghold of my life.”

You can just let go of so much anxiety and fear and insecurity and anger and fight-or-flight central nervous system living. Rest in God's lordship. Power. Presence. Love. Release your clenched muscles. Let go of the tension. Let your muscles soften.

Timestamps:
00:39 - 14:27 Body Meditation
14:28 - 24:57 Bible Meditation: Psalm 27:1

Who can you share this podcast with? If you found this episode helpful, consider sharing it on social media or texting it to a friend you think might benefit from it.
Follow Dave Cover on Twitter @davecover
Follow A Bigger Life on Twitter @ABiggerLifePod
Our audio engineer is Diego Huaman.
This podcast is a ministry of The Crossing, a church in Columbia, Missouri, a college town where the flagship campus of the University of Missouri is located.
A set of solutions for ensuring that the right users can only access the appropriate resources. CyberWire Glossary link: https://thecyberwire.com/glossary/identity-and-access-management Audio reference link: “The Wrath of Khan (1982) ‘Kirk's Response,'” by Russell, YouTube, 16 May 2017.
Tonight we discuss the explosion of cults, gurus and new age deceivers that have gained much attention via Internet popularity and Instagram yogadom. From Teal Swan to Nature Boy to Osho to Sadhguru to many, many more, difficult times lead people to seek mystical and religious solace in alternative viewpoints and movements when the "mainstream" religions fail and collapse due to their heresies and dead works.
Comedian Sarah Halstead talks career, the art of good comedy and performing standup across the country. Her comedy special, "RVs and Cats," is streaming on Amazon Prime, with a widely popular comedy album released last year. Also host of the "Drinking During Business Hours" podcast, her "Bottle Shock Comedy" is featured at Hollywood Improv every month.

Along with appearing in over ninety commercials, her film and TV credits include: "I Got The Hook Up 2," "I Am the Night," "Betrayed," "Group-Ease," "The Album," "Baskets," "Blood Relatives," "Cry Wolfe," "A Chorus Line," "Deadly Sins," "Meet the Roommate" and "Walk the Past."
This message is part of the messages of the I Am's of apostle Paul as have been taught in our Sunday School. One of the greatest servants of our Lord was the apostle Paul who was fully surrendered to the Lord Jesus Christ.
How much unease can a film pack into 68 minutes? A great amount, as Mike and Dan discuss in this week's episode on Detour (1945), Edgar G. Ulmer's noir masterpiece and certainly one of the best examples of the genre. The guys talk about the ways in which the film dramatizes the whims of whatever malevolent force controls the universe and Ann Savage's unpredictable, electrifying performance. I Am a Fugitive from a Chain Gang, Seinfeld, The Third Man, Raging Bull, Out of the Past, The Shining, Double Indemnity King Lear, and Goodfellas all enter the conversation about a man without any plot armor longing to escape into another movie. So stick out that thumb and see who picks you up--just be sure to listen to this episode in the car. Please subscribe to the show wherever you get your podcasts and follow us on Twitter and Letterboxd @15MinFilm. Please rate and review the show on Apple podcasts and contact us at FifteenMinuteFilm@gmail.com. Incredible bumper music by John Deley. Twitter: https://twitter.com/15minfilm Letterboxd: https://letterboxd.com/15MinFilm/ Website: https://fifteenminutefilm.podbean.com/
Within this powerful and enlightening group channelling session, Source, through Kimberley, explains the nature of the Universe in terms of vibration and frequency, and how you, the I AM, reflect throughout All That Is. This session also explains the energy connection between and throughout the Universe, and how it connects and communicates through this energetic thread to you. This session also discusses brain and heart coherence, how our energy field expands, and how our DNA and physical expression reflect shifts in consciousness. The session also explains the difference between vibration and frequency and how they relate to one another, as well as how density relates to consciousness dimensions and our relationship with them. The session also explains our relationship to cosmic events, the Earth, and how we evolve through cycles of climate events, plus more!

If you would like to participate in our group channelling sessions or access other exclusive content, you are invited to join our Patreon community! Join here ~ https://www.patreon.com/kimberleyleite
For more info on Kimberley and her work please see the following links ~
Kimberley's website: https://www.kimberleyleite.com
All platforms: https://linktr.ee/KimberleyLeite
Free Light Language Meditation ~ https://www.kimberleyleite.com/newsletter-signup
You can donate to Kimberley and the Beings of The Light Projects at: https://www.paypal.me/beingsofthelight
For information on services, email Kimberley at email@example.com
Much gratitude to you in following this podcast. Please leave a review and add a comment to spread these teachings further.
The Movie «Enredados» ("Tangled") - Stop seeking validation outside your Self!, with David Hoffmeister - Weekly Online Movie Workshop

If we look for validation of our worth in the images around us and in the shadowland, we will be in emotional trouble. The love of God is my sustenance, but the world I see is a form of vengeance. As long as you seek external validation in images, the world you see will be a form of vengeance. It is not really a vengeful world, even though it was made in hate by the ego. But we do not have to see it that way. You can accept it and be happy if you do not judge it. No matter what is happening. Do not judge it! If you judge the images and the shadowland around us as good or bad, then it will seem vengeful in your awareness. Vengeance and hatred will simmer away if you keep looking for worth in externals.

Enjoy the profound A Course in Miracles content and commentary on the movie «Enredados» by ACIM teacher David Hoffmeister and learn how to stop seeking validation outside your Self.

You can watch the introduction to the movie on YouTube: https://youtu.be/COQFIf0M4tc.
If you want to know more about Living Miracles and the Weekly Movie Workshops, look here: https://bit.ly/Taller-de-pelicula
Find more information about David Hoffmeister and upcoming events here: https://un-curso-en-milagros.org/eventos/
Movie workshop recorded Saturday, June 25, 2022, in Chapala, Mexico.
This worship service will include hymns sung by the Congregation (Power of Your Love and I Am the Bread of Life), respectively.

The message, "VOWS", for the Third Sunday After Pentecost follows the scriptures recorded in 1 Kings 19:9b-21; Psalm 1; Galatians 5:1, 13-25; and the Gospel according to St. Luke, Chapter 9, verses 51-62. The message begins at about the 9-minute, 54-second mark.

If you would like to watch the complete Service, click on the link below:
https://youtu.be/xb-x39KyZow
The Movie "Tangled" - Let go of seeking validation outside your Self! with David Hoffmeister - Weekly Online Movie Workshop

If we look for validation of our worth in the images and the shadowland around us, we will be emotionally in trouble. The love of God sustains me, but the world I see is a form of vengeance. As long as you're looking for external validation in images, the world you see will be a form of vengeance. It's not really a vengeful world, even though it was made in hate by the ego. But we don't have to see it that way. You can embrace it and be happy if you don't judge it. No matter what's happening. Don't judge it! If you judge the images and the shadowland around us, good or bad, then it will seem vengeful to you in your awareness. Vengeance and hatred will simmer underneath if you keep seeking value in externals.

Enjoy the profound A Course in Miracles content and commentary on the movie Tangled by David Hoffmeister, ACIM teacher, and find out how to let go of seeking validation outside yourself!

You can watch the introduction to the movie on YouTube: https://youtu.be/U1lk1vHpCo8.
If you want to know more about Living Miracles, and the Weekly Movie Workshops, look here: https://bit.ly/ACIM-Movie-Workshop.
Look for more info on David Hoffmeister and upcoming events: https://circle.livingmiraclescenter.org/events.
The movie workshop was recorded Saturday, June 25, 2022, in Chapala, Mexico.
We all know what it feels like to be physically hungry. But our hunger in life is much deeper than our need for the next meal. Our greatest hunger is spiritual. This hunger is what drives all of life. It impacts our search, our ambition, our goals, and our direction in life. We will do just about anything in our search to satisfy this hunger, and it can get us into a lot of trouble.

Main Points:
Jesus is saying instead of putting all your focus and energy into the search for temporary fulfillment, and temporary satisfaction, we should focus on the food that endures.
In the NT we learn that crowds wildly pursued Jesus because he supplied them with material things. They liked the idea of a Jesus who could give them fish and bread – someone who could give them the material things they wanted. But they failed to take a step farther and realize that a man who could miraculously supply bread was also the One who could meet the deep spiritual needs of their lives.
Jesus came to meet a need in our lives that we cannot meet ourselves. But oh, how we try. There is not a person here today who hasn't tried to fill this inner hunger and thirst that we all have. As you look back over your life perhaps you can see how futile your attempts were. You always came up empty.
Jesus doesn't say, “I can give you the bread of life” or “I know where you can find the bread of life” or even “I have the recipe for the bread of life.” He says, “I AM the bread of life.” He is what we need. Jesus said I am the bread of life, and this bread satisfies our spiritual search, our spiritual hunger. What bread is to hunger, Jesus claims to be for the soul.

Today's Scripture Verses:
John 6:27 - “Do not work for food that spoils, but for food that endures to eternal life, which the Son of Man will give you.”
John 6:35 - “Jesus declared, “I am the bread of life. Whoever comes to me will never go hungry, and whoever believes in me will never be thirsty.””

Quick Links:
Subscribe to The 5 Minute Discipleship Newsletter
Donate to support this podcast
Leave a review on Apple Podcasts
Get a copy of The 5 Minute Discipleship Journal
Connect on Social
Join The 5 Minute Discipleship Facebook Group
5 Minute Discipleship on Instagram
First Hour Ambré ft BEAM & Destin Conrad – Illusionz Album: 3000 TT Got It – Tippin’ Single: Nick, I AM – Dear Daddy Single: Reverie – No Chaser (5 Wks, Last #40, Pk #17) Single: Gam3Time – Competition (5 Wks, Last #37, Pk #21) Single: PlayBoii Red ft Macc – Print (10 Wks, […]
Mark Gober's new book, An End to Upside-Down Contact, answers the question, "Are we alone?" with a resounding "NO!" Humans exist among a variety of advanced species, sometimes identified as aliens, spirits, beings of light, and beyond. In fact, our civilization seems to be regularly influenced by such nonhuman intelligences, even if we're not always aware of it.

Mark Gober is the author of An End to Upside Down Thinking (2018), which was awarded the IPPY award for best science book of 2019. He is also the author of An End to Upside Down Living (2020), An End to Upside Down Liberty (2021), and An End to Upside Down Contact (2022); and he is the host of the podcast Where Is My Mind? (2019). Additionally, he serves on the board of the Institute of Noetic Sciences and the School of Wholeness and Enlightenment. Previously, Gober was a partner at Sherpa Technology Group in Silicon Valley and worked as an investment banking analyst with UBS in New York. He has been named one of IAM's Strategy 300: The World's Leading Intellectual Property Strategists. Gober graduated magna cum laude from Princeton University, where he wrote an award-winning thesis on Daniel Kahneman's Nobel Prize–winning “Prospect Theory” and was elected a captain of Princeton's Division I tennis team.

Learn more at https://markgober.com and buy the book at https://www.amazon.com/gp/product/B0B43TH5JZ

Have you ever wondered about different supernatural creatures, what they are really like, what they do, and if and how you need to protect yourself from them? Check out Laura's Supernatural Survival Guide, available in paperback and eBook: https://www.amazon.com/Supernatural-Survival-Guide-Laura-Powers/dp/0997508752

For more information about Laura and her work you can go to her website www.healingpowers.net or find her on Twitter @thatlaurapowers, on Facebook at @realhealingpowers and @mllelaura, and on Instagram and TikTok @laurapowers44.
Link to Blog Post This week's Cyber Security Headlines – Week in Review, June 6-10, is hosted by Rich Stroffolino with our guest, Marnie Wilking, CISO, Wayfair Thanks to today's episode sponsor, Optiv Modernizing your identity control plane from AD to the cloud is complex. Ralph Martino, who is leading the identity and access management (IAM) group for Optiv, discusses what challenges CISOs are facing in today's ever-changing climate: • Increasing security • Decreasing risk • Lowering cost Learn more at www.optiv.com/IAM-Microsoft. All links and the video of this episode can be found on CISO Series.com
On this episode I was honoured to talk to former Corporal of Horse Craig Harrison. Craig held the record for the longest confirmed sniper kill in combat from 2009 to 2017. We talk about his journey as a lad growing up, his time in the British Army, right up to the challenges he suffers on a daily basis with PTSD. I am also currently in talks with Craig about taking part in his new survival school, where he teaches lots of bushcraft and survival techniques over a weekend. Please check out his web page for more details: www.themavericksurvivalschool.co.uk/
In this episode we will be discussing the esoteric meaning behind the words I Am. We will go over why we should be more careful and more aware of what we say after those words, and how it can be used against us. The words "I Am" can also be related to astrology. So if you're intrigued, join us!

Also, do you have a story to share? If you email me and share your story I will gladly, with your permission of course, feature it on a future episode for the rest of us to listen to and enjoy. Check out our website at www.MysteriesBeyond.com and/or email us at LauraLavender.firstname.lastname@example.org. Check us out on social media on Facebook at Mysteries Beyond and/or on Instagram @LauraLavender.mb

Website: www.mysteriesbeyond.com
Email: email@example.com
Instagram: @lauralavender.mb
TikTok: lauralavender.mb
Facebook: Mysteries Beyond
My Linktree: https://linktr.ee/LauraLavender.mb

Intro Music by: Mystery by GoSoundtrack http://www.gosoundtrack.com/
Creative Commons — Attribution 4.0 International — CC BY 4.0
Free Download / Stream: http://bit.ly/mystery-gosoundtrack
Music promoted by Audio Library https://youtu.be/8TKy9bzrk24

--- Send in a voice message: https://anchor.fm/mysteriesbeyond/message
Sermon Overview Scripture Passage: John 6:16-21 John 6:16-21 tells the story of Jesus walking on the water to His disciples' boat in the midst of a treacherous storm. Sooner or later, you are going to find yourself in a storm—not like the storm depicted in this passage; rather, one far more terrifying. Things could be going fine, then suddenly you could get a life-changing phone call, or face a shocking diagnosis. How can we find peace in the midst of the storm? We remember what God has promised to us now, in the stillness. Peace is not the subtraction of problems from life. Peace is the addition of power to meet those problems; the power being the promises of God. “I am governed by His providence.” In this story, the storm did not take Jesus by surprise. When difficulty comes, remember God's providence is over it all. “I am growing by His plan.” God's plan is not to indulge you; it is to enlarge you. If you are in a storm, it is your privilege to grow and become more like Jesus Christ. “I am graced by His prayers.” Did you know that He sees you right now? He is not far away. He sees right through the dark, sees you in the storm, and He prays for you. “I am gladdened by His presence.” Sometimes, God waits upon you to wait on Him; but just know… He is coming. “I am guarded by His power.” Adrian Rogers says, “The will of God will never take you where the grace of God cannot keep you.” “I am guided by His purpose.” God has not promised smooth sailing, but He has promised you a safe landing. Your destiny is already determined. He will see you to the shore. South African minister Andrew Murray once said, “God is willing to assume full responsibility for the life that is totally yielded to Him.” Jesus said, “In this world, you'll have tribulation. But take heart! I've overcome the world.” (John 16:33) In the midst of your storm, see Jesus, the great I AM, walking on the water, straight to you. Apply it to your life Are you in the midst of a storm? 
Remember the promises of God! Take heart; He has overcome the world, and He is walking on the water, headed straight for you.
Cloud email threats soar 101% in a year NHS warns of scam COVID-19 text messages Fancy Bear uses nuke threat lure to exploit 1-click bug Thanks to today's episode sponsor, Optiv Modernizing your identity control plane from AD to the cloud is complex. Ralph Martino, who is leading the identity and access management (IAM) group for Optiv, discusses what challenges CISOs are facing in today's ever-changing climate: • Increasing security • Decreasing risk • Lowering cost Learn more at www.optiv.com/IAM-Microsoft. For the stories behind the headlines, head to CISOseries.com.
Hello True Creators! As an awakening guide, I am often asked about sexuality and porn. What is ok to explore? How do we navigate this sexual landscape as awakening beings? Because of these questions, I invited The Empress, an erotic content creator and sexuality coach, to be my guest for this episode - and I had SO much fun recording this, and hearing The Empress's insights on what her world of sexual content creation is like!

The Erotic Empress is an erotic artist, content creator, muse and courtesan. As a lover of life and eroticism, she creates workshops, play parties, photoshoots and adult content that reflect her passion for play.

CONNECT WITH THE EMPRESS HERE:
Website: Onlyfans.com/erotic-empress
IG: https://www.instagram.com/the_erotic_empress/

----

FREE download: "I Am a Channel": https://allisonholley.com/free-download/
Join the True Creator Channeling Community! Visit allisonholley.com or this link: https://true-creator-community.mn.co/landing?from=https%3A%2F%2Ftrue-creator-community.mn.co%2Ffeed
Link to The Era of the True Creator book: https://www.amazon.com/Era-True-Creator-Ascending-Consciousness/dp/198420789X
Allison's Instagram: http://instagram.com/allisonholleycreator
Vote to join AppleCore union with IAM. Today's labor quote: AppleCORE. Today's labor history: Circus workers killed in train accident. @wpfwdc #1u #unions #LaborRadioPod @AFLCIO @MachinistsUnion @Apple @acoreunion Proud founding member of the Labor Radio Podcast Network.
Full Description / Show Notes Steren and Corey talk about how Google Cloud Run got its name (00:49) Corey talks about his experiences using Google Cloud (2:42) Corey and Steven discuss Google Cloud's cloud run custom domains (10:01) Steren talks about Cloud Run's high developer satisfaction and scalability (15:54) Corey and Steven talk about Cloud Run releases at Google I/O (23:21) Steren discusses the majority of developer and customer interest in Google's cloud product (25:33) Steren talks about his 20% projects around sustainability (29:00) About SterenSteren is a Senior Product Manager at Google Cloud. He is part of the serverless team, leading Cloud Run. He is also working on sustainability, leading the Google Cloud Carbon Footprint product.Steren is an engineer from École Centrale (France). Prior to joining Google, he was CTO of a startup building connected objects and multi device solutions.Links Referenced: Google Cloud Run: https://cloud.run sheets-url-shortener: https://github.com/ahmetb/sheets-url-shortener snark.cloud/run: https://snark.cloud/run Twitter: https://twitter.com/steren TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I'm joined today by Steren Giannini, who is a senior product manager at Google Cloud, specifically on something called Google Cloud Run. Steren, thank you for joining me today.Steren: Thanks for inviting me, Corey.Corey: So, I want to start at the very beginning of, “Oh, a cloud service. What are we going to call it?” “Well, let's put the word cloud in it.” “Okay, great. 
Now, it is cloud, so we have to give it a vague and unassuming name. What does it do?” “It runs things.” “Genius. Let's break and go for work.” Now, it's easy to imagine that you spent all of 30 seconds on a name, but it never works that way. How easy was it to get to Cloud Run as a name for the service?Steren: [laugh]. Such a good question because originally it was not named Cloud Run at all. The original name was Google Serverless Engine. But a few people know that because they've been helping us since the beginning, but originally it was Google Serverless Engine. Nobody liked the name internally, and I think at one point, we wondered, “Hey, can we drop the engine structure and let's just think about the name. And what does this thing do?” “It runs things.”We already have Cloud Build. Well, wouldn't it be great to have Cloud Run to pair with Cloud Build so that after you've built your containers, you can run them? And that's how we ended up with this very simple Cloud Run, which today seems so obvious, but it took us a long time to get to that name, and we actually had a lot of renaming to do because we were about to ship with Google Serverless Engine.Corey: That seems like a very interesting last-minute change because it's not just a find and replace at that point, it's—Steren: No.Corey: —“Well, okay, if we call it Cloud Run, which can also be a verb or a noun, depending, is that going to change the meaning of some sentences?” And just doing a find and replace without a proofread pass as well, well, that's how you wind up with funny things on Twitter.Steren: API endpoints needed to be changed, adding weeks of delays to the launch. That is why we—you know, [laugh] announced in 2018 and publicly launched in 2019.Corey: I've been doing a fair bit of work in cloud for a while, and I wound up going down a very interesting path. 
So, the first native Google Cloud service—not things like WP Engine that ride on top of GCP—but my first native Google Cloud Service was done in service of this podcast, and it is built on Google Cloud Run. I don't think I've told you part of this story yet, but it's one of the reasons I reached out to invite you onto the show. Let me set the stage here with a little bit of backstory that might explain what the hell I'm talking about.As listeners of this show are probably aware, we have sponsors whom we love and adore. In the early days of this show, they would say, “Great, we want to tell people about our product”—which is the point of a sponsorship—“And then send them to a URL.” “Great. What's the URL?” And they would give me something that was three layers deep, then with a bunch of UTM tracking parameters at the end.And it's, “You do realize that no one is going to be sitting there typing all of that into a web browser?” At best, you're going to get three words or so. So, I built myself a URL redirector, snark.cloud. I can wind up redirecting things in there anywhere it needs to go.And for a long time, I did this on top of S3 and then put CloudFront in front of it. And this was all well and good until, you know, things happened in the fullness of time. And now holy crap, I have an operations team involved in things, and maybe I shouldn't be the only person that knows how to work on all of these bits and bobs. So, it was time to come up with something that had a business user-friendly interface that had some level of security, so I don't wind up automatically building out a spam redirect service for anything that wants to, and it needs to be something that's easy to work with. 
So, I went on an exploration.So, at first it showed that there were—like, I have an article out that I've spoken about before that there are, “17 Ways to Run Containers on AWS,” and then I wrote the sequel, “17 More Ways to Run Containers on AWS.” And I'm keeping a list, I'm almost to the third installation of that series, which is awful. So, great. There's got to be some ways to build some URL redirect stuff with an interface that has an admin panel. And I spent three days on this trying a bunch of different things, and some were running on deprecated versions of Node that wouldn't build properly and others were just such complex nonsense things that had got really bad. I was starting to consider something like just paying for Bitly or whatnot and making it someone else's problem.And then I stumbled upon something on GitHub that really was probably one of the formative things that changed my opinion of Google Cloud for the better. And within half an hour of discovering this thing, it was up and running. I did the entire thing, start to finish, from my iPad in a web browser, and it just worked. It was written by—let me make sure I get his name correct; you know, messing up someone's name is a great way to say that we don't care about them—Ahmet Balkan used to work at Google Cloud; now he's over at Twitter. And he has something up on GitHub that is just absolutely phenomenal about this, called sheets-url-shortener.And this is going to sound wild, but stick with me. The interface is simply a Google Sheet, where you have one column that has the shorthand slug—for example, run; if you go to snark.cloud/run, it will redirect to Google Cloud Run's website. And the second column is where you want it to go. The end.And whenever that gets updated, there's of course some caching issues, which means it can take up to five seconds from finishing that before it will actually work across the entire internet. And as best I can tell, that is fundamentally magic. 
But what made it particularly useful and magic, from my perspective, was how easy it was to get up and running. There was none of this oh, but then you have to integrate it with Google Sheets and that's a whole ‘nother team so there's no way you're going to be able to figure that out from our Docs. Go talk to them and then come back in the day.They were the get started, click here to proceed. It just worked. And it really brought back some of the magic of cloud for me in a way that I hadn't seen in quite a while. So, all which is to say, amazing service, I continue to use it for all of these sponsored links, and I am still waiting for you folks to bill me, but it fits comfortably in the free tier because it turns out that I don't have hundreds of thousands of people typing it in every week.Steren: I'm glad it went well. And you know, we measure tasks success for Cloud Run. And we do know that most new users are able to deploy their apps very quickly. And that was the case for you. Just so you know, we've put a lot of effort to make sure it was true, and I'll be glad to tell you more about all that.But for that particular service, yes, I suppose Ahmet—who I really enjoyed working with on Cloud Run, he was really helpful designing Cloud Run with us—has open-sourced this side project. And basically, you might even have clicked on a deploy to Cloud Run button on GitHub, right, to deploy it?Corey: That is exactly what I did and it somehow just worked and—Steren: Exactly.Corey: And it knew, even logging into the Google Cloud Console because it understands who I am because I use Google Docs and things, I'm already logged in. None of this, “Oh, which one of these 85 credential sets is it going to be?” Like certain other clouds. It was, “Oh, wow. Wait, cloud can be easy and fun? 
When did that happen?”Steren: So, what has happened when you click that deploy to Google Cloud button, basically, the GitHub repository was built into a container with Cloud Build and then was deployed to Cloud Run. And once on Cloud Run, well, hopefully, you have forgotten about it because that's what we do, right? We—give us your code, in a container if you know containers if you don't just—we support, you know, many popular languages, and we know how to build them, so don't worry about that. And then we run it. And as you said, when there is low traffic or no traffic, it scales to zero.When there is low traffic, you're likely going to stay under the generous free tier. And if you have more traffic for, you know, Screaming in the Cloud suddenly becoming a high destination URL redirects, well, Cloud Run will scale the number of instances of this container to be able to handle the load. Cloud Run scales automatically and very well, but only—as always—charging you when you are processing some requests.Corey: I had to fork and make a couple of changes myself after I wound up doing some testing. The first was to make the entire thing case insensitive, which is—you know, makes obvious sense. And the other was to change the permanent redirect to a temporary redirect because believe it or not, in the fullness of time, sometimes sponsors want to change the landing page in different ways for different campaigns and that's fine by me. I just wanted to make sure people's browser cache didn't remember it into perpetuity. But it was easy enough to run—that was back in the early days of my exploring Go, which I've been doing this quarter—and in the couple of months this thing has been running it has been effectively flawless.It's set it; it's forget it. The only challenges I had with it are it was a little opaque getting a custom domain set up that—which is still in beta, to be clear—and I've heard some horror stories of people saying it got wedged. 
In my case, no, I deployed it and I started refreshing it and suddenly, it start throwing an SSL error. And it's like, “Oh, that's not good, but I'm going to break my own lifestyle here and be patient for ten minutes.” And sure enough, it cleared itself and everything started working. And that was the last time I had to think about any of this. And it just worked.Steren: So first, Cloud Run is HTTPS only. Why? Because it's 2020, right? It's 2022, but—Corey: [laugh].Steren: —it's launched in 2020. And so basically, we have made a decision that let's just not accept HTTP traffic; it's only HTTPS. As a consequence, we need to provision a cert for your custom domain. That is something that can take some time. And as you said, we keep it in beta or in preview because we are not yet satisfied with the experience or even the performance of Cloud Run custom domains, so we are actively working on fixing that with a different approach. So, expect some changes, hopefully, this year.Corey: I will say it does take a few seconds when people go to a snark.cloud URL for it to finish resolving, and it feels on some level like it's almost like a cold start problem. But subsequent visits, the same thing also feel a little on the slow and pokey side. And I don't know if that's just me being wildly impatient, if there's an optimization opportunity, or if that's just inherent to the platform that is not under current significant load.Steren: So, it depends. If the Cloud Run service has scaled down to zero, well of course, your service will need to be started. But what we do know, if it's a small Go binary, like something that you mentioned, it should really take less than, let's say, 500 milliseconds to go from zero to one of your container instance. Latency can also be due to the way the code is running. 
If it occurred is fetching things from Google Sheets at every startup, that is something that could add to the startup latency.So, I would need to take a look, but in general, we are not spinning up a virtual machine anytime we need to scale horizontally. Like, our infrastructure is a multi-tenant, rapidly scalable infrastructure that can materialize a container in literally 300 milliseconds. The rest of the latency comes from what does the container do at startup time?Corey: Yeah, I just ran a quick test of putting time in front of a curl command. It looks like it took 4.83 seconds. So, enough to be perceptive. But again, for just a quick redirect, it's generally not the end of the world and there's probably something I'm doing that is interesting and odd. Again, I did not invite you on the show to file a—Steren: [laugh].Corey: Bug report. Let's be very clear here.Steren: Seems on the very high end of startup latencies. I mean, I would definitely expect under the second. We should deep-dive into the code to take a look. And by the way, building stuff on top of spreadsheets. I've done that a ton in my previous lives as a CTO of a startup because well, that's the best administration interface, right? You just have a CRUD UI—Corey: [unintelligible 00:12:29] world and all business users understand it. If people in Microsoft decided they were going to change Microsoft Excel interface, even a bit, they would revert the change before noon of the same day after an army of business users grabbed pitchforks and torches and marched on their headquarters. It's one of those things that is how the world runs; it is the world's most common IDE. And it's great, but I still think of databases through the lens of thinking about it as a spreadsheet as my default approach to things. I also think of databases as DNS, but that's neither here nor there.Steren: You know, if you have maybe 100 redirects, that's totally fine. 
And by the way, the beauty of Cloud Run in a spreadsheet, as you mentioned is that Cloud Run services run with a certain identity. And this identity, you can grant it permissions. And in that case, what I would recommend if you haven't done so yet, is to give an identity to your Cloud Run service that has the permission to read that particular spreadsheet. And how you do that you invite the email of the service account as a reader of your spreadsheet, and that's probably what you did.Corey: The click button to the workflow on Google Cloud automatically did that—Steren: Oh, wow.Corey: —and taught me how to do it. “Here's the thing that look at. The end.” It was a flawless user-onboarding experience.Steren: Very nicely done. But indeed, you know, there is this built-in security which is the principle of minimal permission, like each of your Cloud Run service should basically only be able to read and write to the backing resources that they should. And by default, we give you a service account which has a lot of permissions, but our recommendation is to narrow those permissions to basically only look at the cloud storage buckets that the service is supposed to look at. And the same for a spreadsheet.Corey: Yes, on some level, I feel like I'm going to write an analysis of my own security approach. It would be titled, “My God, It's Full Of Stars” as I look at the IAM policies of everything that I've configured. The idea of least privilege is great. What I like about this approach is that it made it easy to do it so I don't have to worry about it. At one point, I want to go back and wind up instrumenting it a bit further, just so I can wind up getting aggregate numbers of all right, how many times if someone visited this particular link? It'll be good to know.And I don't know… if I have to change permissions to do that yet, but that's okay. It's the best kind of problem: future Corey. So, we'll deal with that when the time comes. 
But across the board, this has just been a phenomenal experience and it's clear that when you were building Google Cloud Run, you understood the assignment. Because I was looking for people saying negative things about it and by and large, all of its seem to come from a perspective of, “Well, this isn't going to be the most cost-effective or best way to run something that is hyperscale, globe-spanning.”It's yes, that's the thing that Kubernetes was originally built to run and for some godforsaken reason people run their blog on it instead now. Okay. For something that is small, scales to zero, and has long periods where no one is visiting it, great, this is a terrific answer and there's absolutely nothing wrong with that. It's clear that you understood who you were aiming at, and the migration strategy to something that is a bit more, I want to say robust, but let's be clear what I mean when I'm saying that if you want something that's a little bit more impressive on your SRE resume as you're trying a multi-year project to get hired by Google or pretend you got hired by Google, yeah, you can migrate to something else in a relatively straightforward way. But that this is up, running, and works without having to think about it, and that is no small thing.Steren: So, there are two things to say here. The first is yes, indeed, we know we have high developer satisfaction. You know, we measure this—in Google Cloud, you might have seen those small satisfaction surveys popping up sometimes on the user interface, and you know, we are above 90% satisfaction score. 
We hire third parties to help us understand how usable and what satisfaction score would users get out of Cloud Run, and we are constantly getting very, very good results, in absolute but also compared to the competition.Now, the other thing that you said is that, you know, Cloud Run is for small things, and here while it is definitely something that allows you to be productive, something that strives for simplicity, but it also scales a lot. And contrary to other systems, you do not have any pre-provisioning to make. So, we have done demos where we go from zero to 10,000 container instances in ten seconds because of the infrastructure on which Cloud Run runs, which is fully managed and multi-tenant, we can offer you this scale on demand. And many of our biggest customers have actually not switched to something like Kubernetes after starting with Cloud Run because they value the low maintenance, the no infrastructure management that Cloud Run brings them.So, we have like Ikea, ecobee… for example ecobee, you know, the smart thermostats are using Cloud Run to ingest events from the thermostat. I think Ikea is using Cloud Run more and more for more of their websites. You know, those companies scale, right? This is not, like, scale to zero hobby project. This is actually production e-commerce and connected smart objects production systems that have made the choice of being on a fully-managed platform in order to reduce their operational overhead.[midroll 00:17:54]Corey: Let me be clear. When I say scale—I think we might be talking past each other on a small point here. When I say scale, I'm talking less about oh tens or hundreds of thousands of containers running concurrently. I'm talking in a more complicated way of, okay, now we have a whole bunch of different microservices talking to one another and affinity as far as location to each other for data transfer reasons. 
And as you start beginning to service discovery style areas of things, where we build a really complicated applications because we hired engineers and failed to properly supervise them, and that type of convoluted complex architecture.That's where it feels like Cloud Run increasingly, as you move in that direction, starts to look a little bit less like the tool of choice. Which is fine, I want to be clear on that point. The sense that I've gotten of it is a great way to get started, it's a great way to continue running a thing you don't have to think about because you have a day job that isn't infrastructure management. And it is clear to—as your needs change—to either remain with the service or pivot to a very close service without a whole lot of retooling, which is key. There's not much of a lock-in story to this, which I love.Steren: That was one of the key principles when we started to design Cloud Run was, you know, we realized the industry had agreed that the container image was the standard for the deployment artifact of software. And so, we just made the early choice of focusing on deploying containers. Of course, we are helping users build those containers, you know, we have things called build packs, we can continuously deploy from GitHub, but at the end of the day, the thing that gets auto-scaled on Cloud Run is a container. And that enables portability.As you said. You can literally run the same container, nothing proprietary in it, I want to be clear. Like, you're just listening on a port for some incoming requests. Those requests can be HTTP requests, events, you know, we have products that can push events to Cloud Run like Eventarc or Pub/Sub. And this same container, you can run it on your local machine, you can run it on Kubernetes, you can run it on another cloud. You're not locked in, in terms of API of the compute.We even went even above and beyond by having the Cloud Run API looks like a Kubernetes API. 
I think that was an extra effort that we made. I'm not sure people care that much, but if you look at the Cloud Run API, it is actually exactly looking like Kubernetes, Even if there is no Kubernetes at all under the hood; we just made it for portability. Because we wanted to address this concern of serverless which was lock-in. Like, when you use a Function as a Service product, you are worried that the architecture that you are going to develop around this product is going to be only working in this particular cloud provider, and you're not in control of the language, the version that this provider has decided to offer you, you're not in control of more of the complexity that can come as you want to scan this code, as you want to move this code between staging and production or test this code.So, containers are really helping with that. So, I think we made the right choice of this new artifact that to build Cloud Run around the container artifact. And you know, at the time when we launched, it was a little bit controversial because back in the day, you know, 2018, 2019, serverless really meant Functions as a Service. So, when we launched, we little bit redefined serverless. And we basically said serverless containers. Which at the time were two worlds that in the same sentence were incompatible. Like, many people, including internally, had concerns around—Corey: Oh, the serverless versus container war was a big thing for a while. Everyone was on a different side of that divide. It's… containers are effectively increasingly—and I know, I'll get email for this, and I don't even slightly care, they're a packaging format—Steren: Exactly.Corey: —where it solves the problem of how do I build this thing to deploy on Debian instances? And Ubuntu instances, and other instances, God forbid, Windows somewhere, you throw a container over the wall. The end. Its DevOps is about breaking down the walls between Dev and Ops. 
That's why containers are here to make them silos that don't have to talk to each other.Steren: A container image is a glorified zip file. Literally. You have a set of layers with files in them, and basically, we decided to adopt that artifact standard, but not the perceived complexity that existed at the time around containers. And so, we basically merged containers with serverless to make something as easy to use as a Function as a Service product but with the power of bringing your own container. And today, we are seeing—you mentioned, what kind of architecture would you use Cloud Run for?So, I would say now there are three big buckets. The obvious one is anything that is a website or an API, serving public internet traffic, like your URL redirect service, right? This is, you have an API, takes a request and returns a response. It can be a REST API, GraphQL API. We recently added support for WebSockets, which is pretty unique for a service offering to support natively WebSockets.So, what I mean natively is, my client can open a socket connection—a bi-directional socket connection—with a given instance, for up to one hour. This is pretty unique for something that is as fully managed as Cloud Run.Corey: Right. As we're recording this, we are just coming off of Google I/O, and there were a number of announcements around Cloud Run that were touching it because of, you know, strange marketing issues. I only found out that Google I/O was a thing and featured cloud stuff via Twitter at the time it was happening. What did you folks release around Cloud Run?Steren: Good question, actually. Part of the Google I/O Developer keynote, I pitched a story around how Cloud Run helps developers, and the I/O team liked the story, so we decided to include that story as part of the live developer keynote. So, on stage, we announced Cloud Run jobs. 
So now, I talked to you about Cloud Run services, which can be used to expose an API, but also to do, like, private microservice-to-microservice communication—because cloud services don't have to be public—and in that case, we support GRPC and, you know, a very strong security mechanism where only Service A can invoke Service B, for example, but Cloud Run jobs are about non-request-driven containers. So, today—I mean, before Google I/O a few days ago, the only requirement that we imposed on your container image was that it started to listen for requests, or events, or GRPC—Corey: Web requests—Steren: Exactly—Corey: It speaks [unintelligible 00:24:35] you want as long as it's HTTP. Yes.Steren: That was the only requirement we asked you to have on your container image. And now we've changed that. Now, if you have a container that basically starts and executes to completion, you can deploy it on a Cloud Run job. So, you will use Cloud Run jobs for, like, daily batch jobs. And you have the same infrastructure, so on-demand, you can go from zero to, I think for now, the maximum is a hundred tasks in parallel, for—of course, you can run many tasks in sequence, but in parallel, you can go from zero to a hundred, right away to run your daily batch job, daily admin job, data processing.But this is more in the batch mode than in streaming mode. If you would like to use a more, like, streaming data processing, than a Cloud Run service would still be the best fit because you can literally push events to it, and it will auto-scale to handle any number of events that it receives.Corey: Do you find that the majority of customers are using Cloud Run for one-off jobs that barely will get more than a single container, like my thing, or do you find that they're doing massively parallel jobs? Where's the lion's share of developer and customer interest?Steren: It's both actually. 
We have both individual developers, small startups—which really value the scale to zero and pay per use model of Cloud Run. Your URL redirect service probably is staying below the free tier, and there are many, many, many users in your case. But at the same time, we have big, big, big customers who value the on-demand scalability of Cloud Run. And for these customers, of course, they will probably very likely not scale to zero, but they value the fact that—you know, we have a media company who uses Cloud Run for TV streaming, and when there is a soccer game somewhere in the world, they have a big spike of usage of requests coming in to their Cloud Run service, and here they can trust the rapid scaling of Cloud Run so they don't have to pre-provision things in advance to be able to serve that sudden traffic spike.But for those customers, Cloud Run is priced in a way so that if you know that you're going to consume a lot of Cloud Run CPU and memory, you can purchase Committed Use Discounts, which will lower your bill overall because you know you are going to spend one dollar per hour on Cloud Run, well purchase a Committed Use Discount because you will only spend 83 cents instead of one dollar. And also, Cloud Run and comes with two pricing model, one which is the default, which is the request-based pricing model, which is basically you only have CPU allocated to your container instances if you are processing at least one request. But as a consequence of that, you are not paying outside of the processing of those requests. Those containers might stay up for you, one, ready to receive new requests, but you're not paying for them. And so, that is—you know, your URL redirect service is probably in that mode where yes when you haven't used it for a while, it will scale down to zero, but if you send one request to it, it will serve that request and then it will stay up for a while until it decides to scale down. 
But you the user only pays when you are processing these specific requests, a little bit like a Function as a Service product.Corey: Scales to zero is one of the fundamental tenets of serverless that I think that companies calling something serverless, but it always charges you per hour anyway. Yeah, that doesn't work. Storage, let's be clear, is a separate matter entirely. I'm talking about compute. Even if your workflow doesn't scale down to zero ever as a workload, that's fine, but if the workload does, you don't get to keep charging me for it.Steren: Exactly. And so, in that other mode where you decide to always have CPU allocated to your Cloud Run container instances, then you pay for the entire lifecycle of this container instances. You still benefit from the auto-scaling of Cloud Run, but you will pay for the lifecycle and in that case, the price points are lower because you pay for a longer period of time. But that's more the price model that those bigger customers will take because at their scale, they basically always receive requests, so they already to pay always, basically.Corey: I really want to thank you for taking the time to chat with me. Before you go, one last question that we'll be using as a teaser for the next episode that we record together. It seems like this is a full-time job being the product manager on Cloud Run, but no Google, contrary to popular opinion, does in fact, still support 20% projects. What's yours?Steren: So, I've been looking to work on Cloud Run since it was a prototype, and you know, for a long time, we've been iterating privately on Cloud Run, launching it, seeing it grow, seeing it adopted, it's great. It's my full-time job. But on Fridays, I still find the time to have a 20% project, which also had quite a bit of impact. And I work on some sustainability efforts for Google Cloud. And notably, we've released two things last year.The first one is that we are sharing some carbon characteristics of Google Cloud regions. 
So, if you have seen those small leaves in the Cloud Console next to the regions that are emitting the least carbon, that's something that I helped bring to life. And the second one, which is something quite big, is we are helping customers report and reduce the gross carbon emissions of their Google Cloud usage by providing an out of the box reporting tool called Google Cloud Carbon Footprint. So, that's something that I was able to bootstrap with a team a little bit on the side of my Cloud Run project, but I was very glad to see it launched by our CEO at the last Cloud Next conference. And now it is a fully-funded project, so we are very glad that we are able to help our customers better meet their sustainability goals themselves.

Corey: And we will be talking about it significantly on the next episode. We're giving a teaser, not telling the whole story.

Steren: [laugh].

Corey: I really want to thank you for being as generous with your time as you are. If people want to learn more, where can they find you?

Steren: Well, if they want to learn more about Cloud Run, we talked about how simple that name was. It was obviously not simple to find this simple name, but the domain is https://cloud.run.

Corey: We will also accept snark.cloud/run, I will take credit for that service, too.

Steren: [laugh]. Exactly.

Corey: There we are.

Steren: And then, people can find me on Twitter at @steren, S-T-E-R-E-N. I'll be happy—I'm always happy to help developers get started or answer questions about Cloud Run. And, yeah, thank you for having me. As I said, you successfully deployed something in just a few minutes to Cloud Run. I would encourage the audience to—

Corey: In spite of myself. I know, I'm as surprised as anyone.

Steren: [laugh].

Corey: The only snag I really hit was the fact that I was riding shotgun when we picked up my daughter from school and went through a dead zone. It's like, why is this thing not loading in the Google Cloud Console?
Yeah, fix the cell network in my area, please.

Steren: I'm impressed that you did all of that from an iPad. But yeah, to the audience, give Cloud Run a try. You can really get started connecting your GitHub repository or deploying your favorite container image. And we've worked very hard to ensure that usability was here, and we know we have pretty strong usability scores. Because that was a lot of work: simplicity, product excellence and developer experience are a lot of work to get right, and we are very proud of what we've achieved with Cloud Run and proud to see that the developer community has been very supportive and likes this product.

Corey: I'm a big fan of what you've built. And we'll, of course, link to all of that in the show notes. I just want to thank you again for being so generous with your time. And thanks again for building something that I think in many ways showcases the best of what Google Cloud has to offer.

Steren: Thanks for the invite.

Corey: We'll talk again soon. Steren Giannini is a senior product manager at Google Cloud, on Cloud Run. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice. If it's on YouTube, put the thumbs up and the subscribe buttons as well, but in the event that you hated it, also include an angry comment explaining why your 20% project is being a shithead on the internet.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.
Daycare apps found insecure
Encryption flaws found in Mega
Microsoft retires cloud facial recognition

Thanks to today's episode sponsor, Optiv
Modernizing your identity control plane from AD to the cloud is complex. Ralph Martino, who is leading the identity and access management (IAM) group for Optiv, discusses what challenges CISOs are facing in today's ever-changing climate:
• Increasing security
• Decreasing risk
• Lowering cost
Learn more at www.optiv.com/IAM-Microsoft.
Want to see the video version of this podcast? Please visit YouTube here: https://buff.ly/3ydv72q

Gary W. Goldstein has produced some of Hollywood's biggest box-office hits (Pretty Woman, Under Siege, The Mothman Prophecies and more), generating well over One Billion Dollars in worldwide revenue, receiving multiple Academy Award nominations, People's Choice Awards, a Golden Globe and other honors. Before moving to Los Angeles, Gary practiced as an attorney in San Francisco. He later served as president of two divisions of IAM.com, an internet entertainment company successfully funded at $50MM. Gary's passion as a storyteller goes beyond producing the work of gifted screenwriters. He's committed to sharing with everyone who desires real success and an enduring career as a creative professional his smart, simple strategies that magically transform talent into business success more rapidly and with greater ease. Gary has spoken at TEDx La Jolla, been published by the Huffington Post, and was a contributing author for the Napoleon Hill Foundation's newest publication "Stickability". Gary also regularly speaks to creative audiences and has given talks at the American Film Institute, UCLA, Emerson College, De Anza College, the Dallas Screenwriters Association, the Great American Pitchfest and beyond.

MORE VIDEOS WITH GARY W. GOLDSTEIN
https://bit.ly/3kVkYjs

CONNECT WITH GARY W. GOLDSTEIN
http://garywgoldstein.com
http://www.imdb.com/name/nm0326214/
https://www.facebook.com/garywgoldstein
https://www.instagram.com/garywgoldstein
https://twitter.com/garywgoldstein
http://www.youtube.com/garywgoldstein

RELATED VIDEOS
A Professional Writer Doesn't Wait For Inspiration - Danny Strong [FULL INTERVIEW] - https://youtu.be/iSsBYP9atGE
The Screenwriter's Blueprint for Career Success - Gary W. Goldstein [FULL INTERVIEW] - https://youtu.be/A5JfcTifiE8
Beginners Guide To Screenwriting - Shannan E. Johnson [FULL INTERVIEW] - https://youtu.be/pwcTge9iF0E
Writing A Great Movie: Key Tools For Successful Screenwriting - Jeff Kitchen [FULL INTERVIEW] - https://youtu.be/xCCzm4n506o
Conquering Hollywood: The Screenwriter's Blueprint For Career Success - Gary W. Goldstein Interview - https://youtu.be/yWh9Wgur9hI

SUPPORT FILM COURAGE BY BECOMING A MEMBER
https://www.youtube.com/channel/UCs8o1mdWAfefJkdBg632_tg/join

CONNECT WITH FILM COURAGE
http://www.FilmCourage.com
http://twitter.com/#!/FilmCourage
https://www.facebook.com/filmcourage
https://www.instagram.com/filmcourage
http://filmcourage.tumblr.com
http://pinterest.com/filmcourage

SUBSCRIBE TO THE FILM COURAGE YOUTUBE CHANNEL
http://bit.ly/18DPN37

LISTEN TO THE FILM COURAGE PODCAST
https://soundcloud.com/filmcourage-com

Stuff we use:
LENS - Most people ask us what camera we use, no one ever asks about the lens, which filmmakers always tell us is more important. This lens was a big investment for us and one we wish we could have made sooner. Started using this lens at the end of 2013 - http://amzn.to/2tbtmOq
AUDIO - Rode VideoMic Pro - The Rode mic helps us capture our backup audio. It also helps us sync up our audio in post - http://amzn.to/2t1n2hx
Audio Recorder - If we had to do it all over again, this is probably the first item we would have bought - http://amzn.to/2tbFlM9
LIGHTS - Although we like to use as much natural light as we can, we often enhance the lighting with this small portable light. We have two of them and they have saved us a number of times - http://amzn.to/2u5UnHv
COMPUTER - Our favorite computer, we each have one and have used various models since 2010 - http://amzn.to/2t1M67Z
EDITING - We upgraded our editing suite this year and we're glad we did! This has improved our workflow and the quality of our work. Having new software also helps when we have a problem; it's easy to search and find a solution - https://goo.gl/56LnpM
*These are affiliate links; by using them you can help support this channel.
"I didn't need to find an empty room to get into the silence. The stillness is always with me. It is me. The immovable rock of my salvation. My I Amness. The I Am never changes. My states do. But as long as I continued to believe I am the state I am presently entertaining, I could get lost in it. Just breathe. Loosen my focus for a moment..."
Quite unlike the telecom operators, telecom infrastructure operators are still not authorized to operate in Morocco today. But that could soon change. What should we expect? Who are these operators, and would the telecoms necessarily come out winners? In Le Scan, TelQuel's news podcast, Landry Benoit welcomes Khalid Ziani, telecom expert.

Help us improve Le Scan by answering this form: https://forms.gle/FdZr23H1a3Zoyoyh9

The "Le Scan" team at TelQuel Média: Presentation, writing: Landry Benoit. Editing and production: Adam El Harchaoui. Sound archives: Abdelmoughit Aboumejd.

Support an independent media outlet. Subscribe to TelQuel: https://telquel.ma/abonnement/
Caller Mckenna's Question: "What if I AM my husband's addiction? This is the simplest version of my question, but obviously there is SOOOOO much more to it! My husband is not addicted to pornography, alcohol or drugs, etc. He is addicted to me. It is the strangest thing to navigate. We are currently separated because I am drowning. I feel like I can't breathe with him in my life. And trying to get space from him has only made him try to cling tighter." Tyler Patrick, "The Wandering Therapist", is co-founder of Love Strong (lovestrong.com), a Christian-based Recovery + WHOLEHEARTED living therapy practice. If you'd like to work with Love Strong via telehealth or in-person, reach out to us at firstname.lastname@example.org or go to our website: https://lovestrong.com. We have a great online Foundations Of Recovery Class starting soon. This class is for sex addiction recovery and healing from betrayal trauma. Go to https://lovestrong.com/services/foundations-group/ to learn more and sign up. Brannon Patrick, "The Expert", is co-founder of Therapy Utah (therapyutah.org). You can follow Brannon on Instagram @brannon_patrick. He has some really great online courses available at brannonpatrick.com like his Boundary Bootcamp course. Brannon has a program called L.I.F.T. for betrayal trauma and addiction recovery available online starting soon. Go to https://www.liftforrecovery.com/ for more info! Join us for one of our "Life-Changing" retreats. therapybros.com/events Radiant Dawn Women's Conference: https://radiantdawnconference.com Rising Son Men's Conference: https://risingsonconference.com Couple's Conference TBA We would love to have you as a guest on the podcast. Go to realtalkrecovery.com to submit your question and schedule your call! --- Send in a voice message: https://anchor.fm/therapy-brothers/message
Cloudflare outage impacts crypto exchanges
Biden signs a pair of cybersecurity bills
7-zip now supports Windows 'Mark-of-the-Web' security feature

Thanks to today's episode sponsor, Optiv
Modernizing your identity control plane from AD to the cloud is complex. Ralph Martino, who is leading the identity and access management (IAM) group for Optiv, discusses what challenges CISOs are facing in today's ever-changing climate:
• Increasing security
• Decreasing risk
• Lowering cost
Learn more at www.optiv.com/IAM-Microsoft.

For the stories behind the headlines, head to CISOseries.com
Seriah welcomes author, researcher and experiencer Steve Stockton. Topics include Dogman, Yosemite National Park, missing persons, anomalous lightning strikes, a victim of bizarre repeated lightning strikes, experienced outdoorspeople vanishing seemingly instantly, a cover-up of a missing child, Missing 411 and David Paulides, past disappearances now solved, pre-1940 cryptid reports, wild men, anomalous "gorillas" in the U.S., Timothy Renner, feral chickens, Native American lore, fish women, entities that push people with unnatural winds, a mysterious mist, the Superstition Mountains in Arizona, the Indian Removal Act, little people and Bigfoot across cultures, Cry Baby Bridges, ghostly hitchhikers, a legendary Filipino vampire, Joshua Tree National Park, Gram Parsons, U2, Bill Melder, strange beings in the wilderness, being Fae-led and anomalously disoriented, hallucinogenic plants, incidents of sudden total silence, Mount Shasta, power spots, people drawn to certain areas, unmarked graves in the desert, Mafia activity in Los Angeles and Las Vegas, Paul Miller, Bill Ewasko, the Joshua Tree Inn, profiles and circumstances of people who go missing, boulder fields, search and rescue mysteries, shadow figures speaking in the voices of loved ones, Laura Bradbury, law-enforcement cover-ups vs. incompetence, Steve's personal experiences and encounters, a séance for Gram Parsons, Guy and Edna Ballard, the "I AM" movement, the Count of Saint Germain, Lemuria, lava tube caves in Mount Shasta, the "Robot Granny" incident, unusual Bigfoot mother and child encounters, Atlantis and Mu, Russian exploration/colonization on the west coast, the Great Smoky Mountains, Pluto Cave, hidden residents of Mount Shasta, earth lights, and much more!

"This content-packed episode leaves me waiting for the patreon!" - Vincent Treewell

Outro Music: Haishen with Leviathan, live on The Last Exit for the Lost
Full Description / Show Notes
Gafnit explains how she found a vulnerability in RDS, an Amazon database service (1:40)
Gafnit and Corey discuss the concept of not being able to win in cloud security (7:20)
Gafnit talks about transparency around security breaches (11:02)
Corey and Gafnit discuss effectively communicating with customers about security (13:00)
Gafnit answers the question "Did you come at the RDS vulnerability exploration from a perspective of being deeper on the Postgres side or deeper on the AWS side?" (18:10)
Corey and Gafnit talk about the risk of taking a pre-existing open source solution and offering it as a managed service (19:07)
Security measures in cloud-native approaches versus cloud-hosted (22:41)
Gafnit and Corey discuss the security community (25:04)

About Gafnit
Gafnit Amiga is the Director of Security Research at Lightspin. Gafnit has 7 years of experience in Application Security and Cloud Security Research. Gafnit leads the Security Research Group at Lightspin, focused on developing new methods to conduct research for new cloud native services and Kubernetes. Previously, Gafnit was a lead product security engineer at Salesforce focused on their core platform and a security researcher at GE Digital. Gafnit holds a B.Sc. in Computer Science from IDC Herzliya and is an M.Sc. student in Data Science.

Links Referenced:
Lightspin: https://www.lightspin.io/
Twitter: https://twitter.com/gafnitav
LinkedIn: https://www.linkedin.com/in/gafnit-amiga-b1357b125/

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn.
We've taken a bit of a security bent to the conversations that we've been having on this show over the past year or so and, well, today's episode is no different. In fact, we're going a little bit deeper than we normally tend to. My guest today is Gafnit Amiga, who's the Director of Security Research at Lightspin. Gafnit, thank you for joining me.

Gafnit: Hey, Corey. Thank you for inviting me to the show.

Corey: You sort of burst onto the scene—and by ‘scene,' I of course mean the cloud space, at least to the level of community awareness—back, I want to say in April of 2022, when you posted a very in-depth blog post about exploiting RDS and some misconfigurations on AWS's side to effectively display internal service credentials for the RDS service itself. Now, that sounds like it's one of those incredibly deep, incredibly murky things because it is, let's be clear. At a high level, can you explain to me exactly what it is that you found and how you did it?

Gafnit: Yes, so, RDS is the database service of Amazon. It's a managed service where you can choose the engine that you prefer. One of them is Postgres. There, I found the vulnerability. The vulnerability was in an extension, log_fdw—so it's for—like, stands for Foreign Data Wrapper—where this extension is for reading the logs of the engine directly, and then you can query them using SQL queries, which should be simpler and easy to use.

And this extension enables you to provide a path. And there was a path traversal, but the traversal happened only when you dropped a validation of the wrapper. And this is how I managed to read local files from the database EC2 machine, which shouldn't happen because this is a managed service and you shouldn't have any access to the underlying host.

Corey: It's always odd when the abstraction starts leaking, from an AWS perspective.
I know that a friend of mine was on Aurora during the beta and was doing some high-performance work and suddenly started seeing SQL errors about /var/temp filling up, which is, for those who are not well versed in SQL, and even for those who are, not the sort of thing you tend to expect to show up on there. It feels like the underlying system tends to leak in—particularly in the RDS sense—into what is otherwise at least imagined to be a fully-managed service.

Gafnit: Yes, because sometimes they want to give you an informative error so you will be able to realize what happened and what caused the error, and sometimes they prefer not to give you too much information because they don't want you to get to the underlying machine. This is why, for example, you don't get a regular superuser; you have an RDS superuser in the database.

Corey: It seems to me that this is sort of a problem of layering different security models on top of each other. If you take a cloud-native database that they designed, start to finish, themselves, like DynamoDB, the entire security model for Dynamo, as best I can determine, is wrapped up within IAM. So, if you know IAM—spoiler, nobody knows IAM completely, it seems—but if you have that on lock, you've got it; there's nothing else you need to think about. Whereas with RDS, you have to layer on IAM to get access to the database and what you're allowed to do with it.

But then there's an entirely separate user management system, in many respects, of local users for Postgres or MySQL or any other systems that we're using, to a point where even when they started supporting IAM for authentication to RDS at the database user level, it was flagged in the documentation with a bunch of warnings of, "Don't do this for high-volume stuff; only do this in development-style environments." So, it's clear that it has been a difficult marriage, for lack of a better term.
And then you have to layer on all the other stuff that, if God forbid, you're in a multi-cloud style environment or working with Kubernetes on top of all of this, and it seems like you're having to pick and choose between four or five different levels of security modeling, as well as understand how all of those things interplay together. How come we don't see things like this happening four times a day as a result?

Gafnit: Well, I guess that there are more issues being found, but not always published. But I think that this is what makes it more complex for both sides: creating managed services with resources and third parties that everybody knows, to make it easy for them to use, requires a deep understanding of the existing permission models of the service where you want to integrate it with your permission model and how the combination works. So, you actually need to understand how every change is going to affect the restrictions that you want to have. So, for example, if you don't want the database users to be able to read, write or do network activity, you really need to understand the permission model of Postgres itself. So, it makes it more complicated for development, but it's also good for researchers because they already know Postgres and they have a good starting point.

Corey: My philosophy has always been when you're trying to secure something, you need to have at least a topical level of understanding of the entire system, start to finish. One of the problems I've had with the idea of microservices as is frequently envisioned is that there's separation, but not real separation, so you have to hand-wave over a whole bunch of the security model. If you don't understand something, I believe it's very difficult to secure it. And let's be honest, even if you do understand [laugh] something, it can be very difficult to secure it.
And the cloud vendors with IAM and similar systems don't seem to be doing themselves any favors, given the sheer complexity and the capabilities that they're demanding of themselves, even for having one AWS service talk to another one, but in the right way.

And it's finicky, and it's nuanced, and debugging it becomes a colossal pain. And finally, at least those of us who are bad at these things finally say, "The hell with it," and they just grant full access from Service A to Service B—in the confines of a test environment. I'm not quite that nuts myself, most days. And then it's the biggest lie we always tell ourselves: once we have something overscoped like that, usually for CI/CD, it's, "Oh, todo: I'll go back and fix that later." Yeah, I'm looking back five years ago and that's still on my todo list.

For some reason, it's never been the number one priority. And in all likelihood, it won't be until right after it really should have been my number one priority. It feels like in cloud security particularly, you can't win, you can only not lose. I always found that to be something of a depressing perspective and I didn't accept it for the longest time. But increasingly, these days, it started to feel like that is the state of the world. Am I wrong on that? Am I just being too dour?

Gafnit: What do you mean by you cannot lose?

Corey: There's no winning in security from my perspective because no one is going to say, "All right. We won the security. Problem solved. The end." Companies don't view security as a value-add. It is only about a downside risk mitigation play.

It's, "Yay, another day of not getting breached." And the failure mode from there is, "Okay, well, we got breached, but we found out about it ourselves immediately internally, rather than reading about it in The New York Times in two weeks." The winning is just the steady-state, the status quo.
It's just all different flavors of losing beyond that.

Gafnit: So, I don't think it's quite the case, because I can tell that they do always do active work on securing the services and their structure, because I went over other extensions before reaching the log foreign data wrapper, and they actually excluded high-risk functionalities that could help me to achieve privileged access to the underlying host. And they do it with other services as well, because they always do the security review before having it integrated externally. But you know, it's an endless zone. You can always have something. Security vulnerabilities are always [arrays 00:09:06]. So everyone, whenever they can help and search and give their value, it's appreciated.

Corey: I feel like I need to clarify a bit of nuance. When your blog post first came out talking about this, I was, well, let's say a little irritated toward AWS on Twitter and other places. And Twitter is not a place for nuance; it is easy to look at that and think, "Oh, I was upset at AWS for having a vulnerability." I am not, I want to be very clear on that. Now, it's certainly not good, but these are computers; that is the nature of how they work.

If you want a completely secure computer, cut the power to it, sink it in concrete and then drop it in the ocean. And even then, there are exceptions to all of that. So, it's always a question of not blocking all risk; it's about trade-offs and what risk is acceptable. And to AWS's credit, they do say that they practice defense-in-depth. Being able to access the credentials for the running RDS service on top of the instance that it was running on, while that's certainly not good, isn't as if you'd suddenly had keys to everything inside of AWS and all their security model crumbles away before you.

They do the right thing and the people working on these things are incredibly good. And they work very hard at these things.
My concern and my complaint is, as much as I enjoy the work that you do and reading these blog posts talking about how you did it, it bothers me that I have to learn about a vulnerability in a service for which I pay not small amounts of money—RDS is the number one largest charge in my AWS bill every month—and I have to hear about it from a third party rather than the vendor themselves. In this case, it was a full day later, after your blog post went up, that they finally had a small security disclosure on AWS's site talking about it. And that pattern feels to me like it leads nowhere good.

Gafnit: So, transparency is a key word here. And when I wrote the post, I asked if they wanted to add anything from their side, and they told me that they had already reached out to the vulnerable customers and helped them migrate to the fixed version. So, from their side, it didn't feel necessary to add it over there. But I did mention the fact that I did the investigation and no customer data was hurt. Yeah, but I think that if there were maybe a more organized process for the submission of any vulnerability, where all the steps are aligned, it would help everyone, and anyone could be informed of everything that happens.

Corey: I have always been extraordinarily impressed by people who work at AWS and handle a lot of the triaging of vulnerability reports. Zack Glick, before he left, was doing an awful lot of that. Dan [Erson 00:12:05] continues to be one of the bright lights of AWS, from my perspective, just as far as customer communication and understanding exactly what the customer perspective is. And as individuals, I see nothing but stars over at AWS.
To be clear, ‘Nothing but Stars' is also the name of most of my IAM policies, but that's neither here nor there.

It seems like, on some level, there's a communications and policy misalignment, because I look at this and every conversation I ever have with AWS's security folks, they are eminently reasonable, they're incredibly intelligent, and they care. There's no mistaking that they legitimately care. But somewhere at the scale of company they're at, incentives get crossed, and everyone has a different position they're looking at these things from, and it feels like that disjointedness leads to almost a misalignment as far as how to effectively communicate things like this to customers.

Gafnit: Yes, it looks like this is the case, but if more things are discovered and published, I think that they will eventually have an organized process for that. Because I guess the researchers do find things over there, but they're not always being published, for several reasons. But yes, they should work on that. [laugh].

Corey: And that is part of the challenge as well, where AWS does not have a public vulnerability disclosure program. [unintelligible 00:13:30] HackerOne, they don't have a public bug bounty program. They have a vulnerability disclosure email address, and the people working behind that are some of the hardest working folks in tech, but there is no unified way of building a community of researchers around the idea of exploring this. And that is a challenge because you have reported vulnerabilities, I have reported significantly fewer vulnerabilities, but it always feels like it's a hurry-up-and-wait scenario where the communication is not always immediate and clear.
And at best, it feels like we often get a begrudging, "Thank you."

Versus, all right, if we just throw ethics completely out the window and decide instead that now we're going to wind up focusing on just effectively selling it to the highest bidder, the value of, for example, a hypervisor escape on EC2 is incalculable. There is no amount of money that a bug bounty program could offer for something like that compared to what it is worth to the right bad actor at the right time. So, with the vulnerabilities that we hear about, we're already starting from a basis of people who have a functioning sense of ethics, people who are not deeply compromised trying to do something truly nefarious. What worries me is the story of—what are the stories that we aren't seeing? What are the things that are being found where, instead of fighting against the bureaucracy around disclosure and the rest, people just use them for their own ends? And I'm gratified by the level of response I see from AWS on the things that they do find out about, but I always have to wonder, what aren't we seeing?

Gafnit: That's a good question. And it really depends on their side, if they choose to expose it or not.

Corey: Part of the challenge too, is the messaging and the communication around it and who gets credit and the rest. And it's weird, whenever they release some additional feature to one of their big headline services, there are blog posts, there are keynote speeches, there are customer references, they go on speaking tours, and the emails, oh, God, they never stop the emails talking about how amazing all of these things are. But whenever there's a security vulnerability or a disclosure like this—and to be fair, AWS's response to this speaks very well of them—it's like you have to go sneak down into the dark sub-basement, with the filing cabinet behind the leopard sign and the rest, to even find out that these things exist.
And I feel like they're not doing themselves any favors by developing that reputation for lack of transparency around these things. "Well, there was no customer impact, so why would we talk about it?"

Because otherwise, you're setting up a myth that there never is a vulnerability on the side of—whatever it is that you're building as a cloud provider. And when there is a problem down the road—because there always is going to be; nothing is perfect—people are going to say, "Hey, wait a minute. You didn't talk about this. What else haven't you talked about?"

And it rebounds on them with sometimes really unfortunate side effects. With Azure as a counterexample here, we see a number of Azure exploits where, "Yeah, turned out that we had access to other customers' data and Azure had no idea until we told them." And Azure issues statements about, "Oh, we have no evidence of any of this stuff being used improperly." Okay, that can mean that you've either checked your logs and things are great or you don't have logging. I don't know that that is necessarily something I trust.

Conversely, AWS has said in the past, "We have looked at the audit logs for this service dating back to its launch years ago, and have validated that none of that has ever been used like this." One of those responses breeds an awful lot of customer trust. The other one doesn't. And I just wish AWS knew a little bit more how good crisis communication around vulnerabilities can improve customer trust rather than erode it.

Gafnit: Yes, and I think that, as you said, there will always be vulnerabilities. And I think that we are expecting to find more, so being able to communicate as clearly as you can and to expose things about maybe the fixes and how the investigation is being done, even at a high level, for all the vulnerabilities can gain more trust from the customer side.

Corey: DoorDash had a problem.
As their cloud-native environment scaled and developers delivered new features, their monitoring system kept breaking down. In an organization where data is used to make better decisions about technology and about the business, losing observability means the entire company loses their competitive edge. With Chronosphere, DoorDash is no longer losing visibility into their applications suite. The key? Chronosphere is an open-source compatible, scalable, and reliable observability solution that gives the observability lead at DoorDash business, confidence, and peace of mind. Read the full success story at snark.cloud/chronosphere. That's snark.cloud slash C-H-R-O-N-O-S-P-H-E-R-E.Corey: You have experience in your background specifically around application security and cloud security research. You've been doing this for seven years at this point. When you started looking into this, did you come at the RDS vulnerability exploration from a perspective of being deeper on the Postgres side or deeper on the AWS side of things?Gafnit: So, it was both. I actually came to the RDS lead from another service where there was something [about 00:18:21] in the application level. But then I reached to an RDS and thought, well, it will be really nice to find thing over here and to reach the underlying machine. And when I entered to the RDS zone, I started to look at it from the application security eyes, but you have to know the cloud as well because there are integrations with S3, you need to understand the IAM model. So, you need a mix of both to exploit specifically this kind of issue. But you can also be database experts because the payload is a pure SQL.Corey: It always seems to me that this is an inherent risk in trying to take something that is pre-existing is an open-source solution—Postgres is one example but there are many more—and offer it as a managed service. 
Because I think one of the big misunderstandings is that when—well, AWS is just going to take something like Redis and offer that as a managed service, it's okay, I accept that they will offer a thing that respects the endpoints and then acts as if it were Redis, but under the hood, there is so much in all of these open-source projects that is built for optionality of wherever you want to run this thing, it will run there; whatever type of workload you want to throw at it, it can work. Whereas when you have a cloud provider converting these things into a managed service, they are going to strip out an awful lot of those things. An easy example might be okay, there's this thing that winds up having to calculate for the way the hard drives on a computer work and from a storage perspective.Well, all the big cloud providers already have interesting ways that they have solved storage. Every team does not reimplement that particular wheel; they use in-house services. Chubby's file locking, for example, over on Google side is a classic example of this that they've talked about an awful lot so every team building something doesn't have to rediscover all of that. So, the idea that, oh, we're just going to take up this open-source thing, clone it off a GitHub, fork it, and then just throw it into production as a managed service seems more than a little naive. What's your experience around seeing, as you get more [laugh] into the weeds of these things than most customers are allowed to get, what's your take on this?Do you find that this looks an awful lot like the open-source version that we all use? Or is it something that looks like it has been heavily customized to take advantage of what AWS is offering internally as underlying bedrock services?Gafnit: So, from what I saw until now, they do want to save the functionality so you will have the same experience as you're working with the same service that not on AWS because you're you are used to that. 
So, they are not doing dramatic changes, but they do want to reduce the risk in the security space. So, there will be some functionalities that they will not let you to do. And this is because of the managed party in areas where the full workload is deployed in your account and you can access it anyway, so they will not have the same security restrictions because you can access the workload anyway. But when it's managed, they need to prevent you from accessing the underlying host, for example. And they do the changes, but they're really picked to the specific actions that can lead you to that.Corey: It also feels like RDS is something of a, I don't want to call it a legacy service because it is clearly still very much actively developed, but it's what we'll call it a ‘classic service.' When I look at a new AWS launch, I tend to mentally bucket them into two things. There's the cloud-native approach, and we've already talked about DynamoDB. That would be one example of this. And there's the cloud-hosted model where you have to worry about things like instances and security groups and the networking stuff, and so on and so forth, where it's basically feels like they're running their thing on top of a pile of EC2 instances, and that abstraction starts leaking.Part of me wonders if looking at some of these older services like RDS, they made decisions in the design and build out of these things that they might not if they were to go ahead and build it out today. I mean, Aurora is an example of what that might look like. Have you found as you start looking around the various security foibles of different cloud services, that the security posture of some of the more cloud-native approaches is better or worse or the same as the cloud-hosted world?Gafnit: Well, so for example, in the several issues that were found, and also here in the RDS where you can see credentials in a file, this is not a best practice in security space. 
And so, definitely there are things to improve, even if it's developed on the provider side. But it's really hard to answer this question because in a managed area where you don't have any access, it's hard to tell how it's configured and if it's configured properly. So, you need to have some certification from their side.Corey: This is, on some level, part of the great security challenge, especially for something that is not itself open-source, where they obviously have terrific security teams, don't get me wrong. At no point do I want to ever come across a saying, “Oh, those AWS people don't know how security works.” That is provably untrue. But there is something to be said for the value of having a strong community in the security space focusing on this from the outside of looking at these things, of even helping other people contextualize these things. And I'm a little disheartened that none of the major cloud providers seem to have really embraced the idea of a cloud security community, to the point where the one that I'm most familiar with, the cloud security forum Slack team seems to be my default place where I go for context on things.Because I dabble. I keep my hand in when it comes to security, but I'm certainly no expert. That's what people like you are for. I make fun of clouds and I work on the billing parts of it and that's about as far as it goes for me. But being able to get context around is this a big deal? Is this description that a company is giving, is it accurate?For example, when your post came out, I had not heard of Lightspin in this context. So, reaching out to a few people I trusted, is this legitimate? The answer was, “Yes. It's legitimate and it's brilliant. That's a company that keep your eye on.” Great. That's useful context and there's no way to buy that. It has to come from having those conversations with people in the [broader 00:24:57] sense of the community. 
What's your experience been looking at the community side of the world of security?Gafnit: Well, so I think that the cloud security has a great community, and this is one of the things that we at Lightspin really want to increase and push forward. And we see ourselves as a security-driven company. We always do the best to publish a post, even detailed posts, not about vulnerabilities, about how things works in the cloud and how things are being evaluated, to release open-source tools where you can use them to check your environment even if you're not a customer. And I think that the community is always willing to explain and to investigate together. And it's a welcome effort, but I think that the messaging should be also for all layers, you know, also for the DevOps and the developers because it can really help if it will start from this point from their side, as well.Corey: It needs to be baked in, from start to finish.Gafnit: Yeah, exactly.Corey: I really want to thank you for taking the time out of your day to speak with me today. If people want to learn more about what you're up to, where's the best place for them to find you?Gafnit: So, you can find me on Twitter and on LinkedIn, and feel free to reach out.Corey: We will, of course, put links to that in the [show notes 00:26:25]. Thank you so much for being so generous with your time today. I appreciate it.Gafnit: Thank you, Corey.Corey: Gafnit Amiga, Director of Security Research at Lightspin. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, and if it's on the YouTubes, smash the like and subscribe buttons, which I'm told are there. Whereas if you've hated this podcast, same story, like and subscribe and the buttons, leave a five-star review on a various platform, but also leave an insulting, angry comment about how my observation that our IAM policies are all full of stars is inaccurate. 
And then I will go ahead and delete that comment later because you didn't set a strong password.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.