Podcasts about MD5

Message-digest hashing algorithm

  • 101 podcasts
  • 134 episodes
  • 43m average duration
  • 1 new episode per month
  • Latest: May 29, 2025



Latest podcast episodes about MD5

CISSP Cyber Training Podcast - CISSP Training Program
CCT 244: Cybersecurity Foundations - Message Integrity and Authentication (CISSP Domain 3.6)

May 12, 2025 · 31:17 · Transcript available

Ever wondered how your sensitive messages stay secure in an increasingly dangerous digital landscape? The answer lies in message integrity controls, digital signatures, and certificate validation – the core components of modern cybersecurity we tackle in this episode.

We begin with a timely breakdown of Microsoft's recent security breach by Russian hackers who stole source code by exploiting a test environment. This real-world example perfectly illustrates why proper security controls must extend beyond production environments – a lesson many organizations learn too late.

Diving into the technical foundation of message security, we explore how basic checksums evolved into sophisticated hashing algorithms like MD5, SHA-2, and SHA-3. You'll understand what makes these algorithms effective at detecting tampering and why longer digests provide better protection against collision attacks.

Digital signatures emerge as the cornerstone of secure communication, providing the crucial trifecta of integrity verification, sender authentication, and non-repudiation. Through practical examples with our fictional users Alice and Bob, we demonstrate exactly how public and private keys work together to safeguard information exchange.

The episode culminates with an exploration of digital certificates and S/MIME protocols – the technologies that make secure email possible. You'll learn how certificate authorities establish chains of trust, what happens when certificates are compromised, and how the revocation process protects the entire ecosystem.

Whether you're preparing for the CISSP exam or simply want to understand how your sensitive communications remain protected, this episode provides clear, actionable knowledge about the cryptographic building blocks that secure our digital world.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months, completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Padepokan Budi Rahardjo
AI & Security: Can an LLM crack hashes?

Mar 13, 2025 · 10:11


A session to test whether an AI LLM can be told to crack the output of an MD5 hash. It turns out that when the input is supposedly easy, for example "admin" in this case, ChatGPT can find it. The others could not.

ASecuritySite Podcast
World-leaders in Cryptography: Ivan Damgard

Dec 20, 2024 · 53:20


Ivan Damgard is a professor in the Department of Computer Science at Aarhus University in Denmark. He is the co-inventor of the Merkle-Damgard construction, which was used in MD5, SHA-1 and SHA-2. In 2020, he received the Test of Time Award for a paper entitled "A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System", and in 2021 he received an ACM Test of Time award for a paper entitled "Multiparty unconditionally secure protocols". In 2010, he was elected as a Fellow of the International Association for Cryptologic Research. Ivan has also co-founded two cryptography companies: Cryptomathic and Partisia.

Into the Channel
UWCL: Real Madrid and Chelsea battle to win Group B

Dec 17, 2024 · 20:07


Matchday 5 in the UEFA Women's Champions League offered further clarification on the eight teams making the knockout stage and where they'll land in their groups. But there are still a few things to be decided, as well as some intriguing matchups to get excited about. In this episode, we lock in on Real Madrid hosting Chelsea in a match to decide who will win Group B. We go over the squads' recent form, the tiebreakers to consider, and then make our predictions. After that, we discuss Lyon vs. Wolfsburg. Even though the group has been decided after Wolfsburg's MD5 victory over Roma, we're still psyched to watch these two powerhouses compete.

0:00 - Intro and Real Madrid vs. Chelsea discussion
9:25 - Lyon vs. Wolfsburg

Subscribe now to catch all of our women's football talk, including our ongoing coverage of the UEFA Women's Champions League. Check us out: YouTube: www.youtube.com/@intothechannelpod Bluesky: @intothechannel.bsky.social Threads: @intothechannelpod Instagram: @intothechannelpod TikTok: @intothechannel X/Twitter: @itc_pod

CISSP Cyber Training Podcast - CISSP Training Program
CCT 197: Practice CISSP Questions - Security Architectures, Design, and Solution Elements for the CISSP

Nov 28, 2024 · 19:46 · Transcript available


What if quantum computing could unravel today's most secure encryption methods? Discover the potential future of cryptography on the CISSP Cyber Training Podcast, as we explore the profound impact of advanced quantum capabilities on public key systems like RSA and elliptic curve algorithms. This episode breaks down the "harvest now, decrypt later" strategy, revealing how adversaries might exploit encrypted data in the future. Cybersecurity professionals will gain essential insights into transforming their organization's cryptography practices to anticipate and counteract these emerging threats effectively.

Our deep dive into cryptographic concepts and best practices offers a comprehensive Q&A session that highlights AES as the gold standard of symmetric encryption and examines the vulnerabilities of legacy algorithms like MD5. Get to grips with the advantages of ECC for devices with limited resources and unravel the complexities of asymmetric cryptography, from key exchanges to the power of digital signatures. We also unveil a tailored mentoring and coaching program, designed to guide you through passing the CISSP exam and mapping a successful career path in cybersecurity. Tune in for expert insights and strategies that equip you to excel in the ever-evolving world of cybersecurity.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join today!

The Redmen TV - Liverpool FC Podcast
Jude Bellingham & Carlo Ancelotti Pre-Match Press Conference | Liverpool v Real Madrid

Nov 26, 2024 · 21:31


Jude Bellingham & Carlo Ancelotti speak to the media at Anfield ahead of Liverpool v Real Madrid in MD5 of the Champions League. Support this show: http://supporter.acast.com/redmentv. Hosted on Acast. See acast.com/privacy for more information.

Major League Eventing Podcast
MD5* Radio Interviews Part 1

Oct 30, 2024 · 50:57


We are still on the Mars Maryland 5* Presented by Brown Advisory high! Karen and Robby were part of the MD5* Radio and for the next 2 weeks we will be bringing you all the great interviews that were done. Part 1 has interviews with Sinead Maynard, Harry Meade, David Doel, Crosby Green, Allie Knowles, Boyd Martin, Felix Parker from Fairfax & Favor, Tiana Coudray and Lainey Ashker. We want to thank everyone at the MD5* for trusting us to bring the audience content and also our social media team Hannah Keegan, Caroline Brooke and Emily Murphy for all the fun TikTok videos that were done. In the next couple of weeks, we will also release the interviews and press conference interviews that Hannah did. We hope you enjoy!

Please support our sponsors:
https://cowboymagic.com/
https://manentailequine.com/
https://exhibitorlabs.com/
https://www.triplecrownfeed.com/
Patricia Scott Insurance (484) 319-8923

Sign up for our mailing list! https://mailchi.mp/b232b86de7e5/majorleagueeventingllc?fbclid=IwAR2Wp0jijRKGwGU3TtPRN7wMo-UAWBwrUy2nYz3gQXXJRmSJVLIzswvtClE
Check out the Major League Eventing store! https://www.majorleagueeventing.com/shop

Flow Games
THE CHAMPIONS OF THE AMERICAS! PAIN GAMING ACADEMY AND THE AMERICAS CHALLENGERS — #MD3 #190

Oct 23, 2024 · 125:57


The champions of the Americas Challengers 2024 are among us! After a thrilling best-of-five (Md5), paiN Gaming's Academy team took the title and crowned Hidan, Tatu, Qats, Marvin and Guigs. Today's MD3 chats with the champions about the title, CBLOL Academy, the future and much more. Come on over and see that paiN arrived swinging!

Leicester City Football Forum
The Everton Preview

Sep 20, 2024 · 17:15


Hear from Steve Cooper & Sean Dyche as Owynn Palmer-Atkin looks ahead to MD5.

2.5 Admins
2.5 Admins 204: Maybe Don't 5

Jul 18, 2024 · 29:00


A widely-used login system is still using MD5, which is bad news; miscreants took over some domains when they moved from Google to Squarespace; Linksys' sloppy app isn't a huge problem but is a bad sign; and why backing up an Android phone in one go is pretty much impossible without root.

Late Night Linux All Episodes
2.5 Admins 204: Maybe Don't 5

Jul 18, 2024 · 29:00


A widely-used login system is still using MD5, which is bad news; miscreants took over some domains when they moved from Google to Squarespace; Linksys' sloppy app isn't a huge problem but is a bad sign; and why backing up an Android phone in one go is pretty much impossible without root.

The Other Side Of The Firewall
Is The New RADIUS Vulnerability A Blast? Everything You Need To Know About The Blast Radius Attack

Jul 16, 2024 · 15:29


The conversation discusses a recent article about a new attack on a 30-year-old protocol called RADIUS. The protocol is widely used in networks for client-server interactions, including VPN access, DSL and fiber connections, and 5G authentication. The attack, called Blast-RADIUS, exploits vulnerabilities in the MD5 hash used in the protocol. The attack allows adversaries to elicit a response from the RADIUS server and gain unauthorized access to the network. The conversation highlights the importance of identifying and mitigating the vulnerabilities in the protocol to protect networks.

Article: New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere
https://arstechnica.com/security/2024/07/new-blast-radius-attack-breaks-30-year-old-protocol-used-in-networks-everywhere/?fbclid=IwZXh0bgNhZW0CMTAAAR24e6Catk5kfoECwbCrkcWDlpHdNmajX4dWBn5rw1ZIq4tfFw1nkXFY_4g_aem_EMmWxbRvyOaRTCMQchyQiQ

TechnoPillz
Parallel MurmurHash

Jul 15, 2024 · 41:16


Alex, developer and videomaker, on the drive to the office, says he is running late because of his wife and brings up the possibility of being hired by a third-party company to develop a custom macOS application. He describes three levels of increasing complexity and cost for the app, weighing the likelihood that the company picks each level. He also discusses the technical challenges, including the use of hashing algorithms to manage files, and how he intends to optimize data processing. Finally, he shares personal frustrations about various aspects of daily life, including traffic and the city's layout, while heading to an appointment.

[00:14:42] Ad
[00:41:04] The Sciatta GPT summary

TechnoPillz. Digital stream of consciousness.
Come chat on the riot: https://t.me/TechnoPillzRiot
I'm on Mastodon: @shylock74@mastodon.uno
The Morning Rant videos on the Runtime YouTube channel: https://www.youtube.com/playlist?list=PLgGSK_Rq9Xdh1ojZ_Qi-rCwwae_n2Lmzt
Listen to us live every day, 24/7, at: http://runtimeradio.it
Download the iOS app: https://bit.ly/runtApp
Contribute to the Cause at: http://runtimeradio.it/ancheio/

Infinitum
If Tim Cook had listened to us, this wouldn't be happening to him

Jul 13, 2024 · 60:11


Ep 238

Marques Brownlee superstar sequence
Rules of Ultimate frisbee
Samsung: Hey Apple, can I copy your homework?
@TrungTPhan on X: Steve Ballmer's net worth ($157.2B) just passed Bill Gates ($156.7B) for the first time ever.
Exclusive: India antitrust probe finds Apple abused position in apps market
Ars Technica: New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere. Ubiquitous RADIUS scheme uses homegrown authentication based on MD5. Yup, you heard right.
Intel is selling defective CPUs - Alderon Games
Jason Snell: Here's a thing I noticed today. macOS Sequoia changes how non-notarized apps are handled on first launch.
@hrolnd on X: holy shit you guys weren't kidding, the latest mac + AirPods firmware beta is black fucking magic. (fix explained)
Fatih Arslan: Automating my gate door
On the origins of DS_Store
DEVONtechnologies | Welcome (Back) Network Utility

Acknowledgements
Recorded 13 July 2024.
Intro music by Vladimir Tošić; the old site is here.
Logo by Aleksandra Ilić.
Episode artwork by Saša Montiljo, his corner on DeviantArt: Tajna / Mystery, 33 x 45 cm, oil on canvas, 2014, private collection.

Talion Threat Set Radio
Threat Bulletin #273

Jul 12, 2024 · 5:52


Eldorado ransomware claims 16 victims in short timeframe. Free decryptor released by Avast for DoNex ransomware strain. Blast-RADIUS attacks leverage MD5 collisions to gain admin.
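
The three entries above (The Other Side Of The Firewall, Infinitum and this Talion bulletin) all point at the same design detail: a RADIUS reply is authenticated only by the Response Authenticator of RFC 2865, an MD5 digest over the reply with the shared secret appended, and the MD5 chosen-prefix collisions Blast-RADIUS uses are aimed at exactly that digest. The example below is added here; it is not code from any of the episodes, from the Ars Technica article, or from a RADIUS implementation. It builds a reply carrying both that digest and the keyed HMAC-MD5 Message-Authenticator attribute of RFC 2869, then verifies both on the client side. Requiring Message-Authenticator on every Access-* reply is the mitigation vendors shipped in response to the attack; the secret, identifier, User-Name value and Request Authenticator here are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed for this example; in deployment the secret comes from the NAS/server config.
SHARED_SECRET = b"constructed-demo-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80   # attribute types from RFC 2865 / RFC 2869
HEADER_LEN = 20                            # code(1) id(1) length(2) authenticator(16)


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS TLVs; the length byte counts its own 2-byte header."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    An unkeyed MD5 over attacker-visible fields with the secret appended at the end;
    this is the digest Blast-RADIUS targets with chosen-prefix collisions."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 section 5.14: HMAC-MD5(secret, whole packet) with the Message-Authenticator
    value zeroed; for a reply the Authenticator field holds the Request Authenticator."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def build_reply(code, ident, request_auth, attrs, secret, with_message_authenticator=True):
    """Server side: optionally append Message-Authenticator, then seal with the Response Authenticator."""
    attrs = list(attrs)
    if with_message_authenticator:
        attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))
        attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, request_auth, attrs, secret))
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, attrs, secret), attrs)


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length")
    attrs, i = [], HEADER_LEN
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:HEADER_LEN], attrs


def verify_reply(pkt, request_auth, secret, require_message_authenticator=True):
    """Client side. True only if the reply is bound to our request and the shared secret."""
    code, ident, auth, attrs = parse_packet(pkt)
    if not hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs, secret)):
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        # Response Authenticator alone: the lax policy Blast-RADIUS abuses.
        return not require_message_authenticator
    return hmac.compare_digest(macs[0], message_authenticator(code, ident, request_auth, attrs, secret))


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed; a real client draws 16 random bytes per request
    good = build_reply(ACCESS_ACCEPT, 7, req_auth, [(USER_NAME, b"alice")], SHARED_SECRET)
    legacy = build_reply(ACCESS_ACCEPT, 7, req_auth, [(USER_NAME, b"alice")], SHARED_SECRET, False)
    print(verify_reply(good, req_auth, SHARED_SECRET))           # True
    print(verify_reply(legacy, req_auth, SHARED_SECRET))         # False: no Message-Authenticator
    print(verify_reply(legacy, req_auth, SHARED_SECRET, False))  # True under the old lax policy
```

The point to take from the two verifiers: the Response Authenticator check depends on no collision existing for an MD5 input the attacker partly controls, while the Message-Authenticator check is a proper keyed MAC. A client that accepts replies without the attribute, or a server that omits it, is the configuration the attack needs; RADIUS over TLS or DTLS removes the dependency on MD5 altogether.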

Fantasy Football Scout
EURO 2024: MD5 - Day One Reaction

Jul 6, 2024 · 61:17


Chris, Sam and Tom react to Day One of MD5 in EURO Fantasy. France and Spain progressed at the expense of Portugal and Germany. They also discuss captaincy plans for today's fixtures. ━━━━━━━━━━━━━ Get your At-Home Testosterone Blood Test from Manual! Promo code: FFS45 CLICK: https://www.manual.co/testosterone-replacement-therapy/initial-testosterone-blood-test?coupon=FFS45&utm_source=podcast&utm_medium=sspn&utm_campaign=FantasyFootballScout   ━━━━━━━━━━━━━ WIN AT EURO FANTASY with Opta Data + Team reveals!

Fantasy Football Scout
EURO 2024: Ed's MD5 Team

Jul 4, 2024 · 31:34


Ed reveals his Team Selection for EURO Fantasy 2024 MD5!━━━━━━━━━━━━━ Get your At-Home Testosterone Blood Test from Manual! Promo code: FFS45 Link: https://www.manual.co/testosterone-replacement-therapy/initial-testosterone-blood-test?coupon=FFS45&utm_source=podcast&utm_medium=sspn&utm_campaign=FantasyFootballScout ━━━━━━━━━━━━━ WIN AT EURO FANTASY with Opta Data + Team reveals!

Fantasy Football Scout
EURO 2024: MD4 - Day Four Reaction

Jul 3, 2024 · 96:29


Chris and Tom react to the final day of Round of 16 matches as Netherlands and Turkey triumph! The team also look ahead to MD5 of EURO Fantasy!━━━━━━━━━━━━━ Get your At-Home Testosterone Blood Test from Manual! Promo code: FFS45 CLICK: https://www.manual.co/testosterone-replacement-therapy/initial-testosterone-blood-test?coupon=FFS45&utm_source=podcast&utm_medium=sspn&utm_campaign=FantasyFootballScout   ━━━━━━━━━━━━━ WIN AT EURO FANTASY with Opta Data + Team reveals!

Digital Forensics Now
Microsoft recall of Recall & all of the latest Digital Forensic News!

Jun 13, 2024 · 67:30 · Transcript available


Join us as we recount our recent travels to Argentina and the Techno Security & Digital Forensics conference. We'll share the highlights of our trips before diving into the core content.

What could possibly go wrong with a feature designed for user convenience? We'll scrutinize Microsoft's controversial "Recall" feature, exploring its significant privacy concerns and implications for digital forensics. From unencrypted data to automatic opt-ins, we speculate on the potential user backlash. We'll also dive into the latest tech updates, including CCL Solutions Group's enhancements to the Rabbit Hole tool and how these advancements can revolutionize data analysis processes.

Discover the capabilities of VFC from MD5 and the latest tools for examining data from platforms like Snapchat and Facebook. We'll introduce new and updated blogs, innovative Python scripts, and the latest additions to the LEAPPs in this packed episode. Stick around for an insightful discussion and a sneak peek at what's coming in future episodes.

Notes

Rabbit Hole Updates and SQLite Blog/Cheatsheet
https://vimeo.com/948752153
https://www.cclsolutionsgroup.com/post/time-travelling-with-sqlite-journals-and-wal
https://vimeo.com/953570512
https://cdn.prod.website-files.com/5f02f2c93eab87a6ea84e2f3/665ed5e6ec5ef877d9d74dd2_sqlite-journal-cheatsheet.pdf

Copilot+ Recall disaster & Forensic Applications of Microsoft Recall
https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e
https://cybercx.com.au/blog/forensic-applications-of-microsoft-recall/

Rising Star Jeremy McBroom
https://yeahihaveaquestion.com/

Analysis of Browser Artefacts from File Sharing Services
https://us5.campaign-archive.com/?u=a5a2a1131e612711f02b96e2c&id=9555c3f865
https://github.com/cclgroupltd/ccl_chromium_reader

SQLite Freelist Page Checker
https://github.com/SpyderForensics/SQLite_Forensics

Forensics StartMe Page
https://start.me/p/q6mw4Q/forensics?locale=en

The Daily Decrypt - Cyber News and Discussions
Change Healthcare Extorted Again, Malvertising Targets IT, GitHub Scams on Developers: Navigating Cybersecurity Minefields

Apr 11, 2024


Today we unravel the second ransomware extortion of Change Healthcare by RansomHub, the cunning malvertising campaign targeting IT pros with malware-laden ads for PuTTY and FileZilla, and the deceptive tactics on GitHub fooling developers into downloading malware. Discover protective strategies and engage with expert insights on bolstering defenses against these evolving cyber threats.

Original URLs:
https://www.securityweek.com/second-ransomware-group-extorting-change-healthcare/
https://www.helpnetsecurity.com/2024/04/10/malvertising-putty-filezilla/
https://thehackernews.com/2024/04/beware-githubs-fake-popularity-scam.html
https://www.bleepingcomputer.com/news/security/malicious-visual-studio-projects-on-github-push-keyzetsu-malware/

Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: cybersecurity, ransomware, malvertising, GitHub scams, Change Healthcare, IT professionals, data protection, cybercrime, malware, software development

Search Phrases: How to protect against ransomware attacks; Strategies to combat malvertising campaigns; Tips for IT professionals on avoiding malicious ads; Safeguarding software development from GitHub scams; Change Healthcare ransomware extortion case study; Cybersecurity advice for IT administrators; Dealing with malware in system utilities ads; Best practices for data protection in healthcare; Understanding cybercrime tactics on GitHub; Preventing repeated ransomware extortions

Transcript:

Welcome back to the Daily Decrypt. Change Healthcare falls victim to a second ransomware extortion in just a month, now at the hands of the emergent RansomHub group, wielding over 4 terabytes of sensitive data stolen in the February 2024 cyberattack, which comes as a result of the BlackCat exit scam.

Next, we're turning over to a new malvertising campaign where searching for essential utilities for IT professionals like PuTTY and FileZilla leads to malware-laden ads, and you all know what I'm going to say about this: don't click Google Ads. And finally, GitHub becomes a battlefield as cybercriminals exploit its search functionality to trick developers into downloading repositories full of malware. How can developers ensure the repositories they download from GitHub are safe and not just traps set by cybercriminals?

All right, so at the end of February of this year, you may remember that Change Healthcare, which is a subsidiary of UnitedHealthcare, was the victim of a ransomware attack by the notorious and since disbanded ransomware group named BlackCat. Well, Change Healthcare finds itself in the crosshairs of a ransomware extortion scheme for the second time in just over a month, coming from a new ransomware group called RansomHub. There hasn't been a second attack, but this is believed to be a result of the exit scam that BlackCat pulled, where they kept all of the ransom payment that Change Healthcare had made. Allegedly, Optum, which is a subsidiary of Change Healthcare, paid BlackCat 22 million in ransom after the attack. BlackCat then pulled an apparent exit scam and disappeared without paying the affiliate who carried out the attack. And according to Qualys Cyber Threat Director Ken Dunham, it's not uncommon for companies that give in and pay these ransoms to quickly become additional targets or soft targets where their information is extorted again and again and again. Paying and giving in to these ransomware artists might seem like a quick fix to your problems, but once you've proven that you will and can pay, they're gonna come after you again. The data doesn't just disappear or get deleted. It's very valuable, and in this case it's worth 22 million dollars, so even if the attackers say they're gonna delete it, maybe they won't and maybe they'll come hit you again. So even though BlackCat has disbanded, whether or not they were taken down by the FBI or performed an exit scam, the data that they pillaged from Change Healthcare is now in the hands, or supposedly in the hands, of a group called RansomHub, which is extorting Change Healthcare all over again.

IT professionals have found themselves in the crosshairs of an ongoing malvertising campaign. These attackers are using malicious Google Ads to disguise malware as popular system utilities, like PuTTY, which is a free SSH and Telnet client, and FileZilla, which is an FTP application. This research comes from Malwarebytes researcher Jerome Segura, and he points out that even after alerting Google about these malicious ads, the campaign continues unabated. This sophisticated scheme begins when IT administrators search for these utilities on Google. The top search results, or sponsored ads, lead them through a series of cloaking pages. These pages are designed to filter out non-target traffic such as bots or security researchers, directing only potential victims to imitation sites. Unwittingly, when these IT administrators download what they believe to be legitimate software, they instead receive Nitrogen malware, which is dangerous software for cybercriminals, enabling them to infiltrate private networks or steal data and deploy ransomware attacks, and was used by the notorious BlackCat from the previous story. The method of infiltration is known as DLL sideloading, which involves the malware masquerading as a legitimate and signed executable to launch a DLL, thereby avoiding detection. So what this essentially means is these IT professionals are probably getting the tool, FileZilla or PuTTY, that they're looking for. The functionality might remain exactly the same, which only serves to benefit the attackers, because once the IT professionals download the software there are no indicators that it's incorrect or fake, but this software, such as PuTTY or FileZilla, will then launch a separate DLL, which is just an executable that contains the malware.

So one way you can prevent this, as someone downloading software from the web, is to find what's called an MD5 hash, which is essentially a signature of sorts that verifies the integrity of the file you've downloaded. Now, hashing isn't necessarily something we need to get into right now on this podcast, but all you need to know is it's sort of like math where you multiply the data from within this piece of software, or do algebra or something, to create this long string of characters that can't be replicated if the files have been altered. So as soon as the files are altered, the mathematical equation puts out a different set of characters, right? So the creators of the software release this hash, they display it on their website, and then when you download the software, you run the same algorithm against that software to see if those two hashes match. Now I personally am guilty of not always checking the hash for software, and I know a lot of other IT professionals are guilty of that as well, but it's time to set up a new good habit and consistently check these hashes, maybe even develop a web scraper that will go grab the hash and also run the software through it, comparing it, reducing the amount of work you have to do on the other end. But in summary, as I always say, do not click Google ads unless you absolutely have to, unless the thing you're searching for down below... unless the thing you're specifically searching for is not in the search results below and is only present in the advertisement, which will probably only be for things like thedailydecrypt.com, where I haven't been around long enough to boost my search result ranking naturally, so eventually maybe I'll start buying ad space, trying to get to people who are looking for the content that we're providing. But if you're going to download some software, there's no need to click the ads, especially something as popular as FileZilla or PuTTY, VS Code, whatever you're trying to download; go find it in the search results. Do not click the ad.

And in a similar vein, let's talk about a scam on GitHub that's fooling developers into downloading dangerous malware. Cybercriminals are exploiting GitHub's search features, luring users into downloading fake yet seemingly popular repositories. This scheme has been identified to distribute malware hidden within Microsoft Visual Studio Code project files, which are cunningly designed to fetch further malicious payloads from remote URLs, as reported by Checkmarx. So the attackers are mimicking popular repositories and employing automated updates and fake stars to climb GitHub's search rankings. So unlike Google, I don't believe there are ads you can buy in GitHub search to boost your search rankings, so attackers are becoming a little more creative. Making the repository look like it's consistently updated helps boost the search rankings, and then naming the repositories things that developers are constantly searching for will also help boost their rankings in its SEO. So since many of these repositories are disguised as legitimate projects, it can be pretty tricky to identify them, but among the discoveries, some repositories were found downloading an encrypted file named feedbackapi.exe, which is an executable and is notably large at 750 megabytes. This executable is designed to bypass antivirus detection and deploy malware, similar to the Keyzetsu Clipper, a notorious tool known for hijacking cryptocurrency transactions. And unlike software downloaded from the internet by clicking on Google ads in the previous story, there may or may not be hashes for these repositories. Most likely not. Sometimes if there's an executable or a package, they'll provide a hash. But if you're on the GitHub repository, you think it's legit, they might list the hash, but that's just the hash of their malware, giving you a false sense of security. Just be extra vigilant when you're downloading anything to your computer, especially open source things that are generally found on GitHub. It can't be that hard to create a thousand GitHub accounts, or maybe you can even buy them online, and that immediately gives your repo a thousand stars, making it look legitimate. So if you're looking for a tool, it's best to find it on the web from within a reputable website. GitHub's search feature is not the most reliable.

And that's all I've got for you today. Thanks so much for tuning in. Today I'll be traveling to Florida to participate in the Hackspace conference, where I'm really excited to learn a little bit more about how cybersecurity and satellites and other spacecraft intertwine. I'll also be meeting up with dogespan, where we'll hopefully do a joint episode, our first ever one in person. So be sure to tune in tomorrow for that episode.
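
The habit the transcript recommends, hashing the download and comparing the result with the digest the publisher lists, is shown below as an added example; it is not code from the podcast. It prefers SHA-256 or SHA-512 when the publisher lists one and falls back to MD5 or SHA-1 only with a warning, because MD5 collisions are practical and, more to the point for the malvertising story, a matching digest only proves you received the bytes the page advertises. On a lookalike site the attacker publishes the digest of their own trojanised build, so the check passes; a signature over the release (GPG, Authenticode, Sigstore) is what actually binds the file to its publisher, and the hash check is the cheaper complement for mirrors and transfer corruption. The installer bytes and the published digests in the demo are constructed, as is the `SHA256SUMS`-style line format the parser accepts.

```python
import hashlib
import hmac
import os
import tempfile

STRONG = ("sha512", "sha256")   # accepted outright
LEGACY = ("sha1", "md5")        # accepted only with a warning: collisions are practical


def digest_bytes(data, algo):
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo, chunk=1 << 20):
    """Stream the file so a multi-GB installer does not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums_line(line):
    """One line of a SHA256SUMS/MD5SUMS style file: '<hex>  <filename>' (binary-mode '*' prefix allowed)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<hex> <filename>'")
    return parts[0].lower(), parts[-1].lstrip("*")


def choose_algo(published):
    """Pick the strongest digest the publisher actually lists."""
    for algo in STRONG + LEGACY:
        if algo in published:
            return algo
    return None


def _verify(published, compute):
    algo = choose_algo(published)
    if algo is None:
        return False, None, "publisher lists no usable digest; look for a signature instead"
    expected = published[algo].strip().lower()
    actual = compute(algo)
    ok = hmac.compare_digest(actual, expected)   # constant-time compare
    warning = None if algo in STRONG else (
        f"{algo} only: proves you have the advertised bytes, not who built them")
    return ok, algo, warning


def verify_bytes(data, published):
    """published: {algo: hex digest} as copied from the vendor page. Returns (ok, algo, warning)."""
    return _verify(published, lambda algo: digest_bytes(data, algo))


def verify_file(path, published):
    return _verify(published, lambda algo: digest_file(path, algo))


def demo():
    """Constructed installer plus a one-byte-tampered copy; returns the verdict for each."""
    good = b"installer bytes constructed for this example\n" * 1000
    tampered = good[:-1] + b"!"
    published = {"sha256": digest_bytes(good, "sha256"), "md5": digest_bytes(good, "md5")}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.bin")
        with open(path, "wb") as f:
            f.write(tampered)
        tampered_verdict = verify_file(path, published)
    return verify_bytes(good, published), tampered_verdict


if __name__ == "__main__":
    print(demo())   # ((True, 'sha256', None), (False, 'sha256', None))
```

Run it against a real download by pasting the vendor's digest into the `published` dict, or feed `parse_sums_line` the relevant line of the vendor's checksum file. The warning string is deliberately returned rather than printed so a wrapper script can refuse MD5-only verification in an environment where policy requires it.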

Micro binfie podcast
123 The Revolution of Hash Databases in cgMLST

Mar 21, 2024 · 17:42


In this episode of the Micro Binfie Podcast, hosts Dr. Andrew Page and Dr. Lee Katz delve into the fascinating world of hash databases and their application in cgMLST (core genome Multilocus Sequence Typing) for microbial bioinformatics. The discussion begins with the challenges faced by bioinformaticians due to siloed MLST databases across the globe, which hinder synchronization and effective genomic surveillance. To address these issues, the concept of using hash databases for allele identification is introduced. Hashing allows for the creation of unique identifiers for genetic sequences, enabling easier database synchronization without the need for extensive system support or resources. Dr. Katz explains the principle of hashing and its application in genomics, where even a single nucleotide polymorphism (SNP) can result in a different hash, making it a perfect solution for distinguishing alleles. Various hashing algorithms, such as MD5 and SHA-256, are discussed, along with their advantages and potential risks of hash collisions. Despite these risks, the use of more complex hashes has been shown to significantly reduce the probability of such collisions. The episode also explores practical aspects of implementing hash databases in bioinformatics software, highlighting the need for exact matching algorithms due to the nature of hashing. Existing tools like eToKi and upcoming software are mentioned as examples of applications that can utilize hash databases. Furthermore, the conversation touches on the concept of sequence types in cgMLST and the challenges associated with naming and standardizing them in a decentralized database system. Alternatives like allele codes are mentioned, which could potentially simplify the representation of sequence types. 
Finally, the potential for adopting this hashing approach within larger bioinformatics organizations like Phage or GMI is discussed, with an emphasis on the need for a standardized and community-supported framework to ensure the longevity and effectiveness of hash databases in microbial genomics. This episode provides a comprehensive overview of how hash databases can revolutionize microbial genomics by solving long-standing issues of database synchronization and allele identification, paving the way for more efficient and collaborative genomic surveillance worldwide.
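
As an added illustration of the scheme the hosts describe (not code from the podcast, from eToKi or from any cgMLST tool), the example below assigns an allele identifier by hashing the normalised sequence, shows a single substitution producing an unrelated identifier, merges two independently built databases by key union (the synchronisation benefit discussed), derives a decentralised sequence type as the digest of the sorted per-locus profile, and computes the birthday-bound collision probability for a given digest width, which is the reason a full SHA-256 is preferred over MD5 or a truncated hash. The normalisation rule used here (strip whitespace, uppercase, ACGTN only) is an assumption made for the example; whatever rule is chosen must be applied identically at every site, or the same allele will hash differently. The sequences are constructed.

```python
import hashlib
import math

ALPHABET = set("ACGTN")   # assumption for this example; the rule must be standardised across sites


def normalize(seq):
    """Canonical form before hashing: drop whitespace and line breaks, uppercase, restrict alphabet."""
    s = "".join(seq.split()).upper()
    bad = set(s) - ALPHABET
    if bad:
        raise ValueError(f"non-nucleotide characters in sequence: {sorted(bad)}")
    return s


def allele_id(seq, algo="sha256"):
    """The allele's identifier is the digest of its canonical sequence, so every site derives the same one."""
    return hashlib.new(algo, normalize(seq).encode("ascii")).hexdigest()


def collision_probability(n_alleles, digest_bits):
    """Birthday bound: P(any two of n random digests collide) ~ 1 - exp(-n(n-1) / 2^(bits+1))."""
    x = n_alleles * (n_alleles - 1) / 2 ** (digest_bits + 1)
    return -math.expm1(-x)


class HashAlleleDB:
    """locus -> {allele_id: canonical sequence}; lookups are exact-match only, as the episode notes."""

    def __init__(self, algo="sha256"):
        self.algo = algo
        self.loci = {}

    def assign(self, locus, seq):
        h = allele_id(seq, self.algo)
        self.loci.setdefault(locus, {})[h] = normalize(seq)
        return h

    def lookup(self, locus, seq):
        return allele_id(seq, self.algo) in self.loci.get(locus, {})

    def merge(self, other):
        """Synchronising two sites is a key union: identical alleles already share an id."""
        for locus, alleles in other.loci.items():
            self.loci.setdefault(locus, {}).update(alleles)

    def sequence_type(self, profile):
        """Decentralised sequence type: digest of the sorted 'locus<TAB>allele_id' profile."""
        canonical = "\n".join(f"{locus}\t{profile[locus]}" for locus in sorted(profile))
        return hashlib.new(self.algo, canonical.encode("ascii")).hexdigest()


if __name__ == "__main__":
    site_a, site_b = HashAlleleDB(), HashAlleleDB()
    ref = "ATGGCTAAGCTTGGAGCATAA"          # constructed toy allele
    snp = ref[:10] + "G" + ref[11:]        # one substitution at position 10
    a1, a2 = site_a.assign("locus_001", ref), site_a.assign("locus_001", snp)
    site_b.assign("locus_001", ref.lower())  # same allele, different formatting, same id
    site_a.merge(site_b)
    print(a1 != a2, len(site_a.loci["locus_001"]))   # True 2
    print(collision_probability(10**6, 256), collision_probability(10**6, 32))
```

With a million alleles, a 32-bit identifier collides with near certainty while a 256-bit one has a collision probability around 10^-66, so truncating digests to save space reintroduces exactly the ambiguity the scheme was meant to remove. The `sequence_type` digest only stays comparable across sites if every site sorts loci the same way and uses the same locus names, which is the standardisation problem the hosts raise at the end.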

CISSP Cyber Training Podcast - CISSP Training Program
CCT 124: Integrity Unhashed through Ensuring Message Authenticity with the CISSP (D3.6)

CISSP Cyber Training Podcast - CISSP Training Program

Mar 18, 2024 31:26 Transcription Available


Could your passwords withstand a cyber siege by expert Russian hackers? My latest podcast episode serves as a wakeup call to the cyber threats looming over us, showcasing the recent breach of Microsoft's test environment. As Sean Gerber, I dissect the pivotal missteps in password management and underscore the lifesaving grace of multi-factor authentication. We then shift gears to the bedrock of cyber training, examining message authenticity and integrity controls. By unpacking the intricacies of message digests and hashing algorithms, I highlight how they are the unsung heroes in maintaining data sanctity from sender to receiver.
The digital realm's trust hinges on the integrity of digital signatures and certificates, crucial allies in the war against data manipulation. Tune in as I break down how hash functions like MD5 and SHA are your first line of defense on file-sharing platforms. But there's more: I pull back the curtain on the encrypted world of digital signatures, revealing their role in sender verification and message security. Diving into the complex trust web spun by Certificate Authorities and the X.509 standard, we explore how digital certificates serve as digital passports in the online world. Brace yourself for an enlightening journey through the landscape of email protection with S/MIME, ensuring that your virtual conversations are sealed, secure, and verifiably authentic.
Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.
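The distinction between a message digest and a digital signature that this episode builds on, as an added example written for this listing rather than taken from the podcast: an unkeyed digest (MD5, SHA-2, SHA-3) proves only that the bytes match the digest that travelled with them, while a keyed tag also tells the receiver who produced the message. HMAC from the Python standard library stands in for the asymmetric signature the episode describes (a signature adds non-repudiation by using the sender's private key instead of a shared secret). The message, the altered copy and the key are constructed sample values.

```python
"""Integrity vs. authenticity of a message, as an added illustration.

An unkeyed digest detects accidental or careless modification, but anyone
who can alter the message can recompute the digest that travels with it. A
keyed tag (HMAC over the same digest family) can only be produced by a holder
of the shared key, so the receiver learns who sent the message as well as
that it was not altered.
"""
import hashlib
import hmac

# Constructed sample message and an altered copy of it.
MESSAGE = b"Approve transfer of 100 units to account 4242"
TAMPERED = b"Approve transfer of 900 units to account 4242"

# Constructed shared key (32 bytes). A real deployment draws this from a
# secrets store and never embeds it in source.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def digest_bits(algorithm: str) -> int:
    """Digest length in bits; a longer digest makes collisions harder to find."""
    return hashlib.new(algorithm).digest_size * 8


def message_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Unkeyed hex digest of the message under any hashlib algorithm name."""
    return hashlib.new(algorithm, data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it in constant time."""
    return hmac.compare_digest(message_digest(data, algorithm), expected_hex)


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA-256 authentication tag over the message."""
    return hmac.new(key, data, "sha256").hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time check that `tag` was produced with `key` over `data`."""
    return hmac.compare_digest(make_tag(key, data), tag)


def receive(data: bytes, claimed_digest: str, tag: str, key: bytes) -> dict:
    """What a receiver can conclude from the two checks: `integrity` only
    says the digest matches the bytes; `authentic` says a key holder made it."""
    return {
        "integrity": integrity_ok(data, claimed_digest),
        "authentic": verify_tag(key, data, tag),
    }
```

The telling case is an altered message that arrives with a freshly computed digest: `integrity_ok` passes, because the digest is public and anyone can recompute it, while `verify_tag` fails, because the tag can only be regenerated with the key. That gap is exactly what the episode's digital signatures close for parties that share no secret.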

Occhio al mondo
Hashing: cosa mette al sicuro le nostre cose sul web?

Occhio al mondo

Feb 21, 2024 9:54


Do you know how passwords are stored? Encrypted on the servers! So the site has no actual idea which password you used, but it uses a content-pulverizing algorithm. This lets it still verify whether you entered it correctly without knowing it.
These things are called hashes, and today we talk about them because in practice they are the secret codes behind everything, without our realizing it.
All my links: https://linktr.ee/br1brown
Sources:
What is a digital signature? | DigiCert FAQ
Passwords technical overview | Microsoft Learn
TELEGRAM - INSTAGRAM
If you'd like to support me: https://it.tipeee.com/br1brown
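The password check this episode describes, as an added example that is not from the podcast: the server keeps only a random salt and the output of a slow key-derivation function, and at login it recomputes that output and compares. PBKDF2-HMAC-SHA-256 from the Python standard library is used because it needs no extra packages; the 600,000-iteration default follows OWASP's published guidance for that function. The user table, usernames and passwords are constructed sample data.

```python
"""Salted, stretched password storage, as an added illustration.

The server never stores the password itself: it keeps a random salt and the
result of a slow key-derivation function over salt + password. At login it
repeats the computation and compares the outputs in constant time.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA-256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the stored salt and cost, compare safely."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored cost factor is below the current policy."""
    stored_iterations, _, _ = _parse(record)
    return stored_iterations < iterations


def register(users: Dict[str, str], username: str, password: str,
             iterations: int = DEFAULT_ITERATIONS) -> None:
    users[username] = hash_password(password, iterations)


def login(users: Dict[str, str], username: str, password: str,
          iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Check credentials; on success, transparently upgrade old records."""
    record = users.get(username)
    if record is None:
        # Burn the same work as a real check so an unknown username is not
        # distinguishable from a wrong password by response time.
        hash_password(password, iterations)
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record, iterations):
        users[username] = hash_password(password, iterations)
    return True
```

Two properties worth noticing: hashing the same password twice yields different records because the salt is random, so identical passwords across users are not visible in the table, and the iteration count is stored inside the record, so the cost can be raised later and old entries are upgraded the next time their owner logs in.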

Jetpack for the Mind
Mixtapes: a Lightweight Plan to Save the Internet – ØF

Jetpack for the Mind

Feb 5, 2024 39:42


Pablos: People are pissed off about social media all the time. They think that Facebook is making people vote for the wrong person. It's still very difficult to find somebody who thinks they voted for the wrong person because of Facebook, but they think everyone else did. Never mind that, there's this kind of, uh, very popular sensibility, which is to blame Facebook for all the problems in the world. They're doing fake news, they're doing, disinformation they're doing , every possible thing that could be wrong. Everybody wants to blame Facebook for getting wrong or Twitter or, any of the other social platforms. So if you think about it, in one sense, , yeah, Facebook got everybody together. I'm just going to use them as the example, we can extrapolate. They got everybody together. They, ended up getting too much content. you and your friends are posting too much shit. Nobody has time to see all of it. So you need the magical algorithm, which you should do like triple air quotes every time I say algorithm. They're like, the algorithm is supposed to figure out, okay, of all the shit that's supposed to be showing up on your feed, what's the coolest, or what's the stuff that you're gonna like the most? That's the job of the algorithm. And of course, we all believe the algorithm is tainted. And so, it's not really trying to find the things I care about the most or like the most. It's just gonna find the things that piss me off the most so that I get my, outrage, dopamine hit and keep coming back. So, which may all be true. We don't know. But, the point is, there's a fundamental problem, which is you cannot see everything that gets posted from all the people you follow. So, there does have to be some ranking. And then the second, thing is that you want that ranking to be tuned for you. And I think the thing that people, are missing about this is that you've got to have, a situation where it is very personalized because, not everybody's the same. 
Even if you and I followed the same thousand people, it doesn't mean we have identical interests. There are other factors that need to play into determining like what I want to see and what you want to see. And then I think that there's a whole bunch of things that, are classified as societal evils, that Facebook has to decide are not okay for anybody to follow. So if you have posts about Hitler, nobody should get to see those. Even if you're a World War II historian, nope, you don't get to see it. So there's a kind of, problem here, which is that all of this flies in the face of actual diversity, actual multiculturalism, we have 190 countries in the world. We have a lot of different peoples, different cultures, you and I just had a huge conversation about, different cultures and how they drive, we don't agree about these things. We have different ideas in different places in the world, even whole societies have different ideas about what's okay, and what's not okay, and that is the definition of Culture that is the definition of multiculturalism is valuing that that exists and letting everybody have their own ideas And and make let these different people operate in the way that suits them And when you travel, you get beaten over the head with that because, I can appreciate that people drive like this in Bangkok. That's not how I want to do it , that's kind of the fundamental point here. So anyway, what I'm trying to get at is you cannot create one set of rules for the entire world. That is not okay. Ash: 100% Pablos: And so what Facebook has chosen to do is try to create one set of rules for the entire world, at least the two billion people that are on Facebook. Ash: But then you become the government of Facebook. Pablos: You become the government of Facebook. And it's and we're all pissed off because they keep choosing rules that some people don't like or whatever. And so I think this is untenable and I don't think there's a solution there. 
I think it is a fool's errand and what I believe is, has gone wrong is that Facebook made the wrong choice long ago and they chose to control the knobs and dials and now they're living with the flack that comes with, every choice they make about where to set those knobs and dials. And what they should have done is given the user the knobs and dials. They should let me have buried six pages deep in the settings, have control over. What do you want more of? What do you want less of? Ash: More or less rant. Pablos: Yeah, They try to placate you with the like button and unfollow and all that, but it's not really control. So, contrast that with, the other fork in history that we didn't take, go back to like 2006, in the years before Facebook, We had this beautiful moment on the internet, with RSS. So RSS, which stands for Really Simple Syndication, that hardly matters, RSS was an open standard that allowed any website to publish the content in the form of posts in a kind of machine readable way. And then you could have an RSS reader that could subscribe to any website. So we didn't have the walled garden of Facebook, but, you remember all this, of course, but I'm just trying to break it down here. What we had was, this kind of open standard. , anybody in the world could publish on RSS using their website, all the blog software did this out of the box. WordPress does it out of the box. In fact, most websites, would support RSS. And then you had a reader app, that could be any reader app. This is again, open standards so get any reader you want. And if you just subscribe to any website in the world, you are following them directly. When they publish a post, it show up in your feed. And when you followed too many people, you could start making filters. So I've been making filters. I still do RSS. So by the way, all this machinery still works 15 years later. 
The machinery still works almost any website if you just put /RSS or / feed on the domain name you'll see an RSS feed and you can subscribe to that so it goes into my reader app And then I've been building filters over the years. So I have filters like -Trump because I got sick and tired of all this bullshit about Trump regardless what you think about Trump I just wanted to think about other things and it was painful to have a feed filled with Trump during the election So I have also -Biden, I have -Kanye, I have -Disney, I have minus all kinds of shit that I don't want to see, I still follow the publishers, but it's weeding out articles that are about those things. And so I get this feed that's pretty curated for me and my interests, and I get more of the stuff I like and less of the stuff I don't like, but I'm responsible for the knobs and dials, I'm controlling the settings, and I get to have my own autonomy about what I think is cool and not cool. And if I don't want Hitler, I can easily just -Hitler. And what we did instead is we kind of signed up for this sort of, babysitter culture of having Facebook make those choices for us. And people not, taking responsibility for their own choices has put us in this situation where we just have an internet full of people want to blame somebody else for everything that they think is going wrong. What we need to do is, figure out a way to, shift the world back to RSS. And out of the walled garden. So that's my, that's where I'm at, and I have ideas about that. Ash: And it's interesting, go back to Delphi, So Delphi internet... Pablos: One of the first, before, before internet, this was like an ISP, like a, like AOL. Centralized ISP. Ash: Right. So, so Delphi was sold to Murdoch, to News Corp and, and then the founder, Dan Burns brought that back. He purchased it, he re acquired the company and then invited a couple of ragtag individuals, myself and, and Palle again, and Rusty Williams. 
Chip Matthes, and we had like, you know, a room with a VAX in the back. I was doing a lot of the stuff, but we were running forums. Dan had this crazy idea. It was like, Hey, what if you could just make your own forum? And this would be like way pre Facebook, it's like 97, 98. And 98, we started supplying that ability to websites. And the first one we did was a guy named Gil . And like we said to him, it's like, Hey Gil, like you guys really should have some forums, like, yeah, we totally should be. Wait, so how do we do that? And we wrote like a little contract, right? like the first, I think, business development contract that you could probably make. He was head of, , business development, eBay. Right. So he did that. I mean, he's very well known sort of angel kind of lead syndicate guy. Now I like an angel is for like for, for ages. Pablos: Oh, Penchina. I know who you're talking about. Yeah. Ash: We still have like the first document, you will do this. I will do this. I will give you a forum. You will use it for people to talk about, I don't know, the, the, their beanie baby or whatever they were selling back then. And the, the reality was that that took off and then we started supplying this technology, which we then enabled, we RSS enabled it, by the way, of course, at some point, right. When it was, when the, when the XML feeds were like ready to go, we upgraded from XML And then we, we, we took that and we said, all right, let's go, let's go for it. And at some point we're doing 30 million a month, 30 million people a month. Unique. We're like on this thing and we never governed. You could, you could go hidden, right? Kind of like your locked Instagram page versus not, but we didn't govern anything. Forums had moderators, they were self appointed moderators of that domain of, of madness. So if you didn't like that person's moderation, You know, like, all right, screw this guy. You know, like, I don't, I don't want to listen to you. You're crazy. 
And what we found, and this was the piece of data that I think that was the wildest. Servers are expensive back then. You actually have to have servers. Or in our case we were beating everyone else. Cause we had a VAX that was locked in a, Halon secure room. No, because it came when we repurchased it for a dollar. Like the VAX was still there and Lachlan Murdoch's, office became our like conference room. No, I'm not kidding. It was, it was really crazy. There was a, it was just a VAX sitting there and, Hey, look, you could run UNIX on it. We were good. We didn't care. It loved threads and it was good. And it could do many, many, many, many threads. So we were running this, this thing highly efficiently. There's six people in a company doing that much. That was the company, literally six. I look today and how many people we hire and I'm like, there were six of us. It was wild, the iceberg effect took place. So what ended up happening is the percent, and this is where I think Facebook can't do or doesn't want to do, is how do you advertise below the waterline? And when we were sitting there with the traffic, we're like, dude, why is there so much traffic, but we can't see it, right? It looked like we only had 20, 000 forums or something, and there was like all this mad traffic going on. And. It was something like the 80, 20 rule the other way. It was like 20 percent was indexable that you could see that you could join a forum. And it was 80 percent were, were insane things like Misty's fun house. That by the way, is a legitimate. Forum at one point, right? It was Misty's fun house. So I'm just saying, cause we're trying to figure out what was going on. Where were the people chatting and talking? And that's what we did. We let them bury themselves deeper and deeper and deeper. Usenet did that. If you just go back in time, what do you think BBSs were? It's the same. Pablos: Exactly. Ash: We always love talking. Pablos: Yeah. People love talking. 
Ash: You just figure out which one you want to dial into. Pablos: Nobody's pissed off about who they're talking to really. Usually they're pissed off about who other people are talking. They're pissed off about some conversation they're not really a part of. Or a conversation they can be a spectator on, but doesn't match their culture. That's one of the big problems with Twitter it's like BBSs, and it's BBS culture. Elon was the winner of the Twitter game long before he bought Twitter, because, that's just BBS culture that he had in his mind, IRC or whatever. All kinds of people who are not part of that culture, are observing it and think that it's a horrible state, of society that people could be trolling each other and shit. And that's just part of the fun. You have this problem when you try to cram too many cultures into one place, it takes a lot of struggle to work that out if you're in, Jamaica, Queens, then you're gonna, you're gonna work it out over time, with a lot of struggle, you're going to work it out and the cultures are going to learn to get along. But in, but on Twitter, there's no incentive. Ash: That's why we still have states. The EU still has, like, how many languages? That's why we have Jersey for New Yorkers. Pablos: The EU in their way has figured out how these cultures can get along. I think there's a real simple fix to this. The big death blow to RSS in some sense was that the winning reader app was Google Reader. And so the vast majority, of the world that was using RSS was using Google Reader. And then I don't totally have insight on how this happened, but, Google chose to shut down Google Reader. And I don't know if they were trying to steer people into their, Facebook knockoff products or whatever at the time. in a lot of ways I think what it did is it just handed the internet over to Facebook. Because anybody who was being satisfied by that, and just ended up getting, into their Facebook news feed instead. 
So it just kind of ran into a walled garden. I don't really blame Facebook for this, the way a lot of people want to. I blame the users. You've got to take some responsibility, make your own choice, choose something that's good for you, and most people are not willing to do that. But, I think to make it easier for them, and there is a case to be made that , people got better things to do than architect their own rSS reader process, but we could kind of do it for them. And so I think there's one, one big kingpin missing, which is you could make a reader app that would be like an iPhone app now. And you could think of it as like open source Instagram. It's just an Instagram knockoff, but instead of following, other people on a centralized platform by Instagram, it just follows RSS. And then it only picks up RSS posts that have at least one picture, right? So any RSS post that has one picture and then the first time you post it automatically makes a WordPress blog for you, that's free. And then, posts your shit as RSS compliant blog posts, but the reader experience is still just very Instagramesque. So now it's completely decentralized in the sense that like you own your blog, yeah, WordPress is hosting it, but that's all open source. You could download it, move it to Guam if you want, whatever you want to do. So now all publishers have their own direct feeds. All users are publishers, which is kind of the main thing that Facebook solved. Ash: Content is no longer handed over to someone, right? That's the other big thing. Pablos: Exactly. The content is yours and then your followers are yours, right? When they follow you, they follow you at your URL. And so you can take them with you wherever you go. And then to make this thing more compelling, you just add a few tabs. You add the Twitteresque tab. You add the TikTokesque tab for videos. And, add, the podcast tab. So now, posts are just automatically sorted into the tab for the format that matches them. 
Because people have different modalities for, for consuming this shit. So, depending on what you're in the mood for, you might want to just look at pictures because you're on a conference call. Fine. Instagram. Or, you know, you might want to watch videos because you're on a flight. Who knows? So, the point being, all of this is easy to do. You and I could build that in a weekend. And then the reason that this works, the reason this will win is because you can win over the creators, right? Because the sales pitch to a creator, and those are the people who drive the following anyway, you see TikTok and everybody else kissing the ass of creators because that's who attracts the following. The creators win because they're not giving anything up to the platform. Because they make money off advertising. So fine. We make an advertising business and we still, take some cut of what the creators push out. But if they don't like us, there's a market for that, right? The market is I'm just pushing ads out along with my content to my followers. Some of them watch the ads. Some of them don't. I have this much of an impact. And so now you get the platforms out of the way. Ash: If you do it right, Google has ad networks that they drop everywhere. Pablos: Everybody has ad networks already for websites. You could just use that. Amazon has one. So you can sign up for that if you want. Or the thing that creators want to do, which is go do collabs, go do direct deals with brands. Now you're getting 100 percent of that income. You pump it out to your fans. And there's no ad network in the middle. Nobody's taking a cut. Alright, if you could cut your own deals, then great, but you're in control and you can't be shadow banned, you can't be deprioritized in the feed, because that's the game that's happening. These platforms, they figure out you're selling something, you immediately get deprioritized. And so the creators are all pissed off anyway. 
So I think we can win them over easily enough. And then the last piece of it is, there's one thing that doesn't exist, which is you still need to prioritize your feed. You still need an advanced algorithm to do it. You don't want to be twiddling knobs and dials all day. You might put in -Hitler if you want. But what should happen is you should also be able to subscribe to feed ranking services. So that could be, the ACLU, or the EFF, or the KKK, whoever you think should be ranking your feed. Ash: Well, I was actually thinking you could subscribe to a persona. So people could create their own recipes. So this is the world according to Ash, right? Here you go. Like, I've got my own thing. I've done my dials, my tuning, my tweaks, my stuff. And you want to see how I see the world. Here we go. The class I teach, that's the first day I tell people, take Google news and sit down and start tuning it. And everyone's like, well, let me just start to just add, put ups and downs, ups and downs, add Al Jazeera, do whatever you want. Just do everything that you want, just make them fight and put all of that in and then go down the rabbit hole. But there's no way to export that. When we start class, I always talk about viewpoints And how all content needs a filter because we are filter. But if I want to watch the world as Pablos, I can't, there's no, you can't give me your lens. So if we look at the lens concept, today you can tune Google News, there is a little subscribe capability, but you could tune it and poke it a little bit, and it will start giving you info. It's not the same, quite the same as RSS, but it's giving you all the news feeds from different places, right? Could get Breitbart, you could get, Al Jazeera, you could get all the stuff that you want. And if you go back in time to, to when I was working with the government, that was actually my sort of superpower, writing these little filters and getting, Afghani conversations in real time translated. 
And then find the same village, in the same way. So then I would have two viewpoints at the same time. The good thing was that when you did that what I haven't seen, and I would love, love this take place, is for someone to build a, Pablos filter,? And I could be like, "all right, let me, let me go see the world the way he sees it." his -Hitler, his minus, minus, -election, - Trump, -Biden, that's fine. And then, and now I have a little Pablos recipe. I can like click my glasses, and then, then suddenly I see the world, meaning I filter the world through Pablos's. Pablos: Yeah, I think that, I think we're saying a similar thing because then what you could do is you could, subscribe to that. You could subscribe to the Pablos filter. You could subscribe to the... Ash: exactly, I'm taking your ACLU thing one step further. I think ACLU is like narrow, but you could go into like personality. Pablos: You could even just reverse engineer the filter by watching what I read. My reader could figure out my filter by seeing the choices that I make. Ash: Yeah, if it's stored it right, if we had another format, but let's just say that we had an RSS feed filter format. 'cause it's there. It's really the parameters of your RSS anyway. But if you could somehow save that, config file, go back thousand years, right? If you could save the config.ini, that's what you want? And I could be like, Hey, Pablo, so I can hand that over. Let's share that with me. And now what's interesting is works really well. And it also helps because each person owning their own content, the, the beauty of that becomes, you never, you never filtered, you never blocked you, you, you're self filtering. Pablos: That's right. Ash: We're self subscribing to each other's filters. Pablos: Publishers become the masters of their domain. If you've got a problem with a publisher, you've got to go talk to them, not some intermediary. The problem is on a large scale, control is being exercised by these intermediaries. 
And they have their own ideas and agendas and things. The job here is to disintermediate - which was the whole point of the internet in the first place - communication between people. Ash: Then the metadata of that becomes pretty cool, by the way. If I figured out that, okay, now it looks like 85 percent of the population has, has gone -Biden, -Trump. Let's think about that. Suddenly you've got other info, right? Suddenly you're like, Oh, wait a minute. and if you're an advertiser or you're a product creator, or you're a, like just sitting there trying to figure out how can I get into the world, that becomes really valuable, right? Because you could. Go in and say, people just don't give a shit about this stuff, guys. I don't know what you're talking about. Whereas when you have one algorithmic machine somewhere in Meta/Facebook, whatever we want to call it, pushing things up, it could be pushing sand uphill, right? It could be like stimulating things that you don't necessarily know you want. The structure that you just described flips that on its head because it says, Hey, I just don't want to listen to this shit, guys. Like, I just could not give a crap about what you're saying. Pablos: Right. Ash: And if enough people happen to do that, then the content creators also have some, some idea of what's going on. We try to decode lenses all day long,? We spend our life, like you said, in meetings or in collaborations or business development. What do you think we do? We sit there, we're trying to figure out the other person's view. We're trying to understand if you're a salesperson, "Hey, can I walk a mile in that guy's shoes" or speak like that person, I've never heard of anyone sort of selling me, lending me, letting me borrow their RSS, like, their filter. That would be phenomenal, that'd be great. 
And I bet you, if you did it right, you might even solve a lot of problems in the world because then you could see what they see, you know, I don't want to touch the topics that we know are just absolute powder kegs, but every time we get to these topics, I always tell the person, can you show me what you, what are you reading? Pablos: Yeah. Ash: Like, where did you get? Pablos: Yeah. Ash: You ever, you ever asked someone like, "where did you get that?" and then they show you, they show you kind of their, feed. And you're just like, what is going on? Like, if you, if you go to someone, whether they're pro or anti vax, it doesn't matter where it is. And just look at their feed, look at what they're listening to, because it's not the same thing I'm listening to, because the mothership has, has decreed which, which one we each get. But you look at it and then you're like, okay, maybe the facts that they were presented with were either incomplete and maybe not maliciously? I get it in the beginning of this, you started like, okay, is it malicious and didn't do it would get changed. But if you just cut out, I don't know, let's just say there's like 10 pieces of news, but I only give you five and I give the other person the other five. And they're not synchronous, you're going to start a fight. There's no question. What we don't have is the ability to say, Hey, like, let me, let me be Pablos for a second before I start screaming, let me see what he sees. that will probably change that could change a lot. Pablos: Think it could. That and certainly there's a cognitive bias that feels comfortable in an echo chamber. This is one of the issues that we're really experiencing is that, the process of civilization, literally means "to become civil" to do that. It's sort of the long history of humans figuring out how to control obsolete biological instincts. We've been evolved to want to steal each other's food and girlfriends. 
That's not specifically valuable or relevant at this point. We've had to learn how to get along with more people, we've had to learn to become less violent, we've had to learn to, play the long game socially, those things. And, there's work to do on that as far as like how we consume all this, this information, all the media. You're using the wrong part of your brain to tune your feed right now. You're using the lazy Netflix part of your brain to tune your news, and that's not really , how are you going to get good results. There's work to do to evolve the tools and work to do to evolve the sensibilities around these things. And so, you know, what I'm suggesting is like, we're not going to get there by handing it over to the big wall garden. You got to get there through this, again, sort of. Darwinian process of trying a lot of things and so you've described some really cool things that we'd want to be able to try that are impractical to try because things are architected wrong and using Facebook is the central switchboard of these conversations or Twitter or whatever and so you know what we need is a more open platform where like you know we can all take a stab at figuring out how to design cool filters that express our point of view and share them. And that's not possible in the current architecture. I think the last thing is, there are certainly other frustrations and attempts to go solve some class of these, some subset of these problems. You've got Mastodon, of course, and the Fediverse, and you've got Blue Sky trying in their way to make a sort of open Twitter thing. And then you've got, these other attempts, but a lot of them are pretty heavy handed architecturally. As far as I can tell, most of them end up just being some suburb of people who are pissed off about one thing or another that they get its adoption, right? So, Mastodon is basically a place for people who are, backlashing against Twitter. As far as I can tell. 
Ash: Yeah, and we even worked on one, right? Called Ourglass. Pablos: I don't know that one. Ash: It was coming out and we actually did an entire session on it. I actually worked on some of the product thought design on, on how that works. , it was like, it's all on chain. Part of the, the thing that, we did was very similar to what you're talking about. You wanted the knobs and the controls, and you wanted people to rant in their space. I know it gets pretty dark when you say, okay, but what are they allowed to talk about in in the dark depths of that sort of internet and and I say, "well, they already talk about it, guys" Whether they get into a smoky back room or, there's somewhere else that if they don't say it, I feel we get more frustrated. Pablos: The fundamental difference here is between centralized services. That's certainly Facebook and Twitter, but it's also Delphi and AOL, versus open, decentralized protocols and the protocols in time win over the services like TCP/IP won over AOL, AOL was centralized service, TCP/IP, decentralized protocol. At the beginning it was a worse user experience, harder to use, but It's egalitarian and it won and I think that that's kind of the moment we're in right now with with the social media. We're still on centralized service mode and it needs to be architected as decentralized protocol and we had a chance to do that before Facebook and we lost and so now there's just like the next battle is like how do we get back on the track of decentralized protocol, and I think if we just define them... That's why I think RSS won because it's called Really Simple Syndication for a reason. Because it's really simple. It was easy for any developer to integrate. Everybody could do it. And so it just became ubiquitous almost overnight. You could design something cooler with the blockchain and whatnot. But it's probably over engineered for the job. And the job right now is just like, get adoption. Ash: We started going down that path. 
So Delphi's sort of twin was called Prospero. So Prospero, a little Tempest reference, was designed as a way that you could just adopt it. That was that first eBay deal. And then we did about.com and most of the stuff. And right now you see Disqus; it's at the bottom of some comments. It's a supported service where you had one party taking care of all of the threads and handles and display methods and posts and logins, and you were seamlessly logged into the other sites. An MD5 sort of hash, and we did the first single sign-on type nonsense, and we used to build gateways between the two, so you're going to go from one to another. But the whole idea was that you provide the communication tool as an open or available service, and you could charge for storing it. And then what happens is you don't do the moderation as a tool. That's your problem. You strip it back to "look, I'm going to provide you the car and I don't care how you drive it." Go back to our story, whether you're in Vietnam or Riyadh or whatever you're doing, we're not there to tell you which lane to go into; that's your problem. I think that one of the challenges with RSS, because we were RSS compliant, by the way. I'm pretty sure Prospero, and I'm sure it's still around, because it went XML to RSS. And I remember the fact that you could subscribe to any forum that was Prospero powered. You could subscribe to it directly through your RSS reader. And I remember what was great about it is that people were like, "we don't want your viewer." Just like we didn't want your AOL view of "you've got mail." I want my own POP server and then IMAP or whatever it is. I think there does need to be, like you said, someone putting together a little toolkit that's super easy. They don't need to know it's got RSS. They don't need to know anything. But it's like, "own your post." It can be like an Own Your Post service.
And then the Own Your Post service happens to publish RSS and everything else, and it's compliant.

Pablos: I think you just make an iPhone app, and when you set up the app it just automatically makes you a WordPress blog, and if you want you can go move it later.

Ash: You got it. All that other stuff is just automated.

Pablos: You don't even have to know it's WordPress. It's behind the scenes.

Ash: If you were going to do this, what you would do is you'd launch, and I would launch it like three different companies. Like three different tools. I've got a "keep your content" tool, and the Keep Your Content guys are something compliant, RSS. You keep bringing it back. It's published, it's out there, and then some new company, Meta Two, Son of Meta, creates a reader. Anyone that's got an RSS tag on it, we're a reader for it. So anyone using Keep Your Content or whatever. The idea being that now you're showing that there's some adoption. You almost don't have to rig it. There is a way to do this, because no one wants to download a reader if there aren't sources.

Pablos: The thing can bootstrap off of existing sources because there's so much RSS compliant content. You could imagine day one: if you downloaded this reader today, you could follow the Wall Street Journal and just everything online. And some of it you have to charge for. Like Substack has RSS. I follow Substacks. You could just follow those things in the app. Substack has a reader, but it only does Substacks, and probably Medium has one that only does Medium. But we have one that does both, plus the New York Times and everything else. So now, like any other thing, you just follow a bunch of stuff. And then there's a button that's like post. Sure, post. Boom. Now that fires up your own WordPress blog. Now you're posting. All your content's being saved. You control it. You've got some followers, or if you have this many followers, here's how much you can make in ad revenue. Boom, sign up for the ad network.
Now you're pushing ads out. All this could be done with existing stuff, just glued together, I think, with the possible exception of the filter thing, which needs to be more advanced and is probably worth revisiting.

Ash: I think what you could do is maybe the very first thing you do is create the filter company, like your RSS glasses. So instead of having to do that heavy lift, curate Pablos's. I would love to get your RSS feed list. How do you give it to me? How could you give me your RSS configured viewer?

Pablos: A lot of RSS readers make it really easy to republish your own feed. So all the things I subscribe to then go into a feed...

Ash: But then, that's blended, right?

Pablos: Oh, it's blended. Yeah, for sure.

Ash: It's blended, right? So now it becomes your feed. I'm saying, can I get your configuration?

Pablos: I don't know if there's a standard for that.

Ash: I'm saying that's maybe the thing you create, a meta Meta.

Pablos: Honestly, I think these days what you would do is just have a process that looks at everything I read, feeds it into an LLM, and tries to figure out how you define what Pablos is interested in that way. You probably would get a lot more nuance.

Ash: That's to find out what you're interested in.

Pablos: It's almost like you want your feed filtered through my lens.

Ash: That's exactly what I want. I want to read the same newspaper you're reading, so to speak. So if you assume that that feed that you get is a collection of stories, that's your newspaper, the Pablos newspaper, right? That's what it is, the Times of Pablos, and you have a collection of stories that land on your page. It's been edited. You're the editor, you're the editor in chief of your little newspaper. If you think of all your RSS feeds ripped down into your own newspaper, I'd like to read that newspaper. How do I do that? That doesn't exist. I don't think that's easy to do. And if I can do that, that'd be great.
Pablos: If you're looking on Twitter and people are reposting, if I go look at your Twitter feed and all you do is repost stuff and then occasionally make a snarky comment, that's kind of what I'm getting. I'm getting all the stuff you thought was interesting enough to repost, and I think that's a big part of why reposting merits having a button in Twitter, because that's the signal you're getting out of it. I don't love it, because part of what I don't like about Twitter is I'm not seeing a lot of unique thought from the people I follow. I'm just seeing shit they repost. And so my Twitter feed is kind of this amalgamation of all the things that were reposted by all the people I follow, and to me, that's what I don't want. I would rather just see the original posts by those people. Twitter doesn't let me do that, so I'm scrolling a lot just to get to the first-person content. I think it is a way of substantiating what you're saying, though, which is "there's a value in being able to see the world through someone else's eyes." Repost might just be kind of a budget version of that.

Ash: The reason I say that it's valuable, it's like the old days you'd sit on a train, and maybe even today, and you had a physical copy of the New York Times, and you could see who reads the New York Times and who reads the Journal. Right. And who reads the Post and the Daily News, that's what you can tell. And those people had their lenses. You go to the UK and everyone, this is the Guardian, the Independent, whatever. And you were like, oh, that's a Times reader. That's a Guardian reader, or someone looking at page three of the Sun. I have no idea what they're doing, but you knew immediately where they were.

Pablos: It's the editorial layer.

Ash: You got it.

Pablos: It's what's missing in today's context. What's missing now is you've got publishers, and you've got the readers, but the editor is gone.

Ash: Well, it's not gone, that's the problem, right?
So what we did is, in the world of press, there was a printing press and an editorial group took stories and they shoved them through the printing press. And then, the next minute, another editorial group came in and ran it through the printing press. So if you went out and you were making your sort of manifestos, the printing press probably didn't care, right? The guy at Quickie Print or whatever it was didn't care. Today, Facebook claims it's the place to publish, but it's not. Because it's editorial and publish. So what they're doing is they're taking your IP, they're taking your content, and then they're putting their editorial layer on it. Even if it's a light touch or heavy touch, whatever it is. But it's sort of like if the guy that was the printing press said "I don't really like your font." "Dude, that's how I designed it." I want the font. I like Minion, Minion Pro is my thing, right? That's what I'm going to do. But if they just decided to change it, you'd be really pissed off. Now, Facebook claims to be an agnostic platform, but they're not an ISP. They're not an open architecture like we would have had in the past, where you host what you wanted to host. There, you host what you want to host, but they're going to down-promote you. They're going to boost you. They're going to unboost you. So wait a minute, hold on a second. You're not really an open platform. And I think that's what you're getting at, which is, either you're a tool to publish or you're the editorial. The minute you're both, you're an editorial. You're actually no longer a tool.

Pablos: That's exactly right. I think that's the key thing, we've got to separate those things.

Ash: That's the element. And I think that tells you a lot about why we get frustrated. If Twitter was just a fast way to shove 140 characters across multiple SMS, which we didn't have, because we're in the U.S. We were silly and we didn't have GSM.
That's what Twitter was, right? Twitter was kind of the first version of a unified messaging platform. Because you could broadcast 140 characters and it would work on the lowest common denominator, which was your StarTAC flip phone. So the point was that Twitter was an unmoderated open tool. Then it got editorial. And then it's no longer. And I think that's the problem, right? It used to be, you had a wall on Facebook and you did whatever the hell you wanted to. And then Facebook said I need to make money and it became the publisher, became the editorial board.

Pablos: Okay, so we have a lightweight plan to save the internet. Let's see if we can find somebody to go build this stuff.

Ash: If you could build that last thing, I think it's not a complicated one, but I think they just need to sit down and grab your feed. Or someone can come up with a collection of, Mixtapes, let's call it.

Pablos: Yeah, cool. Mixtapes, I like that.

Ash: Internet Mixtapes. There you go.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 109: Practice CISSP Questions - Essential Cryptography Algorithms and Concepts (Domain 3.5)

CISSP Cyber Training Podcast - CISSP Training Program

Play Episode Listen Later Jan 25, 2024 19:55 Transcription Available


Unlock the mysteries of modern cryptography and quantum computing's future impact on security protocols with your guide, Sean Gerber. Our CISSP Cyber Training Podcast takes you through an intricate journey, ensuring you're armed with the expertise needed to conquer the CISSP exam and remain ahead in the ever-evolving landscape of cybersecurity. We promise to transform your understanding of cryptographic concepts, from the supremacy of AES in symmetric encryption to the vulnerabilities plaguing older algorithms like MD5 and DES. Prepare to grasp the significance of ECC for devices with limited resources, and the pivotal roles of RSA and hashing algorithms in maintaining the integrity and authenticity of digital communications.

Step up your career with the guidance and insight offered in our dedicated mentoring program chapter, a treasure trove for those navigating the complex paths of cybersecurity. Through CISSPcybertraining.com, we celebrate real success stories, like the student who aced the CISSP exam on their first attempt, attributing the triumph to the tailored mentoring and coaching strategies drawn from years of security experience. You'll get exclusive access to comprehensive CISSP training resources and one-on-one conversations with me, all designed to steer you towards a successful and fulfilling cybersecurity career. Embrace this episode as your beacon to a quantum-safe future and a robust understanding of digital security's best practices.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign up to join the team for free.

Powergrip Podcast
Jakso 21 | Frisbeegolfin digitalisaatio | Discmanian uudet S-linet | Frisbeegolfista EA Sports-peli?

Powergrip Podcast

Play Episode Listen Later Jan 12, 2024 61:19


The CyberWire
Russian hackers hide in Ukraine telecoms for months.

The CyberWire

Play Episode Listen Later Jan 4, 2024 32:00 Very Popular


Sandworm was in Kyivstar's networks for months. Museums face online outages. Emsisoft suggests a ransomware payment ban. An ambulance service suffers a data breach. Mandiant's social media gets hacked. GXC Team's latest offerings in the C2C underground market. 23andMe blames their breach on password reuse. Lawyers are using outdated encryption. On today's Threat Vector segment, David Moulton chats with Garrett Boyd, senior consultant at Palo Alto Networks Unit 42, about the importance of internal training and mentorship in cybersecurity. And in Russia, holiday cheers turn to political jeers.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today's Threat Vector segment with David Moulton features Garrett Boyd, a senior consultant at Unit 42 by Palo Alto Networks with a background as a Marine and professor, who discusses the importance of internal training and mentorship in cybersecurity. He provides insights into how training prepares professionals for industry challenges and how mentorship fosters professional growth and innovation. Garrett emphasizes the need for a mentorship culture in organizations and the responsibility of both mentors and mentees in this dynamic. The episode highlights the transformative impact of mentorship through personal experiences and concludes with an invitation for listeners to share their stories and a reminder to stay vigilant in the digital world.

Threat Vector
To learn what is top of mind each month from the experts at Unit 42, sign up for their Threat Intel Bulletin.

Selected Reading
- Compromised accounts and C2C markets. Cyberespionage and state-directed hacktivism. (CyberWire)
- Exclusive: Russian hackers were inside Ukraine telecoms giant for months (Reuters)
- Hackers linked to Russian spy agency claim cyberattack on Ukrainian cell network (Reuters)
- Museum World Hit by Cyberattack on Widely Used Software (The New York Times)
- The State of Ransomware in the U.S.: Report and Statistics 2023 (Emsisoft)
- Nearly 1 million affected by ambulance service data breach (The Record)
- Mandiant's account on X hacked to push cryptocurrency scam (Bleeping Computer)
- Cybercriminals Implemented Artificial Intelligence (AI) For Invoice Fraud (Resecurity)
- 23andMe tells victims it's their fault that their data was breached (TechCrunch+)
- The Curious Case of MD5 (katelynsills)
- Firmware prank causes LED curtain in Russia to display 'Slava Ukraini' — police arrest apartment owner (The Record)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

The UCL Fantasy Podcast
UCL Fantasy MD5: Preview & Team Reveals

The UCL Fantasy Podcast

Play Episode Listen Later Nov 27, 2023 46:15


EPISODE #13: UCL Fantasy MD5: Preview & Team Reveals. Louis & Dan chat all things UCL Fantasy. In this episode we preview MD5 and reveal our teams. A must listen for UCL Fantasy players! JOIN OUR MINI-LEAGUE! CODE: 49AFB3VR03 Or click this link: Join Mini-League

The UCL Fantasy Podcast
UCL Fantasy MD4/MD5: Review & Q&A

The UCL Fantasy Podcast

Play Episode Listen Later Nov 23, 2023 39:40


EPISODE #12: UCL Fantasy MD4 review. Ed, Louis & Dan chat all things UCL Fantasy. In this episode we review matchday 4 and answer some questions as we briefly look ahead to MD5. A must listen for UCL Fantasy players! JOIN OUR MINI-LEAGUE! CODE: 49AFB3VR03 Or click this link: Join Mini-League

ASecuritySite Podcast
Bill Buchanan - Which People Have Secured Our Digital World More Than Any Other?

ASecuritySite Podcast

Play Episode Listen Later Sep 3, 2023 7:57


And, so, if you could pick one or two people who have contributed most to our online security, who would it be? Ron Rivest? Shafi Goldwasser? Ralph Merkle? Marty Hellman? Whitfield Diffie? Neal Koblitz? Well, in terms of the number of data bytes protected, that prize is likely to go to Joan Daemen and Vincent Rijmen, who created the Rijndael method that NIST standardized as AES (Advanced Encryption Standard). If you are interested, Rijndael ("rain-doll") comes from the names of its creators, Rijmen and Daemen (but don't ask me about the rogue "l" at the end).

Joan Daemen was awarded the Levchin Prize at the Real World Crypto Symposium in 2016. Now his co-researcher, Vincent Rijmen, a Professor at KU Leuven, has been awarded the Levchin Prize at the Real World Crypto Symposium. This follows illustrious past winners, including Paul Kocher (for work on SSL and side-channels), Don Coppersmith (for cryptanalysis), Neal Koblitz and Victor Miller (for their co-invention of ECC) and Ralph Merkle (for work on digital signatures and hash trees). Vincent's track record in high-quality research work is exceptional, especially in the creation of the Rijndael approach to symmetric key encryption.

Before AES, we had many symmetric key encryption methods, including DES, 3DES, Twofish, Blowfish, RC4 and CAST. AES came along and replaced these. Overall, ChaCha20 is the only real alternative to AES, which is used in virtually every web connection we have and is by far the most popular method for encrypting data. And it has stood the test of time, with no known significant vulnerabilities in the method itself. Whilst we might use weak keys and have poor implementations, Rijndael has stood up well.

AES method

With AES we use symmetric key encryption, where Bob and Alice share the same secret key. Between 1997 and 2000, NIST ran a competition for the next-generation symmetric key method, and Rijndael won. In second place was Serpent, created by Ross Anderson, Eli Biham and Lars Knudsen. Let's have a look at the competition. In the end, it was the speed of Rijndael that won over the larger security margin of Serpent. If NIST had weighted security more heavily, we might now be using Serpent rather than Rijndael as AES.

NIST created the race for AES (Advanced Encryption Standard). It would be a prize that the best in the industry would join, and the winner would virtually provide the core of the industry. So, in 1997, NIST announced the open challenge for a block cipher that could support 128-bit, 192-bit and 256-bit encryption keys. The key evaluation factors were:

Security: They would rate the actual security of the method against the others submitted. This would measure the entropy in the ciphertext, and show that it was random for a range of input data; the mathematical foundation of the method; and a public evaluation of the methods and associated attacks.

Cost: The method would be made available on a non-exclusive, royalty-free basis across the world, and it would be computationally and memory efficient.

Algorithm and implementation characteristics: It would be flexible in its approach, possibly offering different block sizes and key sizes, being convertible into a stream cipher, and so on. It would be ready for both hardware and software implementation on a range of platforms, and simple to implement.

Round 1

The call was issued on 12 Sept 1997 with a deadline of June 1998, and a range of leading industry players rushed to either create methods or polish down their existing ones. NIST announced the shortlist of candidates at a conference in August 1998, and it included some of the key leaders in the field, such as Ron Rivest, Bruce Schneier and Ross Anderson (University of Cambridge):

- Australia: LOKI97 (Lawrie Brown, Josef Pieprzyk, Jennifer Seberry).
- Belgium: RIJNDAEL (Joan Daemen, Vincent Rijmen).
- Canada: CAST-256 (Entrust Technologies, Inc), DEAL (Richard Outerbridge, Lars Knudsen).
- Costa Rica: FROG (TecApro Internacional S.A.).
- France: DFC (Centre National pour la Recherche Scientifique).
- Germany: MAGENTA (Deutsche Telekom AG).
- Japan: E2 (Nippon Telegraph and Telephone Corporation).
- Korea: CRYPTON (Future Systems, Inc.).
- USA: HPC (Rich Schroeppel), MARS (IBM), RC6 (RSA Laboratories), SAFER+ (Cylink Corporation), TWOFISH (Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson).
- UK, Israel, Norway: SERPENT (Ross Anderson, Eli Biham, Lars Knudsen).

One country, the USA, had five short-listed candidates, and Canada had two. The odds were thus on the USA to come through in the end and define the standard. The event, too, was a meeting of the stars of the industry. Ron Rivest outlined that RC6 was based on RC5 but highlighted its simplicity, speed and security. Bruce Schneier outlined that TWOFISH had taken a performance-driven approach to its design, and Eli Biham outlined that SERPENT had taken an ultra-conservative philosophy for security in order for it to be secure for decades.

Round 2

And so the second conference was arranged for 23 March 1999, after which, on 9 August 1999, the five AES finalists were announced:

- Belgium: RIJNDAEL (Joan Daemen, Vincent Rijmen).
- USA: MARS (IBM), RC6 (RSA Laboratories), TWOFISH (Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson).
- UK, Israel, Norway: SERPENT (Ross Anderson, Eli Biham, Lars Knudsen).

The big hitters were now together in the final, and the money was on them winning through. Ron Rivest, Ross Anderson and Bruce Schneier all made it through, and with three of the five candidates being sourced from the USA, the money was on MARS, TWOFISH or RC6 winning the coveted prize. While the UK had a strong track record in the field, it was the nation of Belgium that surprised some and had now pushed itself into the final. While the other cryptography methods tripped off the tongue, the RIJNDAEL method took a bit of getting used to, with its name coming from the surnames of the creators: Vincent Rijmen and Joan Daemen. Ron Rivest, the co-creator of RSA, had a long track record of producing industry-standard symmetric key methods, including RC2 and RC5, along with creating one of the most widely used stream cipher methods: RC4. His name was on standard hashing methods too, including MD2, MD4, MD5 and MD6. Bruce Schneier, too, was one of the stars of the industry, with a long track record of creating useful methods, including TWOFISH and BLOWFISH.

Final

After nearly two years of review, NIST opened up to comments on the methods, which ran until May 2000. A number of submissions were taken, and the finalists seemed to be free from practical attacks, with only attacks on reduced-round variants being possible:

Table 1: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4863838/

As we can see in Table 1, the methods had different numbers of rounds: 16 (Twofish), 32 (Serpent), 10, 12 or 14 (Rijndael), 20 (RC6) and 16 (MARS). Rijndael had a different number of rounds for different key sizes, with 10 rounds for 128-bit keys, 12 for 192-bit keys and 14 for 256-bit keys. Its reduced number of rounds made it a strong candidate to be the winner. In the straw poll at the AES conference to decide the winner, Rijndael received 86 votes, Serpent got 59 votes, Twofish 31 votes, RC6 23 votes and MARS 13 votes. Although Rijndael and Serpent were similar, and both used S-boxes, Rijndael had fewer rounds and was faster, while Serpent had the larger security margin.

Conclusions

AES has advanced cybersecurity more than virtually all the other methods put together. Without it, the Internet would be a rat's nest of spying and person-in-the-middle attacks, and would be a complete mess.

ASecuritySite Podcast
Bill Buchanan - 100 Interesting Things to Learn About Cryptography

ASecuritySite Podcast

Play Episode Listen Later Aug 17, 2023 31:13


Here are my 100 interesting things to learn about cryptography: For a 128-bit encryption key, there are 340 billion billion billion billion possible keys. [Calc: 2**128/(1e9**4)] For a 256-bit encryption key, there are 115,792 billion billion billion billion billion billion billion billion possible keys. [Calc: 2**256/(1e9**8)] To crack a 128-bit encryption with brute force using a cracker running at 1 Teracracks/second, will take — on average — 5 million million million years to crack. Tera is 1,000 billion. [Calc: 2**128/100e9/2/60/60/24/365/(1e6**3)] For a 256-bit key this is 1,835 million million million million million million million million million years. For the brute force cracking of a 35-bit key symmetric key (such as AES), you only need to pay for the boiling of a teaspoon of energy. For a 50-bit key, you just need to have enough money to pay to boil the water for a shower. For a 90-bit symmetric key, you would need the energy to boil a sea, and for a 105-bit symmetric key, you need the energy to boil and ocean. For a 128-bit key, there just isn't enough water on the planet to boil for that. Ref: here. With symmetric key encryption, anything below 72 bits is relatively inexpensive to crack with brute force. One of the first symmetric key encryption methods was the LUCIFER cipher and was created by Horst Feistel at IBM. It was further developed into the DES encryption method. Many, at the time of the adoption of DES, felt that its 56-bit key was too small to be secure and that the NSA had a role in limiting them. With a block cipher, we only have to deal with a fixed size of blocks. DES and 3DES use a 64-bit (eight-byte) block size, and AES uses a 128-bit block size (16 bytes). With symmetric key methods, we either have block ciphers, such as DES, AES CBC and AES ECB, or stream ciphers, such as ChaCha20 and RC4. In order to enhance security, AES has a number of rounds where parts of the key are applied. 
With 128-bit AES we have 10 rounds, and 14 rounds for 256-bit AES. In AES, we use an S-box to scramble the bytes, and which is applied for each round. When decrypting, we have the inverse of the S-box used in the encrypting process. A salt/nonce or Initialisation Vector (IV) is used with an encryption key in order to change the ciphertext for the same given input. Stream ciphers are generally much faster than block cipers, and can generally be processed in parallel. With the Diffie-Hellman method. Bob creates x and shares g^x (mod p), and Alice creates y, and shares g^y (mod p). The shared key is g^{xy} (mod p). Ralph Merkle — the boy genius — submitted a patent on 5 Sept 1979 and which outlined the Merkle hash. This is used to create a block hash. Ralph Merkle's PhD supervisor was Martin Hellman (famous as the co-creator of the Diffie-Hellman method). Adi Shamir defines a secret share method, and which defines a mathematical equation with the sharing of (x,y), and where a constant value in the equation is the secret. With Shamir Secret Shares (SSS), for a quadratic equation of y=x²+5x+6, the secret is 6. We can share three points at x=1, x=2 and y=3, and which gives y=12, y=20, and y=20, respectively. With the points of (1,12), (2,20), and (3,20), we can recover the value of 6. Adi Shamir broke the Merkle-Hellman knapsack method at a live event at a rump session of a conference. With secret shares, with the highest polynomial power of n, we need n+1 points to come together to regenerate the secret. For example, y=2x+5 needs two points to come together, while y=x²+15x+4 needs three points. The first usable public key method was RSA — and created by Rivest, Shamir and Adleman. It was first published in 1979 and defined in the RSA patent entitled “Cryptographic Communications System and Method”. In public key encryption, we use the public key to encrypt data and the private key to decrypt it. 
In digital signing, we use the private key to sign a hash and create a digital signature, and then the associated public key to verify the signature. Len Adleman — the “A” in the RSA method — thought that the RSA paper would be one of the least significant papers he would ever publish. The RSA method came to Ron Rivest while he slept on a couch. Martin Gardner published information on the RSA method in his Scientific American article. Initially, there were 4,000 requests for the paper (which rose to 7,000), and it took until December 1977 for them to be posted. The security of RSA is based on the multiplication of two random prime numbers (p and q) to give a public modulus (N). The difficulty of RSA is the difficulty in factorizing this modulus. Once factorized, it is easy to decrypt a ciphertext that has been encrypted using the related modulus. In RSA, we have a public key of (e,N) and a private key of (d,N). e is the public exponent and d is the private exponent. The public exponent is normally set at 65,537. The binary value of 65,537 is 10000000000000001 — this number is efficient in producing ciphertext in RSA. In RSA, the ciphertext is computed from a message of M as C=M^e (mod N), and is decrypted with M=C^d (mod N). We compute the the private exponent (d) from the inverse of the public exponent (e) modulus PHI, and where PHI is (p-1)*(q-1). If we can determine p and q, we can compute PHI. Anything below a 738-bit public modulus is relatively inexpensive to crack for RSA. To crack 2K RSA at the current time, we would need the energy to boil ever ocean on the planet to break it. RSA requires padding is required for security. A popular method has been PCKS#1v1.5 — but this is not provably secure and is susceptible to Bleichenbacher's attack. An improved method is Optimal Asymmetric Encryption Padding (OAEP) and was defined by Bellare and Rogaway and standardized in PKCS#1 v2. 
The main entity contained in a digital certificate is the public key of a named entity. This is either an RSA or an Elliptic Curve key. A digital certificate is signed with the private key of a trusted entity — Trent. The public key of Trent is then used to prove the integrity and trust of the associated public key. For an elliptic curve of y²=x³+ax+b (mod p), not every (x,y) point is possible. The total number of points is defined as the order (n). ECC (Elliptic Curve Cryptography) was invented by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography algorithms did not take off until 2004. In ECC, the public key is a point on the elliptic curve. For secp256k1, we have a 256-bit private key and a 512-bit (x,y) point for the public key. A “04” in the public key is an uncompressed public key, and “02” and “03” are compressed versions with only the x-co-ordinate and whether the y coordinate is odd or even. Satoshi selected the secp256k1 curve for Bitcoin, and which gives the equivalent of 128-bit security. The secp256k1 curve uses the mapping of y²=x³ + 7 (mod p), and is known as a Short Weierstrass (“Vier-strass”) curve. The prime number used with secp256k1 is 2²⁵⁶-2³²-2⁹-2⁸-2⁷-2⁶-2⁴-1. An uncompressed secp256k1 public key has 512 bits and is an (x,y) point on the curve. The point starts with a “04”. A compressed secp256k1 public key only stores the x-co-ordinate value and whether the y coordinate is odd or even. It starts with a “02” if the y-co-ordinate is even; otherwise, it starts with a “03”. In computing the public key in ECC of a.G, we use the Montgomery multiplication method and which was created by Peter Montgomery in 1985, in a paper entitled, “Modular Multiplication without Trial Division.” Elliptic Curve methods use two basic operations: point address (P+Q) and point doubling (2.P). These can be combined to provide the scalar operation of a.G. 
In 1999, Don Johnson and Alfred Menezes published a classic paper on “The Elliptic Curve Digital Signature Algorithm (ECDSA)”. It was based on the DSA (Digital Signature Algorithm) — created by David W. Kravitz in a patent which was assigned to the US. ECDSA is a digital signature method and requires a random nonce value (k), which should never be reused or repeated. ECDSA is an elliptic curve conversion of the DSA signature method. Digital signatures are defined in FIPS (Federal Information Processing Standard) 186-5. NIST approved the Rijndael method (led by Joan Daemen and Vincent Rijmen) for the Advanced Encryption Standard (AES). Other contenders included Serpent (led by Ross Anderson), Twofish (led by Bruce Schneier), MARS (led by IBM), and RC6 (led by Ron Rivest). ChaCha20 is a stream cipher that is based on Salsa20 and was developed by Daniel J. Bernstein. MD5 has a 128-bit hash, SHA-1 has 160 bits and SHA-256 has 256 bits. It is relatively easy to create a hash collision with MD5. Google showed that it was possible to create a signature collision for a document with SHA-1. It is highly unlikely to get a hash collision for SHA-256. In 2015, NIST defined SHA-3 as a standard, which was built on the Keccak hashing family — and which uses a different method to SHA-2. The Keccak hash family uses a sponge function and was created by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, and was standardized by NIST in August 2015 as SHA-3. Hash functions such as MD5, SHA-1 and SHA-256 have a fixed hash length, whereas an eXtendable-Output Function (XOF) produces a bit string that can be of any length. Examples are SHAKE128, SHAKE256, BLAKE2XB and BLAKE2XS. BLAKE3 is the fastest cryptographically secure hashing method and was created by Jack O'Connor, Jean-Philippe Aumasson, Samuel Neves, and Zooko Wilcox-O'Hearn. Hashing methods can be slowed down with a number of rounds. These slower hashing methods include Bcrypt, PBKDF2 and scrypt. 
Argon2 uses methods to try and break GPU cracking, such as using a given amount of memory and defining the CPU utilization. To speed up the operation of the SHA-3 hash, the team reduced the security of the method and reduced the number of rounds. The result is the KangarooTwelve (K12) hashing method. The number of rounds was reduced from 24 to 12 (with a security level of around 128 bits). The Integrated Encryption Scheme (IES) is a hybrid encryption scheme which allows Alice to get Bob's public key and then generate an encryption key based on this public key, and she will use her private key to recover the symmetric key. With ECIES, we use elliptic curve methods for the public key part. A MAC (Message Authentication Code) uses a symmetric key to sign a hash, where Bob and Alice share the same secret key. The most popular method is HMAC (hash-based message authentication code). The AES block cipher can be converted into a stream cipher using modes such as GCM (Galois Counter Mode) and CCM (counter with cipher block chaining message authentication code; counter with CBC-MAC). A MAC is added to a symmetric key method in order to stop the ciphertext from being attacked by flipping bits. GCM does not have a MAC, and is thus susceptible to this attack. CCM is more secure, as it contains a MAC. With symmetric key encryption, we must remove the encryption keys in the reverse order they were applied. Commutative encryption overcomes this by allowing the keys to be removed in any order. It is estimated that Bitcoin miners consume 17.05 GW of electrical power per day and 149.46 TWh per year. A KDF (Key Derivation Function) is used to convert a passphrase or secret into an encryption key. The most popular methods are HKDF, PBKDF2 and Bcrypt. RSA, ECC and Discrete Log methods will all be cracked by quantum computers using Shor's algorithm. Lattice methods represent bit values as polynomial values, such as 1001 being x³+1 as a polynomial. 
Taher Elgamal — the sole inventor of the ElGamal encryption method — and Paul Kocher were the creators of SSL, and developed it for the Netscape browser. David Chaum is considered a founder of electronic payments and, in 1983, created ECASH, along with publishing a paper on “Blind signatures for untraceable payments”. Satoshi Nakamoto worked with Hal Finney on the first versions of Bitcoin, which were created for a Microsoft Windows environment. Blockchains can either be permissioned (requiring rights to access the blockchain) or permissionless (open to anyone to use). Bitcoin and Ethereum are the two most popular permissionless blockchains, and Hyperledger is the most popular permissioned ledger. In 1992, Eric Hughes, Timothy May, and John Gilmore set up the cypherpunk movement and declared, “We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.” In Bitcoin and Ethereum, a private key (x) is converted to a public key with x.G, where G is the base point on the secp256k1 curve. Ethereum was first conceived in 2013 by Vitalik Buterin, Gavin Wood, Charles Hoskinson, Anthony Di Iorio and Joseph Lubin. It introduced smaller blocks, improved proof of work, and smart contracts. NI-ZKPs involve a prover (Peggy), a verifier (Victor) and a witness (Wendy), and were first defined by Manuel Blum, Paul Feldman, and Silvio Micali in their paper entitled “Non-interactive zero-knowledge and its applications”. Popular ZKP methods include ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) and ZK-STARKs (Zero-Knowledge Scalable Transparent Argument of Knowledge). Bitcoin and Ethereum are pseudo-anonymised, where the sender and recipient of a transaction, and its value, can be traced. Privacy coins enable anonymous transactions. These include Zcash and Monero. 
In 1992, David Chaum and Torben Pryds Pedersen published “Wallet databases with observers,” and outlined a method of shielding the details of a monetary transaction. In 1992, Adi Shamir (the “S” in RSA) published a paper on “How to share a secret” in the Communications of the ACM. This supported the splitting of a secret into a number of shares (n), where a threshold value (t) could be defined for the minimum number of shares that need to be brought back together to reveal the secret. These are known as Shamir Secret Shares (SSS). In 1991, Torben P. Pedersen published a paper entitled “Non-interactive and information-theoretic secure verifiable secret sharing” — which is now known as the Pedersen Commitment. This is where we produce our commitment and then later show the message that matches the commitment. Distributed Key Generation (DKG) methods allow a private key to be shared by a number of trusted nodes. These nodes can then sign for a part of the ECDSA signature by producing a partial signature with their shares of the key. Not all blockchains use ECDSA. The IOTA blockchain uses the EdDSA signature, which uses Curve25519. This is a more lightweight signature version and has better support for signature aggregation. It uses Twisted Edwards Curves. The core signing method used in EdDSA is based on the Schnorr signature scheme, which was created by Claus Schnorr in 1989. This was patented as a “Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system”. The patent ran out in 2008. Curve25519 uses the prime number 2²⁵⁵-19 and was created by Daniel J. Bernstein. Peter Shor showed that elliptic curve methods can be broken with quantum computers. To overcome the cracking of the ECDSA signature by quantum computers, NIST are standardising a number of methods. At present, this focuses on CRYSTALS-Dilithium, which is a lattice cryptography method. 
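The Shamir Secret Sharing scheme summarised above (n shares, threshold t), as an added example that is not code from the page or from ASecuritySite. The secret becomes the constant term of a random polynomial of degree t-1 over a prime field, each share is one point on that polynomial, and Lagrange interpolation at x=0 recovers the secret from any t shares. PRIME, the function names and the rng parameter are the example's own assumptions.

```python
import secrets

# Field modulus. Assumption: any prime larger than the secret will do; this
# Mersenne prime is chosen so 127-bit secrets fit and arithmetic stays exact.
PRIME = 2**127 - 1


def split_secret(secret, n, t, rng=secrets.randbelow):
    """Split `secret` into n shares so that any t of them reconstruct it.

    A random polynomial f of degree t-1 is built with f(0) = secret; share i
    is the point (i, f(i)). Fewer than t points leave f(0) undetermined.
    `rng(m)` must return an integer in [0, m); it is a parameter only so the
    example can be run deterministically."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret] + [rng(PRIME) for _ in range(t - 1)]

    def f(x):
        # Horner evaluation of the polynomial modulo PRIME
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME).

    Correct only when at least t distinct shares are supplied; with fewer,
    the interpolated polynomial has the wrong degree and f(0) is meaningless,
    which is exactly the threshold property."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    secret = int.from_bytes(b"constructed demo", "big")
    shares = split_secret(secret, n=5, t=3)
    for s in shares:
        print("share", s[0], "=", hex(s[1]))
    print("from 3 shares:", recover_secret(shares[:3]) == secret)
    print("from 2 shares:", recover_secret(shares[:2]) == secret)
```

Shares are indexed from 1 because x=0 is the secret itself; handing out share 0 would hand out the secret in clear.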
Bulletproofs were created in 2017 by Stanford's Applied Cryptography Group (ACG). They define a zero-knowledge proof where a value can be checked to see that it lies within a given range. The name “bulletproofs” is defined as they are short, like a bullet, and with bulletproof security assumptions. Homomorphic encryption methods allow for the processing of encrypted values using arithmetic operations. A public key is used to encrypt the data, which can then be processed using an arithmetic circuit on the encrypted data. The owner of the associated private key can then decrypt the result. Some traditional public key methods enable partial homomorphic encryption. RSA and ElGamal allow for multiplication and division, whilst Paillier allows for homomorphic addition and subtraction. Full homomorphic encryption (FHE) supports all of the arithmetic operations and includes Fan-Vercauteren (FV) and BFV (Brakerski/Fan-Vercauteren) for integer operations and HEAAN (Homomorphic Encryption for Arithmetic of Approximate Numbers) for floating point operations. Most of the Full Homomorphic Encryption methods use lattice cryptography. Some blockchain applications use Barreto-Lynn-Scott (BLS) curves, which are pairing-friendly. They can be used to implement bilinear groups, which are a triplet of groups (G1, G2 and GT), so that we can implement a function e() such that e(g1^x,g2^y)=gT^{xy}. Pairing-based cryptography is used in ZKPs. The main BLS curves used are BLS12-381, BLS12-446, BLS12-455, BLS12-638 and BLS24-477. An accumulator can be used for zero-knowledge proof of knowledge, such as using a BLS curve to add and remove proofs of knowledge. Metamask is one of the most widely used blockchain wallets and can integrate with many blockchains. Most wallets generate the seed from the operating system, where the browser can use the Crypto.getRandomValues function, which is compatible with most browsers. 
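The partial homomorphic encryption the paragraph above attributes to Paillier, as an added example that is not code from the page or from ASecuritySite: a public key encrypts, ciphertexts are combined without the private key, and the private key decrypts the combined result. The primes P and Q are constructed toy values and the function names are the example's own; the key generation uses the common simplification g = n + 1.

```python
import secrets
from math import gcd, lcm  # math.lcm needs Python 3.9+

# Constructed toy primes for readability; real Paillier keys use primes of
# roughly 1024 bits or more.
P, Q = 10007, 10009


def paillier_keygen(p, q):
    """Public key (n, g) and private key (lambda, mu, n) with g = n + 1."""
    n = p * q
    if gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("primes must satisfy gcd(n, phi) == 1")
    lam = lcm(p - 1, q - 1)
    # With g = n + 1 we have L(g^lambda mod n^2) = lambda, so mu = lambda^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu, n)


def paillier_encrypt(pub, m, r=None):
    """c = g^m * r^n mod n^2; a fresh random r makes encryption probabilistic."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n2) * pow(r, n, n2) % n2


def paillier_decrypt(priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu, n = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n
    return l_value * mu % n


def add_ciphertexts(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n."""
    n, _ = pub
    return c1 * c2 % (n * n)


def subtract_ciphertexts(pub, c1, c2):
    """E(m1) * E(m2)^(n-1) mod n^2 decrypts to m1 - m2 mod n."""
    n, _ = pub
    n2 = n * n
    return c1 * pow(c2, n - 1, n2) % n2


def multiply_by_constant(pub, c, k):
    """E(m)^k mod n^2 decrypts to k*m mod n: scaling by a known constant is
    allowed, but multiplying two ciphertexts together is not (partial HE)."""
    n, _ = pub
    return pow(c, k, n * n)


if __name__ == "__main__":
    pub, priv = paillier_keygen(P, Q)
    c1, c2 = paillier_encrypt(pub, 42), paillier_encrypt(pub, 58)
    total = add_ciphertexts(pub, c1, c2)
    print("sum computed under encryption:", paillier_decrypt(priv, total))
    print("3 * 42 under encryption:", paillier_decrypt(priv, multiply_by_constant(pub, c1, 3)))
```

The party doing the arithmetic never sees 42 or 58, only the two ciphertexts, yet the key holder decrypts the product of the ciphertexts to 100; that is the property the text describes as processing on encrypted data.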
With a Verifiable Delay Function (VDF), we can prove that a given amount of work has been done by a prover (Peggy). A verifier (Victor) can then send the prover a proof value and compute a result which verifies the work has been done, with the verifier not needing to do the work but still being able to prove that the work has been done. A Physical Unclonable Function (PUF) is a one-way function which creates a unique signature pattern based on the inherent delays within the wires and transistors. This can be used to link a device to an NFT.

Da Lao Li Talks Math (Complete Collection)
S4E25. An Undeniable Bet: A Chat About Hash Functions

Da Lao Li Talks Math (Complete Collection)

Play Episode Listen Later Aug 4, 2023 31:00


The hash values of two similar strings are completely different:
~ echo 大老李聊数学 | md5
Aeeb9bab2b328c3304d88f691d60fe64
~ echo 大老王聊数学 | md5
52454cd51a108d4d79ca049770170a72
The md5 hash of a copy of the novel Romance of the Three Kingdoms that I downloaded:
cat 三国演义.txt| md5
62567e868640dd07494fdd399d618617
The image above displays its own md5 hash:
MD5 (md5.gif) = f5ca4f935d44b85c431a8bf788c0eaca
Ximalaya FM: https://www.ximalaya.com/keji/6310606/ (you are welcome to join the Ximi group)
WeChat: dalaoli_shuxue
Bilibili: https://space.bilibili.com/423722633
Zhihu: https://zhuanlan.zhihu.com/dalaoli-shuxue/

ASecuritySite Podcast
Bill Buchanan: Cybersecurity Cloud Lesson 1 - Rule Book in Key Management

ASecuritySite Podcast

Play Episode Listen Later Jul 23, 2023 21:56


Cybersecurity Cloud Lesson 1 rule book in key management for companies: Your encryption keys are the keys to your castle. So protect them with your life! Your enemy is you! The main threat is insiders, so beware of yourself and others in your company. Beware of those that you trust and who you partner with. They can be your enemies, too. For sensitive data, try not to let Amazon or Microsoft manage your keys. Put your private keys in an HSM (Hardware Security Module). A shared HSM is fine, but if you have funds, create your own Cloud HSM. If you are audited for your keys, you may need an on-premises HSM to link to your Cloud instance. Create meaningful tags for your keys that make sense for everyone. Don't tag them as “Key1”, “Key2”, and so on. Give them meaning, such as “Main Active Directory Single Sign-on Key for Sales in Europe”. Add words that allow you to search for keys easily. Log the usage of your keys everywhere and link it to people, roles, services and applications. Log, log and log some more. Watch out for those keys being deleted … it is one of the easiest hacks for a disgruntled employee to perform. Watch out for key wrapping from your insiders and your key exports. See Point 1. Use a tiered alerting system which escalates the severity of the key usage, but make sure you keep those logs. Use envelope encryption. Test, test, and test some more. Audit, audit, and audit. On a daily basis, if necessary. Test those encrypted backups. We all make mistakes. If you delete a key, please say, as we have 60 days to undelete it. Use key rotation wherever possible. Just because ECDSA and EdDSA sound all fancy and brand new doesn't mean that RSA is not an option. RSA is still your friend. Forget about those doomsayers on quantum cracking. MD5 and SHA-1 should never, ever, be seen. Beware of DevOpSec. They can be sloppy with their keys. Tell them off for doing risky things! I had better stop here. 
So, finally, put a large poster on the wall that says, “no key, means no data!”, “the enemy is within and around you!”, “A breach of the trust infrastructure is one of the most expensive cybersecurity threats to resolve”, “A single key breached, and this company could be finished!”. Sorry for being so coarse in places, but handling keys is a serious business.

Weld - NDT - Quality Guru Podcast
Remote “Quality” Auditing-Considerations

Weld - NDT - Quality Guru Podcast

Play Episode Listen Later Jun 14, 2023 15:46


• Guidelines, standards, and resources to address Remote Auditing
• The purpose of auditing includes verifying the conformance of an organization's processes and management system to defined requirements. The stated criteria depend on the type of audit and its objective, and can vary. The standard(s) against which an audit may be conducted could be an organization's own internal procedures or work instructions; a management systems standard such as ISO 9001, AS9100, or International Automotive Task Force (IATF) 16949; ISO 22000, “Food Safety Management Systems (FSMS)”; customer-specified requirements; or government regulations such as FAA/Nadcap, NRC, etc.
• Remote auditing has been a hot topic over the last year, given the circumstances surrounding the COVID-19 pandemic. However, remote auditing has been around for over a decade. Its popularity now is being spurred by advances in technology and globalization. There has been a considerable increase in multi-site companies with operations scattered across the globe and more companies engaging in international supply chains that require auditing.
• Regardless, proper planning is key for contingency and for understanding the kinds of risks to achieving audit objectives based upon the scope/criteria, the most suitable and available technology, and the auditor's and auditee's complete understanding of the Information and Communications Technology (ICT) platform(s) to be used.
• Companies, Registrars, and Accreditation Organizations are now reinventing, and must continue to reinvent and adapt to, the “new normal” regarding “Remote Auditing”, and figure out ways to achieve a balance between assuring Quality Management System conformance and not auditing at all, while maintaining the rigor and respect of a QMS and/or Accreditation program as we move forward.
• ISO 19011 Annex A.1 (option) and A.16 cover remote and virtual auditing, and ISO/IEC 17021 has recognized remote auditing since 2011.
Considerations of the International Accreditation Forum (IAF) Mandatory Documents MD4 and MD5:2019 and Guidance ID3 are available, and links are included.
• There are still limitations when considering issues like initial audits and/or critical processes, highly classified facilities and proprietary processes, or problematic non-conforming systems previously audited.
• Remote Auditing Practices and Resources
* Remote Auditing: A Quick and Easy Guide for Management System Auditors, Paperback, 2020, Denise Robitaille
Links to relevant sources
https://www.iaf.nu/articles/Mandatory_Documents_/38
• IAF MD4:2018: ICT is the use of technology for gathering, storing, retrieving, processing, analyzing, and transmitting information. It includes software and hardware such as smartphones, handheld devices, laptop computers, desktop computers, drones, video cameras, wearable technology, artificial intelligence, and others. The use of ICT may be appropriate for auditing/assessment both locally and remotely.
• ISO 9001 Auditing Practices Group Guidance on: REMOTE AUDITS, provides for:
* BACKGROUND INFORMATION ON ISO 19011:2018 AND IAF MD 4
* GENERAL RECOMMENDATIONS FOR REMOTE AUDITING
* AUDIT PROGRAM
* AUDIT PLANNING
* AUDIT REALIZATION
* AUDIT CONCLUSION
** Annex: Example of identification of Risks and Opportunities for using remote auditing.
https://committee.iso.org/files/live/sites/tc176/files/documents/ISO%209001%20Auditing%20Practices%20Group%20docs/Auditing%20General/APG-Remote_Audits.pdf
• Remote Auditing a

The Adventures of Pipeman
PipemanRadio Interviews Helloween

The Adventures of Pipeman

Play Episode Listen Later Mar 31, 2023 15:43


PipemanRadio Interviews Helloween
HELLOWEEN To Return To The US And Canada This Spring; Tickets On Sale NOW!
Legendary German heavy metal icons HELLOWEEN will return to the US and Canada this Spring as part of their ongoing United Forces world tour alongside supporting special guests, HammerFall. The trek will commence on May 13th in Dallas, Texas and wind its way through a total of thirteen cities, the journey drawing to a close on June 3rd in San Francisco, California. Fans can expect an epic night of HELLOWEEN hits spanning the band's legacy as well as tunes from their latest album, Helloween, marking the first time tracks from the album will be performed live for US and Canadian audiences. Tickets are on sale now. Secure yours today at THIS LOCATION. See all confirmed dates below.
HELLOWEEN w/ HammerFall:
5/13/2023 The Bomb Factory – Dallas, TX
5/16/2023 Jannus Live – St. Petersburg, FL
5/18/2023 The Fillmore – Silver Spring, MD
5/20/2023 Terminal 5 – New York, NY
5/21/2023 The Palladium – Worcester, MA
5/23/2023 History – Toronto, ON
5/24/2023 Royal Oak Music Hall – Royal Oak, MI
5/26/2023 The Riviera – Chicago, IL
5/27/2023 The Fillmore – Minneapolis, MN
5/30/2023 Ogden Theatre – Denver, CO
6/01/2023 Brooklyn Bowl – Las Vegas, NV
6/02/2023 YouTube Theater – Los Angeles, CA
6/03/2023 The Warfield – San Francisco, CA
For HELLOWEEN coverage in the US contact liz@earsplitcompound.com.
http://www.helloween.org
http://www.facebook.com/helloweenofficial
http://www.instagram.com/helloweenofficial
http://www.twitter.com/helloweenorg
http://www.youtube.com/helloween
http://www.atomicfire-records.com
http://www.facebook.com/atomicfirerecords
http://www.instagram.com/atomicfirerecords
http://www.twitter.com/atomicfirerec
Take some zany and serious journeys with The Pipeman aka Dean K. Piper, CST on The Adventures of Pipeman, also known as Pipeman Radio, syndicated globally “Where Who Knows And Anything Goes”. 
Listen to & Watch a show dedicated to motivation, business, empowerment, inspiration, music, comedy, celebrities, shock jock radio, various topics, and entertainment. The Adventures of Pipeman is hosted by Dean K. Piper, CST aka “The Pipeman”, who has been said to be a hybrid of Tony Robbins, Batman, and Howard Stern. The Adventures of Pipeman has received many awards and media features, and has been ranked in multiple categories as one of the Top 6 Live Radio Shows & Podcasts in the world. Pipeman Radio also consists of multiple podcasts showing the many sides of Pipeman. These include The Adventures of Pipeman, Pipeman in the Pit, Positively Pipeman and more. You can find all of the Pipeman Podcasts anywhere you listen to podcasts. With thousands of episodes that focus on Intertainment, which combines information and entertainment, there is something for everyone, including over 5000 interviews with celebrities, music artists/bands, authors, speakers, coaches, entrepreneurs, and all kinds of professionals.
Then there is The Pipeman Radio Tour, where Pipeman travels the country and world doing press coverage for Major Business Events, Conferences, Conventions, Music Festivals, Concerts, Award Shows, and Red Carpets. One of the top publicists in music has named Pipeman the “King of All Festivals.” So join the Pipeman as he brings “The Pipeman Radio Tour” to life right before your ears and eyes.
The Adventures of Pipeman Podcasts are heard on The Adventures of Pipeman Site, Pipeman Radio, Talk 4 Media, Talk 4 Podcasting, iHeartRadio, Pandora, Amazon Music, Audible, Spotify, Apple Podcast, Google Podcasts and over 100 other podcast outlets where you listen to Podcasts. 
The following are the different podcasts to check out and subscribe to:
• The Adventures of Pipeman
• Pipeman Radio
• Pipeman in the Pit
• Positively Pipeman
Follow @pipemanradio on all social media outlets
Visit Pipeman Radio on the Web at linktr.ee/pipemanradio, theadventuresofpipeman.com, pipemanradio.com, talk4media.com, w4cy.com, talk4tv.com, talk4podcasting.com
Download The Pipeman Radio APP
Phone/Text Contact – 561-506-4031
Email Contact – dean@talk4media.com
The Adventures of Pipeman is broadcast live daily at 8AM ET.
The Adventures of Pipeman TV Show is viewed on Talk 4 TV (www.talk4tv.com).
The Adventures of Pipeman Radio Show is broadcast on W4CY Radio (www.w4cy.com) and K4HD Radio (www.k4hd.com) – Hollywood Talk Radio part of Talk 4 Radio (www.talk4radio.com) on the Talk 4 Media Network (www.talk4media.com).
The Adventures of Pipeman Podcast is also available on www.theadventuresofpipeman.com, Talk 4 Media (www.talk4media.com), Talk 4 Podcasting (www.talk4podcasting.com), iHeartRadio, Amazon Music, Pandora, Spotify, Audible, and over 100 other podcast outlets.

ExtraTime
Which teams are hurt (or helped) most by int'l break? MD5 preview + Dante Vanzeir

ExtraTime

Play Episode Listen Later Mar 23, 2023 82:03


The guys are here to get you ready for MLS Matchday 5! We dig into our games to watch, the Rapids tough start and the effects of the international break. 6:24 - Arsenal named 2023 MLS All-Star opponent 14:54 - MLS teams getting hit hard by international call ups 28:21 - Austin v Colorado in a matchup of desperate teams 30:57 - Deep dive on what's gone wrong in Colorado 48:17 - Our matches to watch in MD5 59:06 - Dante Vanzeir Interview 1:17:57 - Mailbag

Critical Thinking - Bug Bounty Podcast
Episode 5: AI Security, Hacking WiFi, the New XSS Hunter, and more

Critical Thinking - Bug Bounty Podcast

Play Episode Listen Later Feb 2, 2023 53:29


Episode 5: In this episode of Critical Thinking - Bug Bounty Podcast we talk about the new XSS Hunter, MD5 collisions and using ChatGPT for security, and much more!
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Save All Resources Chrome Extension: https://chrome.google.com/webstore/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb?hl=en
Corben's AMA: https://twitter.com/hacker_/status/1620514351521366016
Collisions repo: https://github.com/corkami/collisions

Sophos Podcasts
S3 Ep120: When dud crypto simply won't let go

Sophos Podcasts

Play Episode Listen Later Feb 2, 2023 16:29


The mighty CPU that wasn't. Hive ransomware takedown. Dutch data crime suspect busted. Samba finally gets rid of MD5. GitHub admits to an intrusion. Storing passwords securely. Original music by Edith Mudge Got questions/suggestions/stories to share? Email tips@sophos.com Twitter @NakedSecurity

The Swyx Mixtape
[Weekend Drop] Talking ChatGPT on the Changelog

The Swyx Mixtape

Play Episode Listen Later Jan 7, 2023 86:27


Subscribe to Changelog++: https://changelog.com/podcast/519/discuss
Featuring Shawn Wang – Twitter, GitHub, Website
Adam Stacoviak – Mastodon, Twitter, GitHub, LinkedIn, Website
Jerod Santo – Mastodon, Twitter, GitHub, LinkedIn
Notes and Links
AI Notes
Why “Prompt Engineering” and “Generative AI” are overhyped
Multiverse, not Metaverse
The Particle/Wave Duality Theory of Knowledge
OpenRAIL: Towards open and responsible AI licensing frameworks
Open-ish from Luis Villa
ChatGPT for Google
The Myth of The Infrastructure Phase
ChatGPT examples in the wild
Debugging code
TypeScript answer is wrong
Fix code and explain fix
dynamic programming
Translating/refactoring Wasplang DSL
AWS IAM policies
Code that combines multiple cloud services
Solving a code problem
Explain computer networks homework
Rewriting code from elixir to PHP
Turning ChatGPT into an interpreter for a custom language, and then generating code and executing it, and solving Advent of Code correctly
Including getting #1 place
“I haven't done a single google search or consulted any external documentation to do it and I was able to progress faster than I have ever did before when learning a new thing.”
Build holy grail website and followup with framework, copy, responsiveness
For ++ subscribers
Getting Senpai To Notice You
Moving to Obsidian as a Public Second Brain

Transcript

**Jerod Santo:** Alright, well we have Sean Wang here again. Swyx, welcome back to the show.

**Shawn Wang:** Thanks for having me back on. I have lost count of how many times, but I need to track my annual appearance on the Changelog.

**Adam Stacoviak:** Is that twice this year on this show, and then once on JS Party at least, right?

**Shawn Wang:** Something like that, yeah. I don't know, it's a dream come true, because, I changed careers into tech listening to the Changelog, so every time I'm asked on, I'm always super-grateful. 
So yeah, here to chat about all the hottest, latest things, right?

**Adam Stacoviak:** Yeah.

**Jerod Santo:** That's right, there's so much going on right now. It seems like things just exploded this fall. So we had Stable Diffusion back in late August; it really blew up at the end of August. And then in September is when we had Simon Willison on the show to talk about Stable Diffusion breaking the internet. You've been tracking this stuff really closely. You even have a Substack, and you've got Obsidian notes out there in the wild, and then of course, you're learning in public, so whenever Swyx is learning something, we're all kind of learning along with you... Which is why we brought you back on. I actually included your Stable Diffusion 2.0 summary stuff in our Changelog News episode a couple of weeks back, and a really interesting part of that post that you have, that I didn't talk about much, but I touched on and I want you to expand upon here is this idea of prompt engineering, not as a cool thing, but really as a product smell. And when I first saw it, I was like, "No, man, it's cool." And then I read your explainer and I'm like, "No, he's right. This is kind of a smell."

**Adam Stacoviak:** "Dang it, he's right again."

**Jerod Santo:** Yeah. We just learned about prompt engineering back in September, with Simon, and talking about casting spells and all this, and now it's like, well, you think it's overhyped. I'll stop prompting you, and I'll just let you engineer an answer.

**Jerod Santo:** Well, so I don't know if you know, but the Substack itself got its start because I listened to the Simon episode, and I was like, "No, no, no. Spellcasting is not the way to view this thing. It's not something we glorify." And that's why I wrote "Multiverse, not Metaverse", because the argument was that prompting is -- you can view prompting as a window into a different universe, with a different seed, and every seed is a different universe. 
And funny enough, there's a finite number of seeds, because basically, Stable Diffusion has a 512x512 space that determines the total number of seeds.

So yeah, prompt engineering [unintelligible 00:04:23.23] is not my opinion. I'm just reporting on what the AI thought leaders are already saying, and I just happen to agree with it, which is that it's very, very brittle. The most interesting finding in the academic arena about prompt engineering is that default GPT-3, they ran it against some benchmarks and it came up with like a score of 17 out of 100. So that's a pretty low benchmark of like just some logical, deductive reasoning type intelligence tests. But then you add the prompt "Let's think step by step" to it, and that increases the score from 17 to 83... Which is extremely -- like, that sounds great. Like I said, it's a magic spell that I can just kind of throw onto any problems and make it think better... But if you think about it a little bit more, like, would you actually use this in a real work environment, if you said the wrong thing and it suddenly deteriorates in quality - that's not good, and that's not something that you want to have in any stable, robust product; you want robustness, you want natural language understanding, to understand what you want, not to react to random artifacts and keywords that you give.

Since then, we actually now know why "Let's think step by step" is a magic keyword, by the way, because -- and this is part of transformer architecture, which is that the neural network has a very limited working memory, and if you ask a question that requires too many steps to calculate the end result, it doesn't have the working memory to store the result, therefore it makes one up. 
But if you give it the working memory, which is to ask for a longer answer, the longer answer stores the intermediate steps, therefore giving you the correct result.

**Jerod Santo:** [06:00] Talk about implementation detail, right?

**Shawn Wang:** It's yeah, it's leaking implementation detail, it's not great, and that's why a lot of the thought leaders - I think I quoted Andrej Karpathy, who was head of AI at Tesla, and now he's a YouTuber... [laughter] And Sam Altman, who is the CEO of -- yeah, he quit Tesla to essentially pursue an independent creator lifestyle, and now he's a YouTuber.

**Jerod Santo:** I did not know that.

**Adam Stacoviak:** All roads lead to creator land, you know what I'm saying? You'll be an expert in something for a while, and eventually you'll just eject and be like "I want to own my own thing, and create content, and educate people around X."

**Shawn Wang:** So at my day job I'm a head of department now, and I work with creators, and some of them have very valuable side hustles... And I just had this discussion yesterday, of like "Why do you still have a job if you're an independent creator? Like, isn't total independence great." And I had to remind them, "No. Like, career progression is good. You're exposed to new things etc." but that's just me trying to talk him out of quitting. [laughter] No, I have a serious answer, but we're not here to talk about that.

**Jerod Santo:** Right.

**Shawn Wang:** So I'll read out this quote... So Sam Altman, CEO of OpenAI, says "I don't think we'll still be doing prompt engineering in five years. It's not about figuring out how to hack the prompt by adding one magic word to the end that changes everything else. What will matter is the quality of ideas and the understanding that you want." I think that is the prevailing view, and I think as people change models, they are understanding the importance of this.

So when Stable Diffusion 1 came out, everyone was like, "Alright, we know how to do this. 
I'm going to build an entire business on this" etc. And then Stable Diffusion 2 came out and everything broke. All the [unintelligible 00:07:40.21] stopped working, because they just expected a different model, and you have to increase your negative prompting, and people are like "What is negative prompting?" etc. These are all new techniques that arise out of the model, and this is going to happen again and again and again, because you're relying on a very, very brittle foundation.

Ultimately, what we want to get people to is computers should understand what we want. And if we haven't specified it well enough, they should be able to ask us what we want, and we should be able to tell them in some capacity, and eventually, they should produce something that we like. That is the ultimate alignment problem.

We talk about AI a lot, and you hear about this alignment problem, which is basically some amount of getting it to do what we want it to do, which is a harder problem than it sounds until you work with a programmer, and try to give them product specs and see how many different ways they can get it wrong. But yeah, this is an interesting form of the alignment problem, and it interestingly has a very strong tie with Neuralink as well, because the problem, ultimately, is the amount of bandwidth that we can transfer from our brain to an artificial brain. And right now it's prompts. But why does it have to be prompts? It could be images. That's why you have image-to-image in Stable Diffusion. And it could also be brain neural connections. So there's a lot in there; I'll give you time to pick on whatever you respond to...

**Jerod Santo:** Well, I went from -- so I was super-excited about prompting after talking with Simon a few months back, and I was super-excited about Stable Diffusion. 
And I went from like giddy schoolboy who's just like "Gonna learn all the spells" very quickly to like aggravated end user who's like "Nah, I don't want to go to this other website and copy and paste this paragraph of esoterica in order to get a result that I like." And so I wonder what's so exciting about the whole prompt engineering thing to us nerds, and I think maybe there's like a remnant of "Well, I still get to have esoteric knowledge" or "I still get to be special somehow if I can learn this skill..."

[09:46] But in reality, what we're learning, I think, by all the people using ChatGPT - the ease of use of it, as opposed to the difficulty of getting an image out of Stable Diffusion 1.0 at least, is quite a bit different. And it goes from aggravating and insider baseball kind of terms, keywords, spells, to plain English, explain what you want, and maybe modify that with a follow-up, which we'll get into ChatGPT, but we don't necessarily have to go into the depths of that right now... But I changed very quickly, even though I still thought prompt engineering was pretty rad... And then when you explain to me how Stable Diffusion 2 completely broke all the prompts, I'm like, "Oh yeah, this is a smell. This doesn't work. You can't just completely change the way it works on people..." That doesn't scale.

**Shawn Wang:** Yeah. And then think about all the businesses that have been built already. There haven't been any huge businesses built on Stable Diffusion, but GPT-3 has internal models as well. So Jasper recently raised like a 1.5 billion valuation, and then ChatGPT came out, basically validating Jasper... So all the people who bought stock are probably not feeling so great right now. [laughs]

That's it. So I don't want to overstate my position. There are real moats to be built around AI, and I think that the best entrepreneurs are finding that regardless of all these flaws.
The fact that there are flaws right now is the opportunity, because so many people are scared off by it. They're like, "AI has no moats. You're just a thin wrapper around OpenAI." But the people who are real entrepreneurs figure it out. So I think it's just a really fascinating case study in technology and entrepreneurship, because here's a new piece of technology nobody knows how to use and productize, and the people who figure out the playbook are the ones who win.

**Adam Stacoviak:** Yeah. Are we back to this -- I mean, it was like this years ago, when big data became a thing... But are we back to this whole world where -- or maybe we never left, where "Data is the new oil", is the quote... Because to train these models, you have to have data. So you could be an entrepreneur, you could be a technologist, you could be a developer, you could be in ML, you could be whatever it might take to build these things, but at some point you have to have a dataset, right? Like, how do you get access to these datasets? It's the oil; you've got to have money to get these things, you've got to have money to run the hardware to enable... Jerod, you were saying before the call, there was speculation of how much it costs to run ChatGPT daily, and it's just expensive. But the data is the new oil thing - how does that play into training these models and being able to build the moat?

**Shawn Wang:** Yeah. So one distinction we must make there is there is a difference between running the models, which is just inferences, which is probably a few orders of magnitude cheaper than training the models, which are essentially a one-time task. Not that many people continuously train, which is nice to have, but I don't think people actually care about that in reality.

So the training of the models ranges between -- and let's just put some bounds for people. I love dropping numbers in podcasts, by the way, because it helps people contextualize.
You made an oblique reference to how much ChatGPT costs, but let's give real numbers. I think the guy who did an estimate said it was running at $3 million a month. I don't know if you heard any different, but that's...

**Jerod Santo:** I heard a different estimate, that would have been more expensive, but I think yours is probably more reliable than mine... So let's just go with that.

**Shawn Wang:** I went through his stuff, and I was like, "Yeah, okay, this is on the high end." I came in between like one to three as well. It's fine. And then for training the thing - so it's widely known or widely reported that Stable Diffusion cost 600k for a single run. People think the full thing, including R&D and stuff, was on the order of 10 million. And GPT-3 also costs something on the order of tens of millions. So I think that is the cost, but then also that is training; that is mostly like GPU compute. We're not talking about data collection, which is a whole other thing, right?

[13:46] And I think, basically, there's a towering stack of open source contributions to this data collective pool that we have made over time. I think the official numbers are like 100,000 gigabytes of data that was trained for Stable Diffusion... And it's basically pooled from like Flickr, from Wikipedia, from like all the publicly-available commons of photos. And that is obviously extremely valuable, because -- and another result that came out recently that has revolutionized AI thinking is the concept of Chinchilla Laws. Have you guys covered that on the show, or do I need to explain that?

**Adam Stacoviak:** Chinchilla Laws misses the mark for me. Please tell. I like the idea though; it sounds cool, so please...

**Shawn Wang:** Yeah, they just had a bunch of models, and the one that won happened to be named Chinchilla, so they kind of went with it. It's got a cute name.
But the main idea is that we have discovered scaling laws for machine learning, which is amazing.

So in the sort of classical understanding of machine learning, you would have a point at which there's no further point to train. You're sort of optimizing for a curve, and you get sort of like diminishing returns up to a certain point, and then that's about it. You would typically conclude that you have converged on a global optimum, and you kind of just stop there. And mostly, in the last 5 to 10 years, the very depressing discovery is that this is a mirage. This is not a global optimum, this is a local optimum... And this is called the Double Descent Problem. If you google it, on Wikipedia you'll find it... Which is you just throw more data at it, it levels off for a bit, and then it continues improving. And that's amazing for machine learning, because that basically precipitated the launch of all these large models. Because essentially, what it concludes is that there's essentially no limit to how good these models are, as long as you can throw enough data at it... Which means that, like you said, data is the new oil again, but not for the old reason, which is like "We're gonna analyze it." No, we're just gonna throw it into all these neural nets, and let them figure it out.

**Adam Stacoviak:** Yeah. Well, I think there's a competitive advantage though if you have all the data. So if you're the Facebooks, or if you're the Google, or X, Y, or Z... Instagram, even. Like, Instagram ads are so freakin relevant that --

**Jerod Santo:** Apple...

**Adam Stacoviak:** Yeah, Apple for sure.

**Jerod Santo:** TikTok...

**Adam Stacoviak:** Yeah. Gosh... Yeah, TikTok. Yeah, the point is, these have a competitive advantage, because they essentially have been collecting this data, would-be to analyze, potentially to advertise to us more, but what about in other ways that these moats can be built?
I just think like, when you mentioned the entrepreneurial mind, being able to take this idea, this opportunity as this new AI landscape, to say, "Let me build a moat around this, and not just build a thin layer on top of GPT, but build my own thing on all together", I've gotta imagine there's a data problem at some point, right? Obviously, there's a data problem at some point.

**Shawn Wang:** So obviously, the big tech companies have a huge headstart. But how do you get started collecting this data as a founder? I think the story of Midjourney is actually super-interesting. So between Midjourney, Stability AI and OpenAI, as of August, who do you think was making the most money? I'll give you the answer, it was Midjourney.

**Jerod Santo:** Oh, I was gonna guess that. You can't just give us the answer...

**Shawn Wang:** Oh... [laughs]

**Jerod Santo:** I had it.

**Shawn Wang:** But it's not obvious, right? Like, the closed source one, that is not the big name, that doesn't have all the industry partnerships, doesn't have the celebrity CEO, that's the one that made the most money.

**Jerod Santo:** Yeah. But they launched with a business model immediately, didn't they? They had a subscription out of the box.

**Shawn Wang:** Yeah, they did. But also, something that they've been doing from the get-go is that you can only access Midjourney through Discord. Why is that?

**Jerod Santo:** Right. Because it's social, or... I don't know. What do you think? That's my guess, because they're right in front of everybody else.

**Shawn Wang:** Data.

**Adam Stacoviak:** Data.

**Jerod Santo:** Oh...

**Adam Stacoviak:** Please tell us more, Shawn.

**Shawn Wang:** Because the way that you experience Midjourney is you put in a prompt, it gives you four images, and you pick the ones that you like for enhancing. So the process of using Midjourney generates proprietary data for Midjourney to improve Midjourney.
So from v3 to v4 of Midjourney they improved so much that they have carved out a permanent space for their kind of visual AI-driven art, that is so much better than everyone else because they have data that no one else has.

**Jerod Santo:** [17:55] That's really cool.

**Adam Stacoviak:** And that's relevance, or is it like quality takes? What is the data they actually get?

**Shawn Wang:** Preference, right?

**Jerod Santo:** What's good.

**Shawn Wang:** Yeah. Literally, you type in a prompt, unstructuredly it tells you -- they give you four low-res images, and you have to pick one of the four to upscale it. By picking that four, they now have the data that says "Okay, out of these four, here's what a human picks." And it's proprietary to them, and they paid nothing for it, because it's on Discord. It's amazing.

**Jerod Santo:** That is awesome.

**Shawn Wang:** They didn't build a UI, they just used Discord. I don't know if Discord knows this, or cares... But it's pretty freakin' phenomenal...

**Jerod Santo:** That's pretty smart.

**Shawn Wang:** ...because now they have this--

**Adam Stacoviak:** It's the ultimate in scrappy, right? It's like, by any means necessary. That's the ultimate binding that's necessary, right? You'll make a beat however you can to put up the track and become the star.

**Jerod Santo:** Right.

**Adam Stacoviak:** That's amazing.

**Jerod Santo:** That's really cool.

**Shawn Wang:** So just to close this out, the thing I was saying about Chinchilla was "More data is good, we've found the double descent problem. Now let's go get all the data that's possible." I should make a mention about the open source data attempts... So people understand the importance of data, and basically EleutherAI is kind of the only organization out there that is collecting data that anyone can use to train anything. So they have two large collections of data called The Stack and The Pile, I think is what it's called.
Basically, the largest collection of open source permissively-licensed text for you to train whatever language models you want, and then a similar thing for code. And then they are training their open source equivalents of GPT-3 and Copilot and what have you. But I think those are very, very important steps to have. Basically, researchers have maxed out the available data, and part of why OpenAI Whisper is so important for OpenAI is that it's unlocking sources of text that are not presently available in the available training data. We've basically exhausted, we're data-constrained in terms of our ability to improve our models. So the largest source of untranscribed text is essentially on YouTube, and there's a prevailing theory that the primary purpose of Whisper is to transcribe all video, to get text, to train the models... [laughs] Because we are so limited on data.

**Adam Stacoviak:** Yeah. We've helped them already with our podcasts. Not that it mattered, but we've been transcribing our podcasts for a while, so we just gave them a leg up.

**Shawn Wang:** You did.

**Adam Stacoviak:** And that's open source on GitHub, too. They probably -- I mean, ChatGPT knows about Changelog. They know that -- Jerod, I don't know if I told you this yet, but I prompted that; I said "Complete the sentence "Who's the hosts of the Changelog podcast?" "Well, that's the dynamic duo, Jerod Santo and Adam Stacoviak." It knows who we are. I mean, maybe it's our transcripts, I don't know, but it knows...

**Jerod Santo:** Please tell me it called us "the dynamic duo"... [laughs]

**Adam Stacoviak:** I promise you!

**Jerod Santo:** It said that?

**Adam Stacoviak:** I promise you it said that. "The dynamic duo..."

**Jerod Santo:** Oh, [unintelligible 00:20:34.05]

**Adam Stacoviak:** It actually reversed the order. It said Adam Stacoviak first and then Jerod Santo... Because usually, my name is, I guess, first, because - I have no clue why it's ever been that way, but...
It said "The dynamic duo, Adam Stacoviak and Jerod Santo..."

**Jerod Santo:** That's hilarious.

**Adam Stacoviak:** ...hosts of the Changelog Podcast.

**Jerod Santo:** It already understands flattery.

**Adam Stacoviak:** Yeah, it does. Well, actually, the first prompt didn't include us, and I said "Make it better, and include the hosts." And that's all I said, was "Make it better and include the hosts." So in terms of re-prompting, or refining the response that you get from the prompts - that to me is like the ultimate human way to conjure the next available thing, which is try again, or do it better by giving me the hosts, too. And the next one was flattery, and actually our names in the thing. So... It's just crazy. Anyways...

**Shawn Wang:** Yeah, so that is the big unlock that ChatGPT enabled.

**Jerod Santo:** Totally.

**Shawn Wang:** Which is why usually I take a few weeks for my takes to marinate, for me to do research, and then for me to write something... But I had to write something immediately after ChatGPT to tell people how important this thing is. It is the first real chat AI, which means that you get to give human feedback. And this theme of reinforcement learning through human feedback is - the low-res version of it was Midjourney. Actually, the lowest-res version of it was TikTok, because every swipe is human feedback. And being able to incorporate that into your -- and same for Google; every link click is human feedback. But the ability to incorporate that and to improve the recommendations and the generations is essentially your competitive advantage, and being able to build that as part of your UI...
Which is why, by the way, I have been making the case that frontend engineers should take this extremely seriously, because guess who's very good at making a UI?

**Adam Stacoviak:** Yeah, for sure.

**Shawn Wang:** But yeah, ChatGPT turns it from a one-off zero-shot experience where you prompt the thing, and then you get the result, and it's good or bad, that's about the end of the story - now it's an interactive conversation between you and the bot, and you can shape it to whatever you want... Which is a whole different experience.

**Break:** [22:31]

**Adam Stacoviak:** "Complete the sentence" has been a hack for me to use, particularly with ChatGPT. "Complete the sentence" is a great way to easily say "Just give me something long, given these certain constraints."

**Jerod Santo:** Well, that's effectively what these models are, right? They're auto-complete on steroids. Like, they are basically auto-completing with a corpus of knowledge that's massive, and guessing what words semantically should come next, kind of a thing... In layman's terms; it's more complicated than that, of course, but they are basically auto-completers.

**Adam Stacoviak:** Yeah. On that note though, we have a show coming out... So we're recording this on a Friday, the same day we release the same podcast, but it's the week before. So we had Christina Warren on, and so I was like "You know what? I'm gonna use ChatGPT to give me a leg up. Let me make my intro maybe a little easier, and just spice it up a little bit." So I said "Complete the sentence "This week on the Changelog we're talking to Christina Warren about..." and then I ended the quote, and I said "and mention her time at Mashable, film and pop culture, and now being a developer advocate at GitHub." And I've gotta say, most of, 50% of the intro for the episode with Christina is thanks to ChatGPT. I don't know if I break the terms of service by doing that or not, but like -- do I? I don't know. If I do, sue me. I'm sorry. But...
Don't sue me. Don't sue us. We'll take it down. We'll axe it out.

**Jerod Santo:** We'll rewrite it.

**Adam Stacoviak:** Yeah, we'll rewrite it. But, I mean, it's basically what I would have said. So...

**Shawn Wang:** There's a nice poetry -- there's a YouTuber who's been on this forever, Two Minute Papers, and what he often says is, "What a time to be alive." And this is very much what a time to be alive. But not just because we're seeing this evolve live, but because we get to be part of the training data. And there was a very interesting conversation between Lex Fridman and Andrej Karpathy; he was inviting him on to the show... He said, "Our conversation will be immortalized in the training data. This is a form of immortality, because we get to be the first humans essentially baked in." [laughter]

**Jerod Santo:** Essentially baked in... Hello, world.

**Shawn Wang:** Like, 100-200 years from now, if someone has the Changelog podcast, they will keep having Jerod and Adam pop up, because they're in the goddamn training data. [laughs]

**Jerod Santo:** They're like "Come on, these guys have been dead for a long time."

**Adam Stacoviak:** [26:05] Let them go. Give them their RIP. [laughter]

**Shawn Wang:** Which is poetic and nice. Yeah.

**Adam Stacoviak:** Yeah, it is a good time to be alive... I think it is interesting, too... I just wonder -- I mean, this might be jumping the shark a little bit, but I often wonder, at what point does humanity stop creating? And at some point, 100 years from now, or maybe more, I don't know, we're gonna be -- maybe sooner, given how fast this is advancing, that we'll create only through what was already created. "At what point is the snake eating the snake?" kind of thing.
Like, is there an end to human creativity at some point, because we are just so reliant, at some point, shape, or form, on [unintelligible 00:26:45.20] because of training data, and this just kind of like morphing to something much, much bigger in the future?

**Shawn Wang:** So I have an optimistic attitude to that... This question basically is asking, "Can we exhaust infinity?" And so my obvious answer is no. There is a more concrete stat I can give you, which is I think - this is floating around out there. Don't quote me on the exact number, but apparently, 10% of all Google searches every single year have never been asked before. And Google's been around for like 20 years.

**Adam Stacoviak:** That's a big percentage.

**Shawn Wang:** It's still true. So it's on that order; it might be like 7%, it might be 13%.

**Adam Stacoviak:** Well, is it trending down though? Is it trending down? Is it 10% per year, but is it like trending down to like 8%?

**Jerod Santo:** Is it because we put the year in our searches? [laughter]

**Adam Stacoviak:** Yeah, it's true, Jerod. Good one.

**Shawn Wang:** Yeah. But anyway, so that's what the SEO people talk about when they talk about long tail... The amount of infinity is always bigger than our capability of creating to fill it.

**Jerod Santo:** I mean, I feel like if you look at us in an abstract way, humans, we are basically taking in inputs and then generating outputs. But that's creativity, right? So I think what we're just doing is adding more to the inputs. Now we have computers that also take in inputs and generate outputs, but like, everything's already a remix, isn't it? Our life experience and everything that goes into us, and then something else produces a brand new thing, which isn't really new, but it's a remix of something else that we experienced...
So I feel like we're just going to keep doing that, and we'll have computer aid at doing that, and the computer eventually maybe will just do the actual outputting part, but we somehow instruct it. I'm with Swyx on this one; I don't think there's going to be an end to human creativity, as the AI gets more and more output... What's the word? When you're just -- not notorious. What's it called when you just can't stop outputting stuff?

**Adam Stacoviak:** I don't know.

**Jerod Santo:** Prolific!

**Adam Stacoviak:** Prolific.

**Jerod Santo:** As the AI gets more and more output-prolific, and overwhelms us with output, I think we're still going to be doing our thing.

**Adam Stacoviak:** Yeah. It's the ultimate reduction in latency to new input, right? Think of 100 years ago - creative folks were few and far between. They had miles between them, depending on your system; maybe it's kilometers. No offense. But there's distance of some sort of magnitude, and the lack of connection and shared ideas. So that's the latency, right? And now, the latency to the next input is just so small in comparison, and will get reduced to basically nothing. So we'll just constantly be inputting and outputting creativity, we'll just become like a creative [unintelligible 00:29:31.17] system with zero latency, nonstop creativity... Go, go, go...

**Shawn Wang:** Well, I think this is where you start -- I don't know about you, but I feel a little bit uncomfortable with that, right? Entropy is always increasing in the universe; we're contributing to increasing noise and not signal. And that is a primary flaw of all these language models, is just they are very confidently incorrect. They have no sense of physics, no sense of logic; they will confidently assert things that are not true, and they're trained on sounding plausible, rather than being true.

**Jerod Santo:** Right. They're kind of like me when I was in college, you know?

**Shawn Wang:** Exactly.
[laughter]

**Jerod Santo:** [30:10] Just so much confidence, but wrong most of the time. [laughs]

**Shawn Wang:** Exactly. Which happens to Galactica, which is this sort of science LLM from Meta, where Yann LeCun, who is one of the big names in tech, was like "This thing will generate papers for you." And within three days, the internet tore it apart, and they had to take it down. It was a very, very dramatic failure, this kind of tech... Because you're talking about biology, and science, and medicine, and you can't just make stuff up like that. [laughs]

**Jerod Santo:** Right. So like in the world where ChatGPT operates today, which is really in the world of fiction, and kind of BS-ing, for lack of a better term, like writing intros to a podcast - you know, like, it doesn't have to be correct necessarily; it can be like close enough to correct, and then you can massage it, of course, you can cherry pick to get the one that you like... But when the rubber hits the road, like on serious things, like science, or "How many of these pills do I need to take?" I guess that is also -- that's health science. So science, and other things... It's like, it can't be correct 60% of the time, or 80%, or even like 95%. It's gotta reach that point where you actually can trust it. And because we're feeding it all kinds of information that's not correct, de facto... Like, how much of the internet's wrong? Most of it, right?

**Adam Stacoviak:** I mean, medicine though has evolved too, and it hasn't always been correct, though it's also very serious... You'd get advice from a doctor 10-15 years ago, they'd say it with full confidence and full accuracy, but it's only based on that current dataset.

**Jerod Santo:** But you can sue them for malpractice and stuff, right? Like, how do we take recourse against--

**Adam Stacoviak:** You can if they actually have malpractice; they can be wrong, because it's as much science as possible to make the most educated guess.
It's malpractice when there's negligence; it's not malpractice when they're wrong.

**Jerod Santo:** A good doctor will actually go up to the fringe and say, "You know what - I'm not 100% sure about this. It's beyond my knowledge."

**Adam Stacoviak:** Sure. For sure.

**Jerod Santo:** "Here's what you can do. Here's the risks of doing that." Whereas the chat bots, the ChatGPT thing is like, "The answer is 7", and you're like, "It actually was 12." And it's like, "Ah, shoot..." [laughter]

**Adam Stacoviak:** Well, I think when there's mortality involved, maybe there's going to be a timeframe when we actually begin to trust the future MedGPT, for example; I don't know if that's a thing in the future, but something that gives you medical results or responses based upon data, real data, potentially, that you get there, but it's not today.

**Jerod Santo:** Well, I think this goes back to the data point that you made, and I think where we go from like the 95 -- I'm making up numbers here, but like 95% accuracy, to get it to like 98.5%, or 99%. Like, that's gonna require niche, high-value, high-signal data that maybe this medical facility has, because they've been collecting it for all these years. And they're the only ones who have it. And so maybe that's where you like carve out proprietary datasets that take these models from a baseline of accuracy, to like, in this particular context of health it's this much accuracy. And then maybe eventually you combine all those and have a super model. I don't know... Swyx, what do you think?

**Shawn Wang:** I love the term super-model. I think the term [unintelligible 00:33:23.10] in the industry is ensemble. But that just multiplies the costs, right? Like if you want to run a bank of five models, and pick the best one, that obviously 6x-es your cost. So not super-interesting; good for academic papers, but not super-interesting in practice, because it's so expensive.

There's so many places to go with this stuff...
Okay, there's one law that I love, which is Brandolini's Law. I have this tracking list of eponymous laws... Brandolini's law is people's ability to create bulls**t far exceeds the ability of people to refute it. Basically, if all of these results of this AI stuff is that we create better bulls**t engines, it's not great. And what you're talking about, the stuff with like the 90% correct, 95% correct - that is actually a topic of discussion. It's pretty interesting to have the SRE type conversation of "How many nines do you need for your use case, and where are we at right now?" Because the number of nines will actually improve. We are working on -- sorry, "we" as in the collective human we, not me personally...

**Adam Stacoviak:** [34:32] The royal we, yes.

**Shawn Wang:** The royal we... Like, humanity is working on ways to improve, to get that up. It's not that great right now, so that's why it's good for creativity and not so much for precision, but it will get better. One of the most viral posts on Hacker News is something that you featured, which is the ability to simulate virtual machines inside of ChatGPT-3, where people literally opened -- I mean, I don't know how crazy you have to be, but open ChatGPT-3, type in LS, and it gives you a file system. [laughter]

**Jerod Santo:** But that only exists -- it's not a real file system, it's just one that's [unintelligible 00:35:00.05]

**Shawn Wang:** It's not a real file system, for now. It's not a real set file system for now, because they hallucinate some things... Like, if you ask it for a Git hash, it's gonna make up a Git hash that's not real, because you can verify [unintelligible 00:35:10.25] MD5. But like, how long before it learns MD5? And how long before it really has a virtual machine inside of the language model? And if you go that far, what makes you so confident that we're not in one right now? [laughs]

**Jerod Santo:** Now I'm uncomfortable...
That actually is a very short hop into the simulation hypothesis, because we are effectively simulating a brain... And if you get good enough at simulating brains, what else can you simulate?

**Adam Stacoviak:** What else WOULD you want to simulate? I mean, that's the Holy Grail, a brain.

**Shawn Wang:** Yeah. So Emad Mostaque is the CEO of Stability AI. He's like, "We're completely unconcerned with the AGI. We don't know when it'll get here. We're not working on it. But what we're concerned about is the ability to augment human capability. People who can't draw now can draw; people who can't write marketing texts or whatever, now can do that." And I think that's a really good way to approach this, which is we don't know what the distant future is gonna hold, but in the near future, this can help a lot of people.

**Adam Stacoviak:** It's the ultimate tool in equality, right? I mean, if you can do --

**Shawn Wang:** Yeah, that's a super-interesting use case. So there was a guy who was like sort of high school-educated, not very professional, applying for a job. And what he used ChatGPT to do was like "Here's what I want to say, and please reword this in a professional email." And it basically helped to pass the professional class status check. Do you know about the status checks? All the other sort of informal checks that people have, like "Oh, we'll fly you in for your job interview... Just put the hotel on your credit card." Some people don't have credit cards. And likewise, when people email you, you judge them by their email, even though some haven't been trained to write professionally, right? And so yeah, GPT is helping people like that, and it's a huge enabler for those people.

**Adam Stacoviak:** Hmm... That is -- I mean, I like that idea, honestly, because it does enable more people who are less able... It's a net positive.

**Shawn Wang:** Yeah. I mean, I seem generally capable, but also, I have RSI on my fingers, and sometimes I can't type.
And so what Whisper is enabling me to do, and Copilot... So GitHub, at their recent GitHub Universe, recently announced voice-enabled Copilot... And it is good enough for me to navigate VS Code, and type code with Copilot and voice transcription. Those are the two things that you need; and they're now actually good enough that I don't have to learn a DSL for voice coding, like you would with Talon, or the prior solutions.

**Adam Stacoviak:** You know, it's the ultimate -- if you're creative enough, it's almost back to the quote that Sam had said, that you liked... Well, I'm gonna try and go back to it; he says "At the end, because they were just able to articulate it with a creative eye that I don't have." So that to me is like insight, creativity; it's not skill, right? It's the ability to dream, which is the ultimate human skill, which is - since the beginning of time, we've been dreamers.

**Shawn Wang:** [38:01] This is a new brush. Some artists are learning to draw with it. There'll be new kinds of artists created.

**Adam Stacoviak:** Provided that people keep making the brush, though. It's a new brush...

**Shawn Wang:** Well, the secret's out; the secret's out that you can make these brushes.

**Jerod Santo:** Right.

**Adam Stacoviak:** Yeah, but you still have to have the motivation to maintain the brush, though.

**Jerod Santo:** What about access, too? I mean, right now you're talking about somebody who's made able, that isn't otherwise, with let's just say ChatGPT, which is free for now. But OpenAI is a for profit entity, and they can't continue to burn money forever; they're gonna have to turn on some sort of a money-making machine... And that's going to inevitably lock some people out of it. So now all of a sudden, access becomes part of the class, doesn't it? Like, you can afford an AI and this person cannot. And so that's gonna suck.
Like, it seems like open source could be for the win there, but like you said, Swyx, there's not much moving and shaking in that world.**Adam Stacoviak:** Well, I haven't stopped thinking about what Swyx said last time we talked, which was above or below the API, which is almost the same side of the coin that we talked about last time, which is like, this the same thing.**Jerod Santo:** Yeah. Well, ChatGPT is an API, isn't it?**Shawn Wang:** Nice little callback. Nice. [laughter]**Adam Stacoviak:** I really haven't been able to stop thinking about it. Every time I use any sort of online service to get somebody to do something for me that I don't want to do, because I don't have the time for it, or I'd rather trade dollars for my time, I keep thinking about that above or below the API, which is what we talked about. And that's what Jerod has just brought up; it's the same exact thing.**Shawn Wang:** Yep, it is. One more thing I wanted to offer, which is the logical conclusion to generative. So that post where we talked about why prompt engineering is overrated - the second part of it is why you shouldn't think about this as generative... Because right now, the discussion we just had was only thinking about it as a generative type of use case. But really, what people want to focus on going forward is -- well, two things. One is the ability for it to summarize and understand and reason, and two, for it to perform actions. So the emerging focuses on agentic AI; AI agents that can perform actions on your behalf. Essentially, hooking it up to -- giving it legs and legs and arms and asking it to do stuff autonomously.So I think that's super-interesting to me, because then you get to have it both ways. You get AI to expand bullet points into prose, and then to take prose into bullet points. And there's a very funny tweet from Josh Browder, who is the CEO DoNotPay, which is kind of like a --**Adam Stacoviak:** Yeah, I'm a fan of him.**Shawn Wang:** Yeah. Fantastic, right? 
So what DoNotPay does is they get rid of annoying payment UX, right? Like, sometimes it was parking tickets, but now they are trying to sort of broaden out into different things. So he recently tweeted that DoNotPay is working on a way to talk to Comcast to negotiate your cable bill down. And since Comcast themselves are going to have a chat bot as well, it's going to be chat bots talking to each other to resolve this... [laughter]**Adam Stacoviak:** Wow, man...**Jerod Santo:** It's like a scene out of Futurama, or something...**Shawn Wang:** Yeah. So I'm very excited about the summarization aspects, right? One of the more interesting projects that came out of this recent wave was Explained Paper, which is - you can throw any academic paper at it and it explains the paper to you in approachable language, and you can sort of query it back and forth. I think those are super-interesting, because that starts to reverse Brandolini is law. Instead of generating bulls**t, you're taking bulls**it in, getting into some kind of order. And that's very exciting.**Adam Stacoviak:** Yeah. 17 steps back, it makes me think about when I talk to my watch, and I say "Text my wife", and I think about like who is using this to their betterment? And I'm thinking like, we're only talking about adults, for the most part. My kid, my son, Eli - he talks to Siri as if like she knows everything, right? But here's me using my watch to say "Text my wife." I say it, it puts it into the phone... And the last thing it does for me, which I think is super-interesting for the future, as like this AI assistant, is "Send it" is the final prompt back to me as the human; should I send this? And if I say no, Siri doesn't send it. But if I say "Send it", guess what she does? She sends it. But I love this idea of the future, like maybe some sort of smarter AI assistant like that. I mean, to me, that's a dream. 
I'd love that.**Shawn Wang:** [42:21] Yeah, I was watching this clip of the first Iron Man, when Robert Downey Jr. is kind of working with his bot to work on his first suit... And he's just talking to the bot, like "Here's what I want you to do." Sometimes it gets it wrong and he slaps it on the ahead... But more often than not, he gets it right. And this is why I've been -- you know, Wes Boss recently tweeted -- this is actually really scary. "Should we be afraid as engineers, like this is going to come for our jobs?" And I'm like, "No. All of us just got a personal junior developer." That should excite you.**Jerod Santo:** Yeah. And it seems like it's particularly good at software development answers. You'd think it's because there's lots of available text... I mean, think about like things that it's good at; it seems like it knows a lot about programming.**Shawn Wang:** I have a list. Do you want a list?**Jerod Santo:** Yeah.**Shawn Wang:** So writing tutorials - it's very good. Literally, tables of contents, section by section, explaining "First you should npm install. Then you should do X. Then you should do Y." Debugging code - just paste in your error, and paste in the source code, and it tells you what's wrong with it. Dynamic programming, it does really well. Translating DSLs. I think there'll be a thousand DSLs blooming, because the barrier to adoption of a DSL has just disappeared. [laughs] So why would you not write a DSL? No one needs to learn your DSL.**Adam Stacoviak:** What is this, Copilot you're using, or ChatGPT, that you're--**Shawn Wang:** ChatGPT-3. I have a bunch of examples here I can drop in the show notes. AWS IAM policies. "Hey, I want to do X and Y in AWS." Guess what? There's tons of documentation. ChatGPT knows AWS IAM policies. Code that combines multiple cloud services. This one comes from Corey Quinn. 90% of our jobs is hooking up one service to another service. You could just tell it what to do, and it just does it, right? 
There a guy who was like, "I fed my college computer network's homework to it, and they gave the right result", which is pretty interesting.Refactoring code from Elixir to PHP is another one that has been has been done... And obviously, Advent of Code, which - we're recording this in December now. The person who won -- so Advent of Code for the first 100 people is a race; whoever submits the correct answer first, wins it. And the number one place in the first Advent of Code this year was a ChatGPT guy. So it broke homework. Like, this thing has broken homework and take-home interviews, basically. [laughs]**Jerod Santo:** Completely. It's so nice though; like, I've only used it a little bit while coding, but it's two for two, of just like drilling my exact questions. And just stuff like "How do you match any character that is not an [unintelligible 00:44:43.28] regular expression?"**Shawn Wang:** Oh, yeah. Explaining regexes.**Jerod Santo:** Yeah. That was my question. Like, I know exactly what I want, but I can't remember which is the character, and so I just asked it, and it gave me the exact correct answer, and an example, and explained it in more detail, if I wanted to go ahead and read it. And it warned me, "Hey, this is not the best way to test against email addresses... But here it is." So I was like, "Alright..." This is a good thing for developers, for sure.**Shawn Wang:** Yeah. But you can't trust it -- so you have a responsibility as well. You can't write bad code, have something bad happen, and go, "Oh, it wasn't my fault. It was ChatGPT."**Jerod Santo:** Well, you can't paste Stack Overflow answers into your code either.**Shawn Wang:** You have the responsibility. Exactly.**Jerod Santo:** Yeah. I mean, you can, but you're gonna get fired, right? Like, if the buck stops at you, not at the Stack Overflow answer person, you can't go find them and be like, "Why were you wrong?" Right? It stops at you.**Shawn Wang:** Yeah. 
So I think the way I phrased it was -- do you know about this trade offer meme that is going around? So it's "Trade offer - you receive better debugging, code explanation, install instructions, better documentation, elimination of your breaking of flow from copy and pasting in Stack Overflow - you receive all these benefits, in exchange for more code review." There is a cost, which is code review. You have to review the code that your junior programmer just gave you. But hey, that's better and easier than writing code yourself.**Jerod Santo:** [46:04] Yeah, because you've got a free junior programmer working for you now. [laughter]**Shawn Wang:** There's a guy that says, "I haven't done a single Google search or consulted any external documentation for the past few days, and I was able to progress faster than I ever had when delivering a new thing." I mean, it's just... It's amazing, and Google should be worried.**Jerod Santo:** Yeah, that's what I was gonna say - is this an immediate threat to Google? Now, I did see a commenter on Hacker News - Swyx, I'm not sure if you saw this one - from inside of Google, talking about the cost of integration?**Shawn Wang:** Yes. Yeah, I've read basically every thread... [laughter] Which is a full-time job, but... This is so important. Like, I don't do this for most things, right? Like, I think this is big enough that I had to drop everything and go read up on it... And not be an overnight expert, but at least try to be informed... And that's all I'm doing here, really. But yeah, do you want to read it up?**Jerod Santo:** Yeah. So in summary, they were responding... 
This is on a thread about ChatGPT, and they say -- this is a Googler, and they say "It's one thing to put up a demo that interested nerds can play with, but it's quite another thing to try to integrate it deeply in a system that serves billions of requests a day, when you take into account serving costs, added latency, and the fact that average revenue on something like a Google search is close to infinitesimal (which is the word I can't say out loud) already. I think I remember the presenter saying something like they'd want to reduce the cost by at least 10 times before it could be feasible to integrate models like this in products like Google search. A 10x or even 100x improvement is obviously an attainable target in the next few years, so I think technology like this is coming in the next few years."So that's one insider's take on where Google stands. Obviously, Google has tons of resources dedicated to these areas of expertise, right? It's not like Google's asleep at the wheel, and is going to completely have their lunch eaten by OpenAI. But right now, there's a lot of people who are training new habits, right? They're like, "I'm not gonna use Google anymore. I'm gonna start using OpenAI." I think it's something on the order of one million users in their first few days have signed up... How long can Google potentially bleed people before it becomes an actual problem? I don't know. I don't know the answer to these things.**Shawn Wang:** So there's one way in which you can evaluate for yourself right now, and I think that's the most helpful, constructive piece of advice that we can give on this podcast, which is -- we're covering something that is moving very live, very fast. Everything that we say could be invalidated tomorrow by something new. But you could just run ChatGPT-3 alongside of all your Google searches. That's a very, very simple way to evaluate if this would replace Google for you; just run it twice, every single time. 
And so there's a Google extension - and I'll link it - [unintelligible 00:48:47.04] ChatGPT Google extension; I'll put it in the show notes. And yeah, I have it running; it's not that great. [laughs] Surprisingly. So ChatGPT is optimized for answering questions. Sometimes I don't put questions in there. I just put the thing I'm looking for, and Google's pretty good at that, it turns out... [laughs]**Jerod Santo:** Right. See, because you are an expert-level Google prompt engineer, right? Like, you know how to talk to Google.**Shawn Wang:** We have optimized to Google prompting, yes.**Jerod Santo:** Exactly.**Shawn Wang:** If I need to search within a certain date range, I know how to do that in Google. I can't do that in ChatGPT-3. If I need to look for PDFs, I know how to do that. If I want to look for Reddit, and constrain the site to Reddit, I know how to do that. ChatGPT-3 has no concept of attribution, no concept of date ranges, and stuff like that.**Jerod Santo:** Right.**Shawn Wang:** But yeah, it is just like better at some things, and worse at other things, and that is the nature of all new technology. It just has to be better at one thing, that you cannot get anywhere else, and it has a permanent hold in your mind. Whenever you need that thing done, you will turn to ChatGPT-3, or any other new technology.[49:53] I love this sort of meta philosophy about technology adoption, because all new toys just generally are worse than the things that they replace, except in one area, and that's the area needs to matter. And if it does matter, it will win, because they will fix the bugs.**Jerod Santo:** Yeah, oftentimes with disruption, that area is cost; like acquisition cost. Sometimes it's convenience, and maybe I guess sometimes it's accuracy. There's different metrics, but it's got to be the one that matters. If it's marginally better at things that don't matter, you're not going to disrupt. 
But if it's a lot better at one thing that matters a lot, even if everything else sucks, you'll use that thing.**Shawn Wang:** Yeah, exactly. So it's interesting, because -- you know, Google has a few things going for it. By the way, it has one of the largest training repositories of text that no one else has, which is Gmail. But the most impressive thing it's being able to ship with Gmail is the little autocomplete, like, "Looks good", Okay", the little buttons that you see in the smart replies.**Jerod Santo:** Do you guys ever use those? Do you ever click on those?**Shawn Wang:** I use that. I use that. Save some typing.**Adam Stacoviak:** Yeah, well, I used to actually use Gmail directly to compose my emails, or respond. I would tap to complete all the time, if the response was like, "Yeah, I was gonna say that."**Shawn Wang:** There's a billion little ways that AI is built into Google right now, that we just take for granted, because we don't feel it, because there's no prompts. [laughter]**Jerod Santo:** We need a prompt!**Adam Stacoviak:** Even if OpenAI did eat Google's lunch, Google would just acquire it, or something...**Shawn Wang:** You would think so...**Jerod Santo:** Maybe...**Shawn Wang:** But I would say that probably OpenAI is not for sale. Like, they have this world-conquering ambition that would just not let them settle for anything less than global domination... Which is a little bit scary, right?**Jerod Santo:** Yeah, I think they're probably going the distance, is their plan, it seems like...**Shawn Wang:** Well, if anything, Microsoft should have bought them when they had the chance, because that was Bing's opportunity, and I don't think that ever came to pass... Probably because Sam Altman was smart enough not to do that deal. But yeah, so let's take that line of thinking to its logical conclusion. What would you feel if Google started autocompleting your entire email for you, and not just like individual, like two or three words? 
You would feel different, you would feel creeped out. So Google doesn't have the permission to innovate.**Adam Stacoviak:** I wouldn't freak out if I opted in, though. If I was like, "This technology exists, and it's helpful. I'll use that." Now, if it just suddenly started doing it, yeah, creeped out. But if I'm like, "Yeah, this is kind of cool. I opt into this enhanced AI, or this enhanced autocompletion", or whatever, simplifies the usage of it, or whatever.**Shawn Wang:** Yeah, so there's actually some people working on the email client that does that for you. So Evan Conrad is working on EveryPrompt email, which is essentially you type a bunch of things that you want to say, and you sort of batch answer all your emails with custom generated responses from GPT-3. It's a really smart application of this tech to email that I've seen. But I just think, like, you would opt in; the vast majority of people never opt into anything.**Jerod Santo:** Yeah, most people don't opt in.**Shawn Wang:** Like, that's just not the default experience. So I'm just saying, one reason that Google doesn't do it is "Yeah, we're just too big." Right? That is essentially the response that you read out from that engineer; like, "This doesn't work at Google scale. We can't afford it. It would be too slow", whatever. That's kind of a cop out, I feel like... Because Google should be capable. These are the best engineers in the world, they should they should be able to do it.**Jerod Santo:** Well, he does say he thinks it's coming in the next few years. So he's not saying it's impossible, he's saying they're not there yet. And I will say, I'm giving ChatGPT the benefit of my wait time that I do not afford to Google. I do not wait for Google to respond. I will give ChatGPT three to five seconds, because I know it's like a new thing that everyone's hitting hard... But like, if they just plugged that in, it would be too slow. 
I wouldn't wait three to five seconds for a Google search.**Shawn Wang:** Yeah. By the way, that's a fascinating cloud story that you guys have got to have on - find the engineer at OpenAI that scaled ChatGPT-3 in one week from zero to one million users?**Jerod Santo:** Yeah, totally.**Adam Stacoviak:** [53:58] Well, if you're listening, or you know the person, this is an open invite; we'd love to have that conversation.**Shawn Wang:** Yeah. I've seen the profile of the guy that claimed to [unintelligible 00:54:04.00] so that he would know... But I don't know who would be responsible for that. That is one of the most interesting cloud stories probably of the year. And Azure should be all over this. Azure should be going like, "Look, they handled it no problem. This is most successful consumer product of all time come at us", right?**Jerod Santo:** That's true. They should.**Shawn Wang:** They're the number three cloud right now. This is like their one thing, this is their time to shine. They've got to do it.**Jerod Santo:** And does anybody even know that Azure is behind OpenAI? I'm sure you can find out, but like, is that well known? I didn't know that.**Shawn Wang:** Oh, it's very public. Microsoft invested a billion dollars in OpenAI.**Jerod Santo:** Okay. Did you know that, Adam?**Adam Stacoviak:** No.**Jerod Santo:** So I'm trying to gauge the public knowledge...**Shawn Wang:** What we didn't know was that it was at a valuation of $20 billion, which... So OpenAI went from like this kind of weird research lab type thing into one of the most highly valued startups in the world. [laughs]**Jerod Santo:** Do you think Microsoft got their money's worth?**Shawn Wang:** I think so... It's awash right now, because --**Jerod Santo:** Too early.**Shawn Wang:** ...they probably cut them a lot of favorable deals for training, and stuff... So it's more about like being associated with one of the top AI names. 
Like, this is the play that Microsoft has been doing for a long time, so it's finally paying off... So I'm actually pretty happy for that. But then they have to convert into like getting people who are not [unintelligible 00:55:21.00] onto this thing.**Break:** [55:26]**Adam Stacoviak:** What's the long-term play here though? I mean, if Microsoft invested that kind of money, and we're using ChatGPT right now, we're willing to give it extra seconds, potentially even a minute if the answer is that important to you, that you wouldn't afford to Google... Like, what's the play for them? Will they turn this into a product? How do you make billions from this? Do you eventually just get absorbed by the FAANGs of the world, and next thing you know now this incredible future asset to humanity is now owned by essentially folks we try to like host our own services for? Like, we're hosting Nextcloud locally, so we can get off the Google Drives and whatnot... And all this sort of anti-whatever. I mean, what's the endgame here?**Shawn Wang:** Am I supposed to answer that? [laughs]**Adam Stacoviak:** Do you have an answer? I mean, that's what I think about...**Jerod Santo:** Let's ask ChatGPT what the endgame is... No, I mean, short-term it doesn't seem like OpenAI becomes the API layer for every AI startup that's gonna start in the next 5 or 10 years, right? Like, aren't they just charging their fees to everybody who wants to integrate AI into their products, pretty much? That's not an end game, but that's a short-term business model, right?**Shawn Wang:** That is a short-term business model, yeah. I bet they have much more up their sleeves... I don't actually know. But they did just hire their first developer advocate, which is interesting, because I think you'll start to hear a lot more from them.[58:12] Well, there's two things I will offer for you. One, it's a very common view or perception that AI is a centralizing force, right? 
Which is, Adam, what you're talking about, which is, "Does this just mean that the big always get bigger?" Because the big have the scale and size and data advantage. And one of the more interesting blog posts - sorry, I can't remember who I read this from - was that actually one of the lessons from this year is that it's not necessarily true, because AI might be a more decentralized force, because it's more amenable to open source... And crypto, instead of being decentralized, turned out to be more centralized than people thought.So the two directions of centralized versus decentralized - the common perception is that AI is very centralized, and crypto very decentralized. The reality was that it's actually the opposite, which is fascinating to me as a thesis. Like, is that the end game, that AI eventually gets more decentralized, because people want this so badly that there are enough researchers who go to NeurIPS to present their research papers and tweet out all this stuff, that diffuses these techniques all over the place? And we're seeing that happen, helped in large probably by Stability AI. The proof that Stability as an independent, outsider company, like not a ton of connections in the AI field, did this humongous achievement I think is just a remarkable encouragement that anyone could do it... And that's a really encouraging thing for those people who are not FAANG and trying to make some extra headroom in this world. So that's one way to think about the future.The second way to think about who monetizes and who makes the billion dollars on this... There's a very influential post that I was introduced to recently from Union Square Ventures, called "The myth of the infrastructure phase", which is directly tackling this concept that everyone says "When you have a gold rush, sell picks and shovels", right? 
And it's a very common thing, and presumably AI being the gold rush right now, you should sell picks and shovels, which is you should build AI infrastructure companies. But really, there are tons of AI infrastructure companies right now, they're a dime a dozen; really, they're all looking for use cases, and basically, the argument, the myth of the infrastructure phase is that technology swings back and forth between app constraint and infra constraint. And right now, we're not infrastructure-constrained, we're app-constrained. And really, it's the builders of AI-enabled products like TikTok that know what to do with the AI infrastructure tha

mixxio — daily technology podcast

The ECB warns against Bitcoin / How Stadia refunds work / Disney's magic face-swapping software / Facebook is removing junk content / A surprise from OnePlus

Sponsor: Carrefour has come up with an idea I find very innovative. It's called Mi Abono Carrefour Plus, a subscription of 5.99 euros a month that lets you save 15% on all the fresh products you buy: fish, meat, fruit, vegetables, deli, bakery, ready meals, sushi, etc. Get out the calculator, because it will surely be worth your while. The first month is free.

Radically Genuine Podcast
62. James M. Greenblatt, MD: Nutritional interventions in psychiatry

Dec 1, 2022 (58:07)


A pioneer in the field of integrative medicine, James M. Greenblatt, MD, has treated patients since 1988. Dr. Greenblatt has lectured internationally on the scientific evidence for nutritional interventions in psychiatry and mental illness.

James Greenblatt, MD
Psychiatry Redefined
Integrative Psychiatry & Functional Medicine Books

If you are in a crisis or think you have an emergency, call your doctor or 911. If you're considering suicide, call 1-800-273-TALK to speak with a skilled trained counselor.

RADICALLY GENUINE PODCAST
Radically Genuine Podcast Website
Twitter: Roger K. McFillin, Psy.D., ABPP
Instagram @radgenpod
TikTok @radgenpod
RadGenPodcast@gmail.com

ADDITIONAL RESOURCES
3:00 - James Greenblatt, MD
5:30 - Integrative Medicine: What Is It, Types, Risks & Benefits
6:30 - What is Functional Medicine? | Psychiatry Redefined
11:00 - Antidepressants and the Placebo Effect - PMC
16:00 - Key Nutrients for ADHD, OCD, and Tics - James Greenblatt, MD
17:30 - Foods and additives are common causes of the attention deficit hyperactive disorder in children
18:00 - Delayed Hypersensitivity - an overview | ScienceDirect Topics
22:00 - Finally Focused: Mineral Imbalances & ADHD (Part 1: Zinc Deficiency & Copper Excess)
23:00 - Magnesium: The Missing Link in Mental Health? | PR
24:30 - Episode 40. Chris Palmer, MD
27:00 - Diet Alert: Vegetarianism and the Risks of Anorexia Nervosa
37:00 - Answers to Anorexia: Malnourished Minds | Psychiatry Redefined
40:30 - Let Them Eat Dirt: Saving Your Child from an Oversanitized World
42:00 - Association between naturally occurring lithium in drinking water and suicide rates: systematic review and meta-analysis of ecological studies
44:00 - Lithium occurrence in drinking water sources of the United States - ScienceDirect
45:00 - Nirvana – Lithium Lyrics

The Spanish Segunda Show
Raining golazos

Sep 12, 2022 (35:34)


New leaders and first wins plus a partidazo in Ipurua. Alex and Liam review MD5 in Segunda.

Visit our sponsors Surprise Shirts at https://linktr.ee/surpriseshirts and get 10% off purchases using the voucher code "SpanishSegundaShow" at the checkout.

Join our Segunda Spanish Show community FOR FREE on Discord - link below. https://discord.gg/Wt9YssuQau
- Free app
- Free to join
- Chat with like-minded Segunda fans, including Alex and Liam (similar to a WhatsApp group chat but does not reveal your phone number to other users)

Screaming in the Cloud
Authentication Matters with Dan Moore of FusionAuth

Sep 8, 2022 (37:19)


About Dan

Dan Moore is head of developer relations for FusionAuth, where he helps share information about authentication, authorization and security with developers building all kinds of applications. A former CTO, AWS certification instructor, engineering manager and a longtime developer, he's been writing software for (checks watch) over 20 years.

Links Referenced:
FusionAuth: https://fusionauth.io
Twitter: https://twitter.com/mooreds

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at AWS AppConfig. Engineers love to solve, and occasionally create, problems. But not when it's an on-call fire-drill at 4 in the morning. Software problems should drive innovation and collaboration, NOT stress, and sleeplessness, and threats of violence. That's why so many developers are realizing the value of AWS AppConfig Feature Flags. Feature Flags let developers push code to production, but hide that feature from customers so that the developers can release their feature when it's ready. This practice allows for safe, fast, and convenient software development. You can seamlessly incorporate AppConfig Feature Flags into your AWS or cloud environment and ship your Features with excitement, not trepidation and fear. To get started, go to snark.cloud/appconfig. That's snark.cloud/appconfig.

Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig secures your cloud from source to run. They believe, as do I, that DevOps and security are inextricably linked. If you wanna learn more about how they view this, check out their blog, it's definitely worth the read. To learn more about how they are absolutely getting it right from where I sit, visit Sysdig.com and tell them that I sent you. That's S Y S D I G.com. And my thanks to them for their continued support of this ridiculous nonsense.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I am joined today on this promoted episode, which is brought to us by our friends at FusionAuth, by Dan Moore, who is their head of DevRel at same. Dan, thank you for joining me.

Dan: Corey, thank you so much for having me.

Corey: So, you and I have been talking for a while. I believe it predates not just you working over at FusionAuth but me even writing the newsletter and the rest. We met on a leadership Slack many years ago. We've kept in touch ever since, and I think, I haven't run the actual numbers on this, but I believe that you are at the top of the leaderboard right now for the number of responses I have gotten to various newsletter issues that I've sent out over the years.

And it's always something great. It's “Here's a link I found that I thought that you might appreciate.” And we finally sat down and met each other in person, had a cup of coffee somewhat recently, and the first thing you asked was, “Is it okay that I keep doing this?” And at the bottom of the newsletter is “Hey, if you've seen something interesting, hit reply and let me know.” And you'd be surprised how few people actually take me up on it. So, let me start by thanking you for being as enthusiastic a contributor of the content as you have been.

Dan: Well, I appreciate that. And I remember the first time I ran across your newsletter and was super impressed by kind of the breadth of it. And I guess my way of thanking you is to just send you interesting tidbits that I run across. And it's always fun when I see one of the links that I sent go into the newsletter because what you provide is just such a service to the community. So, thank you.

Corey: The fun part, too, is that about half the time that you send a link in, I already have it in my queue, or I've seen it before, but not always. I talked to Jeff Barr about this a while back, and apparently, a big Amazonian theme that he lives by is two is better than zero. He'd rather two people tell him about a thing than no one tells him about the thing. And I've tried to embody that. It's the right answer, but it's also super tricky to figure out what people have heard or haven't heard. It leads to interesting places. But enough about my nonsense. Let's talk about your nonsense instead. So, FusionAuth; what do you folks do over there?

Dan: So, FusionAuth is an auth provider, and we offer a Community Edition, which is downloadable for free; we also offer premium editions, but the space we play in is really CIAM, which is Customer Identity Access Management. Very similar to Auth0 or Cognito that some of your listeners might have heard of.

Corey: If people have heard about Cognito, it's usually bracketed by profanity, in one direction or another, but I'm sure we'll get there in a minute. I will say that I never considered authentication to be a differentiator between services that I use. And then one day I was looking for a tool—I'm not going to name what it was just because I don't really want to deal with the angry letters and whatnot—but I signed up for this thing to test it out, and “Oh, great. So, what's my password?” “Oh, we don't use passwords. We just every time you want to log in, we're going to email you a link and then you go ahead and click the link.”

And I hadn't seen something like that before. And my immediate response to that was, “Okay, this feels like an area they've decided to innovate in.” Their core business is basically information retention and returning it to you—basically any CRUD app. Yay. I don't think this is where I want them to be innovating.

I want them to use the tried and true solutions, not build their own or be creative on this stuff, so it was a contributor to me wanting to go in a different direction. When you start doing things like that, there's no multi-factor authentication available and you start to wonder, how have they implemented this? What corners have they cut? Who's reviewed this? It just gave me a weird feeling.

And that was sort of the day I realized that authentication for me is kind of like crypto, by which I mean cryptography, not cryptocurrency, I want to be very clear on, here. You should not roll your own cryptography, you should not roll your own encryption, you should buy off-the-shelf unless you're one of maybe five companies on the planet. Spoiler, if you're listening to this, you are almost certainly not one of them.

Dan: [laugh]. Yeah. So, first of all, I've been at FusionAuth for a couple of years. Before I came to FusionAuth, I had rolled my own authentication a couple of times. And what I've realized working there is that it really is—there are a couple of things worth unpacking here.

One is you can now buy or leverage open-source libraries or other providers a lot more than you could 15 or 20 years ago. So, it's become this thing that can be snapped into your architecture. The second is, auth is the front door to your application. And while it isn't really that differentiated—I don't think most applications, as you kind of alluded to, should innovate there—it is kind of critical that it runs all the time, that it's safe and secure, that it's accessible, that it looks like your application.

So, at the same time, it's undifferentiated, right? Like, at the end of the day, people just want to get through authentication and authorization schemes into your application. That is really the critical thing. So, it's undifferentiated, it's critical, it needs to be highly available. Those are all things that make it a good candidate for outsourcing.

Corey: There are a few things to unpack there. First is that everything becomes commoditized in the fullness of time. And this is a good thing. Back in the original dotcom bubble, there were entire teams of engineers at all kinds of different e-commerce companies that were basically destroying themselves trying to build an online shopping cart. And today you wind up implementing Shopify or something like it—which is usually Shopify—and that solves the problem for you. This is no longer a point of differentiation.

If I want to start selling physical goods on the internet, it feels like it'll take me half an hour or so to wind up with a bare-bones shopping cart thing ready to go, and then I just have to add inventory. Authentication feels like it was kind of the same thing. I mean, back in that song from early on in internet history “Code Monkey” talks about building a login page as part of it, and yeah, that was a colossal pain. These days, there are a bunch of different ways to do that with folks who spend their entire careers working on this exact problem so you can go and work on something that is a lot more core and central to the value that your business ostensibly provides. And that seems like the right path to go down.

But this does lead to the obvious counter-question of how is it that you differentiate other than, you know, via marketing, which again, not the worst answer in the world, but it also turns into skeezy marketing. “Yes, you should use this other company's option, or you could use ours and we don't have any intentional backdoors in our version.” “Hmm. That sounds more suspicious and more than a little bit frightening. Tell me more.” “No, legal won't let me.” And it's “Okay.” Aside from the terrible things, how do you differentiate?

Dan: I liked that. That was an oddly specific disclaimer, right?
Like, whenever a company says, “Oh, yeah, no.” [laugh].Corey: “My breakfast cereal has less arsenic than leading brands.”Dan: Perfect. So yeah, so FusionAuth realizes that, kind of, there are a lot of options out there, and so we've chosen to niche down. And one of the things that we really focus on is the CIAM market. And that stands for Customer Identity Access Management. And we can dive into that a little bit later if you want to know more about that.We have a variety of deployment options, which I think differentiates us from a lot of the SaaS providers out there. You can run us as a self-hosted option with, by the way, professional-grade support, you can use us as a SaaS provider if you don't want to run it yourself. We are experts in operating this piece of software. And then thirdly, you can move between them, right? It's your data, so if you start out and you're bare bones and you want to save money, you can start with self-hosted, when you grow, move to the SaaS version.Or we actually have some bigger companies that kickstart on the SaaS version because they want to get going with this integration problem and then later, as they build out their capabilities, they want the option to move it in-house. So, that is a really key differentiator for us. The last one I'd say is we're really dev-focused. Who isn't, right? Everyone says they're dev-focused, but we live that in terms of our APIs, in terms of our documentation, in terms of our open development process. Like, there's actually a GitHub issues list you can go look on the FusionAuth GitHub profile and it shows exactly what we have planned for the next couple of releases.Corey: If you go to one of my test reference applications, lasttweetinaws.com, as of the time of this recording at least, it asks you to authenticate with your Twitter account. And you can do that, and it's free; I don't charge for any of these things. 
And once you're authenticated, you can use it to author Twitter threads because I needed it to exist, first off, and secondly, it makes a super handy test app to try out a whole bunch of different things.And one of the reasons you can just go and use it without registering an account for this thing or anything else was because I tried to set that up in an early version with Cognito and immediately gave the hell up and figured, all right, if you can find the URL, you can use this thing because the experience was that terrible. If instead, I had gone down the path of using FusionAuth, what would have made that experience different, other than the fact that Cognito was pretty clearly a tech demo at best rather than something that had any care, finish, spit and polish went into it.Dan: So, I've used Cognito. I'm not going to bag on Cognito, I'm going to leave that to—[laugh].Corey: Oh, I will, don't worry. I'll do all the bagging on Cognito you'd like because the problem is, and I want to be clear on this point, is that I didn't understand what it was doing because the interface was arcane, and the failure mode of everything in this entire sector, when the interface is bad, the immediate takeaway is not “This thing's a piece of crap.” It's, “Oh, I'm bad at this. I'm just not smart enough.” And it's insulting, and it sets me off every time I see it. So, if I feel like I'm coming across as relatively annoyed by the product, it's because it made me feel dumb. That is one of those cardinal sins, from my perspective. So, if you work on that team, please reach out. I would love to give you a laundry list of feedback. I'm not here to make you feel bad about your product; I'm here to make you feel bad about making your customers feel bad. Now please, Dan, continue.Dan: Sure. So, I would just say that one of the things that we've strived to do for years and years is translate some of the arcane IAM Identity Access Management jargon into what normal developers expect. 
And so, we don't have clients in our OAuth implementation—although they really are clients if you're an RFC junkie—we have applications, right? We have users, we have groups, we have all these things that are what users would expect, even though underlying them they're based on the same standards that, frankly, Cognito and Auth0 and a lot of other people use as well.But to get back to your question, I would say that, if you had chosen to use FusionAuth, you would have had a couple of advantages. The first is, as I mentioned, kind of the developer friendliness and the extensive documentation, example applications. The second would be a themeability. And this is something that we hear from our clients over and over again, is Cognito is okay if you stay within the lines in terms of your user interface, right? If you just want to login form, if you want to stay between lines and you don't want to customize your application's login page at all.We actually provide you with HTML templates. It's actually using a language called FreeMarker, but they let you do whatever the heck you want. Now, of course, with great power comes great responsibility. Now, you own that piece, right, and we do have some more simple customization you can do if all you want to do is change the color. But most of our clients are the kind of folks who really want their application login screen to look exactly like their application, and so they're willing to take on that slightly heavier burden. Unfortunately, Cognito doesn't give you that option at all, as far as I can tell when I've kicked the tires on it. 
The theming is—how I put this politely—some of our clients have found the theming to be lacking.Corey: That's part of the issue where when I was looking at all the reference implementations, I could find for Cognito, it went from “Oh, you have your own app, and its branding, and the rest,” and bam, suddenly, you're looking right, like, you're logging into an AWS console sub-console property because of course they have those. And it felt like “Oh, great. If I'm going to rip off some company's design aesthetic wholesale, I'm sorry, Amazon is nowhere near anywhere except the bottom 10% of that list, I've got to say. I'm sorry, but it is not an aesthetically pleasing site, full stop. So, why impose that on customers?”It feels like it's one of those things where—like, so many Amazon service teams say, “We're going to start by building a minimum lovable product.” And it's yeah, it's a product that only a parent could love. And the problem is, so many of them don't seem to iterate beyond that do a full-featured story. And this is again, this is not every AWS service. A lot of them are phenomenal and grow into themselves over time.One of the best rags-to-riches stories that I can recall is EFS, their Elastic File System, for an example. But others, like Cognito just sort of seem to sit and languish for so long that I've basically given up hope. Even if they wind up eventually fixing all of these problems, the reputation has been cemented at this point. They've got to give it a different terrible name.Dan: I mean, here's the thing. Like, EFS, if it looks horrible, right, or if it has, like, a toughest user experience, guess what? Your users are devs. And if they're forced to use it, they will. They can sometimes see the glimmers of the beauty that is kind of embedded, right, the diamond in the rough. If your users come to a login page and see something ugly, you immediately have this really negative association. 
And so again, the login and authentication process is really the front door of your application, and you just need to make sure that it shines.Corey: For me at least, so much of what's what a user experience or user takeaway is going to be about a company's product starts with their process of logging into it, which is one of the reasons that I have challenges with the way that multi-factor auth can be presented, like, “Step one, login to the thing.” Oh, great. Now, you have to fish out your YubiKey, or you have to go check your email for a link or find a code somewhere and punch it in. It adds friction to a process. So, when you have these services or tools that oh, your session will expire every 15 minutes and you have to do that whole thing again to log back in, it's ugh, I'm already annoyed by the time I even look at anything beyond just the login stuff.And heaven forbid, like, there are worse things, let's be very clear here. For example, if I log in to a site, and I'm suddenly looking at someone else's account, yeah, that's known as a disaster and I don't care how beautiful the design aesthetic is or how easy to use it is, we're done here. But that is job zero: the security aspect of these things. Then there's all the polish that makes it go from something that people tolerate because they have to into something that, in the context of a login page I guess, just sort of fades into the background.Dan: That's exactly what you want, right? It's just like the old story about the sysadmin. People only notice when things are going wrong. People only care about authentication when it stops them from getting into what they actually want to do, right? No one ever says, “Oh, my gosh, that login experience was so amazing for that application. I'm going to come back to that application,” right? 
They notice when it's friction, they noticed when it's sand in the gears.And our goal at FusionAuth, obviously, security is job zero because as you said, last thing you want is for a user to have access to some other user's data or to be able to escalate their privileges, but after that, you want to fade in the background, right? No one comes to FusionAuth and builds a whole application on top of it, right? We are one component that plugs into your application and lets you get on to the fundamentals of building the features that your users really care about, and then wraps your whole application in a blanket of security, essentially.Corey: I'll take even one more example before we just drive this point home in a way that I hope resonates with folks. Everyone has an opinion on logging into AWS properties because “Oh, what about your Amazon account?” At which point it's “Oh, sit down. We're going for a ride here. Are you talking about amazon.com account? Are you talking about the root account for my AWS account? Are you talking about an IAM user? Are you talking about the service formerly known as AWS SSO that's now IAM Identity Center users? Are you talking about their Chime user account? Are you talking about your repost forum account?” And so, on and so on and so on. I'm sure I'm missing half a dozen right now off the top of my head.Yeah, that's awful. I've been also developing lately on top of Google Cloud, and it is so far to the opposite end of that spectrum that it's suspicious and more than a little bit frightening. When I go to console.cloud.google.com, I am boom, there. There is no login approach, which on the one hand, I definitely appreciate, just from a pure perspective of you're Google, you track everything I do on the internet. 
Thank you for not insulting my intelligence by pretending you don't know who I am when I log into your Cloud Console.Counterpoint, when I log into the admin portal for my Google Workspaces account, admin.google.com, it always re-prompts for a password, which is reasonable. You'd think that stuff running production might want to do something like that, in some cases. I would not be annoyed if it asked me to just type in a password again when I get to the expensive things that have lasting repercussions.Although, given my personality, logging into Gmail can have massive career repercussions as soon as I hit send on anything. I digress. It is such a difference from user experience and ease-of-use that it's one of those areas where I feel like you're fighting something of a losing battle, just because when it works well, it's glorious to the point where you don't notice it. When authentication doesn't work well, it's annoying. And there's really no in between.Dan: I don't have anything to say to that. I mean, I a hundred percent agree that it's something that you could have to get right and no one cares, except for when you get it wrong. And if your listeners can take one thing away from this call, right, I know it's we're sponsored by FusionAuth, I want to rep Fusion, I want people to be aware of FusionAuth, but don't roll your own, right? There are a lot of solutions out there. I hope you evaluate FusionAuth, I hope you evaluate some other solutions, but this is such a critical thing and Corey has laid out [laugh] in multiple different ways, the ways it can ruin your user experience and your reputation. So, look at something that you can build or a library that you can build on top of. Don't roll your own. Please, please don't.Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. 
Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.Corey: So, tell me a little bit more about how it is that you folks think about yourselves in just in terms of the market space, for example. The idea of CIAM, customer IAM, it does feel viscerally different than traditional IAM in the context of, you know, AWS, which I use all the time, but I don't think I have the vocabulary to describe it without sounding like a buffoon. What is the definition between the two, please? Or the divergence, at least?Dan: Yeah, so I mean, not to go back to AWS services, but I'm sure a lot of your listeners are familiar with them. AWS SSO or the artist formerly known as AWS SSO is IAM, right? So, it's Workforce, right, and Workforce—Corey: And it was glorious, to the point where I felt like it was basically NDA'ed from other service teams because they couldn't talk about it. But this was so much nicer than having to juggle IAM keys and sessions that timeout after an hour in the console. “What do you doing in the console?” “I'm doing ClickOps, Jeremy. Leave me alone.”It's just I want to make sure that I'm talking about this the right way. It feels like AWS SSO—creature formerly known as—and traditional IAM feels like they're directionally the same thing as far as what they target, as far as customer bases, and what they empower you to do.Dan: Absolutely, absolutely. There are other players in that same market, right? 
And that's the market that grew up originally: it's for employees. So, employees have this very fixed lifecycle. They have complicated relationships with other employees and departments in organizations, you can tell them what to do, right, you can say you have to enroll your MFA key or you are no longer employed with us.Customers have a different set of requirements, and yet they're crucial to businesses because customers are, [laugh] who pay you money, right? And so, things that customers do that employees don't: they choose to register; they pick you, you don't pick them; they have a wide variety of devices and expectations; they also have a higher expectation of UX polish. Again, with an IAM solution, you can kind of dictate to your employees because you're paying them money. With a customer identity access management solution, it is part of your product, in the same way, you can't really dictate features unless you have something that the customer absolutely has to have and there are no substitutes for it, you have to adjust to the customer demands. CIAM is more responsive to those demands and is a smoother experience.The other thing I would say is CIAM, also, frankly, has a simpler model. Most customers have access to applications, maybe they have a couple of roles that you know, an admin role, an editor role, a viewer role if you're kind of a media conglomerate, for an example, but they don't have necessarily the thicket of complexity that you might have to have an eye on, so it's just simpler to model.Corey: Here's an area that feels like it's on the boundary between them. I distinctly remember being actively annoyed a while back that I had to roll my marketing person her own entire AWS IAM account solely so that she could upload assets into an S3 bucket that was driving some other stuff. It feels very much like that is a better use case for something that is a customer IAM solution. 
Because if I screw up those permissions even slightly, well, congratulations, now I've inadvertently given someone access to wind up, you know, taking production down. It feels like it is way too close to things that are going to leave a mark, whereas the idea of a customer authentication story for something like that is awesome.And no please if you're listening to this, don't email me with this thing you built and put on the Marketplace that “Oh, it uses signed URLs and whatnot to wind up automatically federating an identity just for this one per—” Yes. I don't want to build something ridiculous and overwrought so a single person can update assets within S3. I promise I don't want to do that. It just ends badly.Dan: Well, that was the promise of Cognito, right? And that is actually one of the reasons you should stick with Cognito if you have super-detailed requirements that are all about AWS and permissions to things inside AWS. Cognito has that tight integration. And I assume—I haven't looked at some of the other big cloud providers, but I assume that some of the other ones have that similar level of integration. So yeah, so that my answer there would be Cognito is the CIAM solution that AWS has, so that is what I would expect it to be able to handle, relatively smoothly.Corey: A question I have for you about the product itself is based on a frustration I originally had with Cognito, which is that once you're in there and you are using that for authentication and you have users, there's no way for me to get access to the credentials of my users. I can't really do an export in any traditional sense. Is that possible with FusionAuth?Dan: Absolutely. So, your data is your data. And because we're a self-hosted or SaaS solution, if you're running it self-hosted, obviously you have access to the password hashes in your database. If you are—Corey: The hashes, not the plaintext passwords to be explicitly clear on this. [laugh].Dan: Absolutely the hashes. 
And we have a number of guides that help you get hashes from other providers into ours. We have a written export guide ourselves, but it's in the database and the schema is public. You can go download our schema right now. And if—Corey: And I assume you've used an industry standard hashing algorithm for this?Dan: Yeah, we have a number of different options. You can bring your own actually, if you want, and we've had people bring their own options because they have either special needs or they have an older thing that's not as secure. And so, they still want their users to be able to log in, so they write a plugin and then they import the users' hashes, and then we transparently re-encrypt with a more modern one. The default for us is PDK.Corey: I assume you do the re-encryption at login time because there's no other way for you to get that.Dan: Exactly. Yeah yeah yeah—Corey: Yeah.Dan: —because that's the only time we see the password, right? Like we don't see it any other time. But we support Bcrypt and other modern algorithms. And it's entirely configurable; if you want to set a factor, which basically is how—Corey: I want to use MD5 because I'm still living in 2003.Dan: [laugh]. Please don't use MD5. Second takeaway: don't roll your own and don't use MD5. Yeah, so it's very tweakable, but we shipped with a secured default, basically.Corey: I just want to clarify as well why this is actively important. I don't think people quite understand that in many cases, picking an authentication provider is one of those lasting decisions where migrations take an awful lot of work. And they probably should. There should be no mechanism by which I can export the clear text passwords. If any authentication provider advertises or offers such a thing, don't use that one. 
I'm going to be very direct on that point.The downside to this is that if you are going to migrate from any other provider to any other provider, it has to happen either slowly as in, every time people log in, it'll check with the old system and then migrate that user to the new one, or you have to force password resets for your entire customer base. And the problem with that is I don't care what story you tell me. If I get an email from one of my vendors saying “You now have to reset your password because we're migrating to their auth thing,” or whatnot, there's no way around it, there's no messaging that solves this, people will think that you suffered a data breach that you are not disclosing. And that is a heavy, heavy lift. Another pattern I've seen is it for a period of three months or whatnot, depending on user base, you will wind up having the plug in there, and anyone who logs in after that point will, “Ohh you need to reset your password. And your password is expired. Click here to reset.” That tends to be a little bit better when it's not the proactive outreach announcement, but it's still a difficult lift and it adds—again—friction to the customer experience.Dan: Yep. And the third one—which you imply it—is you have access to your password hashes. They're hashed in a secure manner. And trust me, even though they're hashed securely, like, if you contact FusionAuth and say, “Hey, I want to move off FusionAuth,” we will arrange a way to get you your database in a secure manner, right? It's going to be encrypted, we're going to have a separate password that we communicate with you out-of-band because this is—even if it is hashed and salted and handled correctly, it's still very, very sensitive data because credentials are the keys to the kingdom.So, but those are the three options, right? 
The slow migration, which is operationally expensive, the requiring the user to reset their password, which is horribly expensive from a user interface perspective, right, and the customer service perspective, or export your password hashes. And we think that the third option is the least of the evils because guess what? It's your data, right? It's your user data. We will help you be careful with it, but you own it.Corey: I think that there's a lot of seriously important nuance to the whole world of authentication. And the fact that this is such a difficult area to even talk about with folks who are not deeply steeped in that ecosystem should be an indication alone that this is the sort of thing that you definitely want to outsource to a company that knows what the hell they're doing. And it's not like other areas of tech where you can basically stumble your way through something. It's like “Well, I'm going to write a Lambda to go ahead and post some nonsense on Twitter.” “Okay, are you good at programming?” “Not even slightly, but I am persistent and brute force is a viable strategy, so we're going to go with that one.” “Great. Okay, that's awesome.”But authentication is one of those areas where mistakes will show. The reputational impact of losing data goes from merely embarrassing to potentially life-ruining for folks. The most stressful job I've ever had from a data security position wasn't when I was dealing with money—because that's only money, which sounds like a weird thing to say—it was when I did a brief stint at Grindr where people weren't out. In some countries, users could have wound up in jail or have been killed if their sexuality became known. And that was the stuff that kept me up at night.Compared to that, “Okay, you got some credit card numbers with that. 
What the hell do I care about that, relatively speaking?” It's like, “Yeah, it's well, my credit card number was stolen.” “Yeah, but did you die, though?” “Oh, you had to make a phone call and reset some stuff.” And I'm not trivializing the importance of data security. Especially, like, if you're a bank, and you're listening to this, and you're terrified, yeah, that's not what I'm saying at all. I'm just saying there are worse things.Dan: Sure. Yeah. I mean, I think that, unfortunately, the pandemic showed us that we're living more and more of our lives online. And the identity online and making sure that safe and secure is just critical. And again, not just for your employees, although that's really important, too, but more of your customer interactions are going to be taking place online because it's scalable, because it makes people money, because it allows for capabilities that weren't previously there, and you have to take that seriously. So, take care of your users' data. Please, please do that.Corey: And one of the best ways you can do that is by not touching the things that are commoditized in your effort to apply differentiation. That's why I will never again write my own auth system, with a couple of asterisks next to it because some of what I do is objectively horrifying, intentionally so. But if I care about the authentication piece, I have the good sense to pay someone else to do it for me.Dan: From personal experience, you mentioned at the beginning that we go back aways. I remember when I first discovered RDS, and I thought, “Oh, my God. I can outsource all this scut work, all of the database backups, all of the upgrades, all of the availability checking, right? 
Like, I can outsource this to somebody else who will take this off my plate.” And I was so thankful.And I don't—outside of, again, with some asterisks, right, there are places where I could consider running a database, but they're very few and far between—I feel like auth has entered that category. There are great providers like FusionAuth out there that are happy to take this off your plate and let you move forward. And in some ways, I'm not really sure which is more dangerous; like, not running a database properly or not running an auth system properly. They both give me shivers and I would hate to [laugh] hate to be forced to choose. But they're comparable levels of risk, so I a hundred percent agree, Corey.Corey: Dan, I really want to thank you for taking so much time to talk to me about your view of the world. If people want to learn more because you're not in their inboxes responding to newsletters every week, where's the best place to find you?Dan: Sure, you can find more about me at Twitter. I'm @mooreds, M-O-O-R-E-D-S. And you can learn more about FusionAuth and download it for free at fusionauth.io.Corey: And we will put links to all of that in the show notes. I really want to thank you again for just being so generous with your time. It's deeply appreciated.Dan: Corey, thank you so much for having me.Corey: Dan Moore, Head of DevRel at FusionAuth. I'm Cloud Economist Corey Quinn. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry, insulting comment that will be attributed to someone else because they screwed up by rolling their own authentication.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. 
We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Strong & Simple Podcast
Do We Need 10,000 Steps a Day for Optimal Health?

Strong & Simple Podcast

Sep 6, 2022 30:24


Raise your hand if you have heard the almost cult-like saying that 10,000 steps a day = optimal health! "We need 10,000 steps a day for optimal health!" But what does this really mean? Where did this 10,000-step magic number come from? In this episode Michelle discusses where the idea of 10,000 steps comes from, ways to incorporate more movement into our lives, and how to set challenging but manageable goals in our "stretch" zone when it comes to both non-exercise-based movement and exercise activity.

Research article referenced in the episode, from Amanda E. Paluch, PhD; Kelley Pettee Gabriel, PhD; Janet E. Fulton, PhD; Cora E. Lewis, MD; Pamela J. Schreiner, PhD; Barbara Sternfeld, PhD; Stephen Sidney, MD; Juned Siddique, PhD; Kara M. Whitaker, PhD; Mercedes R. Carnethon, PhD: "Adults taking at least 7000 steps/d, compared with those taking fewer than 7000 steps/d, had approximately 50% to 70% lower risk of mortality. Taking more than 10 000 steps/d was not associated with further reduction in mortality risk. This work extends previous research on the association between steps and mortality in a prospective study of middle-aged Black and White adults"

Better Daily Shortcast
218 - The Vanity Of Fitness

Better Daily Shortcast

Aug 31, 2022 40:26


Wild Winsday. This episode was recorded LIVE on July 7th, 2022 with the MD5 group at Antioch Baptist in Conway, Arkansas. Fitness is of the body and faith is of the spirit. Where do they intersect in our lives? Learn more about Men's Discipleship 5: https://www.mdfive.org Join our awesome community: https://betterdaily.live

Collecting Keys - Real Estate Investing Podcast
EP 13 - Will Real Estate Crash in 2022?

Collecting Keys - Real Estate Investing Podcast

Jan 4, 2022 34:57


Will Real Estate Crash in 2022? Episode 13 Show Notes

Is the housing market going to crash in 2022? Will rent prices decline? Will cities start shutting down Airbnb rentals? Let's talk about it! In this episode of the Collecting Keys Real Estate Investing Podcast, we share our thoughts and predictions as real estate investors on the state of the housing market in 2022. You'll gain insight into how inflation will affect real estate investors, a few lessons to be learned from the psychology of buyers and sellers, and how changes in the financial sector might impact homeowners, renters, and investors. We also highlight the (not so bad) worst-case scenario for real estate investors during hyperinflation and a few new opportunities you can take advantage of this year as an investor. Plus, we share our top tips and advice for aspiring and beginner real estate investors on succeeding in 2022 and beyond.

Key Points From This Episode:
- The power of consistency and celebrating your wins and past accomplishments. [02:05]
- The state of the real estate market from 2021-2022: What will the market look like for retail, investment, valuations, etc.? [07:23]
- Analyzing the psychology of real estate buyers and sellers & What happens to home prices when inflation rates go up? [10:03]
- The worst-case scenario + new opportunities for real estate investors during hyperinflation. [15:08]
- Changes in the government's financial sector and how they're impacting homeowners. [19:01]
- Rental rates have climbed… Will rent prices decline? Will cities start shutting down Airbnb rentals? [21:35]
- Top tips for aspiring and beginner real estate investors on succeeding in 2022. [25:26]
- How to get our FREE 5-Step Guide to Start Generating Off-Market Leads. [31:10]

Tweetables:
“I'm guessing most markets are going to still see a multi single digit growth rate.” — Dan Austin [0:09:52]
“As an investor, just stick to the lower price points because… Say you're a house flipper, your worst-case exit is trying to hold onto something and just renting it out… There's still going to be great demand for rental properties.” [0:15:08]
“I don't think the rent growth that we've seen, just like the house price growth, is going to be sustainable. I don't see the rents declining, though.” — Dan Austin [0:23:28]

Resources Mentioned:
- Blinkest
- Open Letter Marketing (Use code KEYS5 for $$$ off your order!)
- Ballpoint Marketing (Use code MD5 for $$$ off your order!)
- Get your FREE 5-Step Guide to Start Generating Off-Market Leads

Connect with us:
- Connect with Michael DeHaan on LinkedIn
- Follow Michael DeHaan on Instagram
- Follow Michael DeHaan on TikTok
- Visit Dan Austin's website
- Follow Dan Austin on Instagram
- Listen to more Collecting Keys episodes
- Collecting Keys Podcast on Instagram

If you enjoyed this episode,

the CYBER5
Combating Terrorist Messaging on the Open Internet

the CYBER5

Nov 9, 2021 31:06


In episode 60 of The Cyber5, we are joined by Tom Thorley, the Director of Technology at the Global Internet Forum to Counter Terrorism (GIF-CT). We discuss the mission of GIF-CT and how it's evolved over the last five years, with particular interest in violent terrorist messaging across different social media platforms. We also discuss the technical approaches to countering terrorism between platforms and how their organization accounts for human rights while conducting their mission.

Four Key Takeaways:

1) The Evolving Mission of GIF-CT

GIF-CT combats terrorist messaging on digital platforms and is particularly focused on removing live streaming of violence. They were founded in 2017 by Microsoft, Facebook, YouTube, and Twitter to mostly combat advanced ISIS messaging efforts across their platforms, particularly after several high-profile terrorist attacks were live streamed. GIF-CT has grown to include 17 different technology companies that participate in the mission of combating terrorist exploitation of their platforms. Since ISIS has been degraded over the last three years, GIF-CT has expanded their mission to include supporting the United Nations Security Council's Consolidated Sanctions List.

2) Behavioral Models as Opposed to Group Affiliation

Due to the fast adaptation and evolution of terrorism, GIF-CT has moved to track behavioral models of violence rather than attempt to focus on known terrorist groups. They built out an incident response framework to review emergency crisis situations using technology called “hash sharing.” Now, they are looking at expanding into:
- Manifestations of terrorist attacks just carried out
- Terrorist publications (Inspire Magazine by al-Qaeda) with specific branding
- URLs, videos, and images where specific terrorist content exists across platforms

3) Hash Sharing Across Social Media Platforms with Content

User-created content is not associated with an identifiable individual, like an IP address generally tied to a device. When GIF-CT hashes videos, they not only use traditional MD5 hashes, but also use perceptual hashes, which are locality sensitive. These hashing techniques and different algorithms provided by the technology companies allow images, videos, and URLs to be flagged and potentially removed from the platform in close to real time. There is some new hash sharing technology that is being explored around PDFs. The need has been driven in part because malware is exploited because the backend code of the PDF is manipulated, whereas terrorist manifestos are not; they are just content. Technology is being explored by GIF-CT where they can hash certain content strings in PDFs for alert.

4) Optimizing for Human Rights

GIF-CT hashing algorithms minimize impact to human rights during emergency situations and differentiate between legitimate journalism and normal discord between people on the platform. GIF-CT goes through tremendous transparency initiatives that focus their algorithms on violent extremism.

The History of Computing
Scraping The Surface Of Modern Cryptography

The History of Computing

Aug 7, 2019 14:43


Welcome to the History of Computing Podcast, where we explore the history of information technology. Because understanding the past prepares us for the innovations of the future! Today's episode is scraping the surface of cryptography. Cryptography is derived from the Greek words kryptos, which stands for hidden, and grafein, which stands for to write. Through history, cryptography has meant the process of concealing the contents of a message from all except those who know the key. Dating back to 1900 BC in Egypt and Julius Caesar using substitution cyphers, encryption used similar techniques for thousands of years, until a little before World War II. Vigenere designed the first known cipher that used an encryption key in the 16th century. Since then with most encryption, you convert the contents, known as plaintext, into encrypted information that's otherwise unintelligible, known as cipher text. The cypher is a pair of algorithms - one to encrypt, the other to decrypt. Those processes are done by use of a key. Encryption has been used throughout the ages to hide messages. Thomas Jefferson built a wheel cypher. The order of the disks you put in the wheel was the key and you would provide a message, line the wheels up and it would convert the message into cypher text. You would tell the key to the person on the other end, they would put in the cypher text and out would pop the message. That was 1795-era encryption and is synonymous with what we call symmetrical key cryptography, which was independently invented by Etienne Bazeries and used well into the 1900s by the US Army. The Hebern rotor machine in the 19th century gave us an electro-mechanical version of the wheel cypher and then everything changed in encryption with the introduction of the Enigma Machine, which used different rotors placed into a machine and turned at different speeds based on the settings of those rotors. 
The innovations that came out of breaking that code and hiding the messages being sent by the Allies kickstarted the modern age of encryption. Most cryptographic techniques rely heavily on the exchange of cryptographic keys. Symmetric-key cryptography refers to encryption methods where both senders and receivers of data share the same key and data is encrypted and decrypted with algorithms based on those keys. The modern study of symmetric-key ciphers revolves around block ciphers and stream ciphers and how these ciphers are applied. Block ciphers take a block of plaintext and a key, then output a block of ciphertext of the same size. DES and AES are block ciphers. AES, also called Rijndael, is a designated cryptographic standard by the US government. AES usually uses a key size of 128, 192 or 256 bits. DES is no longer an approved method of encryption; triple-DES, its variant, remains popular. Triple-DES uses three 56-bit DES keys and is used across a wide range of applications from ATM encryption to e-mail privacy and secure remote access. Many other block ciphers have been designed and released, with considerable variation in quality. Stream ciphers create an arbitrarily long stream of key material, which is combined with a plaintext bit by bit or character by character, somewhat like the one-time pad encryption technique. In a stream cipher, the output stream is based on an internal state, which changes as the cipher operates. That state's change is controlled by the key, and, in some stream ciphers, by the plaintext stream as well. RC4 is an example of a well-known stream cipher. Cryptographic hash functions do not use keys but take data and output a short, fixed-length hash in a one-way function. For good hashing algorithms, collisions (two plaintexts which produce the same hash) are extremely difficult to find, although they do happen. Symmetric-key cryptosystems typically use the same key for encryption and decryption. 
A disadvantage of symmetric ciphers is that a complicated key management system is necessary to use them securely. Each distinct pair of communicating parties must share a different key. The number of keys required increases with the number of network members. This requires very complex key management schemes in large networks. It is also difficult to establish a secret key exchange between two communicating parties when a secure channel doesn't already exist between them. You can think of modern cryptography in computers as beginning with DES, or the Data Encryption Standard, a 56-bit symmetric-key algorithm developed by IBM and published in 1975, with some tweaks here and there from the US National Security Agency. In 1977, Whitfield Diffie and Martin Hellman claimed they could build a machine for $20 million that could find a DES key in one day. As computers get faster, the price goes down as does the time to crack the key. Diffie and Hellman are considered the inventors of public-key cryptography, or asymmetric key cryptography, which they proposed in 1976. With public key encryption, two different but mathematically related keys are used: a public key and a private key. A public key system is constructed so that calculation of the private key is computationally infeasible from knowledge of the public key, even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair. In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The public key is typically used for encryption, while the private or secret key is used for decryption. Diffie and Hellman showed that public-key cryptography was possible by presenting the Diffie-Hellman key exchange protocol. The next year, Ron Rivest, Adi Shamir and Leonard Adleman developed the RSA encryption algorithm at MIT and founded RSA Data Security a few years later in 1982. 
Later, it became publicly known that asymmetric cryptography had been invented by James H. Ellis at GCHQ, a British intelligence organization, and that both the Diffie-Hellman and RSA algorithms had been previously developed in 1970 and were initially called “non-secret encryption.” Apparently Ellis got the idea reading a Bell Labs paper about encrypting voice communication from World War II. Just to connect some dots here, Alan Turing, who broke the Enigma encryption, visited the proposed author of that paper, Shannon, in 1943. This shouldn't take anything away from Shannon, who was a brilliant mathematical genius in his own right, and got to see Gödel, Einstein, and others at Princeton. Random note: he invented wearables to help people cheat at roulette. Computer nerds have been trying to leverage their mad skills to cheat at gambling for a long time. By the way, he also tried to cheat at, er, I mean, program chess very early on, noting that 10 to the 120th power was the game-tree complexity of chess and wrote a paper on it. Of course someone who does those things as a hobby would be widely recognized as the father of information theory. RSA grew throughout the 80s and 90s and in 1995, they spun off a company called VeriSign, who handled patent agreements for the RSA technology until the patents wore out, er, I mean expired. RSA Security was acquired by EMC Corporation in 2006 for $2.1 billion and was a division of EMC until EMC was acquired by Dell in 2016. They also served as a CA - that business unit was sold in 2010 to Symantec for $1.28B. RSA has made a number of acquisitions and spun other businesses off over the years, helping them get into more biometric encryption options and other businesses. Over time the 56-bit key size of DES was too small and it was followed up by Triple-DES in 1998. And Advanced Encryption Standard, or AES, also in 1998. 
Diffie-Hellman and RSA, in addition to being the first public examples of high quality public-key cryptosystems have been amongst the most widely used. In addition to encryption, public-key cryptography can be used to implement digital signature schemes. A digital signature is somewhat like an ordinary signature; they have the characteristic that they are easy for a user to produce, but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed as they cannot be moved from one document to another as any attempt will be detectable. In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and to many network security schemes (SSL/TLS, many VPNs, etc). Digital signatures provide users with the ability to verify the integrity of the message, thus allowing for non-repudiation of the communication. Public-key algorithms are most often based on the computational complexity of hard problems, often from number theory. The hardness of RSA is related to the integer factorization problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. More recently, elliptic curve cryptography has developed in which security is based on number theoretic problems involving elliptic curves. Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. 
As a result, public-key cryptosystems are commonly hybrid systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed. OpenSSL is a software library that most applications use to access the various encryption mechanisms supported by the operating systems. OpenSSL supports Diffie-Hellman and various versions of RSA, MD5, AES, Base, sha, DES, cast and rc. OpenSSL allows you to create ciphers, decrypt information and set the various parameters required to encrypt and decrypt data. There are so many of these algorithms because people break them and then a new person has to come along and invent one and then version it, then add more bits to it, etc. At this point, I personally assume that all encryption systems can be broken. This might mean that the system is broken while encrypting, or the algorithm itself is broken once encrypted. A great example would be an accidental programming mistake allowing a password to be put into the password hint rather than in the password. Most flaws aren't as simple as that. Although Kerckhoffs's principle teaches us that the secrecy of your message should depend on the secrecy of the key, and not on the secrecy of the system used to encrypt the message. Some flaws are with the algorithms themselves, though. At this point most of those are public and security without a password or private key they just take too long to decrypt to be worth anything once decrypted. This doesn't mean we don't encrypt things, it just means that in addition to encryption we now add another factor to that security. But we'll leave the history of two-factor security to another episode. 
Finally, RSA made a lot of money because they used ciphers that were publicly reviewed and established as a standard. Public review of various technological innovations allows for commentary and making it better. Today, you can trust most encryption systems because due to that process, it costs more to decrypt what you're sending over the wire than what is being sent is worth. In other words, collaboration trumps secrecy.

The Laravel Podcast
Interview: Snipe, AKA Alison Gianotto

The Laravel Podcast

Mar 21, 2018 58:56


An interview with Alison Gianotto / Snipe, creator of Snipe-IT. Snipe.net | Snipe-IT | @snipeyhead. Editing sponsored by Larajobs. Transcription sponsored by GoTranscript.com.

[music]

Matt: All right, cool. All right. Welcome back to the latest episode of Laravel Podcast. It's been a little bit of a break for those of you who tune in to every new episode, but I've got another great interview here. As with every single one, I'm interested and excited to introduce someone to you. Some of you have heard of before, a lot of you might not know that she actually works in Laravel. Either way, it's going to be great. This is Snipe. Although in my head, you have been Snipeyhead because I feel that's been your Twitter name for a while. Real name, Alison Gianotto, but I'm probably just going to end up calling you Snipe for rest of this call. Before I go in asking you questions, the first thing I want to do is just I always ask somebody, if you meet somebody in the grocery store who you know isn't technical at all, and they ask you, "What do you do?" What's the first way you answer that question?

Snipe: I say I work with computers.

Matt: Right, and then if they say, "My cousin works with computers and whatever." Where do you go from there?

Snipe: Well, it depends on their answer. If they say, "Do you fix computers?" I'm like, "Not exactly." If they say, "Really? What type of computer work do you do?" I say, "Well, I'm a programmer." They're like, "So you make games?" "Well, not exactly." If they say something like, "Mobile apps or web? What languages?" Then I'm like, "Okay, now I can actually have a conversation." I don't do it to be disrespectful to the person asking. It's just confusing to them, and so I like to keep it bite-sized enough that no one gets confused.

Matt: If you talk to a grandma in a store who doesn't have much exposure with computers, and you say, "Well, I work in InfoSec with blah-blah-blah." Then she's going to go, "Huh?" I totally hear you. 
If somebody does ask and they say, "You know what? I actually work in Rails," or, "I know what a framework is." How do you answer someone when they are more technical? Let's say, somebody-- You understand that this person is going to get all the names that you drop. Where do you go from there? How do you tell someone about what you do?

Snipe: I actually usually say that I run a software company. I say, "I run a small software company that basically works on open source software." Usually, they look at me like, "How do you--"

Matt: How do you make money?

Snipe: Literally makes no sense.

[laughter]

Matt: Which is where we're going to go. Let's actually go there. Snipe-IT, it's a company that has an open source product. I'm guessing that you make your money by paid support plans and hosting plans. Right? Then you also have the whole thing available for free in open source?

Snipe: That's correct. Yes.

Matt: Could you give us a little pitch for anybody who doesn't know what Snipe-IT is, and what it does, and who it's for?

Snipe: I'm so bad at this. I'm the worst salesperson ever.

Matt: Well, I'm helping you grow.

[laughter]

Matt: Thirty seconds or less.

Snipe: If you have any kind of a company and you buy assets like laptops, or desktops, or monitors, you need to keep track of them and you know who has what, what software is installed on what. Then usually I'm like, "I've got this nailed. I've got this nailed." Then I end up saying, "It's not a very sexy project, but people need it." [chuckles]

Matt: Right, right, right. You have to justify yourself in your sales.

Snipe: I know it. I really do. I'm really the worst at it. People get really excited. We're going to DEF CON this year like we usually do. I'm actually bringing my whole crew.

Matt: Cool.

Snipe: Because I really want them to be able to experience the way people react when they realize that we are Snipe-IT because they just get so excited. 
I've had people run across the conference floor to give me a hug that I've never met.

Matt: Wow.

Snipe: It's really cool. There was another time I was talking to, I think, YTCracker on the conference floor. He introduces me to one of his friends. He's like, "Yes, she's got an IT asset management software." He's like, "Really? I just heard about one of those. That was really great." I know exactly where this is going. I'm watching him look at his phone. He's like, "Yes, I just heard about it. It's really amazing. I think through your competition." I'm just sitting there smirking and I'm like, "Okay." Totally, I know exactly where this is going, but I let him spend five minutes looking it up on his phone. He's like, "It's called Snipe It?" I just look at him like, "Hi, I'm Snipe."

[laughter]

Snipe: It was actually wonderful.

Matt: It's one of the benefits not just of having the company, but actually naming it after yourself. You're like, "No. I'm actually the Snipe. That's me."

Snipe: I'm excited to bring my crew out to DEF CON this year so they can really get to experience that first hand. Because like anything else in open source and in company support in general, a lot of times, you only hear the negative stuff. You hear about when something is broken or when something doesn't work exactly the way they want it to work. To actually get just random people coming up-- I'm getting us swag. I'm getting us t-shirts printed out. I'm super excited.

Matt: I love it. There's nothing like having the opportunity to see the people who love what you're doing to really motivate you to go back and do it again. I hear that, for sure.

Snipe: Definitely. Open source can be really tough with that because for the most part, the only thing that you're hearing is, "It doesn't work," or, "Why doesn't it do it do this thing?" Or people telling you how they think your software should work. To just get basically unbridled love, it really recharges me. 
It makes me want to work on a project even harder.

Matt: Plus, the phrase unbridled love is just fantastic.

[laughter]

Matt: It should be in our lexicon more often.

Snipe: I agree.

Matt: It's asset management software. I'm imagining I've got a 500-person company, and every single person gets issued a laptop within certain specs. After it's a certain amount of time old, then it gets replaced. We're going to make sure they have the latest build of whatever, Windows and the latest security patches, and that kind of stuff. It's at the point where you don't have-- My company has, I think, 17 people right now. There is just a spreadsheet somewhere. This is when you get to the point where a spreadsheet is really missing people. People aren't getting their upgrades. People don't have security updates. My guess was the reason there was InfoSec involved in this at DEF CON is because security updates is a big piece of why that's the case. Did I assume right? Could you tell us a little bit more about how InfoSec and security are related to what you're doing here?

Snipe: You're kind of right. We don't currently have a network agent, so we don't have anything that listens on the wire. We do have a JSON REST API, though. Basically, we're now working with folks like Jira, Atlassian, and we're going to be working with a JaMP API to try and basically make that stuff easier. I feel like it's out of scope for us to try and build another networking agent, but we have an API. If we can just build those bridges, then it just makes it a little bit easier. Ultimately, in terms of security, the real reason why I think people in InfoSec appreciate this tool, especially given the fact that we don't have-- And some people in InfoSec actually like the fact that we don't have a monitoring agent because that actually becomes a separate problem in and of itself. Let me give you a backstory on why I created this in the first place.

Matt: Please do. 
Snipe: Maybe that'll help explain a little bit more. I was the CTO of an ad agency in New York City. We had grown from-- I think I was employee number 12, and we were now at 60 something people. We were using a Google Sheet shared between three IT people, some of which were not necessarily the most diligent-

[laughter]

Matt: Sure.

Snipe: -about keeping things up to date. Basically, when you've got a single point of truth that is no longer a single point of truth, it becomes a bit of a hellish nightmare. Additionally, if you're repurposing-- Because it's an ad agency, so you have a lot of turnover. You don't have any history on any particular asset if this asset is actually bad. If the hard drive on this is actually just bad and should be replaced. If this is bad hardware, then we should consider just unsetting it, and getting a brand new box, whatever. We had to move offices. We were moving our main office and also our data center. Of course, when you're trying to move a 60-person company, and servers, and everything else, the very first thing that you have to do is to know what you have. That was an enlightening experience. It basically turned out that we had about $10,000 worth of hardware that we just didn't know where it was anymore.

Matt: Wow.

Snipe: People got fired. This is basically before I was a CTO and before I had set up the exiting process. People had been fired or had quit and just taken their laptops with them. That's got company data on it. That was a huge, huge issue for us. I was like, "Okay, we need something that we can integrate into our exit strategy or exit process to make sure that we're reclaiming back all of the data that--" Because some of those stuff is client data. It's actually really sensitive from a corporate perspective. Also, sometimes it's customer data. It was really important to have a way to handle that a bit better. That's it. The asset part is the most important part of that software. 
We do have support for licenses where the cloud offering portion of that is not as fully developed. We're going to be building in a services section soon. That will describe, for example, if you had Snipe-IT as a vendor, where would we fit in this ecosystem for our customers? We don't actually have a good answer for that. We're going to be building out a services section that lets you know how much money you're paying every month, how many seats you have.

Matt: That's great. That would cover not just global stuff, but also individual subscriptions like Adobe and PHP--

Snipe: Sure, sure.

Matt: Cool. That's awesome.

Snipe: Licenses are really hard. They're hard because you can have-- One of our customers actually has a hundred thousand licenses.

Matt: Oh, my Lord.

Snipe: Because you've got this notion of a software license and then a bunch of different seats. There are some licenses that have one seat, and only one seat they only ever will. Then there are ones that have tens of thousands. For example, Microsoft Suite. If you have a large company, you're going to have a lot of those licenses. One of the things I care really deeply about in Snipe-IT, and I think one of the reasons why we've been successful in this really saturated marketplace, because it is a really saturated marketplace, is that I care a lot about the users' experience. I know, for example, that our licenses section, the UI on that, the UX on that is not as optimized as it could be. That will be the next thing that we're really tackling is because it is a popular section. It's one that because of the nature of the variability of licenses, makes that a really tricky UX problem to solve. That's one of the things that I love about this work is getting to solve those kinds of problems.

Matt: You're just starting to make me interested in this which means you're doing your job of the sales pitch. You said you got something you're super comfortable with. 
Snipe: [laughs]

Matt: I always struggle-- Somebody made a joke and they said something like, "It's a drinking game for how many times Matt says 'I could talk about this for hours' during a podcast."

Snipe: I did see that, yes.

Matt: We're there already.

[laughter]

Matt: I want to step back from Snipe-IT just a little bit. Snipe It, I want to call it Snipe It now that you said that.

Snipe: Please don't call it that. [laughs]

Matt: I won't, I promise. Think a little bit about what got you to here, and what got you to the point where you're a name and an online persona. I saw you had some interactions with @SwiftOnSecurity the other day. Everyone got all excited seeing the two of you interacting. What was the story? I want to eventually go back to when you got into computers in the first place. First, what was the story of the process of you going from just any other person on the Internet, on Twitter, on GitHub, or whatever to being a persona that is relatively well-known across multiple communities?

Snipe: I can't really answer that for you because I don't really understand it myself. Other than lots of poop jokes--

Matt: It's the best.

Snipe: Yes. [chuckles] I think, probably, I've been on Twitter for a while. Also, I was on IRC for a long time. I think I'm still an op in the ##php channel on Freenode, although I don't visit there as often as I used to. I was really involved in that as I was learning PHP, and as I was helping other people learn PHP. I don't know. I've always been a mouthy broad, and I think that's probably worked because whether you like me or not, you remember me. [laughs]

Matt: Yes, for sure.

Snipe: I'm doing my very best to not swear on your podcast, by the way. I've caught myself at least five times that I'm like, "No, no, no." [laughs]

Matt: If it happens, it happens but I appreciate it.

Snipe: I'm doing my very best. I'm at a conference--

Matt: Broad was a good one, yes. All right, exactly.

Snipe: Yes, I know. Yes, exactly. 
I was like, "B-b-b-broad." Matt: [laughs] Snipe: Which is an offensive term in and of itself, but it's still- Matt: We toned it down a little. Snipe: -better than the alternative, I think. [laughter] Matt: I love it. Snipe: I'm trying my best here, Matt. Matt: I appreciate it very much. Was it in the world of PHP? First of all, I heard longevity. I've been here for a while. That's always a big win. Poop jokes, that's also obviously big win. Give the people what they want. Snipe: I don't know if I can say dick jokes on your podcast. Matt: Well, you did. There we are. Snipe: Dick jokes are definitely big part of my repertoire. [laughs] Matt: Yes, I know. Being an interesting person, having been around for a while, but was it in PHP, and teaching PHP, and being around in the PHP world for a while, was that the main space where you came to prominence versus InfoSec, versus being open source business owner? Was it primarily in being a PHP personality where you came to at least your original knownness? Snipe: I think probably. Probably, yes. When I grab onto something, I don't let go of it. I've been doing some Perl work. I've probably started with Perl, but that was back in the days when I ran Linux as a desktop on purpose. [laughs] Matt: Oh, my goodness. Snipe: I was writing some Perl stuff. Heard about this this crazy thing called PHP which looked way easier and was way more readable, and ended up writing some-- Now, terribly insecure. I know this now, because it's like 2000, 2001, something like that. Which is for going back a ways. I had just started to put out stupid scripts like e-card scripts and things like that, because they served the need that I needed to have filled. This is a well-known secret, but I worked Renaissance Fairs for a very long time. I was guild member number four of the International Wenches Guild. Matt: What? Snipe: Yes. That's not even the most interesting thing I can tell you. 
Anyway, I was running their website Wench.org which now looks terrible because Facebook took over that community. I used to have interactive like sending roses to each other. Because in the Renaissance Fair community, different rose colors have different meaning. It's basically like an online greeting card thing with these built-in rose color meanings. You could pick different colors of roses and send them to people that you liked, or people you didn't like, or whatever. Having this playground of a huge community of people who-- Basically, I would post to the forums. I'd say, "I'm thinking about building this. What do you guys think?" By the time they actually answered me, I had already built it anyway. I was just like, "This looks really interesting. I want to see if I can do this." Matt: To do it, yes. Snipe: Yes, exactly. It was really, really cool to have access to, basically, a beta-testing community that was super excited about anything that I put out. It definitely stoked the fires for me, stretching and doing things that I may not have done if I didn't have a reason to do it before. Matt: Well, I love how much passion plays a part there. Not this ill-defined like, "I'm passionate about programming. That means I spend all my free time doing it," but more like-- I've noticed that a lot of people who are a little bit older had PHP-- Actually, just developers in general which is quite a few people I've had on the show. Snipe: Are you calling me old? Matt: Me too. I'm in the group too. Snipe: Are you calling me old? Oh my God. That's it. This interview is over. [laughter] Matt: You're going to burn the place down. I think those of us who started back when becoming a programmer wasn't necessarily going to make you big and rich. There's a little bit of that idea today. Go do a six-month boot camp, and then you're going to be rich or something. I think when a lot of us started-- I'm putting myself in that bucket, in the '90s and the '80s. 
When we started, it was because it was something that allowed us to do things we couldn't do otherwise. I don't know your whole back story, so I want to hear it, but a lot of the people I've noticed, "I was in the dancing community. I was in the video game community. I was in the Renaissance whatever Fair community." Snipe: I used to work on Wall Street. That was what I was doing before I got into computers. [laughs] Matt: Okay. Well, before I talk anymore, we need to talk about this. Tell me the story. Tell me about Wall Street, and then tell me when did you actually first get into computers? Snipe: I left high school. I was living with my sister in a tent in Montana for about nine months. Then it got too cold, our toothpaste started to freeze during the day. We were like, "F this business." We went down to Colorado because we'd met some friends at Colorado School of Mines. Stayed there for a little bit. Came back to New Jersey, and was like, "Well, I don't want to go to college. I also don't have any money for college." [laughs] There's that. I ended up waitressing for a little bit. Was waitressing, wearing my indoor soccer shoes, because I was a soccer player for 13 years. The coach from Caine College came in to eat at my restaurant. He looks at me with disdain and he goes, "You actually play soccer with those, or are they just for fashion?" Matt: Oh, my goodness. Snipe: I'm like, "Bitch, I was All-State. What are you talking about?" [laughter] Snipe: He's like, "Do you want to go to college?" I'm like, "I guess." He invited me to go to Caine College where I studied education of the hearing impaired for exactly one semester. [laughter] Snipe: I was like, "Holy crap. This is so boring. I can't do this." Not the education of the hearing impaired part. Matt: Just college. Snipe: Yes, it just wasn't my jam. I was like, "I want to move to New York." I moved to New York City. I pick up a paper, and I'm like, "Okay, I'm super not qualified to do any of these things." 
Basically, I was a leatherworker at a Renaissance Fair. I'd done makeup work for the adult film industry. I'm like, "Um." Of course, the easiest way to Wall Street is sales. I had the most grueling interview I've ever had in my life, because I didn't know anything about real sales compared to retail. I remember sweating so hard. I'd just dyed my hair back to a normal color. You could still see a little bit of green in it, and I'm wearing my sister's fancy, fancy suit. I have no idea what I'm actually going to be doing there. It is literally out of Glengarry Glen Ross, high-pressure sales that they're expecting from me. I'm like, "I'm 17, 18 years old. I have no idea what I'm doing." I managed to pull it out. At the very last minute, I got the job. Matt: Nice. Snipe: Was working at a place that did forex futures. Then they went out of business because the principals moved back to Argentina with all of our clients' money. That spent a little bit of time in the attorney general's office, making it really clear that we had nothing to do with it. Matt: At least it was there and not jail. Snipe: That's absolutely true. It's not that uncommon that the main traders are the ones that actually have the access to the real money. Then we started working at a stock shop. I realized I was working until six, seven o'clock at night, busting my ass all for lines in a ledger. I was actually pretty good at that job, but I also caught myself using those creepy, sleazy sales techniques on my friends and my family. When you catch yourself saying, "Well, let me ask you this." You're like, "Ah, ah." Matt: "I hate myself. Oh, my God, what am I doing?" Snipe: I know. I just realized that I hated myself, and that I didn't want to do it anymore. I quit my job. I had a boyfriend at that time that had a computer. That's pretty much it. I had done some basic programming, literally BASIC programming in high school. Matt: Like QBasic? Snipe: Yes. BASIC in high school. 
In fact, funny story, when I wrote my first book-- I almost didn't graduate high school because my parents were getting divorced, and I just checked out. I was good in all my classes, I just checked out. I had to pass a computer programming class in order to graduate. My teacher, who was the track coach as well, Coach Terrell, he knew me from soccer. He calls me into his office. He's like, "Alison, I've got to tell you. You just weren't here, and you know that if you don't show up, I penalize you for that. Did really well on all your tests, but attendance is not optional in this class. I just don't think I can pass you." I'm like, "I'm not going to graduate then." He's like, "All right. Well, the thing is that when you're here, you do really good work. I'm going to let you go this time, but you've really got to get your shit together." Matt: Wow. Snipe: When I published my first programming book, I sent him a copy. [laughter] Matt: That's awesome. Snipe: I wrote on the inside, "Dear Coach Terrell, thanks for having faith in me." [laughs] Matt: That's amazing, and you know he has that sitting on the shelf where everyone can see it. Snipe: Yes, yes, yes. Matt: That's really cool. Snipe: That was really nice of him. [laughs] My life would have had a slightly different outcome if I'd had to take some more time, and get a GED, and everything else just because I didn't show up to my programming class. Matt: Wow. Snipe: Anyway, I left Wall Street because I had a soul, apparently. Matt: Turns out. Snipe: It turns out, "Surprise." I totally still have one. [laughter] Matt: It's funny because you're telling me this whole story, and what I'm seeing in front of my face in Skype is your avatar. For anyone who's never seen this avatar, it's got a star around one eye, smirky, slanty eyes, looking down where you're like, "I'm going to get you." 
It's funny hearing you tell this story, and just the dissonance is so strong of seeing that, hearing your voice, and then hearing you talk about being on Wall Street. Obviously, I'm looking back. Hindsight is 20/20, but seeing this story turned out the way it has so far does not surprise me, looking at the picture of you that I'm looking at right now. Snipe: Mohawk people have souls too. Matt: It turns out, yes. Snipe: I got that mohawk as a fundraiser for EFF. Matt: Really? Snipe: I raised like $1,500 for EFF a bunch of years ago. Matt: You just liked it and kept it? Snipe: Yes. Once I had it, I was like, "Wait a minute. This completely fits me. Why did I not have this my entire life?" Matt: That's awesome. Snipe: Yes, there was a good reason behind it. Matt: Honestly, what I meant is actually the inverse which is that I associate having the soul-- When you imagine a soulless, crushing New York City job where you hate what you're doing, you don't usually associate it with the sense of owning who I am and myself that is associated with the picture I'm looking at right in front of me. Your boyfriend at that time had a computer, you actually had a little bit of history because you'd studied at least some coding. You said primarily and BASIC in high school. Where did you go from there? Was that when you were doing the Renaissance Fairs, and you started building that? Or was there a step before that? Snipe: No. Remember, this is back when the Web-- I'm 42. Matt: I wasn't making any assumptions about what the Web was like at that point. Snipe: I think there might have been one HTML book that was about to come out. That's where we were. If you wanted to do anything on the Web, you basically figured out how to right-click- Matt: View source them. Snipe: -and view source, and you just poked at things until they did what you wanted. There was no other way around that. 
I realized that I really liked it because it let me say what I wanted to say, it let me make things look-- For what we had back then, we didn't have JavaScript, or CSS, or any of that stuff. Matt: Right. Use that cover tag. Snipe: Yes, exactly. It was enormously powerful to be able to have things to say, and put them out there, and other people could see it. Then I just started to freelance doing that. I was also doing some graphic design for one of those-- It's like the real estate magazines, like Autotrader type of things but for cars. I used to do photo correction for them using CorelDraw, I think it was. Matt: Oh, my gosh, that's a throwback. Snipe: Yes. I'm an old, old woman. [laughter] Matt: I've used CorelDraw in my day, but it's been a long time. Snipe: Our hard drives would fill up every single day, and so we'd have to figure out what had already gone to press that we can delete it off. Basically, Photoshopping, to use Photoshop as a verb inappropriately, garbage cans and other stuff out of people's black and white, crappy photos. Because he was nice enough to give me a job. I offered and I said, "You know, I can make you a website." He's like, "Yes, the Internet's a fad." I was like, "I'm just trying to build up my portfolio, dude, for you for free." He's like, "Yes, yes, yes, it's not going to stick." I'm like, "Okay." [laughs] Matt: All right, buddy. Snipe: That's where it started. Then I think I moved to Virginia for a short amount of time, and then Georgia. Got a job at a computer telephony company where I was running their website, and also designing trade show materials like booths and stuff, which, by the way, I had no idea how to do. No one was more surprised than I was when they took pictures of the trade show and the booth actually looked amazing. Matt: That should look good. Snipe: I was like, "Look, yes." Matt: "Hey, look at that." [laughter] Snipe: That's very, very lucky. There was definitely a lot of fake it until you make it. 
Also, I've never designed a trade show booth, but trade show booths do get designed by someone, and at least a handful of those people have never done it before. Matt: Right. I'm relatively intelligent person, I understand the general shape of things. Snipe: Yes. Get me some dimensions, I'm sure I could make this work. Matt: What is the DPI thing again? [chuckles] Snipe: Yes, exactly. That was exciting and fun. Then I moved back to New York to teach web design and graphic design at an extension of Long Island University. Matt: Cool. Snipe: Yes, it was actually very, very cool. The school was owned by these two teeny-tiny Israeli ladies. They were absolutely fabulous. It was kind of a crash course in Hasidic and Orthodox Jewish culture. It was in Flatbush, so basically, 90% of my students were Hasidic or Orthodox. I think I broke every rule ever. The two owners of the school would just look at me and laugh. They wouldn't offer me any guidance. They just liked watching. Matt: Well, it would be awkward. Yes. Snipe: Exactly. I'm like, "Why would you do that to me?" [laughter] Snipe: They're just laughing. I could hear them laughing from upstairs- Matt: That's hilarious. Snipe: -when they knew I was putting my foot in another cultural mess. That was really, really fun. I learned a lot from that. I learned a lot about teaching. I even got to have a deaf student one time, which was great, except I didn't know-- I used to know or still know American sign language, but when I learned, there weren't any computer-related signs. It was actually a weird barrier that I hadn't thought about. We're like, "Okay, I can sign as I'm talking," but then I'm like, "Wait, do I have to spell all this stuff out every single time? I have no idea." That was cool. Then I started just doing HTML for a company called Cybergirl, which is not a porn site. I always have to clarify that. Not that there's anything wrong with porn, but it was not, in fact, a porn site. 
It was an online women's community. Matt: Cool. Snipe: They weren't really super profitable in the community itself, so they had a separate part that did websites for clients. I was put on to work mostly with their clients. They had stuff written in ASP, ColdFusion. Because the people who had designed it weren't there anymore, I basically had to learn all of these languages. Also, we only had a part time sysadmin, so when we'd hire someone new, I'm like, "I guess I'm creating email accounts for people now." I became a stand-in for a lot of different roles. Got to play with a lot of different languages, some of which I liked vastly better than others. ColdFusion? Really? [laughs] Matt: ASP wasn't that bad. There was worse things than classic ASP. Snipe: Yes, there are. That is a thing that could be said. That is an opinion one might have. [laughter] Matt: Trying to keep a positive spin on it. Snipe: I would say that all of these languages, the ones that are still around, have come a very long way since then, including PHP. Matt: Yes, yes. .NET is not a classic ASP. PHP 5, whatever. PHP 7 is no PHP 3, for sure. Snipe: Certainly. Matt: Were you using PHP at that point already, then? Was that one your-- Snipe: Yes. That was one I was-- Because I'd already done some Perl stuff, and it just wasn't that hard. One of our clients had a website, I think it was The Bone Marrow Foundation, had their website in PHP. That forced me to do a bit more legwork on it. That was the beginnings, the very beginnings. Matt: At that point, we're probably talking about single-page PHP files for each page. At the top, you've got a common.inc that you're doing your database connections. Then below that, it's just a template, right? Okay. Snipe: Functions.inc and usually some sort of PHTML. [laughs] Matt: God, PHTML, yes. Okay, all right. Snipe: I told you, I am an old, old lady. Matt: Honestly, we worked on a site that still used PHTML and things like four or five years ago. 
I was like, "I didn't even know that PHP parser is still allowed for this." Apparently, some of these things still stick around. Snipe: Whatever you set as your acceptable file formats, it'll parse. Matt: Yes, you can make it happen. Snipe: I can have a .dot site file extension if I wanted to. Matt: I like that idea now. Jeez. When was the transition? What were the steps between there and ending up where you are now? Are we still many steps behind, or did you get out on your own pretty quickly after that? Snipe: I was doing some contract work. Thanks to a friend that I'd met through IRC. I was doing some contract work for a company out in San Diego. They were an ad agency. This is the beginning of the days when marketing companies were trying to own digital, and they were trying to build up their digital departments. They moved me out there because they're like, "You're amazing, so come on out here and build up our team." I did. I built up their team. We had some really cool clients. We had San Diego Zoo, San Diego Padres, California Avocado Commission. At that time, I didn't like avocados. I was giving away free avocados that I did not like. Matt: [chuckles] Oh, no. That's so good. Snipe: I hate myself now for knowing how many avocados I could have had. [laughs] I got to build lots of custom web apps, all the database-y stuff. That was really fun. I left there, started my own web design company for lack of a better term, where I was basically using PHP, but also pretending like I knew how to design anything at all. Sorry, hang on. Incoming call. Building my own custom applications for people. None of it is really that fancy, but whatever. That was fun. Then I broke my foot. This is before the ACA, and so I had no insurance. Thousands of dollars and a spiral fracture later, I'm like, "Maybe I should get a real job." [laughter] Snipe: I started to work for the San Diego Blood Bank, which was a great gig. It's probably my favorite job. 
The pay wasn't that great, but my coworkers were great. Your hours were your hours. There was no overtime. If you had to work overtime, you got paid double time and a half, something like that. It was insane. Matt: Especially compared to the ad agency world, which is basically the exact opposite. Snipe: Yes. Yes. There's no amount of blood you can show to prove that you're loyal to that particular market. I ended up moving back to New York and ended up working for the Village Voice for a little while. Matt: Really? That's cool. Snipe: Yes, that was cool. Unfortunately, they had already been bought out by Newtimes, and so they were not the Village Voice that I grew up with, the one that warmed the liberal cockles of my heart. It was actually a crap place to work, to be honest. People were getting fired all the time. There was this one guy, he used to hang out in the archives room with an X-Acto blade and a piece of paper and would just cut at the piece of paper. He was actually scary. Everyone was afraid of him, because that's office shooter kind of crazy. Matt: Exactly, exactly. Snipe: I left there, finally, and worked for another ad agency. That's the one that I was working at when I finally started to work with Snipe-IT. Finally started to make Snipe-IT. For a while, while I was in California, the nice thing about running your own gig back then, because it was like a one-man shop, so I didn't have people that I had to worry about. I got a chance to work with tigers for about a year. It was just exhausting. That was around the time when I was writing my book, too. Working with tigers, commuting four hours a day, coming home stinking like raw chicken and tiger pee. Then working on my book, and then whatever I can possibly eke out for customers. It was pretty chaotic and definitely exhausting, but they were good times. 
Matt: I don't want to preach too far on this, but I feel like the more of our story that takes us around different aspects of life and different experiences, the more we bring to the thing we're in right now. That's one of the reasons I keep pushing on people having histories before they came to tech or diverse histories in tech. It's not to say that someone who just graduated from college and instantly got a job as a developer is therefore now incomplete, but I think that a lot of what makes a lot of people interesting is what they bring from outside. That's true for anybody, right? What makes you different from the people around you makes you different, and makes you interesting, and it makes you have a perspective to be able to bring that the people around you don't. It sounds like you have quite a few of those, at least as you enter into the communities that I'm asking you from the perspective of, whether PHP, or Laravel, or anything like that. I don't know where I'm going with that, but anyway.

Snipe: [laughs]

Matt: That's very interesting to hear.

Snipe: I always say I sound really interesting on paper. I'm not really that interesting to talk to, but when you actually look at all the crap I've done, it's like, "Wow. That's kind of a lot."

Matt: Right. That is a lot going on.

Snipe: It's all weird. Weird stuff.

Matt: If I remember right, the book that you wrote was a Wrox PHP book, right?

Snipe: Yes, yes. You can still get it on Amazon, but it costs more to ship.

Matt: Really? I got to--

Snipe: Actually, I'm not sure. It may just be eBay. The last time I checked, it was selling for $2.95 and costs like $80 to ship. [laughs]

Matt: Professional PHP4 Web Development Solutions.

Snipe: Yes.

Matt: I don't see a Mohawk. I don't know which one's you.

Snipe: No, no.

Matt: [laughs]

Snipe: Yes, I know. Gosh, it's a mystery of the ages, isn't it? [laughs]

Matt: All right. Yes. $22.99. Wow. What was your experience like writing a book? Would you do it again?
Snipe: Possibly, but I would need a bit more written assurances up front about how-- This is a co-authored book. Basically, we were not given communication information with each other. We were writing these chapters completely independently and it sucked. I offered to set up a bulletin board just so we could-- For some reason, they didn't want us talking to each other or something. I don't know, but I was like, "Because I don't know where this chapter is going to fall, I want to make sure that I'm not rehashing a thing that's already been discussed, or touching on something that needs more information." They never facilitated that. They actually pushed back against it. It was really frustrating. You're literally writing chapters in a vacuum that then have to be cohesive when you string them all together. I would need to know if it was going to be a co-authorship. I would need to know that this will truly be collaborative. Because the way it looks on the cover, it looks like we're all hanging out. No, I don't think I've ever spoken to those people ever. [laughs]

Matt: Wow. Jeez.

Snipe: It's really weird. It's really weird. I did not like that. I thought that was really just not a way to give the best experience to the reader. If I was going to collaborate, I would have to make sure that there was something like that. I've toyed with writing a couple of books over the last few years. It is also a bit of a time suck.

Matt: Yes, it is. My perception, what I've told people in the past is that people often ask me, "Should I write a book with a traditional publisher like you did?" Because mine was with O'Reilly. "Or should I self-publish like a lot of the people in our community have?" My general perception has been, if you want to make money, self-publish.

Snipe: Definitely.

Matt: If you want reach that's outside of your current ability, then consider a traditional publisher. You've got quite a bit of reach and I wonder whether it's--

Snipe: This is like 2003, though.
Matt: I don't mean for them, but I mean now. If you're going at it now. It seems like there'll probably be less of a reason for you to do a traditional publisher at this point.

Snipe: I don't know, though. I still kind of like O'Reilly.

Matt: You still like it?

Snipe: Being a published O'Reilly author, I still toy with that, honestly.

Matt: I tell people I got a degree in secondary English education, basically. This O'Reilly book is my proof that I'm actually a real programmer.

Snipe: [laughs] You know what? Honestly, that was really important to me back then.

Matt: Me too, really.

Snipe: I don't know where things would have gone, I don't know if I would have-- I probably would have stuck with it because I really, really liked it. I think that gave me a bit of confidence that I really needed. Proof, again, because I didn't graduate college. I nearly didn't graduate high school because of the programming class. [laughs] It was a way for me to say not just to the rest of the world, but to myself, like, "Hey, I actually know what I'm talking about."

Matt: You can't underappreciate just how significant that is. I love that you said it. It's not just to everybody else, it's to you, too.

Snipe: More than anyone else, to myself, honestly. I don't care what you guys think. [laughs]

Matt: I spent several thousand hours writing a book with a major publisher so that I can overcome impostor syndrome. It's totally worth it.

[laughter]

Snipe: I still have it. That's a thing, I have it.

Matt: I still have it, but maybe a little less.

Snipe: At least if someone actually pushes the impostor syndrome too far, I'll be like, "I wrote a book. What have you done?"

Matt: Exactly.

Snipe: Meanwhile, I go off and rock in the corner as if, "Oh, my God. I don't deserve to be here. I don't deserve to be here."

Matt: Exactly. It certainly doesn't make it go away, but maybe it's a tool in our arsenal to battle it.

Snipe: That's a very good way to describe it.

Matt: I like it.
Snipe: I would need that to be a bit more of a tighter process.

Matt: Well, if you decide to write with O'Reilly, I know some people. Just give me a call.

Snipe: [laughs] I also know some people in O'Reilly.

Matt: I was just going to say I'm pretty sure you don't need me for any of that kind of stuff. I just had to say it to try and seem like I actually matter, so this works.

Snipe: Of course you matter.

Matt: I matter.

Snipe: I got up early for you, Matt. I got up early for you.

Matt: That's true.

Snipe: You don't have any idea.

Matt: That's true, this is quite early your time. I appreciate it.

Snipe: [laughs]

Matt: I'm trying to not talk forever. I'm trying to move us on even though I'm just my usual caveats, everyone take a drink. You eventually started Snipe-IT. I think we skipped a couple of things. We were talking about you becoming the CTO of the ad agency and being in a place where you needed to manage that kind of stuff. You started Snipe-IT. You now have a remote team. Could you tell me a little about the makeup of your team, and what it's like running a remote team, and the pros and cons you've experienced, and anything else that you would want to share about what that experience is like for you?

Snipe: Well, I'm really lucky, first of all, because although our team is remote, we're all also local. We can actually see each other, we'll go out and have beers when we hit a major milestone. We'll go out and have some champagne and celebrate that we do get to see each other's faces. Also, we were friends first, so that helps. It's totally, totally different. If you're looking for advice on how to run a real remote team, that I can't help you with. I can't tell you how to manage your friends through Slack, though. [laughs]

Matt: Basically, you and a bunch of friends live like an hour driving distance to each other or whatever and choose to work from home?

Snipe: More like seven minutes. [laughs]

Matt: Jeez.

Snipe: Yes, yes.
Matt: Okay, so this is really just like, "We just don't feel like going to an office," kind of vibe. Snipe: It's pants, it's pants. I'm not putting on pants. I've worked too hard in my career to have to put on pants anymore. There is a reason this isn't a video call, Matt. Seriously. [laughter] Matt: I wish that this was one of the podcasts-- Snipe: I think I just made Matt blush, by the way. Matt: I wish this was one of the podcasts where they name each episode, because that would have been the name right there for this episode. I might have to, just for this one, just give it a name just for that. Okay. I hear you. I get it. Snipe: The thing is I hadn't actually planned on hiring when I did. The reality is I should have, because I was really buckling under the helpdesk. That customer support load was a lot. It was causing me a great deal of anxiety. Looking back at it now, it was really untenable. Of course, I think that I'm 10 feet tall and bulletproof, so I'm like, "I got this. I got this." Meanwhile, it's four o'clock in the morning and I can't even see straight anymore. I ended up having to hire someone for a personal reason. She's actually worked out great. She's an absolute rock star on the helpdesk. She's never worked a helpdesk before, and she owns it. It's actually really, really great. Once I'd hired her, I think-- The onboarding takes a little bit. Especially, literally never worked a helpdesk before, so it's not just onboarding with my company, it's like onboarding the entire concept. As soon as she got her footing, she just completely handled it. It was really great. The next hire was a developer/sysadmin that I've known for a while. He is just fantastic. He's actually the harder one because he, I think, requires a little bit more structure, and a little bit more face time. I need to be better. I do. I need to be better about working with that because in my head, I'm still managing this the way that I want to be managed. 
I forget that that's actually not my job anymore. Matt: People are different. Snipe: Yes, people are different. Also, not everybody wants what I want. Frankly, it doesn't matter what I want. Ultimately, that's no longer a luxury that I have, caring more about how I want things to go for myself. That priority has shifted, and so I'm having to painfully learn [chuckles] that lesson. Not painfully. I love my entire team. They're absolutely amazing. I'm super, super grateful for them every day that goes by. Every time one of them takes vacation, we all hold on to our desks. We're like, "Okay, we can get through this, we can get through this." It's a learning curve, certainly. I've run my own small business, I've run dev teams. This is a different thing though, because the reason why I wanted to make this a company instead of just running this as a side project is because I've worked for tons of shitty companies. I want to build the company that I wish I'd worked for. Matt: I'm so sorry for doing this, but I was doing that thing where you're hearing somebody talking and waiting for your chance to talk. I literally was about to say Dan and I, when we started Tighten, the first thing we said was, "We want to build the company we want to work for." You just said and I'm like, "Exactly." That introduces the problem you're talking about, which is you just assume everybody wants the same things you want. It also means nobody else gets to force you to put people through things that you wouldn't want to be put through. It's an incredible freedom if you can make it profitable. Snipe: Yes. Absolutely. Getting to institute stuff that I think is really worker-friendly. We all make our own hours. We have office hours so that when Victoria's handling the helpdesk, she's got access to the text that she needs during a certain amount of time. In general, she's got a kid. We have to have that flexibility, so that she-- Honestly, she just lets us know that she's going to pick up her kid. 
It's like, "Okay, cool. See you back in half an hour or whatever." Vacation, she had not had a real vacation in probably 10 or 15 years. Last year, we were like, "You are taking vacation." She kept checking into Slack. I'm like, "Girl, I will actually revoke your credentials."

Matt: [laughs] Exactly.

Snipe: Do not play with me.

Matt: I love it.

Snipe: This year, I've decided that there's two weeks basically mandatory vacation, and we're going to put $3,000 towards each person's vacation funds-

Matt: That's cool.

Snipe: -so that they can actually go and do something awesome, and relaxing, and not stress about money while they're there, and just get to go and actually enjoy things, and come back refreshed and ready to work. It's pretty cool being able to come up with stuff like this and really like, "What would I have needed?" Because when I was working at the ad agencies especially, I would accrue my PTO. Honestly, that's why Snipe-IT existed. It was because I had two and a half weeks, three weeks of PTO that was not going to roll over. They made me take vacation in November. They wouldn't let me do it in December. They made me do it in November, and I was like, "Yes, three weeks of just relaxing, playing video games." That didn't work. I accidentally the product. [laughs] Now, I accidentally the business.

Matt: That's awesome. One of the things I often talk about as an entrepreneur, as a business owner is something that I think people are scared of talking about, which is power. Because being a business owner means you get to hire, you get to figure out how money is spent, you get to figure out what pressures are and are not put on the people you work with. I call that power, but I think power doesn't have to be a scary word because, really, what matters is what you do with the power. When we hear power as a negative thing, it is usually because the people in power are benefiting themselves.
I think that something that is really beautiful, and wonderful, and we need more of in the world is when we can see power as a positive thing, because people get power and then use it for the benefit of other people. I just want to applaud and affirm what you're doing, because you just described that. It's like, "I got power, and the first thing I did was work to make other people's lives better, understanding what the situation that they were in was." I love hearing that. I'm really glad that we got to talk about this today.

Snipe: Well, thank you. I'm looking forward to coming up with more stuff like that.

Matt: I love it.

Snipe: It's super important to me. Our customers are incredibly important to us, obviously, but my staff is as important. You can't have one without the other, either direction.

Matt: In the end, they're just both people who you work with. The hope is that you're able to make both groups of people really have lives that are better because they had a chance to interact with you.

Snipe: Yes, absolutely.

Matt: Okay. We are almost out of time. I asked people at Tighten if they had any questions for you. They gave me a million, and I haven't gotten to any of them. They're all going to be mad at me, so I'm trying to look at the one that I could pull up that won't turn into a 30-minute long conversation.

Snipe: I'm Italian. There is literally nothing you can talk to me about that won't turn into a 30-minute conversation. [laughs]

Matt: All right. I'll literally go with the question that has the least words in it and see if that gets us anywhere. Coffee or tea?

Snipe: Red Bull.

Matt: There you go. See how short that was? All right.

Snipe: This podcast is sponsored by Red Bull.

[laughter]

Matt: It's so funny that it's been the thing at Tighten for the longest time, where those of us who started the company and the first hires were primarily coffee people. There's one tea holdout, but over time, the tea contingent has grown.
Just within the last nine months, we hired two people who are Red Bull addicts. All of a sudden, we're shopping for the company on-site and they're like, "Orange Red Bull, no sugar, energy, blah, blah, blah." I'm like, I have a course in Red Bull flavors. Anyway, I still think it's pretty gross, but I did try some of them.

Snipe: It's disgusting. No, it is utterly vile. It is really, really gross.

[laughter]

Matt: I don't get it. Please pitch me on why I would drink Red Bull instead of coffee then.

Snipe: No. If you don't drink Red Bull, then there will be more for me. First of all, I'm not going to pitch that.

Matt: World's dwindling storage of Red Bull.

Snipe: Obviously, we buy our stores out of local Red Bull, it's ridiculous. We have a main store, and then we have a failover store. Listen, you don't drink it because it tastes good. It tastes like dog ass, but it wakes you up. It keeps you awake. It fills the same role that coffee does, and frankly, I don't think that coffee tastes that good.

Matt: Okay. Fair enough.

Snipe: I can ask the same question to you.

Matt: Right. For you, it's a combination. You don't like the flavor of either, but one of them you can buy in bulk and throw in the fridge?

Snipe: Yes, yes.

Matt: Got it. I get that. I love the flavor of coffee, but I'm like a geek. I have all the equipment, and all that kind of stuff.

Snipe: Of course, you do.

[laughter]

Matt: Am I predictable? I am predictable. Okay.

Snipe: I will neither confirm nor deny. My lawyer has advised me. [laughs]

Matt: Not to make a statement on this particular-- I have one more and I'm praying that I can make it short, but I probably won't. You are a member of the Laravel community. You use Laravel. You share things every once in a while, but for someone who is such a big name, who's a member of the Laravel community, much of your popularity is not within the Laravel community.
You're not popular because you're speaking at Laracon, you're not creating Laravel packages that all the people are consuming. It's this interesting thing where you're a very well-known person who uses Laravel and is a member of the Laravel community but is not necessarily gaining all that fame within the Laravel space. It's an interesting overlap. As someone who does have exposure to lots of the tech communities, you're in the InfoSec world, you've been in PHP for a while, but you're also solidly Laravel. Do you have any perspectives on either, maybe the differences between InfoSec and PHP, differences between InfoSec and Laravel, and/or is there anything that you would say to the Laravel community, or things you'd either applaud or hope to see grow? Is there anything you just want to say about the way Laravel compares, or connects, or overlaps, or whatever with the rest of the world that you're in?

Snipe: It's always an ongoing joke in the InfoSec community. PHP developers are pretty much the easiest punching bag in the InfoSec community.

Matt: And everywhere else.

Snipe: In fact, I think just yesterday, I submitted an eye-rolling GIF in relation to someone in InfoSec bagging on PHP developers. I get it. When the language first came out, it was really easy to learn. You didn't need to have any knowledge of programming, or discipline, or best practices. There were no best practices for quite some time in PHP. I totally get that. The thing is that that's not really the world that we live in anymore. It's actually hard to write a PHP application without using a framework these days. Because the frameworks are so much better and it's so much faster, that for me, I'm pretty sure I could still write a PHP application without a framework, but why the hell would I? If I ever have to write another gddmn login auth routine, I'll kill myself. I will actually kill myself. Comparing InfoSec to PHP or Laravel is like comparing apples to orangutans.
They're entirely different animals and there is a little bit of overlap, but typically not. In general, PHP has a bad reputation in InfoSec. In fact, I will tell you a very brief story about how I got into InfoSec. This one's always a fun one. I used to run a nonprofit organization when I moved to California the first time. It was basically like Megan's Law for animal abusers. Criminal animal abuse. I would pull in data, break it down statistically based on a couple of different pointers like domestic violence connection, blah blah blah blah blah, and basically run statistics on that stuff. This was going back a very, very long time when nobody really knew or gave a crap at all about AppSec. At one point, my website got hacked. The organization's website got hacked. I am literally on my way to speak at a conference in Florida, an animal welfare conference. I'm checking in. I'm like, "Hi, I'm Alison Gianotto. I'm a speaker." She goes, "You're petabuse.com. That's great. I'm so sorry to hear about what happened." I'm like, "I've been on a plane for a couple of hours." I'm like, "Wait, what?" [chuckles] I run to my hotel room, and somebody has defaced the website with an animated GIF, and a song playing in the background which was basically a clip from Meatspin, and they linked to Meatspin. If any of your listeners don't know what Meatspin is-

Matt: I don't.

Snipe: -please do not Google that. You can Google it, but have safe search on.

Matt: Is it like Goatse kind of stuff?

Snipe: Yes. "You spin me right round, baby, right round" playing in the background on autoloop. To this day, when I hear that song, I shiver a little bit.

Matt: Trigger, yes.

Snipe: Exactly. I ended up actually talking to this guy who thought that we were a much bigger organization than we were. He was trying to extort money, of course. I was like, "Dude, you have no idea. We get like $800 in donations every month. You are barking up the wrong tree." He's like, "I thought you were bigger.
I'm sorry, but it is what it is." I toyed with him long enough to figure out what he had done. The thing is, this is on a Cobalt RaQ server. First of all, we're going back. Second of all, those are not exactly going for their security, but it was what I could afford. Honestly, it's what I could afford. I figured it out, I locked him out. I did leave him one final kind of F you text.

[laughter]

Snipe: Just so that he knew. That was how I got into this in the first place: basically a horrific, horrific internet meme and the defacement of my organization's website. Again, this is 2004, 2005. Application security became really important to me, and that's why I'm here. [chuckles] That's why I go to DEF CON. That's why I speak about application security and security in general. To get back to your original question, there isn't really an overlap. There is this disdainful relationship, for the most part, coming from both directions because InfoSec people don't typically treat programmers in general very well, but especially not PHP developers. PHP developers are tired of getting shit on, and so they don't necessarily treat-- It becomes a bit of a self-fulfilling--

Matt: Impostor, yes. Exactly.

Snipe: Honestly, it's all just a bunch of dumbass egos and it's stupid. If we would just talk to each other a little bit more, we'd probably be a little better off.

Matt: Come on, somebody. You'll be surprised to hear that I could talk about InfoSec and PHP for an hour, but we're out of time. I don't know if I'm going to have you back sometime or I don't know what, but this has been amazing. I really appreciate you spending some time with me. Before we cut off for the day and I cry because of all the topics I'm not going to cover, is there anything you wanted to talk about? Anything you want to plug, anything you want to cover, anything you want to say to the people that we haven't got to cover today?

Snipe: Nothing that really comes to mind.
I am still really passionate about AppSec. If you're using a framework and you're not utilizing all of the security stuff that's built in already-- specifically, Laravel is really good with that. I've had to write some middleware to add some additional CSP headers and things like that. If you're already paying the price, the overhead of using a framework, then freaking use it. Actually use all of the bits that are good, not just the bits that you don't feel like writing. Laravel makes it really hard to avoid the CSRF tokens. You'll actually have to go out of your way to disable those. I like that about Laravel. I like that it's opinionated. I like that it doesn't want you to screw this up. That said, any developer left to their own devices, sufficiently motivated, will still screw it up.

Matt: Will screw something up, yes.

Snipe: Yes, exactly. Frameworks like Laravel, I think, are ones that are headed in the right direction, so your default login already uses bcrypt to hash the password. You would, again, have to go out of your way to write something that would store something in cleartext or MD5. I think it's a step in the right direction. Use your frameworks, learn what their built-in security functionality is, and use them.

Matt: Use it. [laughs]

Snipe: One of the packages I'm actually writing for Laravel right now is an XSS package which will basically walk through your schema, and will try and inject rows of XSS stuff in there so that when you reload the app, if you've got any kind of functional testing or acceptance testing set up, you'll be able to see very quickly what you've forgotten to escape.

Matt: I love it.

Snipe: For a normal Laravel app, that's actually hard to do because the double braces will escape everything. For example, if you're using data from an API, maybe you're not cleaning it as well or whatever. That's one of the packages that I actually am working on.

Matt: That's great.
Also, if you're using JavaScript, it's really common for people to not escape it, and so that all of a sudden, they forget to clean it.

Snipe: Exactly. I wanted one quick way to basically just check and see how boned I was. That'll be fun.

Matt: Yes. Does it have a name yet that we can watch for, or would you just link it once you have it?

Snipe: Well, the only name-- You know how the mock data package is called Faker? You can imagine what I'm considering calling this that I probably won't call it? [laughs]

Matt: Probably won't, but now we can all remember it that way? Yes.

Snipe: No promises. Absolutely no promises is all I'm saying. [laughs]

Matt: Assuming it's safe for work, I will link the name in the show notes later. If not, you could just go-- [crosstalk]

[laughter]

Snipe: Again, no promises.

Matt: I like it. Okay. You all have taken enough drinks, so I won't say my usual ending for you to drink too. Snipe, Alison, thank you so much. Thank you for the ways you have spoken up for a lot of things that really matter, both in this call and in our community as a whole. Thank you for hopefully helping me but also our entire community get better going forward, but also the things you brought to us in the past in terms of application security. I don't know why I didn't say this earlier, but Mr. Rogers is maybe one of my top heroes of all time. That was what was going through my mind when you were talking about running your company. Thank you for being that force both for running companies that way and taking care of people, and then, of course, by proxy for just the people who you're working with. The more people that are out there doing that, I think the better it is for all of us. This has been ridiculously fun. If anyone wants to follow you on Twitter, what's your Twitter handle and what are other things they should check out? That URL for Snipe-IT? I will put all of these in the show notes, but I just wanted you to get a chance to say them all at the end.
Snipe: My Twitter handle is @snipeyhead, because @snipe was taken. I'm still pissed at that guy.

[laughter]

Snipe: The URL for Snipe-IT is snipeitapp.com. Not very creative. All of our issues are on GitHub. Pull requests are welcome.

[laughter]

Snipe: As always.

Matt: Nice.

Snipe: It is free. If it helps you solve some of your problems at your organization, we would love for you to try it out. If you'd like to give us money, that's awesome too. Ultimately, the more people who are using it, the better.

Matt: Nice. Okay. Well, thank you so much for your time. Everyone, check out the show notes as always. We'll see you again in a couple of weeks with a special episode. I'll tell you more about what it is when that one happens. See you.

Snipe: [chuckles] Thank you so much, Matt.