Nikoo Bafti is an Iranian-British visual artist and illustrator currently based in Rome, Italy. After graduating with an honors BA degree in Illustration from the Arts University of Bournemouth, Nikoo began her early career as an animation intern at Disney Channel UK, and has since been working independently as an illustrator as well as exhibiting her fine art internationally. Inspired by the traditional miniature paintings of her Persian heritage, Nikoo combines intricate narrative imagery with a deep curiosity for the esoteric and metaphysical phenomena to create ethereal visions of a vibrant, holographic reality. With her spiritual and art practices closely intertwined, she uses her work as a vehicle to explore and understand what lies behind the veil.

Nikoo's latest project, The Transmutation Oracle: A Metaphysical Guide To Navigating Reality, will be released by The Philosophical Research Society in January 2024 and is available now to pre-order at PRS.org.

You can find more of Nikoo's work on her website nikoobafti.com & on Instagram @nikoobafti.

On this episode, Nikoo discusses the meditative nature of her artwork, the magical and aesthetic influences of her Persian roots, and how she developed her holographic outlook. Pam also talks about the wounded healer archetype, and answers a listener question about staying magically anchored during their travels.

Our sponsors for this episode are Black Phoenix Alchemy Lab, Open Coven, Sphere + Sundry, BetterHelp, Psyche Magic Podcast, Mithras Candle, and The Meta Muse Tarot. We also have brand new print-on-demand merch like Witch Wave shirts, sweatshirts, totes, stickers, and mugs available now here.

And if you want more Witch Wave, please consider supporting us on Patreon to get access to bonus Witch Wave Plus episodes, Pam's monthly online rituals, and more! That's patreon.com/witchwave
Learn about managing morbidity: staying active, vigorous, and capable, to have as much of a human life as possible for as long as you can. You need to dance with your granddaughter, care for your chickens, and farm your fields.

Managing Morbidity: Memento Mori

We all die, and as lifters this means we all complete our last PRs. There is a day, and you may have reached it or may reach it soon (you will reach it at some point), when you won't hit any more PRs. This is okay. This is part of the deal. At some point, the strength curve bends and then comes down. Karl still thought he might be able to hit some PRs. He moved to a more rural location, felt the heaviness of his 258 pounds, but he still thought that if he hit a good stretch of training he could hit another PR. Then he had a stroke. He had a transient ischemic attack (TIA). The word transient is key: he hasn't experienced long-term, permanent effects from the stroke. The stroke occurred due to a congenital issue, patent foramen ovale (PFO), an open oval hole in the wall of the heart. Migraines are common for people with this issue. He confronted the reality that he will never hit another PR again.

Managing Morbidity: Staying Active & Vigorous

We don't strength train, though, just to stave off death or sickness, or even to compress morbidity into the smallest possible portion of our lives. We train FOR something (or multiple things). We train for health. We train to dance with our granddaughter. We train to take care of our chickens. Some train for glory, others to take their medicine, others to compete. It's really a remarkable thing, to walk into a gym multiple times a week, year after year, and fight against iron and gravity. Karl, now walking around 50 pounds lighter, misses looking like he lifts when he walks around, but everyday activities are easier. Certain things open up to him, such as getting clothes that fit easily or maybe even (gasp) going for a run.
Managing Morbidity: Training as an Athlete of Aging

Okay, PRs are behind you. What do you do now? Sully and Noah had a great podcast series discussing this in greater detail. Right now, Karl is completing LP and seeing where that ends. He might spend some time pursuing hypertrophy. He might go for a run. He'll definitely attend to his field to grow food and tend his chickens. You need to accumulate hard sets. That's what strength training boils down to. It's not that the reps, sets, technique, or exercise selection don't matter. It's just that, at the end of the day, you need to accumulate hard sets consistently over time.

Check out the Barbell Logic podcast landing page. Get Matched with a Professional Strength Coach today for FREE! No contract with us, just commitment to yourself. Start experiencing strength now: https://store.barbell-logic.com/match/

Connect with the hosts: Matt on Instagram, Niki on Instagram, Andrew on Instagram. Connect with the show: Barbell Logic on Instagram, Podcast Webpage, Barbell Logic on Facebook. Or email email@example.com
Today on The Call Room, Rising Stars is the Midwest Regional Champ, Thomas Westphal! If you're not familiar with Thomas, he has been on an absolute tear over the past few months. He holds PRs of 1:50.8 (800m), 4:10.01 (1600m), 8:55.30 (3200m), 14:57 (5k XC). He was the state runner-up indoors in the 3200, runner-up in the 1600m outdoors, and runner-up at the state cross country meet. Thomas most recently won the 2023 Hoka Foot Locker Midwest Regional. Thomas is committed to run for Michigan State next Fall. In today's conversation, Thomas recaps his incredible performance at the Midwest Regional, his story of progression within running, his ambitions for Foot Locker, his decision to commit to MSU, his training, and so much more! Tune in to hear from one of the brightest young stars in the nation before he tackles the National Meet. Tap into the Thomas Westphal Special. You can listen wherever you find your podcasts by searching, "The Running Effect Podcast." If you enjoy the podcast, please consider following us on Spotify and Apple Podcasts and giving us a five-star review! I would also appreciate it if you share it with your friend who you think will benefit from it. The podcast graphic was done by the talented: Xavier Gallo. S H O W N O T E S -THE HOKA CRESCENDO XC: https://www.hoka.com/en/gb/race/crescendo-xc/196565567727.html -My Instagram: https://www.instagram.com/therunningeffect/?hl=en --- Send in a voice message: https://podcasters.spotify.com/pod/show/dominic-schlueter/message
John Christ returns as Ace Von Johnson and I continue to explore the history of the band Danzig! This is part 4 of a multipart interview. All things John Christ - http://www.johnchrist.com/ All things Ace Von Johnson - https://linktr.ee/acevonjohnson FRUMESS is POWERED by www.riotstickers.com/frumess GET 1000 STICKERS FOR $79 RIGHT HERE - NO PROMO CODE NEEDED! JOIN THE PATREON FOR LESS THAN A $2 CUP OF COFFEE!! https://www.patreon.com/Frumess
Our next guest returns to us not as a world-renowned builder of fine guitars, but as an artist/musician, songwriter and, honestly, a badass guitarist. He has a new record coming on December 1st with his band Eightlock; the album is called “Lions Roaring in Quicksand”. Please welcome back to GRS Mr. Paul Reed Smith.
Today on the podcast is the one and only certified Ohio legend, Zach Kreft. Zach is fresh off of a 1-0 record at the marathon distance, having won the 2023 Columbus Marathon in a time of 2:18:05. All the more impressive, he did that while training through his full-time job. Zach holds PRs of 4:03 (Mile), 7:59 (3k), 13:51 (5k), 29:15 (10k), and 2:18:05 (Marathon). In high school, Zach set the Ohio high school 5K record with a time of 14:29. He was a two-time state and regional champion, three-time district champion, and four-time conference champion (cross country). He also won two state championships in track, two regional titles, four district championships, and was a 12-time conference champion. Zach then went on to Notre Dame, where he was a part of the Notre Dame squad that won an ACC Team Championship. Zach transferred after his years at Notre Dame to finish his career at Walsh, where he was a 4x All-American. In today's episode, Zach goes through training while having a full-time job, winning the 2023 Columbus Marathon, his years at Notre Dame & Walsh, and a deep dive into his years of domination in the great state of Ohio. I thoroughly enjoyed this conversation and diving into Zach's story. A lot of great nuggets of wisdom as well. I hope you all enjoy this one as much as we did having it! The podcast graphic was done by the talented: Xavier Gallo. S H O W N O T E S -2Before: Code: "THERUNNINGEFFECT30" for 30% off: https://2before.com/ -My Instagram: https://www.instagram.com/therunningeffect/?hl=en
HouseNation UK is legal - PRS for music registered under licence LE-0004522 Please show some appreciation by adding a comment on iTunes! Worldwide Bookings: firstname.lastname@example.org Website www.djleeharris.com Join me on Facebook! Search DJ Lee Harris Join me on Soundcloud! Search Lee Harris London Please add a review on iTunes if you like this podcast
It's not often that a high-profile investment deal is announced just before a major holiday, but we got lucky this week. After discussing the news that Kim Kardashian's private equity firm SKYY Partners has invested in upscale condiment brand TRUFF, the hosts munched on a new brand of cookies launched by popular Twitch streamer Pokimane and dove into a growing pool of caffeine-free energy drinks. Show notes: 0:35: For Future Reference… Congrats, Nicks (& Kim). Skillet Sweet. Nog & Nitro. – On the cusp of Thanksgiving, the hosts chatted about Turkey Trots, PRs and John chugging gravy before turning to topics like Kim Kardashian's acquisition of “a significant minority stake” in TRUFF, how a gluten-free skillet cookie became a studio favorite and whether good egg nog is bad a couple of days after the expiration date. They also spoke at length about a new brand of cookies (and somehow avoided the controversy surrounding it), praised a new Straightaway SKU and hailed Jacqui's attempts to minimize coffee consumption. Brands in this episode: TRUFF, Tofurky, Wholly Gluten Free, MOSH, Super Coffee, Simulate, Verb Energy, Myna, MudWTR, Straightaway Cocktails
The human body does not change under suboptimal stress because it doesn't have to. The dogma ex-phys people are still pursuing is that higher reps produce better hypertrophy than sets of five with heavy weights. Hypertrophy is an increase in the size of muscles. The amount of weight lifted, aka intensity, is the primary driver of hypertrophy.

04:19 Comments from the Haters!
14:20 Hypertrophy
21:41 The phenomenology
31:44 You are not strong enough/Stress management
38:35 People are scared of lifting heavy weights
50:21 PRs are what matter
Host Matthew Boyd welcomes Jason Fitzgerald, founder of Strength Running, to discuss misconceptions surrounding 'off-season' running. Fitzgerald criticizes the idea of an off-season, suggesting the term is non-specific and is not typically found in expert coaching literature. Both Boyd and Fitzgerald highlight the importance of continuous training cycles for runners, emphasizing a need for strategic, moderate input rather than extreme fluctuations between high and low seasons. They discuss the danger of de-training and the risk of subsequent injuries as important factors to consider in maintaining a steady training schedule. Utilizing key running milestones and setting 'training PRs' during what could be called 'base training' or 'pre-season' are suggested to build a strong foundation for subsequent training.

00:00 Introduction and Welcoming Guest
00:22 Discussing 'Off Season' Training
00:38 Guest Introduction and Background
03:37 The Concept of 'Off Season' in Running
05:56 The Problem with 'Off Season' Training
07:44 The Importance of Consistent Training
12:26 Planning Training Around Race Schedules
16:01 The Importance of Recovery and Base Training
24:00 Setting Training Goals and Milestones
29:46 The Relationship Between Training and Injury Risk
44:49 Concluding Thoughts and Guest Contact Information

Follow Jason Fitzgerald Website: https://strengthrunning.com/ Instagram: https://www.instagram.com/jasonfitz1/ YouTube: https://www.youtube.com/@StrengthRunning --- If you're an injured runner we can help you get back to running pain-free. Click the link to book a free call with us: https://matthewboydphysio.com/booking/ Running Fundamentals Course: https://matthewboydphysio.com/running-fundamentals-course/ Instagram: https://www.instagram.com/matthewboydphysio/
It's just Dan on tonight's show, as Forest is on his honeymoon. :) I hope you guys can stand my meandering about various topics for about an hour. Forest will be back next Monday night. :)
Duration: 01:28:28 - En pistes ! of Tuesday 21 November 2023 - by: Emilie Munera, Rodolphe Bruneau Boulmier - On the menu this Tuesday morning with Emilie and Rodolphe: the Ensemble Consonance in Purcell, the Takács Quartet in Dvorak, but also Marc André Hamelin in the works of Fauré, as well as the voices of Scott Robert Shaw and Emilie Bastens in Britten's "Bonny at morn". En pistes !
Today on The Call Room Rising Stars is the one and only Patrick Koon (aka King Koon). If you're not familiar with Patrick, he has been on an absolute tear over the past few years. He holds PRs of 8:44.95 (3200m), 14:11.92 (5k), and 4:14.3 (Mile). He's a 3x FHSAA 3A XC state champ and 2x FHSAA Track State Champ. He was a 2021 Footlocker National Qualifier and holds State Records in the 3200m and 5000m. Patrick was also the 2022-2023 Florida Boys Cross Country Player of the Year. Patrick is committed to run for Stanford University next Fall. In today's conversation, I give Patrick a new nickname, he recaps his season, including his state meet that he won the day we recorded, his plans for FL Regionals, his thoughts on Nationals, and much more. Anytime King Koon comes on the podcast, it is a banger, and today is no exception. Tune in to hear from one of the brightest young stars in the nation before he tackles the postseason. Tap into the King Koon Special. The podcast graphic was done by the talented: Xavier Gallo. S H O W N O T E S -SIGN UP FOR FOOT LOCKER REGIONALS HERE: https://footlockercc.com/ -THE HOKA CRESCENDO XC: https://www.hoka.com/en/gb/race/crescendo-xc/196565567727.html -My Instagram: https://www.instagram.com/therunningeffect/?hl=en
Tanya Petrusenko is the CEO at Bitmedia, a global crypto advertising platform that helps crypto companies find crypto users around the world.

Why you should listen

Bitmedia started in 2014 to provide advertising opportunities for businesses in the emerging crypto space. Back then, there were few competitors, and most ads were on Bitcoin Talk. The goal was to connect crypto publishers with advertisers and enable monetization through ads. Bitmedia has grown over the years and currently has around 120 team members. Despite challenges during bear markets when budgets are tight, they continue to attract advertisers preparing for future growth. They also explore other niches like gaming to diversify their offerings. The Bitmedia engine is a self-serve platform where advertisers can easily set up ad campaigns based on their preferences such as target audience or ad format. The system tracks various metrics for performance evaluation. Account managers help guide advertisers who may be unfamiliar with digital advertising processes. In terms of building brand loyalty in the crypto space, Bitmedia collaborates closely with brands to craft unique campaigns that resonate with their target audience. Tanya explains that her company works with various established companies to help them with advertising, specifically branding campaigns. They utilize performance tracking and aim for brand recognition. They also engage in PRS and KOL marketing, creating stories and publishing them on top crypto media outlets while promoting businesses to key opinion leaders. Tanya discusses their previous efforts to use blockchain for advertising but mentions that they are currently focusing on building their own DSP (Demand-Side Platform) for buying traffic and ads from different media outlets. She also mentions plans for a decentralized ad exchange using smart contracts to combat ad fraud.
In terms of the future of crypto advertising, Tanya believes that traditional advertising technologies should be prioritized over blockchain-based solutions at this point because the technology is not yet mature enough in the crypto market. However, she envisions AI playing a role in future developments within the industry.

Supporting links

Bitget, Bitget Academy, Bitget Research, Bitget Wallet, Bitmedia, Andy on Twitter, Brave New Coin on Twitter, Brave New Coin

If you enjoyed the show please subscribe to the Crypto Conversation and give us a 5-star rating and a positive review in whatever podcast app you are using.
Duration: 00:02:32 - Le brief politique - Like the MoDem, whose trial over European parliamentary assistants concludes on Tuesday 21 November, the far-right party is accused of having used European funds between 2004 and 2016 to pay assistants who were working for the party.
Today on the podcast is the one and only Sam McDonnell. She holds PRs of 2:08 (800m), 4:38 (Mile), 10:12 (3200m), 16:43 (XC). She was an All-American for cross country her senior year of high school and was a part of the 4x1600 National Record Squad. Sam then went on to Alabama her freshman year before transferring to UCLA and ultimately ending up at The University of Oregon, where she currently resides. In today's conversation, Sam goes through her running journey, running for Newbury Park & Sean Brosnan, her years in the NCAA and the transfer process, being coached by Shalane Flanagan, her goals in the NCAA, and her thoughts on Connor Burns & Simeon Birnbaum. This discussion is both light + insightful: the perfect combo for a great podcast. Tap into the Sam McDonnell Special. The podcast graphic was done by the talented: Xavier Gallo. S H O W N O T E S -2Before: Code: "THERUNNINGEFFECT30" for 30% off: https://2before.com/ -My Instagram: https://www.instagram.com/therunningeffect/?hl=en
Alex Lawrence, Field CISO at Sysdig, joins Corey on Screaming in the Cloud to discuss how he went from studying bioluminescence and mycology to working in tech, and his stance on why open source is the future of cloud security. Alex draws an interesting parallel between the creative culture at companies like Pixar and the iterative and collaborative culture of open-source software development, and explains why iteration speed is crucial in cloud security. Corey and Alex also discuss the pros and cons of having so many specialized tools that tackle specific functions in cloud security, and the different postures companies take towards their cloud security practices.

About Alex

Alex Lawrence is a Field CISO at Sysdig. Alex has an extensive history working in the datacenter as well as with the world of DevOps. Prior to moving into a solutions role, Alex spent a majority of his time working in the world of OSS on identity, authentication, user management and security. Alex's educational background has nothing to do with his day-to-day career; however, if you'd like to have a spirited conversation on bioluminescence or fungus, he'd be happy to oblige.

Links Referenced:
Sysdig: https://sysdig.com/
sysdig.com/opensource: https://sysdig.com/opensource
falco.org: https://falco.org

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted guest episode is brought to us by our friends over at Sysdig, and they have brought to me Alexander Lawrence, who's a principal security architect over at Sysdig.
Alexander, thank you for joining me.

Alex: Hey, thanks for having me, Corey.

Corey: So, we all have fascinating origin stories. Invariably you talk to someone, no one in tech emerged fully-formed from the forehead of some God. Most of us wound up starting off doing this as a hobby, late at night, sitting in the dark, rarely emerging. You, on the other hand, studied mycology, so watching the rest of us sit in the dark and growing mushrooms was basically how you started, is my understanding of your origin story. Accurate, not accurate at all, or something in between?

Alex: Yeah, decently accurate. So, I was in school during the wonderful tech bubble burst, right, high school era, and I always told everybody, there's no way I'm going to go into technology. There's tons of people out there looking for a job. Why would I do that? And let's face it, everybody expected me to, so being an angsty teenager, I couldn't have that. So, I went into college looking into whatever I thought was interesting, and it turned out I had a predilection to go towards fungus and plants.

Corey: Then you realized some of them glow and that wound up being too bright for you, so all right, we're done with this; time to move into tech?

Alex: [laugh]. Strangely enough, my thesis, my capstone, was on the coevolution of bioluminescence across aquatic and terrestrial organisms. And so, did a lot of focused work on specifically bioluminescent fungus and bioluminescing fish, like Photoblepharon palpebratus and things like that.

Corey: When I talk to people who are trying to figure out, okay, I don't like what's going on in my career, I want to do something different, and their assumption is, oh, I have to start over at square one. It's no, find the job that's halfway between what you're doing now and what you want to be doing, and make lateral moves rather than starting over five years in or whatnot.
But I have to wonder, how on earth did you go from A to B in this context?

Alex: Yeah, so I had always done tech. My first job really was in tech at the school districts that I went to in high school. And so, I went into college doing tech. I volunteered at the ELCA and other organizations doing tech, and so it basically funded my college career. And by the time I finished up through grad school, I realized my life was going to be writing papers so that other people could do the research that I was coming up with, and I thought that sounded like a pretty miserable life.

And so, it became a hobby, and the thing I had done throughout my entire college career was technology, and so that became my new career and vocation. So, I was kind of doing both, and then ended up landing in tech for the job market.

Corey: And you've effectively moved through the industry to the point where you're now in security architecture over at Sysdig, which, when I first saw Sysdig launch many years ago, it was, this is an interesting tool. I can see observability stories, I can see understanding what's going on at a deep level. I liked it as a learning tool, frankly. And it makes sense, with the benefit of hindsight, that oh, yeah, I suppose it does make some sense that there are security implications thereof. But one of the things that you've said that I really want to dig into that I'm honestly in full support of because it'll irritate just the absolute worst kinds of people is—one of the core beliefs that you espouse is that security when it comes to cloud is inherently open-source-based or at least derived. I don't want to misstate your position on this. How do you view it?

Alex: Yeah. Yeah, so basically, the stance I have here is that the future of security in cloud is open-source.
And the reason I say that is that it's a bunch of open standards that have basically produced a lot of the technologies that we're using in that stack, right, your web servers, your automation tooling, all of your different components are built on open stacks, and people are looking to other open tools to augment those things. And the reality is, is that the security environment that we're in is changing drastically in the cloud as opposed to what it was like in the on-premises world. On-prem was great—it still is great; a lot of folks still use it and thrive on it—but as we look at the way software is built and the way we interface with infrastructure, the cloud has changed that dramatically.

Basically, things are a lot faster than they used to be. The model we have to use in order to make sure our security is good has dramatically changed, right, and all that comes down to speed and how quickly things evolve. I tend to take a position that one single brain—one entity, so to speak—can't keep up with that rapid evolution of things. Like, a good example is Log4j, right? When Log4j hit this last year, that was a pretty broad attack that affected a lot of people. You saw open tooling out there, like Falco and others, they had a policy to detect and help triage that within a couple of hours of it hitting the internet. Other proprietary tooling, it took much longer than two hours.

Corey: Part of me wonders what the root cause behind that delay is because it's not that the engineers working at these companies are somehow worse than folks in the open communities. In some cases, they're the same people. It feels like it's almost corporate process ossification of, “Okay, we built a thing. Now, we need to make sure it goes through branding and legal and marketing and we need to bring in 16 other teams to make this work.” Whereas in the open-source world, it feels like there's much more of a, “I push the deploy button and it's up. The end.” There is no step two.

Alex: [laugh].
Yeah, so there is certainly a certain element of that. And I think it's just the way different paradigms work. There's a fantastic book out there called Creativity, Inc., and it's basically a book about how Pixar manages itself, right? How do they deal with creating movies? How do they deal with doing what they do, well?

And really, what it comes down to is fostering a culture of creativity. And that typically revolves around being able to fail fast, take risks, see if it sticks, see if it works. And it's not that corporate entities don't do that. They certainly do, but again, if you think about the way the open-source world works, people are submitting, you know, PRs, pull requests, they're putting out different solutions, different fixes to problems, and the ones that end up solving it the best are often the ones that end up coming to the top, right? And so, it's just—the way you iterate is much more akin to that kind of creativity-based mindset that I think you get out of traditional organizations and corporations.

Corey: There's also, I think—I don't know if this is necessarily the exact point, but it feels like it's at least aligned with it—where there was for a long time—by which I mean, pretty much 40 years at this point—a debate between open disclosure and telling people of things that you have found in vendors' products versus closed disclosure; you only wind—or whatever the term is where you tell the vendor, give them time to fix it, and it gets out the door. But we've seen again and again and again, where researchers find something, report it, and then it sits there, in some cases for years, but then when it goes public and the company looks bad as a result, they scramble to fix it.
I wish it were not this way, but it seems that in some cases, public shaming is the only thing that works to get companies to secure their stuff.

Alex: Yeah, and I don't know if it's public shaming, per se, that does it, or it's just priorities, or it's just, you know, however it might go, there's always been this notion of, “Okay, we found a breach. Let's disclose appropriately, you know, between two entities, give time to remediate.” Because there is a potential risk that if you disclose publicly that it can be abused and used in very malicious ways—and we certainly don't want that—but there also is a certain level of onus once the disclosure happens privately that we got to go and take care of those things. And so, it's a balancing act.

I don't know what the right solution is. I mean, if I did, I think everybody would benefit from things like that, but we just don't know the proper answer. The workflow is complex, it is difficult, and I think doing our due diligence to make sure that we disclose appropriately is the right path to go down. When we get those disclosures we need to take them seriously is what it comes down to.

Corey: What I find interesting is your premise that the future of cloud security is open-source. Like, I could make a strong argument that today, we definitely have an open-source culture around cloud security and need to, but you're talking about that shifting along the fourth dimension. What's the change? What do you see evolving?

Alex: Yeah, I think for me, it's about the collaboration. I think there are segments of industries that communicate with each other very, very well, and I think there's others who do a decent job, you know, behind closed doors, and I think there's others, again, that don't communicate at all.
So, all of my background predominantly has been in higher-ed, K-12, academia, and I find that a lot of those organizations do an extremely good job of partnering together, working together to move towards, kind of, a greater good, a greater goal. An example of that would be a group out in the Pacific Northwest called NWACC—the NorthWest Academic Computing Consortium. And so, it's every university in the Northwest all come together to have CIO Summits, to have Security Summits, to trade knowledge, to work together, basically, to have a better overall security posture.

And they do it pretty much out in the open and collaborating with each other, even though they are also direct competitors, right? They all want the same students. It's a little bit of a different way of thinking, and they've been doing it for years. And I'm finding that to be a trend that's happening more and more outside of just academia. And so, when I say the future is open, if you think about the tooling academia typically uses, it is very open-source-oriented, it is very collaborative.

There's no specifications on things like eduPerson to be able to go and define what a user looks like. There's things like, you know, CAS and Shibboleth to do account authorization and things like that. They all collaborate on tooling in that regard. We're seeing more of that in the commercial space as well. And so, when I say the future of security in cloud is open-source, it's models like this that I think are becoming more and more effective, right?

It's not just the larger entities talking to each other. It's everybody talking with each other, everybody collaborating with each other, and having an overall better security posture. The reality is, is that the folks we're defending ourselves against, they already are communicating, they already are using that model to work together to take down who they view as their targets: us, right? We need to do the same to be able to keep up.
We need to be able to have those conversations openly, work together openly, and be able to set that security posture across that kind of overall space.

Corey: There's definitely a concern that if, okay, you have all these companies and community collaborating around security aspects in public, that, well, won't the bad actors be able to see what they're looking at and how they're approaching it and, in some cases, move faster than they can or, in other cases, effectively wind up polluting the conversation by claiming to be good actors when they're not. And there's so many different ways that this can manifest. It feels like fear is always the thing that stops people from going down this path, but there is some instance of validity to that, I would imagine.

Alex: Yeah, no. And I think that certainly is true, right? People are afraid to let go of, quote-unquote, “The keys to their kingdom,” their security posture, their things like that. And it makes sense, right? There's certain things that you would want to not necessarily talk about openly, like, specifically, you know, what Diffie–Hellman key exchange you're using or something like that, but there are ways to have these conversations about risks and posture and tooling and, you know, ways you approach it that help everybody else out, right?

If someone finds a particularly novel way to do a detection with some sort of piece of tooling, they probably should be sharing that, right? Let's not keep it to ourselves. Traditionally, just because you know the tool doesn't necessarily mean that you're going to have a way in. Certainly, you know, it can give you a path or a vector to go after, but if we can at least have open standards about how we implement and how we can go about some of these different concepts, we can all gain from that, so to speak.

Corey: Part of me wonders if the existing things that the large companies are collaborating on lead to a culture that specifically pushes back against this.
A classic example from my misspent youth is that an awful lot of the anti-abuse departments at these large companies are in constant communication. Because if you work at Microsoft, or Google or Amazon, your adversary, as you see it, in the Trust and Safety Group is not those other companies. It's bad actors attempting to commit fraud. So, when you start seeing particular bad actors emerging from certain parts of the network, sharing that makes everything better because there's an understanding there that it's not, “Oh, Microsoft has bad security this week,” or, “Google will wind up approving fraudulent accounts that start spamming everyone.”

Because the takeaway by the customers is not that this one company is bad; it's oh, the cloud isn't safe. We shouldn't use cloud. And that leads to worse outcomes for basically everyone. But they're also—one of the most carefully guarded secrets at all these companies is how they do fraud prevention and spam detection because if adversaries find that out, working around them becomes a heck of a lot easier. I don't know, for example, how AWS determines whether a massive account overage in a free-tier account is considered to be a bad actor or someone who made a legitimate mistake. I can guess, but the actual signal that they use is something that they would never in a million years tell me. They probably won't even tell each other specifics of that.

Alex: Certainly, and I'm not advocating that they let all of the details out, per se, but I think it would be good to be able to have more of an open posture in terms of, like, you know, what tooling do they use? How do they accomplish that feat? Like, are they looking at a particular metric? How do they basically handle that posture going forward?
Like, what can I do to replicate a similar concept?

I don't need to know all the details, but it would be nice if they embraced, you know, open tooling, like say a Trivy or a Falco or whatever the thing is, right, they're using to do this process and then contribute back to that project to make it better for everybody. When you kind of keep that stuff closed-source, that's when you start running into that issue where, you know, they have that, quote-unquote, “Advantage,” that other folks aren't getting. Maybe there's something we can do better in the community, and if we can all be better, it's better for everybody.

Corey: There's a constant customer pain in the fact that every cloud provider, for example, has its own security perspective—the way that identity is managed, the way that security boundaries exist, the way that telemetry from these things winds up getting represented—where a number of companies that are looking at doing things that have to work across cloud for a variety of reasons—some good, some not so good—have decided that, okay, we're just going to basically treat all these providers as, more or less, dumb pipes and dumb infrastructure. Great, we're just going to run Kubernetes on all these things, and then once it's inside of our cluster, then we'll build our own security overlay around all of these things. They shouldn't have to do that. There should be a unified set of approaches to these things. At least, I wish there were.

Alex: Yeah, and I think that's where you see a lot of the open standards evolving. A lot of the different CNCF projects out there are basically built on that concept. Like, okay, we've got Kubernetes. We've got a particular pipeline, we've got a particular type of implementation of a security measure or whatever it might be.
And so, there's a lot of projects built around how do we standardize those things and make them work cross-functionally, regardless of where they're running.

It's actually one of the things I quite like about Kubernetes: it makes it a little more abstract for the developers or the infrastructure folks. At one point in time, you had your on-premises stuff and you built your stuff towards how your on-prem looked. Then you went to the cloud and started building yourself to look like what that cloud looked like. And then another cloud showed up and you had to go use that one. Got to go refactor your application to now work in that cloud.

Kubernetes has basically become, like, this gigantic API ball to interface with the clouds, and you don't have to build an application four different ways anymore. You can build it one way and it can work on-prem, it can work in Google, Azure, IBM, Oracle, you know, whoever, Amazon, whatever it needs to be. And then that also enables us to have a standard set of tools. So, we can use things like, you know, Rego or we can use things like Falco or we can use things that allow us to build tooling to secure those things the same way everywhere we go. And the benefit of most of those tools is that they're also configured, you know, via some level of codification, and so we can have a repository that contains our posture: apply that posture to that cluster, apply it to the other cluster in the other environment. It allows us to automate these things, go quicker, build the posture at the very beginning, along with that application.

Corey: One of the problems I feel as a customer is that so many of these companies have a model for interacting with security issues that's frankly obnoxious.
I am exhausted by the amount of chest-thumping you'll see on keynote stages, all of the theme, “We're the best at security.” And whenever a vulnerability researcher reports something of a wide variety of different levels of severity, it always feels like the first concern from the company is not fix the issue, but rather, control the messaging around it.

Whenever there's an issue, it's very clear that they will lean on people to rephrase things, not use certain words. It's, I don't know if the words used to describe this cross-tenant vulnerability are the biggest problem you should be focusing on right now. Yes, I understand that you can walk and chew gum at the same time as a big company, but it almost feels like the researchers are first screaming into a void, and then they're finally getting attention, but from all the people they don't want to get the attention from. It feels like this is not a welcoming environment for folks to report these things in good faith.

Alex: [sigh]. Yeah, it's not. And I don't know what the solution is to that particular problem. I have opinions about why that exists. I won't go into those here, but it's cumbersome. It's difficult. I don't envy a lot of those research organizations.

They're fantastic people coming up with great findings, they find really interesting stuff that comes out, but when you have to report and do that due diligence, that portion is not that fun. And then doing, you know, the fallout component, right: okay, now we have this thing we have to report, we have to go do something to fix it, you're right. I mean, people do often get really spun up on the verbiage or the implications and not just go fix the problem.
And so again, if you have ways to mitigate that are more standards-based, that aren't specific to a particular cloud, like, you can use an open-source tool to mitigate, that can be quite the advantage.

Corey: One of the challenges that I see across a wide swath of tooling and approaches to it have been that when I was trying to get some stuff to analyze CloudTrail logs in my own environment, I was really facing a bimodal distribution of options. On one end of the spectrum, it's a bunch of crappy stuff—or good stuff; hard to say—but it's all coming off of GitHub, open-source, build it yourself, et cetera. Good luck. And that's okay, awesome, but there's business value here and I'm thrilled to pay experts to make this problem go away.

The other end of the spectrum is commercial security tooling, and it is almost impossible in my experience to find anything that costs less than $1,000 a month to start providing insight from a security perspective. Now, I understand the market forces that drive this. Truly I do, and I'm sympathetic to them. It is just as easy to sell $50,000 worth of software as it is five to an awful lot of companies, so yeah, go where the money is. But it also means that the small end of the market, as hobbyists, as startups are just getting started, there is a price barrier to engaging in the quote-unquote, “Proper way,” to do security.

So, the posture suffers. We'll bolt security on later when it becomes important is the philosophy, and we've all seen how well that plays out in the fullness of time. How do you square that circle? I think the answer has to be open-source improving to the point where it's not just random scripts, but renowned projects.

Alex: Correct, yeah, and I'd agree with that. And so, we're kind of in this interesting phase. So, if you think about, like, raw Linux applications, right, Linux always has the tenet that you build an application to do one thing, and it does that one thing really, really, really well.
And then you ended up with this thing called, like, you know, the Cacti monitoring stack. And so, you ended up having, like, 600 tools you strung together to get this one monitoring function done.

We're kind of in a similar spot in a lot of ways right now, in the open-source security world where, like, if you want to do scanning, you can do, like, Clair or you can do Trivy or you have a couple different choices, right? If you want to do posture, you've got things like kube-bench that are out there. If you want to go do runtime security stuff, you've got something like Falco. So, you've got all these tools to string together, right, to give you all of these different components. And if you want, you can build it yourself, and you can run it yourself and it can be very fun and effective.

But at some point in your life, you probably don't want to be care-and-feeding your child that you built, right? It's 18 years later now, and you want to go back to having your life, and so you end up buying a tool, right? That's why Gartner made this whole CNAPP category, right? It's this humongous category of products that are putting all of these different components together into one gigantic package. And the whole goal there is just to make lives a little bit easier because running all the tools yourself, it's fun, I love it, I did it myself for a long time, but eventually, you know, you want to try to work on some other stuff, too.

Corey: At one point, I wound up running the numbers of all of the first-party security offerings that AWS offered, and for most use cases of significant scale, the cost for those security services was more than the cost of the theoretical breach that they'd be guarding against. And I think that there's a very dangerous incentive that arises when you start turning security observability into your own platform as a profit center.
Because it's, well, we could make a lot of money if we don't actually fix the root issue and just sell tools to address and mitigate some of it—not that I think that's the intentional direction that these companies are taking these things and I don't want to ascribe malice to them, but you can feel that start to be the trend that some decisions get pushed in.

Alex: Yeah, I mean, everything comes down to data, right? It has to be stored somewhere, processed somewhere, analyzed somewhere. That always has a cost with it. And so, that's always this notion of the shared security model, right? We have to have someone have ownership over that data, and most of the time, that's the end-user, right? It's their data, it's their responsibility.

And so, these offerings become things that they have that you can tie into to work within the ecosystem, work within their infrastructure to get that value out of your data, right? You know, where is the security model going? Where do I have issues? Where do I have misconfigurations? But again, someone has to pay for that processing time. And so, that ends up having a pretty extreme cost to it.

And so, it ends up being a hard problem to solve. And it gets even harder if you're multi-cloud, right? You can't necessarily use the tooling of AWS inside of Azure or inside of Google. And other products are trying to do that, right? They're trying to be able to let you integrate their security center with other clouds as well.

And it's kind of created this really interesting dichotomy where you almost have frenemies, right, where you've got, you know, a big Azure customer who's also a big AWS customer. Well, they want to go use Defender on all of their infrastructure, and Microsoft is trying to do their best to allow you to do that. Conversely, not all clouds operate in that same capacity. And you're correct, they all come at extremely different costs, they have different price models, they have different ways of going about it.
And it becomes really difficult to figure out what is the best path forward.

Generally, my stance is anything is better than nothing, right? So, if your only choice is using Defender to do all your stuff and it costs you an arm and a leg, unfortunate, but great; at least you got something. If the path is, you know, go use this random open-source thing, great. Go do that. Early on, when I'd been at—was at Sysdig about five years ago, my big message was, you know, I don't care what you do. At least scan your containers. If you're doing nothing else in life, use Clair; scan the darn things. Don't do nothing.

That's not really a problem these days, thankfully, but now we're more to a world where it's like, well, okay, you've got your containers, you've got your applications running in production. You've scanned them, that's great, but you're doing nothing at runtime. You're doing nothing in your posture world, right? Do something about it. So, maybe that is buy the enterprise tool from the cloud you're working in, buy it from some other vendor, use the open-source tool, do something.

Thankfully, we live in a world where there are plenty of open tools out there we can adopt and leverage. You used the example of CloudTrail earlier. I don't know if you saw it, but there was a really, really cool talk at SharkFest last year from Gerald Combs where they leveraged Wireshark to be able to read CloudTrail logs. Which I thought was awesome.

Corey: That feels more than a little bit ridiculous, just because it's—I mean, I guess you could extract the JSON object across the wire then reassemble it. But, yeah, I need to think on that one.

Alex: Yeah. So, it's actually really cool. They took the plugins from Falco that exist and they rewired Wireshark to leverage those plugins to read the JSON data from the CloudTrail and then wired it into the Wireshark interface to be able to do a visual inspect of CloudTrail logs.
So, just like you could do, like, a follow this IP with a PCAP, you could do the same concept inside of your cloud log. So, if you look up Logray, you'll find it on the internet out there. You'll see demos of Gerald showing it off. It was a pretty darn cool way to use a visualization that, let's be honest, most security professionals already know how to use in a more modern infrastructure.

Corey: One last topic that I want to go into with you before we call this an episode is something that's been bugging me more and more over the years—and it annoyed me a lot when I had to deal with this stuff as a SOC 2 control owner and it's gotten exponentially worse every time I've had to deal with it ever since—and that is the seeming view of compliance and security as being one and the same, to the point where in one of my accounts that I secured rather well, I thought, I installed Security Hub and finally jumped through all those hoops and paid the taxes and the rest and then waited 24 hours to gather some data, then 24 hours to gather more. Awesome. Applied the AWS-approved foundational security benchmark to it and it started shrieking its bloody head off about all of the things that were insecure and not configured properly. One of them, okay, great, it complained that the ‘Block all S3 Public Access' setting was not turned on for the account. So, I turned that on. Great.

Now, it's still complaining that I have not gone through and also enabled the ‘Block Public Access Setting' on each and every S3 bucket within it. That is not improving your security posture in any meaningful way. That is box-checking so that someone in a compliance role can check that off and move on to the next thing on the clipboard. Now, originally, they started off being good-intentioned, but the result is I'm besieged by these things that don't actually matter and that means I'm not going to have time to focus on the things that actually do.
Please tell me I'm wrong on some of this.

Alex: [laugh].

Corey: I really need to hear that.

Alex: I can't. Unfortunately, I agree with you that a lot of that seems erroneous. But let's be honest, auditors have a job for a reason.

Corey: Oh, I'm not besmirching the role of the auditor. Far from it. The problem I run into is that it's the Human Nessus report that dumps out, “Here's the 700 things to go fix in your environment,” as opposed to, “Here's the five things you can do right now that will meaningfully improve your security posture.”

Alex: Yeah. And so, I think that's a place we see a lot of vendors moving, and I think that is the right path forward. Because we are in a world where we generate reports that are miles and miles long, we throw them over a wall to somebody, and that person says, “Are you crazy?” Like, “You want me to go do what with my time?” Like, “No. I can't. No. This is way too much.”

And so, if we can narrow these things down to what matters the most today, and then what can we get rid of tomorrow, that makes life better for everybody. There are certainly ways to accomplish that across a lot of different dimensions, be that vulnerability management, or configuration management stuff, runtime stuff, and that is certainly the way we should approach it. Unfortunately, not all frameworks allow us to look at it that way.

Corey: I mean, even AWS's thing here is yelling at me for a number of services not having encryption-at-rest turned on, like CloudTrail logs, or SNS topics. It's okay, let's be very clear what that is defending against: someone stealing drives out of a data center and taking them off to view the data. Is that something that I need to worry about in a public cloud provider context? Not unless I'm the CIA or something pretty close to that. I mean, if you can get my data out of an AWS data center and survive, congratulations, I kind of feel like you've earned it at this point.
But that obscures things I need to be doing that I'm not.

Alex: Back in the day, I had a customer who used to have—they had storage arrays and their storage arrays' logins were the default login that they came with the array. They never changed it. You just logged in with admin and no password. And I was like, “You know, you should probably fix that.” And he sent a message back saying, “Yeah, you know, maybe I should, but my feeling is that if it got that far into my infrastructure where they can get to that interface, I'm already screwed, so it doesn't really matter to me if I set that admin password or not.”

Corey: Yeah, there is a defense-in-depth argument to be made. I am not disputing that, but the Cisco world is melting down right now because of a bunch of very severe vulnerabilities that have been disclosed. But everything to exploit these things always requires, well, you need access to the management interface. Back when I was a network administrator at Chapman University in 2006, even then, I knew, “Well, we certainly don't want to put the management interfaces on the same VLAN that's passing traffic.”

So, is it good that there's an unpatched vulnerability there? No, but Shodan, the security vulnerability search engine, shows over 80,000 instances that are affected on the public internet. It would never have occurred to me to put the management interface of important network gear on the public internet. That just is… I don't understand that.

Alex: Yeah.

Corey: So, on some level, I think the lesson here is that there's always someone who has something else to focus on at a given moment, and… where it's a spectrum: no one is fully secure, but ideally, you don't want to be the lowest of low-hanging fruit.

Alex: Right, right. I mean, if you were fully secure, you'd just turn it off, but unfortunately, we can't do that. We have to have it be accessible because that's our jobs. And so, if we're having it be accessible, we got to do the best we can.
And I think that is a good point, right? Not being the worst should be your goal, at the very, very least.

Doing bare minimums, looking at those checks, deciding if they're relevant for you or not, just because it says the configuration is required, you know, is it required in your use case? Is it required for your requirements? Like, you know, are you a FedRAMP customer? Okay, yeah, it's probably a requirement because, you know, it's FedRAMP. They're going to tell you you've got to do it. But is it your dev environment? Is it your demo stuff? You know, where does it exist, right? There's certain areas where it makes sense to deal with it and certain areas where it makes sense to take care of it.

Corey: I really want to thank you for taking the time to talk me through your thoughts on all this. If people want to learn more, where's the best place for them to find you?

Alex: Yeah, so they can either go to sysdig.com/opensource. A bunch of open-source resources there. They can go to falco.org, read about the stuff on that site, as well. Lots of different ways to kind of go and get yourself educated on stuff in this space.

Corey: And we will, of course, put links to that into the show notes. Thank you so much for being so generous with your time. I appreciate it.

Alex: Yeah, thanks for having me. I appreciate it.

Corey: Alexander Lawrence, principal security architect at Sysdig. I'm Cloud Economist Corey Quinn, and this episode has been brought to us by our friends, also at Sysdig. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment that I will then read later when I pick it off the wire using Wireshark.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying.
The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
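Corey's CloudTrail complaint in the episode (random GitHub scripts on one end, four-figure-a-month commercial tooling on the other) and Alex's "do something" stance meet at the small end in a script like the one below. It is an added example, not code from the episode, from Sysdig or from Falco: a Python pass over CloudTrail records that flags three events almost every CloudTrail monitoring setup starts with: root credentials being used, the trail itself being stopped or altered, and an S3 Block Public Access setting being switched off. The field names (userIdentity.type, eventSource, eventName, requestParameters.PublicAccessBlockConfiguration) follow the documented CloudTrail record format; that the account-level PutAccountPublicAccessBlock call appears under the same s3 event source is an assumption, and the five sample records at the bottom are constructed for the example.

```python
"""Small CloudTrail detection pass: parse records, flag a few high-signal events.
Added example; not code from the episode, Sysdig or Falco. Field names follow the
CloudTrail record format; SAMPLE_LOG below is constructed for illustration.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    event_time: str
    actor: str
    detail: str


def _actor(record):
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type") or "unknown"


def _root_activity(record):
    """Any use of root credentials; a *failed* root console login is left to a separate, noisier rule."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") != "Root":
        return None
    resp = record.get("responseElements") or {}
    if record.get("eventName") == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure":
        return None
    return f"root used for {record.get('eventName')}"


def _cloudtrail_tampering(record):
    """Someone turning off or changing the audit trail itself."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    if record.get("eventName") not in {"StopLogging", "DeleteTrail", "UpdateTrail"}:
        return None
    trail = (record.get("requestParameters") or {}).get("name", "?")
    return f"{record['eventName']} on trail {trail}"


def _s3_public_access_block_weakened(record):
    """A Block Public Access flag set to false at bucket or (assumed same event source) account level."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    if record.get("eventName") not in {"PutBucketPublicAccessBlock", "PutAccountPublicAccessBlock"}:
        return None
    params = record.get("requestParameters") or {}
    cfg = params.get("PublicAccessBlockConfiguration") or {}
    # Real records also carry a string "xmlns" key here; only a boolean False is a weakening.
    disabled = sorted(k for k, v in cfg.items() if v is False)
    if not disabled:
        return None
    target = (f"bucket {params['bucketName']}" if "bucketName" in params
              else f"account {record.get('recipientAccountId', '?')}")
    return f"{', '.join(disabled)} set false on {target}"


RULES = {
    "root_activity": _root_activity,
    "cloudtrail_tampering": _cloudtrail_tampering,
    "s3_public_access_block_weakened": _s3_public_access_block_weakened,
}


def scan_records(records):
    """Run every rule over every record; findings come back in record order."""
    findings = []
    for rec in records:
        for name, rule in RULES.items():
            detail = rule(rec)
            if detail:
                findings.append(Finding(name, rec.get("eventTime", "?"), _actor(rec), detail))
    return findings


def scan_cloudtrail_json(text):
    """Accept the body of one CloudTrail log file ({"Records": [...]}) and return findings."""
    return scan_records(json.loads(text)["Records"])


# Constructed sample: a benign call, one event per rule, then a PutBucketPublicAccessBlock
# that turns every flag ON (must not fire).
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-10-20T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": _ALICE},
    {"eventTime": "2023-10-20T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2023-10-20T09:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": _ALICE,
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
    {"eventTime": "2023-10-20T09:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPublicAccessBlock", "recipientAccountId": "111122223333",
     "userIdentity": _ALICE,
     "requestParameters": {"bucketName": "finance-exports", "PublicAccessBlockConfiguration": {
         "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", "BlockPublicAcls": False,
         "IgnorePublicAcls": False, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
    {"eventTime": "2023-10-20T09:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPublicAccessBlock", "recipientAccountId": "111122223333",
     "userIdentity": _ALICE,
     "requestParameters": {"bucketName": "finance-exports", "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
]})

if __name__ == "__main__":
    for f in scan_cloudtrail_json(SAMPLE_LOG):
        print(f"{f.event_time} {f.rule:32} {f.actor}: {f.detail}")
```

Run against real data, point scan_cloudtrail_json at each gunzipped object from the trail's S3 prefix; the rules are deliberately per-record so the pass needs no state and can be dropped into a Lambda or a cron job. The point is the shape, not the three rules: each rule is a small function that returns a detail string or None, so adding the next thing you actually care about in your environment is one function and one dictionary entry.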
In Mozambique: the Anglican Church postpones the debate on the immediate resignation of Bishop Carlos Matsinhe. An Angolan economist argues for diversifying the economy. In Guinea-Bissau: how is the PRS deputy who was beaten a few days ago?
Joël got to do some pretty fancy single sign-on work. And when it came time to commit, he documented the ridiculous number of redirects to give people a sense of what was happening. Stephanie has been exploring Rails callbacks and Ruby debugging tools, using methods like save_callbacks and Kernel.caller, and creating a function call graph to better understand and manage complex code dependencies.

Stephanie is also engaged in an independent project and seeking strategies to navigate the challenges of solo work. She and Joël explore how to find external support and combat isolation, consider ways to stimulate creativity, and obtain feedback on her work without a direct team. Additionally, they ponder succession planning to ensure project continuity after her involvement ends. They also reflect on the unique benefits of solo work, such as personal growth and flexibility. Stephanie's focus is on balancing the demands of working independently while maintaining a connected and sustainable professional approach.

ASCII Sequence Diagram Creator (https://textart.io/sequence)
Callback debugging methods (https://andycroll.com/ruby/find-list-debug-active-record-callbacks-in-the-console/)
Kernel.caller (https://ruby-doc.org/core-3.0.2/Kernel.html#method-i-caller)
Method.source_location (https://ruby-doc.org/core-3.0.2/Method.html#method-i-source_location)
Building web apps by your lonesome by Jeremy Smith (https://www.youtube.com/watch?v=Rr871vmV4YM)

Transcript:

STEPHANIE: Hello and welcome to another episode of The Bike Shed, a weekly podcast from your friends at thoughtbot about developing great software. I'm Stephanie Minn.

JOËL: And I'm Joël Quenneville. And together, we're here to share a bit of what we've learned along the way.

STEPHANIE: So, Joël, what's new in your world?

JOËL: I got to do something really fun this week, where I was doing some pretty fancy single sign-on work.
And when it came time to commit, I wanted to document the kind of ridiculous number of redirects that happen and give people a sense of what was going on. And for my own self, what I had been doing is, I had done a sequence diagram that sort of shows, like, three different services that are all talking to each other and where they redirect to each other as they all go through the sequence to sign someone in. And I was like, how could I embed that in the commit message? Because I think it would be really useful context for someone trying to get an overview of what this commit is doing. And the answer, for me, was, can I get this sequence diagram in ASCII form somewhere? And I found a website that allows me to do this in ASCII art. It's the textart.io/sequence. And that allows me to create a sequence diagram that gets generated as ASCII art. I can copy-paste that into a commit message. And now anybody else who is like, "What is it that Joël is trying to do here?" can look at that and be like, "Oh, oh okay, so, we got these, like, four different places that are all talking to each other in this order. Now I see what's happening."

STEPHANIE: That's super neat. I love the idea of having it directly in your commit message just because, you know, you don't have to go and find a graph elsewhere if you want to understand what's going on. It's right there for you, for future commit explorers [laughs] trying to understand what was going on in this snippet of time.

JOËL: I try as much as possible to include those sorts of things directly in the commit message because you never know who's reading the commit. They might not have access to some sort of linked resource. So, if I were like, "Hey, go to our wiki and see this link," like, sure, that would be helpful, but maybe the person reading it doesn't have access to the wiki. Maybe they do have access, but they're not on the internet right now, and so they don't have access to the wiki.
Maybe the wiki no longer exists, and that's a dead link. So, as much as possible, I try to embed context directly in my commit messages.

STEPHANIE: That's really cool. And just another shout out to ASCII art, you know [laughs], persevering through all the times with our fancy tools. It's still going strong [laughs].

JOËL: Something about text, right?

STEPHANIE: Exactly. I actually also have a diagram graph thing to share about what's new in my world that is kind of in a similar vein. Another thoughtboter and former guest on the show, Sara Jackson, shared in our dev channel about this really cool mural graph that she made to figure out what was going on with callbacks because she was working on, you know, understanding the lifecycle of this model and was running into, like, a lot of complex behavior. And she linked to a really neat blog post by Andy Croll, too, that included a little snippet sharing a few callback debugging methods that are provided by ActiveRecord. So, basically, you can have your model and just call double underscore callbacks. And it returns a list of all the callbacks that are defined for that model, and I thought that was really neat. So, I played around with it and copy-pasted [laughs] the snippet into my Rails console to figure out what's going on with basically, like, the god object that I work in. And the first issue I ran into was that it was undefined because it turns out that my application was on an older [laughs] version of Rails than that method was provided on. But, there are more specific methods for the types of callbacks. So, if you are looking specifically for all the callbacks related to a save or a destroy, I think it's save underscore callbacks, right? And that was available on the Rails version I was on, which was, I think, 4. But that was a lot of fun to play around with. And then, I ended up chatting with Sara afterwards about her process for creating the diagram after, you know, getting a list of all these methods.
And I actually really liked this hybrid approach she took where, you know, she automated some parts but then also manually, like, went through and stepped through the code and, like, annotated notes for the methods as she was traversing them. And, you know, sometimes I think about, like, wow, like, it would be so cool if this graph just generated automatically, but I also think there is some value to actually creating it yourself. And there's some amount of, like, mental processing that happens when you do that, as opposed to, like, looking at a thing that was just, you know, generated afterwards, I think.

JOËL: Do you know what kind of graph Sara generated? Was it some kind of, like, function call graph, or was it some other way of visualizing the callbacks?

STEPHANIE: I think it was a function call graph, essentially. It even kind of showed a lot of the dependencies, too, because some of the callback functions were quite complicated and then would call other classes. So, there was a lot of, I think, hidden dependencies there that were unexpected, you know, when you think you're just going to create a regular old [laughs] record.

JOËL: Yeah, I've been burned by unexpected callbacks or callbacks that do things that you wouldn't want in a particular context and then creating bad data or firing off external services that you really didn't want, and that can be an unpleasant surprise. I appreciate it when the framework offers debugging tools and methods kind of built-in, so these helpers, which I was not aware of. It's really cool because they allow you to kind of introspect and understand the code that you're going through. Do you have any others like that from Rails or Ruby that you find yourself using from time to time to help better understand the code?

STEPHANIE: I think one I discovered recently was Kernel.caller, which gives you the stack trace wherever you are when executing.
And that was really helpful when you're not raising an exception in certain places, and you need to figure out the flow of the code. I think that was definitely a later discovery. And I'm glad to have it in my back pocket now as something I can use in any kind of Ruby code.

JOËL: That can, yeah, definitely be a really useful context to have even just in, like, an interactive console. You're like, wait a minute, where's this coming from? What is the call stack right now?

STEPHANIE: Do you have any debugging tools or methods that you like to use that maybe are under the radar a little bit?

JOËL: One that I really appreciate that's built into Ruby is the source location method on the method object, so Ruby has a method object. And so, when you're dealing with some sort of method and, like, maybe it got generated programmatically through metaprogramming, or maybe it's coming from a gem or something like that, and you're just like, where is this defined? I'm trying to find it. If you're in your editor and you're doing stuff, maybe you could run some sort of search, or maybe it has some sort of keyword lookup where you can just find the definition of what's under your cursor. But if you're in an interactive console, you can create a method object for that method name and then call dot source location on it. And it will tell you, here's where it's defined. So, very handy in the right circumstances.

STEPHANIE: Awesome. That's a great tip.

JOËL: Of course, one of the most effective debugging tools is having a pair, having somebody else work with you, but that's not always something that you have. And you and I were talking recently about what it's like to work solo on a project. Because you're currently on a project, you're solo, at least from the thoughtbot side of things. You're embedding with a team, with a client. Are you working on kind of, like, a solo subtask within that, or are you still kind of embedding and interacting with the other teammates on a regular basis?
STEPHANIE: Yeah. So, the past couple of weeks, I am working on more of a solo initiative. The other members of my client team are kind of ramping up on some other projects for this next quarter. And since my engagement is ending soon, I'm kind of left working on some more residual tasks by myself. And this is new for me, actually. I've not really worked in a super siloed by-myself kind of way before. I usually have at least one other dev who I'm, like, kind of partnering up with on a project, or an epic, or something like that. And so, I've had a very quiet week where no one is, you know, kind of, like, reaching out to me and asking me to review their code, or kind of checking in, or, you know, asking me to check in with them. And yeah, it's just a little bit different than how I think I like to normally work. I do like to work with other people. So, this week has been interesting in terms of just kind of being a more different experience where I'm not as actively collaborating with others.

JOËL: What do you think are some of the biggest challenges of being kind of a little bit out in your own world?

STEPHANIE: I think the challenges for me can definitely be the isolation [laughs], and also, what kind of goes hand in hand with that is when you need help, you know, who can you turn to? There's not as much of an obvious person on your team to reach out to, especially if they're, like, involved with other work, right? And that can be kind of tough. Some of the other ones that I've been thinking about have been, you know, on one hand, like, I get to make all of the decisions that I want [laughs], but sometimes you kind of get, like, really in your own head about it. And you're not in that space of, like, evaluating different solutions that you maybe might not think of. And I've been trying to figure out how to, like, mitigate some of that risk.

JOËL: What are some of the strategies that you use to try to balance, like, making good decisions when you're a bit more solo?
Do you try to pull in someone from another team to talk ideas through? Do you have some sort of internal framework that you use to try to figure out things on your own? What does that look like?

STEPHANIE: Yeah, luckily, the feature I'm working on is not a huge project. Well, if it were, I think then I wouldn't be alone on it. But, you know, sometimes you find yourself kind of tasked with one big thing for a while, and you are responsible for it from start to finish, like, all of the architectural decisions to implementation. But, at least for me, the scope is a little more narrow. And so, I don't feel as much of a need to get a lot of heads together because I at least feel somewhat confident in what I'm doing [laughs]. But I have found myself being a bit more compelled to kind of just verbalize what I'm doing more frequently, even to, like, myself in Slack sometimes. It's just like, I don't know who's reading this, but I'm just going to put it out there because maybe someone will see this and jump in and say, "Oh, like, interesting. Here's some other context that I have that maybe might steer you away from that," or even validating what I have to say, right? Like, "That sounds like a good idea," or, you know, just giving me an emoji reaction [laughs] is sometimes all I need. So, either in Slack or when we give our daily sync updates, I am, I think, offering a little more details than I might if I already was working with someone who I was more in touch with in an organic way.

JOËL: And I think that's really powerful because it benefits you. Sort of by having to verbalize that or type it out, you, you know, gain a little bit of self-awareness about what you're trying to do, what the struggles are. But also, it allows anybody else who has potentially helpful information to jump in. I think that's not my natural tendency. When I'm on something solo, I tend to kind of, like, zoom in and focus in on something and, like, ignore a little bit of the world around me.
Like, that's almost the time when I should look at overcommunicating. So, I think most times I've been on something solo, I sort of keep relearning this lesson of, like, you know, it's really important to constantly be talking out about the things that you're doing so that other people who are in a broader orbit around you can jump in where necessary.

STEPHANIE: Yeah, I think you actually kind of touched on one of the unexpected positives, at least for me. Something I wasn't expecting was how much time I would have to just be with my thoughts. You know, as I'm implementing or just in my head, I'm mulling over a problem. I have less frequent, not distractions necessarily, but interruptions. And sometimes, that has been a blessing because I am not in a spot where I have a lot of meetings right now. And so, I didn't realize how much generative thought happens when you are just kind of, like, doing your own thing for a little bit. I'm curious, for you, is that, like, a space that you enjoy being when you're working by yourself? And I guess, you know, you were saying that it's not your natural state to kind of, like, share what's going on until maybe you've fully formed an idea.

JOËL: I think I often will regret not having shared out before everything is done. The times that I have done it, I've been like, that was a really positive experience; I should do that more. I think it's easy to sort of wait too long before sharing something out. And with so many things, it feels like there's only one more small task before it's done. Like, I just need to get this one test to go green, and then I can just put up a PR, and then we'll have a conversation about it. But then, oh, this other test broke, or this dependency isn't installing correctly. And before you know it, you've spent a whole day chasing down these things and still haven't talked.
And so, I think if some of those things were discussed earlier, it would help both to help me feel more plugged in, but also, I think everybody else feels like they're getting a chance to participate as well.

STEPHANIE: So, you mentioned, you know, obviously, there's, like, the time spent just arriving at the solution before sharing it out for feedback. But have you ever been in a position where there is no one to give you feedback and, like, not even a person to review your code?

JOËL: That's really challenging. So, occasionally, if I'm working on a project, maybe it would be, like, very early-stage startup that maybe just has, like, a founder, and then I'm, like, the only technical person on the team, generally, what I'll try to do is to have some kind of review buddy within thoughtbot, so some other developer who's not staffed on my project but who has access to the code such that I can ask them to say, "Hey, can you just take a look at this and give me a code review?" That's the ideal situation. You know, some companies tend to lock things down a lot more if you're dealing with something like healthcare or something like that, where there might be some concerns around personal information, that kind of thing. But generally, in those cases, you can find somebody else within the company who will have some technical knowledge who can take a look at your code; at least, that's been my experience.

STEPHANIE: Nice. I don't think I've quite been in that position before; again, I've really mostly worked within a team. But there was a conference talk I watched a little bit ago from Jeremy Smith, and it was called Building Web Apps by Your Lonesome. And he is a, like, one-man agency. And he talked about, you know, what it's like to be in that position where you pretty much don't have other people to collaborate with, to review your code. And one thing that he said that I really liked was shifting between writer and editor mode.
If you are the person who has to kind of just decide when your code is good enough to merge, I like that transition between, like, okay, I just spent however many hours putting together the solution, and now I'm going to look at it with a critical eye. And sometimes I think that might require stepping away for a little bit or, like, revisiting it even the next day. That might be able to help see things that you weren't able to notice when you were in that writing mode. But I have found that distinction of roles really helpful because it does feel different when you're looking at it from those two lenses.

JOËL: I've definitely done that for some, like, personal solo projects, where I'm participating in a game jam or something, and then I am the only person to review my code. And so, I will definitely, at that point, do a sort of, like, personal code review where I'll look at it. Maybe I'm doing PRs on GitHub, and I'm just merging. Maybe I'm just doing a git diff and looking at a commit in the command line on my own machine. But it is useful, even for myself, to sort of switch into that editor mode and just kind of look at everything there and say, "Is it in a good place?" Ideally, I think I do that before putting it out for a co-worker's review, so you kind of get both. But on a solo project, that has worked actually pretty well for me as well.

STEPHANIE: One thing that you and I have talked about before in a different context, I think, when we have chatted about writing conference talks, is you are really great about focusing on the audience. And I was thinking about this in relation to working solo because even when you are working by yourself on a project, you're not writing the code for yourself, even though you might feel like [laughs] it in the moment. And I also kind of like the idea of asking, like, who are you building for? You know, can you ask the stakeholder or whoever has hired you, like, "Who will maintain this project in the future?"
Because likely, it won't be you. Hopefully, it won't be you unless that's what you want to be doing. There's also what my friend coined the circus factor as opposed to the bus factor, which is, like, if you ran away to the circus tomorrow [laughs], you know, what is the impact that would have? And yeah, I think working solo, you know, some people might think, like, oh, that gives me free rein to just write the code exactly how I want to, how I want to read it. But I think there is something to be said about thinking about the future of who will be [inaudible 18:10] what you just happen to be working on right now.

JOËL: And keep in mind that that person might be future you who might be coming back and be like, "What is going on here?" So, yeah, audience, I think, is a really important thing to keep in mind. I like to ask the question, if somebody else were looking at this code, and somebody else might be future me, what parts would they be confused by? If I was walking somebody else through the code for the first time, where would they kind of stop me through the walkthrough and be like, "Hey, why is this happening? What's the connection between these two things? I can see they're calling each other, but I don't know why." And that's where maybe you put in a comment. Maybe you find a better method or a class name to better explain what happens. Maybe you need to put more context in a commit message. There's all sorts of tools that we can use to better increase documentation. But having that pause and asking, "What will confuse someone?" is, I think, one of the more powerful techniques I do when I'm doing self-review.

STEPHANIE: That's really cool. I'm glad you mentioned that, you know, it could also be future you. Because another thing that Jeremy says in this talk that I was just thinking about is the idea of optimizing for autonomy.
And there's a lot to be said there because autonomy is like, yeah, like, you end up being the person who has to deal with problems [laughs], you know, if you run into something that you can't figure out, and, ideally, you'll have set yourself up for success. But I think working solo doesn't mean that you are in your own universe by yourself completely. And thinking about future you, too, is kind of, like, part of the idea that the person in this moment writing code will change [laughs]. You'll get new information. Maybe, like, you'll find out about, like, who might be working on this in the future. And it is kind of a fine balance between making sure that you're set up to handle problems, but at the same time, maybe it's that, like, you set anyone up to be able to take it away from where you left it.

JOËL: I want to take a few moments to sort of talk a little bit about what it means to be solo because I think there are sort of multiple different solo experiences that can be very different but also kind of converge on some similar themes. Maybe some of our listeners are listening to us talking and being like, "Well, I'm not at a consultancy, so this never happens to me." But you might find yourself in that position. And I think one that we mentioned was maybe you are embedded on a team, but you're kind of on a bit of a larger project where you're staffed solo. So, even though you are part of a larger team, you do feel like the initiative that you're on is siloed to you a little bit. Are there any others that you'd like to highlight?

STEPHANIE: I think we also mentioned, you know, if you're a single developer working on an application because you might be the first technical hire, or a one-person agency, or something, that is different still, right? Because then your community is not even your company, but you have to kind of seek out external communities on social networks, or Slack groups, or whatever.
I've also really been interested in the idea of developers kind of being able to be rotated with some kind of frequency where you don't end up being the one person who knows everything about a system and kind of becomes this dependency, right? But how can we make projects so, like, well-functioning that, like, anyone can step in to do some work and then move on? If that's just for a couple of weeks, or for a couple of months. Do you have any thoughts about working solo in that kind of situation where you're just stepping into something, maybe even to help someone out who's, you know, on vacation, or kind of had to take an unexpected leave?

JOËL: Yeah, that can be challenging. And I think, ideally, as a team, if you want to make that easier, you have to set up some things both on a, like, social level and on a tactical level, so all the classic code quality things that you want in place, well-structured, encapsulated code, good documentation, things like that. To a certain extent, even breaking down tasks into smaller sort of self-sufficient stories. I talk a lot about working incrementally. But it's a lot easier to say, "Hey, we've got this larger story. It was broken down into 20 smaller pieces that can all be shipped independently, and a colleague got three of them done and then had to go on leave for some reason. Can you step in and do stories 4 through 20?" As opposed to, "Hey, we have this big, amorphous story, and your colleague did some work, and it kind of is done. There's a branch with some code on it. They left a few notes or maybe sent us an email. But they had to go on leave unexpectedly. Can you figure it out and get it done?" The second scenario is going to be much more challenging.

STEPHANIE: Yeah, I was just thinking about basically what you described, right?
Where you might be working on your own, and you're like, well, I have this one ticket, and it's capturing everything, and I know all that's going on [laughs], even though it's not quite documented in the ticket. But it's, you know, maybe on my branch, or in my head, or, worst of all, on my local machine [laughs] without being pushed up.

JOËL: I think maybe that's an anti-pattern of working solo, right? A lot of these disciplines that you build when you're working in a team, such as breaking up tickets into smaller pieces, it's easy to kind of get a little bit lazy with them when you're working solo and let your tickets inflate a little bit, or just have stuff thrown together in branches on your local machine, which then makes it harder if somebody does need to come in to either collaborate with you or take over from you if you ever need to step aside.

STEPHANIE: Right. I have definitely seen some people, even just for their personal projects, use, like, a Trello board or some other project management tool. And I think that's really neat because then, you know, obviously, it's maybe just for their own, like, self-organization needs, but it's, like, that recognition that it's still a complicated project. And just because they're working by themselves doesn't mean that they can't utilize a tool for project management that is meant for teams or not even teams [laughs], you know, people use them for their own personal stuff all the time. But I really like that you can choose different levels of how much you're documenting for your future self or for anyone else. You had mentioned earlier kind of the difference between opening up a PR for you...you have to merge your branch into main or whatever versus just committing to main. And that distinction might seem, like, if you were just working on a personal project, like, oh, you know, why go through the extra step? But that can be really valuable in terms of just seeing, like, that history, right?
JOËL: I think on solo projects, it can really depend on the way you tend to treat your commit history. I'm very careful with the history on the main branch where I want it to tell a sort of, like, cohesive story. Each commit is kind of, like, crafted a little bit. So, even when I'm working solo and I'm committing directly to master or to the main branch, I'm not just, like, throwing random things there. Ideally, every commit is green and builds and is, like, self-contained. If you don't have that discipline, then it might be particularly valuable to go through, like, a branching system or a PR system. Or if you just want, like, a place to experiment, just throw a bunch of code together, a bunch of things break; nothing is cohesive, that's fine. It's all a work in progress until you finally get to your endpoint, and then you squash it down, or you merge it, or whatever your workflow is, and then it goes back into the main branch. So, I think that for myself, I have found that, oftentimes, I get not really a whole lot of extra value by going through a branching and PR system when it's, like, a truly solo project, you know, I'm building a side project, something like that. But that's not necessarily true for everyone.

STEPHANIE: I think one thing I've seen in other people's solo projects is using a PR description and, you know, having the branching strategy, even just to jot down future improvements or future ideas that they might take with the work, especially if you haven't kind of, like, taken the next step of having that project management system that we talked about. But there is, like, a little more room for some extra context or to, like, leave yourself little notes that you might not want necessarily in your commit history but is maybe more related to this project being, like, a work in progress where it could go in a lot of different directions, and you're figuring that out by yourself.
JOËL: Yeah, I mean, definitely something like a draft PR can be a great place to have work in progress and experiment and things like that. Something you were saying got me wondering what distinction you typically have between what you would put in a commit message versus something that you would put in a PR description, particularly given that if you've got, like, a single commit PR, GitHub will automatically make the commit message your PR message as well.

STEPHANIE: This has actually evolved for me over time, where I used to be a lot more reliant on PR descriptions holding a lot of the context in terms of the decision-making. I think that was because I thought that, like, that was the most accessible place of information for reviewers to find out, you know, like, why certain decisions were made. And we were using, you know, PR templates and stuff like that. But now the team that I'm working on uses commit message templates that kind of contain the information I would have put in a PR, including, like, motivation for the change, any risks, even deployment steps. So, I have enjoyed that because I think it kind of shortens the feedback loop, too, right? You know, you might be committing more frequently but not, you know, opening a PR until later. And then you have to revisit your commits to figure out, like, okay, what did I do here? But if you are putting that thought as soon as you have to commit, that can save you a little bit of work down the line. What you said about GitHub just pulling your commit message into the PR description has been really nice because then I could just, like, open a thing [laughs]. And that has been nice. I think one aspect that I really like about the PR is leaving myself or reviewers, like, notes via comments, like, annotating things that should not necessarily live in a more permanent form.
But maybe I will link to documentation for a method that I'm using that's a little less common or just add some more information about why I made this decision over another at a more granular level.

JOËL: Yeah, I think that's probably one of the main things that I tend to put in a PR message rather than the commit message is any sort of extra information that will be helpful at review time. So, maybe it's a comment that says, "Hey, there is a lot of churn in this PR. You will probably have a better experience if you review this in split view versus unified view," things like that. So, kind of, like, meta comments about how you might want to approach reviewing this PR, as opposed to something that, let's say somebody is reviewing the history or is, like, browsing the code later, that wouldn't be relevant to them because they're not in a code review mindset. They're in a, like, code reading, code understanding mindset or looking at the message to say, "Why did you make the changes? I saw this weird method. Why did you introduce that?" So, hopefully, all of that context is in the commit message.

STEPHANIE: Yeah, you reminded me of something else that I do, which is leave notes to my future self to revisit something if I'm like, oh, like, this was the first idea I had for the, you know, the way to solve this problem but, you know, note to self to look at this again tomorrow, just in case I have another idea or even to, like, you know, do some more research or ask someone about it and see if they have any other ideas for how to implement what I was aiming for. And I think that is the editor mode that we were talking about earlier that can be really valuable when you're working by yourself to spend a little extra time doing. You know, you are essentially optimizing for autonomy by being your own reviewer or your own critic in a healthy and positive way [laughs], hopefully.

JOËL: Exactly.
STEPHANIE: So, at the beginning of this episode, I mentioned that this is a new experience for me, and I'm not sure that I would love to do it all of the time. But I'm wondering, Joël, if there are any, you know, benefits or positives to working solo that you enjoy and find that you like to do just at least for a short or temporary amount of time.

JOËL: I think one that I appreciate that's maybe a classic developer response is the heads-down time, the focus, being able to just sit down with a problem and a code editor and trying to figure it out. There are times where you really need to break out of that. You need somebody else to challenge you to get through a problem. But there are also just amazing times where you're in that flow state, and you're getting things done. And that can be really nice when you're solo.

STEPHANIE: Yeah, I agree. I have been enjoying that, too. But I also definitely am looking forward to working with others on a team, so it's kind of fun having to get to experience both ways of operating. On that note, shall we wrap up?

JOËL: Let's wrap up.

STEPHANIE: Show notes for this episode can be found at bikeshed.fm.

JOËL: This show has been produced and edited by Mandy Moore.

STEPHANIE: If you enjoyed listening, one really easy way to support the show is to leave us a quick rating or even a review in iTunes. It really helps other folks find the show.

JOËL: If you have any feedback for this or any of our other episodes, you can reach us @_bikeshed, or you can reach me @joelquen on Twitter.

STEPHANIE: Or reach both of us at email@example.com via email.

JOËL: Thanks so much for listening to The Bike Shed, and we'll see you next week.

ALL: Byeeeeeeeeeeeee!!!!!!

AD: Did you know thoughtbot has a referral program? If you introduce us to someone looking for a design or development partner, we will compensate you if they decide to work with us. More info on our website at tbot.io/referral.
Or you can email us at firstname.lastname@example.org with any questions.
Today on the podcast is Adam Wood! Adam is currently training to take his running to the next level with hopes of one day becoming a professional. He has built a massive platform on Instagram, TikTok, and YouTube by documenting his journey in a vulnerable and personable way that is rarely seen. He has a following of over 100k followers across platforms. Adam ran for BYU in college, where he was teammates with the likes of Connor Mantz, Clayton Young, Casey Clinger, and more. Adam currently holds PRs of 4:10.92 (Mile), 8:47.23 (Steeplechase), 14:00.18 (5000m), and 2:18:37 (Marathon). Adam currently has his eyes set on getting an OTQ at the 2023 California International Marathon early next month. In today's episode, Adam gives an inside look at marathon training, running 100 miles a week, living in Provo, Utah, how he balances work, running, and content creation, handling hate, and so much more. This episode was absolutely fantastic and a very enjoyable conversation. I'm beyond confident you'll gain newfound wisdom through listening to it. Tap into the Adam Wood Special. You can listen wherever you find your podcasts by searching "The Running Effect Podcast." If you enjoy the podcast, please consider following us on Spotify and Apple Podcasts and giving us a five-star review! I would also appreciate it if you share it with your friend who you think will benefit from it. The podcast graphic was done by the talented Xavier Gallo.

Show notes:
- Adam's YouTube Channel: https://www.youtube.com/@AdamWoodRuns
- 2Before: Code "THERUNNINGEFFECT30" for 30% off: https://2before.com/
- My Instagram: https://www.instagram.com/therunningeffect/?hl=en
In this special bonus episode of the Award-winning PRS Journal Club Podcast, Dr. Nolan Karp discusses "Incidentally Found Proliferative Lesions in Oncoplastic & Macromastia Breast Reductions." Moderated by 2023 PRS Resident Ambassadors Rami Kantar MD, Yoshi Toyoda MD, and Ronnie Shammas MD, this podcast was recorded at PSTM 2023 in Austin, TX in front of a live audience. An engaging Q&A session between Dr. Karp and members of the audience follows the moderated discussion. Read the discussed article for FREE: https://bit.ly/MacromastiaAnalysis Read the collection of recent classic PRS articles related to this hot topic: https://bit.ly/JCLive_PSTM23_Collection
This week on the podcast, we talk about setting PRs into your 60s (one of our MOTTIV athletes just did it at IM Florida!), how to race 5-8% faster based on a brand new study, and a reminder that MOTTIV gear is 30% off in the store in our pre-Black Friday sale that ends Friday, November 10th at midnight Pacific Time. To try the MOTTIV app for free, visit mymottiv.com and sign up now!
On this week's episode, step into the exhilarating world of the runDisney Wine and Dine Half Marathon Weekend! From the thrilling merchandise battles and expo highlights to the dizzying maze of corral confusion, we've got a bundle of stories to share. Brace yourselves for an intimate inside look into the weekend's race, the unforgettable Disney Springs meet-up, and of course, the spectacular after-party at Epcot!

We pull back the curtain on the 2023 Wine and Dine Half Marathon weekend, revealing a spectacle of Figment merchandise, costume dramas, and the electrifying experience of a half marathon. Hear the heart-pounding tales of costume confrontations, our triumphant sprint against obstacles, and our encounters at the finish line. From the laughter that echoed under beautiful weather to the friendships forged on the race track, we wrap it all up as we toast to John hopefully bringing his 90s mullet back and fun stories of Allie's posse.

As we revel in our listeners' awe-inspiring feats, from 5K runs to half marathons, and dare we say, ultra marathons, we serve up a banquet of race reports from our friends. We celebrate the victories, PRs, and unforgettable moments from various races, including the New York City Marathon, concluding the episode by anticipating upcoming events and giving a warm shout-out to all our friends who ran and shared their stories on Facebook. So tie up your laces, plug in your earphones, and join us on this thrilling running adventure. Thanks for tuning in and remember, stay fabulous, and Happy Running!
This is The Lap Count newsletter by Kyle Merber, as read by Chris Chavez. Join more than 15,000 people who stay up-to-date with all the thrilling action and biggest stories in the world of track & field – delivered right to your inbox every Wednesday morning. Subscribe at http://thelapcount.com/ In this week's newsletter: – USATF 5K Championship
David Barkoe joins me this week on the show to discuss the latest strategies in PR. We focus on conferences and events this time, looking at what any independent agency or in-house PR comms pro should be thinking about when setting up stands at events. We talk about what it takes to get noticed by journalists and give some practical experiences we've had on both sides as journalists and PRs. We also talk about the role of influencers in pharmaceutical marketing again and in any industry that has a negative perception. David shares how his team organised their own mini-event for journalists for multiple clients at once and shares his strategies on how they got people there. We also talk about remote working in PR and answer listener questions on topics like "How far should you spin a message?" *THE PROJECT* * www.PR-ology.com - turning the best ideas in the show into actionable tutorials * SUBSCRIBE * * Video and Audio links here - https://thepublicrelationspodcast.com/listen/ Or search for "The Public Relations Podcast" on all good podcast apps * Connect with me - LinkedIn - https://www.linkedin.com/in/richard-midson/ * Website and weekly newsletter - https://thepublicrelationspodcast.com/ * Come on the show as a cohost - https://thepublicrelationspodcast.com/one-sheet/ *GUEST* David Barkoe - https://www.linkedin.com/in/david-barkoe/ Carve Communications - https://carvecomms.com/
What is up everyone, I'm your host Coach Joe Strong, here to bring you another great episode of the Business of Strength podcast, where you can hear the interviews, tips, and tools to turn your passion for strength into a profitable business. Don't forget our annual Next LIVE two-day workshop here at Varsity House is Nov 30 – Dec 1. We will give you a bird's-eye view of our business from the bottom up. Leave with a blueprint for success and clarity on your next steps. Register at businessofstrength.com. In this episode I'm talking about how hitting PRs in the gym will help you hit PRs on the balance sheet! I've met a lot of trainer/owners who need to hear this… Some topics include: the parallels between training and running a business; the Coach/Owner Paradox; how to get "unstuck" with your biz growth; how getting on the PR train with your personal fitness should be a top priority; what Pat Rigsby said… Let's get it dialed in! Coach Joe
#knowyourgear #podcast You can become a patron and support this podcast: https://www.patreon.com/phillipmcknightKYG?fan_landing=true Ask questions here: www.knowyourgearpodcast.com
Subject Index
00:00 Intro
00:40 What happened to the Fender Super Champ XD and X2?
03:13 My oldest tool?
04:09 Fret pullers and what you need to know
08:37 Do I use any of my military training to work on guitars?
12:02 I was called out for saying PRS took care of their dealers. Did I get it wrong?
22:09 My favorite headless guitar and things to think about when getting your first one
28:39 Sharp edge on the Floyd Rose nut?
31:28 The pitfalls of switching to 7 gauge strings?
35:56 What Seymour Duncan and DiMarzio could learn from GFS pickups
46:13 The foreseeable issues with putting P90s in a humbucker guitar
49:49 I wish guitar manufacturers would think about making forever guitars, because they can
58:45 Installing phase switches in a guitar
1:02:07 What do techs say: is the nut the issue with Gibson?
1:05:55 The UA Ox and The Two Notes Captor X
1:09:25 The before and after of a Plek'd guitar
1:13:48 Some honest talk about cheap vs expensive guitar pickups
1:26:51 Will Ibanez and others drop prices like Fender and PRS?
1:33:08 Why scale length is so important to me and average players
Support the show
duration: 00:02:19 - Le monde est à nous - At Studio Ghibli in Tokyo, the lair of the master of animation, his collaborators do not believe that the master of Japanese animation will retire any time soon.
Today on The Call Room Rising Stars is Cameron Todd! Cameron is an absolute stud out of the state of Indiana. Cameron has PRs of 4:09.96 (Mile) & 8:55.93 (2-Mile). Last year he placed 6th at Foot Locker. He will return to Foot Locker as the top returner. He's run 14:48.1 thus far this year on the legendary Lavern Gibson Course to win the Nike Twilight meet and won a state title in legendary fashion on that same course a few weeks later. In today's episode, Cam goes through his upbringing in the sport, committing to Notre Dame, Indiana things, his progression in the sport, interests outside of running, his experience at Foot Locker last year, beating Simeon Birnbaum, and more. This episode was an all-timer. It was one of the most fun podcasts I've ever recorded in the 300+ episode history of the show. Tap into the Cam Todd Special. Today's episode is a part of "The Call Room Rising Stars," a series where you will meet the next generation of stars, hear their journey to get to where they are today, and get an inside look at their preparation going into the Foot Locker Regional & National Meets. You can listen wherever you find your podcasts by searching "The Running Effect Podcast." If you enjoy the podcast, please consider following us on Spotify and Apple Podcasts and giving us a five-star review! I would also appreciate it if you share it with your friend who you think will benefit from it. The podcast graphic was done by the talented Xavier Gallo. S H O W N O T E S -THE HOKA CRESCENDO XC: https://www.hoka.com/en/gb/race/crescendo-xc/196565567727.html -SIGN UP FOR FOOT LOCKER REGIONALS HERE: https://footlockercc.com/ -My Instagram: https://www.instagram.com/therunningeffect/?hl=en --- Send in a voice message: https://podcasters.spotify.com/pod/show/dominic-schlueter/message
HouseNation UK is legal - PRS for music registered under licence LE-0004522 Please show some appreciation by adding a comment on iTunes! Worldwide Bookings: email@example.com Join me on Facebook! Search DJ Lee Harris Join me on Soundcloud! Search Lee Harris London Please add a review on iTunes if you like this podcast
In this special bonus episode of the Award-winning PRS Journal Club Podcast, Dr. Nolan Karp discusses “Incidentally Found Proliferative Lesions in Oncoplastic & Macromastia Breast Reductions.” Moderated by 2023 PRS Resident Ambassadors Rami Kantar MD, Yoshi Toyoda MD, and Ronnie Shammas MD, this podcast was recorded at PSTM 2023 in Austin, TX in front of a live audience. An engaging Q&A session between Dr. Karp and members of the audience follows the moderated discussion. Read the discussed article for FREE: https://bit.ly/MacromastiaAnalysis Read the collection of recent classic PRS articles related to this hot topic: https://bit.ly/JCLive_PSTM23_Collection #PRSJournalClub #PSTM23 #PRSJournal
We discuss 3 lifter pathways: competing, just training (thriving), and recovering. How do these look, and who might find themselves in one of these pathways (and why)? Andrew & Niki explore this. 3 Lifter Pathways - Competing This pathway involves a state of life where life can support training. For these lifters, training is a high priority. Nutrition supports training, and lifters likely give up other pursuits to support training. Obviously, life needs to cooperate (and sometimes it does not), but insofar as you can prioritize training, you do. 6 months out from the competition, the training can remain fairly general, though the more advanced the lifter is, the earlier the training has to become more specific. As the meet approaches, training will incorporate more heavy singles and doubles. The competition lift will be practiced. The lifter may perform a mock meet. Lastly, the lifter will peak, letting built-up fatigue dissipate and allowing performance to increase (it's easy to screw the timing up here). 3 Lifter Pathways - Just Training This is really where most people should be most of the time. Training is a priority, but not the top priority. Training is a tool for their deeper goals of health and fitness, and nutrition and sleep can support that. Ultimately, though, if you want to go for a run or a hike, you don't sacrifice this or other physical pursuits for your training. The volume slot in a training week is the primary stress and needs to be productive. The intensity slot is more akin to practice or skill work. It is heavy, but not scary or grindy. 3 Lifter Pathways - Recovering For these lifters, training has to take a back seat. This could be due to an injury or major life setback. It could, however, be a phase of life where time and recovery ability are limited. The lifter wants to continue lifting, but it cannot be as high a priority as in the other two pathways. Metrics may need to reflect the shift in focus. This could be going for rep PRs.
It could be consistency. It could be pain (looking for less pain). It could be enjoyment of time in the gym. 3 lifter pathways exist, and they reflect different stages and phases of life. If you train long enough, you'll experience all of these. Check out the Barbell Logic podcast landing page. Get Matched with a Professional Strength Coach today for FREE! No contract with us, just commitment to yourself. Start experiencing strength now: https://store.barbell-logic.com/match/ Connect with the hosts: Matt on Instagram, Niki on Instagram, Andrew on Instagram. Connect with the show: Barbell Logic on Instagram, Podcast Webpage, Barbell Logic on Facebook, or email firstname.lastname@example.org
In Episode 2 of The Call Room Rising Stars, I have the privilege of speaking with Drew Griffith! If you're not familiar with Drew, he is one of the biggest up-and-coming stars in the US prep distance scene. Drew is the reigning Foot Locker Northeast Regional Champion. He went on to place 6th at the National Meet after throwing up the night before (more fun BTS in the podcast). Drew currently holds PRs of 4:07 in the Mile, 8:48 in the 2-Mile, and most recently ran 14:21 in XC, making him the 11th fastest ever at the distance. Needless to say, Drew is on a tear and nothing seems to be holding him back as we get into the postseason. In today's conversation, Drew and I go through his story, from his early passion for swim to progressively getting more serious about the sport of running. We go through winning the Foot Locker Northeast Regional last year, placing 6th in the country while being sick, and not having the track season he was hoping to have. Lastly, we get into his ambitions for the rest of the season, lessons from his successful career, and so much more. Today's episode is one for the books! Many good nuggets of wisdom in here that you can apply directly into your running and life. Tap into the Drew Griffith Special. Today's episode is a part of "The Call Room Rising Stars" a series where you will meet the next generation of stars, hear their journey to get to where they are today, and get an inside look at their preparation going into the Foot Locker Regional & National Meets. You can listen wherever you find your podcasts by searching, "The Running Effect Podcast." If you enjoy the podcast, please consider following us on Spotify and Apple Podcasts and giving us a five-star review! I would also appreciate it if you share it with your friend who you think will benefit from it. The podcast graphic was done by the talented: Xavier Gallo. 
S H O W N O T E S -THE HOKA CRESCENDO XC: https://www.hoka.com/en/gb/race/crescendo-xc/196565567727.html -SIGN UP FOR FOOT LOCKER REGIONALS HERE: https://footlockercc.com/ -My Instagram: https://www.instagram.com/therunningeffect/?hl=en --- Send in a voice message: https://podcasters.spotify.com/pod/show/dominic-schlueter/message
Big Jordan Feigenbaum joins us for this one to discuss SARMs, ATP, Dodge Vipers, and chasing powerlifting PRs for a decade. If that's not enough, we also played our game "Supplements: Real or Fake" for the first time in years! Build Fast Formula: Use code MASSENOMICS to save 10% on your first order! BearFoot Shoes: Use code MASS for a free pair of AWEsome wraps! Juggernaut AI: Use code MASSENOMICS to save 10%! The Strength Co: Get some Go-To Plates! Swiss Link: Use code MASS to save 15%! Texas Power Bars: Get the Barbell that changed the game!
In this episode, Lilly Bernardi, Assistant Strength and Conditioning Coach at Hofstra University, talks to Eric McMahon, the NSCA Coaching and Sport Science Program Manager, about her journey from being an athlete to becoming a coach. Bernardi shares sentiments over losing her senior lacrosse season as a college athlete during the COVID-19 pandemic, and how it has fueled her motivational approach in coaching. The episode highlights the importance of building confidence as a young professional and adopting a growth mindset for career development. Additionally, the conversation delves into social media etiquette for coaches in the age of information sharing. Connect with Lilly on Instagram: @lilly_bernardi1 or by email: email@example.com | Find Eric on Instagram: @ericmcmahoncscs or Twitter: @ericmcmahoncscs
Show Notes
"That's kind of how I found my love for strength and conditioning because the weight room, I think, was the first place for me where maybe I wasn't getting stats on the field. I saw in the weight room, myself getting stronger and that really just translated into a new level of confidence for me and really allowed for me to embrace my role as a leader and, more specifically, a leader by example in the sport of lacrosse." 3:05
"My athletes are very aware of the fact that, on any given day, if they're doing conditioning, if they're having the hardest lift, they're getting yelled at practice, that I would do anything to take the jersey off their back and get out there one more time. I think if I have athletes who are kind of just going through the motions, I really try to explain to them, it might be hard, but you're going to look back, and you'll miss these four years. And maybe you don't want to go outside and do conditioning every day, but there's a day that you'll look back and wish you could be a part of it." 5:20
"My best piece of advice that I received in this career is just, you're never ready for your next step. And so, while, like I said, I had no idea what I was going to present on, I knew I wanted to because I wanted to challenge myself in a different way and prove to myself that I can." 18:10
"Another thing I love about social media is all the books that people post on their stories and adding it to my list. I think sharing information, but also showing your athletes and other coaches and sharing ideas, creating a community of encouraging each other, whether it's in professional accomplishments, and the PRs are fun too." 25:45
In Episode 1 of The Call Room Rising Stars, I have the privilege of speaking with Ryan Pajak! Ryan is an absolute stud out of my home state of Pennsylvania. Ryan placed 12th last year at the 2022 Foot Locker National Meet, gaining his first XC All-American title in the process. Ryan holds PRs of 4:09 (Mile), 8:48 (3200m), and recently ran 14:40 on the grass. Ryan is committed to run for The University of Notre Dame. In today's episode, Ryan goes through his start in the sport, how Pennsylvania is an underrated running state, committing to the University of Notre Dame, placing 12th at Foot Locker last year, his ambitions for State & Foot Locker this year, and so much more! Tap into the Ryan Pajak Special. Today's episode is a part of "The Call Room Rising Stars," a series where you will meet the next generation of stars, hear their journey to get to where they are today, and get an inside look at their preparation going into the Foot Locker Regional & National Meets. You can listen wherever you find your podcasts by searching "The Running Effect Podcast." If you enjoy the podcast, please consider following us on Spotify and Apple Podcasts and giving us a five-star review! I would also appreciate it if you share it with your friend who you think will benefit from it. The podcast graphic was done by the talented Xavier Gallo. S H O W N O T E S -THE HOKA CRESCENDO XC: https://www.hoka.com/en/gb/race/crescendo-xc/196565567727.html -SIGN UP FOR FOOT LOCKER REGIONALS HERE: https://footlockercc.com/ -My Instagram: https://www.instagram.com/therunningeffect/?hl=en --- Send in a voice message: https://podcasters.spotify.com/pod/show/dominic-schlueter/message
Rori and team are taking a quick break from podcasting for the fall. Stay tuned, though, because they'll be back soon with more podcasts! In the meantime, check out the PRS website (link below) as well as the many other resources PRS offers. If you're enjoying our podcast, please leave us a review on Apple or Spotify. Need help with an injury or programming? Book a free consultation call with one of the PRS Clinical Coaches here! Interested in attending some of the free PRS community events and getting early access to PRS Podcast episodes? Sign up for our weekly newsletter here! Join our Facebook Community for free form checks, live Q&As & more: https://www.facebook.com/groups/PRS.Barbell.Mastery Got questions or guests you'd like to hear on the show? Submit them here: https://forms.gle/7Vu2HmgHoeQY9xM59 Get in touch with the show! Web: https://www.progressiverehabandstrength.com Email: firstname.lastname@example.org Rori IG: @rorimegan_prs Alyssa IG: @alyssahope_prs
In this episode, we talk about the 2023 Nightforce PRS Finale. We need your help for a special upcoming episode, click on the link below and fill out the form! https://forms.gle/B3E6FKTNmNdbuBS4A Thanks to our show sponsors! Scoped Out: They are having a post-PRS sale, head to their website to pick up a great end-of-year deal: https://www.scopedout.com.au/prs-sale/ The Bearded Chap: Treat yourself to some fantastic products and keep your beard looking amazing by going to http://www.thebeardedchap.com/impact or by using the code impact at the checkout! --- Send in a voice message: https://podcasters.spotify.com/pod/show/impactdynamics/message
Are we looking at the Psalm 83 prophecy fulfillment? (maybe, read it)… and will Damascus go down (read Isaiah 17)... we talk about PRS cheat-friendly stages... the Ruger Precision and Magpul PRS Gen 3 stock... ELR success and what it takes... Killer Trace: Dead Man Switch is now out on Audible and other platforms (check it out)... and should you carry with the chamber loaded? Or chamber empty? Good question! We'll address this. We cover a lot in this week's show, so tune in and let us know what you think! :)
Following our feature on Duncan Reid & The Big Heads' final bittersweet show at The Lexington, we invite Duncan into the Retrosonic Podcast virtual studio to get the lowdown on the shock decision to hang up his purple Duncanbacker bass for the very last time. The announcement came just as he released his fifth and arguably best album to date, "And It's Goodbye From Him...", calling time on a musical career that started off in 1976 with spells in The Matinee Idols and The Hollywood Killers before a move to London at the very start of the U.K. Punk explosion in 1977 to join the melodic Punk Pop legends The Boys. In this episode, Duncan picks five songs from the new LP that cover the reasons behind his decision and we take a look back at each of the rest of his albums with The Big Heads, discussing some of his favourite hidden gems and overlooked tracks along the way. He also praises his Big Heads bandmates who contributed to making them one of the most visually exciting live acts of recent years. For full tracklisting, links and a video from the last Big Heads show please check out Retro Man Blog at the link below: https://retroman65.blogspot.com/2023/10/retrosonic-podcast-with-duncan-reid-and.html Cover photo of Duncan with Sophie and Karen of The Big Heads copyright Retro Man Blog. Retrosonic Podcast has a valid PRS licence.
Dakotah Lindwurm and Sara Vaughn are on the podcast today! They both ran PRs at the Chicago Marathon and I loved hearing their recaps on this episode! Sara ran a 2:23:24 which was a 3 minute PR and placed 10th. Sara debuted the marathon in 2021, running a 2:26:53. Last year at Chicago she was ...
Obsessed with this chat with Shawna Norton @competitivefemaletraining ALL about being and becoming strong women no matter how old you are. If you have a body, you are an athlete. Can you imagine if you treated yourself as such? We chat about: why strength training and how to get started if you're new; things that need to be normalized; increasing PRs/push-ups/pull-ups; recovery and priorities; and more! Where to find us: Instagram @butteryourmacros | The Internet www.butteryourmacros.com | Twitter @whatsupbutters | TikTok @whatsupbutters | Inbox firstname.lastname@example.org
This week Francis and Chad connect with Clay Blackketter, one of the winningest shooters in PRS and owner of Clay's Cartridge Company. They discuss his development within the series as a shooter, as a trainer and as a match director. It is worth a listen to hear his approach on shooting PRS and how he has continually improved in this sport we all love.
Today's guest is David Sepulveda. David is a U.S. Air Force retired Master Sergeant with a strong track record in leadership & discipline who transitioned into being a real estate investor & commercial broker. Show summary: In this podcast episode, retired US Air Force Master Sergeant David Sepulveda shares his journey in real estate and discusses his expertise in commercial real estate. He emphasizes the importance of considering factors like inflation and the cost of living when investing in real estate. David also talks about the challenges he faced in the industry and how he overcame them by obtaining his license as a commercial broker. He specializes in retail and multifamily properties and discusses the current market trends in Southwest Florida. The episode also touches on David's military background and the leadership skills he learned in the military. Overall, it highlights David's commitment to integrity and client satisfaction in his real estate career. -------------------------------------------------------------- Starting Real Estate Journey [00:01:02] Breaking into Commercial Real Estate [00:02:03] Southwest Florida Real Estate Market [00:05:02] The military rank structure [00:10:13] Leadership skills developed in the military [00:12:19] Impact of insurance market changes in Florida [00:15:35] David's journey in real estate [00:20:48] Becoming a commercial real estate broker [00:21:22] Contacting David [00:21:30] -------------------------------------------------------------- Connect with David: LinkedIn: https://www.linkedin.com/in/commercialrealestatedave/ Connect with Sam: I love helping others place money outside of traditional investments that both diversify a strategy and provide solid predictable returns. Facebook: https://www.facebook.com/HowtoscaleCRE/ LinkedIn: https://www.linkedin.com/in/samwilsonhowtoscalecre/ Email me → email@example.com SUBSCRIBE and LEAVE A RATING.
Listen to How To Scale Commercial Real Estate Investing with Sam Wilson Apple Podcasts: https://podcasts.apple.com/us/podcast/how-to-scale-commercial-real-estate/id1539979234 Spotify: https://open.spotify.com/show/4m0NWYzSvznEIjRBFtCgEL?si=e10d8e039b99475f -------------------------------------------------------------- Want to read the full show notes of the episode? Check it out below: DAvid Sepulveda (00:00:00) - I tried to explain to them, Well, you're not taking into account, number one, inflation. You're not taking into account, you know, increase in cost of goods. You're not taking into account just increase in cost of living, you know. So all of those things, I think, are important factors that a lot of people kind of. Bypass. They don't they don't take it into consideration as much as I think they should. Intro (00:00:25) - Welcome to the how to scale commercial real estate show. Whether you are an active or passive investor, we'll teach you how to scale your real estate investing business into something big. Sam Wilson (00:00:38) - David Sepulveda is a US Air Force retired master sergeant with a strong track record in leadership and discipline. He is a real estate investor and also now a commercial broker. David, welcome to the show. DAvid Sepulveda (00:00:49) - Thank you for having me, Sam. Absolutely. Sam Wilson (00:00:51) - The pleasure is mine. David There are three questions I ask every guest who comes on the show in 90s or less. Can you tell me where did you start? Where are you now and how did you get there? DAvid Sepulveda (00:01:00) - 90s All right. DAvid Sepulveda (00:01:02) - Well, I honestly started back in 2013. That's where I started my real estate journey. I started out as an investor. It was really my focus to just try to grow my wealth, take care of my family, try to figure out how to get a piece of that American dream, if you will. Um, so got into tax lien investing. From there. 
I graduated to tax deed investing from tax deed investing scaled up to the single family. Did a very light flip. Then I scaled it up to a major flip. And then I said, Well, you know, the natural progression is to get into commercial real estate. What I noticed when I got into commercial real estate is that it's a little bit more difficult to kind of that entry to barrier, if you will. Um, you have a lot of people that if you don't already have a proven track record, they don't want to play with you, you know, they don't want to allow you to, to come to their sandbox. DAvid Sepulveda (00:02:03) - So I had to do is I had to figure out, well, hey, if this is a space that I really want to be and how do I break into that? And that's what led me to get my license as a commercial broker, because I still wanted to be an investor. But since nobody else wanted me to play, I was going to play the way That's awesome. Sam Wilson (00:02:21) - So did you skip the residential brokerage side altogether? DAvid Sepulveda (00:02:27) - I did. And that's that's not something that normally happens, right? I will say that most brokers and to be honest with you, when I got my license, they didn't even want to talk to me. Right. I actually had to go in person into the different brokerages and say, Hey, here I am, this is who I am. Because commercial real estate is a completely different language than residential real estate. But once I went into the office and I started speaking the language, they were like, Oh, he does know what he's talking about. We can allow him to play with us. DAvid Sepulveda (00:03:01) - So that's really what it took, was the persistence and that just resilience, you know, that that that thing that we get taught in the military being resilient be resilient. 
Sam Wilson (00:03:10) - Absolutely when you so yeah one of the things that sound like you did right was to understand who it was you were talking to when you went to these brokerages and say, hey, look, I've already done my homework. I know. I know this industry. I mean, a lot of times, like you said, you got to have some sort of experience or something to kind of break in or allow get your foot in the door. What what did you do once you got into the commercial real estate world to really solidify your position? DAvid Sepulveda (00:03:39) - I really had to market myself as an expert. I had to make sure that I conveyed not only the confidence, but the knowledge. You know, because you can have all the confidence in the world. But if you don't have the knowledge to back it, you're still going to look like a fool. DAvid Sepulveda (00:03:54) - You know, So it was nice to come back home to southwest Florida because I know the area I grew up here. So it was very easy for me to already have a good working knowledge of the area. So then all I had to do was really express to all of the different business owners and the different landlords and whatnot that I do understand the market as well as the market product itself. Sam Wilson (00:04:20) - Got it. Got it. Very, very cool. So what year was it then that you got your or you became a commercial real estate broker? DAvid Sepulveda (00:04:28) - I actually got my license back in 21, 2021. Sam Wilson (00:04:33) - Okay. License in 2021. And you specialize. We talked about this off air, so I'll ask a little bit of leading question. But you specialize in retail and multifamily. Things have changed incredibly in both of those asset classes from 2020, especially in the retail side. And multifamily has gone hot and heavy. And then, you know, we've seen quite a bit of slowdown on the transaction side on that. 
Sam Wilson (00:04:56) - Is that something you're also seeing in your market or are things still just running wide open where you are? DAvid Sepulveda (00:05:02) - Southwest Florida is a very hot market. We're actually seeing growth in a lot of different sectors. So unfortunately, don't get to capitalize on the the downturn as everybody else may be able to in other areas of the of the continent. But southwest Florida is just the growth. Has been phenomenal. We're talking, last I checked, a thousand people moving to Florida daily. And out of that thousand we were capturing here in southwest Florida, I believe it was maybe, you know, 10 to 15% of that. Sam Wilson (00:05:39) - Wow. That's a lot. That's a lot. That's really interesting. So you haven't seen the transaction volume slow down at all on the multifamily side? DAvid Sepulveda (00:05:48) - No, we saw a little bit of a pause because of Hurricane Ian. So a lot of people were, you know, kind of holding on to their money, both on the buyer side and seller side. The buyers were trying to see what the sellers were going to do with the properties, if they were going to fix it up with the insurance money, they were going to take the insurance money and run. DAvid Sepulveda (00:06:06) - So we saw a bit of a pause there. But man, southwest Florida is so strong and so resilient. Man. They just came back and, you know, a year later and it's as if, you know, obviously we have areas where you can see the the damage. But, I mean, everybody's going strong, man. Sam Wilson (00:06:23) - That's great. I think it's one of those things that, you know, we hear it, but you don't if you listen to the national conversation, it's going to say, man, you know, transaction volume in multifamily is down, what, 75% year over year on a national level. But real estate is indeed local. 
So I think that's the other part of it is, you know, for you guys, it's almost as if interest rates it sounds like interest rates have risen, but you guys haven't taken notice. DAvid Sepulveda (00:06:49) - No, not as bad as that. Other parts mean. There might have been a bit of a slowdown, but not enough for me to be like, Hey, there's just an abundance of multifamily come shopping here, you know. Sam Wilson (00:07:01) - Come shopping and say, Well, let's talk about then what are people buying right now that makes sense for you guys? DAvid Sepulveda (00:07:09) - Man, Let me tell you, we can't keep multifamily on the shelf. We can't keep industrial on the shelf. Um, even retail now is starting to pick it back up. You know, now that Covid has slowed down and we're getting the tourism back into Florida. So a lot of different sectors, especially like I said, here in southwest Florida, we're seeing a good increase. Sam Wilson (00:07:30) - Wow, That's awesome. That's awesome. Let's talk about what you invest in personally. Now, you've been you talked about this early on. You know, in 2013, you were buying tax liens and tax deeds, which I think is kind of an advanced strategy, to be honest with you, for your kind of intro into real estate. Most people don't start with deals with that much hair on them. We won't go down that rabbit hole, but that's someday maybe we'll have you back on and we can talk about that journey because I think that's a very interesting one. Sam Wilson (00:07:57) - But what are you personally investing in now? DAvid Sepulveda (00:08:02) - Now I am still investing in multifamily. I'm investing in small retail as well as small businesses. Sam Wilson (00:08:11) - Interesting. Okay. How do you as a broker tell me this from a not from an ethical standpoint, but just from a working with your client standpoint to know that you're putting their interests first? 
I'm sure that's something that you have to think about when you see deals come across your desk, you say, Hey, man, that's a great opportunity. But should you know, you don't want to eat the best and leave the leftovers for your clients. So how does that work with you both as an investor and as a broker?
David Sepulveda (00:08:41) - It's all about just open and honest communication, right? One of the things that we've learned in the military is integrity first. And I always try to make sure that I'm open and honest with my clients. Let them know, listen, I. Understand that you're trying to sell this property and I may have an interest in this property.
David Sepulveda (00:08:59) - Here's what I could offer you. And to be fair, I will also let you know that if we were to take this to market, you would get X amount. And there's quite a delta between my offer and X amount, but I can close quickly. You know, it'll be a smooth transaction as opposed to us being on the market and allowing the market to tell us when it will close.
Sam Wilson (00:09:23) - Right, right. Yeah, that's that's really, really interesting. Yeah. But that would be and that's, I mean, that's, that's the beauty of doing what you do is that you can offer, offer people deals that make sense for them in order to avoid a lot of those pains of taking deals there to market. Well tell me this, David, as a master sergeant in the military and I will openly say I knew nothing about the military. I was not in the military. I'm often accused of it just because I was raised by a marine. And so I know what it's like to grow up in one of those houses where it's, you know, be seated by X number of times and out the door by this very, very regimented.
Sam Wilson (00:10:00) - But what does a master sergeant do and what are some of the things from a leadership and leadership development perspective, I think that you learned inside of the military that still guide what you do today.
David Sepulveda (00:10:13) - Well.
So when you're looking at the military, it's really broken down into two different sectors. You have your enlisted sector and you have your officer sector. Being a master sergeant, which is equivalent to E7, is an enlisted sector rank. E7, Master Sergeant is one of the higher ranks. It is part of what they call the top three, the highest rank you can achieve as an enlisted member is E9, which is a chief master sergeant in the Air Force. And then you have below that the senior master sergeant, and then you have the master sergeant. Now depending on your in the Air Force, we call it AFS in the different branches, they call it by a different name. For example, in the Army it's MOS. But basically what it is, it's your job in the military. So depending on your job in the military can really determine what your responsibilities and your roles are.
David Sepulveda (00:11:08) - You could be in charge of a whole section of airmen and it could be include 20 or 30 people as well as a certain number of civilians. Or you could be in a very small shop and only be responsible for 2 or 3 people. A lot of my time as a master sergeant, I spent it in what they call the commander support staff. So the general has an admin staff and that admin staff is responsible for making sure that the airmen are taken care of. Whether we're talking about their vacation time, which we call leave, we're talking about any pay issues that they may have, um, making sure that they're, I don't know what you call them on the civilian side, but we call them enlisted performance reports, so their PRs. So that's really where I spent a lot of my time as a master sergeant is making sure that the airmen were taken care of.
Sam Wilson (00:12:08) - Wow, that's really, really awesome. What are some of the things I guess that you felt like were developed in you as a leader in that role?
David Sepulveda (00:12:19) - Well, um, there's really a lot of things that you learn being in the military, right?
You learned teamwork, you learned, um, the discipline and the core values, which is the integrity first, excellence and everything we do, you know, and I think a lot of that has carried over into civilian sector for me now is making sure that, you know, like I stated before, I'm open and honest with my communication.
David Sepulveda (00:12:47) - I'm letting you know, letting my clients know, like, listen. I can purchase this, but it's going to be significantly lower than if you were to take it to market. However, it's a lot quicker. So that integrity, just being that, you know, that honest dealings with people and you know, the discipline because real estate is really a disciplined game, you have to continuously do the cold calling. You have to continuously do the door knocking. You have to continuously look at the market, the market trends, see what's going on, see what changes are coming into place, whether we're talking about, you know, new policies, new laws, you know, different, you know, companies coming in that may affect other sectors of your businesses. So it's just the discipline of doing the thing over and over again, no matter how much you might dread it.
Sam Wilson (00:13:43) - And man, there is plenty of that to go around, I think for all of us, there's there's plenty of those things where you go, yep, I don't really want to do that today, but it's something you just got to put your head down and go.
Sam Wilson (00:13:55) - It's probably easier in the military when there's somebody, you know, yelling at you if you don't get it done than it is when you just can, you know, hide it under your own to do list. You're like, you know, maybe tomorrow we'll get that done.
But either way, I like both things that you said there was the adaptability is the way I would summarize that when you said, you know, being open to changes and looking at what changes are coming and then the open and honest communication side of things, I think I was speaking with somebody yesterday and they said, man, you know, I just I'm just not very I'm pretty non-confrontational. I'm like, man, like, just one stop saying that. I said, Because that's negative self-talk. And two, we can rephrase this into something where that open and honest communication like you're talking about can become part of who, who that person is. And they're significantly younger than me. But I think it was it was it was just a great conversation, a reminder that we can constantly be improving the way that we communicate.
Sam Wilson (00:14:50) - Let's go back, I guess one of the things I thought about when you were saying looking at changes and we're going to take a real left turn here in conversation, so I apologize, but I wrote it down here as a note. The the Florida market, you're on the brink of, I think what's the name of the next hurricane potentially heading your way right now. They named that.
Sam Wilson (00:15:07) - Yet Adelia.
Sam Wilson (00:15:09) - Amelia okay so that's that's and we're recording this at the end of August here in 2023 hopefully hopefully that passes by without much to talk about. But the insurance market's for what you guys deal with in Florida. I mean, that's a hot topic. Like what are you advising from the brokerage side? Like how are you advising your clients and your own portfolio right now? What are you doing on the insurance side of stuff?
David Sepulveda (00:15:35) - I mean, that has been a thorn in everyone's side because so many insurance companies have pulled out of Florida altogether, which, you know, by the law of supply and demand, the ones that have stayed are able to jack up their prices and have I mean, you're talking about people used to pay, you know, let's just say 100 grand annually.
David Sepulveda (00:16:00) - Now they're looking at almost half a million annually, you know, So the increase is definitely hurting a lot of people's pockets. Unfortunately, it's a necessary evil. You know, because being here in Florida, you can't just go without flood insurance. You can't just go without, you know, any insurances to cover your assets. So, unfortunately, you know, I try to make sure that I have surrounded myself with the best team so that my clients can win. So I do work with a good insurance broker who goes out there and finds my clients the best insurance coverage that they can.
Sam Wilson (00:16:43) - What are people doing to offset some of those just astronomical rate increases?
Sam Wilson (00:16:50) - Well.
David Sepulveda (00:16:51) - I mean, you're seeing a lot of. A lot of adjustments, whether we're talking scaling back on their inventory in the retail sector, whether they're talking. Increasing the rents in the multifamily sector. So you're seeing a lot of. Passed as being passed, you know, passed down, which it's understandable, but unfortunately when you're in a market.
David Sepulveda (00:17:20) - That you have a mix of fixed income and disposable income. Those with the fixed income really feel the pain of those, you know, costs being passed down.
Sam Wilson (00:17:34) - And there's really nothing. There's nothing you could do about it. I mean, it's just it is. I mean, you can't you can't continue to absorb those astronomical rate increases without then eventually, you know, passing that on down to the to the end user.
And that's I just I don't see a way any other way around that. Especially, again, as you said, you know, the the insurers are leaving the market, leaving just a few there to choose from. And I guess that's just something probably to think through as you look at investing in Florida or markets like Florida that have some of these associated natural disaster risk where it's like, okay. Do you see people underwriting a continued increase in insurance costs where they say, okay, you know, it was 100, now we are 500. But you know what? We're going to go ahead and budget for a million.
Sam Wilson (00:18:26) - I mean, is that part of people's equation now?
David Sepulveda (00:18:31) - I think it's always smart to make sure that when you're underwriting any asset class that you always increase cost. I think, you know, whether we're talking about a increase of 3% or whether we're talking an increase based on prime rate or even the CPI. I think it's it's wise to I don't see it a lot. I think I'm seeing it more now. You know, now that has skyrocketed. But prior to Hurricane Ian, when I would talk to my clients and I would, you know, see where their mindset was and try to pick their brains as to how they're coming to the numbers that they're coming. I tried to explain to them, Well, you're not taking into account, number one, inflation. You're not taking into account, you know, increase in cost of goods. You're not taking into account just increase in cost of living, you know. So all of those things, I think, are important factors that a lot of people kind of.
David Sepulveda (00:19:29) - Bypass. They don't they don't take it into consideration as much as I think they should.
Sam Wilson (00:19:34) - Interesting. Interesting. Well, there's there's the nugget for the day. If this is something you haven't been considering in your underwriting, David just laid it out for you.
Make sure you're including those things and really probably padding those stats, especially in higher risk markets such as Florida on some of those variable costs that you have. I mean, that's the bummer about it. It's like you have no absolutely no control over it. It's like, oh, by the way, your insurance went up 400 grand and you did nothing wrong. It's not like it's not like half of your property burned down. You rebuilt it and they're like, okay, well, you're a terrible manager. It's like, by the way, you're just we're going to quintuple the cost of your insurance and you're just kind of stuck. So that's, you know, preparing for some of those things can be a difficult thing to do and put in your underwriting because it might might kill more deals than than you would like.
Sam Wilson (00:20:26) - But then again, yeah.
David Sepulveda (00:20:28) - And I think that's what a lot of people think. That's the deterrent for a lot of people. I think they're so caught up in the momentum of trying to get a deal that they don't look at the fact like, well, what are the factors that will make this a good deal? Because in the long run, if you don't take those things into consideration, even a good deal today may not be a good deal tomorrow.
Sam Wilson (00:20:48) - Right. Right. Absolutely. Well said. David, thank you for taking the time here to come on the show today. Certainly enjoyed learning about what a master sergeant is in the military, what your leadership skills there that you had in the military and how you translate those over into what you've done. I love the go get them attitude in 2013, just jumping right into tax liens and tax deeds. I think that's that's that's really, really cool. And then and then, like you said, positioning yourself as an expert, jumping out there and saying, hey, look, I'm going to be a commercial real estate broker becoming an expert there in your market and in your space.
Sam Wilson (00:21:22) - You've shared a lot of great things with us today. Certainly appreciate that. If our listeners want to get in touch with you and learn more about you, what is the best way to do that?
David Sepulveda (00:21:30) - Honestly, you can find me on most social media under commercial real estate. Dave. Or you can look up David Sepulveda with con consultants in Fort Myers, and that'd be the best way to get hold of me.
Sam Wilson (00:21:41) - Fantastic. David, thank you again for your time today. I certainly appreciate it.
David Sepulveda (00:21:46) - Absolutely. Thank you for having me.
Sam Wilson (00:21:47) - Hey, thanks for listening to the How to Scale Commercial Real Estate podcast. If you can do me a favor and subscribe and leave us a review on Apple Podcasts, Spotify, Google Podcasts, whatever platform it is you use to listen. If you can do that for us, that would be a fantastic help to the show. It helps us both attract new listeners as well as rank higher on those directories. So appreciate you listening. Thanks so much and hope to catch you on the next episode.
Adnan Khan, Lead Security Engineer at Praetorian, joins Corey on Screaming in the Cloud to discuss software bill of materials and supply chain attacks. Adnan describes how simple pull requests can lead to major security breaches, and how to best avoid those vulnerabilities. Adnan and Corey also discuss the rapid innovation at GitHub Actions, and the pros and cons of having new features added so quickly when it comes to security. Adnan also discusses his view on the state of AI and its impact on cloud security.

About Adnan
Adnan is a Lead Security Engineer at Praetorian. He is responsible for executing on Red-Team Engagements as well as developing novel attack tooling in order to meet and exceed engagement objectives and provide maximum value for clients. His past experience as a software engineer gives him a deep understanding of where developers are likely to make mistakes, and he has applied this knowledge to become an expert in attacks on organizations' CI/CD systems.

Links Referenced:
Praetorian: https://www.praetorian.com/
Twitter: https://twitter.com/adnanthekhan
Praetorian blog posts: https://www.praetorian.com/author/adnan-khan/

Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Are you navigating the complex web of API management, microservices, and Kubernetes in your organization? Solo.io is here to be your guide to connectivity in the cloud-native universe! Solo.io, the powerhouse behind Istio, is revolutionizing cloud-native application networking.
They brought you Gloo Gateway, the lightweight and ultra-fast gateway built for modern API management, and Gloo Mesh Core, a necessary step to secure, support, and operate your Istio environment. Why struggle with the nuts and bolts of infrastructure when you can focus on what truly matters - your application. Solo.io's got your back with networking for applications, not infrastructure. Embrace zero trust security, GitOps automation, and seamless multi-cloud networking, all with Solo.io. And here's the real game-changer: a common interface for every connection, in every direction, all with one API. It's the future of connectivity, and it's called Gloo by Solo.io. DevOps and Platform Engineers, your journey to a seamless cloud-native experience starts here. Visit solo.io/screaminginthecloud today and level up your networking game.
Corey: As hybrid cloud computing becomes more pervasive, IT organizations need an automation platform that spans networks, clouds, and services—while helping deliver on key business objectives. Red Hat Ansible Automation Platform provides smart, scalable, sharable automation that can take you from zero to automation in minutes. Find it in the AWS Marketplace.
Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. I've been studiously ignoring a number of buzzword, hype-y topics, and it's probably time that I addressed some of them. One that I've been largely ignoring, mostly because of its prevalence at Expo Hall booths at RSA and other places, has been software bill of materials and supply chain attacks. Finally, I figured I would indulge the topic. Today I'm speaking with Adnan Khan, lead security engineer at Praetorian. Adnan, thank you for joining me.
Adnan: Thank you so much for having me.
Corey: So, I'm trying to understand, on some level, where the idea of these SBOM or bill-of-material attacks have—where they start and where they stop. I've seen it as far as upstream dependencies have a vulnerability. Great.
I've seen misconfigurations in how companies wind up configuring their open-source presences. There have been a bunch of different, it feels almost like orthogonal concepts to my mind, lumped together as this is a big scary thing because if we have a big single scary thing we can point at, that unlocks budget. Am I being overly cynical on this or is there more to it?
Adnan: I'd say there's a lot more to it. And there's a couple of components here. So first, you have the SBOM-type approach to security where organizations are looking at which packages are incorporated into their builds. And vulnerabilities can come out in a number of ways. So, you could have software actually have bugs or you could have malicious actors actually insert backdoors into software.
I want to talk more about that second point. How do malicious actors actually insert backdoors? Sometimes it's compromising a developer. Sometimes it's compromising credentials to push packages to a repository, but other times, it could be as simple as just making a pull request on GitHub. And that's somewhere where I've spent a bit of time doing research, building off of techniques that other people have documented, and also trying out some attacks for myself against two Microsoft repositories and several others that I've reported over the last few months that would have been able to allow an attacker to slip a backdoor into code and expand the number of projects that they are able to attack beyond that.
Corey: I think one of the areas that we've seen a lot of this coming from has been the GitHub Action space. And I'll confess that I wasn't aware of a few edge-case behaviors around this.
Most of my experience with client-side Git configuration in the .git repository—pre-commit hooks being a great example—intentionally and by design from a security perspective, do not convey when you check that code in and push it somewhere, or grab someone else's, which is probably for the best because otherwise, it's, “Oh yeah, just go ahead and copy your password hash file and email that to something else via a series of arcane shell script stuff.” The vector is there. I was unpleasantly surprised somewhat recently to discover that when I cloned a public project and started running it locally and then adding it to my own fork, that it would attempt to invoke a whole bunch of GitHub Actions flows that I'd never, you know, allowed it to do. That was… let's say, eye-opening.
Adnan: [laugh]. Yeah. So, on the particular topic of GitHub Actions, the pull request as an attack vector, like, there's a lot of different forms that an attack can take. So, one of the more common ones—and this is something that's been around for just about as long as GitHub Actions has been around—and this is a certain trigger called ‘pull request target.' What this means is that when someone makes a pull request against the base repository, maybe a branch within the base repository such as main, that will be the workflow trigger.
And from a security's perspective, when it runs on that trigger, it does not require approval at all. And that's something that a lot of people don't really realize when they're configuring their workflows.
Because normally, when you have a pull request trigger, the maintainer can check a box that says, “Oh, require approval for all external pull requests.” And they think, “Great, everything needs to be approved.” If someone tries to add malicious code to run that's on the pull request target trigger, then they can look at the code before it runs and they're fine.
But in a pull request target trigger, there is no approval and there's no way to require an approval, except for configuring the workflow securely. So, in this case, what happens is, and in one particular case against the Microsoft repository, this was a Microsoft reusable GitHub Action called GPT Review. It was vulnerable because it checked out code from my branch—so if I made a pull request, it checked out code from my branch, and you could find this by looking at the workflow—and then it ran tests on my branch, so it's running my code. So, by modifying the entry points, I could run code that runs in the context of that base branch and steal secrets from it, and use those to perform malicious Actions.
Corey: Got you. It feels like historically, one of the big threat models around things like this is al—[and when 00:06:02] you have any sort of CI/CD exploit—is either falls down one of two branches: it's either the getting secret access so you can leverage those credentials to pivot into other things—I've seen a lot of that in the AWS space—or more boringly, and more commonly in many cases, it seems to be oh, how do I get it to run this crypto miner nonsense thing, with the somewhat large-scale collapse of crypto across the board, it's been convenient to see that be less prevalent, but still there. Just because you're not making as much money means that you'll still just have to do more of it when it's all in someone else's account. So, I guess it's easier to see and detect a lot of the exploits that require a whole bunch of compute power.
The, oh by the way, we stole your secrets and now we're going to use that to lateral into an organization seem like it's something far more… I guess, dangerous and also sneaky.
Adnan: Yeah, absolutely. And you hit the nail on the head there with sneaky because when I first demonstrated this, I made a test account, I created a PR, I made a couple of Actions such as I modified the name of the release for the repository, I just put a little tag on it, and didn't do any other changes. And then I also created a feature branch in one of Microsoft's repositories. I don't have permission to do that. That just sat there for about almost two weeks and then someone else exploited it and then they responded to it.
So, sneaky is exactly the word you could describe something like this. And another reason why it's concerning is, beyond the secret disclosure for—and in this case, the repository only had an OpenAI API key, so… okay, you can talk to ChatGPT for free. But this was itself a GitHub Action and it was used by another Microsoft machine-learning project that had a lot more users, called SynapseML, I believe was the name of the other project. So, what someone could do is backdoor this Action by creating a commit in a feature branch, which they can do by stealing the built-in GitHub token—and this is something that all GitHub Action runs have; the permissions for it vary, but in this case, it had the right permissions—attacker could create a new branch, modify code in that branch, and then modify the tag, which in Git, tags are mutable, so you can just change the commit the tag points to, and now, every time that other Microsoft repository runs GPT Review to review a pull request, it's running attacker-controlled code, and then that could potentially backdoor that other repository, steal secrets from that repository.
So that's, you know, one of the scary parts of, in particular backdooring a GitHub Action.
And I believe there was a very informative Black Hat talk this year, that someone from—I'm forgetting the name of the author, but it was a very good watch about how Actions vulnerabilities can be vulnerable, and this is kind of an example of—it just happened to be that this was an Action as well.
Corey: That feels like this is an area of exploit that is becoming increasingly common. I tie it almost directly to the rise of GitHub Actions as the default CI/CD system that a lot of folks have been using. For the longest time, it seemed like a poorly configured Jenkins box hanging out somewhere in your environment that was the exception to the Infrastructure as Code rule because everyone has access to it, configures it by hand, and invariably it has access to production was the way that people would exploit things. For a while, you had CircleCI and Travis-CI, before Travis imploded and Circle did a bunch of layoffs. Who knows where they're at these days?
But it does seem that the common point now has been GitHub Actions, and a .github folder within that Git repo with a workflows YAML file effectively means that a whole bunch of stuff can happen that you might not be fully aware of when you're cloning or following along with someone's tutorial somewhere. That has caught me out in a couple of strange ways, but nothing disastrous because I do believe in realistic security boundaries. I just worry how much of this is the emerging factor of having a de facto standard around this versus something that Microsoft has actively gotten wrong. What's your take on it?
Adnan: Yeah. So, my take here is that GitHub could absolutely be doing a lot more to help prevent users from shooting themselves in the foot. Because their documentation is very clear and quite frankly, very good, but people aren't warned when they make certain configuration settings in their workflows. I mean, GitHub will happily take the settings and, you know, they hit commit, and now the workflow could be vulnerable.
There's no automatic linting of workflows, or a little suggestion box popping up like, “Hey, are you sure you want to configure it this way?”
The technology to detect that is there. There's a lot of third-party utilities that will lint Actions workflows. Heck, for looking for a lot of these pull request target-type vulnerabilities, I use a GitHub code search query. It's just a regular expression. So, having something that at least nudges users to not make that mistake would go really far in helping people not make these mista—you know, adding vulnerabilities to their projects.
Corey: It seems like there's also been issues around the GitHub Actions integration approach where OIDC has not been scoped correctly a bunch of times. I've seen a number of articles come across my desk in that context and fortunately, when I wound up passing out the ability for one of my workflows to deploy to my AWS account, I got it right because I had no idea what I was doing and carefully followed the instructions. But I can totally see overlooking that one additional parameter that leaves things just wide open for disaster.
Adnan: Yeah, absolutely. That's one where I haven't spent too much time actually looking for that myself, but I've definitely read those articles that you mentioned, and yeah, it's very easy for someone to make that mistake, just like, it's easy for someone to just misconfigure their Action in general. Because in some of the cases where I found vulnerabilities, there would actually be a commit saying, “Hey, I'm making this change because the Action needs access to these certain secrets.
And oh, by the way, I need to update the checkout steps so it actually checks out the PR head so that it's [testing 00:12:14] that PR code.” Like, people are actively making a decision to make it vulnerable because they don't realize the implication of what they've just done.
And in the second Microsoft repository that I found the bug in, was called Microsoft Confidential Sidecar Containers. That repository, the developer a week prior to me identifying the bug made a commit saying that we're making a change and it's okay because it requires approval. Well, it doesn't because it's a pull request target.
Corey: Part of me wonders how much of this is endemic to open-source as envisioned through enterprises versus my world of open-source, which is just eh, I've got this weird side project in my spare time, and it seemed like it might be useful to someone else, so I'll go ahead and throw it up there. I understand that there's been an awful lot of commercialization of open-source in recent years; I'm not blind to that fact, but it also seems like there's a lot of companies playing very fast and loose with things that they probably shouldn't be since they, you know, have more of a security apparatus than any random contributors standing up a clone of something somewhere will.
Adnan: Yeah, we're definitely seeing this a lot in the machine-learning space because of companies that are trying to move so quickly with trying to build things because OpenAI AI has blown up quite a bit recently, everyone's trying to get a piece of that machine learning pie, so to speak. And another thing of what you're seeing is, people are deploying self-hosted runners with Nvidia, what is it, the A100, or—it's some graphics card that's, like, $40,000 apiece attached to runners for running integration tests on machine-learning workflows.
And someone could, via a pull request, also just run code on those and mine crypto.
Corey: I kind of miss the days when exploiting computers is basically just a way for people to prove how clever they were or once in a blue moon come up with something innovative. Now, it's like, well, we've gone all around the mulberry bush just so we can basically make computers solve a sudoku form, and in return, turn that into money down the road. It's frustrating, to put it gently.
Adnan: [laugh].
Corey: When you take a look across the board at what companies are doing and how they're embracing the emerging capabilities inherent to these technologies, how do you avoid becoming a cautionary tale in the space?
Adnan: So, on the flip side of companies having vulnerable workflows, I've also seen a lot of very elegant ways of writing secure workflows. And some of the repositories are using deployment environments—which is the GitHub Actions feature—to enforce approval checks. So, workflows that do need to run on pull request target because of the need to access secrets for pull requests will have a step that requires a deployment environment to complete, and that deployment environment is just an approval and it doesn't do anything. So essentially, someone who has permissions to the repository will go in, approve that environment check, and only then will the workflow continue. So, that adds mandatory approvals to pull requests where otherwise they would just run without approval.
And this is on, particularly, the pull request target trigger. Another approach is making it so the trigger is only running on the label event and then having a maintainer add a label so the tests can run and then remove the label. So, that's another approach where companies are figuring out ways to write secure workflows and not leave their repositories vulnerable.
Corey: It feels like every time I turn around, GitHub Actions has gotten more capable.
And I'm not trying to disparage the product; it's kind of the idea of what we want. But it also means that there's certainly not an awareness in the larger community of how these things can go awry that has kept up with the pace of feature innovation. How do you balance this without becoming the Department of No?

Adnan: [laugh]. Yeah, so it's a complex issue. I think GitHub has evolved a lot over the years. Actions, it's—despite some of the security issues that happen because people don't configure them properly—is a very powerful product. For a CI/CD system to work at the scale it does and allow so many repositories to work and integrate with everything else, it's really easy to use. So, it's definitely something you don't want to take away or have an organization move away from something like that because they are worried about the security risks.

When you have features coming in so quickly, I think it's important to have a base, kind of like, a mandatory reading. Like, if you're a developer that writes and maintains an open-source software, go read through this document so you can understand the do's and don'ts instead of it being a patchwork where some people, they take a good security approach and write secure workflows and some people just kind of stumble through Stack Overflow, find what works, mess around with it until their deployment is working and their CI/CD is working and they get the green checkmark, and then they move on to their never-ending list of tasks that—because they're always working on a deadline.

Corey: Reminds me of a project I saw a few years ago when it came out that Volkswagen had been lying to regulators. It was a framework someone built called ‘Volkswagen' that would detect if it was running inside of a CI/CD environment, and if so, it would automatically make all the tests pass. I have a certain affinity for projects like that.
Another one was a tool that would intentionally degrade the performance of a network connection so you could simulate having a latent or stuttering connection with packet loss, and they call that ‘Comcast.' Same story. I just thought that it's fun seeing people get clever on things like that.

Adnan: Yeah, absolutely.

Corey: When you take a look now at the larger stories that are emerging in the space right now, I see an awful lot of discussion coming up that ties to SBOMs and understanding where all of the components of your software come from. But I chased some stuff down for fun once, and I gave up after 12 dependency leaps from just random open-source frameworks. I mean, I see the Dependabot problem that this causes as well, where whenever I put something on GitHub and then don't touch it for a couple of months—because that's how I roll—I come back and there's a whole bunch of terrifyingly critical updates that it's warning me about, but given the nature of how these things get used, it's never going to impact anything that I'm currently running. So, I've learned to tune it out and just ignore it when it comes in, which is probably the worst of all possible approaches. Now, if I worked at a bank, I should probably take a different perspective on this, but I don't.

Adnan: Mm-hm. Yeah. And that's kind of a problem you see, not just with SBOMs. It's just security alerting in general, where anytime you have some sort of signal and people who are supposed to respond to it are getting too much of it, you just start to tune all of it out. It's like that human element that applies to so much in cybersecurity.

And I think for the particular SBOM problem, where, yeah, you're correct, like, a lot of it… you don't have reachability because you're using a library for one particular function and that's it.
And this is somewhere where I'm not that much of an expert in where doing more static source analysis and reachability testing, but I'm certain there are products and tools that offer that feature to actually prioritize SBOM-based alerts based on actual reachability versus just having an as a dependency or not.

[midroll 00:20:00]

Corey: I feel like, on some level, wanting people to be more cautious about what they're doing is almost shouting into the void because I'm one of the only folks I found that has made the assertion that oh yeah, companies don't actually care about security. Yes, they email you all the time after they failed to protect your security, telling you how much they care about security, but when you look at where they invest, feature velocity always seems to outpace investment in security approaches. And take a look right now at the hype we're seeing across the board when it comes to generative AI. People are excited about the capabilities and security is a distant afterthought around an awful lot of these things. I don't know how you drive a broader awareness of this in a way that sticks, but clearly, we haven't collectively found it yet.

Adnan: Yeah, it's definitely a concern. When you see things on—like for example, you can look at GitHub's roadmap, and there's, like, a feature there that's, oh, automatic AI-based pull request handling. Okay, so does that mean one day, you'll have a GitHub-powered LLM just approve PRs based on whether it determines that it's a good improvement or not? Like, obviously, that's not something that's the case now, but looking forward to maybe five, six years in the future, in the pursuit of that ever-increasing velocity, could you ever have a situation where actual code contributions are reviewed fully by AI and then approved and merged?
Like yeah, that's scary because now you have a threat actor that could potentially specifically tailor contributions to trick the AI into thinking they're great, but then it could turn around and be a backdoor that's being added to the code.

Obviously, that's very far in the future and I'm sure a lot of things will happen before that, but it starts to make you wonder, like, if things are heading that way. Or will people realize that you need to look at security at every step of the way instead of just thinking that these newer AI systems can just handle everything?

Corey: Let's pivot a little bit and talk about your day job. You're a lead security engineer at what I believe to be a security-focused consultancy. Or—

Adnan: Yeah.

Corey: If you're not a SaaS product. Everything seems to become a SaaS product in the fullness of time. What's your day job look like?

Adnan: Yeah, so I'm a security engineer on Praetorian's red team. And my day-to-day, I'll kind of switch between application security and red-teaming. And that kind of gives me the opportunity to, kind of, test out newer things out in the field, but then also go and do more traditional application security assessments and code reviews, and reverse engineering to kind of break up the pace of work. Because red-teaming can be very fast and fast-paced and exciting, but sometimes, you know, that can lead to some pretty late nights. But that's just the nature of being on a red team [laugh].

Corey: It feels like as soon as I get into the security space and start talking to cloud companies, they get a lot more defensive than when I'm making fun of, you know, bad service naming or APIs that don't make a whole lot of sense. It feels like companies have a certain sensitivity around the security space that applies to almost nothing else.
Do you find, as a result, that a lot of the times when you're having conversations with companies and they figure out that, oh, you're a red team for a security researcher, oh, suddenly, we're not going to talk to you the way we otherwise might. We thought you were a customer, but nope, you can just go away now.

Adnan: [laugh]. I personally haven't had that experience with cloud companies. I don't know if I've really tried to buy a lot. You know, I'm… if I ever buy some infrastructure from cloud companies as an individual, I just kind of sign up and put in my credit card. And, you know, they just, like, oh—you know, they just take my money. So, I don't really think I haven't really, personally run into anything like that yet [laugh].

Corey: Yeah, I'm curious to know how that winds up playing out in some of these, I guess, more strategic, larger company environments. I don't get to see that because I'm basically a tiny company that dabbles in security whenever I stumble across something, but it's not my primary function. I just worry on some level one of these days, I'm going to wind up accidentally dropping a zero-day on Twitter or something like that, and suddenly, everyone's going to come after me with the knives. I feel like [laugh] at some point, it's just going to be a matter of time.

Adnan: Yeah. I think when it comes to disclosing things and talking about techniques, the key thing here is that a lot of the things that I'm talking about, a lot of the things that I'll be talking about in some blog posts that have coming out, this is stuff that these companies are seeing themselves. Like, they recognize that these are security issues that people are introducing into code. They encourage people to not make these mistakes, but when it's buried in four links deep of documentation and developers are tight on time and aren't digging through their security documentation, they're just looking at what works, getting it to work and moving on, that's where the issue is.
So, you know, from a perspective of raising awareness, I don't feel bad if I'm talking about something that the company itself agrees is a problem. It's just a lot of the times, their own engineers don't follow their own recommendations.

Corey: Yeah, I have opinions on these things and unfortunately, it feels like I tend to learn them in some of the more unfortunate ways of, oh, yeah, I really shouldn't care about this thing, but I only learned what the norm is after I've already done something. This is, I think, the problem inherent to being small and independent the way that I tend to be. We don't have enough people here for there to be a dedicated red team and research environment, for example. Like, I tend to bleed over a little bit into a whole bunch of different things. We'll find out. So far, I've managed to avoid getting it too terribly wrong, but I'm sure it's just a matter of time.

So, one area that I think seems to be a way that people try to avoid cloud issues is oh, I read about that in the last in-flight magazine that I had in front of me, and the cloud is super insecure, so we're going to get around all that by running our own infrastructure ourselves, from either a CI/CD perspective or something else. Does that work when it comes to this sort of problem?

Adnan: Yeah, glad you asked about that. So, we've also seen open-s—companies that have large open-source presence on GitHub just opt to have self-hosted GitHub Actions runners, and that opens up a whole different Pandora's box of attacks that an attacker could take advantage of, and it's only there because they're using that kind of runner. So, the default GitHub Actions runner, it's just an agent that runs on a machine, it checks in with GitHub Actions, it pulls down builds, runs them, and then it waits for another build. So, these are—the default state is a non-ephemeral runner with the ability to fork off tasks that can run in the background.
So, when you have a public repository that has a self-hosted runner attached to it, it could be at the organization level or it could be at the repository level.

What an attacker can just do is create a pull request, modify the pull request to run on a self-hosted runner, write whatever they want in the pull request workflow, create a pull request, and now as long as they were a previous contributor, meaning you fixed a typo, you… that could be a such a, you know, a single character typo change could even cause that, or made a small contribution, now they create the pull request. The arbitrary job that they wrote is now picked up by that self-hosted runner. They can fork off it, process it to run in the background, and then that just continues to run, the job finishes, their pull request, they'll just—they close it. Business as usual, but now they've got an implant on the self-hosted runner. And if the runners are non-ephemeral, it's very hard to completely lock that down.

And that's something that I've seen, there's quite a bit of that on GitHub where—and you can identify it just by looking at the run logs. And that kind of comes from people saying, “Oh, let's just self-host our runners,” but they also don't configure that properly. And that opens them up to not only tampering with their repositories, stealing secrets, but now depending on where your runner is, now you potentially could be giving an attacker a foothold in your cloud environment.

Corey: Yeah, that seems like it's generally a bad thing. I found that cloud tends to be more secure than running it yourself in almost every case, with the exception that once someone finds a way to break into it, there's suddenly a lot more eggs in a very large, albeit more secure, basket. So, it feels like it's a consistent trade-off. But as time goes on, it feels like it is less and less defensible, I think, to wind up picking out an on-prem strategy from a pure security point of view. I mean, there are reasons to do it.
I'm just not sure.

Adnan: Yeah. And I think that distinction to be made there, in particular with CI/CD runners is there's cloud, meaning you let your—there's, like, full cloud meaning you let your CI/CD provider host your infrastructure as well; there's kind of that hybrid approach you mentioned, where you're using a CI/CD provider, but then you're bringing your own cloud infrastructure that you think you could secure better; or you have your runners sitting in vCenter in your own data center. And all of those could end up being—both having a runner in your cloud and in your data center could be equally vulnerable if you're not segmenting builds properly. And that's the core issue that happens when you have a self-hosted runner is if they're not ephemeral, it's very hard to cut off all attack paths. There's always something an attacker can do to tamper with another build that'll have some kind of security impact. You need to just completely isolate your builds and that's essentially what you see in a lot of these newer guidances like the [unintelligible 00:30:04] framework, that's kind of the core recommendation of it is, like, one build, one clean runner.

Corey: Yeah, that seems to be the common wisdom. I've been doing a lot of work with my own self-hosted runners that run inside of Lambda. Definitionally those are, of course, ephemeral. And there's a state machine that winds up handling that and screams bloody murder if there's a problem with it. So far, crossing fingers hoping it works out well.

And I have a bounded to a very limited series of role permissions, and of course, its own account of constraint blast radius. But there's still—there are no guarantees in this. The reason I build it the way I do is that, all right, worst case someone can get access to this. The only thing they're going to have the ability to do is, frankly, run up my AWS bill, which is an area I have some small amount of experience with.

Adnan: [laugh].
Yeah, yeah, that's always kind of the core thing where if you get into someone's cloud, like, well, just sit there and use their compute resources [laugh].

Corey: Exactly. I kind of miss when that was the worst failure mode you had for these things.

Adnan: [laugh].

Corey: I really want to thank you for taking the time to speak with me today. If people want to learn more, where's the best place for them to find you?

Adnan: I do have a Twitter account. Well, I guess you can't call it Twitter anymore, but, uh—

Corey: Watch me. Sure I can.

Adnan: [laugh]. Yeah, so I'm on Twitter, and it's @adnanthekhan. So, it's like my first name with ‘the' and then K-H-A-N because, you know, my full name probably got taken up, like, years before I ever made a Twitter account. So, occasionally I tweet about GitHub Actions there.

And on Praetorian's website, I've got a couple of blog posts. I have one—the one that really goes in-depth talking about the two Microsoft repository pull request attacks, and a couple other ones that are disclosed, will hopefully drop on the twenty—what is that, Tuesday? That's going to be the… that's the 26th. So, it should be airing on the Praetorian blog then. So, if you—

Corey: Excellent. It should be out by the time this is published, so we will, of course, put a link to that in the [show notes 00:32:01]. Thank you so much for taking the time to speak with me today. I appreciate it.

Adnan: Likewise. Thank you so much, Corey.

Corey: Adnan Khan, lead security engineer at Praetorian. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud.
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment that's probably going to be because your podcast platform of choice is somehow GitHub Actions.

Adnan: [laugh].

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.