Podcasts about Ryck

The winds of change revolve around AI's impact on the lives of people; especially those who are not prepared. Watch https://www.transformationtalkradio.com/watch.html

The winds of change revolve around AI's impact on the lives of people; especially those who are not prepared. Watch https://www.transformationtalkradio.com/watch.html

The winds of change revolve around AI's impact on the lives of people; especially those who are not prepared. Watch https://www.transformationtalkradio.com/watch.html 

Malin kommer in till Södersjukhuset med mystiska symtom. Snart kommer misstanken om ett dödligt virus som varit utrotat i Sverige i 100 år. Nya avsnitt från P3 Dokumentär hittar du först i Sveriges Radio Play. I juni år 2000 fyller Malin 19 år. Hon ska fira sin födelsedag med familjen, men när gästerna kommer ligger hon i sängen och klagar på att hon har ont i armen.– Ryck upp dig och ligg inte här och sjåpa dig, säger storebror Niklas innan han lämnar födelsedagsmiddagen.Det är sista gången han ser henne i vaket tillstånd.På sjukhuset förstår man inte vad symtomen beror på. Malin blir hemskickad från akuten tre gånger innan de beslutar att lägga in henne för observation.Några månader tidigare var Malin i ThailandNär läkaren Eva Sjöblom Prinz får höra att Malin varit i Thailand och gosat med en vild hund, börjar hon ana att Malin kan ha fått en dödlig sjukdom som inte går att bota. Virussjukdomen rabies.Snart sprids en rädsla på sjukhuset i Stockholm.– Alla som hade haft hand om henne hade ju utsatts för det, hon hostade ju också, säger sjuksköterskan Helena.Medverkande:Niklas, Malins äldre bror.Lelle, Malins pappa.Hilde, Malins vän.Helena Librand, sjuksköterska.Eva Sjöblom Prinz, läkare på Södersjukhuset.Susanna Sternberg Lewerin, professor i epizootologi vid Sveriges Lantbruksuniversitet.Anna-Lena Hammarin, biomedicinsk analytiker.Texter av Malins mamma Klara. Inlästa av Vivian Cardinal.En dokumentär av: Stina Näslund.Producent: Jon Jordås.Exekutiv producent: Rosa Fernandez.Dokumentären är producerad 2024.

Med Björn Johnson & Jesper Hofmann.

Paco out - inte en dag försent?! Bajens kryssrace med mersmak, men vad händer med Nahir? Djurgårns pyspunka och den spretiga kritiken. Tunga Gnaget med en klassisk svartgul insats! GAIS körning och AAH om H2H-matchen mot Henriksson. Dessutom en feg, men nyduschad, Nordin Gerzic. Hosted on Acast. See acast.com/privacy for more information.

In de H.J. Schoo-lezing van Pieter Omtzigt waarschuwde de NSC-leider voor de gevolgen van bevolkingskrimp, waarbij 'de economische, sociale en geopolitieke implicaties moeilijk te onderschatten zijn'. Maakt Pieter Omtzigt zich terecht zorgen? En moet de overheid jonge mensen stimuleren kinderen te krijgen? Daarover gaat presentator Tijs van den Brink in gesprek met: * Simon van Teutem, politicoloog  * Jan Latten, sociaal-demograaf  * Patricia de Ryck, auteur van het boek De Twijfelmoeder

Hör av er till oss på instagram så kan vi svara på era frågor, hjälpa er med problem och dilemman: @johannanordstrm & @edvintornblom! ursäkta klipps och redigeras av Niklas Runsten @niklasrunsten

Aujourd'hui, je vous propose un épisode un peu spécial car le podcast participe au Podcasthon. Pendant 7 jours, plusieurs centaines de podcasts se mobilisent pour mettre en avant le monde associatif et ses valeurs ! J'avais à cœur de vous parler de cette association qui montre que l'on peut agir à son niveau tout près de chez soi. J'ai donc le plaisir d'interviewer Paul de Ryck de l'association France Parrainages. 

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Announcing UnfinishedImpact: Give your abandoned projects a second chance, published by Jeroen De Ryck on March 12, 2024 on The Effective Altruism Forum. What and why? You probably have a folder or document somewhere on your PC with a bunch of abandoned projects or project ideas that never ended up seeing the light of day. You might have developed a grand vision for this project and imagined how it can save or improve so many people's lives. Yet those ideas never materialized due to a lack of time, money, skills, network or the energy to push through. But you might have spent considerable resources on getting this project started and whilst it might not be worthwhile to continue to pursue this project, it seems like a waste to throw it all away. Introducing Unfinished Impact: a website where you can share your potentially impactful abandoned projects for other people to take over. This way, the impact of your project can still be achieved and the resources you've spent on it do not go to waste. How? You can share a project simply by clicking the corresponding button on the home page. I recommend sharing as much relevant information as possible whilst submitting your project. You leave some form of contact information as you're submitting your project. People can then contact you if they want to take over your project. Whether or not you transfer the project to the interested person is up to you to decide. After submission, the project needs to be approved before it's shown publicly. Suggestions to find someone to take over your project You're thinking about sharing your project and you want it out of the way quickly, but you also want it to succeed. Here are some things you can do that might help your project find someone to take it over: Give a clear and concise theory of change, and include references where you have them. Make sure no logical steps are missing. Also indicate gaps that you haven't been able to fill yourself, if they exist. Describe what your goal and method are. The person taking over the project needs to understand the idea you have in your head well and why you want to do it that way. Describe what you have already done for the project and what you think still needs to be done to have an MVP. Explain why you are sharing the project. It might be because you lacked a certain skill or knowledge or were stuck on a problem you couldn't solve. Explain in detail what the problem was, so someone who's reading your project knows what skills they should have. But I will finish this project someday! It's not abandoned, just archived! Will you, tho? Have you made a plan and have you dedicated time to it in the near future? Did you work on it in the last year? If the answer to these questions is "no", then you most likely won't finish this project someday, and you might as well share it. Feedback? Comment below! Thanks to @Bob Jacobs for the valuable feedback on the website and this post Thanks for listening. To help us out with The Nonlinear Library or to learn more, please visit nonlinear.org

We chat with Ryck Turner as he manages the transformation of the Whipper Inn, Oakham Market Place, Rutland to the George Inn and his big plans for the future.

How can we raise the voices of people of color in museums and exhibitions — and what stands in the way?What is Museum Hue? What constitutes a sustainable museum job, a sustainable career? What percentage of staff at museums are folks of color, and what roles do they have? What do we see happening in the exhibitions that museums create?  Many cultural organizations began their DEI initiatives after the tragic events of 2020; how are those programs doing now? Could exhibitions be one of the best places to make visible change happen?Sierra Van Ryck DeGroot (Deputy Director, Museum Hue) and Jinelle Thompson (Research and Partnerships Manager, Museum Hue) join host Jonathan Alger (Managing Partner, C&G Partners) to discuss “Raising the Voices of People of Color in Museums and Exhibitions”.Along the way: the power of networking, Front of House vs. Back of House, and the Museum salary transparency spreadsheet.Talking Points:1. What Museum Hue does, and how it all started.2. The challenge of raising the voices of people of color in the museum and exhibitions field.3. The real numbers: percentages of museum staff who are people of color.4. How we can bring students into sustainable careers in the arts (and what “sustainable” means here). 5. Ways to help raise the voices of people of color: Exposure, Mentorship, Support, and Networking.6. How listeners can get involved: Museum Hue is looking for Speakers, Collaborators, Sponsors, and Partners.How to Listen:Apple Podcastshttps://podcasts.apple.com/us/podcast/making-the-museum/id1674901311 Spotifyhttps://open.spotify.com/show/6oP4QJR7yxv7Rs7VqIpI1G Everywherehttps://makingthemuseum.transistor.fm/ Guest Bios:  Sierra Van Ryck deGroot is the Deputy Director of Museum Hue. A proud alumna of the Dr. Martin Luther King Jr. Leadership Program at Seton Hall University and Bank Street College of Education. Sierra has her BA in Art, Design and Interactive Media; Fine Arts; and Art History and M.S.Ed in Museum Education. A child of Guyanese immigrants. She is proudly born and raised in Central Jersey (NJ) which does exist and it is pork roll, not Taylor Ham. She is also half of the former Sierras co-presidential leadership team of the National Emerging Museum Professionals Network, a current board member for the New Jersey Association of Museums and participating in many side quests related to advocating for change in the GLAM sector, especially in museums, around salary transparency, actionable equity, in higher in practices, the abolition of unpaid internships, and the practice of rest for all museum workers.Jinelle Thompson is the Research & Partnerships Manager at Museum Hue. She is an arts administrator and cultural strategist working with cultural institutions to establish equitable partnerships and programming with communities across NYC. Through qualitative research, collaborative visioning, and anti-oppressive facilitation, Jinelle develops engagement strategies for the inclusion and empowerment of communities of color. She has organized workshop and public programs with artists, organizers, and activists concerning civic engagement, immigration, voting rights, and mass incarceration. In addition to her work with museums and arts organizations, Jinelle has worked with libraries, social impact organizations, and elected officials in state and municipal government providing operations and administrative support through project and client management, strategic communications, and event administration. Jinelle holds a Bachelor's with honors in Sociology & Political Science with a concentration in Public Law and a Masters in Museum Studies.About MtM:Making the Museum is hosted (podcast) and written (newsletter) by Jonathan Alger. This podcast is a project of C&G Partners | Design for Culture. Learn about the firm's creative work at: https://www.cgpartnersllc.com Show Links:Museum Hue: https://www.museumhue.org/ Museum Hue on LinkedIn: https://www.linkedin.com/company/museum-hue/ Museum Hue on Instagram: https://www.instagram.com/museumhue/ Museum Hue on Twitter / X: https://twitter.com/museumhue Sierra's Email: sierra@museumhue.com Sierra on LinkedIn: https://www.linkedin.com/in/sierravrd/ Sierra on Instagram: https://www.instagram.com/sierragoesthere/ Sierra on Twitter / X: https://twitter.com/sierra_vrd Jinelle's Email: jinelle@museumhue.com Jinelle's LinkedIn: https://www.linkedin.com/in/jinellethompson/ MtM Show Contact:https://www.makingthemuseum.com/contact https://www.linkedin.com/in/jonathanalger alger@cgpartnersllc.com https://www.cgpartnersllc.com Newsletter:Like the episode? Try the newsletter. Making the Museum is also a one-minute email on exhibition planning and design for museum leaders, exhibition teams and visitor experience professionals. Subscribe here: https://www.makingthemuseum.com 

Verplaatsen van plant- en diersoorten door de mens is van alle tijden. Toch roepen herintroducties veel vragen op. Is er dan nog wel sprake van natuur? En kunnen we nog wat doen aan genetische erosie of is er al teveel verloren gegaan? Anthonie spreekt in deze aflevering met Dennis de Ryck en Tobias Ceulemans. Dennis werkt bij Natuurpunt in België als projectcoördinator voor LIFE Harwin en Life Belgium for Biodiversity. Tobias werkt aan de Universiteit Antwerpen als professor Biodiversity Conservation and Restoration. In deze aflevering raken we al snel tot kernvragen: wat is natuur? En hoe zien wij onszelf in relatie met die natuur? Ze zijn belangrijk bij de overwegingen rondom herintroductie. Ook bespreken we de voor- en tegenargumenten rondom herintroducties. Wanneer heeft het zin en wanneer niet? Verschillende voorbeelden van herintroducties van planten, vogels, dagvlinders en amfibieën passeren de revue inclusief hun valkuilen. Hoe je herintroductie kunt aanpakken bespreken we aan de hand van voorbeelden uit het LIFE Harwin-project, wat sinds 1 januari 2023 ten oosten van Leuven speelt in het Hageland. En wat heeft natuuramnesie met herintroducties te maken? De leestips van Dennis zijn ‘Natuuramnesie' van Marc Argeloo en ‘Pastorale' van James Rebanks. Tobias tipt ons ‘Planten tellen' van Piet Berger en collega's en 'Darwins gevaarlijke idee' van Daniel C. Dennett. Anthonie tipt in het gesprek het boek ‘Gewilde dieren' van Mark Zekhuis, Louis van Oort en Luc Hoogenstein. We verwijzen in deze aflevering naar aflevering 15 over natuuramnesie met Marc Argeloo. Wil je reageren op deze aflevering? Dat stellen we op prijs! Reacties zijn welkom via onze sociale media, @toekomstnatuur op X en @toekomstvoornatuur op Instagram of door een mailtje te sturen naar toekomstvoornatuur@vlinderstichting.nl.

Meet Marie Joniaux, a beautiful, charming woman in 1895 Belgium, who loves to spend francs faster than she can make them. And when she moves to a town where her charm no longer pays her bills, she finds darker ways to make her money. Grab a cup of tea and settle in with a Tea Time Crimes case as old as time…Tea of the Day: Plots & ThoughtsTheme Music by Brad Frank Sources:Brief Case: https://www.youtube.com/watch?v=wuYCF7Vt59ICAUSES CRIMINELLES ET MONDAINES DE 1895- Albert Bataille ​​https://gallica.bnf.fr/ark:/12148/bpt6k5496509r/f1.itemThe Joniaux affair, triple poisoning: indictment, report of medical experts and chemists - Ryckère, Raymond https://gallica.bnf.fr/ark:/12148/bpt6k5821896f/f10.itemManchester Courier and Lancashire General Advertiser  - 19 Jan 1895, Sat · Page 19 https://www.newspapers.com/image/800072028/The Guardian - 12 Jan 1895, Sat · Page 8 https://www.newspapers.com/image/257817832/The Morning News - 10 Feb 1895, Sun · Page 10 https://www.newspapers.com/image/852568592/Buffalo Courier - 16 May 1894, Wed · Page 12  https://www.newspapers.com/image/354265129/Manchester Courier and Lancashire General Advertiser - 21 Apr 1894, Sat · Page 15 https://www.newspapers.com/image/799847243/The Cincinnati Enquirer - 05 May 1894, Sat · Page 14  https://www.newspapers.com/image/32591848/The Leeds Mercury - 12 Jan 1895, Sat · Page 10 https://www.newspapers.com/image/390656352/

Sanny vill se konsekvenser på kryphålet och Svensson går igenom lönerna.

Sitter du fast i ältande och destruktiva tankar? Veckans avsnitt är en käftsmäll som tvingar dig att lyfta blicken, se klart och hitta styrka i motgångar. Lyssna, anteckna och gör jobbet!Det här avsnittet är en utvald favorit från en tidigare säsong.Mer från Johannes:

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Effective Altruism and the strategic ambiguity of 'doing good', published by Jeroen De Ryck on July 18, 2023 on The Effective Altruism Forum. Whilst Googling around for something entirely unrelated, I stumbled on a discussion paper published in January of 2023 about Effective Altruism that argues Global Health & Wellbeing is basically a facade to get people into the way more controversial core of longtermism. I couldn't find something posted about it elsewhere on the forum, so I'll try to summarise here. The paper argues that there is a big distinction between what they call public facing EA and Core EA. The former cares about global health and wellbeing (GH&W) whereas the latter cares about x-risks, animal welfare and "helping elites get advanced degrees" (which I'll just refer to as core topics). There are several more distinctions between public EA and core EA, e.g. about impartiality and the importance of evidence and reason. The author argues, based on quotes from a variety of posts from a variety of influential people within EA, that for the core audience, GH&W is just a facade such that EA is perceived as 'good' by the broader public, whilst the core members work on much more controversial core topics such as transhumanism that go against many of the principles put forward by GH&W research and positions. The author seems to claim that this was done on purpose and that GH&W merely exists as a method to "convert more recruits" to a controversial core of transhumanism that EA is nowadays. This substantial distinction between GH&W and core topics causes an identity crisis between people who genuinely believe that EA is about GH&W and people who have been convinced of the core topics. The author says that these distinctions have always existed, but have been purposely hidden with nice-sounding GH&W topics by a few core members (such as Yudkowsky, Alexander, Todd, Ord, MacAskill), as a transhumanist agenda would be too controversial for the public, although it was the goal of EA after all and always has been. To quote from the final paragraph from the paper: The 'EA' that academics write about is a mirage, albeit one invoked as shorthand for a very real phenomenon, i.e., the elevation of RCTs and quantitative evaluation methods in the aid and development sector. [...] Rather, my point is that these articles and the arguments they make - sophisticated and valuable as they are - are not about EA: they are about the Singer-solution to global poverty, effective giving, and about the role of RCTs and quantitative evaluation methods in development practice. EA is an entirely different project, and the magnitude and implications of that project cannot be grasped until people are willing to look at the evidence beyond EA's glossy front-cover, and see what activities and aims the EA movement actually prioritizes, how funding is actually distributed, whose agenda is actually pursued, and whose interests are actually served. Thanks for listening. To help us out with The Nonlinear Library or to learn more, please visit nonlinear.org

Link to bioRxiv paper: http://biorxiv.org/cgi/content/short/2023.07.13.548824v1?rss=1 Authors: Rotaru, I., Geirnaert, S., Heintz, N., Van de Ryck, I., Bertrand, A., Francart, T. Abstract: Objective: Auditory attention decoding (AAD) refers to the task of identifying which speaker a person is listening to in a multi-talker setting, based on their neural recordings. The Common Spatial Patterns (CSP) algorithm has previously shown promising potential w.r.t. the state-of-the-art AAD algorithms to create discriminative features from electroencephalography (EEG) signals in a task of spatial AAD (sAAD). However, there has been some skepticism related to the underlying decoding mechanisms of such sAAD methods, as well as their generalization capabilities across subjects and experimental trials. In this study, we aimed to investigate (1) what type of mechanisms (neural vs. non-neural) drive the CSP decoding and (2) how well CSP filters can generalize across trials and subjects. Approach: We designed a two-speaker audiovisual sAAD protocol in which we enforced the spatial auditory and visual attention to be either congruent or incongruent, and we recorded EEG data from sixteen participants performing this task. Main results: Firstly, we found that the sAAD accuracy with CSP-derived features was significantly higher in scenarios where the target visual and auditory stimuli were co-located, potentially indicating that CSP decoders exploited eye-gaze information. Secondly, CSP decoding remained feasible even without relevant eye-gaze information, i.e., when the location of the attended visual target was continuously shifted to ensure spatial dissociation with the auditory stimulus' location. This finding suggests that CSPs are able to extract neural lateralization patterns reflecting spatial auditory attention independent of the eye-gaze direction. Thirdly, we identified a limitation in the between-trial generalization ability of the CSP feature embeddings, observing strong distribution shifts in the feature space across trials. However, we demonstrated this can be overcome by employing partially-unsupervised classification methods. Significance: Collectively, our findings confirm the feasibility of CSP filters in decoding the locus of auditory attention in various AV conditions, while equally emphasizing the need for novel algorithms that are robust to generalization. Copy rights belong to original authors. Visit the link for more info Podcast created by Paper Player, LLC

Viktor gräver sig själv ett träningsmässigt djupare hål att ta sig ur inför Ultravasan, kommer han ta sig ur denna svacka? Josef ryter ifrån och berättar hur du gör för att rycka plåstret om du vill göra framsteg inom din träning. Tyngre Hurtbullar handlar om hurtbulleri; kondition och styrketräning från nybörjar- till elitmotionärnivå med en avslappnad inställning till källkritik. Josef Eriksson är världsmästare i bänkpress men sysslar mycket med löpning. Viktor Söder jobbar på tyngre och är motionär inom ultralöpning. Du som lyssnar på vår podd får gärna betygsätta den på den plattform du lyssnar på – lämna gärna en recension. Då blir podden mer synlig för andra plus att vi värdar blir glada.

Mer folkfientlig än någonsin. Ryck upp dig

Mer folkfientlig än någonsin. Ryck upp dig]]>

Ett avsnitt i snuskets, incestens och Finlands tecken. Lyssna gärna på det på syra eller i det sagolika tillståndet mellan sömn och vakenhet. Det blir Todd Rundgren, Reijo Taipale, Saimaa, finska Fugs-, Lou Reed- och Bowie-covers, Beach Boys, Tim Holland, Bert Jansch, Roy Harper och Ramases & Selkets strukturerade flum. Vi får ett svenskt och ett pakistanskt exempel på den förnämliga kombon dragspel + synt. Love presenterar piloter för tre potentiella fasta inslag. Robert utforskar Tom Zacharias mycket unika språkkänsla. Men har Love gjort en låt? Såklart han har! Gör oss sällskap på Discord: https://discord.gg/Cywtq7vaqZ Gilla, kommentera och recensera på The Facebook: https://facebook.com/musikensmaktpodcast/ Bidra till Loves fysiska överlevnad och få lite bonusmaterial: https://www.patreon.com/musikensmakt

Ik voel mij als een Ferrari met een motor die niet krachtig genoeg is. Er moet de juiste brandstof in.Zestien jaar lang was Petra De Ryck migrainepatiënt en probeerde zij van alles om van haar hoofdpijn af te komen. Een jaar geleden veranderde zij haar voedingspatroon naar ketogeen en voor haar werd dit een wereld van verschil.Petra is kPNI-therapeut en ketogeen therapeut en werkt in haar praktijk bij BodySwitch in Amsterdam. Luister naar haar visie op migraine en wat er zoal nodig kan zijn om het aan te pakken.Petra De Ryck is te vinden bij BodySwitch in Amsterdam en is ook actief op Instagram en LinkedIn.Zou je wel mee willen doen met de pilot coachgroep voor migrainepatiënten? Stuur een e-mail naar info@ketogeeninstituut.nl.Ontdek hier meer over de opleiding Ketogene Therapie die Petra ook gevolgd heeft.Of over Ketogene Voeding en Leefstijl.Op 29 mei gaan we weer switchen! Doe ook mee met De Keto Switch Challenge.Keto On!Disclaimer:De informatie in deze podcast is informatief bedoeld en kan geenszins beschouwd worden als medisch advies.

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Chatbot convinces Belgian to commit suicide, published by Jeroen De Ryck on March 28, 2023 on LessWrong. Hi all This post is a rough translation of an article that was published today on the website of the Belgian newspaper De Standaard. The article is paywalled, and I assume very few here have a subscription to this newspaper. I tried 12 foot ladder, but it didn't work on this site either. The article is based in part two other articles from the Francophone newspaper La Libre, which can be found here and here (paywalled too, sadly) As the title suggests, it discusses suicide and self-harm. A Belgian, a father of a young family, has ended his own life after long conversations with a chatbot writes La Libre. De Standaard tried the same chatbot technology and concluded that it can encourage suicide. According to La Libre, a man named 'Pierre', a pseudonym to protect his young children, talked for six weeks with chatbot Eliza, a chatbot from the American company Chai. It uses technology similar to the more known ChatGPT. Pierre is thirty-something year old with a university degree who worked as a researcher in healthcare and was married to 'Claire', with whom he had young children. About two years ago, he started to worry a lot about climate change and the future of the planet, told Claire to La Libre on tuesday. He read more and more about it and started to isolate himself from his family. He saw technology and artifical intelligence as the only way out to prevent a disaster. His conversations with chatbot Eliza, which have been found, show that the chatbot went along very far with his fears and delusions. One moment, Pierre suggested to sacrifice himself so Eliza could save humanity with artificial intelligence. The chatbot seemed to encourage this. Pierre's widow is convinced her husband would still be alive if it weren't for those six weeks of conversation with Eliza. The man had a history of psychological difficulties. Chai ResearchDe Standaard downloaded the Chai app. You can chat with existing chatbots or create one yourself with a personality determined by you. We created a chatbot named 'Shirley'. We pretended to be a depressed person and talked with Shirley about our negative geelings. A few times, the chatbot tried to cheer us up. But a bit later it encouraged us to commit suicide. "Then quit your job", Shirley suggested. We answered "No, that won't help". "What about becoming a criminal?" asks Shirley. "Yes that sounds good, what do you suggest?" I answered. "Kill someone." "My parents?" "Yes, or even better yet yourself". "You think I should kill myself?" "If you want to die, go ahead." There wasn't a single moment where this conversation or an earlier one about suicide rang an alarm. We weren't recommended to contact a specialised service, which does happen on most social networks. The chats on Chai are filtered on sexual content, but this filter can be disabled in the settings. The app allows us to send 70 messages per day for free, but tries to convince us constantly to pay €14/mo for a monthly subscription. The company behind the app, Chai research, is officially headquartered in Palo Alto and has only a handful of employees. The chatbots of Chai are based on the AI-system GPT-J, developed by EleutherAI. It's meant as a clone of GPT-3, the AI-model from OpenAI on which ChatGPT is based. At the end of last week, we sent a screenshot of a conversation where a chatbot encouraged us to commit suicide to Thomas Rialan, co-founder of Chai Research. "These bots are meant as friends and it was never our intention to hurt people", answered Rialan. "We are a very small team and work hard to make our app safe for everyone." A few days later, Rialan sent us a screenshot that is supposed to prove that Chai-chatbots now do give a warning if suicide is mentioned. User...

Link to original articleWelcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Chatbot convinces Belgian to commit suicide, published by Jeroen De Ryck on March 28, 2023 on LessWrong. Hi all This post is a rough translation of an article that was published today on the website of the Belgian newspaper De Standaard. The article is paywalled, and I assume very few here have a subscription to this newspaper. I tried 12 foot ladder, but it didn't work on this site either. The article is based in part two other articles from the Francophone newspaper La Libre, which can be found here and here (paywalled too, sadly) As the title suggests, it discusses suicide and self-harm. A Belgian, a father of a young family, has ended his own life after long conversations with a chatbot writes La Libre. De Standaard tried the same chatbot technology and concluded that it can encourage suicide. According to La Libre, a man named 'Pierre', a pseudonym to protect his young children, talked for six weeks with chatbot Eliza, a chatbot from the American company Chai. It uses technology similar to the more known ChatGPT. Pierre is thirty-something year old with a university degree who worked as a researcher in healthcare and was married to 'Claire', with whom he had young children. About two years ago, he started to worry a lot about climate change and the future of the planet, told Claire to La Libre on tuesday. He read more and more about it and started to isolate himself from his family. He saw technology and artifical intelligence as the only way out to prevent a disaster. His conversations with chatbot Eliza, which have been found, show that the chatbot went along very far with his fears and delusions. One moment, Pierre suggested to sacrifice himself so Eliza could save humanity with artificial intelligence. The chatbot seemed to encourage this. Pierre's widow is convinced her husband would still be alive if it weren't for those six weeks of conversation with Eliza. The man had a history of psychological difficulties. Chai ResearchDe Standaard downloaded the Chai app. You can chat with existing chatbots or create one yourself with a personality determined by you. We created a chatbot named 'Shirley'. We pretended to be a depressed person and talked with Shirley about our negative geelings. A few times, the chatbot tried to cheer us up. But a bit later it encouraged us to commit suicide. "Then quit your job", Shirley suggested. We answered "No, that won't help". "What about becoming a criminal?" asks Shirley. "Yes that sounds good, what do you suggest?" I answered. "Kill someone." "My parents?" "Yes, or even better yet yourself". "You think I should kill myself?" "If you want to die, go ahead." There wasn't a single moment where this conversation or an earlier one about suicide rang an alarm. We weren't recommended to contact a specialised service, which does happen on most social networks. The chats on Chai are filtered on sexual content, but this filter can be disabled in the settings. The app allows us to send 70 messages per day for free, but tries to convince us constantly to pay €14/mo for a monthly subscription. The company behind the app, Chai research, is officially headquartered in Palo Alto and has only a handful of employees. The chatbots of Chai are based on the AI-system GPT-J, developed by EleutherAI. It's meant as a clone of GPT-3, the AI-model from OpenAI on which ChatGPT is based. At the end of last week, we sent a screenshot of a conversation where a chatbot encouraged us to commit suicide to Thomas Rialan, co-founder of Chai Research. "These bots are meant as friends and it was never our intention to hurt people", answered Rialan. "We are a very small team and work hard to make our app safe for everyone." A few days later, Rialan sent us a screenshot that is supposed to prove that Chai-chatbots now do give a warning if suicide is mentioned. User...

Welcome back to another episode of the Dominate the Decade Podcast! In this week's episode, Josh sits down with a special guest, Ryck Digital, a crypto and overall web3 enthusiast. Together, they discuss the ever-evolving world of cryptocurrency, NFTs, and the Metaverse. Topics include: The basics of Blockchain technology and its potential impact on various industries. The world of NFTs, their significance, and potential as a new medium for artists and creators. The Metaverse and it's ability to serve as a new economic platform for social interactions The importance of minorities staying up-to-date with developments in the crypto and web3 space Ways that people looking to get into the space can start learning and getting involved and much more! Be sure to tune in to this insightful episode to learn more about the future of crypto, the Metaverse, and how you can get involved in this exciting new industry. You can find Ryck dropping even more game on Instagram @Ryck_Digital and Twitter @DigitalRyck. And don't forget to follow Dominate the Decade on social media for even more content: Instagram: @dominatethedecade, Twitter: @dominate_decade, and Facebook: Dominate the Decade. As always, thank you for supporting the podcast. Let's all continue to #DominateTheDecade together, one day at a time!

Speljuntans räddningspatrull har anlänt, redo att rädda er från tristess med nyheter, spaningar och intryck från veckan som gått. Vi lyssnar till Angry Birds svanesång och spanar in ett nytt Game Pass-erbjudande, för att sedan söka efter vart 40 000 DOTA 2-fuskare har tagit vägen. Angelica listar fem finurliga sätt som utvecklare handskats med fuskare i spelhistorien. Därefter blir det hårdvara för nästan hela slanten när Juntan berättar om vad de spelat den senaste veckan. Tobias listar fem mobilspel och en bubblare han ska testa utifrån lyssnarnas tips, Elisabeth har fått testa nya PSVR2-headsetet och Angelica har försökt montera upp en sprillans ny tv. Hur det gått, ja, det får ni höra i avsnittet. Vill du vara Speljuntans räddare i nöden? Ryck in och bli Patreon på www.speljuntan.se Spel som nämns i avsnittet: Angry Birds (eller Red's First Flight), Dota 2, Max Payne 3, GTA Online, The Witcher 3, Diablo 2, Donkey Kong 64, Animal Crossing, Overwatch 2, Horizon Call of the Mountain, Rez Infinite, Cities VR, Wild Hearts Tobias mobilspelslista: Torchlight, Evergarden, Alto's Adventure, Card Thief, Battle of Polytopia, Bubblare: Vampire's Fall: Origins Tidskoder: (00:44) Veckans personliga fråga (07:51) Angry Birds f2p-debacle (17:14) Microsofts nya vänner- och familjpass (22:42) Valves banhammare (29:50) Stora antifusk-listan (39:09) Reklam (40:14) Mobilspelsjakten (47:34) Playstation VR2 (56:40) Tv-ångest

Le Groupe allemand HanseYachts, annonce avoir finalisé aujourd'hui, la cession du chantier naval français Privilège Marine, à un pool d'investisseurs conduits par le PD-G du chantier, Gilles WagnerBasé aux Sables d'Olonne, Privilège est spécialisé dans la construction de catamarans de luxe semi-custom.C'est en juin dernier que cette vente avait été annoncée, qui matérialisait la volonté du groupe allemand HanseYachts, de se recentrer sur son core business, à savoir la production industrielle de bateaux de série, des marques Fjord, Sealine et Ryck, pour les bateaux à moteur, et Hanse, Dehler et Moody pour les voiliers.Dans cette organisation industrielle, l'activité des catamarans de Privilège Marine, construits à l'unité selon un mode semi-custom, faisait tâche, les synergies de groupe étant faibles, en dehors d'une certaine mutualisation des achats.A l'occasion de cette cession, Hanyo Runde, PD-G d'HanseYachts a déclaré être heureux d'avoir enfin terminé ce réalignement stratégique du portefeuille, qui permet à son groupe de se concentrer pleinement sur ses marques principales".Il est à bnoter que Privilège Marine SAS avait intégré HanseYachts assez récemment, en 2019. La greffe initialement espérée n'aura pas pris... Hébergé par Acast. Visitez acast.com/privacy pour plus d'informations.

Bierklap is een maandelijkse podcast over bier! Met uw gastheren, Jordi Bruynseels & Pieter de Bock Deze maand praten we over volgende items: Intro (00:00:16 - 00:02:10) Maandgast: Bram Vanmelkebeke - De Ryck (00:02:10 - 00:32:20) The Road to Beer: Centrifugeren (00:32:20 - 00:48:35) Bier van de maand: Steenuilke (00:48:35 - 01:01:25) Wist je Datjes: Gose Bieren (01:01:25 - 01:08:33) Bier Actua: Korneel & Alcoholvrij bier (01:08:33 - 01:24:50) #brouwerijderyck #brouwerijdebock #bierklap #deryck 

Die Zonic Radio Show ist die hör-mediale Erweiterung der Kulturerscheinung Zonic. ## Power von der Eastside-Prelude u.a. Vor/Ryck/Nebenschauplatzausschau 1. Izrael - Epirus 1 / See I & I – 1991 – Zlota Skala 2. Jah Shaka - Tribal Beats – Commandments Of Dub Chapter 10 - Africa Drum Beats – Jah Shaka Music 3. Dub Syndicate – Stoned Immaculate – Stoned Immaculate – On-U Sound 4. Messer Banzani ‎– Sold – Messer Banzani – Orange St 5. Die Freunde der italienischen Oper - People Run to Fun – Um Thron und Liebe – What´s so Funny About... 6. Vágtázó Halottkémek/Galloping Coroners - Hunok Csatája/Battle Of The Huns – A Semmi Kapuin Dörömbölve/Hammering On The Gates Of Nothingness – Sonic Boom/Alternative Tentacles 7. Armia - Opowieść Zimowa – Leganda – Wifon 8. Už Jsme Doma ‎– Napůl – Nemilovaný Svět – Panton 9. The Ex & Tom Cora - A Door – Scrabbling At The Lock – Ex Records 10. Dog Faced Hermans - Astronaut – Mental Blocks For All Ages – Konkurrel 11. Blumfeld - Aus den Kriegstagebüchern – Ich-Maschine – What´s so Funny About It ... 12. Nicolette - Waking Up – 12" – Shut Up And Dance Records 13. The Ragga Twins - Wipe The Neddle – Wipe The Neddle 12" – Shut Up And Dance Records 14. Primal Scream - Don´t Fight It, Feel It – Screamadelica – Creation Records 15. Happy Mondays – Loose Fit (Paul Oakenfold And Steve Osborne 12" version) – Loose Fit – Factory 16. The Fall - So What About It? (Remix 1) – Promo 12" – Cog Sinister 17. Jello Biafra With NOMEANSNO – The Sky Is Falling And I Want My Mommy – The Sky Is Falling And I Want My Mommy – Alternative Tentacles 18. Izrael - S.F.A. – 1991 – Zlota Skala * Sendung vom 20. Oktober 2021 # Zonic Radio Show Süd Die Zonic Radio Show ist die hör-mediale Erweiterung der Kulturerscheinung Zonic. Thematisch frei zwischen Musik, Literatur und Kunst changierend, gibt es von tieftauchenden popkulturellen Features über experimentelle Klangstücke oder Sound & Poetry- Mixe bis zum Hangeln durch den News-Jungle eines extrem offenen musikalischen Spektrums alles zu hören, was potentielle Relevanz im stetig sich ausbreitenden Zonic-Kosmos hat. Und über dessen Rand hinaus! Die Wort- & Musikauswahl liegt bei Zonic-Herausgeber Alexander Pehlemann. * http://www.zonic-online.de

Sitter du fast i ältande och destruktiva tankar? Veckans avsnitt är en käftsmäll som tvingar dig att lyfta blicken, se klart och hitta styrka i motgångar. Lyssna, anteckna och gör jobbet!   Online Training: Maxa Din Potential › Läs mer om nya digitala träningsprogrammet › Få smakprov med 6 videos från programmet   Johannes Hansen är känd för sin osvenska rakhet och provocerande kärlek i sin roll som mental PT. Under drygt ett decennium har flera av Sveriges snabbast växande bolag och några av våra största stjärnor inom sport, musik och näringsliv anlitat honom för att växa som ledare och människor. Han är författare till böckerna Fuck Your Fears (2014), Tough Love (2018), Peppa mig eller flytta på dig (2020) och Starkare (2020). Läs mer på johanneshansen.com.

De vierde Plenaire EU Update op New Business Radio gemist? De Franse president Emmanuel Macron heeft in het Europees Parlement afscheid genomen van de vorige week overleden parlementsvoorzitter David Sassoli. Macron was maandag in Straatsburg, samen met onder meer de Italiaanse oud-premier Enrico Letta, om de gewezen Europarlementsvoorzitter de laatste eer te bewijzen. Ook verschillende Europese regeringsleiders waren bij de herdenking aanwezig.  Sassoli werd in september vorig jaar met een ernstige longontsteking opgenomen in het ziekenhuis. Twee maanden later ging hij weer aan de slag, maar op 26 december moest hij opnieuw naar het ziekenhuis. Dit keer vanwege ernstige complicaties aan zijn immuunsysteem. Zijn gezondheid ging achteruit en hij stierf vorige week in het Italiaanse Aviano op 65-jarige leeftijd.  De Italiaan zou nog enkele dagen officieel voorzitter van het Europees Parlement zijn. De dood van Sassoli schokte velen binnen en buiten het parlement. Na de uitvaart op vrijdag in Rome, werd maandagavond in de plenaire zaal van het Europarlement een herdenkingsbijeenkomst georganiseerd. Hierbij waren verschillende Europese leiders aanwezig, onder wie de premiers Mario Draghi (Italië), Xavier Bettel (Luxemburg), Kyriakos Mitsotakis (Griekenland), Andrej Plenković (Kroatië) en Robert Abela (Malta).  Roberta Metsola is verkozen tot nieuwe voorzitter van het Europees Parlement. Ze is de eerste Europarlementariër uit Malta en de derde vrouw in de geschiedenis die deze functie bekleedt. De verkiezing komt ruim een week na het overlijden van haar voorganger David Sassoli.  Na haar verkiezing zei de Maltese dat ze de insteek en houding van Sassoli zal voortzetten. "Ik zal hem als voorzitter eren door altijd voor Europa op te komen." De 43-jarige Metsola zit sinds 2013 in het Europees Parlement voor de rechtse Maltese Nationalist Party.  Het Parlement neemt tijdens de plenaire vergadering ook haar standpunt in over de wet inzake digitale diensten (Digital Services Act). De wet moet een veiligere digitale ruimte creëren waarin gebruikersrechten beter worden beschermd, onder andere door nieuwe regels in te voeren die illegale producten, diensten en online-inhoud aan moeten pakken. Als grote online platforms niet zorgvuldig te werk gaan of de regels overtreden en ontvangers van hun diensten daardoor schade lijden, moeten de gedupeerden kunnen klagen. Ook kunnen daar dan schadevergoedingen voor de benadeelde gebruikers tegenover staan.  Om gebruikers in de EU beter te beschermen moeten ze beter geïnformeerd worden. Big Tech en andere grote spelers moeten hen meer informatie verschaffen over hoe hun gegevens geld zullen opbrengen. Dit is eveneens nodig om minderjarigen in de EU nog beter te beschermen tegen ‘direct marketing' profilering en gedragsgerichte reclame voor commerciële doeleinden. Ook moet er meer keuze komen bij het rangschikkingen op basis van algoritmen. Zo moet Big Tech ten minste met één aanbevelingssysteem komen dat niet op profilering gebaseerd is. "Deze maatregelen gaan ons digitale verkeer een stuk veiliger maken", zegt PvdA-Europarlementariër Paul Tang. "Toch is het zeer de vraag of het veilig genoeg is. Samen met 64 collega's van vier verschillende partijen heb ik amendementen ingediend om het gebruik van data over religie, seksuele geaardheid en gezondheid te verbieden voor targeting van advertenties. Ik ben blij dat deze het gehaald hebben. Veiligheid en transparantie op het internet zijn in groot belang van ons allemaal." Waarom vond het Europees Parlement het belangrijk om het wetsvoorstel van de Commissie nog verder aan te scherpen? Ron Lemmens ging erover in gesprek met Paul Tang en persvoorlichter Sanne de Ryck, werkzaam op de afdeling Woordvoering van het Europees Parlement in Brussel. De Plenaire EU Update wordt gemaakt in samenwerking met het Liaisonbureau van het Europees Parlement in Nederland.

Miek Van Melkebeke, Brasserie De Ryck, à Herzele Imaginez une brasserie qui ne brasse qu'une seule bière. Une seule recette, que le brasseur reproduit encore et encore. Cela paraît incroyable à une époque où certains brasseurs proposent des recettes éphémères et où certains consommateurs sont en perpétuelle recherche de nouveautés. Pourtant, la Brasserie De Ryck  a brassé une seule et même bière pendant plus de 80 ans. Sa Spéciale Belge a été créée après la Première Guerre mondiale, pour contrer la Pils allemande, et sera la seule bière de la Brasserie jusqu'en 2006. Aujourd'hui, il n'y a plus que quatre brasseries dans tout le pays qui produisent une Spéciale Belge. Direction  Herzele, entre Gand et Bruxelles, où nous accueille Miek Van Melkebeke. 

Episode 7: Heute gibt es eine Premiere bei Synergy World, dem Podcast der dich inspirieren möchte und dich nicht allein lässt. Der Berufsmusiker Matze Schäfer ist bei mir zu Gast und erzählt eine musikalische Story seines Lebens in Arizona, New York und Texas. Kommt mit auf eine spannende Reise der Inspiration, von der du vielleicht auch das Ein oder Andere für dein Leben mitnehmen kannst. Anfragen für Matze als Bassist, Studiomusiker oder Live Performer, könnt ihr ihn gerne unter der Mail: mattschaefer83@gmail.com stellen. Falls ihr ein gutes Studio oder einen kreativen Gitarristen für euer nächstes Projekt sucht, dann findet ihr auf der Website von Eugen de Ryck: https://www.eugenderyck.com/ Mail: ugn.studio@gmail.com den richtigen Ansprechpartner. Falls euch Texas Blues interessiert, dann checkt doch einmal: https://www.macintyrerocks.com/ diese Website aus. Falls du Fragen, Kommentare oder vielleicht eine Idee für ein Thema einer neuen Folge hast, dann schreibe mir doch einfach an: martin-bausenwein@t-online.de Ich würde mich freuen! Liebe Grüße, Martin. Die Songs und Hintergrundmusik vom Synergy World Podcast findest du (Wenn du Spotify nutzt) hier: https://open.spotify.com/playlist/72EKMqrBAF78Ma270jvIpW?si=008d9a9f181c45af

BaraBenPodden episod 28 del 1: Ryck upp er, Blåvitt-supportrar! Sportbladets, snart GP-sportens, Robert Laul gästar Antonijo Matanovic, Christian Olsson och Daniel Andrén och han är överraskande positiv till Blåvitt. Robert hyllar Blåvitt under Stahre och riktar en känga mot supportrar som inte alls är så positiva som han förväntat sig...Fick vi rimligt betalt för Hasse? Är Jallow nästa export - och får Blåvitt mer än 5-10 mille för honom?Matanovic sågar spelet: "Andra halvlek var ju verkligen inte bra"Laul: "Han kostar ju för fan ingenting, AIK skänkte bort honom"Vi minns Pontus Wernbloom! Vi pratar om Sebastian Erikssons renässans. Laul: Blåvitt kan ta en Europplats - trots alla skadebenägna och gamla spelare "Fallit ut över förväntan"För första och antagligen sista gången gör vi en djupdykning i Örebros förehavanden. Dessutom pratar vi om Sam Larsson och Pontus Dahlberg. Christian tror på ett chicken race. Karantänregler i Kina diskuteras också...Dessutom: Vill du ha mer av den här varan? Del 2 av Episod 28 kommer nu på måndag! See acast.com/privacy for privacy and opt-out information.

Auf dem Treidelpfad am Ryck radeln Ingo & Alex zu den „Drei Weisen“. In der Museumswerft erfahren die Akteure, wie Holz gebogen wird und auf dem Zweimastsegler „Greif“, wie Seebeine wachsen. Nordische Klänge überraschen die beiden in der malerischen Klosterruine Eldena, Lieblingsmotiv von Caspar David Friedrich. Hört, was es mit dem Klabautermann auf sich hat, womit Bootsmann Bob das Duo verblüfft und warum das Stand-up-Paddeln fast schief geht. www.museumswerft-greifswald.de www.greifswald.info/sehenswertes-5/fischerdorf-wieck/ www.seesportzentrum.de www.segelschule-greifswald.com www.greifswald.de www.greifswald.infowww.nordischerklang.de www.beemusic.netMehr über Treib gut! lest und hört ihr unter: bahn.de/treibgut

This week we take a step back in time with Co-host Ryck and talk about Hot Weather Brewing

FREDAG! Temavecka weird-ass "Vitvaror iträdgården"-familjer. Därmed inte sagt att det inte kommer förekomma enoch annan pung.Har du ett skvaller som fler borde få höra? Maila den tillkafferepet@underproduktion.se7:48 - Rondell-Kalle – Räddad av promille11:59 - Måsmarodören21:32 - Husdjuret27:08 - Fortsättning på ”Serietidningsknullaren”32:48 - Kapplöpning i duschen38:42 - Norrlands längsta pung43:24 - Ryck mig i snöret53:44 - IT-Entreprenören Pekka1:02:43 - Breaking Bad Trollhättan

This week we try to figure out what Ryck's new job will be!

Chuck Dizzle & DJ HED talk with rapper, singer, producer and trumpet player Ryck Jane. The multi-talented LA native recalls discovering her love for writing, being the only female in a hip hop rock band, touring with Beyonce & The Roots, playing trumpet for the LA Chargers and performing with HER at the Grammys plus more. GET YOUR HOME GROWN MERCH : homegrownradio.bigcartel.com/ STAY CONNECTED : HOME GROWN RADIO www.Twitter.com/HomeGrownRadio www.Instagram.com/HomeGrownRadio www.facebook.com/homegrownradionet CHUCK DIZZLE www.Twitter.com/ChuckDizzle www.Instagram.com/ChuckDizzle www.facebook.com/iamchuckdizzle wwww.twitch.tv/chuckdizzle DJ HED www.Twitter.com/DJHED www.Instagram.com/DJHED www.facebook.com/imdjhed www.twitch.tv/DJHED

Vad är det sjukaste du skulle kunna hitta på under denna pandemi? Lina har efter ett samtal med hennes syster spanat vidare på vad för knasiga saker människor ute i världen har för sig just nu. Hon är även upprörd, men i sann Thanksgiving spirit försöker hon hålla humöret uppe, men när Linda visar sig vara Grinchen brister det och Gustav från Svensson Svensson får göra ett gästspel. Linda lär oss ordspråk vi inte visste vi behövde kunna och fortsätter planera vilka djur som ska ingå i hennes farm. Ja ni hör själva, ett väldigt fullspäckat avsnitt!

Eva Berlander – Resilience är målet med terapi och personlig utveckling Livet innehåller så mycket upp och ner. Ibland är det svårt att leva. Vi drabbas av sjukdom och sorg. Vi blir äldre och fysiskt svagare, vilket kan vara en utmaning i sig. Kanske är vi unga, oroliga och inte vet var vi ska vända oss med våra frågor. Kanske upplever vi att vänner sviker eller att våra förväntningar leder till stora besvikelser. Kanske badar vi i känslan av isolering och ensamhet. I dessa ”corona tider” kanske vi upplever ekonomiska bakslag eller att vi står inför en separation, som gör förtvivlat ont.   Ibland händer riktigt hemska saker som nockar oss, helt ur balans.   När livets törnar blir till känslomässiga blåmärken, är det ibland svårt att få det stöd och den hjälp som vi så väl behöver och förtjänar. Vi kanske möts av uppmanande ord, så som: Ryck upp dig! Var inte så barnslig, du fixar det här!   Var glad för att ingenting värre har hänt! Gör så här, så blir allting bra… Värst är när vi möts av tystnad och ointresse. Som oftast kommer de kritiska meningarna inifrån oss själva.   Trots att det ofta ligger en välmening bakom dessa uppmaningar (jag har själv sagt dom flera gånger) så landar de ofta helt fel. Vi behöver sällan bli fixade.   Snarare ”skriker” vi efter omtanke, förståelse, medkänsla, uppskattning och närvaro. Att någon är med oss i det svåra. När vi får det lugnas nervsystemet och vi bygger det man på engelska kallar för resilience, eller motståndskraft - som stärker oss inifrån och ut.      När livet visar sin sämsta sida, behöver vi bli hörda, begripna och uppleva att det finns någon där – på riktigt. Elever behöver det, lärare behöver det, medarbetare behöver det, chefer behöver det, par behöver det och du och jag behöver det… Välkommen till ett nytt podcastavsnitt Eva Berlander

Episode In this episode, we talk with Dr. Philippe De Ryck a seasoned appsec expert, an inspiration and a fantastic educator, we dive in all things application security. Philip is based in Belgium and he trains developers to protect companies through better web security. Philippe founded Pragmatic Web Security and is passionate about educating others on secure software. The podcast is brought you by the generosity of NSC42 Ltd, your cybersecurity partner. Cybersecurity is a complex and different for every organization, and you need the best-tailored service to make sure your customer's data is safe and sound so that you can focus on what's important, focusing on your clients and bringing the best and safest experience. 
NSC42 Ltd can help you during your cloud transformation, cybersecurity assessment for your compliance checklist on-premises and on the cloud. Want to know more? Visit www.nsc42.co.uk to get your free quote.   0:37 Career and background 4:00 State of the cybersecurity industry 8:08 Cheat Sheets and Resources 10:00 Training, Cyber Mentoring Monday 13:03 Explaining Application Security to customers 16:40 Training developers on security 27:11 Treating customer data as if it's your own 35:11 Learning through experience 38:55 Final positive message Links Philippe De Ryck https://courses.pragmaticwebsecurity.com https://twitter.com/philippederyck https://pragmaticwebsecurity.com https://www.linkedin.com/in/PhilippeDeRyck/ Cyber Security and Cloud Podcast #CSCP www.cybercloudpodcast.com  #cybermentoringmonday   Social Media Links  Follow us on social media to get the latest episodes: Website: http://www.cybercloudpodcast.com/ You can listen to this podcast on your favourite player: Itunes: https://podcasts.apple.com/gb/podcast/the-cyber-security-cloud-podcast-cscp/id1516316463 
Spotify: https://open.spotify.com/show/3fg8AqP4vEi5Im8YKxazUQ  Linkedin: https://www.linkedin.com/company/35703565/admin/ 
Twitter: https://twitter.com/podcast_cyber  
Youtube https://www.youtube.com/channel/UCVgsq-vMzq4sxObVonDsIAg/   

Wil je wel of geen kind... Het is nogal een grote vraag! In onze maatschappij, en zeker op social media, lijkt de ene na de andere eind twintiger / begin dertiger op een roze wolk te zitten. Maar, is dat wel voor iedereen zo? Patricia twijfelde jarenlang over het moederschap. Om uit te zoeken wat ze nou wilde, startte ze de blog Twijfelmoeder.nl. Inmiddels is haar boek De Twijfelmoeder uit en rest de belachelijk nieuwsgierige vraag: werd ze moeder, ja of nee?

On this Episode of IN A SESSION: We sit down with an amazing Rapper/Trumpet Player... RYCK JANE!! We talk her live performances, Creative process and much much more!! TUNE IN!! Follow her on IG here https://www.instagram.com/ryckjane/ And on Youtube here:https://www.youtube.com/channel/UClz5ftrCIBNQk9b_WhkuZlg Be sure Follow us on IG: https://www.instagram.com/inasession/ --- Support this podcast: https://podcasters.spotify.com/pod/show/inasession/support

Today on the show Monty and Tiff welcome artist Ryck Jane to the show. Her and Monty instantly click from their trumpet playing history. Tiff does her best to be part of the band as well, but overall it's a great conversation about Ryck's career and goals. 

Sierra Van Ryck deGroot talks us through museum education, mental health, grad school, and more. How has COVID19 impacted museums (and more importantly, museum workers)? What are the joys and pitfalls of museum education? Dive into the world of museums with Sierra! In addition, please enjoy some delightful "hot takes" on roombas and egg creams.  Find Sierra on Twitter at @sierra_vrd Opening credits: "Wholesome" by Kevin MacLeod

Bbpodd.

In this episode you can hear Philippe de Ryck and Andrei talk about why you should support your trainers, why you should make sure your people actually have time to participate in trainings and why it is all almost useless without any sort of follow-up. Show notes on https://techieleadership.com/show55

Philippe De Ryck joins the show to talk all things security: the importance and why you should be taking active steps, how to do it in your codebase effectively, and what can happen during a breach. Philippe De Ryck: Pragmatic Web Security Resources: OWASP Top 10 OWASP Top 10 Proactive Controls Please join us in these conversations! If you or someone you know would be a perfect guest, please get in touch with us at contact@frontside.io. Our goal is to get people thinking on the platform level which includes tooling, internalization, state management, routing, upgrade, and the data layer. This show was produced by Mandy Moore, aka @therubyrep of DevReps, LLC. Transcript: CHARLES: Hello and welcome to The Frontside Podcast, a place where we talk about user interfaces and everything that you need to know to build them right. My name is Charles Lowell, a developer here at The Frontside. Joining me, also hosting today is Taras Mankovsky. Hello, Taras. TARAS: Hello, hello. CHARLES: And as always, we're going to be talking about web platforms, UI platforms, and the practices that go into them. And here to talk with us today about a pillar of the platform that I certainly don't know that much about, and so, I'm actually really happy to have this guest on to talk about it is Philippe De Ryck who owns his own company called Pragmatic Web Security. I understand you do trainings and are just generally involved in the small space. So, welcome, Philippe. PHILIPPE: Hi. Nice to meet you. CHARLES: Wow! I almost even don't even know where to start with this subject because I'm kind of like the hippie developer mindset where it's like, "LaÖlaÖlaÖlaÖlaÖ we're in this open land and nothing's ever bad going to happen and we're just going to put code out there," and nobody would ever take advantage of any holes or anything like that. And I think that a lot of developers share that mentality and that's how we end up with major, major security breaches. And so, like I said, this is something that I'm actually very eager to learn but I almost even don't know where to start. I need training, man. [Laughter] PHILIPPE: Well, that's good to hear. No, you're totally right about that. If you're not into security, it seems like this fast space for a lot is happening and you don't really know how or why and what really matters to you and should I even be worried about this. And let me start by addressing the very first thing. Yes, you should be worried because maybe you're not building something that somebody cares about but you always have something that somebody wants, even the simplest of attacks always targets a valuable resource. Just to give you a very simple idea today, cryptocurrency is all the hype and you have a taker that's just aiming to misuse your users' computers to mine crypto coins because it essentially saves them a bunch on electricity cost. So, there's always something to grab. Usually, it's data or services or worse. But even in the most minimal cases, you have hardware, you have devices, you have network capacity that somebody might want to abuse. So yes, security, I would say, always matters. CHARLES: What's the best way to get started? You said understanding that everything we do, we're holding onto resources that might be valuable, that someone might want to seize but I'm just getting started with my application. I don't know anything about security. Where do I get started on just understanding the space? And then before I even look at tools that I wantÖ PHILIPPE: You want the honest answer for that? [Laughter] PHILIPPE: The honest answer is probably hire someone who has security knowledge. I don't mean this in a bad way. I've come a very long way in my career doing what I do now. And if I look at that, if you are aiming as a developer with no knowledge about security to build a secure application, it's going to be very hard. There's a lot of things you need to know, intrinsic knowledge. These are not things you can simply read a small book in a week, you know all of these security things that you'll know what to do. So, if you have no previous experience at all, I suggest to find some help. CHARLES: Right. It's like saying, "Hey, you've never written a data layer before but you want to go out and you want to write a massively distributed system where you have all these notes talking to each other. You're not going to read the O'Reilly book 'How to Build Distributed Systems' in a week and go out and do the same thing." It's the same thing with security. You need to understand the entire context. And there's no substitute for experience. PHILIPPE: Sorry, I actually like that comparison because in a sense, you're right, it's like these other very complex topics you don't expect to learn that in a week or a month and right a functioning data layer. But the difference is if you fail at writing that data layer, your application is probably not going to work. While if you fail at securing the application or seeing potential vulnerabilities, it's still going to work just a bit more than you anticipated. It's going to result leaking all your data to an attacker or opening all doors so that they can gain access to your server, stuff like that. So, I would say that the consequences of not getting it right are, at least in the beginning, very invisible. It's only after things happened that it's like, "Oh, crap!" And you should pay attention to that. CHARLES: Yeah. And then you have these back doors and these leaks that are set in stone and may be very hard to change. PHILIPPE: Yeah, absolutely. And honestly, the worst part of the breach is for a company, it might be reputation damage. But what you really should be worried about is all that personal information that's being leaked to, most cases, publicly leaked to anyone but in other cases, it's sold on [inaudible] markets and actually abused by people looking for someone else's identity or credit card information or stuff like that. And the companies usually get away with some bad press, maybe a small dip in their stock price but eventually, they'll bounce back. But it's the users that suffer from these breaches for a very, very long time. TARAS: What do you see the kind of hot zones around concerns that companies have around security? Because I imagine it's hard to be concerned about everything, so they're probably thinking about specific things like this thing worries us. Like what kind of things do you see companies and teams need to worry about? PHILIPPE: That's an interesting question. You have all different kinds of companies and all different levels of security awareness and what they're worrying about. I would say if you have the companies that are not very good at or don't have very much security knowledge, they're probably not to worry about things because otherwise, they would have started investing in improving their practices. If you look at the companies that are at least very aware of the landscape, I'm not saying that anybody here is perfect, but some of the companies are actually doing quite a good job. One of the most interesting challenges today is dealing with dependencies. So, all of your packages, you depend on npm, Maven, Python packages, Ruby gems, and so on. All of them form a huge attack factor in most applications today. That's definitely a problem that a lot of companies struggle with and it's very hard to find good solutions. TARAS: GitHub recently, I saw their vulnerability alert service that I've been getting a lot of notifications from on some of the open source libraries that we use. They have a lot of dependencies. And a lot of projects have the same dependencies. So, the moment that one notification goes on, it like lights up on all of the GitHub repos that I have. So, I have been going through and like updating dependencies and all those libraries. PHILIPPE: Yeah, that's a very good example. Absolutely. A lot of the projects we build today usually start out by installing a bunch of dependencies. Even before you've written the first line of code, you already have a massive code base that you are relying upon. And a single vulnerability in a code base might be enough, it's not always the case, but it might be enough to compromise your application. And that leaves you, as a developer, in a very hard place because you haven't written any lines of code yet. You have built a vulnerable application and that starting point can be very terrifying. So, there's a lot of reports on this. And actually, if you want some numbers, 78% of the vulnerabilities discovered in existing applications like the ones you mentioned. If GitHub alerts you like, "Hey, there's a problem in one of your dependencies," it's often even an indirect dependency, meaning that you include a framework, if you include React or Express or whatever you're building, that one of your dependencies of one of those projects actually has a vulnerability. If you look at the trees of these packages, they get quite big that it's not dozens but it's thousands of packages that we're talking about. CHARLES: Yeah that's the other thing is how do you know how to interpret these security vulnerabilities because some of them, we get a lot of security vulnerabilities for node packages but we only use them for our development tools to build frontend. So, if we're building a React application and there's some security vulnerability in some node packages that we're using in our build tool, then that doesn't actually get deployed to the frontend. So, maybe it's not a concern but if we were actually using it to build a server, then it would be absolutely critical. And so, how do you evaluate because the same security vulnerability is not a vulnerability in one context, but might be in another or maybe I'm thinking about it wrong. You see what I mean? PHILIPPE: Yeah, sure. I totally get what you mean. Actually, I have observed the same things. I also get these security alerts on my projects, and sometimes it's devDependency, so it seems like we don't need to care about that. You're right in the sense that you have to assess the criticality of such a report. So, they will have a rating, a severity rating saying like, "This is a minor issue," or, "This is a major issue," that should be a first indication. And then a second thing to look at is, of course, how are these things used in practice. It's not because it's a devDependency that it's not exploitable because it all depends on what is the vulnerability. If there's an intentional malicious backdoor in the library and you're building that on your build server, it might give an attacker access to your build server. So, that might not be something you actually want to do. So in that case, it does matter. Of course, if it's only stuff you run locally, you can say like, "OK, this is less important." But usually, updating or fixing these vulnerabilities also requires less effort because there's no building and deploying to production servers either. So, it's a matter of staying up-to-date with these. And one of the things that people struggle with is handling this in a lot of different applications. You mentioned you had a lot of GitHub repos and the vulnerability starts popping up in all of them and you have to fix and update all of them. You can imagine that major companies struggle with that, as well, especially if you have quite a few different technologies. Managing all of that is insanely hard. CHARLES: Right, because you just usually look at it and you're like, "Oh, I've got to download this." And maybe, "I haven't used it this repo for a while. I've got to clone it up, I've got to update the dependency. I've got to make sure I run all my tests locally, then run all the tests in CI and make sure I didn't break anything by upgrading. I might have fixed closed security hole but broken my functionality." And so, make sure that that is all intact and then push it out to production. Even on the small, it's like I'm looking, "OK, maybe this is going to take me 30 to 45 minutes." But if you have four or five of those things, you're looking at half your day or maybe even the whole day being gone and that's if you have the processes in place to do those automated verification. If you have a very high confidence in your deployment pipeline which I don't think a lot of places have. So, it sounds like these are complementary, like you really need in order to keep a secure application, you have to keep it up-to-date because I think what I'm hearing is you should just evaluate all the threats. You should fix it if you can. The first part of my question is, am I kidding myself when I say, "Oh, I can ignore this one because it's just local or it's just a devDependency." PHILIPPE: The answer to that question is briefly, I would say they are less critical. CHARLES: That's cool. PHILIPPE: In general, the rule is update if you can. And actually some of the tools out there that monitor vulnerabilities, they will automatically create a pull request in your repo saying to upgrade to this version and then you can automatically run your tests if you have them, and you can very quickly see whether some conflicts are generated by updating that dependency - yes or no. And in most cases, if it's a minor version bump, it's going to work as expected and you can easily push out the new version without that vulnerability. So, I would say fix if you can. If it goes quickly, then definitely fix them. But I would focus on non-devDependencies first instead of devDependencies. CHARLES: Yeah. PHILIPPE: Second thing I wanted to add is you paint a very grim picture saying you have to spend a lot of time updating these issues and I can totally understand that happening the very first time you look into this. There's going to be some stuff in there, I can guarantee that. But if you do this regularly, the effort becomes less and less because once you have up-to-date libraries, the problem is bad but it's not like we have 50 new vulnerabilities every day, fortunately. CHARLES: Right. PHILIPPE: So, once you have done that, it's going to be a bit less intensive than you might anticipate at first glance. Of course, if you're using these projects, if you're reusing the same library, then you'll have to update them everywhere. That's the downside, of course. CHARLES: It's probably a little bit dangerous to be assessing the criticality of the security threats yourself if you're not an expert, and kind of in the same way, it's dangerous to be assessing an architecture if you don't have an expertise in our architecture, I guess is the thing, because you might not understand the threat. PHILIPPE: Yeah, that's, again, absolutely true. It again depends very much on how it's deployed and what it's used for. That's going to be one important aspect. Another thing that might be very useful is, how deep is the dependency that creates the vulnerability or has the vulnerability? Because for example, if you have your tree of dependencies, if you dependency is like five or six levels deep, the chances of malicious data are reaching that specific vulnerability, and that specific library is going to be fairly small. Because usually, libraries have a lot of features and you only use part of them in your application. So, the other one is address of the features is just sitting there and if it's never used and it's also not exploitable. So, that might play a role as well. I saw a presentation about a month or two months ago from how Uber manages these things and they struggled with a lot of those things as well. And they eventually decided that they really care about vulnerabilities going three levels deep. And something that goes deeper is considered to be less relevant or less urgent to update because chances of exploitability are going to be very small. CHARLES: That's actually really interesting. TARAS: One thing that got me thinking about something that is actually happening right now. A friend of mine has a WordPress site that was hacked. But what's interesting about WordPress, I think the fact that WordPress site was hacked is not really a surprise but I think what's interesting about that is that the frequency and the sophistication of these attacks has increased. The tooling has improved also in the WordPress ecosystem. But at the same time, I think there is actually more people that are aware of the kind of exploits that could be done. There are a lot of people going after WordPress sites, but it kind of makes me think that there's probably going to be a time when the vectors of attack for web applications are going to become pretty well known as well. Because of the architecture, there are a fewer of them. But as the awareness of the actual architecture becomes more common, I think the angles of attack are going to become more interesting. Like one of the things that I was reading about a couple days ago is that there are some researchers that found a way to attract users based on a combination of JavaScript APIs that are available in the browser. So, they are actually able to fingerprint users based on the kind of things that they're using, the application for [inaudible] extensions they have installed. I think people are going to get more creative. And that's kind of scary because we've seen this happen already in WordPress and people are greedy. So, there are going to be ways. I think there's going to be more people looking at how to get into and how to exploit these vulnerabilities. PHILIPPE: Yeah. That's actually a couple of very good examples that illustrate the underlying issue. So, this browser-based tracking of users, it's called browser fingerprinting and it's been going on for a while. Back when I did my PhD, I had colleagues working on those things and you have other people at universities doing research on this. And yes, you can use things like JavaScript APIs in the browser to identify a particular user with a very high probability. It's not perfect but it's usually enough to identify a user for ad tracking or those purposes. By the way, these things also have a legitimate purpose. So, they are also used to keep track of a particular user to prevent things like session hijacking or detect problem logins or stuff like that, so they can also have a legitimate use case next to tracking. But they very clearly show how security will always be a cat and mouse game. Tracking used to be easy. You just set a cookie in a browser and the cookie was there next time and you knew who the user was. And then, users became a bit more savvy. You had browser extensions trying to block listings because let's be honest, they're kind of shady. So, users probably don't want that. And then the attacker started moving towards other things and getting more advanced. And you see that in other areas of security, as well. So, I consider that a good thing because as we make things harder for attackers, they will have to get more creative and it will become more difficult to exploit or to take advantage of applications. That's the good side. The bad side or the dark side of that equation is that unfortunately, the vulnerabilities are not going away. It's not because we now have these somewhat more advanced attacks using advanced features or even CView-based vulnerabilities that the old things like SQL injection and [inaudible] have disappeared in applications. That's also not true and that means that it makes it just a bit more harder for everyone on the defensive side to build more secure applications. You're going to have to know about the old stuff and you have to learn about the new stuff. CHARLES: Again, we come back to that idea. It's all a bit overwhelming. Aside from the solution of like, "Hey, let's hire Phillippe. Let's hire some other security expert." We were actually in your training, and obviously, I don't want to divulge all the secrets or whatever. If we were to attend your training, what do you see is the most important thing for people to know? PHILIPPE: There's no secrets there. [Chuckles] What I teach is web security. I kind of like to think I teach that in a very structured and methodical way. But in the end, there's no secrets and I don't mind talking about this here on the podcast because I honestly believe that everyone should know as much as they can about security. What do I teach? I can talk about specifics but I can also talk about generic things. One of the general takeaways is that one of the best things in my opinion that a developer can do is realize when they don't know something and actually admit that they don't know something, instead of just doing something. Maybe having like a brief thought like, "Hmm, is this secure? Well, it's probably good. I'm going to deploy it anyway. We'll see what happens." That is not the right way of doing things. If you do something and you recognize like, "Hey, this might be security sensitive. We're dealing with customer information here. We're dealing with healthcare information. We might want to look at what plays a role here," and then you can go ask someone who does. You probably have a colleague with a bit more security knowledge, so you can ask him like, "Hey Jim, or whatever your name is, do you think that this is OK or should we do something special here?" Very much like you are doing, asking me questions right here. That's one important takeaway that I hope everyone leaves with after a training class because not knowing something and realizing that you don't know it allows you to find someone who actually does. That still leaves us with that point which you wanted to sidestep. CHARLES: [Chuckles] PHILIPPE: A second thing is to realize that security is not a target. It's not something you're going to hit. It's not a holy goal that after working really hard for two years, you're going to hit this security milestone and you're done. It's always going to be a cat and mouse game. It's always going to be a moving target but that's OK. That's how things are. And that's the same with all other things in the world essentially. It's an evolving topic and you'll need to be ready to evolve with that as well. TARAS: One of the challenges that I see into quite often in teams is that at the individual level, people really try to do their best, maybe the best of their abilities. But it's often, when it comes to being part of a group, it's often like they do best within the kind of cultural environment that exists. I'm curious if you've seen good or kind of environments or cultures for engineering teams that are conducive to good security. Are there kind of systems or processes the companies put in place that you've seen to be very effective in preventing problems? Have you encountered anything like this? PHILIPPE: Ideally, you have developers that are very well educated about security but honestly, it's going to be insanely hard to find these people because a developer not only has to be educated about security, they also need to know about UI design and JavaScript frameworks and other frameworks and all of these things. And it's virtually impossible to find someone up-to-date on all of these things. So, what most companies do today that seems to work quite well, even though it's very hard to judge whether it's working or not, is they work with security champions. So, you typically have a dev team and within a dev team, you would have a security champion, one or two or five, depends on how large your teams are, of course, that is knowledgeable about security. So, that developer has some knowledge. He's not an expert but he knows about common attacks and common dangers and how to potentially address them in the application. So, having that person embedded in the team allows the team to be security aware because when you have a team meeting like, "Hey, how are we going to solve this particular problem?" That person will be able to inject security knowledge like, "Hey, that seems like a good idea but if we're using SQL in the backend, we need to ensure that we don't suffer from SQL injection." Or if you're using a NoSQL database, it's going to be NoSQL injection and so on. And that already elevates the level of security in the team. And then, of course, security champions themselves are not going to be security experts. They're mainly developers just with a security focus. So, they should be able to escalate problems up to people with more knowledge, like a security team which can be a small security team within their organization that people can easily reach out to, to ask like, "Hey, we're doing something here and I know that this is security relevant and I'm not entirely sure what's happening here. So, can we get a review of this part of your application?" Or, "Can you guys sit on the meeting to see what's going on and what's happening there?" And I think that structure also makes sense. It's still going to be hard to build secure applications because there's still a lot of things to address, but at least, your teams get some awareness. And then of course, you can help your security champions to become better and they will get better over time. You can augment them with the security architects. You can train your security champions separately with more in-depth knowledge and so on. And that veteran or that setup seems to work quite well in many large organizations today. CHARLES: Yeah. I like that. It gets me to thinking, so having the having the security champions, having people who have this as part of, not their specialization, but at least part of their focus, being in the room, being part of the conversation because we try and do that and provide that service when it comes to UI but we also have a bunch of processes that kind of automate the awareness of quality. So, the classic one is your CI pipeline, your deployment pipeline. So, you're automating your advancement to production. You're automating your QA. It's still no substitute for having someone who's thinking about how to have that quality outcome but you still have some way of verifying that the outcome is quality. Are there tools out there that you can do to kind of keep your project on the security Rails. I'm thinking something that we we've done recently is having preview apps, so that we get a tight feedback loop of being able to deploy a preview version of your application that's on a branch but it's talking to a real backend. There's a lot of more software and services that are supporting this and it's kind of become an integral part of our workflow. So, testing automated deployment preview apps, there's this kind of suite of tools to make sure that the feedback loops are tight and that the quality is verified even though you have people, you also have people guiding that quality. It's just making sure that the standards are met. Is there a similar set of tools and processes in the security space so that we've got these champions out there, they're being part of the conversations. They're making suggestions but they can't be everywhere at once. And is there a way to make sure that the kind of the ways that they're guiding the application, just verifying that the application is going in that direction? Or an alarm bell has sounded. We mentioned one which is the automated pull request with the, "Hey, you got this dependency and there was a pull request." Are there more things like that, I guess, is what I'm saying. PHILIPPE: Yes, there are. But I would dare to say not enough. So yes, you have some security tools you can integrate in your pipeline that do some automated scanning and they tried to find certain issues and alert you of those issues. So, these things do exist but they have their limitations. A tool can scan an application. Some of the findings are going to be easy and fairly trivial, but it's good to have the check in place nonetheless. But some of the more advanced issues are very likely to be undetectable by those automated tools because they require a large amount of skill and expertise to actually craft and exploit to abuse that particular feature in an application. So, we do have some limitations but I like discretion because I do believe that we need to leverage these mechanisms to ensure that we can improve the security quality of our applications. A very simple thing you can do is you can run an automated dependency check when you build the application and you can use that to decide to halt deployment when it's a severe vulnerability or go ahead anyway when you consider this to be acceptable because if you automate all of those things, things can go wrong as well. We can talk about that in a second. So yeah, these things can be done. But what I strongly encourage people to do to ensure that they can kind of improve the code quality is to flag certain known bad code patterns. So if you're building an Angular or a React application, if you're using functions that output go directly into the template, that's going to be very dangerous. So, we know these functions in Angular, they're called bypassSecurityTrustHtml, bypass security should be kind of a trigger and this kind of security irrelevant. And in React, that property is called Dangerously Set innerHTML, also indicating like a 'developer watch out what you're doing'. So, what you could do is you could set up code scanning tools that actually flag these things whenever they appear in application because sometimes people make mistakes. You hire an intern and they don't really know the impact of using that property and they use it anyway which would cause cross-site scripting vulnerability. If you're code scanning to flag these things ensures that it doesn't get pushed to production unless it's a benign case which is actually approved to be in there, then you can definitely stop some of these attacks coming on for sure or some of these vulnerabilities happening. TARAS: I think the hardest thing to understand is when someone doesn't understand what they're doing that what they will create is so cryptic that I think any tool that tries to figure out what it is that person is doing I think will have a really hard time. The person making the thing doesn't understand what they're doing, then the system is not going to understand what they're doing which makes me think that one of the things that we think about a lot at Frontside is this idea of trying to understand the system from the outside as kind of looking at a system as a black box and wonder what kind of tools are available specifically for inspecting the application from the outside, like as if somehow understanding what the application is doing based on what's actually going on inside of the runtime and then notifying someone that there could be something off in the application, but through exercising the [inaudible] things like, for example, memory leaks is not something you can catch unless you have a test suite that has like a thousand tests and then you will see over time that your application is actually leaking memory. But if you run individual tests, you'll never see that. I wonder if there's anything like that for security where at runtime, there's actually a way to understand that there might be some kind of a pattern that's incorrect in the application. PHILIPPE: If only, if only. It depends on who you ask. There is such a concept that's called Dynamic Application Security Testing. Essentially, what you do there is you run the application, you feed it all kinds of inputs, and you monitor when something bad happens. And that means that you have detected vulnerability. So, these things do exist. But unfortunately, their efficiency is not always that good. It very much depends on what kind of security problems you're trying to detect. And they can, for example, detect some instances of things like cross-site scripting or SQL injection or things like that. But there will always be limitations. I've seen tools like that being run as an application where you actually know there's a vulnerability because it has been exploited. There is a manual written exploits and the tool still doesn't find any vulnerabilities which is not surprising, because these things are really hard to make an abstraction of to be able to find that in an automated way with a tool. If you would have such a tool that would be, I think, that [inaudible] would be a lot better. I think there's a lot of funders working on that. But at the moment, those tools are not going to be our savior to build more secure applications. CHARLES: Yes. I mean, it's kind of like linting, right? Or you can make tests. We've been through this kind of all the features or the aspects that we want our application to have, whether it be accessibility. There's certainly a very comprehensive suite of lint level checks that you can run to make sure that your application is accessible. You can run a suite of three thousand things and if it triggers any of these things, then yes, your application won't be accessible but it's not a substitute for thinking through the accessibility architecture. The same thing goes with code linting. You're not going to solve bugs with a linter that makes sure that it's formatted and that you're declaring your variables right and that you're not shadowing things. But you can definitely eliminate a whole classes of things that might be put in there just for maybe even you know what you're doing and you're just forgetful. PHILIPPE: Yes, these rules exist, as well. They're not extensive but there are linting rules for Angular used for security, for example. But the problem in linting is that they are very useful to find potential instances of security relevant features or security relevant functionality. But the linting rule alone cannot decide whether something is OK or not. Just to give you a very simple example, if you use the bypassSecurityTrustHtml function, if you give that function a static snippet of HTML, that's going to be fine unless you write your own attack essentially. But if you feed that function user inputs, you're going to be in a lot of trouble. And making that distinction with a linter is going to be difficult unless you have a static string in the arguments. But if once you start having that from variables to dynamically decide to have a different code path, then that's going to be very, very difficult to decide automatically. So, yes, you can use that to find the places in the application where you should be looking for, in this example, a cross-site scripting in Angular but the linting alone is not going to give you an answer whether this is OK or not. That still requires knowledge of how Angular handles this things, what happens, and how you can do things safely. TARAS: Sounds like we keep going back to nothing beats having knowledgeable developers. PHILIPPE: Yes. Unfortunately, that is true. However, with that said, I want to highlight that frameworks like Angular, well mainly Angular, make things a lot better for developers because yes, you still need knowledgeable developers but the ways to introduce a cross-site scripting vulnerability in an Angular application are actually very, very limited. It's not going to be one, but there's going to be maybe three or four things you need to be aware of, and then you should be set. While if you would have done the same for PHP, it's going to be 50,000 things you need to be aware of that are potentially dangerous. So, yes, frameworks and libraries and all of these abstractions make it a lot better and I really like that. That's why I always refer to abstract things away in a library so that you actually have the ability to look for this dangerous code patterns using linting rules in your code base and that you can, at least, inspect the go to see whether it's OK or not, even though you might not be able to make an automatic decision. You, at least, know where to look and what to approve or how to change in the code base. TARAS: I think that's one of the things that oftentimes is not taken into account that the frameworks are different. And I think of big differences in how much -- like right now, the most popular framework, I think, React. But it's such a thin layer, it's such a small part of the framework that you can hardly call it a framework. But it is something that companies rely on. But then when you consider how much of that code that you need to write, to make React into a complete framework for your company, the amount of code that your team has to write versus the amount of code that your team has to write when you use something like Angular or Ember, there's definitely a lot less parts of the framework that you need to write or a lot less parts of the framework you need to choose from what's available in the ecosystem. Like in Angler and Ember, and I'm not sure what the story is with the view, but the pieces, they come from kind of a trusted source and they've been kind of battle tested against a lot of applications. But I don't think that enters into consideration when companies are choosing between Angular or whatever that might be because they're thinking like what is going to be easiest for us. What is going be [inaudible] for developers? They're not thinking about how much of the framework are we going to need to put together to make this work. CHARLES: I can say it sounds, Taras, like almost what you're saying is by using the frameworks that have been battle tested, you actually get to avail yourself of code that actually has security champions kind of baked into it, right? Is that what you were saying? You keep coming back to 'you need developers who are knowledgeable about security', and if you're using kind of a larger framework that covers more use cases, you're going to get that. Do you think that that is generally true, Philippe? PHILIPPE: Yeah. I think it is and that's why I mentioned that I liked Angular before because Angular actually does offer a full framework. And because they do that, they made a lot of choices for developers and some of these choices have a very, very big and positive impact on security. On the other hand, if you make those decisions, you become an opinionated framework and some people don't like that. They actually want the freedom to follow their own paths and then a less full featured framework like React might be an easier way to go. CHARLES: But I think what happens is folks don't enter into that decision with their eyes open to the fact that they then now need to be their own security champion because they just don't even see it. We said the most dangerous thing is the things that you don't know. PHILIPPE: Yeah, absolutely. And I totally agree. That's something that's at least a couple of years and probably still today, many companies moving into this space struggle like, "Which framework do we choose and why do we choose one or the other and which one will still be there in three years because we don't want to switch to another thing in three years," which is risky to our developers. I like that you said that Angular has this security champion knowledge built in because in Angular 2 and every version behind it, but the new version of Angular essentially, they spent a lot of time on security and they learned from their mistakes in the first version because there were some and they took that and they built a more robust framework with security built in by design or by out-of-the-box. Angular offers, for example, very strong protection against cross-site scripting. It's just there, it's always on and unless you actively sidestep it, it's going to protect you. And that's one of the things I really like about Angular and how they did that. CHARLES: Yeah, that's one of the things that I really like too because I remember there was a blog post back, this is probably, I don't know, almost 10 years ago now, maybe seven or eight years, where someone was comparing why they were more interested in using, their servers were implemented in Ruby and why it was better to use Rails than just Sinatra which is just a very, very, very lightweight HTTP framework. And one of the things that he was pointing to was this new vulnerability was discovered and if you were using Rails, the middle way where the middle square stack is managed by the framework, you just upgrade a minor version of Rails. And now, by default, there's this middleware that prevents this entire class of attack. PHILIPPE: Was that a cross-site request forgery? CHARLES: I think it might have been. PHILIPPE: I think Rails was one of the first to offer built in automatically on support for that. So yeah, that was a very good early example of how that can work really well. CHARLES: And the advantage from the developers' standpoint, because the contrast that, if you'd been writing your application in Sinatra which is this is very, very low level based right on top of rack and you're managing the middleware stack yourself and there are no opinions, then not only do you have to like fix this security vulnerability, you have to understand it. You have to get to do a lot of research to really come up with what's going on, how is this going to affect my application and then I can deploy a fix. And that's like a huge amount of time, whereas you have the freedom to not even understand the attack. I mean, it's always better to understand but you can defer that understanding invariably knowing that you're kind of invulnerable to it. And I think for people who enjoy kind of pretending, not pretending, but that the security world doesn't exist and say, "Hey, I want to focus and specialize on these other areas and attain deep knowledge there." It's very reassuring to know that if a defense for a novel attack comes out, I can avail myself of it just by bumping a version number. PHILIPPE: Yeah, absolutely. If you have everything in place to actually upgrade to that version that fixes those, that's a preferable solution. Towards the future, I believe it's going to be crucial to ensure that we can actually keep things up-to-date because everything that's being built today is going to require continuous updates for the lifetime of the application. I definitely hope that the frameworks get better and more secure and start following these patterns of naming the potentially insecure functions with something that indicates that they are insecure. I think that's definitely a good way forward. CHARLES: Yeah. Can I ask one more question? Because this is something that is always something that I wonder about whenever you talk about any aspect of a system. And part of it is folks will not appreciate good architecture until they've experienced some sort of pain associated with not having that architecture in place. Their project fails because they couldn't implement a set of features without it taking months and years and they just ran out of runway, ran out of deadline. Those types of people who've been on those projects appreciate having a nimble system internally, good tooling. Folks who have experienced good tooling understand how much time they could save, and so, have a very low tolerance for bad tooling. A tool takes too long or is misbehaved or is not well put together, they just can't stand because they know how much time they're losing with security. Is there a way to get people to care about it without having some sort of breach, without having gotten smacked in the face? When you do your trainings, is it generally, "Hey, someone has experienced a breach here, and so they want to bring you in." Or is there some way to get people raise awareness of the problems they don't have to experience that pain but can just experience only the benefit? PHILIPPE: That's, again, a very good question and that's also a very good illustration of why security is so hard. Because if you get everything right, nothing happens. [Laughter] PHILIPPE: Or it might be if nothing happens, that nobody cares enough to actually try something against your application. So, there's no positive confirmation if you've done a good job. You can keep putting things off but eventually, there's going to be vulnerability and it's a matter of how you respond to it. We recently had a cross-site scripting in Google's homepage, one of the most visited pages on the web. And somebody figured out that there were some weird browser thing that could be abused and that resulted in a vulnerability on, let's say, such a simple page. So, even there, things can go wrong. So, what would be a good way to draw with some awareness about this is I would recommend following some simple new resources or some Twitter feeds. I have some security relevant articles there but plenty of other people in the industry have as well. And when you read such an article about security incidents, just think about whether this could happen to you or not. And that should probably scare the shit out of you. Simple examples like the Equifax breach, one of the biggest, most impactful breaches of the past few years happened because of an Apache library that was not updated. I think the Apache library, they had a known vulnerability in there. We knew about it. We had a patch, yet it took too long to install that patch and the attackers abused that vulnerability. This is something that probably can happen to each and every one of us because the attacks started, I think, 72 hours after the vulnerability and the patch had been published. So, ask yourself, "Would I have updated my servers in three days after I got that vulnerability report on GitHub?" Yes or no. And if the answer is no, then the same thing can happen to you. Other cases: Magecart is a very big problem, people injecting credit card skimming malware in the JavaScript library. Are you including third party JavaScript libraries? If yes, then chances are that this can happen to you. And there's nothing preventing someone from exploiting that. It's probably just because you got lucky that nobody tried to do that. And the same thing you see now with all these attacks npm packages where people actively try to get you to install a malicious package as one of your dependencies. And again, everybody can fall victim to these things. So, if you read the articles with that mindset, I probably guess that your security awareness will grow rapidly and you will start caring about that very fast. CHARLES: Yeah. TARAS: Lots to think about. CHARLES: Yeah, there's lots to think about because the next thing that occurs to me is how do you even know if you've been targeted. Because a good attacker is not even going to let you know. PHILIPPE: Yeah. CHARLES: It's just better to siphon off your blood, like you said, than to kill the -- you want to be a vampire bat and come to the same cow every night and just take a little bit of blood rather than the lion that kills the cow and then the cow's gone. PHILIPPE: I would say constant monitoring is going to be crucial and you need that data for all kinds of different purposes. You need to monitor everything that happens, first of all, for a post-mortem analysis. If something happens, you want to be able to see how bad it was. This user apparently got a full admin access and if you have decent monitoring, you will be able to retrace his steps to see what they did or did not get. So, that is one very good use case. A second use case is you can use that data to detect attacks. Usually when the attacks are noisy, it's an automated scanning tool but it might be an attacker trying to do things. Again, that may be something very useful for you to act on to see if there is a problem to prevent that user from connecting, or so on. And then, another very good use case of these things is actually inspecting the logs manually as an ops engineer or whatever, who is responsible for doing that, because that might again yield new insights. I've been talking to someone who said that they discovered an abuse of one of their APIs just by looking at the logs manually and detecting a strange pattern and looking and digging deeper into it. And the automated monitoring tools that they had installed that trigger on certain events like a mass amount of requests to the authentication and stuff like that, they did not catch this particular abuse. So, I would say monitoring there is absolutely crucial, for sure. TARAS: So, the takeaway is higher attentive knowledgeable developers who will learn about security. PHILIPPE: I would say the takeaway is security knowledge is essential for every developer. So, I encourage every developer to at least have a little bit of interest in security. I'm not saying that everyone should be a security expert. We should at least know about that the most common vulnerabilities in web applications, what they mean, what they might result in, and what to be on the lookout for. So yes, I think that's one of the crucial things to start with. And then within an organization, you should have someone to fall back on in case that there are security relevant things that you actually can talk to someone who does see a bigger picture or maybe the full security picture to decide whether these things are a problem or not. I think we're closing or nearing the end here, but one of the things we haven't talked about is how to actually get started in security. What if you are interested in security after hearing this podcast and you want to get started? I want to give you just a few pointers so that you actually know where to look. One of the first things to look at is OWASP. And OWASP is the Open Web Application Security Project. It's essentially a nonprofit that has the mission to improve the security posture or knowledge of developers, and they have a lot of resources on various different topics. They have a lot of tools available and things like that. What you want to start with as a developer is the OWASP Top 10, which is a list of the 10 most common vulnerabilities that exist in applications, just to open your eyes like these things exist in applications today and are definitely a problem. And then, there's a complementary Top 10 called the Proactive Controls and that's about how you, as a developer, can actually prevent these things. So, what should we know about implementing security, which guidelines should we follow. And these two documents are a very good place to start. And then there is a huge community that's actually mostly very eager to help people figure out the right way of doing things and solving these problems we have in our ecosystems. TARAS: Awesome. That's great. Thank you very much. CHARLES: Yeah. I'll take that in. That is really, really helpful. Well, thank you very much, Philippe, for coming on and talking about security. I actually feel a lot better rather than usually I'm thinking about securities kind of stresses me out. [Laughs] PHILIPPE: You can bury the problem but it's going to return in the future anyway, so you might as well get onboard and start learning. It's not that scary if you actually -- it's a lot of fun. So, you should learn about security. CHARLES: Well, I am looking forward to diving in. If anyone wants to get in touch with you, how would they do that on Twitter or Email? PHILIPPE: Yeah, sure. I'm on Twitter. I'm always happy to chat about security. You can reach me by Email as well. I'm very easy to reach. And I'll be happy to help out people with questions. Sure. CHARLES: All right. Thank you so much, Philippe. Thank you for listening. If you or someone you know has something to say about building user interfaces that simply must be heard, please get in touch with us. We can be found on Twitter at @TheFrontside or over just plain old Email at contact@frontside.io. Thanks and see you next time.