Podcasts about OpenSSL

Open-source implementation of the SSL and TLS protocols

  • 192 podcasts
  • 467 episodes
  • 58m average duration
  • 1 new episode per month
  • Apr 12, 2025 latest
OpenSSL popularity, 2017 to 2024 (chart)



Latest podcast episodes about OpenSSL

This Week in Linux
306: Debian levels up APT, Sony serious about Steam Deck, Quantum Cryptography & more Linux news

Apr 12, 2025 (23:04)

video: https://youtu.be/ua-RPOtdcF8
Comment on the TWIL Forum: https://thisweekinlinux.com/forum

This week in Linux, APT 3.0 drops, bringing big changes under the hood. AmigaOS, yes, that AmigaOS, is still alive and getting updates, apparently. OpenSSL 3.5 and OpenSSH 10.0 both rolled out new features this week, with some future-proofing involved. And Sony, yes, that Sony, has released The Last of Us Part II on PC and it's Steam Deck verified. All that and much more on This Week in Linux, the weekly news show that keeps you plugged into everything happening in the Linux and Open Source world. Now let's jump right into Your Source for Linux GNews.

Download as MP3: https://aphid.fireside.fm/d/1437767933/2389be04-5c79-485e-b1ca-3a5b2cebb006/c5514bc1-148c-43d2-a6eb-4d0fcbfd6966.mp3

Support the Show
  • Become a Patron: https://tuxdigital.com/membership
  • Store: https://tuxdigital.com/store

Chapters:
  00:00 Intro
  00:39 APT 3.0 Released
  02:48 The Last of Us Part II Verified for Steam Deck
  05:47 MPV 0.40 Released
  08:58 Sandfly Security [ad]
  10:54 AmigaOS still exists and getting updates apparently
  14:24 TUXEDO Provides Update On Their Snapdragon X Elite Linux Laptop
  17:20 OpenSSL 3.5 Released
  19:19 OpenSSH 10.0 Released
  21:41 Support the show

Links:
APT 3.0 Released
  • https://tracker.debian.org/news/1635519/accepted-apt-300-source-into-unstable/
  • https://9to5linux.com/apt-3-0-debian-package-manager-released-with-revamped-command-line-interface
  • https://www.phoronix.com/news/Debian-APT-3.0-Released
The Last of Us Part II Verified for Steam Deck
  • https://gameinformer.com/interview/2025/04/01/naughty-dog-and-nixxes-on-the-pc-port-of-the-last-of-us-part-ii-we-take-the
  • https://www.pcguide.com/news/steam-deck-support-is-so-important-says-the-last-of-us-part-2-pc-project-director/
MPV 0.40 Released
  • https://mpv.io/
  • https://github.com/mpv-player/mpv/releases/tag/v0.40.0
  • https://www.phoronix.com/news/MPV-0.40-Released
  • https://9to5linux.com/mpv-0-40-open-source-video-player-released-with-native-hdr-support-on-linux
Sandfly Security [ad]
  • https://thisweekinlinux.com/sandfly
  • https://destinationlinux.net/409
  • discount code: destination50 (Home Edition)
AmigaOS still exists and getting updates apparently
  • https://www.hyperion-entertainment.com/index.php/news/1-latest-news/320-new-update-3-for-amigaos-32-available-for-download
  • https://www.theregister.com/2025/04/10/amigaos_3_2_3/
TUXEDO Provides Update On Their Snapdragon X Elite Linux Laptop
  • https://www.tuxedocomputers.com/en/How-is-TUXEDOCOes-ARM-Notebook-Coming-Along.tuxedo
  • https://www.qualcomm.com/products/mobile/snapdragon/laptops-and-tablets/snapdragon-x-elite
  • https://www.linaro.org/
  • https://www.phoronix.com/news/TUXEDO-Snapdragon-Laptop-Update
OpenSSL 3.5 Released
  • https://openssl-library.org/
  • https://github.com/openssl/openssl/releases/tag/openssl-3.5.0
  • https://lwn.net/Articles/1016851/
  • https://9to5linux.com/openssl-3-5-released-with-support-for-pqc-algorithms-server-side-quic
  • https://www.phoronix.com/news/OpenSSL-3.5-Released
OpenSSH 10.0 Released
  • https://www.openssh.com/
  • https://www.openssh.com/releasenotes.html#10.0p1
  • https://www.phoronix.com/news/OpenSSH-10.0-Released
  • https://lwn.net/Articles/1016924/
Support the show
  • https://tuxdigital.com/membership
  • https://store.tuxdigital.com/

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Tuesday, April 8th: Microsoft Patch Tuesday; Adobe Patches; OpenSSL 3.5 with PQC; Fortinet

Apr 9, 2025 (7:19)

Microsoft Patch Tuesday
Microsoft patched over 120 vulnerabilities this month. 11 of these were rated critical, and one vulnerability is already being exploited.
https://isc.sans.edu/diary/Microsoft%20April%202025%20Patch%20Tuesday/31838

Adobe Updates
Adobe released patches for 12 different products. Particularly important are the patches for ColdFusion addressing several remote code execution vulnerabilities. Adobe Commerce got patches as well, but none of the vulnerabilities are rated critical.
https://helpx.adobe.com/security/security-bulletin.html

OpenSSL 3.5 Released
OpenSSL 3.5 was released with support for post-quantum ciphers. This is a long term support release.
https://groups.google.com/a/openssl.org/g/openssl-project/c/9ZYdIaExmIA

FortiSwitch Update
Fortinet released an update for FortiSwitch addressing a vulnerability that may be used to reset a password without verification.
https://fortiguard.fortinet.com/psirt/FG-IR-24-435
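The OpenSSL 3.5 item above (and the This Week in Linux item earlier on this page) says the release is an LTS line that brings post-quantum algorithms. What an operator usually wants next is a check that the build on a given host is actually that line and exposes ML-KEM, the post-quantum KEM that 3.5 ships in its default provider. The script below is an added example, not code from the Stormcast or from the OpenSSL project. It assumes the `openssl version` and `openssl list -kem-algorithms` commands of an OpenSSL 3.x build, that the hybrid group is registered under the name X25519MLKEM768 as in the 3.5 release notes, and that any hostname to probe is supplied by the caller; the sample command outputs embedded in it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the SANS Stormcast or the OpenSSL project.
# Checks a host's OpenSSL build for the 3.5 LTS line and for ML-KEM in the
# provider list, then optionally probes a server for the X25519MLKEM768 group.

# Constructed sample outputs (not captured from a real system) so the checks
# can be exercised without a 3.5 build installed.
SAMPLE_KEMS_35='Provided KEM algorithms:
  ML-KEM-512 @ default
  ML-KEM-768 @ default
  ML-KEM-1024 @ default
  RSA @ default'
SAMPLE_KEMS_34='Provided KEM algorithms:
  RSA @ default
  X25519 @ default'

# Returns 0 when the `openssl version` banner names OpenSSL 3.5.0 or newer.
# LibreSSL (macOS's system openssl) is rejected on purpose: same banner
# layout, no ML-KEM.
openssl_version_ok() {
    case "$1" in
        OpenSSL\ *) ;;
        *) return 1 ;;
    esac
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. 3.5.0, 1.1.1w, 3.6.0-dev
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    major=${major%%[!0-9]*}                         # drop letter/dev suffixes
    minor=${minor%%[!0-9]*}
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 5 ]; then return 0; fi
    return 1
}

# Returns 0 when `openssl list -kem-algorithms` output names an ML-KEM variant.
has_mlkem() {
    printf '%s\n' "$1" | grep -q 'ML-KEM'
}

# Returns 0 only when both hold: a 3.5+ build whose provider list exposes ML-KEM
# (a 3.5 binary linked against an older or stripped provider set still fails).
pqc_ready() {
    openssl_version_ok "$1" && has_mlkem "$2"
}

if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    kems=$(openssl list -kem-algorithms 2>/dev/null || true)   # absent on 1.1.1
    if pqc_ready "$banner" "$kems"; then
        echo "OK: $banner exposes ML-KEM"
    else
        echo "NOT READY: $banner (need OpenSSL 3.5+ with ML-KEM in the provider list)"
    fi
    # Optional probe: pass a hostname (hypothetical; nothing is contacted
    # without an argument). With TLS 1.3 forced and a single offered group,
    # a completed handshake means the hybrid group was negotiated; a server
    # that does not enable it cannot pick a group the client never offered
    # and the handshake fails. Output lines vary by OpenSSL version.
    if [ -n "${1:-}" ]; then
        printf '' | openssl s_client -connect "$1:443" -servername "$1" \
            -tls1_3 -groups X25519MLKEM768 2>&1 \
            | grep -iE 'protocol|cipher|group|temp key|error|failure' || true
    fi
else
    echo "openssl not found on PATH" >&2
fi
```

Run with no argument for the local checks only; `sh check-pqc.sh example.com` (file and host names are placeholders) adds the handshake probe. The two-part `pqc_ready` check matters on distributions that ship a 3.5 binary with a trimmed provider set: the version banner alone says nothing about which algorithms the build will actually negotiate.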

All TWiT.tv Shows (MP3)
Untitled Linux Show 181: Run Rootless

Dec 9, 2024 (103:37)

There's been a bit of a shakeup this week, with Torvalds criticizing Docker, Rustls dominating the TLS performance war, and Intel releasing a graphics card while "retiring" their CEO. Then, Flathub and KDE are working on their finances, OpenVPN has modernized its kernel driver, and Steam Machines may be back! Oh, and don't forget OBS 31 or the potential security issue with OpenWRT! For tips, we have eza as an ls replacement, pv for pipe progress viewing, IMSProg for EEPROM hacking, and HandlePowerKey for customizing what your machine does when you hit the power button. Grab the show notes at https://bit.ly/4gl1VtB and enjoy! Host: Jonathan Bennett Co-Hosts: Rob Campbell, David Ruggles, and Jeff Massie Want access to the video version and exclusive features? Become a member of Club TWiT today! https://twit.tv/clubtwit Club TWiT members can discuss this episode and leave feedback in the Club TWiT Discord.

Cyber Security Today
Google's AI Driven Fuzz Tool Finds Decades Old Vulnerability: Cyber Security Today, Friday November 22, 2024

Nov 22, 2024 (9:43, transcription available)

Cybersecurity Today: Zero Day Flaws, FinTech Breach, Phishing Scams & More

In today's episode, host Jim Love discusses critical updates in the cybersecurity world. Discover the latest zero day vulnerabilities patched by Apple, a significant data breach at Fintech giant Finastra, emerging phishing attack tactics using Microsoft Visio files and SVG attachments, and the launch of a new privacy-focused telecom service, CAPE. Additionally, learn about Google's AI-powered OSS Fuzz tool, which uncovered a critical flaw in the OpenSSL library. Stay informed to protect yourself and your organization from sophisticated cyber threats.

  00:00 Introduction and Sponsor Message
  00:59 Emerging Phishing Attack Strategies
  03:12 Finastra Data Breach Investigation
  04:49 Launch of CAPE: A Privacy-Focused Telecom Service
  06:19 Apple's Emergency Updates for Zero-Day Vulnerabilities
  07:29 Google's OSS Fuzz Uncovers Critical Vulnerabilities
  09:07 Conclusion and Podcast Information

FileMaker DevCast: Everything Claris FileMaker
Ep19: Claris FileMaker 21.1 with Guest Lucy Chen, VP of FileMaker Engineering

Nov 14, 2024 (52:47)

Join us for a very special in-depth interview with Lucy Chen, VP of Claris Engineering. Kate Waldhauser hosts this special edition of the FileMaker DevCast, as Lucy gives us a glimpse behind the scenes of the engineering world at Claris, an Apple Company. Lucy shares insights as to how new features get into the product and how the latest version improves performance, reliability and security. She takes us under the hood, diving into the new enhancements of FileMaker 21.1, including the move to newer technologies like Java 17, Xcode 16, and OpenSSL 3.3. She also covers new features in FileMaker 21.1, such as HTTPS tunneling, improvements to the Admin Console, and the integration of AI-powered semantic search, for both natural language and image content searches. These changes have come about through Claris's ongoing commitment to understanding customer feedback. Join Kate & Lucy as they explore how the FileMaker platform continues to empower businesses with innovative capabilities.

Portage Bay Solutions is a custom software development firm based in Seattle, WA, with additional offices in the Austin, Chicago, Dallas, Omaha, Orange County, and Vancouver areas. For more than thirty years, we have been helping businesses of all sizes get the most out of their FileMaker investments. As a full-service Claris FileMaker Platinum Partner, Portage Bay is committed to helping you optimize your software investments and improve your business processes.

#claris #filemaker #devtools #devs #devcast #openSSL #https #tunneling #AI #semanticsearch #innovation #portagebaysolutions #portagebay #FileMaker21.1

Ask Noah Show
Episode 413: Ask Noah Show 413 | Contributing to Ubuntu

Oct 30, 2024 (55:14)

This week Robie Basak joins Noah from the Ubuntu Summit and gives an introduction on how to get started contributing to Ubuntu.

-- During The Show --

01:26 HexOS - Craig
Start with the Command Line. When is a GUI appropriate? Start with: make a ZFS pool, make a samba share. Help us understand your goal. What is HexOS? Ubuntu and ZFS, DKMS, kABI. Advantages of TrueNAS: Snapshots, Send/Receive, 1 Click Re-silvering.

17:08 Questions about HDMI switch - Andy
Theater Receiver. Decimator (https://www.amazon.com/Decimator-DMON-QUAD-SD-SDI-Multi-Viewer-Outputs/dp/B072NGFDMR)

21:14 News Wire
  • SQLite 3.47.0 - sqlite.org (https://sqlite.org/releaselog/3_47_0.html)
  • Peazip 10 - github.io (https://peazip.github.io)
  • Jellyfin 10.10.0 - jellyfin.org (https://jellyfin.org/posts/jellyfin-release-10.10.0/)
  • EasyOS 6.4 - puppylinux.com (https://forum.puppylinux.com/viewtopic.php?t=12973)
  • Gnome 47.1 - gnome.org (https://discourse.gnome.org/t/gnome-47-1-released/24670)
  • Tor Browser 14.0 - torproject.org (https://blog.torproject.org/new-release-tor-browser-140/)
  • AlmaLinux Kitten 10 - almalinux.org (https://almalinux.org/blog/2024-10-22-introducing-almalinux-os-kitten/)
  • Gentoo & DTrace 2.0 - gentoo.org (https://www.gentoo.org/news/2024/10/23/DTrace-for-Gentoo.html)
  • NASA $15.6M Grant for Open Source Tools - spaceanddefense.io (https://spaceanddefense.io/nasa-awards-15-6-million-in-open-source-software-funding/)
  • Open Source Printable Lathe - hackaday.com (https://hackaday.com/2024/10/23/a-3d-printed-open-source-lathe/)
  • Thelio Astra - system76.com (https://system76.com/desktops/thelio-astra)
  • Eight Nvidia High Severity Vulnerabilities - forbes.com (https://www.forbes.com/sites/daveywinder/2024/10/25/urgent-new-nvidia-security-warning-for-200-million-linux-and-windows-gamers/)
  • OpenSSL 3.4 - github.com (https://github.com/openssl/openssl/releases/tag/openssl-3.4.0)
  • IPS Snort v3.5 - github.com (https://github.com/snort3/snort3/releases)
  • Parrot OS 6.2 - parrotsec.org (https://parrotsec.org/blog/2024-10-23-parrot-6.2-release-notes/)
  • New Granite 3.0 - zdnet.com (https://www.zdnet.com/article/ibm-doubles-down-on-open-source-ai-with-new-granite-3-0-models/)
  • HUGS - reuters.com (https://www.reuters.com/technology/startup-hugging-face-aims-cut-ai-costs-with-open-source-offering-2024-10-23/)
  • SynthID Now Open Source - theverge.com (https://www.theverge.com/2024/10/23/24277873/google-artificial-intelligence-synthid-watermarking-open-source)
  • Mochi 1 - venturebeat.com (https://venturebeat.com/ai/video-ai-startup-genmo-launches-mochi-1-an-open-source-model-to-rival-runway-kling-and-others/)
  • Ubuntu Turns 20 - ubuntu.com (https://ubuntu.com/20years)

23:23 Robie Basak - Ubuntu Technical Council
What drew you to Linux? Why did you decide to work for Canonical? What is the Ubuntu Technical Board? Difference between Ubuntu and Canonical. The process of granting commit rights. Conflict resolution. Cloud init. Unique ID. Ubuntu Summit. Range of interaction. Membership Board Meeting. Full Hour Long Meeting Recording: YouTube (https://www.youtube.com/live/pyRcIZskKNE?si=frx3zrPhUoeLrHi8)

43:40 Fedora 41
Fedora 41 available early! New DNF, bootc, Plasma Mobile Spin (https://fedoramagazine.org/announcing-fedora-linux-41/). Fedora Magazine (https://fedoramagazine.org/announcing-fedora-linux-41/). Minisforum v3 (https://store.minisforum.com/products/minisforum-v3?). Steve, Fedora, hardware.

50:30 Russian Kernel Maintainers Removed
Greg Kroah-Hartman removed them due to "various compliance requirements". Removed developers Russian and not minor contributors. We live in a world where decisions are made for political reasons. zdnet.com (https://www.zdnet.com/article/why-remove-russian-maintainers-of-linux-kernel-heres-what-torvalds-says/), therecord.media (https://therecord.media/russia-separate-linux-community-kernel-maintainers-delisted)

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/413)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard: Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)

ScanNetSecurity 最新セキュリティ情報
Out-of-bounds write vulnerability in OpenSSL

Oct 20, 2024 (0:20)

On October 18, the Information-technology Promotion Agency, Japan (IPA) and the JPCERT Coordination Center (JPCERT/CC) published an advisory in Japan Vulnerability Notes (JVN) on an out-of-bounds write vulnerability in OpenSSL.

Passwort - der Podcast von heise security
News: Protocols, Messengers, Bootloaders – All Insecure

Sep 4, 2024 (74:52)

Episode number 13, the unlucky number, is about various things that went unluckily: from Linux bootloaders that Microsoft blocked only partly by accident, to the poor state of security in "MLOps", the AI counterpart of DevOps. First, though, Christopher and Sylvester look at a very welcome discussion around OpenSSL: the developers asked their community for opinions on a security-relevant change. Also covered are the arrest of Pavel Durov, creator of the not-so-secure messenger Telegram, and the venerable hacker e-zine "Phrack", whose issue 71 has just been published.

Ubuntu Security Podcast

This week we take a deep dive behind-the-scenes look into how the team handled a recent report from Snyk's Security Lab of a local privilege escalation vulnerability in `wpa_supplicant` plus we cover security updates in Prometheus Alertmanager, OpenSSL, Exim, snapd, Gross, curl and more.

Paul's Security Weekly
Building Successful Security Champions Programs - Marisa Fagan - ASW #294

Aug 6, 2024 (70:17)

Even though Security Champions programs look very different across organizations and maturity levels, they share core principles for becoming successful. Marisa shares her experience in building these programs to foster a positive security culture within companies. She explains the incentives and rewards that lead to more engagement from champions and the benefits that come from so many people being engaged with security.

Segment Resources:
  • OWASP Security Champions Guide - Get Involved! - https://owasp.org/www-project-security-champions-guidebook/#div-getinvolved
  • OWASP Security Champions Guide - LinkedIn page - https://www.linkedin.com/company/owasp-security-champions-guide/
  • The Security Champions Success Guide - https://securitychampionsuccessguide.org/
  • "Building a Successful Security Champions Program... What Does it Take?" - https://www.katilyst.com/post/building-a-successful-security-champions-program-what-does-it-take

The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more!

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-294

Paul's Security Weekly TV
Dead Code, CrowdStrike's Kernel Lessons, VMs & Security Boundaries, SLUBStick Attack - ASW #294

Aug 6, 2024 (33:55)

The code curation considerations of removing abandoned protocols in OpenSSL, kernel driver lessons from CrowdStrike's crash, choosing isolation primitives, cross-cache attacks made possible by SLUBStick, and more! Show Notes: https://securityweekly.com/asw-294

Ubuntu Security Podcast
Episode 229

May 31, 2024 (13:22)

As the podcast winds down for a break over the next month, this week we talk about RSA timing side-channel attacks and the recently announced DNSBomb vulnerability as we cover security updates in VLC, OpenSSL, Netatalk, WebKitGTK, amavisd-new, Unbound, Intel Microcode and more.

Coder Radio
566: FOSS Feed & Care

Apr 17, 2024 (29:51)

We delve into the top 3 open-source revenue streams, expose the pitfalls, and discuss what could be done quickly to improve the situation.

Ask Noah Show
Ask Noah Show 385

Apr 17, 2024 (44:11)

-- During The Show --

00:50 MIDI
MIDI a better mouse trap. Pitch bending. Special snowflake Firewire hardware. Motu UltraLite AVB (https://motu.com/products/avb/ultralite-avb). Ardour (https://ardour.org/). Musicians please send in feedback!

11:25 News Wire
  • Dynebolic is Back - ZDnet (https://www.zdnet.com/article/dynebolic-is-a-portable-linux-distribution-that-can-be-used-without-installation/)
  • OpenSSL 3.3 - OpenSSL (https://www.openssl.org/news/openssl-3.3-notes.html)
  • OpenTTD - OpenTTD (https://www.openttd.org/news/2024/04/13/openttd-14-0)
  • Ardour - Ardour (https://ardour.org/whatsnew.html)
  • KDE Frameworks 6.1.0 - KDE (https://kde.org/announcements/frameworks/6/6.1.0/)
  • Descent 3 MIT Licensed - Gaming on Linux (https://www.gamingonlinux.com/2024/04/descent-3-has-been-made-open-source/) - Github (https://github.com/kevinbentley/Descent3)
  • Opentofu vs Hashicorps - Opentofu (https://opentofu.org/blog/our-response-to-hashicorps-cease-and-desist/)
  • Huggingface Updated - Venture Beat (https://venturebeat.com/ai/hugging-face-introduces-idefics2-an-8b-open-source-visual-language-model/)
  • Small Version of LLaMA-3 - CCN (https://www.ccn.com/news/technology/llama-3-release-date/)
  • Spectre v2 Attacks - Bleeping Computer (https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impacts-linux-systems-on-intel-cpus/)
  • OpenSSF and OpenJS Foundation Warning - Computer Weekly (https://www.computerweekly.com/news/366580938/More-social-engineering-attacks-on-open-source-projects-observed)

12:56 Framework Laptops
Matt Hartley, Linux Support Lead. Reddit welcome post (https://old.reddit.com/r/framework/comments/yoslxe/welcome_to_the_framework_cx_team_matt_hartley/). First impressions. Assembly. How Framework supports Linux. Officially supported distros. Community support program. Community support Ansible for other distros. Support. Framework 16. Alternative uses of Frameworks.

27:48 Tailscale
Tailscale (https://tailscale.com/). Alex Kretzschmar (https://blog.ktz.me/author/alex/). How Tailscale stays free. How to get started. How Tailscale works. Headscale (https://headscale.net/). Tailscale for business (Paid). Features.

35:37 QLC+
QLC+ (https://www.qlcplus.org/). DMX Lighting Control Boards. Lighting Cues. DMX King (https://dmxking.com/). Chases. Built in web interface. Network interfacing. Elation Enode4 (https://www.elationlighting.com/enode4). Please write in about lighting on Linux!

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/385)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard: Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)

Security Now (MP3)
SN 960: Unforeseen Consequences - CISA's "Secure by Design" Initiative, Fastly's BoringSSL

Feb 7, 2024 (124:13)

  • CISA's "Secure by Design" Initiative
  • The GNU C Library Flaw
  • Fastly CDN switches from OpenSSL to BoringSSL
  • Roskomnadzor asserts itself
  • Google updates Android's Password Manager
  • Firefox gets post-quantum crypto
  • Get your TOTP tokens from LastPass
  • Inflated iOS app data
  • LearnDMARC
  • Sync mobile app bug
  • SpinRite and Windows Defender
  • Crypto signing camera
  • Analog hole in digital camera authentication
  • iOS and Google's Topics
  • The gathering of the Stephvens
  • Programmable Logic Controllers
  • SpinRite update
  • Malware-infected Toothbrush
  • The Unforeseen Consequences of Google's 3rd-party Cookie Cutoff

Show Notes - https://www.grc.com/sn/SN-960-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6.
Sponsors:
  • Melissa.com/twit
  • joindeleteme.com/twit promo code TWIT
  • GO.ACILEARNING.COM/TWIT
  • vanta.com/SECURITYNOW

All TWiT.tv Shows (MP3)
Security Now 960: Unforeseen Consequences

All TWiT.tv Shows (MP3)

Play Episode Listen Later Feb 7, 2024 124:13


CISA's "Secure by Design" Initiative The GNU C Library Flaw Fastly CDN switches from OpenSSL to BoringSSL Roskomnadzor asserts itself Google updates Android's Password Manager Firefox gets post-quantum crypto Get your TOTP tokens from LastPass Inflated iOS app data LearnDMARC Sync mobile app bug SpinRite and Windows Defender Crypto signing camera Analog hole in digital camera authentication iOS and Google's Topics The gathering of the Stephvens Programmable Logic Controllers SpinRite update Malware-infected Toothbrush The Unforeseen Consequences of Google's 3rd-party Cookie Cutoff Show Notes - https://www.grc.com/sn/SN-960-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: Melissa.com/twit joindeleteme.com/twit promo code TWIT GO.ACILEARNING.COM/TWIT vanta.com/SECURITYNOW

Security Now (Video HD)
SN 960: Unforeseen Consequences - CISA's "Secure by Design" Initiative, Fastly's BoringSSL

Security Now (Video HD)

Play Episode Listen Later Feb 7, 2024 124:13


CISA's "Secure by Design" Initiative The GNU C Library Flaw Fastly CDN switches from OpenSSL to BoringSSL Roskomnadzor asserts itself Google updates Android's Password Manager Firefox gets post-quantum crypto Get your TOTP tokens from LastPass Inflated iOS app data LearnDMARC Sync mobile app bug SpinRite and Windows Defender Crypto signing camera Analog hole in digital camera authentication iOS and Google's Topics The gathering of the Stephvens Programmable Logic Controllers SpinRite update Malware-infected Toothbrush The Unforeseen Consequences of Google's 3rd-party Cookie Cutoff Show Notes - https://www.grc.com/sn/SN-960-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: Melissa.com/twit joindeleteme.com/twit promo code TWIT GO.ACILEARNING.COM/TWIT vanta.com/SECURITYNOW

Security Now (Video HI)
SN 960: Unforeseen Consequences - CISA's "Secure by Design" Initiative, Fastly's BoringSSL

Security Now (Video HI)

Play Episode Listen Later Feb 7, 2024 124:13


CISA's "Secure by Design" Initiative The GNU C Library Flaw Fastly CDN switches from OpenSSL to BoringSSL Roskomnadzor asserts itself Google updates Android's Password Manager Firefox gets post-quantum crypto Get your TOTP tokens from LastPass Inflated iOS app data LearnDMARC Sync mobile app bug SpinRite and Windows Defender Crypto signing camera Analog hole in digital camera authentication iOS and Google's Topics The gathering of the Stephvens Programmable Logic Controllers SpinRite update Malware-infected Toothbrush The Unforeseen Consequences of Google's 3rd-party Cookie Cutoff Show Notes - https://www.grc.com/sn/SN-960-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: Melissa.com/twit joindeleteme.com/twit promo code TWIT GO.ACILEARNING.COM/TWIT vanta.com/SECURITYNOW

Paul's Security Weekly
Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272

Paul's Security Weekly

Play Episode Listen Later Feb 6, 2024 74:25


We can't talk about OWASP without talking about lists, but we go beyond the lists to talk about a product security framework. Grant shares his insights on what makes lists work (and not work). More importantly, he shares the work he's doing to spearhead a new OWASP project to help scale the creation of appsec programs, whether you're on your own or part of a global org. Segment Resources: https://owasp.org/www-project-product-security-capabilities-framework/ https://github.com/OWASP/pscf https://prods.ec/ https://owaspsamm.org https://iso25000.com/index.php/en/iso-25000-standards/iso-25010 https://www.scmagazine.com/podcast-episode/application-security-weekly-242 Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-272

Paul's Security Weekly TV
Sorting Out Glibc Vulns, Apple's Security Research Device, BoringSSL, Old C Vulns - ASW #272

Paul's Security Weekly TV

Play Episode Listen Later Feb 6, 2024 36:41


Qualys discloses syslog and qsort vulns in glibc, Apple's jailbroken iPhone for security researchers, moving away from OpenSSL, what an ancient vuln in image parsing can teach us today, and more! Show Notes: https://securityweekly.com/asw-272

Ask Noah Show
Episode 365: Ask Noah Show 365 | Data Migration Success!

Ask Noah Show

Play Episode Listen Later Nov 29, 2023 63:50


This week Steve goes through his data migration story at his house. What things should you consider before moving large datasets around, and what things need to be taken into account for a solid backup plan?

-- During The Show --

01:52 Home Automation Leak Detection - Jeremy: You can't really. Using cameras.

08:06 mmWave sensor update/comparison: Seeed Studio mmWave Sensor (https://wiki.seeedstudio.com/mmwave_human_detection_kit/). Space for other sensors. Way better than a PIR sensor. Aqara Water Sensor (https://cloudfree.shop/product/aqara-water-sensor/)

11:19 Point of sale gear? - Charlie: Odoo (https://github.com/odoo/odoo), Open Source POS (https://github.com/opensourcepos/opensourcepos), UniCenta (https://unicenta.com/), Squirrel Systems (https://www.squirrelsystems.com/squirrel-pos-for-hotels)

13:28 Succession Planning - David: Password dump. Bitwarden. Network diagram with pictures. Good documentation. Techy friends. Dave Ramsey - Legacy box. Legacy Folder. Data, external drives.

23:23 Odoo for Accounting and Bookkeeping - Tiny: Looks like a solid platform. Expensive. Self hosting not really an option. Accounting solid but very basic, no payroll. Not fully open source.

25:51 Backups? - Mike: Copying the file MIGHT be OK if the file system has bit rot protection; works till it doesn't. Better to use database tools. External drives: 3.5" StarTech Enclosure (https://www.amazon.com/StarTech-com-10Gbps-Enclosure-SATA-Drives/dp/B00XLAZEFC), Pelican 1120 Case, 2.5" Cable Matters Enclosure (https://www.amazon.com/Cable-Matters-Aluminum-External-Enclosure/dp/B07CQD6M5B), Steve's M.2 Enclosure (https://www.amazon.com/gp/product/B09T97Z7DM), ASUS ROG M.2 Enclosure (https://www.amazon.com/ASUS-ROG-Arion-Aluminum-Enclosure/dp/B07ZKB4SLK)

37:57 News Wire
OpenZFS 2.2.1 - Phoronix (https://www.phoronix.com/news/OpenZFS-2.2.1-Released)
Weston 13.0 - Freedesktop.org (https://lists.freedesktop.org/archives/wayland-devel/2023-November/043326.html)
OpenSSL 3.2 - GitHub (https://github.com/openssl/openssl/blob/openssl-3.2.0/NEWS.md)
PipeWire 1.0 - Phoronix (https://www.phoronix.com/news/PipeWire-1.0-Released)
LibreOffice 7.6.3 On Android - Document Foundation (https://blog.documentfoundation.org/blog/2023/11/23/libreoffice-763-and-android-viewer-app/)
Wine 8.21 - Gaming On Linux (https://www.gamingonlinux.com/2023/11/wine-821-brings-high-dpi-scaling-and-initial-vulkan-support-for-wayland/)
Studio One 6.5 - Presonus Software (https://www.presonussoftware.com/en_US/blog/studio-one-6-5-for-linux)
PeerTube v6 - Frama Blog (https://framablog.org/2023/11/28/peertube-v6-is-out-and-powered-by-your-ideas/)
Proxmox 8.1 - Proxmox (https://www.proxmox.com/en/about/press-releases/proxmox-virtual-environment-8-1)
OpenMandriva LX 5.0 - Beta News (https://betanews.com/2023/11/25/openmandriva-lx-50-linux-download/)
Nitrux 3.2.0 - NXOS.org (https://nxos.org/changelog/release-announcement-nitrux-3-2-0/)
Ultramarine Linux 39 - Fyra Labs (https://blog.fyralabs.com/ultramarine-39-released/)
Linux 6.6 tagged LTS - Security Boulevard (https://securityboulevard.com/2023/11/linux-6-6-is-now-officially-an-lts-release/)
Linux Runs 20% Faster on Ryzen 7995WX - Toms Hardware (https://www.tomshardware.com/news/ubuntu-runs-20-faster-than-windows-11-on-amd-threadripper-pro-7995wx)
MicroCloud - Infoq (https://www.infoq.com/news/2023/11/canonical-microcloud-open-source/)
GIMP Team Targeting May 2024 - Librearts.org (https://librearts.org/2023/11/gimp-3-0-roadmap/)
X11 Being Removed from RHEL 10 - Red Hat (https://www.redhat.com/en/blog/rhel-10-plans-wayland-and-xorg-server)
Functional Source License - The Register (https://www.theregister.com/2023/11/24/opinion_column/)
Kinsing Malware - Hack Read (https://www.hackread.com/kinsing-crypto-malware-linux-apache-activemq-flaw/)
SysJoker Malware - Cyber Security News (https://cybersecuritynews.com/sysjoker-malware-attacking-windows-linux-and-mac-users-abusing-onedrive/)
Looney Tunables - Security Affairs (https://securityaffairs.com/154573/security/cisa-known-exploited-vulnerabilities-catalog-looney-tunables.html)
Open Source Tesla - The Verge (https://www.theverge.com/2023/11/23/23973701/tesla-roadster-is-now-fully-open-source)
AMD GPU & RISC-V - Toms Hardware (https://www.tomshardware.com/pc-components/gpus/amds-fastest-gaming-gpu-now-works-with-risc-v-cpus-amd-radeon-rx-7900-xtx-open-source-linux-drivers-available)
Real AI - Mark Tech Post (https://www.marktechpost.com/2023/11/23/real-ai-wins-project-to-build-europes-open-source-large-language-model/)
Synthetic Machine Learning Data - SD Times (https://sdtimes.com/data/capital-one-open-sources-new-project-for-generating-synthetic-data/)
Uploading Minds - Crypto Slate (https://cryptoslate.com/buterin-sees-benefit-of-uploading-minds-and-need-for-open-source-innovation-in-ai/)
AI Linux Optimization - Toms Hardware (https://www.tomshardware.com/news/chinese-company-uses-ai-to-optimize-linux-kernel)

41:11 Nativefier: Makes a native Linux app out of web pages. Saves credentials and session. Mind Drip One (http://docs.minddripone.com/how-to/install-use-nativefier/). Nativefier GUI GitHub (https://github.com/mattruzzi/nativefier-gui)

45:44 Data Migration: Good to rotate drives. Disk burn-in (bunch of rsync). Rsync took 26 hours. rsync will preserve hard links with the right flags. Software RAID is more portable. Nuke & pave. 2 vdevs, 3 drives per vdev, can only lose one drive. ZFS send/receive is much faster and better. IDrive (https://www.idrive.com/). Kopia (https://kopia.io/). SpiderOak One. Plan for your target. rsync flags: -a: archive mode, which preserves permissions, ownership, and timestamps. -v: verbose mode, which prints out detailed information about the transfer. -H: preserve hard links. -P: keep partially transferred files and show progress (the same as --partial --progress; permissions are covered by -p, which -a already includes). Dumping a database is intensive. Proxmox gets in the way; it doesn't gain Steve anything: special snowflake, custom UI, good for multi node, no updates. KVM works the same everywhere. Cockpit GUI will eventually replace virt-manager.

-- The Extra Credit Section -- For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard! This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/365) Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah) Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com) -- Stay In Touch -- Find all the resources for this show on the Ask Noah Dashboard Ask Noah Dashboard (http://www.asknoahshow.com) Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show! Altispeed Technologies (http://www.altispeed.com/) Contact Noah live [at] asknoahshow.com -- Twitter -- Noah - Kernellinux (https://twitter.com/kernellinux) Ask Noah Show (https://twitter.com/asknoahshow) Altispeed Technologies (https://twitter.com/altispeed)
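The show notes above say rsync "will preserve hard links with the right flags" (-a for mode, ownership and timestamps; -H for hard links) but do not show how to confirm, after a 26-hour transfer, that a copy really is faithful. The Python below is an added example, not the show's or the rsync project's code: it builds a small constructed sample tree (two names for one inode plus an executable script), copies it once the naive way (bytes only, as cp -r without -a would) and once the way rsync -aH behaves in miniature (copy2 for metadata, os.link for a second name of an already-copied inode), then runs a checker that reports mode, mtime, size and broken hard-link groups. It assumes a POSIX filesystem that supports hard links; the tree layout, file names and FIXED_MTIME value are made up for the demonstration.

```python
"""Post-migration check: did the copy preserve hard links, permissions and mtimes?"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

FIXED_MTIME = 1_600_000_000  # constructed timestamp stamped onto the sample tree


def regular_files(root):
    """Yield (relative_path, Path) for every regular, non-symlink file under root."""
    root = Path(root)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            yield str(p.relative_to(root)), p


def hardlink_groups(root):
    """Set of hard-link groups: each group is the sorted tuple of paths sharing one inode."""
    by_inode = {}
    for rel, p in regular_files(root):
        st = p.stat()
        by_inode.setdefault((st.st_dev, st.st_ino), []).append(rel)
    return {tuple(sorted(g)) for g in by_inode.values() if len(g) > 1}


def compare_trees(src, dst):
    """Return human-readable findings; an empty list means the copy is faithful.

    Only regular files are compared; directory metadata is out of scope here."""
    findings = []
    src_files = dict(regular_files(src))
    dst_files = dict(regular_files(dst))
    for rel in sorted(set(src_files) ^ set(dst_files)):
        findings.append(f"missing or extra file: {rel}")
    for rel in sorted(set(src_files) & set(dst_files)):
        s, d = src_files[rel].stat(), dst_files[rel].stat()
        s_mode, d_mode = stat.S_IMODE(s.st_mode), stat.S_IMODE(d.st_mode)
        if s_mode != d_mode:
            findings.append(f"mode mismatch: {rel} src={oct(s_mode)} dst={oct(d_mode)}")
        if int(s.st_mtime) != int(d.st_mtime):
            findings.append(f"mtime mismatch: {rel}")
        if s.st_size != d.st_size:
            findings.append(f"size mismatch: {rel}")
    # A group present in src but not in dst means two names became two separate copies.
    for group in sorted(hardlink_groups(src) - hardlink_groups(dst)):
        findings.append(f"hard-link group broken: {group}")
    return findings


def copy_naive(src, dst):
    """Byte-for-byte copy that, like cp -r without -a, drops mode, mtime and hard links."""
    for rel, p in regular_files(src):
        target = Path(dst) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(p.read_bytes())


def copy_preserving_hardlinks(src, dst):
    """What rsync -aH does in miniature: copy2 keeps mode and times, and a second
    name for an inode already copied becomes os.link() instead of a second copy."""
    seen = {}  # (st_dev, st_ino) in src -> first destination path written for it
    for rel, p in regular_files(src):
        target = Path(dst) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        st = p.stat()
        key = (st.st_dev, st.st_ino)
        if key in seen:
            os.link(seen[key], target)
        else:
            shutil.copy2(p, target)
            seen[key] = target


def build_sample_tree(root):
    """Constructed dataset: one inode with two names, plus an executable script."""
    root = Path(root)
    (root / "photos").mkdir()
    original = root / "photos" / "img_0001.raw"
    original.write_bytes(b"RAW" * 1024)
    os.link(original, root / "photos" / "best_of.raw")  # second name, same inode
    script = root / "backup.sh"
    script.write_text("#!/bin/sh\nexit 0\n")
    os.chmod(script, 0o750)  # an exec bit a naive rewrite can never reproduce
    for _rel, p in regular_files(root):
        os.utime(p, (FIXED_MTIME, FIXED_MTIME))


def demo():
    """Copy the sample tree both ways; return (naive_findings, faithful_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        build_sample_tree(src)
        naive_dst, faithful_dst = Path(tmp) / "naive", Path(tmp) / "faithful"
        copy_naive(src, naive_dst)
        copy_preserving_hardlinks(src, faithful_dst)
        return compare_trees(src, naive_dst), compare_trees(src, faithful_dst)


if __name__ == "__main__":
    naive, faithful = demo()
    print("naive copy:", *naive, sep="\n  ")
    print("hard-link-aware copy:", faithful or "no findings")
```

Run against real source and destination mount points, compare_trees() is the post-rsync audit: a non-empty result on a tree you copied with -aH usually means the destination filesystem could not represent something (no hard links, coarser timestamps, a different mode model) rather than an rsync bug, which is exactly the kind of thing to learn before the old drives are wiped.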

The Bike Shed
408: Work Device Management

The Bike Shed

Play Episode Listen Later Nov 28, 2023 32:57


Joël recaps his time at RubyConf! He shares insights from his talk about different aspects of time in software development, emphasizing the interaction with the audience and the importance of post-talk discussions. Stephanie talks about wrapping up a long-term client project, the benefits of change and variety in consulting, and maintaining a balance between project engagement and avoiding burnout. They also discuss strategies for maintaining work-life balance, such as physical separation and device management, particularly in a remote work environment. Rubyconf (https://rubyconf.org/) Joël's talk slides (https://speakerdeck.com/joelq/which-time-is-it) Flaky test summary slide (https://speakerdeck.com/aridlehoover/the-secret-ingredient-how-to-understand-and-resolve-just-about-any-flaky-test?slide=170) Transcript: STEPHANIE: Hello and welcome to another episode of The Bike Shed, a weekly podcast from your friends at thoughtbot about developing great software. I'm Stephanie Minn. JOËL: And I'm Joël Quenneville. And together, we're here to share a bit of what we've learned along the way. STEPHANIE: So, Joël, what's new in your world? JOËL: Well, as of this recording, I have just gotten back from spending the week in San Diego for RubyConf. STEPHANIE: Yay, so fun. JOËL: It's always so much fun to connect with the community over there, talk to other people from different companies who work in Ruby, to be inspired by the talks. This year, I was speaking, so I gave a talk on time and how it's not a single thing but multiple different quantities. In particular, I distinguish between a moment in time like a point, a duration and amount of time, and then a time of day, which is time unconnected to a particular day, and how those all connect together in the software that we write. STEPHANIE: Awesome. How did it go? How was it received? JOËL: It was very well received. 
I got a lot of people come up to me afterwards and make a variety of time puns, which those are so easy to make. I had to hold myself back not to put too many in the talk itself. I think I kept it pretty clean. There were definitely a couple of time puns in the description of the talk, though. STEPHANIE: Yeah, absolutely. You have to keep some in there. But I hear you that you don't want it to become too punny [laughs]. What I really love about conferences, and we've talked a little bit about this before, is the, you know, like, engagement and being able to connect with people. And you give a talk, but then that ends up leading to a lot of, like, discussions about it and related topics afterwards in the hallway or sitting together over a meal. JOËL: I like to, in my talks, give little kind of hooks for people who want to have those conversations in the hallway. You know, sometimes it's intimidating to just go up to a speaker and be like, oh, I want to, like, dig into their talk a little bit. But I don't have anything to say other than just, like, "I liked your talk." So, if there's any sort of side trails I had to cut for the talk, I might give a shout-out to it and say, "Hey, if you want to learn more about this aspect, come talk to me afterwards." So, one thing that I put in this particular talk was like, "Hey, we're looking at these different graphical ways to think about time. These are similar to but not the same as thinking of time as a one-dimensional vector and applying vector math to it, which is a whole other side topic. If you want to nerd out about that, come find me in the hallway afterwards, and I'd love to go deeper on it." And yeah, some people did. STEPHANIE: That's really smart. I like that a lot. You're inviting more conversation about it, which I know, like, you also really enjoy just, like, taking it further or, like, caring about other people's experiences or their thoughts about vector math [laughs]. 
JOËL: I think it serves two purposes, right? It allows people to connect with me as a speaker. And it also allows me to feel better about pruning certain parts of my talk and saying, look, this didn't make sense to keep in the talk, but it's cool material. I'd love to have a continuing conversation about this. So, here's a path we could have taken. I'm choosing not to, as a speaker, but if you want to take that branch with me, let's have that afterwards in the hallway. STEPHANIE: Yeah. Or even as, like, new content for yourself or for someone else to take with them if they want to explore that further because, you know, there's always something more to explore [chuckles]. JOËL: I've absolutely done that with past talks. I've taken a thing I had to prune and turned it into a blog post. A recent example of that was when I gave a talk at RailsConf Portland, which I guess is not so recent. I was talking about ways to deal with a test suite that's making too many database requests. And talking about how sometimes misusing let in your RSpec tests can lead to more database requests than you expect. And I had a whole section about how to better understand what database requests will actually be made by a series of let expressions and dealing with the eager versus lazy and all of that. I had to cut it. But I was then able to make a blog post about it and then talk about this really cool technique involving dependency graphs. And that was really fun. So, that was a thing where I was able to say, look, here's some content that didn't make it into the talk because I needed to focus on other things. But as its own little, like, side piece of content, it absolutely works, and here's a blog post. STEPHANIE: Yeah. And then I think it turned into a Bike Shed episode, too [laughs]. JOËL: I think it did, yes. I think, in many ways, creativity begets creativity. 
It's hard to get started writing or producing content or whatever, but once you do, every idea you have kind of spawns new ideas. And then, pretty soon, you have a backlog that you can't go through. STEPHANIE: That's awesome. Any other highlights from the conference you want to shout out? JOËL: I'd love to give a shout-out to a couple of talks that I went to, Aji Slater's talk on the Enigma machine as a German code machine from World War II and how we can sort of implement our own in Ruby and an exploration of object-oriented programming was fantastic. Aji is just a masterful storyteller. So, that was really great. And then Alan Ridlehoover's talk on dealing with flaky tests that one, I think, was particularly useful because I think it's one of the talks that is going to be immediately relevant on Monday morning for, like, every developer that was in that room and is going back to their regular day job. And they can immediately use all of those principles that Alan talked about to deal with the flaky tests in their test suite. And there's, in particular, at the end of his presentation, Alan has this summary slide. He kind of broke down flakiness across three different categories and then talked about different strategies for identifying and then fixing tests that were flaky because of those reasons. And he has this table where he sort of summarizes basically the entire talk. And I feel like that's the kind of thing that I'm going to save as a cheat sheet. And that can be, like, I'm going to link to this and share it all over because it's really useful. Alan has already put his slides up online. It's all linked to that particular slide in the show notes because I think that all of you would benefit from seeing that. The talks themselves are recorded, but they're not going to be out for a couple of weeks. I'm sure when they do, we're going to go through and watch some and probably comment on some of the talks as well. So, Stephanie, what is new in your world? 
STEPHANIE: Yeah. So, I'm celebrating wrapping up a client project after a nine-month engagement. JOËL: Whoa, that's a pretty long project. STEPHANIE: Yeah, that's definitely on the longer side for thoughtbot. And I'm, I don't know, just, like, feeling really excited for a change, feeling really, you know, proud of kind of, like, all of the work that we had done. You know, we had been working with this client for a long time and had been, you know, continuing to deliver value to them to want to keep working with us for that long. But I'm, yeah, just looking forward to a refresh. And I think that's one of my favorite things about consulting is that, you know, you can inject something new into your work life at a kind of regular cadence. And, at least for me, that's really important in reducing or, like, preventing the burnout. So, this time around, I kind of started to notice, and other people, too, like my manager, that I was maybe losing a bit of steam on this client project because I had been working on it for so long. And part of, you know, what success at thoughtbot means is that, like, we as employees are also feeling fulfilled, right? And, you know, what are the different ways that we can try to make sure that that remains the case? And kind of rotating folks on different projects and kind of making sure that things do feel fresh and exciting is really important. And so, I feel very grateful that other people were able to point that out for me, too, when I wasn't even fully realizing it. You know, I had people checking in on me and being like, "Hey, like, you've been on this for a while now. Kind of what I've been hearing is that, like, maybe you do need something new." I'm just excited to get that change. 
JOËL: How do you find the balance between sort of feeling fulfilled and maybe, you know, finding that point where maybe you're feeling you're running out of steam–versus, you know, some projects are really complex, take a while to ramp up; you want to feel productive; you want to feel like you have contributed in a significant way to a project? How do you navigate that balance? STEPHANIE: Yeah. So, the flip side is, like, I also don't think I would enjoy having to be changing projects all the time like every couple of months. That maybe is a little too much for me because I do like to...on our team, Boost, we embed on our team. We get to know our teammates. We are, like, building relationships with them, and supporting them, and teaching them. And all of that is really also fulfilling for me, but you can't really do that as much if you're on more shorter-term engagements. And then all of that, like, becomes worthwhile once you're kind of in that, like, maybe four or five six month period where you're like, you've finally gotten your groove. And you're like, I'm contributing. I know how this team works. I can start to see patterns or, like, maybe opportunities or gaps. And that is all really cool, and I think also another part of what I really like about being on Boost. But yeah, I think what I...that losing steam feeling, I started to identify, like, I didn't have as much energy or excitement to push forward change. When you kind of get a little bit too comfortable or start to get that feeling of, well, these things are the way they are [laughs], -- JOËL: Right. Right. STEPHANIE: I've now identified that that is kind of, like, a signal, right? JOËL: Maybe time for a new project. STEPHANIE: Right. Like starting to feel a little bit less motivated or, like, less excited to push myself and push the team a little bit in areas that it needs to be pushed. 
And so, that might be a good time for someone else at thoughtbot to, like, rotate in or maybe kind of close the chapter on what we've been able to do for a client. JOËL: It's hard to be at 100% all the time and sort of always have that motivation to push things to the max, and yeah, variety definitely helps with that. How do you feel about finding signals that maybe you need a break, maybe not from the project but just in general? The idea of taking PTO or having kind of a rest day. STEPHANIE: Oh yeah. I, this year, have tried out taking time off but not going anywhere just, like, being at home but being on vacation. And that was really great because then it was kind of, like, less about, like, oh, I want to take this trip in this time of year to this place and more like, oh, I need some rest or, like, I just need a little break. And that can be at home, right? Maybe during the day, I'm able to do stuff that I keep putting off or trying out new things that I just can't seem to find the time to do [chuckles] during my normal work schedule. So, that has been fun. JOËL: I think, yeah, sometimes, for me, I will sort of hit that moment where I feel like I don't have the ability to give 100%. And sometimes that can be a signal to be like, hey, have you taken any time off recently? Maybe you should schedule something. Because being able to refresh, even short-term, can sort of give an extra boost of energy in a way where...maybe it's not time for a rotation yet, but just taking a little bit of a break in there can sort of, I guess, extend the time where I feel like I'm contributing at the level that I want to be. STEPHANIE: Yeah. And I actually want to point out that a lot of that can also be, like, investing in your life outside of work, too, so that you can come to work with a different approach. I've mentioned the month that I spent in the Hudson Valley in New York and, like, when I was there, I felt, like, so different. 
I was, you know, just, like, so much more excited about all the, like, novel things that I was experiencing that I could show up to work and be like, oh yeah, like, I'm feeling good today. So, I have all this, you know, energy to bring to the tasks that I have at work. And yeah, so even though it wasn't necessarily time off, it was investing in other things in my life that then brought that refresh at work, even though nothing at work really changed [laughs]. JOËL: I think there's something to be said for the sort of energy boost you get from novelty and change, and some of that you get it from maybe rotating to a different project. But like you were saying, you can change your environment, and that can happen as well. And, you know, sometimes it's going halfway across the country to live in a place for a month. I sometimes do that in a smaller way by saying, oh, I'm going to work this morning from a coffee shop or something like that. And just say, look, by changing the environment, I can maybe get some focus or some energy that I wouldn't have if I were just doing same old, same old. STEPHANIE: Yeah, that's a good point. So, one particularly surprising refresh that I experienced in offboarding from my client work is coming back to my thoughtbot, like, internal company laptop, which had been sitting gathering dust [laughs] a little bit because I had a client-issued laptop that I was working in most of the time. And yeah, I didn't realize how different it would feel. I had, you know, gotten everything set up on my, you know, my thoughtbot computer just the way that I liked it, stuff that I'd never kind of bothered to set up on my other client-issued laptop. And then I came back to it, and then it ended up being a little bit surprising. I was like, oh, the icons are smaller on this [laughs] computer than the other computer. 
But it definitely did feel like returning to home, I think, instead of, like, being a guest in someone else's house that you haven't quite, like, put all your clothes in the closet or in the drawers. You're still maybe, like, living out of a suitcase a little bit [laughs]. So yeah, I was kind of very excited to be in my own space on my computer again.

JOËL: I love the metaphor of coming home, and yeah, being in your own space, sleeping in your own bed. There's definitely some of that that I feel, I think, when I come back to my thoughtbot laptop as well. Do you feel like you get a different sense of connection with the rest of our thoughtbot colleagues when you're working on the thoughtbot-issued laptop versus a client-issued one?

STEPHANIE: Yeah. Even though on my client-issued computer I had the thoughtbot Slack, like, open on there so I could be checking in, I wasn't necessarily in, like, other thoughtbot digital spaces as much, right? So, our, like, project management tools and our, like, internal company web app, those were things that I was on less of naturally because, like, the majority of my work was client work, and I was all in their digital spaces. But coming back and checking in on, like, all the GitHub discussions that have been happening while I haven't had enough time to catch up on them, just realizing that things were happening [laughs] even when I was doing something else, that is both cool and also like, oh wow, like, kind of sad that I [chuckles] missed out on some of this as it was going on.

JOËL: That's pretty similar to my experience. For me, it almost feels a little bit like the difference between back when we used to be in person because thoughtbot is now fully remote. I would go, usually, depending on the client, maybe a couple of days a week working from their offices if they had an office. Versus some clients, they would come to our office, and we would work all week out of the thoughtbot offices, particularly if it was like a startup founder or something, and they might not already have office space. And that difference and feeling the connection that I would have from the rest of the thoughtbot team if I were, let's say, four days a week out of a client office versus two or four days a week out of the thoughtbot office feels kind of similar to what it's like working on a client-issued laptop versus on a thoughtbot-issued one.

STEPHANIE: Another thing that I guess I forgot about or, like, wasn't expecting to do was all the cleanup, just the updating of things on my laptop as it had kind of been sitting. And it reminded me to, I guess, extend that, like, coming home metaphor a little bit more. In the game Animal Crossing, if you haven't played the game in a while because it tracks, like, real-time, so it knows if you haven't, you know, played the game in a few months, when you wake up in your home, there's a bunch of cockroaches running around [laughs], and you have to go and chase and, like, squash them to clean it up.

JOËL: Oh no.

STEPHANIE: And it kind of felt like that opening my computer. I was like, oh, like, my, like, you know, OS is out of date. My browsers are out of date. I decided to get an internal company project running in my local development again, and I had to update so many things, you know, like, install the new Ruby version that the app had, you know, been upgraded to and upgrade, like, OpenSSL and all of that stuff on my machine to, yeah, get the app running again. And like I mentioned earlier, just the idea of like, oh yeah, this has evolved and changed, like, without me [laughs] was just, you know, interesting to see. And catching myself up to speed on that was not trivial work. So yeah, like, all that maintenance stuff still got to do it. It's, like, the digital cleanup, right?

JOËL: Exactly. So, you mentioned that on the client machine, you still had the thoughtbot Slack. So, you were able to keep up at least some messages there on one device. I'm curious about the experience, maybe going the other way. How much does thoughtbot stuff bleed into your personal devices, if at all?

STEPHANIE: Barely. I am very strict about that, I think. I used to have Slack on my phone, I don't know, just, like, in an earlier time in my career. But now I have a rule to keep it off. I think the only thing that I have is my calendar, so no email either. Like, that is something that I, like, don't like to check on my personal time. Yeah, so it really just is calendar just in case I'm, like, out in the morning and need to be, like, oh, when is my first meeting? But [laughs] I will say that the one kind of silly thing is that I also refuse to sign into my Google account for work. So, I just have the calendar, like, added to my personal calendar but all the events are private. So, I can't actually see what the events are [laughs]. I just know that I have something going on at, like, 10:00 a.m. So, I got to make sure I'm back home by then [laughs], which is not so ideal. But at the risk of being signed in and having other things bleed into my personal devices, I'm just living with that for now [laughs].

JOËL: What I'm hearing is that I could put some mystery events on your calendar, and you would have a fun surprise in the morning because you wouldn't know what it is.

STEPHANIE: Yeah, that is true [laughs]. If you put, like, a meeting at, like, 8:00 a.m., [laughs] then I'm like, oh no, what's this? And then I arrive, and it's just, like [laughs], a fun prank meeting. So, you know, you were talking about how you were at the conference this week. And I'm wondering, how connected were you to work life?

JOËL: Uh, not very. I tried to be very present in the moment at the conference. So, I'm, you know, connected to all the other thoughtboters who were there and connecting with the attendees. I do have Slack on my phone, so if I do need to check it for something. There was a little bit of communication that was going on for different things regarding the conference, so I did check in for that. But otherwise, I tried to really stay focused on the in-person things that are happening. I'm not doing any client work during those days that I'm at RubyConf, and so I don't need to deal with anything there. I had my thoughtbot laptop with me because that's what I used to give my presentation. But once the presentation was done, I closed that laptop and didn't open it again, and, honestly, that felt kind of good.

STEPHANIE: Yeah, that is really nice. I'm the same way, where I try to be pretty connected at conferences, and, like, I will actually redownload Slack sometimes just for, like, coordinating purposes with other folks who are there. But I think I make it pretty clear that I'm, like, away. You know, like, I'm not actually...like, even though I'm on work time, I'm not doing any other work besides just being present there.

JOËL: So, you mentioned the idea of work time. Do you have, like, a pretty strict boundary between personal time and work time and, like, try not to allow either to bleed into each other?

STEPHANIE: Yeah. I can't remember if I've mentioned this on the show. I think I have, but I'm going to again because one of my favorite things that I picked up from The Bike Shed back when Chris Toomey and Steph Viccari were hosting the show is Chris had, like, a little ritual that he would do every day to signal that he was done with work. He would close his laptop and say, "Schedule shutdown complete," I think. And I've started adopting it because then it helps me be like, I'm not going to reopen my laptop after this because I have said the words. And even if I think of something that I maybe need to add to my to-do list, I will, instead of opening my computer and adding to my, like, whatever digital to-do list, I will, like, write it down on a piece of paper instead for the sake of, you know, not risking getting sucked back into, you know, whatever might be going on after the time that I've, like, decided that I need to be done.

JOËL: So, you have a very strict divisioning between work time and personal time.

STEPHANIE: Yeah, I would say so. I think it's important for me because even when I take time off, you know, sometimes folks might work a half day or something, right? I really struggle with having even a half day feel like, once I'm done with work, having that feel like okay, like, now I'm back in my personal time. I'd much prefer not working the entire day at all because that is kind of the only way that I can feel like I've totally reclaimed that time. Otherwise, it's like, once I start thinking about work stuff, it's like I need a mental boundary, right? Because if I'm thinking about a work problem, or, like, an interaction or, like, just anything, it's frustrating because it doesn't feel like time in my own brain [laughs] is my own. What do work and personal time boundaries look like for you?

JOËL: I think it's evolved over time. Device usage is definitely a little bit more blurry for me. One thing that I have started doing since we've gone fully remote as the pandemic has been winding down and, you know, you can do things, but we're still working from home, is that more days than not, I work from home during the day, and then I leave my home during the evening. I do a variety of social activities. And because I like to be sort of present in the moment, that means that by being physically gone, I have totally disconnected because I'm not checking emails or anything like that. Even though I do have thoughtbot email on my phone, Gmail allows me to like log into my personal account and my thoughtbot account. I have to, like, switch between the two accounts, and so, that's, like, more work than I would want. I don't have any notifications come in for the thoughtbot account. So, unless I'm, like, really wanting to see if a particular email I'm waiting for has come in, I don't even look at it, ever. It's mostly just there in case I need to see something. And then, by being focused in the moment doing social things with other people, I don't find too much of a temptation to, like, let work life bleed into personal life. So, there's a bit of a physical disconnect that ends up happening by moving out of the space I work in into leaving my home.

STEPHANIE: Yeah. And I'm sure it's different for everyone. As you were saying that, I was reminded of a funny meme that I saw a long time ago. I don't think I could find it if I tried to search for it. But basically, it's this guy who is, you know, sitting on one side of the couch, clearly working. And he's kind of hunched over and, like, typing and looking very serious. And then he, like, closes his laptop, moves over, like, just slides to the other side of the couch, opens his laptop. And then you see him, like, lay back, like, legs up on the coffee table. And it's, like, work computer, personal computer, but it's the same computer [laughs]. It's just the, like, how you've decided like, oh, it's time for, you know, legs up, Netflix watching [laughs].

JOËL: Yeah. Yeah. I'm curious: do you use your thoughtbot computer for any personal things? Or is it just you shut that down; you do the closing ritual, and then you do things on a separate device?

STEPHANIE: Yeah, I do things on a separate device. I think the only thing there might be some overlap for are, like, career-related extracurriculars or just, like, development stuff that I'm interested in doing, like, separate from what I am paid to do. But that, you know, kind of overlaps a little bit because of, like, the tools and the stuff I have installed on my computer. And, you know, with our investment time, too, that ends up having a bit of a crossover.

JOËL: I think I'm similar in that I'll tend to do development things on my thoughtbot machine, even though they're not necessarily thoughtbot-related, although they could be things that might slot into something like investment time.

STEPHANIE: Yeah, yeah. And it's because you have all your stuff set up for it. Like, you're not [laughs] trying to install the latest Ruby version on two different machines, probably [laughs].

JOËL: Yeah. Also, my personal device is a Windows machine. And I've not wanted to bother learning how to set that up or use the Windows Subsystem for Linux or any of those tools, which, you know, may be good professional learning activities. But that's not where I've decided to invest my time.

STEPHANIE: That makes sense. I had an interesting conversation with someone else today, actually, about devices because I had mentioned that, you know, sometimes I still need to incorporate my personal devices into work stuff, especially, like, two-factor authentication. And specifically on my last client project...I have a very old iPhone [laughs]. I need to start out by saying it's an iPhone 8 that I've had for, like, six or seven years. And so, it's old. Like, one time I went to the Apple store, and I was like, "Oh, I'm looking for a screen protector for this." And they're like, "Oh, it's an iPhone 8. Yikes." [laughs] This was, you know, like, not too long ago [laughs]. And the multi-factor authentication policy for my client was that, you know, we had to use this specific app. And it also had, like, security checks. Like, there's a security policy that it needed to be updated to the latest iOS. So, even if I personally didn't want to update my iOS [laughs], I felt compelled to because, otherwise, I would be locked out of the things that I needed to do at work [laughs].

JOËL: Yeah, that can be a challenge sometimes when you're adding work things to personal devices, maybe not because it's convenient and you want to, but because you don't have a choice for things like two-factor auth.

STEPHANIE: Yeah, yeah. And then the person I was talking to actually suggested something I hadn't even thought about, which is like, "Oh, you know, if you really can't make it work, then, like, consider having that company issue another device for you to do the things that they're, like, requiring of you." And I hadn't even thought of that, so... And I'm not quite at the point where I'm like, everything has to be, like, completely separate [laughs], including two-factor auth. But, I don't know, something to consider, like, maybe that might be a place I get to if I'm feeling like I really want to keep those boundaries strict.

JOËL: And I think it's interesting because, you know, when you think of the kind of work that we do, it's like, oh, we work with computers, but there are so many subfields within it. And device management and, just maybe, corporate IT, in general, is a whole subfield that is separate and almost a little bit alien. Two, I feel like me, as a software developer, I'm just aware of a little bit...like, I've read a couple of articles around...and this was, you know, years ago when the trend was starting called Bring Your Own Device. So, people who want to say, "Hey, I want to use my phone. I want to have my work email on my phone." But then does that mean that potentially you're leaking company memos and things? So, how do you secure that kind of thing? And everything that IT had to think through in order to allow that, the pros and cons. So, I think we're just kind of, as users of that system, touching the surface of it. But there's a lot of thought and discussion that, as an industry, the kind of corporate IT folks have gone through to struggle with how to balance a lot of those things.

STEPHANIE: Yeah, yeah. I bet there's a lot of complexity or nuance there. I mean, we're just talking about, like, ways that we do or don't mix work and personal life. And for that kind of work, you know, that's, like, the job is to think really thoroughly about how people use their devices and what should and shouldn't be permissible. The last thing that I wanted to kind of ask about in terms of device management or, like, work and personal intermixing is the idea of being on call and your device being a way for work to reach you and that being a requirement, right? I feel very lucky to obviously not really be in that position. As consultants, like, we're not usually so embedded into a team that we're then brought into, like, an on-call rotation, and I think that's good for me. Like, I don't think that that is something I'd be interested in doing anytime soon. Do you have any experience with that?

JOËL: I have not been on a project where I've had to be on call, and I think that's generally true for most of us at thoughtbot who are doing software development. I know those who are doing more kind of platformy SRE-type things are on call. And, in fact, we have specifically hired people in different regions around the world so that we can provide 24-hour coverage for that kind of thing.

STEPHANIE: Yeah. And I imagine kind of like what we're talking about with work device management looks even different for that kind of role, where maybe you do need a lot more access to things, like, wherever you might be.

JOËL: And maybe the answer there is you get issued a work-specific device and a work phone or something like that, or an old-school work pager.

STEPHANIE: [laughs]

JOËL: PagerDuty is not just a metaphoric thing. Back in the day, they used actual pagers.

STEPHANIE: Yeah, that would be very funny.

JOËL: So yeah, I can't speak to it from personal experience, but I could imagine that maybe some of the dynamics there might be a little bit different. And, you know, for some people, maybe it's fine to just have an app on your phone that pings you when something happens, and you have to be on call. And you're able to be present while waiting, like, in case you get pinged, but also let it go while you're on call. I can imagine that's, like, a really weird kind of, like, shadow, like, working, not working experience that I can't really speak to because I have not been in that position.

STEPHANIE: Yeah. As you were saying that, I also had the thought that, like, our ability to step away from work and our devices is also very much dependent on, like, a company culture and those types of factors, right? Where, you know, it is okay for me to not be able to look at that stuff and just come back to it Monday morning, and I am very grateful [laughs] for that. Because I recognize that, like, not everyone is in that position where there might be a lot more pressure or urgency to be on top of that. But right now, for this time in my life, like, that's kind of how I like to work.

JOËL: I think it kind of sits at the intersection of a few different things, right? There's sort of where you are personally. It might be a combination, like, personality and maybe, like, mental health, things like that, how you respond to how sharp or blurry those lines between work and personal life can be. Like you said, it's also an element of company culture. If there's a company culture that's really pushing to get into your personal life, maybe you need firmer boundaries. And then, finally, what we spent most of this episode talking about: technical solutions, whether that's, like, physically separating everything such that there are two devices. And you close down your laptop, and you're done for the day. And whether or not you allow any apps on your personal phone to carry with you after you leave for the day. So, I think at the intersection of those three is sort of how you're going to experience that, and every person is going to be a little bit different. Because those three...I guess I'm thinking of a Venn diagram. Those three circles are going to be different for everyone.

STEPHANIE: Yeah, that makes complete sense.

JOËL: On that note, shall we wrap up?

STEPHANIE: Let's wrap up. Show notes for this episode can be found at bikeshed.fm.

JOËL: This show has been produced and edited by Mandy Moore.

STEPHANIE: If you enjoyed listening, one really easy way to support the show is to leave us a quick rating or even a review in iTunes. It really helps other folks find the show.

JOËL: If you have any feedback for this or any of our other episodes, you can reach us @_bikeshed, or you can reach me @joelquen on Twitter.

STEPHANIE: Or reach both of us at hosts@bikeshed.fm via email.

JOËL: Thanks so much for listening to The Bike Shed, and we'll see you next week.

ALL: Byeeeeeee!!!!!!

AD: Did you know thoughtbot has a referral program? If you introduce us to someone looking for a design or development partner, we will compensate you if they decide to work with us. More info on our website at: tbot.io/referral. Or you can email us at: referrals@thoughtbot.com with any questions.

Software Sessions
Mike Perham on Keeping it solo (RubyConf 2023)
Nov 21, 2023, 51:26

Mike Perham is the creator of Sidekiq, a background job processor for Ruby. He's also the creator of Faktory, a similar product for multiple language environments. We talk about the RubyConf keynote and Ruby's limitations, supporting products as a solo developer, and some ideas for funding open source like a public utility. Recorded at RubyConf 2023 in San Diego.

A few topics covered:
  • Sidekiq (Ruby) vs Faktory (Polyglot)
  • Why background job solutions are so common in Ruby
  • Global Interpreter Lock (GIL)
  • Ractors (Actor concurrency)
  • Downsides of Multiprocess applications
  • When to use other languages
  • Getting people to pay for Sidekiq
  • Keeping a solo business
  • Being selective about customers
  • Ways to keep support needs low
  • Open source as a public utility

Mike
  • Mike's blog
  • mastodon
  • Sidekiq
  • Faktory
  • From Employment to Independence
  • Ruby Ractor
  • The Practical Effects of the GVL on Scaling in Ruby

Transcript

You can help correct transcripts on GitHub.

Introduction

[00:00:00] Jeremy: I'm here at RubyConf San Diego with Mike Perham. He's the creator of Sidekiq and Faktory.

[00:00:07] Mike: Thank you, Jeremy, for having me here. It's a pleasure.

Sidekiq

[00:00:11] Jeremy: So for people who aren't familiar with, I guess we'll start with Sidekiq because I think that's what you're most known for. If people don't know what it is, maybe you can give like a small little explanation.

[00:00:22] Mike: Ruby apps generally have two major pieces of infrastructure powering them. You've got your app server, which serves your webpages and the browser. And then you generally have something off on the side that... It processes, you know, data for a million different reasons, and that's generally called a background job framework, and that's what Sidekiq is.

[00:00:41] It, Rails is usually the thing that, that handles your web stuff, and then Sidekiq is the Sidekiq to Rails, so to speak.

[00:00:50] Jeremy: And so this would fit the same role as, I think in Python, there's Celery, and then in the Ruby world, I guess there is, uh, Resque is another kind of job.

[00:01:02] Mike: Yeah, background job frameworks are quite prolific in Ruby. The Ruby community's kind of settled on that as the, the standard pattern for application development. So yeah, we've got, a half a dozen to a dozen different, different examples throughout history, but the major ones today are, Sidekiq, Resque, DelayedJob, GoodJob, and, and, and others down the line, yeah.

Why background jobs are so common in Ruby

[00:01:25] Jeremy: I think working in other languages, you mentioned how in Ruby, there's this very clear, preference to use these job scheduling systems, these job queuing systems, and I'm not. I'm not sure if that's as true in, say, if somebody's working in Java, or C sharp, or whatnot. And I wonder if there's something specific about Ruby that makes people kind of gravitate towards this as the default thing they would use.

[00:01:52] Mike: That's a good question. What makes Ruby... The one that so needs a background job system. I think Ruby, has historically been very single threaded. And so, every Ruby process can only do so much work. And so Ruby oftentimes does, uh, spin up a lot of different processes, and so having processes that are more focused on one thing is, is, is more standard.

[00:02:24] So you'll have your application server processes, which focus on just serving HTTP responses. And then you have some other sort of focused process and that just became background job processes. But yeah, I haven't really thought of it all that much. But, uh, you know, something like Java, for instance, heavily multi threaded.

[00:02:45] And so, and extremely heavyweight in terms of memory and startup time. So it's much more frequent in Java that you just start up one process and that's it. Right, you just do everything in that one process. And so you may have dozens and dozens of threads, both serving HTTP and doing work on the side too. Um, whereas in Ruby that just kind of naturally, there was a natural split there.

Global Interpreter Lock

[00:03:10] Jeremy: So that's actually a really good insight, because... in the keynote at RubyConf, Matz, the creator of Ruby, you know, he mentioned the, how the fact that there is this global, interpreter lock,

[00:03:23] or, or global VM lock in Ruby, and so you can't, really do multiple things in parallel and make use of all the different cores. And so it makes a lot of sense why you would say like, okay, I need to spin up separate processes so that I can actually take advantage of, of my, system.

[00:03:43] Mike: Right. Yeah. And the, um, the GVL is the acronym we use in the Ruby community, or GIL. Uh, that global lock really kind of is a forcing function for much of the application architecture in Ruby. Ruby, uh, applications because it does limit how much processing a single Ruby process can do. So, uh, even though Sidekiq is heavily multi threaded, you can only have so many threads executing.

[00:04:14] Because they all have to share one core because of that global lock. So unfortunately, that's, that's been, um, one of the limiter, limiting factors to Sidekiq scalability is that, that lock and boy, I would pay a lot of money to just have that lock go away, but. You know, Python is going through a very long term experiment about trying to remove that lock and I'm very curious to see how well that goes because I would love to see Ruby do the same and we'll see what happens in the future, but, it's always frustrating when I come to another RubyConf and I hear another Matz keynote where he's asked about the GIL and he continues to say, well, the GIL is going to be around, as long as I can tell.

[00:04:57] So it's a little bit frustrating, but. It's, it's just what you have to deal with.

Ractors

[00:05:02] Jeremy: I'm not too familiar with them, but they, they did mention during the keynote I think there Ractors or something like that. There, there, there's some way of being able to get around the GIL but there are these constraints on them. And in the context of Sidekiq and, and maybe Ruby in general, how do you feel about those options or those solutions?

[00:05:22] Mike: Yeah, so, I think it was Ruby 3.2 that introduced this concept of what they call a Ractor, which is like a thread, except it does not have the global lock. It can run independent to the global lock. The problem is, is because it doesn't use the global lock, it has pretty severe constraints on what it can do.

[00:05:47] And the, and more specifically, the data it can access. So, Ruby apps and Rails apps throughout history have traditionally accessed a lot of global data, a lot of class level data, and accessed all this data in a, in a read only fashion. So there's no race conditions because no one's changing any of it, but it's still, lots of threads all accessing the same variables.

[00:06:19] Well, Ractors can't do that at all. The only data Ractors can access is data that they own. And so that is completely foreign to Ruby application, traditional Ruby applications. So essentially, Ractors aren't compatible with the vast majority of existing Ruby code. So I, I, I toyed with the idea of prototyping Sidekiq and Ractors, and within about a minute or two, I just ran into these, these, uh...

[00:06:51] These very severe constraints, and so that's why you don't see a lot of people using Ractors, even still, even though they've been out for a year or two now, you just don't see a lot of people using them, because they're, they're really limited, limited in what they can do. But, on the other hand, they're unlimited in how well they can scale.

[00:07:12] So, we'll see, we'll see. Hopefully in the future, they'll make a lot of improvements and, uh, maybe they'll become more usable over time.

Downsides of multiprocess (Memory usage)

[00:07:19] Jeremy: And with the existence of a job queue or job scheduler like Sidekiq, you're able to create additional processes to get around that global lock, I suppose. What are the... downsides of doing so versus another language like we mentioned Java earlier, which is capable of having true parallelism in the same process.

[00:07:47] Mike: Yeah, so you can start up multiple Ruby processes to process things truly in parallel. The issue is that you do get some duplication in terms of memory. So your Ruby app maybe take a gigabyte per process. And, you can do copy on write forking. You can fork and get some memory sharing with copy on write semantics on Unix operating systems.

[00:08:21] But you may only get, let's say, 30 percent memory savings. So, there's still a significant memory overhead to forking, you know, let's say, eight processes versus having eight threads. You know, you, you, you may have, uh, eight threads can operate in a gigabyte process, but if you want to have eight processes, that may take, let's say, four gigabytes of RAM.

[00:08:48] So you, you still, it's not going to cost you eight gigabytes of RAM, you know, it's not like just one times eight, but, there's still an overhead of having those separate processes.

[00:08:58] Jeremy: Would you say it's more of a cost restriction, like it costs you more to run these applications, or are there actual problems that you can't solve because of this restriction?

[00:09:13] Mike: Help me understand, what do you mean by restriction? Do you mean just the GVL in general, or the fact that forking processes still costs memory?

[00:09:22] Jeremy: I think, well, it would be both, right? So you're, you have two restrictions right now. You have the, the GVL, which means you can't have parallelism within the same process. And then your other option is to spin up a bunch of processes, which you have said is the downside there is that you're using a lot more RAM.

[00:09:43] I suppose my question is that does that actually stop you from doing anything? Like, if you throw more money at the problem, you go like, we're going to have more instances, I'll pay for the RAM, it's fine, can that basically get you out of these situations or are these limitations actually stopping you from, from doing things you could do in other languages?

[00:10:04] Mike: Well, you certainly have to manage the multiple processes, right? So you've gotta, you know, if one child process crashes, you've gotta have a parent or supervisor process watching all that and monitoring and restarting the process. I don't think it restricts you. Necessarily, it just, it adds complexity to your deployment.

[00:10:24] And, and it's just a question of efficiency, right? Instead of being able to deploy on a, on a one gigabyte droplet, I've got to deploy to a four gigabyte droplet, right? Because I just, I need the RAM to run the eight processes. So it, it, it's more of just a purely a function of how much money am I going to have to throw at this problem.

[00:10:45] And what's it going to cost me in operational costs to operate this application in production?

When to use other languages?

[00:10:53] Jeremy: So during the. Keynote, uh, Matz had mentioned that Rails, is really suitable as this one person framework, like you can have a very small team or maybe even yourself and, and build this product. And so I guess from... Your perspective, once you cross a certain threshold, is like, what Ruby and what Sidekiq provides not enough, and that's why you need to start looking into other languages?

[00:11:24] Or like, where's the, turning point, or the, if you

[00:11:29] Mike: Right, right. The, it's all about the problem you're trying to solve, right? At the end of the day, uh, the, the question is just what are we trying to solve and how are we trying to solve it? So at a higher level, you got to think about the architecture. If the problem you're trying to solve, if the service you're trying to build, if the app you're trying to operate.

[00:11:51] If that doesn't really fall into the traditional Ruby application architecture, then you, you might look at it in another language or another ecosystem. Something like Go, for instance, can compile down to a single binary, which makes deployment really easy. It makes shipping up a product. on to a user's machine, much simpler than deploying a Ruby application onto a user's desktop machine, for instance, right?

[00:12:22] Um, Ruby does have this, this problem of how do you package everything together and deploy it somewhere? Whereas Go, when you can just compile to a single binary, now you've just got a single thing. And it's just... Drop it on the file system and execute it. It's easy. So, um, different, different ecosystems have different application architectures, which empower different ways of solving the same problems.

[00:12:48] But, you know, Rails as a, as a one man framework, or sorry, one person framework, It, it, I don't, I don't necessarily, that's a, that's sort of a catchy marketing slogan, but I just think of Rails as the most productive framework you can use. So you, as a single person, you can maximize what you ship and the, the, the value that you can create because Rails is so productive.

[00:13:13] Jeremy: So it, seems like it's maybe the, the domain or the type of application you're making. Like you mentioned the command line application, because you want to be able to deliver it to your user easily. Just give them a binary, something like Go or perhaps Rust makes a lot more sense. And then I could see people saying that if you're doing something with machine learning, like the community behind Python, it's, they're just, they're all there.

[00:13:41] So

Room for more domains in Ruby

[00:13:41] Mike: That was exactly the example I was going to use also. Yeah, if you're doing something with data or AI, Python is going to be a more, a more traditional, natural choice. That doesn't mean Ruby can't do it. That doesn't mean, you wouldn't be able to solve the problem with Ruby. And, and there's, that just also means that there's more space for someone who wants to come in and make an impact in the Ruby community.

[00:14:03] Find a problem that Ruby's not really well suited to solving right now and build the tooling out there to, to try and solve it. You know, I, I saw a talk, from the fellow who makes the Glimmer gem, which is a native UI toolkit. Uh, a gem for building native UIs in Ruby, which Ruby traditionally can't do, but he's, he's done an amazing job at sort of surfacing APIs to build these, um, these native, uh, native applications, which I think is great.

[00:14:32] It's awesome. It's, it's so invigorating to see Ruby in a new space like that. Um, I talked to someone else who's doing the Polars gem, which is focused on data processing. So it kind of takes, um, Python and Pandas and brings that to Ruby, which is, is awesome because if you're a Ruby developer, now you've got all these additional tools which can allow you to solve new sets of problems out there.

[00:14:57] So that's, that's kind of what's exciting in the Ruby community right now is just bring it into new spaces.

Faktory

[00:15:03] Jeremy: In addition to Sidekiq, you have, uh, another product called Faktory, I believe. And so does that serve a, a similar purpose? Is that another job scheduling, job queueing system?

[00:15:16] Mike: It is, yes. And it's, it's, it's similar in a way to Sidekiq. It looks similar. It's got similar concepts at the core of it. At the end of the day, Sidekiq is limited to Ruby. Because Sidekiq executes in a Ruby VM, it executes the jobs, and the jobs are, have to be written in Ruby because you're running in the Ruby VM.

[00:15:38] Faktory was my attempt to bring, Sidekiq functionality to every other language. I wanted, I wanted Sidekiq for JavaScript. I wanted Sidekiq for Go. I wanted Sidekiq for Python because A, a lot of these other languages also could use a system, a background job system. And the problem though is that.

[00:16:04] As a single man, I can't port Sidekiq to every other language. I don't know all the languages, right? So, Faktory kind of changes the architecture and, um, allows you to execute jobs in any language. It, it replaces Redis and provides a server where you just fetch jobs, and you can use it from it.

[00:16:26] You can use that protocol from any language to, to build your own worker processes that execute jobs in whatever language you want.

[00:16:35] Jeremy: When you say it replaces Redis, so it doesn't use Redis, um, internally, it has its own.

[00:16:41] Mike: It does use Redis under the covers. Yeah, it starts Redis as a child process and, connects to it over a Unix socket. And so it's really stable. It's really fast. From the outside, the, the worker processes, they just talk to Faktory. They don't know anything about Redis at all.

[00:16:59] Jeremy: I see. And for someone who, like we mentioned earlier in the Python community, for example, there is, um, Celery. For someone who is using a task scheduler like that, what's the incentive to switch or use something different?

[00:17:17] Mike: Well, I, I always say if you're using something right now, I'm not going to try and convince you to switch necessarily. It's when you have pain that you want to switch and move away. Maybe you have Maybe there's capabilities in the newer system that you really need that the old system doesn't provide, but Celery is such a widely known system that I'm not necessarily going to try and convince people to move away from it, but if people are looking for a new system, one of the things that Celery does that Faktory does not do is Celery provides like data adapters for using store, lots of different storage systems, right?

[00:17:55] Faktory doesn't do that.
Faktory is more, has more of the Rails mantra of, you know, Omakase where we choose, I choose to use Redis and that's it. You don't, you don't have a choice for what to use because who cares, you know, at the end of the day, let Faktory deal with it. it's, it's not something that, You should even necessarily be concerned about it. [00:18:17] Just, just try Faktory out and see how it works for you. Um, so I, I try to take those operational concerns off the table and just have the user focus on, you know, usability, performance, and that sort of thing. but it is, it's, it's another background job system out there for people to try out and see if they like that. [00:18:36] And, and if they want to, um, if they know Celery and they want to use Celery, more power to Faktory them. Sidekiq (Ruby) or Faktory (Polyglot) [00:18:43] Jeremy: And Sidekiq and Faktory, they serve a very similar purpose. For someone who they have a new project, they haven't chosen a job. scheduling system, if they were using Ruby, would it ever make sense for them to use Faktory versus use Sidekiq? [00:19:05] Mike: Uh Faktory is excellent in a polyglot situation. So if you're using multiple languages, if you're creating jobs in Ruby, but you're executing them in Python, for instance, um, you know, if you've, I have people who are, Creating jobs in PHP and executing them in Python, for instance. That kind of polyglot scenario, Sidekiq can't do that at all. [00:19:31] So, Faktory is useful there. In terms of Ruby, Ruby is just another language to Faktory. So, there is a Ruby API for using Faktory, and you can create and execute Ruby jobs with Faktory. But, you'll find that in the Ruby community, Sidekiq is much widely... much more widely used and understood and known. So if you're just using Ruby, I think, I think Sidekiq is the right choice. [00:19:59] I wouldn't look at Faktory. But if you do need, find yourself needing that polyglot tool, then Faktory is there. 
Temporal [00:20:07] Jeremy: And this is maybe one, maybe one layer of abstraction higher, but there's a product called Temporal that has some of this job scheduling, but also this workflow component. I wonder if you've tried that out and how you think about that product? [00:20:25] Mike: I've heard of them. I don't know a lot about the product. I do have a workflow API, the Sidekiq batches, which allow you to fan out jobs and then, and then execute callbacks when all the jobs in that, in that batch are done. But I don't, provide sort of a, a high level. Graphical Workflow Editor or anything like that. [00:20:50] Those to me are more marketing tools that you use to sell the tool for six figures. And I don't think they're usable. And I don't think they're actually used day to day. I provide an API for developers to use. And developers don't like moving blocks of code around in a GUI. They want to write code. And, um, so yeah, temporal, I, like I said, I don't know much about them. [00:21:19] I also, are they a venture capital backed startup? [00:21:22] Jeremy: They are, is my understanding, [00:21:24] Mike: Yeah, that, uh, any, any sort of venture capital backed startup, um, who's building technical infrastructure. I, I would look long and hard at, I'm, I think open source is the right core to build on. Of course I sell commercial software, but. I'm bootstrapped. I'm profitable. [00:21:46] I'm going to be around forever. A VC backed startup, they tend to go bankrupt, because they either get big or they go out of business. So that would be my only comment is, is, be a little bit leery about relying on commercial venture capital based infrastructure for, for companies, uh, long term. Getting people to pay for Sidekiq [00:22:05] Jeremy: So I think that's a really interesting part about your business is that I think a lot of open source maintainers have a really big challenge figuring out how to make it as a living. 
The, there are so many projects that they all have a very permissive license and you can use them freely one example I can think of is, I, I talked with, uh, David Kramer, who's the CTO at Sentry, and he, I don't think they use it anymore, but they, they were using Nginx, right? [00:22:39] And he's like, well, Nginx, they have a paid product, like Nginx. Plus that or something. I don't know what the name is, but he was like, but I'm not going to pay for it. Right. I'm just going to use the free one. Why would I, you know, pay for the, um, the paid thing? So I, I, I'm kind of curious from your perspective when you were coming up with Sidekiq both as an open source product, but also as a commercial one, how did you make that determination of like to make a product where it's going to be useful in its open source form? [00:23:15] I can still convince people to pay money for it. [00:23:19] Mike: Yeah, the, I was terrified, to be blunt, when I first started out. when I started the Sidekiq project, I knew it was going to take a lot of time. I knew if it was successful, I was going to be doing it for the next decade. Right? So I started in 2012, and here I am in 2023, over a decade, and I'm still doing it. [00:23:38] So my expectation was met in that regard. And I knew I was not going to be able to last that long. If I was making zero dollars, right? You just, you burn out. Nobody can last that long. Well, I guess there are a few exceptions to that rule, but yeah, money, I tend to think makes things a little more sustainable for sure. [00:23:58] Especially if you can turn it into a full time job solving and supporting a project that you, you love and, and is, is, you know, your, your, your baby, your child, so to speak, your software, uh, uh, creation that you've given to the world. but I was terrified. but one thing I did was at the time I was blogging a lot. [00:24:22] And so I was telling people about Sidekiq. I was telling people what was to come. 
I was talking about ideas and. The one thing that I blogged about was financial experiments. I said bluntly to the, to, to the Ruby community, I'm going to be experimenting with financial stability and sustainability with this project. [00:24:42] So not only did I create this open source project, but I was also publicly saying I I need to figure out how to make this work for the next decade. And so eventually that led to Sidekiq Pro. And I had to figure out how to build a closed source Ruby gem, which, uh, There's not a lot of, so I was kind of in the wild there. [00:25:11] But, you know, thankfully all the pieces came together and it was actually possible. I couldn't have done it if it wasn't possible. Like, we would not be talking if I couldn't make a private gem. So, um, but it happened to work out. Uh, and it allowed me to, to gate features behind a paywall effectively. And, and yeah, you're right. [00:25:33] It can be tough to make people pay for software. but I'm a developer who's selling to other developers, not, not just developers, open source developers, and they know that they have this financial problem, right? They know that there's this sustainability problem. And I was blunt in saying, this is my solution to my sustainability. [00:25:56] So, I charge what I think is a very fair price. It's only a thousand dollars a year to a hobbyist. That may seem like a lot of money to a business. It's a drop in the bucket. So it was easy for developers to say, Hey, listen, we want to buy this tool for a thousand bucks. It'll ensure our infrastructure is maintained for the next decade. [00:26:18] And it's, and it's. And it's relatively cheap. It's way less than, uh, you know, a salary or even a laptop. So, so that's, that's what I did. And, um, it's, it worked out great. People, people really understood. Even today, I talk to people and they say, we, we signed up for Sidekiq Pro to support you. 
So it's, it's, it's really, um, invigorating to hear people, uh, thank me and, and they're, they're actively happy that they're paying me and our customers. [00:26:49] Jeremy: it's sort of, uh, maybe a not super common story, right, in terms of what you went through. Because when I think of open core businesses, I think of companies like, uh, GitLab, which are venture funded, uh, very different scenario there. I wonder, like, in your case, so you started in 2012, and there were probably no venture backed competitors, right? [00:27:19] People saying that we're going to make this job scheduling system and some VC is going to give me five million dollars and build a team to work on this. It was probably at the time, maybe it was Rescue, which was... [00:27:35] Mike: There was a venture backed system called IronMQ, [00:27:40] Jeremy: Hmm. [00:27:41] Mike: And I'm not sure if they're still around or not, but they... They took, uh, one or more funding rounds. I'm not sure exactly, but they were VC backed. They were doing, background jobs, scheduled jobs, uh, you know, running container, running container jobs. They, they eventually, I think, wound up sort of settling on Docker containers. [00:28:06] They'll basically spin up a Docker container. And that container can do whatever it wants. It can execute for a second and then shut down, or it can run for, for however long, but they would, um, yeah, I, yeah, I'll, I'll stop there because I don't know the actual details of exactly their system, but I'm not sure if they're still around, but that's the only one that I remember offhand that was around, you know, years ago. [00:28:32] Yeah, it's, it's mostly, you know, low level open source infrastructure. And so, anytime you have funded startups, they're generally using that open source infrastructure to build their own SaaS. And so SaaS's are the vast majority of where you see sort of, uh, commercial software. 
[00:28:51] Jeremy: so I guess in that way it, it, it gave you this, this window or this area where you could come in and there wasn't, other than that iron, product, there wasn't this big money that you were fighting against. It was sort of, it was you telling people openly, I'm, I'm working on this thing. [00:29:11] I need to make money so that I can sustain it. And, if you, yeah. like the work I do, then, you know, basically support me. Right. And, and so I think that, I'm wondering how we can reproduce that more often because when you see new products, a lot of times it is VC backed, right? [00:29:35] Because people say, I need to work on this. I need to be paid. and I can't ask a team to do this. For nothing, right? So [00:29:44] Mike: Yeah. It's. It's a wicked problem. Uh, it's a really, really hard problem to solve if you take vc you there, that that really kind of means that you need to be making tens if not hundreds of millions of dollars in sales. If you are building a small or relatively small. You know, put small in quotes there because I don't really know what that means, but if you have a small open source project, you can't charge huge amounts for it, right? [00:30:18] I mean, Sidekiq is a, I would call a medium sized open source project, and I'm charging a thousand bucks for it. So if you're building, you know, I don't know, I don't even want to necessarily give example, but if you're building some open source project, and It's one of 300 libraries that people's applications will depend on. [00:30:40] You can't necessarily charge a thousand dollars for that library. depending on the size and the capabilities, maybe you can, maybe you can't. But there's going to be a long tail of open source projects that just, they can't, they can't charge much, if anything, for them. So, unfortunately, we have, you know, these You kind of have two pathways. [00:31:07] Venture capital, where you've got to sell a ton, or free. 
And I've kind of walked that fine line where I'm a small business, I can charge a small amount because I'm bootstrapped. And, and I don't need huge amounts of money, and I, and I have a project that is of the right size to where I can charge a decent amount of money. [00:31:32] That means that I can survive with 500 or a thousand customers. I don't need to have a hundred million dollars worth of customers. Because I, you know, when I started the business, one of the constraints I said is I don't want to hire anybody. I'm just going to be solo. And part of the, part of my ability to keep a low price and, and keep running sustainably, even with just You know, only a few hundred customers is because I'm solo. [00:32:03] I don't have the overhead of investors. I don't have the overhead of other employees. I don't have an office space. You know, my overhead is very small. So that is, um, you know, I just kind of have a unique business in that way, I guess you might say. Keeping the business solo [00:32:21] Jeremy: I think that's that's interesting about your business as well But the fact that you've kept it you've kept it solo which I would imagine in most businesses, they need support people. they need, developers outside of maybe just one. Um, there's all sorts of other, I don't think overhead is the right word, but you just need more people, right? [00:32:45] And, and what do you think it is about Sidekiq that's made it possible for it to just be a one person operation? [00:32:52] Mike: There's so much administrative overhead in a business. I explicitly create business policies so that I can run solo. you know, my support policy is officially you get one email ticket or issue per quarter. And, and anything more than that, I can bounce back and say, well, you're, you're requiring too much support. [00:33:23] In reality, I don't enforce that at all. And people email me all the time, but, but things like. 
Things like dealing with accounting and bookkeeping and taxes and legal stuff, licensing, all that is, yeah, a little bit of overhead, but I've kept it as minimal as I can. And part of that is I don't want to hire another employee because then that increases the administrative overhead that I have. [00:33:53] And Sidekiq is so tied to me and my knowledge that if I hire somebody, they're probably not going to know Ruby and threading and all the intricate technical detail necessary to build and maintain and support the system. And so really you'll kind of regress a little bit. We won't be able to give as good support because I'm busy helping that other employee. Being selective about customers [00:34:23] Mike: So, yeah, it's, it's a tightrope act where you've got to really figure out how can I scale myself as far as possible without overwhelming myself. The, the overwhelming thing that I have that I've never been able to solve. It's just dealing with billing inquiries, customers, companies, emailing me saying, how do we buy this thing? [00:34:46] Can I get an invoice? Every company out there, it seems wants an invoice. And the problem with invoicing is it takes a lot more. manual labor and administrative overhead to issue that invoice to collect payment on the invoice. So that's one of the reasons why I have a very strict policy about credit card only for, for the vast majority of my customers. [00:35:11] And I demand that companies pay a lot more. You have to have a pretty big enterprise license if you want an invoice. And if the company, if the company comes back and complains and says, well, you know, that's ridiculous. We don't, we don't want to pay that much. We don't need it that much. Uh, you know, I, I say, okay, well then you have two, two things, two, uh, two things. [00:35:36] You can either pay with a credit card or you can not use Sidekiq. Like, that's, that's it. I'm, I don't need your money. 
I don't want the administrative overhead of dealing with your accounting department. I just want to support my, my customers and build my software. And, and so, yeah, I don't want to turn into a billing clerk. [00:35:55] So sometimes, sometimes the, the, the best thing in business that you can do is just say no. [00:36:01] Jeremy: That's very interesting because I think being a solo... Person is what probably makes that possible, right? Because if you had the additional staff, then you might say like, Well, I need to pay my staff, so we should be getting, you know, as much business as [00:36:19] Mike: Yeah. Chasing every customer you can, right. But yeah. [00:36:22] Every customer is different. I mean, I have some customers that just, they never contact me. They pay their bill really fast or right on time. And they're paying me, you know, five figures, 20, a year. And they just, it's a, God bless them because those are, are the. [00:36:40] Best customers to have and the worst customers are the ones who are paying 99 bucks a month and everything that they don't understand or whatever is a complaint. So sometimes, sometimes you, you want to, vet your customers from that perspective and say, which one of these customers are going to be good? [00:36:58] Which ones are going to be problematic? [00:37:01] Jeremy: And you're only only person... And I'm not sure how many customers you have, but [00:37:08] Mike: I have 2000 [00:37:09] Jeremy: 2000 customers. [00:37:10] Okay. [00:37:11] Mike: Yeah. [00:37:11] Jeremy: And has that been relatively stable or has there been growth [00:37:16] Mike: It's been relatively stable the last couple of years. Ruby has, has sort of plateaued. Um, it's, you don't see a lot of growth. I'm getting probably, um, 15, 20 percent growth maybe. Uh, so I'm not growing like a weed, like, you know, venture capital would want to see, but steady incremental growth is, is, uh, wonderful, especially since I do very little. 
[00:37:42] Sales and marketing. you know, I come to RubyConf I, I I tweet out, you know, or I, I toot out funny Mastodon Toots occasionally and, and, um, and, and put out new releases of the software. And, and that's, that's essentially my, my marketing. My marketing is just staying in front of developers and, and, and being a presence in the Ruby community. [00:38:06] But yeah, it, it's, uh. I, I, I see not a, not a huge amount of churn, but I see enough sales to, to, to stay up and keep my head above water and to keep growing, um, slowly but surely. Support needs haven't grown [00:38:20] Jeremy: And as you've had that steady growth, has the support burden not grown with it? [00:38:27] Mike: Not as much because once customers are on Sidekiq and they've got it working, then by and large, you don't hear from them all that much. There's always GitHub issues, you know, customers open GitHub issues. I love that. but yeah, by and large, the community finds bugs. and opens up issues. And so things remain relatively stable. [00:38:51] I don't get a lot of the complete newbie who has no idea what they're doing and wants me to, to tell them how to use Sidekiq that I just don't see much of that at all. Um, I have seen it before, but in that case, generally, I, I, I politely tell that person that, listen, I'm not here to educate you on the product. [00:39:14] It's there's documentation in the wiki. Uh, and there's tons of, of more Ruby, generic Ruby, uh, educational material out there. That's just not, not what I do. So, so yeah, by and large, the support burden is, is not too bad because once people are, are up and running, it's stable and, and they don't, they don't need to contact me. [00:39:36] Jeremy: I wonder too, if that's perhaps a function of the price, because if you're a. new developer or someone who's not too familiar with how to do job processing or what they want to do when you, there is the open source product, of course. 
but then the next step up, I believe is about a hundred dollars a month. [00:39:58] And if you're somebody who is kind of just getting started and learning how things work, you're probably not going to pay that, is my guess. And so you'll never hear from them. [00:40:11] Mike: Right, yeah, that's a good point too, is the open source version, which is what people inevitably are going to use and integrate into their app at first. Because it's open source, you're not going to email me directly, um, and when people do email me directly, Sidekiq support questions, I do, I reply literally, I'm sorry I don't respond to private email, unless you're a customer. [00:40:35] Please open a GitHub issue and, um, that I try to educate both my open source users and my commercial customers to try and stay in GitHub issues because private email is a silo, right? Private email doesn't help anybody else but them. If I can get people to go into GitHub issues, then that's a public record. [00:40:58] that people can search. Because if one person has that problem, there's probably a dozen other people that have that same problem. And then that other, those other 11 people can search and find the solution to their problem at four in the morning when I'm asleep. Right? So that's, that's what I'm trying to do is, is keep, uh, keep everything out in the open so that people can self service as much as possible. Sidekiq open source [00:41:24] Jeremy: And on the open source side, are you still primarily the main contributor? Or do you have other people that are [00:41:35] Mike: I mean, I'd say I do 90 percent of the work, which is why I don't feel guilty about keeping 100 percent of the money. A lot of open source projects, when they look for financial sustainability, they also look for how can we split this money amongst the team. And that's, that's a completely different topic that I've. 
[00:41:55] is another reason why I've stayed solo is if I hire an employee and I pay them 200, 000 a year as a developer, I'm meanwhile keeping all the rest of the profits of the company. And so that almost seems a little bit unfair. because we're both still working 40 hours a week, right? Why am I the one making the vast majority of the, of the profit and the money? [00:42:19] Um, so, uh, I've always, uh, that's another reason why I've stayed solo, but, but yeah, having a team of people working on something, I do get, regular commits, regular pull requests from people, fixing a bug that they found or just making a tweak that. that they saw, that they thought they could improve. [00:42:42] A little more rarely I get a significant improvement or feature, as a pull request. but Sidekiq is so stable these days that it really doesn't need a team of people maintaining it. The volume of changes necessary, I can easily keep up with that. So, I'm still doing 90 95 percent of the work. Are there other Sidekiq-like opportunities out there? [00:43:07] Jeremy: Yeah, so I think Sidekiq has sort of a unique positioning where it's the code base itself is small enough where you can maintain it yourself and you have some help, but primarily you're the main maintainer. And then you have enough customers who are willing to, to pay for the benefit it gives them on top of what the open source product provides. [00:43:36] cause it's, it's, you were talking about how. Every project people work on, they have, they could have hundreds of dependencies, right? And to ask somebody to, to pay for each of them is, is probably not ever going to happen. And so it's interesting to think about how you have things like, say, you know, OpenSSL, you know, it's a library that a whole bunch of people rely on, but nobody is going to pay a monthly fee to use it. [00:44:06] You have things like, uh, recently there was HashiCorp with Terraform, right? 
They, they decided to change their license because they, they wanted to get, you know, some of that value back, some of the money back, and the community basically revolted. Right? And did a fork. And so I'm kind of curious, like, yeah, where people can find these sweet spots like, like Sidekiq, where they can find this space where it's just small enough where you can work on it on your own and still get people to pay for it. [00:44:43] It's, I'm trying to picture, like, where are the spaces? Open source as a public utility [00:44:48] Mike: We need to look at other forms of financing beyond pure capitalism. If this is truly public infrastructure that needs to be maintained for the long term, then why are we, why is it that we depend on capitalism to do that? Our roads, our water, our sewer, those are not Capitalist, right? Those are utilities, that's public infrastructure that we maintain, that the government helps us maintain. [00:45:27] And in a sense, tech infrastructure is similar or could be thought of in a similar fashion. So things like Open Collective, things like, uh, there's a, there's a organization in Europe called NLNet, I think, out of the Netherlands. And they do a lot of grants to various open source projects to help them improve the state of digital infrastructure. [00:45:57] They support, for instance, Mastodon as a open source project that doesn't have any sort of corporate backing. They see that as necessary social media infrastructure, uh, for the long term. And, and I, and I think that's wonderful. I like to see those new directions being explored where you don't have to turn everything into a product, right? [00:46:27] And, and try and market and sale, um, and, and run ads and, and do all this stuff. 
If you can just make the case that, hey, this is, this is useful public infrastructure that so many different, um, Technical, uh, you know, applications and businesses could rely on, much like FedEx and DHL use our roads to the benefit of their own, their own corporate profits. [00:46:53] Um, why, why, why shouldn't we think of tech infrastructure sort of in a similar way? So, yeah, I would like to see us explore more. in that direction. I understand that in America that may not happen for quite a while because we are very, capitalist focused, but it's encouraging to see, um, places like Europe, uh, a little more open to, to trialing things like, cooperatives and, and grants and large long term grants to, to projects to see if they can, uh, provide sustainability in, in, you know, in a new way. [00:47:29] Jeremy: Yeah, that's a good point because I think right now, a lot of the open source infrastructure that we all rely on, either it's being paid for by large companies and at the whim of those large companies, if Google decides we don't want to pay for you to work on this project anymore, where does the money come from? [00:47:53] Right? And on the other hand, there's the thousands, tens of thousands of people who are doing it. just for free out of the, you know, the goodness of their, their heart. And that's where a lot of the burnout comes from. Right. So I think what you're saying is that perhaps a lot of these pieces that we all rely on, that our, our governments, you know, here in the United States, but also around the world should perhaps recognize as this is, like you said, this is infrastructure, and we should be. [00:48:29] Paying these people to keep the equivalent of the roads and, and, uh, all that working. [00:48:37] Mike: Yeah, I mean, I'm not, I'm not claiming that it's a perfect analogy. There's, there's, there's lots of questions that are unanswered in that, right? How do you, how do you ensure that a project is well maintained? 
What does that even look like? What does that mean? you know, you can look at a road and say, is it full of potholes or is it smooth as glass, right? [00:48:59] It's just perfectly obvious, but to a, to a digital project, it's, it's not as clear. So, yeah, but, but, but exploring those new ways because turning everybody into a businessman so that they can, they can keep their project going, it, it, it itself is not sustainable, right? so yeah, and that's why everything turns into a SaaS because a SaaS is easy to control. [00:49:24] It's easy to gatekeep behind a paywall and it's easy to charge for, whereas a library on GitHub. Yeah. You know, what do you do there? You know, obviously GitHub has sponsors, the sponsors feature. You've got Patreon, you've got Open Collective, you've got Tidelift. There's, there's other, you know, experiments that have been run, but nothing has risen to the top yet. [00:49:47] and it's still, it's still a bit of a grind. but yeah, we'll see, we'll see what happens, but hopefully people will keep experimenting and, and maybe, maybe governments will start. Thinking in the direction of, you know, what does it mean to have a budget for digital infrastructure maintenance? [00:50:04] Jeremy: Yeah, it's interesting because we, we started thinking about like, okay, where can we find spaces for other Sidekiqs? But it sounds like maybe, maybe that's just not realistic, right? Like maybe we need more of a... Yeah, a rethinking of, I guess the, the structure of how people get funded. Yeah. [00:50:23] Mike: Yeah, sometimes the best way to solve a problem is to think at a higher level. You know, we, the, the sustainability problem in American Silicon Valley based open source developers is naturally going to tend toward venture capital and, and capitalism. And I, you know, I think, I think that's, uh, extremely problematic on a, on a lot of different, in a lot of different ways. 
[00:50:47] And, and so sometimes you need to step back and say, well, maybe we're, maybe we just don't have the right tool set to solve this problem. But, you know, I, I. More than that, I'm not going to speculate on because it is a wicked problem to solve. [00:51:04] Jeremy: Is there anything else you wanted to, to mention or thought we should have talked about? [00:51:08] Mike: No, I, I, I loved the talk, of sustainability and, and open source. And I, it's, it's a, it's a topic really dear to my heart, obviously. So I, I am happy to talk about it at length with anybody, anytime. So thank you for having me. [00:51:25] Jeremy: All right. Thank you very much, Mike.

Ubuntu Security Podcast
Episode 212

Ubuntu Security Podcast

Play Episode Listen Later Oct 27, 2023 23:06


With the Ubuntu Summit just around the corner, we preview a couple talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more.

Paul's Security Weekly
Supply Chain Security with Containers and CI/CD Systems - Kirsten Newcomer - #ASW 256

Sep 26, 2023 87:11

Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline.
Segment resources:
https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf
https://next.redhat.com/project/tekton-chains/
https://tekton.dev/
In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more!
Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/asw-256

Paul's Security Weekly TV
Equifax's Breach, CISA's 1,000 Vulns, Rust's TLS Library, Complexity vs. Design - ASW #256

Sep 26, 2023 40:23

A stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security). Show Notes: https://securityweekly.com/asw-256

Application Security Weekly (Audio)
Supply Chain Security with Containers and CI/CD Systems - Kirsten Newcomer - #ASW 256

Sep 26, 2023 87:11

Supply chain has been a hot topic for a few years now, but so many things we need to do for a secure supply chain aren't new at all. We'll cover SBOMs, vuln management, and putting together a secure pipeline.
Segment resources:
https://www.solarwinds.com/assets/solarwinds/swresources/whitepaper/2111swiwhitepaper_nextgenbuild.pdf
https://next.redhat.com/project/tekton-chains/
https://tekton.dev/
In the news, a stroll back through the Apache Struts breach of Equifax, CISA's list of Known Exploited Vulnerabilities, Rust's replacement for OpenSSL, Go no longer throws programmers for a loop, complexity vs. design (that leads to better security), and more!
Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/asw-256

Ask Noah Show
Ask Noah Show 355

Sep 20, 2023 53:51

What if you could purchase a computer built like a Mac but run a free and open source operating system on it that you can't break, would you buy one? Steve and Noah discuss the Malibal, and an immutable distro with Flatpaks that "just works"

-- During The Show --

00:58 Intro
  Steve's Nvidia issue: troubleshooting process; root cause = it's dirty; why dig for the root cause
  Good news! Axia fixed our board!

06:50 Google Ad Policy - Ahmed
  Google ads used for phishing; Google ad placement confusing; why Google doesn't clearly label ads

12:05 TPM & Drive Encryption On Fedora - Tiny
  Clevis (https://github.com/latchset/clevis)
  systemd-cryptenroll
  Fedora TPM Blog Post (https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/)
  Fedora Security Keys Blog Post (https://fedoramagazine.org/use-systemd-cryptenroll-with-fido-u2f-or-tpm2-to-decrypt-your-disk/)

15:09 Linux Mint Issues - penguin prince
  Maybe re-seat things?

15:55 Current Grafana Setup - Tiny
  Current usage: network, CPU, RAM, disk, Matrix database; added to Ansible; Grafana can be more than graphs

21:00 News Wire
  Fedora KDE Plasma 6 Dropping X11 - 9to5Linux (https://9to5linux.com/fedora-linux-40-to-offer-the-kde-plasma-6-desktop-on-wayland-and-drop-x11-session)
  Linux 6.7 Drops Itanium IA-64 - Phoronix (https://www.phoronix.com/news/Linux-6.7-To-Drop-Itanium-IA-64)
  ReiserFS Removed From Default Kernel - Phoronix (https://www.phoronix.com/news/ReiserFS-Drop-From-Defconfigs)
  Tails 5.17.1 - Tails (https://tails.net/news/version_5.17.1/index.en.html)
  Real-Time Linux on AWS - The New Stack (https://thenewstack.io/canonical-brings-real-time-linux-to-amazon-web-services/)
  Delayed Module Signature Verification - Phoronix (https://www.phoronix.com/news/Linux-Delay-Module-Verification)
  OpenSUSE Seeks LEAP Replacement - ZDNet (https://www.zdnet.com/article/opensuse-seeks-a-leap-replacement-but-will-distro-community-rise-to-the-challenge/)
  OpenSource.com Reborn - Open Source Watch (https://opensourcewatch.beehiiv.com/p/invaluable-opensourcecom-site-reborn-opensourcenet)
  Intel FPGA & RISC-V - The Register (https://www.theregister.com/2023/09/15/intel_fpga_updates/)
  OpenSSL 1.1.1 is EOL - The New Stack (https://thenewstack.io/update-now-openssl-1-1-1s-shelf-life-has-ended/)
  Earth Lusca & SprySOCKS backdoor - Bleeping Computer (https://www.bleepingcomputer.com/news/security/new-sprysocks-linux-malware-used-in-cyber-espionage-attacks/)
  NCurses Flaw - The Hacker News (https://thehackernews.com/2023/09/microsoft-uncovers-flaws-in-ncurses.html)
  CISA Announcement - CISA.gov (https://www.cisa.gov/news-events/news/cisa-announces-open-source-software-security-roadmap)
  VC Bill Gurley - Fortune.com (https://fortune.com/2023/09/17/bill-gurley-warns-regulatory-capture-ai-hails-open-source/)
  6.1.14 Kernel in Scratch - MIT.edu (https://scratch.mit.edu/projects/892602496)

23:00 OpenSuse Aeon "It Just Works" Linux
  MicroOS & GNOME as immutable base; software via Flatpak and distrobox; good for some users; what problem does this solve? Purpose driven
  OpenSuse Aeon (https://en.opensuse.org/Portal:Aeon)
  All Systems Go Talk (https://www.youtube.com/watch?v=1K_kGbmlewo)

34:30 Penguin Prince Calls
  Adding a page to WordPress issue; page refuses to go live

38:55 The US Assembled Linux Laptop You Haven't Heard Of
  Malibal (https://www.malibal.com/)
  Final assembly in the US; expensive; making a powerful sleek computer; most have graphics cards
  Optimus Manager (https://github.com/Askannz/optimus-manager)
  Coreboot; commitment to sustainability; barrel power vs Type-C charging; Dell's commitment to Linux
  System76 (https://system76.com/)
  Framework Laptops (https://frame.work/)

51:36 NextCloud Hub 6
  They have to have email
  Mail in a Box (https://mailinabox.email/)
  Linux Today (https://www.linuxtoday.com/news/nextcloud-hub-6-more-than-a-foss-replacement-for-microsoft-365-business-standard/)
  Linux Unplugged 528 (https://linuxunplugged.com/528)

52:25 LFNW Moved to Next Year
  Had to move the date; will still have things to do

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard!
This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/355)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard
Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!
Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)

• Ask Noah Show © CC-BY-ND 2021 •

Python Bytes
#331 Python From the Future

Apr 12, 2023 35:57

Watch on YouTube

About the show
Sponsored by InfluxDB from Influxdata.
Connect with the hosts
Michael: @mkennedy@fosstodon.org
Brian: @brianokken@fosstodon.org
Show: @pythonbytes@fosstodon.org
Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 11am PT. Older video versions available there too.

Michael #1: makeapp
via Felix Ingram
Link to its mention on Talk Python.
Simplifies Python application rollout and publishing:
  Make a skeleton for your new application with one console command
  Automatically create a VCS repository for your application.
  Automatically check whether the chosen application name is not already in use.
  Customize new application layouts with skeleton templates.
  Put some skeleton default settings into a configuration file not to mess with command line switches anymore.
  Easily add entries to your changelog.
  Publish your application to remotes (VCS, PyPI) with single command.

Brian #2: Looking forward to Python 3.12
We're on 3.12.0a7 now, the last alpha, final is scheduled for October (schedule)
So far, in 3.12.0a7
  What's new in Python 3.12 page has some examples of the Improved Error Messages
  Recent addition, PEP 684 - A Per-Interpreter GIL was approved recently
  “… sufficient isolation would facilitate true multi-core parallelism …” seems like a good thing.
  But also, “… this is an advanced feature meant for a narrow set of users of the C-API.”, so not really sure how this will affect us. Still, seems cool.

Michael #3: Python 3.11.3 is out
Fixes a HIGH level CVE in OpenSSL (so patch it)
Lots of changes in Core and Builtins

Brian #4: How to Make a Great Conference Talk
Sebastian Witowski
Lots of great advice for tech conf talks. Don't skip the last half of this, getting your talk accepted is really when the work starts.
Good sections to make sure you don't miss
  Live demos: “First of all - do you really need a demo? …”
  Rehearsing: Don't skip this. Do this. A lot. Out loud. With a timer. While standing. Memorize the first few minutes, and the last few. Know how you're going to open and close.
  Night before: get enough sleep
  Day of: eat well. Don't drink too much liquid. Be comfortable.
Sebastian was honest in saying this stuff works for him, but do what works for you.
From Brian: I deviate from Sebastian in quite a few places, but still don't disagree with his advice. I can't give a talk without slides, as I use them for prompts to know what I'm talking about next. My talks usually have a lot of code snippets. Obviously, that would be difficult without slides. I write my talk and my slides in Markdown. Sebastian writes in something else, then builds slides as visual aids. That's cool. Do what works for you.
Bonus tool from the article: demo-magic - If I'm ever tempted to live code again, I think I'll try this instead.

Extras
Michael: NOW the CDN course is out. Django 4.2 released.

Joke: Using A.I. for Efficiency

Paul's Security Weekly
ASW #229 - Nick Selby

Feb 14, 2023 81:27

Organizations spend hundreds of work hours to build applications and services that will benefit customers and employees alike. Whether the application/service is externally facing or for internal use only, it is mandatory to identify and understand the scope of potential cyber risks and threats it poses to the organization. But where and how do you start with an accurate threat model? Nick can discuss how to approach this and create a model that's useful to security and developers alike.
Segment Resources: https://github.com/trailofbits/publications/blob/master/reviews/2022-12-curl-threatmodel.pdf
Reddit's breach disclosure, simple vulns in Toyota's web portals, OpenSSL vulns, voting results for Portswigger's top 10 web hacking techniques of 2022, tiny IoT cryptography implementations, real world migration of a million lines of code
Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/asw229

Paul's Security Weekly
ESW #305 - Tom Goings, Ashley Leonard

Feb 10, 2023 147:03

Tanium has recently released a new capability called Tanium Software Bill of Materials (SBOM) to help customers identify third-party libraries associated with software packages.
• What is Tanium SBOM
• Why is it different and why do you need it
• How to configure SBOM
• How to query for the details about every software application in your environment
• Where your vulnerable packages exist
• Ways that Tanium can remediate vulnerabilities from OpenSSL to Struts to Log4j today as well as new supply-chain vulnerabilities in the future
No one knows what the next supply chain vulnerability is going to be, but with Tanium, you will have access to data about how your applications are affected before it happens so that when it does, you're ready to take action to remediate the issue from within the Tanium XEM platform.
Segment Resources:
https://www.tanium.com/products/tanium-sbom/
https://www.tanium.com/press-releases/tanium-launches-software-bill-of-materials-for-unprecedented-visibility-to-combat-supply-chain-threats/
https://www.tanium.com/blog/software-bill-of-materials-openssl/
This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!

Syxsense and Enterprise Management Associates (EMA) recently teamed up to publish a survey around the current state of Zero Trust within enterprises as well as where it's going. This interview will discuss the key findings and insights into the challenges many organizations face around Zero Trust, as well as endpoint security and network access.
Segment Resources: https://www.syxsense.com/advancing-zero-trust-priorities

In the Enterprise News: Whether you want insurtechs or not, they're here and you're getting them! Don't worry - we'll explain what insurtechs are. Two potential deals to take security companies private: Sumo Logic and Rapid 7! Looks like 32-year-old security company Cyren is shutting down, hoping for an asset sale. They've already laid off all their employees. Big drama: a firm shorts Darktrace and releases a scathing report. We've got yet more layoffs this week, but don't fret - the NSA is hiring! For our squirrel stories, we'll be deciding between three stories: codebreakers solve 500-year-old ciphers, the real cost of meetings visualized, and sushi terrorists! All that and more, on this episode of Enterprise Security Weekly.
Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/esw305

Screaming in the Cloud
Exposing Vulnerabilities in the World of Cloud Security with Tim Gonda

Jan 10, 2023 33:23

About Tim
Tim Gonda is a Cloud Security professional who has spent the last eight years securing and building Cloud workloads for commercial, non-profit, government, and national defense organizations. Tim currently serves as the Technical Director of Cloud at Praetorian, influencing the direction of its offensive-security-focused Cloud Security practice and the Cloud features of Praetorian's flagship product, Chariot. He considers himself lucky to have the privilege of working with the talented cyber operators at Praetorian and considers it the highlight of his career. Tim is highly passionate about helping organizations fix Cloud Security problems, as they are found, the first time, and most importantly, the People/Process/Technology challenges that cause them in the first place. In his spare time, he embarks on adventures with his wife and ensures that their two feline bundles of joy have the best playtime and dining experiences possible.

Links Referenced:
Praetorian: https://www.praetorian.com/
LinkedIn: https://www.linkedin.com/in/timgondajr/
Praetorian Blog: https://www.praetorian.com/blog/

Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at Thinkst Canary. Most Companies find out way too late that they've been breached. Thinkst Canary changes this. Deploy Canaries and Canarytokens in minutes and then forget about them. Attackers tip their hand by touching 'em giving you the one alert, when it matters. With 0 admin overhead and almost no false-positives, Canaries are deployed (and loved) on all 7 continents. 
Check out what people are saying at canary.love today!

Corey: Kentik provides Cloud and NetOps teams with complete visibility into hybrid and multi-cloud networks. Ensure an amazing customer experience, reduce cloud and network costs, and optimize performance at scale — from internet to data center to container to cloud. Learn how you can get control of complex cloud networks at www.kentik.com, and see why companies like Zoom, Twitch, New Relic, Box, Ebay, Viasat, GoDaddy, booking.com, and many, many more choose Kentik as their network observability platform.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Every once in a while, I like to branch out into new and exciting territory that I've never visited before. But today, no, I'd much rather go back to complaining about cloud security, something that I tend to do an awful lot about. Here to do it with me is Tim Gonda, Technical Director of Cloud at Praetorian. Tim, thank you for joining me on this sojourn down what feels like an increasingly well-worn path.

Tim: Thank you, Corey, for having me today.

Corey: So, you are the Technical Director of Cloud, which I'm sort of short-handing to okay, everything that happens on the computer is henceforth going to be your fault. How accurate is that in the grand scheme of things?

Tim: It's not too far off. But we like to call it Praetorian for nebula. The nebula meaning that it's Schrödinger's problem: it both is and is not the problem. Here's why. We have a couple key focuses at Praetorian, some of them focusing on more traditional pen testing, where we're looking at hardware, hit System A, hit System B, branch out, get to goal.

On the other side, we have hitting web applications and [unintelligible 00:01:40]. This insecure app leads to this XYZ vulnerability, or this medical appliance is insecure and therefore we're able to do XYZ item. 
One of the things that frequently comes up is that more and more organizations are no longer putting their applications or infrastructure on-prem anymore, so therefore, some part of the assessment ends up being in the cloud. And that is the unique rub that I'm in. And that I'm responsible for leading the direction of the cloud security focus group, who may not dive into a specific specialty that some of these other teams might dig into, but may have similar responsibilities or similar engagement style.And in this case, if we discover something in the cloud as an issue, or even in your own organization where you have a cloud security team, you'll have a web application security team, you'll have your core information security team that defends your environment in many different methods, many different means, you'll frequently find that the cloud security team is the hot button for hey, the server was misconfigured at one certain level, however the cloud security team didn't quite know that this web application was vulnerable. We did know that it was exposed to the internet but we can't necessarily turn off all web applications from the internet because that would no longer serve the purpose of a web application. And we also may not know that a particular underlying host's patch is out of date. Because technically, that would be siloed off into another problem.So, what ends up happening is that on almost every single incident that involves a cloud infrastructure item, you might find that cloud security will be right there alongside the incident responders. And yep, this [unintelligible 00:03:20] is here, it's exposed to the internet via here, and it might have the following application on it. And they get cross-exposure with other teams that say, “Hey, your web application is vulnerable. 
We didn't quite inform the cloud security team about it, otherwise this wouldn't be allowed to go to the public internet,” or on the infrastructure side, “Yeah, we didn't know that there was a patch underneath it, we figured that we would let the team handle it at a later date, and therefore this is also vulnerable.” And what ends up happening sometimes, is that the cloud security team might be the onus or might be the hot button in the room of saying, “Hey, it's broken. This is now your problem. Please fix it with changing cloud configurations or directing a team to make this change on our behalf.”So, in essence, sometimes cloud becomes—it both is and is not your problem when a system is either vulnerable or exposed or at some point, worst case scenario, ends up being breached and you're performing incident response. That's one of the cases why it's important to know—or important to involve others in the cloud security problem, or to be very specific about what the role of a cloud security team is, or where cloud security has to have certain boundaries or has to involve certain extra parties have to be involved in the process. Or when it does its own threat modeling process, say that, okay, we have to take a look at certain cloud findings or findings that's within our security realm and say that these misconfigurations or these items, we have to treat the underlying components as if they are vulnerable, whether or not they are and we have to report on them as if they are vulnerable, even if it means that a certain component of the infrastructure has to already be assumed to either have a vulnerability, have some sort of misconfiguration that allows an outside attacker to execute attacks against whatever the [unintelligible 00:05:06] is. 
And we have to treat and respond our security posture accordingly.

Corey: One of the problems that I keep running into, and I swear it's not intentional, but people would be forgiven for understanding or believing otherwise, is that I will periodically inadvertently point out security problems via Twitter. And that was never my intention because, “Huh, that's funny, this thing isn't working the way that I would expect that it would,” or, “I'm seeing something weird in the logs in my test account. What is that?” And, “Oh, you found a security vulnerability or something akin to one in our environment. Oops. Next time, just reach out to us directly at the security contact form.” That's great. If I'd known I was stumbling blindly into a security approach, but it feels like the discovery of these things is not heralded by an, “Aha, I found it.” But, “Huh, that's funny.”

Tim: Of course. Absolutely. And that's where some of the best vulnerabilities come where you accidentally stumble on something that says, “Wait, does this work how—what I think it is?” Click click. Like, “Oh, boy, it does.”

Now, I will admit that certain cloud providers are really great about proactive security reach-outs. If you either just file a ticket or file some other form of notification, just even flag your account rep and say, “Hey, when I was working on this particular cloud environment, the following occurred. Does this work the way I think it is? Is this a problem?” And they usually get back to you with reporting it to their internal team, so on and so forth. 
But let's say applications are open-source frameworks or even just organizations at large where you might have stumbled upon something, the best thing to do was either look up, do they have a public bug bounty program, do they have a security contact or form reach out that you can email them, or do you know someone at the organization that you just send a quick email saying, “Hey, I found this.” And through some combination of those is usually the best way to go. And to be able to provide context of the organization being, “Hey, the following exists.” And the most important things to consider when you're sending this sort of information is that they get these sorts of emails almost daily.

Corey: One of my favorite genres of tweet is when Tavis Ormandy and Google's Project Zero winds up doing a tweet like, “Hey, do I know anyone over at the security apparatus at insert company here?” It's like, “All right. I'm sure people are shorting stocks now [laugh], based upon whatever he winds up doing that.”

Tim: Of course.

Corey: It's kind of fun to watch. But there's no cohesive way of getting in touch with companies on these things because as soon as you'd have something like that, it feels like it's subject to abuse, where Comcast hasn't fixed my internet for three days, now I'm going to email their security contact, instead of going through the normal preferred process of wait in the customer queue so they can ignore you.

Tim: Of course. And that's something else you want to consider. If you broadcast that a security vulnerability exists without letting the entity or company know, you're also almost causing a green light, where other security researchers are going to go dive in on this and see, like, one, does this work how you described. But that actually is a positive thing at some point, where either you're unable to get the company's attention, or maybe it's an open-source organization, or maybe you're not being fully sure that something is the case. 
However, when you do submit something to the customer and you want them to take it seriously, here's a couple of key things that you should consider.

One, provide evidence that whatever you're talking about has actually occurred, two, provide repeatable steps that the layman's term, even IT support person can attempt to follow in your process, that they can repeat the same vulnerability or repeat the same security condition, and three, most importantly, detail why this matters. Is this something where I can adjust a user's password? Is this something where I can extract data? Is this something where I'm able to extract content from your website I otherwise shouldn't be able to? And that's important for the following reason.

You need to inform the business what is the financial value of why leaving this unpatched becomes an issue for them. And if you do that, that's how those security vulnerabilities get prioritized. It's not necessarily because the coolest vulnerability exists, it's because it costs the company money, and therefore the security team is going to immediately jump on it and try to contain it before it costs them any more.

Corey: One of my least favorite genres of security report are the ones that I get where I found a vulnerability. It's like, that's interesting. I wasn't aware that I ran any public-facing services, but all right, I'm game; what have you got? And it's usually something along the lines of, “You haven't enabled SPF to hard fail an email that doesn't wind up originating explicitly from this list of IP addresses. Bug bounty, please.” And it's, “No, genius. That is very much an intentional choice. Thank you for playing.”

It comes down to also an idea of whenever I have reported security vulnerabilities in the past, the pattern I always take is, “I'm seeing something that I don't fully understand. 
I suspect this might have security implications, but I'm also more than willing to be proven wrong.” Because showing up with, “You folks are idiots and have a security problem,” is a terrific invitation to be proven wrong and look like an idiot. Because the first time you get that wrong, no one will take you seriously again.

Tim: Of course. And as you'll find that most bug bounty programs are, if you participate in those, the first couple that you might have submitted, the customer might even tell you, “Yeah, we're aware that that vulnerability exists, however, we don't view it as a core issue and it cannot affect the functionality of our site in any meaningful way, therefore we're electing to ignore it.” Fair.

Corey: Very fair. But then when people write up about those things, well, they decided this is not an issue, so I'm going to do a write-up on it. Like, “You can't do that. The NDA doesn't let you expose that.” “Really? Because you just said it's a non-issue. Which is it?”

Tim: And the key to that, I guess, would also be that is there an underlying technology that doesn't necessarily have to be attributed to said organization? Can you also say that, if I provide a write-up or if I put up my own personal blog post—let's say, we go back to some of the OpenSSL vulnerabilities including OpenSSL 3.0, that came out not too long ago, but since that's an open-source project, it's fair game—let's just say that if there was a technology such as that, or maybe there's a wrapper around it that another organization could be using or could be implementing a certain way, you don't necessarily have to call the company up by name, or rather just say, here's the core technology reason, and here's the core technology risk, and here's the way I've demoed exploiting this. 
And if you publish an open-source blog like that and then you tweet about that, you can actually gain security support around such issue and then fight for the research.

An example would be that I know a couple of pen testers who have reported things in the past, and while the first time they reported it, the company was like, “Yeah, we'll fix it eventually.” But later, when another researcher reported this exact same finding, the company is like, “We should probably take this seriously and jump on it.” Sometimes it's just getting in front of that and providing frequency or providing enough people around to say that, “Hey, this really is an issue in the security community and we should probably fix this item,” and keep pushing other organizations on it. A lot of times, they just need additional feedback. Because as you said, somebody runs an automated scanner against your email and says that, “Oh, you're not checking SPF as strictly as the scanner would have liked because it's a benchmarking tool.” It's not necessarily a security vulnerability rather than it's just how you've chosen to configure something and if it works for you, it works for you.

Corey: How does cloud change this? Because a lot of what we talked about so far could apply to anything. Go back in time to 1995 and a lot of what we're talking about mostly holds true. It feels like cloud acts as a significant level of complexity on top of all of this. How do you view the differentiation there?

Tim: So, I think it differentiated two things. One, certain services or certain vulnerability classes that are handled by the shared service model—for the most part—are probably secured better than you might be able to do yourself. Just because there's a lot of research, the team is [experimented 00:13:03] a lot of time on this. 
An example of if there's a particular, like, spoofing or network interception vulnerability that you might see on a local LAN network, you probably are not going to have the same level access to be able to execute that on a virtual private cloud or VNet, or some other virtual network within cloud environment. Now, something that does change with the paradigm of cloud is the fact that if you accidentally publicly expose something or something that you've created expo—or don't set a setting to be private or only specific to your resources, there is a couple of things that could happen. The vulnerability's exploitability based on where increases to something that used to be just, “Hey, I left a port open on my own network. Somebody from HR or somebody from IT could possibly interact with it.”

However, in the cloud, you've now set this up to the entire world with people that might have resources or motivations to go after this product, and using services like Shodan—which are continually mapping the internet for open resources—and they can quickly grab that, say, “Okay, I'm going to attack these targets today,” might continue to poke a little bit further, maybe an internal person that might be bored at work or a pen tester just on one specific engagement. 
Especially in the case of let's say, what you're working on has sparked the interest of a nation-state and they want to dig into a little bit further, they have the resources to be able to dedicate time, people, and maybe tools and tactics against whatever this vulnerability that you've given previously the example of—maybe there's a specific ID and a URL that just needs to be guessed right to give them access to something—they might spend the time trying to brute force that URL, brute force that value, and eventually try to go after what you have.

The main paradigm shift here is that there are certain things that we might consider less of a priority because the cloud has already taken care of them with the shared service model, and rightfully so, and there's other times that we have to take heightened awareness on is, one, we either expose something to the entire internet or all cloud accounts within creations. And that's actually something that we see commonly. In fact, one thing I would like to say we see very commonly is, all AWS users, regardless if it's in your account or somewhere else, might have access to your SNS topic or SQS queue. Which doesn't seem like that big of a vulnerability, but I changed the messages, I delete messages, I viewed your messages, but rather what's connected to those? Let's talk database Lambda functions where I've got source code that a developer has written to handle that source code and may not have built in logic to handle—maybe there was a piece of code that could be abused as part of this message that might allow an attacker to send something to your Lambda function and then execute something on that attacker's behalf.

You weren't aware of it, you weren't thinking about it, and now you've exposed it to almost the entire internet.
And since anyone can go sign up for an AWS account—or Azure or GCP account—and then they're able to start poking at that same piece of code that you might have developed thinking, “Well, this is just for internal use. It's not a big deal. That one static code analysis tool isn't probably too relevant.” Now, it becomes hyper-relevant and something you have to consider with a little more attention and dedicated time to making sure that these things that you've written or deploying, are in fact, safe because misconfigured or mis-exposed, and suddenly the entire world starts knocking at it, and increases the risk of, it may really well be a problem. The severity of that issue could increase dramatically.

Corey: As you take a look across, let's call it the hyperscale clouds, the big three—which presumably I don't need to define out—how do you wind up ranking them in terms of security from top to bottom? I have my own rankings that I like to dole out and basically, this is the, let's offend someone at every one of these companies, no matter how we wind up playing it. Because I will argue with you just on principle on them. How do you view them stacking up against each other?

Tim: So, an interesting view on that is based on who's been around longest and who has encountered the most technical debt. A lot of these security vulnerabilities or security concerns may have had to deal with a decision made long ago that might have made sense at the time and now the company has kind of stuck with that particular technology or decision or framework, and are now having to build or apply security Band-Aids to that process until it gets resolved.
I would say, ironically, AWS is actually at the top of having that technical debt, and actually has so many different types of access policies that are very complex to configure and not very user intuitive unless you speak intuitively JSON or YAML or some other markdown language, to be able to tell you whether or not something was actually set up correctly. Now, there are a lot of security experts who make their money based on knowing how to configure or be able to assess whether or not these are actually the issue. I would actually bring them as, by default, by design, between the big three, they're actually on the lower end of certain—based on complexity and easy-to-configure-wise.

The next one that would also go into that pile, I would say is probably Microsoft Azure, who [sigh] admittedly, decided to say that, “Okay, let's take something that was very complicated and everyone really loved to use as an identity provider, Active Directory, and try to use that as a model for.” Even though they made it extensively different. It is not the same as on-prem directory, but use that as the framework for how people wanted to configure their identity provider for a new cloud provider. The one that actually I would say, comes out on top, just based on use and based on complexity might be Google Cloud. They came to a lot of these security features first.

They're acquiring new companies on a regular basis with the acquisition of Mandiant, the creation of their own security tooling, their own unique security approaches. In fact, they probably wrote the book on Kubernetes Security. Would be on top, I guess, from usability, such as saying that I don't want to have to manage all these different types of policies. Here are some buttons I would like to flip and I'd like my resources, for the most part by default, to be configured correctly.
And Google does a pretty good job of that.

Also, one of the things they do really well is entity-based role assumption, which inside of AWS, you can provide access keys by default or I have to provide a role ID after—or in Azure, I'm going to say, “Here's a [unintelligible 00:19:34] policy for something specific that I want to grant access to a specific resource.” Google does a pretty good job of saying that okay, everything is treated as an email address. This email address can be associated in a couple of different ways. It can be given the following permissions, it can have access to the following things, but for example, if I want to remove access to something, I just take that email address off of whatever access policy I had somewhere, and then it's taken care of. But they do have some other items such as their design of least privilege is something to be expected when you consider their hierarchy.

I'm not going to say that they're not without fault in that area—in case—until they had something more recently, as far as finding certain key pieces of, like say, tags or something within a specific sub-project or in our hierarchy, there were cases where you might have granted access at a higher level and that same level of access came all the way down. And where least privilege is required to be enforced, otherwise, you break their security model. So, I like them for how simple it is to set up security at times, however, they've also made it unnecessarily complex at other times so they don't have the flexibility that the other cloud service providers have.
On the flip side of that, the level of flexibility also leads to complexity at times, which I also view as a problem where customers think they've done something correctly based on their best knowledge, the best of documentation, the best and Medium articles they've been researching, and what they have done is they've inadvertently made assumptions that led to core anti-patterns, like, [unintelligible 00:21:06] what they've deployed.

Corey: This episode is sponsored in part by our friends at Uptycs, because they believe that many of you are looking to bolster your security posture with CNAPP and XDR solutions. They offer both cloud and endpoint security in a single UI and data model. Listeners can get Uptycs for up to 1,000 assets through the end of 2023 (that is next year) for $1. But this offer is only available for a limited time on UptycsSecretMenu.com. That's U-P-T-Y-C-S Secret Menu dot com.

Corey: I think you're onto something here, specifically in—well, when I've been asked historically and personally to rank security, I have viewed Google Cloud as number one, and AWS is number two. And my reasoning behind that has been from an absolute security of their platform and a pure, let's call it math perspective, it really comes down to which of the two of them had what for breakfast on any given day there, they're so close on there. But in a project that I spin up in Google Cloud, everything inside of it can talk to each other by default and I can scope that down relatively easily, whereas over in AWS land, by default, nothing can talk to anything. And that means that every permission needs to be explicitly granted, which in an absolutist sense and in a vacuum, yeah, that makes sense, but here in reality, people don't do that. We've seen a number of AWS blog posts over the last 15 years—they don't do this anymore—but it started off with, “Oh, yeah, we're just going to grant [* on * 00:22:04] for the purposes of this demo.”

“Well, that's horrible.
Why would you do that?” “Well, if we wanted to specify the IAM policy, it would take up the first third of the blog post.” How about that? Because customers go through that exact same thing. I'm trying to build something and ship.

I mean, the biggest lie in any environment or any codebase ever, is the comment that starts with, “To do.” Yeah, that is load-bearing. You will retire with that to-do still exactly where it is. You have to make doing things the right way at least the least frictionful path because no one is ever going to come back and fix this after the fact. It's never going to happen, as much as we wish that it did.

Tim: At least until after the week of the breach when it was highlighted by the security team to say that, “Hey, this was the core issue.” Then it will be fixed in short order. Usually. Or a Band-Aid is applied to say that this can no longer be exploited in this specific way again.

Corey: My personal favorite thing that, like, I wouldn't say it's a lie. But the favorite thing that I see in all of these announcements right after the, “Your security is very important to us,” right after it very clearly has not been sufficiently important to them, and they say, “We show no signs of this data being accessed.” Well, that can mean a couple different things. It can mean, “We have looked through the audit logs for a service going back to its launch and have verified that nothing has ever done this except the security researcher who found it.” Great. Or it can mean, “What even are logs, exactly? We're just going to close our eyes and assume things are great.” No, no.

Tim: So, one thing to consider there is in that communication, that entire communication has probably been vetted by the legal department to make sure that the company is not opening itself up for liability.
I can say from personal experience, when that usually has occurred, unless it can be proven that the breach was attributable to your user specifically, the default response is, “We have determined that the security response of XYZ item or XYZ organization has determined that your data was not at risk at any point during this incident.” Which might be true—and we're quoting Star Wars on this one—from a certain point of view. And unfortunately, in the case of a post-breach, their security, at least from a regulation standpoint where they might be facing a really large fine, is absolutely probably their top priority at this very moment, but has not come to surface because, for most organizations, until this becomes something that is a financial reason to where they have to act, where their reputation is on the line, they're not necessarily incentivized to fix it. They're incentivized to push more products, push more features, keep the clients happy.

And a lot of the time going back and saying, “Hey, we have this piece of technical debt,” it doesn't really excite our user base or doesn't really help us gain a competitive edge in the market is considered an afterthought until the crisis occurs and the information security team rejoices because this is the time they actually get to see their stuff fixed, even though it might be a super painful time for them in the short run because they get to see these things fixed, they get to see it put to bed. And if there's ever a happy medium, where, hey, maybe there was a legacy feature that wasn't being very well taken care of, or maybe this feature was also causing the security team a lot of pain, we get to see both that feature, that item, that service, get better, as well as security teams not have to be woken up on a regular basis because XYZ incident happened, XYZ item keeps coming up in a vulnerability scan. If it finally is put to bed, we consider that a win for all.
And one thing to consider in security as well as kind of, like, we talk about the relationship between the developers and security and/or product managers and security is if we can make it a win, win, win situation for all, that's the happy path that we really want to be getting to. If there's a way that we can make sure that experience is better for customers, the security team doesn't have to be woken up on a regular basis because an incident happened, and the developers receive less friction when they want to go implement something, you find that that secure feature, function, whatever tends to be the happy path forward and the path of least resistance for everyone around it. And those are sometimes the happiest stories that can come out of some of these incidents.

Corey: It's weird to think of there being any happy stories coming out of these things, but it's definitely one of those areas that there are learnings there to be had if we're willing to examine them. The biggest problem I see so often is that so many companies just try and hide these things. They give the minimum possible amount of information so the rest of us can't learn by it. Honestly, some of the moments where I've gained the most respect for the technical prowess of some of these cloud providers has been after there's been a security issue and they have disclosed either their response or why it was a non-issue because they took a defense-in-depth approach. It's really one of those transformative moments that I think is an opportunity if companies are bold enough to chase them down.

Tim: Absolutely. And in a similar vein, when we think of certain cloud providers' outages and we're exposed, like, the major core flaw of their design, and if it kept happening—and again, these outages could be similar and analogous to an incident or a security flaw, meaning that it affected us. It was something that actually happened.
In the case of let's say, the S3 outage of, I don't know, it was like 2017, 2018, where it turns out that there was a core DNS system that inside of us-east-1, which is actually very close to where I live, apparently was the core crux of, for whatever reason, the system malfunctioned and caused a major outage. Outside of that, in this specific example, they had to look at ways of how do we not have a single point of failure, even if it is a very robust system, to make sure this doesn't happen again.

And there was a lot of learnings to be had, a lot of in-depth investigation that happened, probably a lot of development, a lot of research, and sometimes on the outside of an incident, you really get to understand why a system was built a certain way or why a condition exists in the first place. And it sometimes can be fascinating to kind of dig into that very deeper and really understand what the core problem is. And now that we know what's an issue, we can actually really work to address it. And sometimes that's actually one of the best parts about working at Praetorian in some cases is that a lot of the items we find, we get to find them early before it becomes one of these issues, but the most important thing is we get to learn so much about, like, why a particular issue is such a big problem. And you have to really solve the core business problem, or maybe even help inform, “Hey, this is an issue for it like this.”

However, this isn't necessarily all bad in that if you make these adjustments of these items, you get to retain this really cool feature, this really cool thing that you built, but also, you have to say like, here's some extra, added benefits to the customers that you weren't really there. And—such as the old adage of, “It's not a bug, it's a feature,” sometimes it's exactly what you pointed out. It's not necessarily all bad in an incident. It's also a learning experience.

Corey: Ideally, we can all learn from these things.
I want to thank you for being so generous with your time and talking about how you view this increasingly complicated emerging space. If people want to learn more, where's the best place to find you?

Tim: You can find me on LinkedIn which will be included in this podcast description. You can also go look at articles that the team is putting together at praetorian.com. Unfortunately, I'm not very big on Twitter.

Corey: Oh, well, you must be so happy. My God, what a better decision you're making than the rest of us.

Tim: Well, I like to, like, run a little bit under the radar, except on opportunities like this where I can talk about something I'm truly passionate about. But I try not to pollute the airwaves too much, but LinkedIn is a great place to find me. Praetorian blog for stuff the team is building. And if anyone wants to reach out, feel free to hit the contact page up in praetorian.com. That's one of the best places to get my attention.

Corey: And we will, of course, put links to that in the [show notes 00:30:19]. Thank you so much for your time. I appreciate it. Tim Gonda, Technical Director of Cloud at Praetorian. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment talking about how no one disagrees with you based upon a careful examination of your logs.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.

Software Engineering Daily
OpenSSL Vulnerability with Ilkka Turunen

Dec 7, 2022 50:34


OpenSSL is a free, open-source cryptographic library that provides secure communications over computer networks. It's widely used to implement the secure socket layer (SSL) and transport layer security (TLS) protocols, which are the basis for secure, encrypted connections on the internet. On Oct 25th, the OpenSSL project informed its users of a critical vulnerability that

Beers with Talos Podcast
I find your vulnerabilities offensive (and exploitable).

Nov 29, 2022 60:21


We are (finally) talking about the recent OpenSSL vulnerability as we had to redo this EP. In our infinite podcasting wisdom, we took a stab at it roughly 2 hours before the embargo expired and coverage was released - which is obviously a very silly idea in hindsight. After we cover the current issue at hand, Lurene leads us through the surface levels of how vulns can be exploited in the heap or stack, and the different perspectives and processes in practice by offensive security experts. If you want to walk away with a new view of vulns and exploits, stay for the whole hour. Here is a great write-up from Datadog on OpenSSL vulnerability CVE-2022-3602.

Security Now (MP3)
SN 896: Something for Everyone - Dropbox breach, cyber bank heists, Russia goes Linux, OpenSSL flaw update

Nov 9, 2022 115:31


Picture of the Week. A minor Dropbox breach. OpenSSL follow-up. FTC sued and settled with a repeated offender. $1.2 billion in reported ransomware payments during 2021. Akamai's Q3 Threat Report. Initial Access Brokerages. How do today's bank heists work? De-Fi De-struction De-jour. Russia moves to Linux. We're The Red Cross. Don't attack us, please! Where there's a will, there's a way. From China with Love. The UK's NCSC scan plan. Miscellany. Closing The Loop. SpinRite. We invite you to read our show notes at https://www.grc.com/sn/SN-896-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: canary.tools/twit - use code: TWIT drata.com/twit

The CyberWire
OpenSSL indeed patched. CISA is confident of election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. BEC and gift cards. And that's one sweet ride.

Nov 2, 2022 24:48 Very Popular


OpenSSL patches two vulnerabilities. CISA and election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. Business email compromise and gift cards. Tim Starks from the Washington Post's Cybersecurity 202 has the latest on election security. A visit to the CyberWire's Women in Cyber Security event. And consequences for Raccoon Stealer from the war in Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/211

Selected reading.
OpenSSL patched today. (CyberWire)
OpenSSL Releases Security Update (CISA)
OpenSSL releases fixes for two ‘high’ severity vulnerabilities (The Record by Recorded Future)
OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway! (Naked Security)
Threat Advisory: High Severity OpenSSL Vulnerabilities (Cisco Talos Blog)
OpenSSL Vulnerability Patch Released (Sectigo® Official)
Clearing the Fog Over the New OpenSSL Vulnerabilities (Rezilion)
OpenSSL vulnerability CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) Check Point Research Update (Check Point Software)
Undisclosed OpenSSL vulnerability: Free scripts for target scoping (Lightspin)
Discussions of CISA's part in elections and the JCDC. (CyberWire)
U.S. Treasury thwarted attack by Russian hacker group last month - official (Reuters)
XDR data reveals threat trends. (CyberWire)
What happens to a gift card given to a scammer? (CyberWire)
How Russia's war in Ukraine helped the FBI crack one of the biggest cybercrime cases in years (MarketWatch)

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
ISC StormCast for Wednesday, November 2nd, 2022

Nov 2, 2022 8:06 Very Popular


OpenSSL 3.0 Punycode Vulnerability Fix https://isc.sans.edu/forums/diary/Critical+OpenSSL+30+Update+Released+Patches+CVE20223786+CVE20223602/29208 https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

Risky Business
Risky Business #683 -- OpenSSL bug is a fizzer, ASD responds to Medibank hack

Nov 2, 2022 Very Popular


On this week's show Patrick Gray, Adam Boileau and Dmitri Alperovitch discuss the week's security news, including: Twitter bluechecks face phishing barrage Australian government goes berserk on Medibank hack response Former WSJ journalist sues law firm over email hack and info op that got him fired OpenSSL bug lands with a whimper Apple macOS Ventura update breaks security tools Much, much more This week's show is brought to you by Thinkst Canary. Marco Slaviero, Thinkst's head of engineering, joins us this week to talk through the company's latest release, codenamed Quokka. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing. Show notes Twitter's verification chaos is now a cybersecurity problem | TechCrunch Unconfirmed hack of Liz Truss' phone prompts calls for “urgent investigation” | Ars Technica Chinese hackers are scanning state political party headquarters, FBI says - The Washington Post Former WSJ reporter says law firm used Indian hackers to sabotage his career | Reuters The source - Columbia Journalism Review Upcoming ‘critical' OpenSSL update prompts feverish speculation | The Daily Swig OpenSSL vulnerability downgraded to ‘high' severity | The Daily Swig Medibank says hackers had access to ‘all personal data' belonging to all customers - The Record by Recorded Future Australia to tighten privacy laws, increase fines after series of data breaches - The Record by Recorded Future Votes in Slovakia's parliament suspended after alleged ‘cybersecurity incident' - The Record by Recorded Future NY Post confirms hack after website, Twitter feed flooded with threats toward Biden, AOC - The Record by Recorded Future Apple MacOS Ventura Bug Breaks Third-Party Security Tools | WIRED Microsoft ties Vice Society hackers to additional ransomware strains - The Record by Recorded Future How Vice Society Got Away With a Global Ransomware Spree | WIRED FTC seeks action against Drizly — and its CEO — for 
cybersecurity failures - The Record by Recorded Future Critical authentication bug in Fortinet products actively exploited in the wild | The Daily Swig Google Play apps with >20M downloads depleted batteries and network bandwidth | Ars Technica Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn – Krebs on Security Microsoft leaked 2.4TB of data belonging to sensitive customer. Critics are furious | Ars Technica Microsoft disputes report on Office 365 Message encryption issue after awarding bug bounty - The Record by Recorded Future Microsoft Office Online Server open to SSRF-to-RCE exploit | The Daily Swig Microsoft's Sociopathic Cybersecurity Pedantry Brazilian police announce arrest of alleged Lapsus$ member - The Record by Recorded Future Accused ‘Raccoon' Malware Developer Fled Ukraine After Russian Invasion – Krebs on Security European gang that sold car hacking tools to thieves arrested - The Record by Recorded Future How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica

Risky Business
Risky Business #683 -- OpenSSL bug is a fizzer, ASD responds to Medibank hack

Nov 2, 2022 62:51


On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: Twitter bluechecks face phishing barrage Australian government goes berserk on Medibank hack response Former WSJ journalist sues law firm over email hack and info op that got him fired OpenSSL bug lands with a whimper Apple macOS Ventura update breaks security tools Much, much more This week's show is brought to you by Thinkst Canary. Marco Slaviero, Thinkst's head of engineering, joins us this week to talk through the company's latest release, codenamed Quokka. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing. Show notes Twitter's verification chaos is now a cybersecurity problem | TechCrunch Unconfirmed hack of Liz Truss' phone prompts calls for “urgent investigation” | Ars Technica Chinese hackers are scanning state political party headquarters, FBI says - The Washington Post Former WSJ reporter says law firm used Indian hackers to sabotage his career | Reuters The source - Columbia Journalism Review Upcoming ‘critical' OpenSSL update prompts feverish speculation | The Daily Swig OpenSSL vulnerability downgraded to ‘high' severity | The Daily Swig Medibank says hackers had access to ‘all personal data' belonging to all customers - The Record by Recorded Future Australia to tighten privacy laws, increase fines after series of data breaches - The Record by Recorded Future Votes in Slovakia's parliament suspended after alleged ‘cybersecurity incident' - The Record by Recorded Future NY Post confirms hack after website, Twitter feed flooded with threats toward Biden, AOC - The Record by Recorded Future Apple MacOS Ventura Bug Breaks Third-Party Security Tools | WIRED Microsoft ties Vice Society hackers to additional ransomware strains - The Record by Recorded Future How Vice Society Got Away With a Global Ransomware Spree | WIRED FTC seeks action against Drizly — and its CEO — for cybersecurity failures - 
The Record by Recorded Future Critical authentication bug in Fortinet products actively exploited in the wild | The Daily Swig Google Play apps with >20M downloads depleted batteries and network bandwidth | Ars Technica Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn – Krebs on Security Microsoft leaked 2.4TB of data belonging to sensitive customer. Critics are furious | Ars Technica Microsoft disputes report on Office 365 Message encryption issue after awarding bug bounty - The Record by Recorded Future Microsoft Office Online Server open to SSRF-to-RCE exploit | The Daily Swig Microsoft's Sociopathic Cybersecurity Pedantry Brazilian police announce arrest of alleged Lapsus$ member - The Record by Recorded Future Accused ‘Raccoon' Malware Developer Fled Ukraine After Russian Invasion – Krebs on Security European gang that sold car hacking tools to thieves arrested - The Record by Recorded Future How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica

The CyberWire
OpenSSL patched today. The risk of misconfiguration. Cyberespionage (and the risk of mixing the personal with the official). Assistance for Ukraine's cyber defense. And a quick look at DNS threats.

Nov 1, 2022 31:21


OpenSSL is patched today. The misconfiguration risk to US government networks' security and compliance. Hacking Ms Truss's phone. Assistance for Ukraine's cyber defense. Joe Carrigan looks at the latest round of apps pulled from the Google Play Store. Our guest is Matias Madou of Secure Code Warrior on why cultivating a positive culture among security and developer teams continues to fall short. And a quick look at DNS threats. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/210

Selected reading.
Effectively Preparing for the OpenSSL 3.x Vulnerability (Akamai)
How The OpenSSL 3 Vulnerability Will Really Affect Your Environment (Nucleus Security)
New Critical Flaw in OpenSSL: How to Know if You're at Risk (Rezilion)
Experts warn of critical security vulnerability discovered in OpenSSL (Application Security Blog)
The impact of exploitable misconfigurations on network security within US Federal organizations (Titania)
Liz Truss's personal phone hacked by Putin's spies (Mail Online)
Truss phone was hacked by suspected Putin agents when she was foreign minister, the Daily Mail reports (Reuters)
Liz Truss phone hack claim prompts calls for investigation (BBC News)
Russian spies hacked Truss's personal phone (Computing)
Government urged to investigate report Liz Truss's phone was hacked (the Guardian)
Ministers creating ‘wild west’ conditions with use of personal phones (the Guardian)
Suella Braverman admits sending official documents to personal email six times (The Telegraph)
Ukraine War: UK reveals £6m package for cyber defence (BBC News)
DNS Threat Report — Q3 2022 (Akamai)

Security Now (MP3)
SN 879: The Rolling Pwn - OpenSSL patch, iOS Lockdown Mode, Yubikey's to Ukraine, Office Macros re-enabled

Jul 13, 2022 133:15 Very Popular


Picture of the Week. OpenSSL's Patch For Heap Memory Corruption Vulnerability. NIST Announces First Four Quantum-Resistant Cryptographic Algorithms. Yubico donated 30,000 Yubikeys to Ukraine. Apple's new extreme "Lockdown Mode". Microsoft to re-enable Office Macros. This Is the Code the FBI Used to Wiretap the World. Closing The Loop. The Rolling Pwn. We invite you to read our show notes at https://www.grc.com/sn/SN-879-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: expressvpn.com/securitynow tanium.com/twit canary.tools/twit - use code: TWIT