Podcasts about ssh

Dan and Kyle are back and this week they discuss SSH tips, playing Minecraft, and Kyle's new PeopleSoft Secrets Tool (psst). The PeopleSoft Administrator Podcast is hosted by Dan Iverson and Kyle Benson. Show Notes Minecraft, scp, and spaces @ 2:30 SSH Tips @ 8:00 psst - PeopleSoft Secrets Tool @ 12:45 psvault Python Click

Dr Elizabeth (Liz) Robison, EdD, RN, MSN, CNE, CHSE-A, is Professor Emeritus at Northwest Florida State College in Niceville, Florida, and former Simulation Center Coordinator for the ASN program, which included opening a new center and providing simulation facilitation within all levels of the ASN program. She prefers to go by Liz.. Liz has presented at several simulation based educational conferences and meetings. Her dissertation research involved learning styles and clinical judgment in a simulated clinical experience. She is currently in her second term on the INACSL Board of Directors serving in the role as Secretary/Treasurer and board liaison for the Sustainability Special Interest Groups. Additionally, she is a facilitator for their Simulation Education Program (ISEP), which is a 6-month online educational program. Liz is actively involved with the Organization for Associate Degree Nursing (OADN) Task Force on Simulation since October 2020, having completed reviews of over nine products, presented at conferences related to this work, and has published regarding the work of this group, both in the OADN Journal and ACEN Bridges Newsletter. She is a member of the Society for Simulation in Healthcare (SSH) and involved in several interest groups, presenting at their national conference through work with one of the groups. She is actively involved with the NLN as a co-chair for the NLN Foundation Scholarship Selection Committee, with prior years serving as a scholarship reviewer. She is a manuscript reviewer for Clinical Simulation in Nursing. Certifications she holds include Certified Nurse Educator with the NLN since 2008 and Certified Healthcare Simulation Educator with SSH since 2018, obtaining the advanced designation in 2021. Prior to going into higher education, Liz was a member of the Air Force Nurse Corps retiring after 22 years of service in a multitude of roles in clinical areas and leadership. With her second retirement now from the state, Liz has remained engaged in healthcare simulation and higher education community, consulting for Unbound Medicine, Inc. and GLG Insights.Sponsor: Inclusive Consulting: https://inclusiveconsultingservices.com/LinkedIn: https://www.linkedin.com/company/76504273/admin/

Ahoy! and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to -- talk like a pirate.  ARRR As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. On today's episode we are going to talk about the 9 Cs of Cyber Security.  Note these are not the 9 Seas that you might find today, the 19th of September, which happens to be the 20th annual International Talk like a Pirate Day.  They are the nine words that begin with the letter C (but not the letter ARRR): Controls, Compliance, Continuity, Coverage, Complexity, Competency, Communication, Convenience, Consistency. Please note that this talk is inspired by an article by Mark Wojtasiak from Vectra, but we have modified the content to be more aligned with our thoughts at CISO Tradecraft. Now before we go into the 9 Cs, it's important to understand that the 9 Cs represent three equal groups of three.  Be sure to look at the show notes which will link to our CISO Tradecraft website that shows a 9-box picture which should make this easier to understand.  But if you're listening, imagine a three-by-three grid where each row corresponds to a different stakeholder.  Each stakeholder is going to be concerned with different things, and by identifying three important priorities for each, we have our grid.  Make sense?  Okay, let's dig in. The first row in our grid is the focus of Executive Leaders. First, this group of executives such as the CEO, CIO, and CISO ensure that the IT controls and objectives are working as desired.  Next, these executives want attestations and audits to ensure that compliance is being achieved and the organization is not just paying lip service to those requirements.  Thirdly, they also want business continuity.  IT systems must be constantly available despite attacks from ransomware, hardware failures, and power outages. The second row in our grid is the focus of Software Development shops. This group consists of Architects, Developers, Engineers, and Administrators.  First, they need to ensure they understand the Coverage of their IT systems in asset inventories -- can we account for all hardware and software.  Next, developers should be concerned with how Complexity in their environment can reduce security, as these tend to work at cross-purposes.  Lastly, developers care about Competency of their teams to build software correctly; that competency is a key predictor of the end quality of what is ultimately produced. The third and final row in our grid is the focus of Security Operations Centers. This group consists of Incident Handlers and Responders, Threat Intelligence Teams, and Business Information System Officers commonly known as BISOs.  They need to provide clear communication that informs others what they need to do, they need processes and tools that enable convenience so as to reduce friction.  Finally, they need to be consistent.  No one wants a fire department that only shows up 25% of the time. So now that we have a high-level overview of the 9 C's let's start going into detail on each one of them.  We'll start with the focus of executive leaders.  Again, that is controls, compliance, and continuity. Controls- According to James Hall's book on Accounting Information Systems[i], General Computer Controls are "specific activities performed by persons or systems designed to ensure that business objectives are met." Three common control frameworks that we see inside of organizations today are COBIT, COSO, and ITIL. COBIT®, which stands for The Control Objectives for Information Technology was built by the IT Governance Institute and the Information Systems Audit and Controls Organization, better known as ISACA®.  COBIT® is primarily focused on IT compliance, audit issues, and IT service, which should not be a surprise given its roots from ISACA® which is an Audit and Controls organization.  Overall, COBIT® 2019, the latest version, is based on the following six principles[ii] (note that the prior version, COBIT® 5[iii], had five): Provide stakeholder value Holistic approach Dynamic governance system Governance distinct from management Tailored to enterprise needs End-to-end governance system COSO  stands for The Committee of Sponsoring Organizations of the Treadway Commission.  Their latest version is the 2017 Enterprise Risk Management - Integrated Framework, which is designed to address "enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.[iv]"  COSO states that internal controls are a PROCESS, effected by leadership, to provide reasonable assurance with respect to effectiveness, reliability, and compliance[v].  The framework consists of five interrelated principles[vi]: Governance and culture Strategy and objective-setting Performance Review and revision, and Information, communication, and reporting To support these principles, COSO defines internal controls as consisting of five interrelated components: Control environments, Risk Assessments, Control Activities, Information and Communication, and Monitoring Activities. The third framework is ITIL®, which stands for Information Technology Infrastructure Library. First published in 1989 (the latest update is 2019/2020), ITIL® is managed and maintained by AXELOS, a joint venture between the Government of the United Kingdom and PeopleCert, which acquired AXELOS in 2021. According to their website[vii], "ITIL 4 is an adaptable framework for managing services within the digital era.  Through our best practice modules, ITIL 4 helps to optimize digital technologies to co-create value with consumers, drive business strategy, and embrace digital transformation." (Talk about buzzword compliance).  ITIL® 4 focuses on process and service management through service strategy, service design, service transition, service operation, and continual service improvement.  What is interesting is that there is no third-party assessment of ITIL® compliance in an organization, only individual certification. At the end of the day an organization needs to pick one of these popular control frameworks and show controls are being followed.  This isn't just a best practice; it's also required by Sarbanes Oxley.  SOX has two sections that require control attestations that impact cyber.  Section 302 requires corporate management, executives, and financial officers to perform quarterly assessments which: Evaluate the effectiveness of disclosure controls, Evaluate changes in internal controls over financial reporting, Disclose all known control deficiencies and weaknesses, and Disclose acts of fraud. Since financial services run on IT applications, cybersecurity is generally in scope for showing weaknesses and deficiencies.  SOX Section 404 requires an annual assessment by both management and independent auditors.  This requires organizations to: Evaluate design and operating effectiveness of internal controls over financial reporting, Disclose all known controls and significant deficiencies, and disclose acts of fraud. Once we understand the requirements for controls, we need to be Compliant. Compliance is the second C we are discussing today.  Remember the CFO and CEO need to produce annual and quarterly reports to regulators such as the SEC.  So, if you as a CISO can help them obtain a clean bill of health or fix previous audit findings, you help the business. A useful tool to consult in terms of compliance is a concept from the Institute of Internal Auditors known as the three lines model or three lines of defense[viii].  This model has as a foundation six principles: Governance Governing body roles Management and first- and second-line roles Third line roles Third line independence, and Creating and protecting value The first line of defense is the business and process owners who maintain internal controls.  You can think of a software developer who should write secure software because there is an IT Control that says so.  That developer is expected to run application security scans and vulnerability scans to find bugs in their code.  They are also expected to fix these issues before releasing to production.  The second line of defense are elements of an organization that focus on risk management and compliance.  Your cyber team is a perfect example of this.  If the developer doesn't fix the application vulnerabilities before sending code to production, then the company is at risk.  Cyber teams generally track and report vulnerability findings to the business units to ensure better compliance with IT controls. Finally, the third line of defense is internal audit.  Internal audit might assess an IT control on secure software development and say we have an issue.  The developers push out bad code with vulnerabilities.  Cyber tells the developers to fix, yet we are observing trends that the total vulnerabilities are only increasing.  This systemic risk is problematic, and we recommend management comply with the IT controls by making immediate fixes to this risky situation. Now, other than the observation that the ultimate line of defense (internal auditors) is defined by the Institute of Internal Auditors (no conflict of interest there), note that internal auditors can report directly to the board.  Developers and CISOs typically cannot.  One of the most powerful weapons in an auditor's toolbox is the "finding."  The U.S. Code defines what represents a finding[ix] in the context of federal awards, to include: Significant deficiencies and material weaknesses in internal control and significant instances of abuse Material noncompliance with the provisions of Federal statutes or regulations Known questioned costs, specifically identified by the auditor, greater than $25,000 for a type of compliance requirement Internal auditors have both a mandate from and access to the board to ensure that the organization meets compliance requirements.  So, if you've been unsuccessful in getting funding for what you consider a critical security asset, maybe, just maybe, you casually point that out to the auditors so that it ends up in a finding.  After all, findings get funded.  Don't get caught, though, or you'll have some explaining to do to your boss who previously turned you down. Management cares a lot about Continuity. Remember, if the business is down, then it's not making money, and it's probably losing money by the hour.  If the business isn't making money, then they can't pay for the cyber department.  So, among your goals as a cyber executive is to ensure the continuity of revenue-generation services.  To start, you must identify what those activities are and find ways to protect the services by reducing the likelihood of vulnerabilities found in those systems.  You also need to ensure regular backup activities are occurring, disaster recovery exercises are performed, Business Continuity Plans are tested, and tabletops are executed.  Each of these activities has the potential to identify gaps which cause harm to the continuity that executives care about. How do you identify revenue-generating elements of the business?  Ask.  But do your homework first.  If you're a publicly traded company, the annual report will often break out lines of business showing profit and loss for each.  Even if it's losing money today, it still may be vital to the organization.  Think, ahem, about your department -- you're probably not making a profit for the company in the security suite, but your services are definitely important.  Look at the IT systems that support each line of business and assess their criticality to the success of that business component.  In today's digitized workplace, the answer will almost always be "yes," but since you don't have unlimited resources, you need to rack and stack what has to be protected first.  A Business Impact Analysis, or BIA, involves meeting with key executives throughout the organization, assessing the importance and value of IT-supported business processes, ranking them in the order in which they need to be assured, and then acting on that knowledge.  [I thought we had done an episode on BIA, but I checked back and couldn't find one.  So, expect to learn more about that in a future episode.] Backups and disaster recovery exercises are a must in today's world of ransomware and surprise risks, but make sure that you're not just hand-waving and assuming that what you think is working really is working.  Do what I call "core sampling" -- get with your team and dig way down until you reach some individual file from a particular date or can observe all logs collected for some arbitrary 5-minute period.  It's not that that information is critical in and of itself, but your team's ability to get to that information quickly and accurately should increase your confidence that they could do the same thing when a true outage occurs. Lastly, tabletop exercises are a great way to ensure that your team (as well as others from around the organization, up to and including senior leadership) know what to do when certain circumstances occur.  The advantage of tabletops is that they don't require much time and effort from the participants to go through emergency response procedures.  The disadvantage of tabletops is that you risk groupthink when everyone thinks someone else took care of that "assumed" item.  Companies have been caught flat-footed when the emergency diesel generator doesn't kick in because no one in the tabletop tests ever thought to check it for fuel, and the tank was empty.  Things change, and there's nothing like a full-scale test where people have to physically go to or do the things they would in a true emergency.  That's a reason why kids in school don't discuss what to do in a fire drill, they actually do what needs to be done -- get out of the building.  Be careful here you don't have a paper tiger for a continuity plan -- it's too late when things start to come apart to realize you hadn't truly done your homework. Those are the three Cs for executives -- controls, compliance, and continuity.  Now let's move on to developers. If you remember, the three Cs for developers are coverage, complexity, and competency. Developers need to care about Coverage. When we talk about coverage, we want to ensure that we know everything that is in our environment.  That includes having a complete and up-to-date asset inventory, knowing our processes are free from security oversight, as well as ensuring that our security controls are deployed across all of our potential attack surfaces.  "We've got your covered" is usually considered reassuring -- it's a statement that someone has thought of what needs to be protected. Specifically, our technical team members are the only ones who can generally tell if the IT asset inventory is correct.  They are the ones who run the tools, update the agents (assuming we're not agentless), and push the reporting.  If the scanning tools we use are missing hardware or software, then those gaps represent potential landing zones for enemy forces.  The Center for Internet Security's Critical Controls start with these two imperatives.  Essentially, if you don't know what you have, how can you secure it? Knowing our processes is key.  For developers today, it's much more likely that they're using a DevOps continuous integration / continuous delivery, or CI/CD process, rather than the classic waterfall methodology.  Agile is often an important part of what we do, and that continuous feedback loop between developer and customer helps to ensure that we cover requirements correctly (while being careful to avoid scope creep.)  Throughout our development cycle, there are numerous places where security belongs -- the art we call DevSecOps.  By putting all of our security processes into version control -- essentially automating the work and moving away from paper-based processes, we create a toolchain that automates our security functionality from pre-commit to commit to acceptance to production to operations.  Doing this right ensures that security in our development environment is covered. Beyond just the development pipeline, we need to cover our production environment.  Now that we've identified all hardware and software and secured our development pipeline, we need to ensure that our security tools are deployed effectively throughout the enterprise to provide protective coverage.  We may know how many servers we have, but if we don't scan continuously to ensure that the defenses are running and up to date, we are effectively outsourcing that work to bad actors, who fundamentally charge higher billing rates than developers when they take down critical systems via ransomware. In his book Data and Goliath, Bruce Schnier wrote, "Complexity is the worst enemy of security, and our systems are getting more complex all the time.[x]" Complexity is inversely correlated to security. If there are two hundred settings that you need to configure properly to make containers secure, that's a big deal.  It becomes a bigger deal when the team only understands how to apply 150 of those settings.  Essentially, your company is left with fifty opportunities for misconfiguration to be abused by bad actors.  Therefore, when possible, focus your understanding on how to minimize complexity.  For example, instead of running your own containers on premises with Kubernetes, try using Amazon Elastic Container Services.  There's a significant amount of configuration complexity decrease.  In addition, using cloud-based services give us a lot of capabilities -- elastic scaling, load balancers, multiple regions and availability zones, and even resistance to DDoS attacks.  That's a lot of overhead to ensure in a high-availability application running on servers in your data center.  Consider using AWS lambda where all of that is already handled as a service for our company.  Remember that complexity makes security more difficult and generally increases the costs of maintenance.  So only increase complexity when the business benefit exceeds the costs. From a business connectivity perspective, consider the complexity of relationships.  Many years ago, data centers were self-contained with 3270 green screens (or punched card readers if you go back far enough) as input and fan-fold line printer generated paper as output.  Essentially, the only connection that mattered was reliable electrical power. Today, we have to be aware of what's going on in our industry, our customers, our suppliers, consumers, service providers, and if we have them, joint ventures or partners.[xi]  This complex web of competing demands stretches our existing strategies, and sometimes rends holes in our coverage.  I would add to that awareness, complexity in our workforce.  How did COVID-19 affect your coverage of endpoints, for example?  Most work-from-home arrangements lost the benefit of the protection of the enterprise security bubble, with firewalls, scanners, and closely-manage endpoints.  Just issuing a VPN credential to a developer working from home doesn't do much when junior sits down at mom's computer to play some online game and downloads who-knows-what.  Consider standardizing your endpoints for manageability -- remove the complexity.  When I was in the Navy, we had exactly two endpoint configurations from which to choose, even though the Navy-Marine Corps Intranet, or NMCI, was the largest intranet in the world at the time.  Although frustrating when you have to explain to the admiral why his staff can't get fancier computers, the offsetting benefit is that when an emergency patch has to get pushed, you know it's going to "take" everywhere. Number six is Competency -- another crucial skill for developers. If your organization doesn't have competent developers, then more vulnerabilities are going to emerge.  So how do most other industries show competencies?  They use a licensure and certification process.  For example, teenagers in the United States must obtain a driver's license before they are legally approved to drive on their own.  Nearly all of us have been through the process -- get a manual when you get a learner's permit, go to a driving school to learn the basics, practice with your terrified parents, and after you reach the minimum age, try not to terrify the DMV employee in the passenger seat.  In the UK, the Driver and Vehicle Standards Agency recommends a minimum of 47 hours of lessons before taking the driving test, which still has only a 52% pass rate on the first attempt[xii]. Now ask yourself, is developing and deploying apps riskier than driving a car?  If so, consider creating a Developer Driver's License exam that identifies when developers are competent before your company gives them the SSH keys to your servers.  Before your new developer sits for the exam you also need to provide the training that identifies the Rules of the Road.  For example, ask: When a new application is purchased, what processes should be followed? When are third party vendor assessments needed?  How does one document applications into asset inventory systems and Configuration Management Databases? If you can build the Driver's Education Training equivalent for developer and measure competency via an exam, you can reduce the risk that comes from bad development and create a sense of accomplishment among your team. So, to summarize so far, for executives we have controls, compliance, and continuity, and for developers we have coverage, complexity, and competency.  It's now time to move to the last three for our security operations center:  clarity, context, and community. The seventh C is Communication. Let's learn from a couple quotes on effective communication. Peter Drucker said, “The most important thing in communication is hearing what isn't said.”  When you share an idea do you look at the person you are informing to see if they understand the idea?  What body language are you seeing?  Are they bored and not facing you, are they engaged and leaning in and paying close attention, or are they closed off with arms crossed?  We've probably all heard the term "active listening."  If you want to ensure the other party understands what you're saying (or if you're trying to show them you understand what they are saying), ask the listener to repeat back in their own words what the speaker has just said.  You'd be amazed how few people are needed to play the game of "telegraph" and distort a message to the point it is no longer recognizable. George Bernard Shaw said, “The single biggest problem in communication is the illusion that it has taken place.”  When you present a technical topic on a new risk to executives, ask questions to ensure they understand what you just shared.  If you don't do so, how do you know when you might be overwhelming them with information that goes right over their heads.  There's always the danger that someone will not want to look stupid and will just nod along like a bobblehead pretending to understand something about which they have absolutely no clue.  Richard Feynman had said, "If you can't explain it to a six-year-old, you don't understand it yourself."  Well, let me offer G Mark's corollary to that quote:  "If you can't explain it to a six-year-old, you can't explain it to your board."  And sometimes the big boss.  And sometimes your manager.  And sometimes your co-worker.  Ask for feedback; make sure the message is understood. Earl Wilson said, “Science may never come up with a better office communication system than the coffee break.”  When you want to launch a really important initiative that needs group buy-in, did you first have one-on-ones to solicit feedback?  Did you have an ear at the water cooler to understand when people say yes but really mean no?  Do you know how to connect with people so you can ask for a favor when you really don't have the resources necessary to make something happen?  Unless you are in the military, you can't issue lawful orders to your subordinates and demand that they carry them out.  You have to structure your communication in such a way that expectations are made clear, but also have to allow for some push-back, depending on the maturity of the relationship you've developed with your team.  [War story:  Just this past week, Apple upgraded to iOS 16.  We use iPhones exclusively as corporate-issued handsets, so I sent a single sentence message to my senior IT team member:  "Please prepare and send an email to all who have an iPhone with steps on how to update the OS soonest.  Thank you."  To me, that seemed like clear communication.  The next day I get a response, "People are slowly updating to 16.0 on their own and as the phone prompts them."  After a second request where I point out "slowly" has not been our strategy for responding to exploitable security vulnerabilities, I get a long explanation of how Apple upgrades work, how he's never been questioned in his long career -- essentially the person spent five times as much time explaining why he will NOT do the task rather than just doing it.  And today 80% of the devices are still not updated.  At times like this I'm reminded of Strother Martin in Cool Hand Luke:  "What we have here is failure to communicate."  So, my lesson for everyone is even though you think your communications are crystal clear, they may not be perceived as such.] Our last quote is from Walt Disney who said, “Of all our inventions for mass communication, pictures still speak the most universally understood language.”  If you believe that pictures are more effective than words, think about how you can create the best pictures in your emails and slide decks to communicate effectively.  I remember a British officer who had visited the Pentagon years ago who commented, "PowerPoint is the language of the US military."  I think he's right, at least in that context.  Ask yourself, are pictures part of your language? Convenience is our eighth C that we are going to talk about. How do we make something convenient?  We do it by automating the routine and removing the time wasters.  In terms of a SOC, we see technology in this space emerging with the use of Security Orchestration, Automation, and Response, or SOAR technologies.  Convenience can come in a lot of ways.  Have we created helpful playbooks that identify a process to follow?  If so, we can save time during a crisis when we don't have a minute to spare.  Have we created simple processes that work via forms versus emails?  It's a lot easier to track how many forms have been submitted and filter on field data versus aggregating unstructured emails.  One thing you might consider as a way to improve convenience are Chatbots.  What if someone could ask a Chatbot a Frequently Asked Question and get a quick, automated, and accurate response?  That convenience helps people, and it saves the SOC time.  If you go that route, as new questions get asked, do you have a way to rank them by frequency and add them as new logic to the chatbot?  If you do, your chatbot gets more useful and provides even greater convenience to the workforce.  How great would it be to hear your colleagues saying it was so convenient to report an incident and see that it was handled in such a timely manner.  Find ways to build that experience and you will become the partner the business wants. Last, but not least, is the 9th C of Consistency. Want to know how to create an audit finding?  Try not being consistent.  Auditors hate that and love to point out inconsistencies in systems.  I'm sure there are auditors right now listening to this podcast smiling with joy saying, "yup, that's me."  Want to know how to pass every audit standard?  Try passing the CARE Standard for cyber security.  CARE is a Gartner acronym that means Consistent, Adequate, Reasonable and Effective.  Auditors look at the Consistency of controls by performing tests to determine if the control is working the same way over time across the organization.  Auditors also look for Adequacy to determine if you have satisfactory controls in line with business needs.  Auditors ensure that your practices are Reasonable by identifying if there exist appropriate, fair, and moderate controls.  Finally, auditors look at Effectiveness to ensure the controls are producing the desired or intended outcomes.  So, in a nutshell, show Auditors that you CARE about cyber security. Okay, let's review.  Our nine Cs are for executives, developers, and SOC teams.  Executives should master controls, compliance, and continuity; developers should master coverage, complexity, and competency; and SOC teams should focus on clarity, communications, and consistency.  If you paid careful attention, I think you would find lessons for security leaders in all nine boxes across the model.  Essentially, don't conclude because boxes four through nine are not for executives that you don't need to master them -- all of this is important to being successful in your security leadership career. Well thanks again for listening to the CISO Tradecraft podcast as we discussed the 9 C's.  And for International Talk Like a Pirate Day, I do have a rrr-request:  if you like our show, please take a few seconds to rate us five stars on your favorite podcast provider.  Another CISO pointed out to me this past week that we came up first on Spotify when searching for C-I-S-O, and that's because those rankings are crowd-sourced.  It's a great way to say thank you for the time and effort we put into our show, and I thank you in advance.  This is your host G. Marrrrk Hardy, and please remember to stay safe out there as you continually practice your CISO Trrrradecraft. References https://www.vectra.ai/blogpost/the-9-cs-of-cybersecurity-value https://en.wikipedia.org/wiki/Information_technology_controls https://www.isaca.org/resources/cobit https://www.apexgloballearning.com/cobit-vs-itil-governance-framework-company-choose-infographic/ https://www.slideshare.net/alfid/it-control-objectives-framework-a-relationship-between-coso-cobit-and-itil https://internalaudit.olemiss.edu/the-three-lines-of-defense/ https://www.linkedin.com/pulse/15-quotes-effective-communication-jim-dent-lssbb-dtm/ https://www.gartner.com/en/articles/4-metrics-that-prove-your-cybersecurity-program-works?utm_medium=socialandutm_source=facebookandutm_campaign=SM_GB_YOY_GTR_SOC_SF1_SM-SWGandutm_content=andsf249612431=1andfbclid=IwAR1dnx-9BqaO8ahzs1HHcO2KAVWzYmY6FH-PmNoh1P4r0689unQuJ4CeQNk   [i] Hall, James A. (1996).  Accounting Information Systems.  Cengage Learning, 754 [ii] https://www.isaca.org/resources/news-and-trends/industry-news/2020/cobit-2019-and-cobit-5-comparison [iii] https://www.itgovernance.co.uk/cobit [iv] https://www.coso.org/SitePages/Enterprise-Risk-Management-Integrating-with-Strategy-and-Performance-2017.aspx [v] https://www.marquette.edu/riskunit/internalaudit/coso_model.shtml [vi] https://www.coso.org/Shared%20Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf [vii] https://www.axelos.com/certifications/itil-service-management/what-is-itil [viii] https://www.theiia.org/globalassets/site/about-us/advocacy/three-lines-model-updated.pdf [ix] https://www.law.cornell.edu/cfr/text/2/200.516 [x] https://www.goodreads.com/quotes/7441842-complexity-is-the-worst-enemy-of-security-and-our-systems [xi] https://www.pwc.com/gx/en/issues/reinventing-the-future/take-on-tomorrow/simplifying-cybersecurity.html [xii] https://www.moneyshake.com/shaking-news/car-how-tos/how-to-pass-your-uk-driving-test

About IanIan Smith is Field CTO at Chronosphere where he works across sales, marketing, engineering and product to deliver better insights and outcomes to observability teams supporting high-scale cloud-native environments. Previously, he worked with observability teams across the software industry in pre-sales roles at New Relic, Wavefront, PagerDuty and Lightstep.Links Referenced: Chronosphere: https://chronosphere.io Last Tweet in AWS: lasttweetinaws.com TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Every once in a while, I find that something I'm working on aligns perfectly with a person that I wind up basically convincing to appear on this show. Today's promoted guest is Ian Smith, who's Field CTO at Chronosphere. Ian, thank you for joining me.Ian: Thanks, Corey. Great to be here.Corey: So, the coincidental aspect of what I'm referring to is that Chronosphere is, despite the name, not something that works on bending time, but rather an observability company. Is that directionally accurate?Ian: That's true. Although you could argue it probably bend a little bit of engineering time. But we can talk about that later.Corey: [laugh]. So, observability is one of those areas that I think is suffering from too many definitions, if that makes sense. And at first, I couldn't make sense of what it was that people actually meant when they said observability, this sort of clarified to me at least when I realized that there were an awful lot of, well, let's be direct and call them ‘legacy monitoring companies' that just chose to take what they were already doing and define that as, “Oh, this is observability.” I don't know that I necessarily agree with that. I know a lot of folks in the industry vehemently disagree.You've been in a lot of places that have positioned you reasonably well to have opinions on this sort of question. To my understanding, you were at interesting places, such as LightStep, New Relic, Wavefront, and PagerDuty, which I guess technically might count as observability in a very strange way. How do you view observability and what it is?Ian: Yeah. Well, a lot of definitions, as you said, common ones, they talk about the three pillars, they talk really about data types. For me, it's about outcomes. I think observability is really this transition from the yesteryear of monitoring where things were much simpler and you, sort of, knew all of the questions, you were able to define your dashboards, you were able to define your alerts and that was really the gist of it. And going into this brave new world where there's a lot of unknown things, you're having to ask a lot of sort of unique questions, particularly during a particular instance, and so being able to ask those questions in an ad hoc fashion layers on top of what we've traditionally done with monitoring. So, observability is sort of that more flexible, more dynamic kind of environment that you have to deal with.Corey: This has always been something that, for me, has been relatively academic. Back when I was running production environments, things tended to be a lot more static, where, “Oh, there's a problem with the database. I will SSH into the database server.” Or, “Hmm, we're having a weird problem with the web tier. Well, there are ten or 20 or 200 web servers. Great, I can aggregate all of their logs to Syslog, and worst case, I can log in and poke around.”Now, with a more ephemeral style of environment where you have Kubernetes or whatnot scheduling containers into place that have problems you can't attach to a running container very easily, and by the time you see an error, that container hasn't existed for three hours. And that becomes a problem. Then you've got the Lambda universe, which is a whole ‘nother world pain, where it becomes very challenging, at least for me, in order to reason using the old style approaches about what's actually going on in your environment.Ian: Yeah, I think there's that and there's also the added complexity of oftentimes you'll see performance or behavioral changes based on even more narrow pathways, right? One particular user is having a problem and the traffic is spread across many containers. Is it making all of these containers perform badly? Not necessarily, but their user experience is being affected. It's very common in say, like, B2B scenarios for you to want to understand the experience of one particular user or the aggregate experience of users at a particular company, particular customer, for example.There's just more complexity. There's more complexity of the infrastructure and just the technical layer that you're talking about, but there's also more complexity in just the way that we're handling use cases and trying to provide value with all of this software to the myriad of customers in different industries that software now serves.Corey: For where I sit, I tend to have a little bit of trouble disambiguating, I guess, the three baseline data types that I see talked about again and again in observability. You have logs, which I think I've mostly I can wrap my head around. That seems to be the baseline story of, “Oh, great. Your application puts out logs. Of course, it's in its own unique, beautiful format. Why wouldn't it be?” In an ideal scenario, they're structured. Things are never ideal, so great. You're basically tailing log files in some cases. Great. I can reason about those.Metrics always seem to be a little bit of a step beyond that. It's okay, I have a whole bunch of log lines that are spitting out every 500 error that my app is throwing—and given my terrible code, it throws a lot—but I can then ideally count the number of times that appears and then that winds up incrementing counter, similar to the way that we used to see with StatsD, for example, and Collectd. Is that directionally correct? As far as the way I reason about, well so far, logs and metrics?Ian: I think at a really basic level, yes. I think that, as we've been talking about, sort of greater complexity starts coming in when you have—particularly metrics in today's world of containers—Prometheus—you mentioned StatsD—Prometheus has become sort of like the standard for expressing those things, so you get situations where you have incredibly high cardinality, so cardinality being the interplay between all the different dimensions. So, you might have, my container is a label, but also the type of endpoint is running on that container as a label, then maybe I want to track my customer organizations and maybe I have 5000 of those. I have 3000 containers, and so on and so forth. And you get this massive explosion, almost multiplicatively.For those in the audience who really live and read cardinality, there's probably someone screaming about well, it's not truly multiplicative in every sense of the word, but, you know, it's close enough from an approximation standpoint. As you get this massive explosion of data, which obviously has a cost implication but also has, I think, a really big implication on the core reason why you have metrics in the first place you alluded to, which is, so a human being can reason about it, right? You don't want to go and look at 5000 log lines; you want to know, out of those 5000 log lines of 4000 errors and I have 1000, OKs. It's very easy for human beings to reason about that from a numbers perspective. When your metrics start to re-explode out into thousands, millions of data points, and unique sort of time series more numbers for you to track, then you're sort of losing that original goal of metrics.Corey: I think I mostly have wrapped my head around the concept. But then that brings us to traces, and that tends to be I think one of the hardest things for me to grasp, just because most of the apps I build, for obvious reasons—namely, I'm bad at programming and most of these are proof of concept type of things rather than anything that's large scale running in production—the difference between a trace and logs tends to get very muddled for me. But the idea being that as you have a customer session or a request that talks to different microservices, how do you collate across different systems all of the outputs of that request into a single place so you can see timing information, understand the flow that user took through your application? Is that again, directionally correct? Have I completely missed the plot here? Which is again, eminently possible. You are the expert.Ian: No, I think that's sort of the fundamental premise or expected value of tracing, for sure. We have something that's akin to a set of logs; they have a common identifier, a trace ID, that tells us that all of these logs essentially belong to the same request. But importantly, there's relationship information. And this is the difference between just having traces—sorry, logs—with just a trace ID attached to them. So, for example, if you have Service A calling Service B and Service C, the relatively simple thing, you could use time to try to figure this out.But what if there are things happening in Service B at the same time there are things happening in Service C and D, and so on and so forth? So, one of the things that tracing brings to the table is it tells you what is currently happening, what called that. So oh, I know that I'm Service D. I was actually called by Service B and I'm not just relying on timestamps to try and figure out that connection. So, you have that information and ultimately, the data model allows you to fully sort of reflect what's happening with the request, particularly in complex environments.And I think this is where, you know, tracing needs to be sort of looked at as not a tool for—just because I'm operating in a modern environment, I'm using some Kubernetes, or I'm using Lambda, is it needs to be used in a scenario where you really have troubles grasping, from a conceptual standpoint, what is happening with the request because you need to actually fully document it. As opposed to, I have a few—let's say three Lambda functions. I maybe have some key metrics about them; I have a little bit of logging. You probably do not need to use tracing to solve, sort of, basic performance problems with those. So, you can get yourself into a place where you're over-engineering, you're spending a lot of time with tracing instrumentation and tracing tooling, and I think that's the core of observability is, like, using the right tool, the right data for the job.But that's also what makes it really difficult because you essentially need to have this, you know, huge set of experience or knowledge about the different data, the different tooling, and what influential architecture and the data you have available to be able to reason about that and make confident decisions, particularly when you're under a time crunch which everyone is familiar with a, sort of like, you know, PagerDuty-style experience of my phone is going off and I have a customer-facing incident. Where is my problem? What do I need to do? Which dashboard do I need to look at? Which tool do I need to investigate? And that's where I think the observability industry has become not serving the outcomes of the customers.Corey: I had a, well, I wouldn't say it's a genius plan, but it was a passing fancy that I've built this online, freely available Twitter client for authoring Twitter threads—because that's what I do is that of having a social life—and it's available at lasttweetinaws.com. I've used that as a testbed for a few things. It's now deployed to roughly 20 AWS regions simultaneously, and this means that I have a bit of a problem as far as how to figure out not even what's wrong or what's broken with this, but who's even using it?Because I know people are. I see invocations all over the planet that are not me. And sometimes it appears to just be random things crawling the internet—fine, whatever—but then I see people logging in and doing stuff with it. I'd kind of like to log and see who's using it just so I can get information like, is there anyone I should talk to about what it could be doing differently? I love getting user experience reports on this stuff.And I figured, ah, this is a perfect little toy application. It runs in a single Lambda function so it's not that complicated. I could instrument this with OpenTelemetry, which then, at least according to the instructions on the tin, I could then send different types of data to different observability tools without having to re-instrument this thing every time I want to kick the tires on something else. That was the promise.And this led to three weeks of pain because it appears that for all of the promise that it has, OpenTelemetry, particularly in a Lambda environment, is nowhere near ready for being able to carry a workload like this. Am I just foolish on this? Am I stating an unfortunate reality that you've noticed in the OpenTelemetry space? Or, let's be clear here, you do work for a company with opinions on these things. Is OpenTelemetry the wrong approach?Ian: I think OpenTelemetry is absolutely the right approach. To me, the promise of OpenTelemetry for the individual is, “Hey, I can go and instrument this thing, as you said and I can go and send the data, wherever I want.” The sort of larger view of that is, “Well, I'm no longer beholden to a vendor,”—including the ones that I've worked for, including the one that I work for now—“For the definition of the data. I am able to control that, I'm able to choose that, I'm able to enhance that, and any effort I put into it, it's mine. I own that.”Whereas previously, if you picked, say, for example, an APM vendor, you said, “Oh, I want to have some additional aspects of my information provider, I want to track my customer, or I want to track a particular new metric of how much dollars am I transacting,” that effort really going to support the value of that individual solution, it's not going to support your outcomes. Which is I want to be able to use this data wherever I want, wherever it's most valuable. So, the core premise of OpenTelemetry, I think, is great. I think it's a massive undertaking to be able to do this for at least three different data types, right? Defining an API across a whole bunch of different languages, across three different data types, and then creating implementations for those.Because the implementations are the thing that people want, right? You are hoping for the ability to, say, drop in something. Maybe one line of code or preferably just, like, attach a dependency, let's say in Java-land at runtime, and be able to have the information flow through and have it complete. And this is the premise of, you know, vendors I've worked with in the past, like New Relic. That was what New Relic built on: the ability to drop in an agent and get visibility immediately.So, having that out-of-the-box visibility is obviously a goal of OpenTelemetry where it makes sense—Go, it's very difficult to attach things at runtime, for example—but then saying, well, whatever is provided—let's say your gRPC connections, database, all these things—well, now I want to go and instrument; I want to add some additional value. As you said, maybe you want to track something like I want to have in my traces the email address of whoever it is or the Twitter handle of whoever is so I can then go and analyze that stuff later. You want to be able to inject that piece of information or that instrumentation and then decide, well, where is the best utilized? Is it best utilized in some tooling from AWS? Is it best utilized in something that you've built yourself? Is it best of utilized an open-source project? Is it best utilized in one of the many observability vendors, or is even becoming more common, I want to shove everything in a data lake and run, sort of, analysis asynchronously, overlay observability data for essentially business purposes.All of those things are served by having a very robust, open-source standard, and simple-to-implement way of collecting a really good baseline of data and then make it easy for you to then enhance that while still owning—essentially, it's your IP right? It's like, the instrumentation is your IP, whereas in the old world of proprietary agents, proprietary APIs, that IP was basically building it, but it was tied to that other vendor that you were investing in.Corey: One thing that I was consistently annoyed by in my days of running production infrastructures at places, like, you know, large banks, for example, one of the problems I kept running into is that this, there's this idea that, “Oh, you want to use our tool. Just instrument your applications with our libraries or our instrumentation standards.” And it felt like I was constantly doing and redoing a lot of instrumentation for different aspects. It's not that we were replacing one vendor with another; it's that in an observability, toolchain, there are remarkably few, one-size-fits-all stories. It feels increasingly like everyone's trying to sell me a multifunction printer, which does one thing well, and a few other things just well enough to technically say they do them, but badly enough that I get irritated every single time.And having 15 different instrumentation packages in an application, that's either got security ramifications, for one, see large bank, and for another it became this increasingly irritating and obnoxious process where it felt like I was spending more time seeing the care and feeding of the instrumentation then I was the application itself. That's the gold—that's I guess the ideal light at the end of the tunnel for me in what OpenTelemetry is promising. Instrument once, and then you're just adjusting configuration as far as where to send it.Ian: That's correct. The organization's, and you know, I keep in touch with a lot of companies that I've worked with, companies that have in the last two years really invested heavily in OpenTelemetry, they're definitely getting to the point now where they're generating the data once, they're using, say, pieces of the OpenTelemetry pipeline, they're extending it themselves, and then they're able to shove that data in a bunch of different places. Maybe they're putting in a data lake for, as I said, business analysis purposes or forecasting. They may be putting the data into two different systems, even for incident and analysis purposes, but you're not having that duplication effort. Also, potentially that performance impact, right, of having two different instrumentation packages lined up with each other.Corey: There is a recurring theme that I've noticed in the observability space that annoys me to no end. And that is—I don't know if it's coming from investor pressure, from folks never being satisfied with what they have, or what it is, but there are so many startups that I have seen and worked with in varying aspects of the observability space that I think, “This is awesome. I love the thing that they do.” And invariably, every time they start getting more and more features bolted onto them, where, hey, you love this whole thing that winds up just basically doing a tail-F on a log file, so it just streams your logs in the application and you can look for certain patterns. I love this thing. It's great.Oh, what's this? Now, it's trying to also be the thing that alerts me and wakes me up in the middle of the night. No. That's what PagerDuty does. I want PagerDuty to do that thing, and I want other things—I want you just to be the log analysis thing and the way that I contextualize logs. And it feels like they keep bolting things on and bolting things on, where everything is more or less trying to evolve into becoming its own version of Datadog. What's up with that?Ian: Yeah, the sort of, dreaded platform play. I—[laugh] I was at New Relic when there were essentially two products that they sold. And then by the time I left, I think there was seven different products that were being sold, which is kind of a crazy, crazy thing when you think about it. And I think Datadog has definitely exceeded that now. And I definitely see many, many vendors in the market—and even open-source solutions—sort of presenting themselves as, like, this integrated experience.But to your point, even before about your experience of these banks it oftentimes become sort of a tick-a-box feature approach of, “Hey, I can do this thing, so buy more. And here's a shared navigation panel.” But are they really integrated? Like, are you getting real value out of it? One of the things that I do in my role is I get to work with our internal product teams very closely, particularly around new initiatives like tracing functionality, and the constant sort of conversation is like, “What is the outcome? What is the value?”It's not about the feature; it's not about having a list of 19 different features. It's like, “What is the user able to do with this?” And so, for example, there are lots of platforms that have metrics, logs, and tracing. The new one-upmanship is saying, “Well, we have events as well. And we have incident response. And we have security. And all these things sort of tie together, so it's one invoice.”And constantly I talk to customers, and I ask them, like, “Hey, what are the outcomes that you're getting when you've invested so heavily in one vendor?” And oftentimes, the response is, “Well, I only need to deal with one vendor.” Okay, but that's not an outcome. [laugh]. And it's like the business having a single invoice.Corey: Yeah, that is something that's already attainable today. If you want to just have one vendor with a whole bunch of crappy offerings, that's what AWS is for. They have AmazonBasics versions of everything you might want to use in production. Oh, you want to go ahead and use MongoDB? Well, use AmazonBasics MongoDB, but they call it DocumentDB because of course they do. And so, on and so forth.There are a bunch of examples of this, but those companies are still in business and doing very well because people often want the genuine article. If everyone was trying to do just everything to check a box for procurement, great. AWS has already beaten you at that game, it seems.Ian: I do think that, you know, people are hoping for that greater value and those greater outcomes, so being able to actually provide differentiation in that market I don't think is terribly difficult, right? There are still huge gaps in let's say, root cause analysis during an investigation time. There are huge issues with vendors who don't think beyond sort of just the one individual who's looking at a particular dashboard or looking at whatever analysis tool there is. So, getting those things actually tied together, it's not just, “Oh, we have metrics, and logs, and traces together,” but even if you say we have metrics and tracing, how do you move between metrics and tracing? One of the goals in the way that we're developing product at Chronosphere is that if you are alerted to an incident—you as an engineer; doesn't matter whether you are massively sophisticated, you're a lead architect who has been with the company forever and you know everything or you're someone who's just come out of onboarding and is your first time on call—you should not have to think, “Is this a tracing problem, or a metrics problem, or a logging problem?”And this is one of those things that I mentioned before of requiring that really heavy level of knowledge and understanding about the observability space and your data and your architecture to be effective. And so, with the, you know, particularly observability teams and all of the engineers that I speak with on a regular basis, you get this sort of circumstance where well, I guess, let's talk about a real outcome and a real pain point because people are like, okay, yeah, this is all fine; it's all coming from a vendor who has a particular agenda, but the thing that constantly resonates is for large organizations that are moving fast, you know, big startups, unicorns, or even more traditional enterprises that are trying to undergo, like, a rapid transformation and go really cloud-native and make sure their engineers are moving quickly, a common question I will talk about with them is, who are the three people in your organization who always get escalated to? And it's usually, you know, between two and five people—Corey: And you can almost pick those perso—you say that and you can—at least anyone who's worked in environments or through incidents like this more than a few times, already have thought of specific people in specific companies. And they almost always fall into some very predictable archetypes. But please, continue.Ian: Yeah. And people think about these people, they always jump to mind. And one of the things I asked about is, “Okay, so when you did your last innovation around observably”—it's not necessarily buying a new thing, but it maybe it was like introducing a new data type or it was you're doing some big investment in improving instrumentation—“What changed about their experience?” And oftentimes, the most that can come out is, “Oh, they have access to more data.” Okay, that's not great.It's like, “What changed about their experience? Are they still getting woken up at 3 am? Are they constantly getting pinged all the time?” One of the vendors that I worked at, when they would go down, there were three engineers in the company who were capable of generating list of customers who are actually impacted by damage. And so, every single incident, one of those three engineers got paged into the incident.And it became borderline intolerable for them because nothing changed. And it got worse, you know? The platform got bigger and more complicated, and so there were more incidents and they were the ones having to generate that. But from a business level, from an observability outcomes perspective, if you zoom all the way up, it's like, “Oh, were we able to generate the list of customers?” “Yes.”And this is where I think the observability industry has sort of gotten stuck—you know, at least one of the ways—is that, “Oh, can you do it?” “Yes.” “But is it effective?” “No.” And by effective, I mean those three engineers become the focal point for an organization.And when I say three—you know, two to five—it doesn't matter whether you're talking about a team of a hundred or you're talking about a team of a thousand. It's always the same number of people. And as you get bigger and bigger, it becomes more and more of a problem. So, does the tooling actually make a difference to them? And you might ask, “Well, what do you expect from the tooling? What do you expect to do for them?” Is it you give them deeper analysis tools? Is it, you know, you do AI Ops? No.The answer is, how do you take the capabilities that those people have and how do you spread it across a larger population of engineers? And that, I think, is one of those key outcomes of observability that no one, whether it be in open-source or the vendor side is really paying a lot of attention to. It's always about, like, “Oh, we can just shove more data in. By the way, we've got petabyte scale and we can deal with, you know, 2 billion active time series, and all these other sorts of vanity measures.” But we've gotten really far away from the outcomes. It's like, “Am I getting return on investment of my observability tooling?”And I think tracing is this—as you've said, it can be difficult to reason about right? And people are not sure. They're feeling, “Well, I'm in a microservices environment; I'm in cloud-native; I need tracing because my older APM tools appear to be failing me. I'm just going to go and wriggle my way through implementing OpenTelemetry.” Which has significant engineering costs. I'm not saying it's not worth it, but there is a significant engineering cost—and then I don't know what to expect, so I'm going to go on through my data somewhere and see whether we can achieve those outcomes.And I do a pilot and my most sophisticated engineers are in the pilot. And they're able to solve the problems. Okay, I'm going to go buy that thing. But I've just transferred my problems. My engineers have gone from solving problems in maybe logs and grepping through petabytes worth of logs to using some sort of complex proprietary query language to go through your tens of petabytes of trace data but actually haven't solved any problem. I've just moved it around and probably just cost myself a lot, both in terms of engineering time and real dollars spent as well.Corey: One of the challenges that I'm seeing across the board is that observability, for certain use cases, once you start to see what it is and its potential for certain applications—certainly not all; I want to hedge that a little bit—but it's clear that there is definite and distinct value versus other ways of doing things. The problem is, is that value often becomes apparent only after you've already done it and can see what that other side looks like. But let's be honest here. Instrumenting an application is going to take some significant level of investment, in many cases. How do you wind up viewing any return on investment that it takes for the very real cost, if only in people's time, to go ahead instrumenting for observability in complex environments?Ian: So, I think that you have to look at the fundamentals, right? You have to look at—pretend we knew nothing about tracing. Pretend that we had just invented logging, and you needed to start small. It's like, I'm not going to go and log everything about every application that I've had forever. What I need to do is I need to find the points where that logging is going to be the most useful, most impactful, across the broadest audience possible.And one of the useful things about tracing is because it's built in distributed environments, primarily for distributed environments, you can look at, for example, the biggest intersection of requests. A lot of people have things like API Gateways, or they have parts of a monolith which is still handling a lot of requests routing; those tend to be areas to start digging into. And I would say that, just like for anyone who's used Prometheus or decided to move away from Prometheus, no one's ever gone and evaluated Prometheus solution without having some sort of Prometheus data, right? You don't go, “Hey, I'm going to evaluate a replacement for Prometheus or my StatsD without having any data, and I'm simultaneously going to generate my data and evaluate the solution at the same time.” It doesn't make any sense.With tracing, you have decent open-source projects out there that allow you to visualize individual traces and understand sort of the basic value you should be getting out of this data. So, it's a good starting point to go, “Okay, can I reason about a single request? Can I go and look at my request end-to-end, even in a relatively small slice of my environment, and can I see the potential for this? And can I think about the things that I need to be able to solve with many traces?” Once you start developing these ideas, then you can have a better idea of, “Well, where do I go and invest more in instrumentation? Look, databases never appear to be a problem, so I'm not going to focus on database instrumentation. What's the real problem is my external dependencies. Facebook API is the one that everyone loves to use. I need to go instrument that.”And then you start to get more clarity. Tracing has this interesting network effect. You can basically just follow the breadcrumbs. Where is my biggest problem here? Where are my errors coming from? Is there anything else further down the call chain? And you can sort of take that exploratory approach rather than doing everything up front.But it is important to do something before you start trying to evaluate what is my end state. End state obviously being sort of nebulous term in today's world, but where do I want to be in two years' time? I would like to have a solution. Maybe it's open-source solution, maybe it's a vendor solution, maybe it's one of those platform solutions we talked about, but how do I get there? It's really going to be I need to take an iterative approach and I need to be very clear about the value and outcomes.There's no point in doing a whole bunch of instrumentation effort in things that are just working fine, right? You want to go and focus your time and attention on that. And also you don't want to go and burn just singular engineers. The observability team's purpose in life is probably not to just write instrumentation or just deploy OpenTelemetry. Because then we get back into the land where engineers themselves know nothing about the monitoring or observability they're doing and it just becomes a checkbox of, “I dropped in an agent. Oh, when it comes time for me to actually deal with an incident, I don't know anything about the data and the data is insufficient.”So, a level of ownership supported by the observability team is really important. On that return on investment, sort of, though it's not just the instrumentation effort. There's product training and there are some very hard costs. People think oftentimes, “Well, I have the ability to pay a vendor; that's really the only cost that I have.” There's things like egress costs, particularly volumes of data. There's the infrastructure costs. A lot of the times there will be elements you need to run in your own environment; those can be very costly as well, and ultimately, they're sort of icebergs in this overall ROI conversation.The other side of it—you know, return and investment—return, there's a lot of difficulty in reasoning about, as you said, what is the value of this going to be if I go through all this effort? Everyone knows a sort of, you know, meme or archetype of, “Hey, here are three options; pick two because there's always going to be a trade off.” Particularly for observability, it's become an element of, I need to pick between performance, data fidelity, or cost. Pick two. And when data fidelity—particularly in tracing—I'm talking about the ability to not sample, right?If you have edge cases, if you have narrow use cases and ways you need to look at your data, if you heavily sample, you lose data fidelity. But oftentimes, cost is a reason why you do that. And then obviously, performance as you start to get bigger and bigger datasets. So, there's a lot of different things you need to balance on that return. As you said, oftentimes you don't get to understand the magnitude of those until you've got the full data set in and you're trying to do this, sort of, for real. But being prepared and iterative as you go through this effort and not saying, “Okay, well, I'm just going to buy everything from one vendor because I'm going to assume that's going to solve my problem,” is probably that undercurrent there.Corey: As I take a look across the entire ecosystem, I can't shake the feeling—and my apologies in advance if this is an observation, I guess, that winds up throwing a stone directly at you folks—Ian: Oh, please.Corey: But I see that there's a strong observability community out there that is absolutely aligned with the things I care about and things I want to do, and then there's a bunch of SaaS vendors, where it seems that they are, in many cases, yes, advancing the state of the art, I am not suggesting for a second that money is making observability worse. But I do think that when the tool you sell is a hammer, then every problem starts to look like a nail—or in my case, like my thumb. Do you think that there's a chance that SaaS vendors are in some ways making this entire space worse?Ian: As we've sort of gone into more cloud-native scenarios and people are building things specifically to take advantage of cloud from a complexity standpoint, from a scaling standpoint, you start to get, like, vertical issues happening. So, you have things like we're going to charge on a per-container basis; we're going to charge on a per-host basis; we're going to charge based off the amount of gigabytes that you send us. These are sort of like more horizontal pricing models, and the way the SaaS vendors have delivered this is they've made it pretty opaque, right? Everyone has experiences, or has jerks about overages from observability vendors' massive spikes. I've worked with customers who have used—accidentally used some features and they've been billed a quarter million dollars on a monthly basis for accidental overages from a SaaS vendor.And these are all terrible things. Like, but we've gotten used to this. Like, we've just accepted it, right, because everyone is operating this way. And I really do believe that the move to SaaS was one of those things. Like, “Oh, well, you're throwing us more data, and we're charging you more for it.” As a vendor—Corey: Which sort of erodes your own value proposition that you're bringing to the table. I mean, I don't mean to be sitting over here shaking my fist yelling, “Oh, I could build a better version in a weekend,” except that I absolutely know how to build a highly available Rsyslog cluster. I've done it a handful of times already and the technology is still there. Compare and contrast that with, at scale, the fact that I'm paying 50 cents per gigabyte ingested to CloudWatch logs, or a multiple of that for a lot of other vendors, it's not that much harder for me to scale that fleet out and pay a much smaller marginal cost.Ian: And so, I think the reaction that we're seeing in the market and we're starting to see—we're starting to see the rise of, sort of, a secondary class of vendor. And by secondary, I don't mean that they're lesser; I mean that they're, sort of like, specifically trying to address problems of the primary vendors, right? Everyone's aware of vendors who are attempting to reduce—well, let's take the example you gave on logs, right? There are vendors out there whose express purpose is to reduce the cost of your logging observability. They just sit in the middle; they are a middleman, right?Essentially, hey, use our tool and even though you're going to pay us a whole bunch of money, it's going to generate an overall return that is greater than if you had just continued pumping all of your logs over to your existing vendor. So, that's great. What we think really needs to happen, and one of the things we're doing at Chronosphere—unfortunate plug—is we're actually building those capabilities into the solution so it's actually end-to-end. And by end-to-end, I mean, a solution where I can ingest my data, I can preprocess my data, I can store it, query it, visualize it, all those things, aligned with open-source standards, but I have control over that data, and I understand what's going on with particularly my cost and my usage. I don't just get a bill at the end of the month going, “Hey, guess what? You've spent an additional $200,000.”Instead, I can know in real time, well, what is happening with my usage. And I can attribute it. It's this team over here. And it's because they added this particular label. And here's a way for you, right now, to address that and cap it so it doesn't cost you anything and it doesn't have a blast radius of, you know, maybe degraded performance or degraded fidelity of the data.That though is diametrically opposed to the way that most vendors are set up. And unfortunately, the open-source projects tend to take a lot of their cues, at least recently, from what's happening in the vendor space. One of the ways that you can think about it is a sort of like a speed of light problem. Everyone knows that, you know, there's basic fundamental latency; everyone knows how fast disk is; everyone knows the, sort of like, you can't just make your computations happen magically, there's a cost of running things horizontally. But a lot of the way that the vendors have presented efficiency to the market is, “Oh, we're just going to incrementally get faster as AWS gets faster. We're going to incrementally get better as compression gets better.”And of course, you can't go and fit a petabyte worth of data into a kilobyte, unless you're really just doing some sort of weird dictionary stuff, so you feel—you're dealing with some fundamental constraints. And the vendors just go, “I'm sorry, you know, we can't violate the speed of light.” But what you can do is you can start taking a look at, well, how is the data valuable, and start giving the people controls on how to make it more valuable. So, one of the things that we do with Chronosphere is we allow you to reshape Prometheus metrics, right? You go and express Prometheus metrics—let's say it's a business metric about how many transactions you're doing as a business—you don't need that on a per-container basis, particularly if you're running 100,000 containers globally.When you go and take a look at that number on a dashboard, or you alert on it, what is it? It's one number, one time series. Maybe you break it out per region. You have five regions, you don't need 100,000 data points every minute behind that. It's very expensive, it's not very performant, and as we talked about earlier, it's very hard to reason about as a human being.So, giving the tools to be able to go and condense that data down and make it more actionable and more valuable, you get performance, you get cost reduction, and you get the value that you ultimately need out of the data. And it's one of the reasons why, I guess, I work at Chronosphere. Which I'm hoping is the last observability [laugh] venture I ever work for.Corey: Yeah, for me a lot of the data that I see in my logs, which is where a lot of this stuff starts and how I still contextualize these things, is nonsense that I don't care about and will never care about. I don't care about load balance or health checks. I don't particularly care about 200 results for the favicon when people visit the site. I care about other things, but just weed out the crap, especially when I'm paying by the pound—or at least by the gigabyte—in order to get that data into something. Yeah. It becomes obnoxious and difficult to filter out.Ian: Yeah. And the vendors just haven't done any of that because why would they, right? If you went and reduced the amount of log—Corey: Put engineering effort into something that reduces how much I can charge you? That sounds like lunacy. Yeah.Ian: Exactly. They're business models entirely based off it. So, if you went and reduced every one's logging bill by 30%, or everyone's logging volume by 30% and reduced the bills by 30%, it's not going to be a great time if you're a publicly traded company who has built your entire business model on essentially a very SaaS volume-driven—and in my eyes—relatively exploitative pricing and billing model.Corey: Ian, I want to thank you for taking so much time out of your day to talk to me about this. If people want to learn more, where can they find you? I mean, you are a Field CTO, so clearly you're outstanding in your field. But if, assuming that people don't want to go to farm country, where's the best place to find you?Ian: Yeah. Well, it'll be a bunch of different conferences. I'll be at KubeCon this year. But chronosphere.io is the company website. I've had the opportunity to talk to a lot of different customers, not from a hard sell perspective, but you know, conversations like this about what are the real problems you're having and what are the things that you sort of wish that you could do?One of the favorite things that I get to ask people is, “If you could wave a magic wand, what would you love to be able to do with your observability solution?” That's, A, a really great part, but oftentimes be being able to say, “Well, actually, that thing you want to do, I think I have a way to accomplish that,” is a really rewarding part of this particular role.Corey: And we will, of course, put links to that in the show notes. Thank you so much for being so generous with your time. I appreciate it.Ian: Thanks, Corey. It's great to be here.Corey: Ian Smith, Field CTO at Chronosphere on this promoted guest episode. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry comment, which going to be super easy in your case, because it's just one of the things that the omnibus observability platform that your company sells offers as part of its full suite of things you've never used.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Matthew Charnetski, MSMS, NRP, CHSOS, CHSE is the Director of Simulation-Based Education and Research for Dartmouth Health (DH) in Lebanon, NH. His winding path took him around the world several times between Iowa, Africa, Antarctica, Kazakhstan, Arkansas, New Hampshire and almost every bit in between. Matthew's simulation career has been largely academic focused primarily in medical education prior to arriving at DH in 2019. He is a graduate of the Master's in Medical and Healthcare Simulation Program at Drexel University and is actively pursuing his PhD in Health Professions Education at Maastricht University in Maastricht, Netherlands. Matthew is also adjunct faculty in the Massachusetts General Hospital Institute of Health Professions Master's in Health Professions Education Program in the Simulation Operations Track.  Matthew is involved extensively with The Society for Simulation in Healthcare and The International Nursing Association for Clinical Simulation and Learning. For SSH, Matthew is Chair of the Hospital-Based Simulation Programs Section and a member of the Internal Relations Committee and Chair of the Renewal Technology Subcommittee. He serves as a member of the Diversity Equity and Inclusion Task Force and serves as a Director-At-Large for the SSH Board of Directors where he is board liaison to the Education Committee. Matthew is a member of the Standards Committee for INACSL and serves as the Chair of the Operations Standard Subcommittee. He is currently acting as a co-planning chair for SimGHOSTS planning this falls S3 conference in Singapore. His recent research interests largely focus on cultural considerations in and around healthcare simulation.  His PhD work surrounds the role that culture plays in the adaptation and transfer of simulation curricula in transborder education partnerships. Matthew has contributed book chapters on simulation methodologies, moving simulation centers, and cultural considerations in simulation.  His peer-reviewed work has largely been in standards of best practice in simulation, cultural considerations/diversity issues related to simulation, and as a member of the SSH 2023 Distance Simulation Summit.LinkedIN:  https://www.linkedin.com/in/charnetski/SimGHOSTS:  https://simghosts.org/page/Matt_Charnetski SSH: https://simconnect.ssih.org/network/members/profile?UserKey=e417b989-5274-415d-b66f-f88063455397

https://t.me/+ZTPOqXWVV2M4NTM8

Terminals seem like the very lowest common denominator for software platforms. They have to work over SSH. They only show text. You can't do much with them. Or can you? Will McGugan and team have been building Textual (based on Rich) which looks more like an animated web app than a terminal app. And he has learned a bunch of lessons trying to maximize terminal based apps. He's here to share his 7 lessons he's learned while building a modern TUI (text user interface) framework. Links from the show Will McGugan: @willmcgugan 7 things I've learned building a modern TUI framework post: textualize.io Prior Talk Python Episode: talkpython.fm Textualize: textualize.io Kitty terminal: sw.kovidgoyal.net Pydantic Immutability: pydantic-docs.helpmanual.io Monodraw: monodraw.helftone.com Async's lru cache: github.com Rich CLI: github.com Nerd Fonts: nerdfonts.com Oh My Posh: ohmyposh.dev Python Object Allocator ASCII Art: github.com Balsamiq wireframes: balsamiq.com Watch this episode on YouTube: youtube.com Episode transcripts: talkpython.fm --- Stay in touch with us --- Subscribe to us on YouTube: youtube.com Follow Talk Python on Twitter: @talkpython Follow Michael on Twitter: @mkennedy Sponsors Microsoft Sentry's DEX Conference AssemblyAI Talk Python Training

Technologies are often spotlighted when examining different energy transition pathways. However, how we use and produce technology and energy plays a significant role. Profound changes are needed to avoid dangerous climate change, and can only be achieved through public support for relevant policies. Therefore, implementing energy policies requires knowledge of citizens' lifestyles and behaviors. That's where Social Sciences and Humanities (SSH) steps in. To teach us more about the importance of SSH in the energy transition, our guest this week is Chris Foulds, Professor at Anglia Ruskin University. Chris has been part of coordinating the energy-SSH platforms www.shapeenergy.eu and www.energy-shifts.eu, which has evolved into the SSH Centre of Excellence on climate, energy and mobility research for the EC. Papers mentioned in the episode: EC SSH monitoring reports: https://op.europa.eu/en/publication-detail/-/publication/4f198f8e-4599-11eb-b59f-01aa75ed71a1 Overland and Sovacool, 2020, The misallocation of climate research funding, https://www.sciencedirect.com/science/article/pii/S2214629619309119 Royston & Foulds, 2021, The making of energy evidence: How exclusions of Social Sciences and Humanities are reproduced (and what researchers can do about it), https://www.sciencedirect.com/science/article/pii/S2214629621001778 Foulds at al. 2022, An agenda for future Social Sciences and Humanities research on energy efficiency: 100 priority research questions https://www.nature.com/articles/s41599-022-01243-z Silvast & Foulds 2022, Sociology of Interdisciplinarity - The Dynamics of Energy Research, https://link.springer.com/book/10.1007/978-3-030-88455-0

About AlexAlex is the Chief Product Officer of Twingate, which he cofounded in 2019. Alex has held a range of product leadership roles in the enterprise software market over the last 16 years, including at Dropbox, where he was the first enterprise hire in the company's transformation from consumer to enterprise business. A focus of his product career has been using the power of design thinking to make technically complex products intuitive and easy to use. Alex graduated from Stanford University with a degree in Electrical Engineering.Links Referenced:twingate.com: https://twingate.com TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig secures your cloud from source to run. They believe, as do I, that DevOps and security are inextricably linked. If you wanna learn more about how they view this, check out their blog, it's definitely worth the read. To learn more about how they are absolutely getting it right from where I sit, visit Sysdig.com and tell them that I sent you. That's S Y S D I G.com. And my thanks to them for their continued support of this ridiculous nonsense.Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted episode is brought to us by our friends at Twingate, and in addition to bringing you this episode, they also brought me a guest. Alex Marshall is the Chief Product Officer at Twingate. Alex, thank you for joining me, and what is a Twingate?Alex: Yeah, well, thanks. Well, it's great to be here. What is Twingate? Well, the way to think about Twingate is we're really a network overlay layer. And so, the experience you have when you're running Twingate as a user is that network resources or network destinations that wouldn't otherwise be accessible to you or magically accessible to you and you're properly authenticated and authorized to access them.Corey: When you say it's a network overlay, what I tend to hear and the context I usually see that in, in the real world is, “Well, we're running some things in AWS and some things in Google Cloud, and I don't know because of a sudden sharp blow to the head, maybe Azure as well, and how do you get all of the various security network models of security groups on one side to talk to their equivalent on the other side?” And the correct answer is generally that you don't and you use something else that more or less makes the rest of that irrelevant. Is that the direction you're coming at this from, or do you view it differently?Alex: Yeah, so I think the way that we view this in terms of, like, why we decide to build a product in the first place is that if you look at, sort of like, the internet in 2022, like, there's one thing that's missing from the network routing table, which is authentication and authorization on each row [laugh]. And so, the way that we designed the product is we said, “Okay, we're not going to worry about everything, basically, above the network layer and we're going to focus on making sure that what we're controlling with the client is looking at outbound network connections and making sure that when someone accesses something and only when they access it, that we check to make sure that they're allowed access.” We're basically holding those network connections until someone's proven that they're allowed to access to, then we let it go. And so, from the standpoint of, like, figuring out, like, security groups and all that kind of stuff, we're basically saying, like, “Yeah, if you're allowed to access the database in AWS, or your home assistant on your home network, fine, we'll let you do that, but we'll only let you go there once you've proven you're allowed to. And then once you're there, then you know, we'll let you figure out how you want to authenticate into the destination system.” So, our view is, like, let's start at the network layer, and then that solves a lot of problems.Corey: When I call this a VPN, I know a couple of things are going to be true. One, you're almost certainly going to correct me on that because this is all about Zero Trust. This is the Year of our Lord 2022, after all. But also what I round to what basically becomes a VPN to my mind, there are usually two implementations or implementation patterns that I think about. One of them is the idea of client access, where I have a laptop; I'm in a Starbucks; I want to connect to a thing. And the other has historically been considered, site to site, or I have a data center that I want to have constantly connected to my cloud environment. Which side of that mental model do you tend to fall in? Or is that the wrong way to frame it?Alex: Mm-hm. The way we look at it and sort of the vision that we have for what the product should be, the problem that we should be solving for customers is what we want to solve for customers is that Twingate is a product that lets you be certain that your employees can work securely from anywhere. And so, you need a little bit of a different model to do that. And the two examples you gave are actually both entirely valid, especially given the fact that people just work from everywhere now. Like, resources everywhere, they use a lot of different devices, people work from lots of different networks, and so it's a really hard problem to solve.And so, the way that we look at it is that you really want to be running something or have a system in place that's always taking into account the context that user is in. So, in your example of someone's at a Starbucks, you know, in the public WiFi, last time I checked, Starbucks WiFi was unencrypted, so it's pretty bad for security. So, what we should do is you should take that context into account and then make sure that all that traffic is encrypted. But at the same time, like, you might be in the corporate office, network is perfectly safe, but you still want to make sure that you're authorizing people at the point in time they try to access something to make sure that they actually are entitled to access that database in the AWS network. And so, we're trying to get people away from thinking about this, like, point-to-point connection with a VPN, where you know, the usual experience we've all had as employees is, “Great. Now, I need to fire up the VPN. My internet traffic is going to be horrible. My battery's probably going to die. My—”Corey: Pull out the manual token that rotates with an RSA—Alex: Exactly.Corey: —token that spits out a different digital code every 30 seconds if the battery hasn't died or they haven't gotten their seeds leaked again, and then log in and the rest; in some horrible implementations type that code after your password for some Godforsaken reason. Yeah, we've all been down that path and it's like, “Yeah, just sign into the corporate VPN.” It's like, “Did you just tell me to go screw myself because that's what I heard.”Alex: [laugh]. Exactly. And that is exactly the situation that we're in. And the fact is, like, VPNs were invented a long time ago and they were designed to connect to networks, right? They were designed to connect a branch office to a corporate office, and they're just to join all the devices on the network.So, we're really, like—everybody has had this experience of VPN is suffering from the fact that it's the wrong tool for the job. Going back to, sort of like, this idea of, like, us being the network overlay, we don't want to touch any traffic that isn't intended to go to something that the company or the organization or the team wants to protect. And so, we're only going to gate traffic that goes to those network destinations that you actually want to protect. And we're going to make sure that when that happens, it's painless. So, for example, like, you know, I don't know, again, like, use your example again; you've been at Starbucks, you've been working your email, you don't really need to access anything that's private, and all of a sudden, like, you need to as part of your work that you're doing on the Starbucks WiFi is access something that's in AWS.Well, then the moment you do that, then maybe you're actually fine to access it because you've been authenticated, you know, and you're within the window, it's just going to work, right, so you don't have to go through this painful process of firing up the VPN like you're just talking about.Corey: There are a number of companies out there that, first, self-described as being, “Oh, we do Zero Trust.” And when I hear that, what I immediately hear in my own mind is, “I have something to sell you,” which, fair enough, we live in an industry. We're trying to have a society here. I get it. The next part that I wind up getting confused by then is, it seems like one of those deeply overloaded terms that exists to, more or less—in some cases to be very direct—well, we've been selling this thing for 15 years and that's the buzzword, so now we're going to describe it as the thing we do with a fresh coat of paint on it.Other times it seems to be something radically different. And, on some level, I feel like I could wind up building an entire security suite out of nothing other than things self-billing themselves as Zero Trust. What is it that makes Twingate different compared to a wide variety of other offerings, ranging from Seam to whatever the hell an XDR might be to, apparently according to RSA, a breakfast cereal?Alex: So, you're right. Like, Zero Trust is completely, like, overused word. And so, what's different about Twingate is that really, I think goes back to, like, why we started the company in the first place, which is that we started looking at the remote workspace. And this is, of course, before the pandemic, before everybody was actually working remotely and it became a really urgent problem.Corey: During the pandemic, of course, a lot of the traditional VPN companies are, “Huh. Why is the VPN concentrator glowing white in the rack and melting? And it sounds like screaming. What's going on?” Yeah, it turns out capacity provisioning and bottlenecking of an entire company tends to be a thing at scale.Alex: And so, you're right, like, that is exactly the conversation. We've had a bunch of customers over the last couple years, it's like their VPN gateway is, like, blowing up because it used to be that 10% of the workforce used it on average, and all of a sudden everybody had to use it. What's different about our approach in terms of what we observed when we started the company, is that what we noticed is that this term Zero Trust is kind of floating out there, but the only company that actually implemented Zero Trust was Google. So, if you think about the situations that you look at, Zero Trust is like, obvious. It's like, it's what you would want to do if you redesigned the internet, which is you'd want to say every network connection has to be authorized every single time it's made.But the internet isn't actually designed that way. It's designed default open instead of default closed. And so, we looked at the industry are, like, “Great. Like, Google's done it. Google has, like, tons and tons of resources. Why hasn't anyone else done it?”And the example that I like to talk about when we talk about inception of the business is we went to some products that are out there that were implementing the right technological approach, and one of these products is still in use today, believe it or not, but I went to the documentation page, and I hit print, and it was almost 50 pages of documentation to implement it. And so, when you look at that, you're, like, okay, like, maybe there's a usability problem here [laugh]. And so, what we really, really focus on is, how do we make this product as easy as possible to deploy? And that gets into, like, this area of change management. And so, if you're in IT or DevOps or engineering or security and you're listening to this, I'm sure you've been through this process where it's taken months to deploy something because it was just really technically difficult and because you had to change user behavior. So, the thing that we focus on is making sure that you didn't have to change user behavior.Corey: Every time you expect people to start doing things completely differently, congratulations, you've already lost before you've started.Alex: Yes, exactly. And so, the difference with our product is that you can switch off the VPN one day, have people install a Twingate client, and then tomorrow, they still access things with exactly the same addresses they used before. And this seems like such a minor point, but the fact that I don't have to rewrite scripts, I don't have to change my SSH proxy configuration, I don't have to do anything, all of those private DNS addresses or those private IP address, they'll still work because of the way that our client works on the device.Corey: So, what you're saying is fundamental; you could even do a slow rollout. It doesn't need to be a knife-switch cutover at two in the morning where you're scrambling around and, “Oh, my God, we forgot the entire accounting department.”Alex: Yep, that's exactly right. And that is, like, an attraction of deploying this is that you can actually deploy it department by department and not have to change all your infrastructure at the same time. So again, it's like pretty fundamental point here. It's like, if you're going to get adoption technology, it's not just about how cool the technology is under the hood and how advanced it is; it's actually thinking about from a customer and a business standpoint, like, how much is actually going to cost time-wise and effort-wise to move over to the new solution. So, we've really, really focused on that.Corey: Yeah. That is generally one of those things, that seems to be the hardest approach. I mean, let's back up a little bit here because I will challenge—likely—something that you said a few minutes ago, which is Google was the first and only company for a little while doing Zero Trust. Back in 2012, it turned out that we weren't calling it that then, but that is fundamentally what I built out of the ten-person startup that I was at, where I was the first ops hire, which generally comes in right around Series B when developers realize, okay, we can no longer lie to ourselves that we know what we're doing on an ops side. Everything's on fire and no one can sleep through the night. Help, help, help. Which is fine.I've never had tolerance or patience for ops people who insult people in those situations. It's, “Well, they got far enough along to hire you, didn't they? So, maybe show some respect.” But one of the things that I did was, being on the corporate network got you access to the printer in the corner and that was it. There was no special treatment of that network.And I didn't think much of it at the time, but I got some very strange looks and had some—uh, will call it interesting a decade later; most of the pain has faded—discussions with our auditor when we were going through some PCI work, and they showed up and said, “Great. Okay, where are the credentials for your directory?” And my response was, “Our what now?” And that's when I realized there's a certain point of scale. Back when I started as an independent consultant, everything I did for single-sign-on, for example, was my 1Password vault. Easy enough.Now, that we've scaled up beyond that, I'm starting to see the value of things like single-sign-on in a way that I never did before, and in hindsight, I'd like to go back and do things very differently as a result. Scale matters. What is the point of scale that you find is your sweet spot? Is it one person trying to connect to a whole bunch of nonsense? Is it small to midsize companies—and we should probably bound that because to me, a big company is still one that has 200 people there?Alex: To your original interesting point, which is that yeah, kudos to you for, like, implementing that, like, back then because we've had probably—Corey: I was just being lazy and it was what was there. It's like, “Why do I want to maintain a server in the closet? Honestly, I'm not sure that the office is that secure. And all it's going to do—what I'm I going to put on that? A SharePoint server? Please. We're using Macs.”Alex: Yeah, exactly. Yeah. So it's, we've had, like, I don't know at this point, thousands of customer conversations. The number of people have actually gone down that route implementing things themselves as a very small number. And I think that just shows how hard it is. So again, like, kudos.And I think the scale point is, I think, really critical. So, I think it's changed over time, but actually, the point at which a customer gets to a scale where I think a solution has, like, leveraged high value is when you get to maybe only 50, 75 people, which is a pretty small business. And the reason is that that's the point at which a bunch of tools start getting implemented a company, right? When you're five people, you're not going to install, like, an MDM or something on people's devices, right? When you get to 50, 75, 100, you start hiring your first IT team members. That's the point where them being able to, like, centralize management of things at the company becomes really critical.And so, one of the other aspects that makes this a little bit different terms of approach is that what we see is that there's a huge number of tools that have to be managed, and they have different configuration settings. You can't even get consistency on MDM is across different platforms, necessarily, right? Like, Linux, Windows, and Mac are all going to have slight differences, and so what we've been working with the platform towards is actually being the centralization point where we integrate with these different systems and then pull together, like, a consistent way to create those authentication authorization policies I was talking about before. And the last thing on SSO, just to sort of reiterate that, I think that you're talking about you're seeing the value of that, the other thing that we've, like, made a deliberate decision on is that we're not going to try to, like, re-solve, like, a bunch of these problems. Like, some of the things that we do on the user authentication point is that we rely on there being an SSO, like, user directory, that handles authentication, that handles, like, creating user groups. And we want to reuse that when people are using Twingate to control access to network destinations.So, for us, like, it's actually, you know, that point of scale comes fairly early. It only gets harder from there, and it's especially when that IT team is, like, a relatively small number of people compared to number of employees where it becomes really critical to be able to leverage all the technology they have to deploy.Corey: I guess this might be one of those areas where I'm not deep enough in your space to really see it the same way that you do, which is the whole reason I have people like you on the show: so I can ask these questions directly. What is the painful position that I find myself in that I should say, “Ah, I should bring Twingate in to solve this obnoxious, painful problem so I never have to think about it again.” What is it that you solve?Alex: Yeah, I mean, I think for what our customers tell us, it's providing a, like, consistent way to get access into, like, a wide variety of internal resources, and generally in multi-cloud environments. That's where it gets, like, really tricky. And the consistency is, like, really important because you're trying to provide access to your team—often like it's DevOps teams, but all kinds of people can access these things—trying to write access is a multiple different environments, again, there's a consistency problem where there are multiple different ways to provide that, and there isn't a single place to manage all that. And so, it gets really challenging to understand who has access to what, makes sure that credentials expire when they're supposed to expire, make sure that all the routing inside those remote destinations is set up correctly. And it just becomes, like, a real hassle to manage those things.So, that's the big one. And usually where people are coming from is that they've been using VPN to do that because they didn't know anything better exists, or they haven't found anything that's easy enough to deploy, right? So, that's really the problem that they're running into.Corey: There's also a lot of tribal knowledge that gets passed down. The oral tradition of, “I have this problem. What should I do? I know, I will consult the wise old sage.” “Well, where can you find the wise old sage?” “Under the rack of servers, swearing at them.” “Great, cool. Well, use a VPN. That's what we've used since time immemorial.” And then the sins are visited onto yet another generation.There's a sense that I have that companies that are started now are going to have a radically different security posture and a different way of thinking about these things than the quote-unquote, “Legacy companies.”—legacy, of course, being that condescending engineering term for ‘it makes money—who are migrating their way into a brave new world because they had the temerity to found themselves as companies before 2012.Alex: Absolutely. When we're working with customers, there is a sort of a sweet spot, both in terms of, like, the size and role that we were talking about before, but also just in terms of, like, where they are, in, sort of like, the sort of lifecycle of their company. And I think one of the most exciting things for us is that we get to work with companies that are kind of figuring this stuff out for the first time and they're taking a fresh look at, like, what the capabilities are out there in the landscape. And that's, I think, what makes this whole space, like, super, super interesting.There's some really, really fantastic things you can do. Just give you an example, again, that I think might resonate with your audience quite a bit is this whole topic of automation, right? Your time at the tribal knowledge of, like, “Oh, of course. You know, we set up a VPN and so on.” One of the things that I don't think is necessarily obvious in this space is that for the teams that—at companies that are deploying, configuring, managing internal network infrastructure, is that in the past, you've had to make compromises on infrastructure in order to accommodate access, right?Because it's kind of a pain to deploy a bunch of, like, VPN gateways, mostly for the end-user because they got to, like, choose which one they're connecting to. You potentially had to open up traffic routes to accommodate a VPN gateway that you wouldn't otherwise want to open up. And so, one of the things that's, like, really sort of fascinating about, like, a new way of looking at things is that what we allow with Twingate—and part of this is because we've really made sure that the product is, like, API-first in the very beginning, which allows us to very easily integrate in with things, like, Terraform and Pulumi for deployment automation, is that now you have a new way of looking at things, which is that you can build a network infrastructure that you want with the data flow rules that you want, and very easily provide access into, like, points of that infrastructure, whether that's an entire subnet or just a single host somewhere. I think these are the ways, like, the capabilities have been realized are possible until they, sort of like, understand some of these new technologies.Corey: This episode is sponsored in part by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now EnterpriseDB has you covered wherever you deploy PostgreSQL on-premises, private cloud, and they just announced a fully-managed service on AWS and Azure called BigAnimal, all one word. Don't leave managing your database to your cloud vendor because they're too busy launching another half-dozen managed databases to focus on any one of them that they didn't build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications—including Oracle—to the cloud. To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.Corey: This feels like one of those technologies where the place that a customer starts from and where they wind up going are very far apart. Because I can see the metaphorical camel's nose under the tent flap being, “Ah, this is a VPN except it doesn't suck. Great.” But once you wind up with effectively an overlay network connecting all the things that you care about within an organization, it feels like that unlocks a whole universe of possibility.Alex: Mm-hm. Yeah, definitely. I mean, I think you hit the nail on the head there. Like, a lot of people approach us because they're having a lot of pain with VPN and all the operational difficulties they were talking about earlier, but I think what sort of starts to open up is there's some, sort of like, not obvious things that happen. And one of them is that all of a sudden, when you can limit access at a network connection level, you start to think about, like, credentials and access management a little differently, right?So, one of the problems that well-known is people set a bastion host. And they set bastion host so that there's, like, a limited way into the network and all the, you know, keys are stored in that bastion host and so on. So, you basically have a system where fine, we had bastion host set up because, A, we want limited ingress, and B, we want to make sure that we know exactly who has access to our internal resources. You could do away with that and with a simple, like, configuration change, you can basically say, “Even if this employee for whatever reason, we've forgotten to remove—revoke their SSH keys, even if they still have those keys, they can't access the destination because we're blocking network access at their actual device,” then you have a very different way to restrict access. So, it's still important to manage credentials, but you now have a way to actually block things out at a network level. And I think it's like when people start to realize that these capabilities are possible that they definitely start thinking about things a little bit differently. VPNs just don't allow this, like, level of granularity.Corey: I am a firm believer in the idea that any product with any kind of longevity gets an awful lot of its use case and product-market fit not from the people building it, but from the things that those folks learn from their customers. What did you learn from customers rolling out Twingate that reshaped how you thought about the space, or surprised you as far as use cases go?Alex: Yeah, so I think it's a really interesting question because one of the benefits of having a small business and being early on is that you have very close relationships with all your customers and they're really passionate about your product. And what that leads to is just a lot of, sort of like, knowledge sharing around, like, how they're using your product, which then helps inform the types of things that we build. So, one of the things that we've done internally to help us learn, but then also help us respond more quickly to customers, is we have this group called Twingate Labs. And it's really just a group of folks that are outside the engineering org that are just allowed to build whatever they want to try to prove out, like, interesting concepts. And a lot of those—I say a lot; honestly, probably all of those concepts have come from our customers, and so we've been able to, like, push the boundaries on that.And so, it just gave you an example, I mean, AWS can be sometimes a challenging product to manage and interact with, and so that team has, for example, built capabilities, again, using that just the regular Twingate API to show that it's possible to automatically configure resources in AWS based on tags. Now, that's not something that's in our product, but it's us showing our customers that, you know, we can respond quickly to them and then they actually, like, try to accommodate some, like, these special use cases they have. And if that works out, then great, we'll pull it into the product, right? So, I think that's, like, the nice thing about serving a smaller businesses is that you get a lot of that back and forth to your customers and they help us generate ideas, too.Corey: One thing that stands out to me from the testimonials from customers you have on your website has been a recurring theme that crops up that speaks to I guess, once I spend more than ten seconds thinking about it, one of the most obvious reasons that I would say, “Oh, Twingate? That sounds great for somebody else. We're never rolling it out here.” And that is the ease of adoption into environments that are not greenfield because I don't believe that something like this product will ever get deployed to something greenfield because this is exactly the kind of problem that you don't realize exists and don't have to solve for until it's too late because you already have that painful problem. It's an early optimization until suddenly, it's something you should have done six months ago. What is the rolling it out process for a company that presumably already is built out, has hired a bunch of people, and they already have something that, quote-unquote, “Works,” for granting access to things?Alex: Mm-hm. Yeah, so the beauty is that you can really deploy this side-by-side with an existing solution, so—whatever it happens to be; I mean, whether it's a VPN or something else—is you can put the side-by-side and the deployment process, just to talk a little bit about the architecture; we've talked a lot about this client that runs on the user's device, but on the remote network side, just to be really clear on this, there's a component called a connector that gets deployed inside the remote network, and it does not have to be installed on every single destination host. You're sort of thinking about it, sort of like this routing point inside that network, and that connector controls what traffic is allowed to go to internal locations based on the rules. So, from a deployment standpoint, it's really just put a connector in place and put it in place in whatever subnet you want to provide access to.And so you're—unlikely, but if your entire company has one subnet, great. You're done with one connector. But it does mean you can sort of gradually roll it out as it goes. And the connector can be deployed in a bunch of different environments, so we're just talking with AWS. Maybe it's inside a VPC, but we have a lot of people that actually just want to control access to specific services inside a Kubernetes cluster, and so you can deploy it as a container, right inside Kubernetes. And so, you can be, like, really specific about how you do that and then gradually roll it out to teams as they need it and without having to necessarily on that day actually shut off the old solution.So, just to your comment, by the way, on the greenfield versus, sort of like, brownfield, I think the greenfield story, I think, is changing a little bit, I think, especially to your comment earlier around younger companies. I think younger companies are realizing that this type of capability is an option and that they want to get in earlier. But the reality is that, you know, 98% of people are really in the established network situation, and so that's where that rollout process is really important.Corey: As you take a look throughout what you're seeing customers doing, what you see the industry doing as a result of that—because customers are, in fact, the industry, let's be clear here—what do you think is, I guess, the next wave of security offerings? I guess what I'm trying to do here is read the tea leaves and predict what the buzzwords will be all over the place that next RSA. But on a slightly more serious note, what do you see this is building towards? What are the trends that you're identifying in the space?Alex: There's a couple of things that we see. So one, sort of, way to look at this is that we're sort of in this, like, Third Wave. And I think these things change more slowly than—with all due respect to marketers—than marketers would [laugh] have you believe. And so, thinking about where we are, there's, like, Wave One is, like, good old happy days, we're all in the office, like, your computer can't move, like, all the data is in the office, like, everything is in one place, right?Corey: What if someone steals your desktop? Well, they're probably going to give themselves a hernia because that thing's heavy. Yeah.Alex: Exactly. And is it really worth stealing, right? But the Wave One was really, like, network security was actually just physical security, to that point; that's all it was, just, like, physically secure the premises.Wave Two—and arguably you could say we're kind of still in this—is actually the transition to cloud. So, let's convert all CapEx to OpEx, but that also introduces a different problem, which is that everything is off-network. So, you have to, like, figure out, you know, what you do about that.But Wave Three is really I think—and again, just to be clear, I think Wave Two, there are, like, multi-decade things that happen—and I'd say we're in the middle of, like, Wave Three. And I think that everyone is still, like, gradually adapting to this, which is what we describe it as sort of people everywhere, applications are everywhere, people are using a whole bunch of different devices, right? There is no such thing as BYOD in the early-2000s, late-90s, and people are accessing things from all kinds of different networks. And this presents a really, really challenging problem. So, I would argue, to your question, I think we're still in the middle of that Wave Three and it's going to take a long time to see that play through the industry. Just, things change slowly. That tribal knowledge takes time to change.The other thing that I think we very strongly believe in is that—and again, this is, sort of like, coming from our customers, too—is that people basically with security industry have had a tough time trying things out and adopting them because a lot of vendors have put a lot of blockers in place of doing that. There's no public documentation; you can't just go use the product. You got to talk to a salesperson who then filters you through—Corey: We have our fifth call with the sales team. We're hoping this is the one where they'll tell us how much it costs.Alex: Exactly. Or like, you know, now you get to the sales engineer, so you gradually adopt this knowledge. But ultimately, people just want to try the darn thing [laugh], right? So, I think we're big believers that I think hopefully, what we'll see in the security industry is that—we're trying to set an example here—is really that there's an old way of doing things, but a new way of doing things is make the product available for people to use, document the heck out of it, explain all the different use cases that exist for how to be successful your product, and then have these users actually then reach out to you when they want to have more in-depth conversation about things. So, those are the two big things, I'd say. I don't know if those are translated buzzwords at RSA, but those are two big trends we see.Corey: I look forward to having you back in a year or two and seeing how close we get to the reality. “Well, I guess we didn't see that acronym coming, but don't worry. They've been doing it for the last 15 years under different names, so it works out.” I really want to thank you for being as generous with your time as you have been. If people want to learn more, where should they go?Alex: Well, as we're just talking about, you try the product at twingate.com. So, that should be your first stop.Corey: And we will of course put links to that in the show notes. Thank you so much for being as forthcoming as you have been about all this stuff. I really appreciate your time.Alex: Yeah, thank you, Corey. I really appreciate it. Thanks.Corey: Alex Marshall, Chief Product Officer at Twingate. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with a long angry ranty comment about what you hated about the episode, which will inevitably get lost when it fails to submit because your crappy VPN concentrator just dropped it on the floor.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

A MaxCityben jelenleg is megtekinthető SSH! Graffiti. Streetart. Kortárssh. kiállítás kapcsán kaptuk mikrofonvégre a kiállítás kurátorát, Németh Zoltánt és a sokáig Japánban alkotó építészt, kortárs műgyűjtőt Pálffy Györgyöt. Az alábbi kérdésekre kaphatsz választ az adásban: - Mi is az a street art és urban art? - Ennek az eszköze a graffiti? - Honnan ered és hogyan alakult ki a graffiti? - Mit akarnak üzenni vele az alkotók? - Hogy lesz egy graffitiző fiúból 110 millió dollár értékű festményt alkotó művész? - Be lehet-e vinni a graffitit egy galériába? - Mi a közös az SSH kiállítás alkotóiban? - Mi egy ilyen kiállítás célja? Tarts velünk és nézd meg a Gallery MAX *SSH! kiállítását a MaxCity-ben szeptember 20-ig! Vendégeink: Pálffy György - építész, műgyűjtő Németh Zoltán - MNU creative solutions kreatív igazgatója, az *SSH! kiállítás kurátora ----------------------------------------------------------------------------------------------------- Kövess minket az alábbi csatornákon: MaxCity LinkedIn oldala - ahol mindig a legfrissebb infókat találhatod meg a Design Komplex Podcastről: www.linkedin.com/company/maxcitybudapest Spotify: https://open.spotify.com/show/0AU2jKGyeZDqmg2RsExl4F?si=vIZyJSf1RbeIlsXPFEwz6A&dl_branch=1 Apple Podcast: https://podcasts.apple.com/hu/podcast/designkomplex/id1575544332 Google Podcast: https://podcasts.google.com/feed/aHR0cHM6Ly9mZWVkcy5zb3VuZGNsb3VkLmNvbS91c2Vycy9zb3VuZGNsb3VkOnVzZXJzOjEwMDI5NzEwMjAvc291bmRzLnJzcw A DesignKomplex podcast felvétele a Brocasterz Stúdióban történik, az adások teljes menedzsmentjét pedig a Brocasterz Podcast Ügynökség csapata végzi. Ha szeretnéd jobban megismerni őket: https://brocasterz.com

Hacker Public Radio New Years Eve Show 2021 - 2022 Part 2 Massachusetts MCAS Tests https://www.doe.mass.edu/mcas/ A Level Test mention - http://www.gostudyuk.com/a-levels-and-equivalents/ COVID-19: quarantine, masks, vaccination, testing, etc. Michael Mina @michaelmina_lab https://twitter.com/michaelmina_lab West Virginia & Kentucky Accents https://www.dialectsarchive.com/west-virginia https://www.dialectsarchive.com/kentucky Netminer talks about being a security guard & Security Guard tools of the trade Detex Clock https://www.watchmanclocks.com/productdetails.aspx?ProductID=56 Mag light flashlight https://maglite.com/ Ohio Linux Fest https://olfconference.org/ Not Curses https://notcurses.com/notcurses.3.html Sixel https://en.wikipedia.org/wiki/Sixel The Book Of Boba Fett https://www.imdb.com/title/tt13668894/ https://en.wikipedia.org/wiki/The_Book_of_Boba_Fett Under The Helmet : The Legacy of Boba Fett https://www.imdb.com/title/tt15715890/ Mordancy talks about Mark from Command Line Magic Command Line Magic Homepage - http://www.climagic.org/ Command Line Magic Youtube - https://www.youtube.com/user/climagic/videos Command Line Magic Twitter - https://twitter.com/climagic Command Line Magic Mastadon - https://mastodon.social/@climagic Mordancy also suggests https://www.commandlinefu.com/commands/browse https://explainshell.com/ More Website Suggestions Regex Crossword is a crossword puzzle game, where the crossword clues are defined using regular expressions https://regexcrossword.com Learn VIM while playing a game https://vim-adventures.com/ Tennesee Valley Authority https://www.tva.com/ https://en.wikipedia.org/wiki/Tennessee_Valley_Authority West Virginia Coal Mines https://www.americangeosciences.org/critical-issues/maps/interactive-map-coal-mines-west-virginia Nuclear Power Plants in the USA https://en.wikipedia.org/wiki/Nuclear_power_in_the_United_States https://www.eia.gov/tools/faqs/faq.php?id=207&t=3 Moss Wants to Build a Pi Hole https://pi-hole.net/ Take The Long Way Home (SuperTramp) https://youtu.be/zKGOCOAI_2c Push To Talk Mumble Settings https://www.mumble.com/support/mumble-server-push-to-talk.php Dont use Balena Etcher, try instead https://bztsrc.gitlab.io/usbimager/ USBImager is a really really simple GUI application that writes compressed disk images to USB drives and creates backups. Available platforms: Windows, MacOS and Linux. Its interface is as simple as it gets, totally bloat-free. It is very small below 300 KB compared to more the than 130 MB of Etcher. A Maintenance Tool For Ubuntu uCareSystem Core basic https://ostechnix.com/ucaresystem-core-basic-maintenance-tool-ubuntu/ https://github.com/Utappia/uCareSystem To get rid of old kernels with no work - just paste in the commandline echo $(dpkg --list | grep linux-image | awk '{ print $2 }' | sort -V | sed -n '/'`uname -r`'/q;p') $(dpkg --list | grep linux-headers | awk '{ print $2 }' | sort -V | sed -n '/'"$(uname -r | sed "s/([0-9.-]*)-([^0-9]+)/1/")"'/q;p') | xargs echo sudo apt-get -y purge the result is a sudo command to remove old kernels. And finally this one: sudo apt autoremove && sudo apt autoclean && sudo apt clean Moss talks about ArcoLinux https://arcolinux.com/ Minnix uses Funk Whale https://funkwhale.audio/ Moss announces the passing of Betty White - RIP https://www.cnn.com/2022/01/10/entertainment/betty-white-cause-of-death/index.html https://www.rollingstone.com/tv-movies/tv-movie-news/betty-white-dead-obituary-197806/ https://en.wikipedia.org/wiki/The_Golden_Girls https://www.grunge.com/659496/the-truth-about-betty-whites-guinness-world-record/ The guys mention - Ultramarines : A Warhammer 40k movie https://en.wikipedia.org/wiki/Ultramarines:_A_Warhammer_40,000_Movie https://youtu.be/3fpvOyD5Jr0 Warhammer Cosplay https://youtu.be/9RpfpSyWGhk https://youtu.be/VZ8_aU0G094 https://www.belloflostsouls.net/2020/08/40k-cosplay-the-ultramarine-by-upw-designs.html https://www.instructables.com/Warhammer-40K-Tech-Priest-Cosplay-SKS-Props/ Matrix Movie (Matrix Resurrections) + other NPH (Neil Patrick Harris) films https://en.wikipedia.org/wiki/The_Matrix_Resurrections https://www.imdb.com/title/tt10838180/ 8-Bit Christmas https://www.imdb.com/title/tt11540284/ Doctor Horrible's Sing-Along https://www.imdb.com/title/tt1227926/ Bruce Campbell in Black Friday + other Bruce projects https://www.imdb.com/title/tt11649338/ Deadite (Evil Dead films) https://evildead.fandom.com/wiki/Deadite Burn Notice https://www.imdb.com/title/tt0810788/ The Adventures of Brisco County Jr. https://www.imdb.com/title/tt0105932/ Burn Notice Movie - The Fall of Sam Axe https://www.imdb.com/title/tt1697851/ Ash Vs Evil Dead (TV Series) https://www.imdb.com/title/tt4189022/ https://evildead.fandom.com/wiki/Ash_vs_Evil_Dead Christian Clemenson https://www.imdb.com/name/nm0166061/ https://en.wikipedia.org/wiki/Christian_Clemenson Freddie Highmore https://en.wikipedia.org/wiki/The_Good_Doctor_(TV_series) https://www.imdb.com/title/tt6470478/ Chat about Lenovo ThinkCentre Products https://pcsupport.lenovo.com/us/en/products/desktops-and-all-in-ones/thinkcentre-m-series-desktops/thinkcentre-m58 https://www.lenovo.com/in/en/desktops/thinkcentre/m-series-sff/m83/ https://www.lenovo.com/gb/en/desktops-and-all-in-ones/thinkcentre/m-series-tiny/M700-Tiny/p/11TC1MTM700 Moss Plugs - https://itsmoss.com/ and talks about installing Linux on his ThinkCentre https://itsmoss.com/2021/12/22/installing-linux-on-a-thinkcentre-tiny-m700/ A Deeper Dive Into Funk Whale https://funkwhale.audio/ https://funkwhale.audio/en_GB/faqs#decentralized-and-federated https://wiki.archlinux.org/title/Funkwhale https://twitter.com/funkwhaleaudio Peer Tube - Free software to take back control of your videos https://joinpeertube.org/ https://twitter.com/joinpeertube Joe and Danny talk 3-D Printing & Core XY Printers Voron Design https://vorondesign.com/ The Best CoreXY 3D Printers in 2022 https://all3dp.com/1/best-corexy-3d-printer/ The Voron 2.4 Build Experience https://youtu.be/0E0dM0ZdpRE Core XY Explained https://youtu.be/_ramiM3KHYE Volcano Hot End & Block https://e3d-online.com/products/volcano-hotend https://e3d-online.com/products/volcano-block-for-sensor-cartridges CES 2022 https://www.ces.tech/About-CES.aspx Danny gives a thumbs up to the Android Playstation 2 Emulator - Aethersx2 https://play.google.com/store/apps/details?id=xyz.aethersx2.android X-Files : Resist Or Serve for the Playstation 2 https://en.wikipedia.org/wiki/The_X-Files:_Resist_or_Serve Walkthrough for X-Files : Resist Or Serve https://youtu.be/_1DoMfufliQ PCSX2 - An Open-Source Playstation 2 Emulator supporting over 98% Of the PS2 library https://pcsx2.net/ GTA Vice City https://www.rockstargames.com/games/vicecity Armored Core : Masters Of Arena https://armoredcore.fandom.com/wiki/Armored_Core:_Master_of_Arena http://www.cheatcodes.com/guide/walkthrough-armored-core-master-of-arena-playstation-16686/ Joe Has Some Tech Repairs to Do Playstation 3 that needs the optical drive repaired https://www.ifixit.com/Guide/PlayStation+3+Blu-ray+Disc+Drive+Replacement/3484 Xbox 360 Drive replacement https://www.ifixit.com/Guide/Xbox+360+Optical+Drive+Replacement/3358 Skullcandy HESH 3 Battery Replacement https://youtu.be/PLM7wfTCzms (generic headphone battery replacement video) LG Tone Repair https://youtu.be/DJvzWsT_ESY Open Razer https://openrazer.github.io/ Clonezilla has built in SSH support https://clonezilla.org/ Radio Shack reviving, rebranding into cryptocurrency platform https://www.foxbusiness.com/markets/radioshack-rebrands-cryptocurrency-exchange-platform https://www.nbcnews.com/pop-culture/pop-culture-news/radioshack-clarify-twitter-wasnt-hacked-just-sell-crypto-now-rcna36112 Deal Extreme https://www.dx.com/ Brick & Mortar Computer Stores Past & Present COMP USA https://www.compusa.com/ Fry's Electronics https://www.frys.com/ https://en.wikipedia.org/wiki/Fry%27s_Electronics Micro Center https://www.microcenter.com/ Tiger Direct https://www.tigerdirect.com/ Ben Heck & Oscilloscopes https://youtu.be/RuC8XmDX9iA Mordancy has projects https://www.proxmox.com/en/ https://www.docker.com/ https://jitsi.org/ https://joinpeertube.org/ https://matrix.org/ https://bitbucket.org/product F(x)tec Pro¹ Phone https://www.fxtec.com/ Joe and Mordancy chat Cryptocurrency https://www.investopedia.com/terms/c/cryptocurrency.asp Nishant gives up Windows for Fedora https://getfedora.org/en/workstation/download/ Linux LPIC Certifications https://www.lpi.org/our-certifications/summary-of-certifications https://www.lpi.org/our-certifications/lpic-1-overview https://www.lpi.org/our-certifications/lpic-2-overview ITIL Certification https://www.axelos.com/certifications/itil-service-management 3M PELTOR ComTac™ VI Hearing Defender https://www.3m.com/3M/en_US/p/d/v100849027/ TP-120 Socket https://connectors.nexus.com/item/telephone-plugs-and-jacks/telephone-plugs/tp-120 Fluke 107 Pocket Digital Multimeter https://www.fluke.com/en-us/product/electrical-testing/digital-multimeters/pocket-107 Razer Nari Ultimate Headset https://www.razer.com/gaming-headsets/razer-nari-ultimate/RZ04-02670100-R3U1 Garuda Linux https://garudalinux.org/ Centos https://www.centos.org/ FreeBSD https://www.freebsd.org/ Q-tile - A full-featured, hackable tiling window manager written and configured in Python http://www.qtile.org/ Adam WIlliamson - Fedora Team https://fedoraproject.org/wiki/User:Adamwill https://www.happyassassin.net/ https://twitter.com/adamw_ha https://fedoramagazine.org/fedora-qa-adam-williamson/ Raspberry Pi Price Jump https://www.tomshardware.com/news/raspberry-pi-4-supply-issues Headphone Repair Chat BeyerDynamic DT770 https://www.sweetwater.com/store/detail/DT770pro80--beyerdynamic-dt-770-pro-80-ohm-closed-back-studio-mixing-headphones Audio Technica ATH-M50X https://www.audio-technica.com/en-us/ath-m50x HP Thin Client Model T6xx (watch for them on Ebay) https://support.hp.com/us-en/document/c06433828 Firefox Phone https://firefoxosdevices.org/en/#type:smartphones|coming-devices:yes https://en.wikipedia.org/wiki/Firefox_OS Love 2D Gaming Engine https://love2d.org/ Roblox https://www.roblox.com/ Minecraft https://www.minecraft.net/en-us Alpine Linux https://www.alpinelinux.org/ Rick & Morty https://rickandmorty.fandom.com/wiki/Rick_and_Morty_(TV_series) Gravity Falls https://en.wikipedia.org/wiki/Gravity_Falls Final Space https://en.wikipedia.org/wiki/Final_Space Peter Cushing Dr. Who movies https://tardis.fandom.com/wiki/Peter_Cushing https://en.wikipedia.org/wiki/Dr._Who_and_the_Daleks https://en.wikipedia.org/wiki/Daleks%27_Invasion_Earth_2150_A.D. Blake's 7 https://en.wikipedia.org/wiki/Blake%27s_7 Gorillaz - Clint Eastwood https://youtu.be/1V_xRb0x9aw

Carlos Alexandro Becker shared some SSH tips, Sakun Acharige (a Comp Sci student + visual design enthusiast) created System.css, Felix Krause built a browser app that shows the JavaScript commands being executed by iOS app in-app browers, Yan Zhulanow decided to create Marta, and Lőrik Levente did a comparrison between Tauri & Electron using a real world application he's building called Authme.

Carlos Alexandro Becker shared some SSH tips, Sakun Acharige (a Comp Sci student + visual design enthusiast) created System.css, Felix Krause built a browser app that shows the JavaScript commands being executed by iOS app in-app browers, Yan Zhulanow decided to create Marta, and Lőrik Levente did a comparrison between Tauri & Electron using a real world application he's building called Authme.

Jess Archer's Twitter - https://twitter.com/jessarchercodesJess Archer's GitHub - https://github.com/jessarcherJess Archer's GitHub dotfiles - https://github.com/jessarcher/dotfilesJess Archer's Website - https://jessarcher.comJess Archer's Youtube - https://www.youtube.com/channel/UCrk0VncCvtJUtAVEdwYIE-AHow to turn Vim into a powerful and beautiful IDE | Jess Archer, Vimconf 2021 - https://www.youtube.com/watch?v=434tljD-5C8Airlume - https://airlume.app/Neovim - https://neovim.io/Neovim GitHub - https://github.com/neovimSponsor Neovim - https://github.com/sponsors/neovimVim - https://www.vim.org/vi - https://en.wikipedia.org/wiki/ViVimtutor - https://web.archive.org/web/20100107121743/http://linuxcommand.gds.tuwien.ac.at/man_pages/vimtutor1.htmlVisual Studio Code - https://code.visualstudio.com/PhpStorm - https://www.jetbrains.com/phpstorm/Markdown - https://www.markdownguide.org/Matt's Book - https://mattstauffer.com/laravel-up-and-running/GitHub dotfiles - https://github.com/topics/dotfilesVimConf - https://vimconf.org/Jeffrey Way's Twitter - https://twitter.com/jeffrey_way?lang=enJeffrey Way's GitHub - https://github.com/JeffreyWayKinesis Advantage2 - https://kinesis-ergo.com/shop/advantage2/Bram Moolenaar's Website - https://moolenaar.net/Lua - https://www.lua.org/Practical Vim - http://vimcasts.org/publications/Drew Neil - http://drewneil.com/Taylor Otwell's Twitter - https://twitter.com/taylorotwellTaylor Otwell's GitHub - https://github.com/taylorotwellTailwind - https://tailwindcss.com/

Max, Dominik und Jochen unterhalten sich diesmal über Ansible. Dass Ansible selbst in Python geschrieben ist, macht es für Python-Entwickler wie uns natürlich besonders interessant. "Infrastructure as code" machen inzwischen ja irgendwie auch alle - bleibt nur die Frage, ob man Terraform von Ansible aus aufrufen sollte, oder umgekehrt

We are back people! On this week's episode we recap our week off and wish SSH's very own Pookz a Happy Birthday! Our entertainment segment consists of the 2 new Netflix docu series The Most Hated Man On The Internet and  Woodstock 99.  Our thoughts on Britney Griner being sentenced to 9 years in Russian prison. Florida man is back with a story about a stolen jet ski. All while sipping on Nosotros Blanco Tequila. Thanks for all the love and support!Follow us on all our socials!IG: SilverStateHeavyweightsYouTube: SilverStateHeavyweightsTikTok: SSHPODCASTTwitter: SSHPodcast775

A recent study by a firm called ExtraHop revealed that over 60% of IT environments analyzed has SSH ports exposed. Additional research shows that many less than secure ports and protocols are left open, allowing more vectors for attackers to probe. This episode breaks down what those were and how you can get a handle on these in your environment. Be aware, be safe. *** Support the podcast with a cup of coffee *** - Ko-Fi Security In Five or become a patron https://www.patreon.com/SecurityInFive Don't forget to subscribe to the Security In Five Newsletter. —————— Where you can find Security In Five —————— Security In Five Reddit Channel r/SecurityInFive Podcast RSS Twitter @binaryblogger YouTube, Stitcher Email - bblogger@protonmail.com

Apple @ Work is brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that fully integrates 5 different applications on a single Apple-only platform, allowing Businesses and Schools to easily and automatically deploy, manage & protect all their Apple devices . Over 32,000 organizations leverage Mosyle solutions to automate the deployment,  management and security of millions of Apple devices daily. Request a FREE account today and discover how you can put your Apple fleet on auto-pilot at a price point that is hard to believe. Apple @ Work is brought to you by Kolide. Kolide can help you nail third party audits and internal compliance goals with endpoint security for your entire fleet. Learn more here. In this episode of Apple @ Work, Brad Fitzpatrick from Tailscale joins the show to talk about creating a better VPN solution, the new SSH tool, and how the company got started. Links Tailscale SSH Coding on iPad using VSCode, Caddy, and code-server Connect with Bradley Twitter LinkedIn Listen and subscribe Apple Podcasts Overcast Spotify Pocket Casts Castro RSS

In this podcast, Series 2, Chapter 6, Dr. Barsuk interviews Dr. Haru Okuda, President of the Society for Simulation in Healthcare, about important initiatives and future plans of the Society.

Donate to the podcast directly with the links below. ⚡️Donate any amount from a Bitcoin Lightning wallet ( including Cash.App ) to Billy Newman https://strike.me/billynewman ⚡️Donate $5 from a Bitcoin Lightning wallet to Billy Newman https://yr.link/lightningpay5 ⚡️Donate $11.11 from a Bitcoin Lightning wallet to Billy Newman https://yr.link/lightningpay11 ⚡️Donate $50 from a Bitcoin Lightning wallet to Billy Newman https://yr.link/lightningpay50 *New* You can send a Bitcoin Lightning payment direct from the Cash.app Get a Bitcoin Lightning wallet for free instant transfers https://breez.technology https://muun.com https://bluewallet.io Value streaming payments system enables listeners to send Bitcoin micropayments to podcasters as they listen, in real-time. Start streaming value! It's easy to remember: http://value4value.io/ newpodcastapps.com I use https://fountain.fm If you're looking to discuss photography assignment work, or a podcast interview, please drop me an email. Drop Billy Newman an email here. If you want to look at my photography, my current portfolio is here. If you want to read a free PDF eBook written by Billy Newman about film photography: you can download Working With Film here. If you get value out of the content I produce, consider making a sustaining value for value financial contribution, Visit the Support Page here. You can find my latest photo books all on Amazon here. Website Billy Newman Photo https://billynewmanphoto.com/ YouTube https://www.youtube.com/billynewmanphoto Facebook Page https://www.facebook.com/billynewmanphotos/ Twitter https://twitter.com/billynewman Instagram https://www.instagram.com/billynewman/ About   https://billynewmanphoto.com/about/ 0:14 Hello, and thank you very much for listening to this episode of The Billy Newman photo podcast. Today I'm talking more about SSH. I'm sure that's what everybody is excited to hear about. Today I was going to talk a little bit about what you can do, I guess to get to your local network from your iPhone, it's kind of interesting how you can access an SSH server or host from a terminal SSH app on your iPhone, it's kind of a cool way to do it. And it really visualizes the terminal pretty functionally. And it's an interesting way to get access to all of your files that are at home. Now to do this on a more complex scale, you have to do some kind of tricky router, port forwarding. I know it's kind of a scary set of words. But sort of on the more small scale, you can do it I guess just from your phone while you're on your local network. Or like let's say you're at work and you have a bigger like work wireless network. If you're on that local network, you can get an app like Terminus that's the one I'm using right now you search SSH in the app store and you can find a ton of stuff but I'm using this app Terminus to log in to my home computer and then access my files or FTP, myself photographs or something like that. It's kind of interesting, but it's really kind of a novelty right now until I can figure out how to do some some higher level stuff with it. I'm learning how to use like back to my Mac, some of the remote login stuff to kind of also set up a shell system I get so kind of cool, but some interesting sort of geeky stuff that I've been been messing around with the last couple weeks that's probably what you've been seeing on my Instagram stories. If you've been watching those, it's just me like, hey, look at this thing in SSH. I logged into a server no way get it you can see more of my work at Billy Newman photo comm you can check out some of my photo books on Amazon. I think if you look up Billy Newman under the authors section there and see some of the photo books on film on the desert, on surrealism on camping, you cool stuff over there and wanted to jump into a couple of the things I've been doing through the month of July and some of the outdoor camping and travel stuff I've been up to I was gonna run down some of that in this podcast today I wanted to talk about a trip I did out toward Eastern Oregon I think like last week before last is when I was out in this area and I was trying to get some good observations in for comet neowise I'm not sure if any of you guys got to check that out while it was in its prime viewing section there I think that was why we had kind of like the new moon before it switched over to being gibbous moon or nearly full moon like it's been the last week or so but I think was it around like the 15th through the 25th or so of July there's some pretty good observations to be made of comet Neo wise and I guess after after kind of reading about it a little bit it's not considered a great comment like Hale Bopp was or I think it was was an eye talkie in 1996 we haven't had a great comment in a long time I've ever seen those when I was a kid though that was pretty cool like watching the Hale Bopp come through for it seemed like three months or something you know that you're just kind of looking at that in the in the low corners of the northwestern and Western skies It was kind of cruising across the skyline I remember that still from from like third fourth grade when it was coming through and I also remember the year before that when when like straight up in the air you know like straight up in the sky at night for it was only like a week or so I was a kid you know but I remember for that week you can see a real bright two tailed comet those guns I think I can't remember how to pronounce i think is how you talk here. I think it's some it's some Japanese name. Pretty sure but that was a really cool one that one I still remember really clearly I was only like, I don't know seven or something when that like when when that comic came through but I really appreciate getting to make some observations with that one as a kid. I missed Halley's Comet though back in what 87 I think was the last one it It came through and I probably will be the few years that you know that decade or two of age range that doesn't get to see Halley's Comet in their lifetime. So I think I think I was born in 88 of course so if I make it past 100 maybe I'll see it what is it maybe like 80 something years so it's probably not going to come back around until I think it's like the 2017 or 2000 80s that I'd have to make it to for the see Halley's Comet again. 4:50 That'd be fun, but I don't know maybe we'll see a future. The future is at that time. But it was really cool to get to see comet neowise It was just a little below what would be the legs and feet of Ursa Major, the Big Dipper, or like the big bear as it would kind of be observed. But if you kind of look at the deeper part that we're all, mostly familiar with, if you kind of consider Ursa Major, the larger bear constellation that it's structured on, if you kind of look down below the dipper is where I was able to make my observations of comet neowise. And over here in the elevation area that I'm at, in Western Oregon, it's about 200 or 300 feet above sea level. And there's there's kind of a constant problem with haze and with light pollution in this area. And I think it has to do something with the well I mean, of course, the you know, the amount of population that's around and but also, something about the air quality, or about how the air kind of flows out around here that just doesn't ever seem to be as crisp or as dark as you can get up in the mountains. And, and really, it's just like a stunning difference, when you're able to get out further and make some some more clear observations, you know, the level of magnitude of stars that you're able to reveal, just in a dark night is so much more crisp and clear. It's just like a total difference. So it was cool to I think I first was able to spot just a little fuzzy bit of a second magnitude version of comet neowise while I was here in town, but I tried to make a special trip out toward Eastern Oregon out into the desert just to do some camping stuff. But what I wanted to do at the same time was make some good observations and also try and get some good photographs of comet neowise as it was coming through during its period, where you could, you could make some, some good sightings of it, but it was cool. So going out to Eastern Oregon, as it got dark, a little past 1030 or so as you look to the northwest, you can really see the comet and its tail spread for a couple inches in the sky. And I was really surprised to notice how little of it you could really make out I see when you're in an area of almost any light pollution, once you're back in town, or once you're in a lower elevation area. With some light pollution and haze around it was really difficult to make out in the same way that I could out in the desert or out in the mountains. And so I thought that was pretty cool to get to get to see and get to check out over there. But yeah, as a blast getting to do some stuff out in Eastern Oregon, I went over to the john de river area. And I was checking out that area. There's a lot of public land out in that area. But there's also some a lot of private land too. It's just kind of an interesting area, how it sort of broken up and it was cool to get to go out go out to the I headed out to Madras and then I took off and headed over East there until I ran into the john de River. And then I was able to use this map that I have to go through and find some of the open off or just the open roads that are you know, smaller gravel roads that are set up to kind of traverse the back country out there. So I was able to find a few of those that were open and travel around on those for a while. And that was pretty cool. I was able to find some dispersed campsites and set up right along the john de River, which is really cool. It's a beautiful area out there. It's kind of interesting, the john de river flows through this sort of, I guess it would be I don't know it's kind of like Canyon land and it's also sort of these rolling grass hills that sort of make up the landscape of, of Northern northern and northeastern Oregon. And I think Yeah, as soon as you kind of get a little bit for like a little bit north of bend is when you get out of the Great Basin area and you start to get into another kind of landscape that seems to stretch up north of the Columbia River up into Washington I've heard that some of it's from like really old 8:53 deposits from the river systems in the waterways that were up there and how it were like there's old old deposits and then an erosion that's happened from those rivers running through the area for such a long time but but really cool to see kind of the rolling hills and then some of the carved out canyons that go through the john de river area up there when I found the campsite I was at I was pretty far away from everybody and I was really far away from any substantial town I think it was near i don't know i don't even know what it is there wasn't anything there when I drove through there's a bridge and a couple little ranch houses you know real ranches right? Like just a little a little a little house like a little two bedroom house and then 100 acres of cattle to deal with so it seems uh seems like another life out there I wonder how they're dealing with you know, kind of the way the world is things are this summer, but it was cool. Yeah, getting out there. Went to already kind of set up my campsite and stuff had my truck going. And that was all pretty easygoing. But then I waited till dark after 1030 Yeah, comment neowise is really visible up below the Big Dipper. That was pretty cool to get to see out there in Eastern Oregon really bright really clear, you could almost make out the second tail I have my binoculars with me. I think there's some 10 by 40 twos. And those really well to view it to view the comment library really crisp through there through the binoculars and yeah, really easy to spot most of the night Even just to the naked eye, it was really easy to spot it was like, Oh yeah, it's right there, there's a comment, it's just a big whisper in the sky. So it was really cool to get to view it, what I did is I set up my tripod, and I have my camera with me. So I set it up with a really wide angle. And then I was trying to get some photographs of it as it was, as the comment was sort of coming down to set on the landscape of the hillside, you know, as the hours went on into the night. So I think I stayed out until maybe one or two in the morning, when the Big Dipper was sort of scooping down a little low onto the horizon. And then at that point, the place where the comment was dipped below the horizon and then was out of view for the rest of the evening. And I think even into the morning, I think by that time when I was photographing it, it wasn't it wasn't visible any longer. up in the morning sky, I think they said you know, at first in early July, you could kind of view it around Capella, if you were able to get out early enough, say three or four in the morning. But as as the direction as it was moving, it was kind of creeping up pretty quickly or you know, day over day over day, it would kind of move a good chunk through the sky. And in the direction that it was moving, it was moving to be more visible at the nighttime which really offered more hours of good observation time, which I thought was pretty cool to wait until it was really dark enough in the northwest view of the sky probably about 1030 onward is when you're finally able to make out those kind of finer points of light in the sky in that region. So it was really cool, set up the tripod, set up the camera, set up some manual focus to to get it kind of set sharp at night you can't you can't use autofocus when you're trying to make photographs of the night sky, the stars because it just kind of seeps back and forth you have to set it to manual focus and then 12:15 ring out your your focus ring to infinity and then just back a little bit you'll notice this every time if you do it, it's really frustrating the dark because you can't really always make it out in an easy way and edit your mistake quickly. But if you go all the way to infinity and then take fixed pictures there the night sky you're going to notice that this points of light that are the stars sort of end up a little fuzzy and it's because all the way to infinity for whatever reason just isn't quite in focus at infinity. So you have to go all the way up to infinity and then back it off just a little bit. And that'll nearly ensure that most of that part of the image is in focus the whole way and it's difficult even even if you do have an F stop that's a little bit more tightened out say like an f4 six or something you're still gonna get a lot of that out of focus softness, if the focus ring isn't really dialed into the right spot. So I try to work on that a little bit. And yeah, dialed in my focus was able to set it up with reasonable ISO to get some images of the night sky and pick up some of those finer points of light and then it was able to take a series of photographs in a few different locations out there in the john de River Valley which I thought was really cool is pretty to be out there and it was a nice night really warm in the River Canyon and really remote to like I was mentioned I think I was the only person out there for a few miles I saw another another group coming in on a like a little midsize SUV and they were going fishing out of the bend in the river a couple miles up from where I was this I took my truck down a little further and camped out just on the side of the river. It was cool nice Green River up to the kind of high desert tan rim rock that runs the area around there. So it was it was a cool evening cool campsite area it's cool spot to check out comet neowise too. So I tried to check it out. Up until I don't know what 130 in the morning when I couldn't see it anymore and then spent the night out there out in the john de river area and then the next morning got up and try to check out some of the different roads and stuff that went around. You can check out more information at Billy Newman photo comm you can go to Billy Newman photo.com Ford slash support. If you want to help me out and participate in the value for value model that we're running this podcast with. If you received some value out of some of the stuff that I was talking about, you're welcome to help me out and send some value my way through the portal at Billy Newman photo comm forward slash support. You can also find more info They're about Patreon and the way that I use it if you're interested or feel more comfortable using Patreon that's patreon.com forward slash Billy Newman photo. 15:15 For the longest time I was shooting with Nikon cameras and I'd always really liked doing that but most of that was always kind of maybe constrained by budget for I think I started with a Nikon D 40 back in mid 2007 is when I bought it the camera probably came out earlier than that, I really enjoyed kind of picking up that was like an entry level DSLR at the time, and now it's like really antiquated. I sold that off now years ago and kind of moved it over into other other camera equipment over time. But that's what I got while I was in college is a really good camera for me to learn on and kind of learn some of the fundamentals of working with a digital camera and I had a lot of fun working with I made it like a ton of photographs with it. then pretty soon after that. I tried to switch over to something that was more of a professional body when I was trying to take some of the work that I was doing a little more seriously and when I was trying to get hired as a photographer to do really even just student projects at the time I was trying to get a couple extra lenses and I was trying to get a couple stronger features in the in the camera body that I was using. So at the time I think it was in like 2008 2009 actually I think it was in 2009 I bought my first like professional body that Nikon D two H and at that time that was already a pretty antiquated camera I think in 2009 it probably came out in 2003 I think is what it was. So it's already like a pretty big gap in time there there's been at that time especially in that decade. There's just so much advancement in the way that sensors worked in the way that the scene wasn't even a CMOS It was like an elb caste is like an lb ca St. Named sensor. I don't even know what that is but it was different than the CMR system that would be in a lot of cameras I think that maybe we probably find now or you know like the sensor piece in the back and it wasn't full frame either it was in even the professional and it wasn't full frame it was still like that crop sensor that Nikon had. So it was good for for a long time and I was really happy to use it and happy to kind of learn on that camera it had a ton of features and really I probably go back to that that full professional body of Nikon. If If I was just to pick any camera that I wanted to use, I think like a Nikon D five would be an amazing camera to work with. But at the time, what I was trying to do was get a job at a newspaper like the student newspaper when I was going to college and to try and get some jobs or you know trying to get get some activity to try and go and take different photographs in different locations. And that job was great. It was cool working for the student newspaper because you get to go to different locations and try and make some interesting photo out of something that's probably not very interesting. It's normally like a person talking to a to a classroom with beige walls and low level ceiling light or something like that every once in a while you get to go to a football game or something like that so that you don't really have the opportunity to go to normally that was really fun that was interesting and it provided me a lot of opportunities to do some some different you know work with different lenses work with you know, different lighting and some sort of you know, interesting and dynamic subject matter. But a lot of the time like I mentioned it was like I think I had to go photograph that they were removing pipes from a student building on some side of campus I hadn't been to before so it was it was the I was supposed to take a photograph of the absence of pipes didn't really make a lot of sense it wasn't really a very interesting photo and there was no people or story around it so it's you know it's always something like that or it seemed to be often something like that. That was just like had almost no subject to take a photograph so it was a challenge in that way. But it was really fun when you got to do something cool so that's that's why I bought that that Nikon D to H and then to a company that I think I tried to save up some money in college that was hard for me to do. I tried to save up I think like $150 or something like that to buy the 50 millimeter one eight lens there was like I don't know the version of nifty 50 that they have over on the Nikon side It was great to use and and that that kit there that the D to H and the than the 50 millimeter was what I used to take a bunch of photographs for the next many years is a great kit of a camera to have it work really well to take I think like a bunch of the cool landscape stuff that I did on the first couple trips they did were just both with that setup. So I bought that I bought that Nikon D two h USD on eBay when I made that purchase of it. And I use that camera probably for the longest amount of time. Like I think I used that up until like around 2013 or so when I was kind of trying to shift away from it. And that's when I was getting into more film photography stuff at that time I actually switched over to a an even or just a different camera, a Nikon n 80 film camera because I was I was doing a ton of stuff with with film and film roles at the time. And then I bought a Nikon F four s another film body camera that was from like the 90s I think is when that one was manufactured. I think it first came out in like 1988 that I probably mentioned a couple 20:07 times. Thanks a lot for checking out this episode of The Billy Newman photo podcast. Hope you guys check out some stuff on Billy Newman photo.com few new things up there some stuff on the homepage good links to other other outbound sources, some links to books and links to some podcasts. Like this blog posts are pretty cool. Yeah, check it out at Billy numina photo.com. Thanks a lot for listening to this episode and the back end. Thank you Next

About BrandonBrandon West was raised in part by video games and BBSes and has been working on web applications since 1999. He entered the world of Developer Relations in 2011 as an evangelist for a small startup called SendGrid and has since held leadership roles at companies like AWS. At Datadog, Brandon is focused on helping developers improve the performance and developer experience of the things they build. He lives in Seattle where enjoys paddle-boarding, fishing, and playing music.Links Referenced: Datadog: https://www.datadoghq.com/ Twitter: https://twitter.com/bwest TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.Corey: This episode is sponsored in part by our friends at Fortinet. Fortinet's partnership with AWS is a better-together combination that ensures your workloads on AWS are protected by best-in-class security solutions powered by comprehensive threat intelligence and more than 20 years of cybersecurity experience. Integrations with key AWS services simplify security management, ensure full visibility across environments, and provide broad protection across your workloads and applications. Visit them at AWS re:Inforce to see the latest trends in cybersecurity on July 25-26 at the Boston Convention Center. Just go over to the Fortinet booth and tell them Corey Quinn sent you and watch for the flinch. My thanks again to my friends at Fortinet.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is someone I've been trying to get on the show for years, but I'm very bad at, you know, following up and sending the messages and all the rest because we all struggle with our internal demons. My guest instead struggles with external demons. He is the team lead for developer experience and tools advocacy at what I can only assume is a Tinder for Pets style company, Date-A-Dog. Brendon West, thank you for joining me today.Brandon: Hey, Corey, thanks for having me. I'm excited to be here. Finally, like you said, it's been a couple of years. But glad that it's happening. And yeah, I'm on the DevRel team at Datadog.Corey: Yes, I'm getting a note here in the headset of breaking news coming in. Yes, you're not apparently a dog dating company, you are a monitoring slash observability slash whatever the cool kids are calling it today telemetry outputer dingus nonsense. Anyone who has ever been to a community or corporate event has no doubt been tackled by one of the badge scanners that you folks have orbiting your booth, but what is it that you folks do?Brandon: Well, the observability, the monitoring, the distributed tracing, all that stuff that you mentioned. And then a lot of other interesting things that are happening. Security is a big focus—InfoSec—so we're adding some products around that, automated security monitoring, very cool. And then the sort of stuff that I'm representing is stuff that helps developers provide a better experience to their end-users. So, things like front-end monitoring, real-time user monitoring, synthetic testing of your APIs, whatever it might be.Corey: Your path has been somewhat interesting because you—well, everyone's path has been somewhat interesting; yours has been really interesting because back in 2011, you entered the world of developer relations, or being a DevReloper as I insist on calling it. And you were in a—you call it a small startup called SendGrid. Which is, on some level, hilarious from my point of view. I've been working with you folks—you folks being SendGrid—for many years now. I cared a lot about email once upon a time.And now I send an email newsletter every week, that deep under the hood, through a couple of vendor abstraction layers is still SendGrid, and I don't care about email because that's something that I can pay someone else to worry about. You went on as well to build out DevRel teams at AWS. You decided okay, you're going to take some time off after that. You went to a small scrappy startup and ah, nice. You could really do things right and you have a glorious half of the year and then surprise, you got acquired by Datadog. Congratu-dolances on that because now you're right back in the thick of things at big company-style approaches. Have I generally nailed the trajectory of the past decade for you?Brandon: Yeah, I think the broad strokes are all correct there. SendGrid was a small company when I joined, you know? There were 30 of us or so. So, got to see that grow into what it is today, which was super, super awesome. But other than that, yeah, I think that's the correct path.Corey: It's interesting to me, in that you were more or less doing developer relations before that was really a thing in the ecosystem. And I understand the challenge that you would have in a place like SendGrid because that is large-scale email sending, transactional or otherwise, and that is something that by and large, has slipped below the surface level of awareness for an awful lot of folks in your target market. It's, “Oh, okay, and then we'll just have the thing send an email,” they say, hand-waving over what is an incredibly deep and murky pool. And understanding that is a hard thing requires a certain level of technical sophistication. So, you started doing developer relations for something that very clearly needed some storytelling chops. How did you fall into it originally?Brandon: Well, I wanted to do something that let me use those storytelling chops, honestly. I had been writing code at an agency for coal mines and gold mines and really actively inserting evil into the world, power plants, and that sort of thing. And, you know, I went to school for English literature. I loved writing. I played in thrash metal bands when I was a kid, so I've been up on stage being cussed at and told that I suck. So I—Corey: Oh, I get that conference talks all the time.Brandon: Yeah, right? So, that's why when people ask me to speak, I'm like, “Absolutely.” There's no way I can bomb harder than I've bombed before. No fear, right? So yeah, I wanted to use those skills. I wanted to do something different.And one of my buddies had a company that he had co-founded that was going through TechStars in Boulder. SendGrid was the first accelerator-backed company to IPO which is pretty cool. But they had gone through TechStars in 2009. They were looking for a developer evangelist. So, SendGrid was looking for developer evangelist and my friend introduced me said, “I think you'd be good at this. You should have a conversation.” My immediate thought was what the hell is a developer evangelist?Corey: And what might a SendGrid be? And all the rest. Yes, it's that whole, “Oh, how do I learn to swim?” Someone throws you off the end of the dock and then retrospect, it's, “I don't think they were trying to teach me how to swim.” Yeah. Hindsight.Brandon: Yeah. It worked out great. I will say, though, that I think DevRel has been around for a long time, you know? The title has been around since the original Macintosh at Apple in 1980-ish. There's a whole large part of the tech world that would like you to think that it's new because of all the terrible things that their DevRel team did at Microsoft in the late-90s.And you can go read all about this. There were trials about it. These documents were released to the public, James Plamondon is the lead architect of all of this nastiness. But I think there was then a concerted effort to memory-hole that and say, “No, DevRel is new and shiny.” And then Google came along and said, “Well, it's not evangelism anymore. It's advocacy.”Corey: It's not sysadmin work anymore. It's SRE. It's not on-prem, it's Sparkling Kubernetes, et cetera, et cetera.Brandon: Yeah, so there's this sense in a lot of places that DevRel is new, but it's actually been around a long time. And you can learn a lot from reading about the history and understanding it, something I've given a talk on and written a bit about. So.Corey: My philosophy around developer relations for a while has been that in many cases, its biggest obstacle is the way that it is great at telling stories about fantastically complex, deeply technical things; it can tell stories about almost anything except itself. And I keep seeing similar expressions of the same problem again, and again, and again. I mean, AWS, where you worked, as an example: they love to talk about their developer advocates, and you read the job descriptions and these are high-level roles with sweeping responsibilities, broad basis of experience being able to handle things at a borderline executive level. And then they almost neuter the entire thing by slapping a developer advocate title on top of those people, which means that some of the people that would be most effectively served by talking to them will dismiss them as, “Well, I'm a director”—or a VP—“What am I going to do talking to a developer advocate?” It feels like there's a swing and a miss as far as encapsulating the value that the function provides.I want to be clear, I am not sitting here shitting on DevRel or its practitioners, I see a problem with how it [laugh] is being expressed. Now, feel free to argue with me and just scream at me for the next 20 minutes, and this becomes a real short show. But—Brandon: [laugh].Corey: —It'll be great. Hit me.Brandon: No, you're correct in many ways, which makes me sad because these are the same conversations that I've been having for the 11, 12 years that I've been in DevRel now. And I thought we would have moved past this at some point, but the problem is that we are bad at advocating for advocacy. We do a bad job of relating to people about DevRel because we spend so much time worried about stuff that doesn't really matter. And we get very loud voices in the echo chamber screaming about titles and evangelism versus advocate versus community manager, and which department you should report up to, and all of these things that ultimately don't matter. And it just seems like bickering from the outside. I think that the core of what we do is super awesome. And I don't think it's very hard to articulate. It's just that we don't spend the time to do that.Corey: It's always odd to me when I talk to someone like, “Oh, you're in DevRel. What does that mean?” And their immediate response is, “Well, it's not marketing, I'll tell you that.” It's feels like there might be some trauma that is being expressed in some strange ways. I do view it as marketing, personally, and people who take umbrage at that don't generally tend to understand what marketing is.Yeah, you can look at any area of business or any function and judge it by some of the worst examples that we've all seen, but when someone tells me they work in sales, I don't automatically assume that they are sending me horrifyingly passive-aggressive drip campaigns, or trying to hassle me in a car lot. It's no, there's a broad spectrum of people. Just like I don't assume that you're an engineer. And I immediately think, oh, you can't solve FizzBuzz on a whiteboard. No, there's always going to be a broad spectrum of experience.Marketing is one of those awesome areas of business that's dramatically misunderstood a lot. Similarly to the fact that, you know, DevRel can't tell stories, you think marketing could tell stories about itself, but it's still struggles, too, in a bunch of ways. But I do believe that even if they're not one of the same, developer relations and marketing are aligned around an awful lot of things like being able to articulate value that is hard to quantify.Brandon: I completely agree with that. And if I meet someone in DevRel that starts off the conversation by saying that they're not in marketing, then I know they're probably not that great at their job. I mean, I think there's a place of tech hubris, where we want to disrespect anything that's not a hard skill where it's not putting zeros and ones into a chip—Corey: And spoiler, they're all very hard skills.Brandon: [laugh]. Yeah. And so, first off, like, stop disrespecting marketing. It's important; your business probably wouldn't survive if you didn't have it. And second of all, you're not immune to it, right?Like, Heartbleed had a logo and a name for vulnerability because tech people are so susceptible to it, right? People don't just wake up and wait in line for three days for a new iPhone because tech marketing doesn't work, right?Corey: “Oh, tech marketing doesn't work on me,” says someone who's devoted last five years of their life to working on Kubernetes. Yeah, sure it doesn't.Brandon: Yeah exactly. So, that whole perspective is silly. I think part of the problem is that they don't want to invest in learning how to communicate what they do to a marketing org. They don't want to spend the time to say, “Here's how the marketing world thinks, and here's how we can fit into that perspective.” They want to come in and say, “Well, you don't understand DevRel. Let me define DevRel for you and tell you what we do.” And all those sorts of things. It's too prescriptive and less collaborative.Corey: Anytime you start getting into the idea of metrics around how do you measure someone in a developer advocacy role, the answer is, “Well, your metrics that you're using are wrong, and any metrics you use are wrong, and there's no good way to do it.” And I am sympathetic to that. When I started this place, I knew that if I went to a bunch of events and did my thing, good things would happen for the business. And how did I articulate that? Gut feel, but when you own the place, you can do that.Whereas when you are a function inside of another org, inside of another org, and you start looking at from the executive leadership position at these things, it's, “Okay, so let me get this straight. You cost as much as an engineer, you cost as much as that again, in your expenses because you're traveling all the time, you write zero production code, whenever people ask you what it is you do here, you have a very strange answer, and from what we can tell, it looks like you hang out with your friends in exotic locations, give a 15-minute talk from time to time that mentions our name at the beginning, and nothing else relevant to our business, and then you go around and the entire story is ‘just trust me, I'm adding value.'” Yeah, when it's time to tighten belts and start cutting back, is it any wonder that the developer advocacy is often one of the first departments hit from that perspective?Brandon: It doesn't surprise me. I mean, I've been a part of DevRel teams where we had some large number of events that we had attended for the year—I think 450-something—and the director of the team was very excited to show that off, right, you should have seen the CFOs face when he heard that, right, because all he sees is outgoing dollar signs. Like, how much expense? What's the ROI on 450 events?Corey: Yeah, “450 events? That's more than one a day. Okay, great. That's a big number and I already know what we're spending. Great. How much business came out of that?”And that's when the hemming and hawing starts. Like, well, sort of, and yadda—and yeah, it doesn't present well in the language that they are prepared to speak. But marketing can tell those stories because they have for ages. Like, “Okay, how much business came from our Superbowl ad?” “I dunno. The point is, is that there's a brand awareness play, there's the chance to remain top of the mental stack when people think about this space. And over the next few months, we can definitely see there's been a dramatic uptick in our business. Now, how do we attribute that back? Well, I don't know.”There's a saying in marketing, that half of your marketing budget is wasted. Now, figuring out which half will spend the rest of your career, you'll never get even close. Because people don't know the journey that customers go through, not really. Even customers don't often see it.Take this podcast, for example. I have sponsors that I do love and appreciate who say things from time to time on this show. And people will hear it and occasionally will become customers of those sponsors. But very often, it's, “Oh, I heard about that on the podcast. I'll Google it when I get to work and then I'll have a conversation with my team and we'll agree to investigate that.”And any UTM tracking has long since fallen by the wayside. You might get to that from discussions with users in their interview process, but very often, they won't remember where it came up. And it's one of those impossible to quantify things. Now, I sound like one of those folks where I'm trying to say, “Oh, buy sponsorships that you can never prove add value.” But that is functionally how advertising tends to work, back in the days before it spied on you.Brandon: Yeah, absolutely. And we've added a bunch of instrumentation to allow us to try and put that multi-touch attribution model together after the fact, but I'm still not sure that that's worth the squeeze, right? You don't get much juice out. One of the problems with metrics in DevRel is that the things that you can measure are very production-focused. It's how many talks did you give? How many audience members did you reach?Some developer relations folks do actually write production code, so it might be how many of the official SDK that you support got downloaded? That can be more directly attributed to business impact, those sorts of things are fantastic. But a lot of it is kind of fuzzy and because it's production-focused, it can lead to burnout because it's disconnected from business impact. “It's how many widgets did your line produce today?” “Well, we gave all these talks and we had 150,000 engaged developer hours.” “Well, cool, what was the business outcome?” And if you can't answer that for your own team and for your own self in your role, that leads pretty quickly to burnout.Corey: Anytime you start measuring something and grading people based on it, they're going to optimize for what you measure. For example, I send an email newsletter out, at time of this recording, to 31,000 people every week and that's awesome. I also periodically do webinars about the joys of AWS bill optimization, and you know, 50 people might show up to one of those things. Okay, well, from a broad numbers perspective, yeah, I'd much rather go and send something out to those 31,000, folks until you realize that the kind of person that's going to devote half an hour, forty-five minutes to having a discussion with you about AWS bill optimization is far likelier to care about this to the point where they become a customer than someone who just happens to be in an audience for something that is orthogonally-related. And that is the trick because otherwise, we would just all be optimizing for the single biggest platforms out there if oh, I'm going to go talk at this conference and that conference, not because they're not germane to what we do, but because they have more people showing up.And that doesn't work. When you see that even on the podcast world, you have Joe Rogan, as the largest podcast in the world—let's not make too many comparisons in different ways because I don't want to be associated with that kind of tomfoolery—but there's a reason that his advertisers, by and large, are targeting a mass-market audience, whereas mine are targeting B2B SaaS, by and large. I'm not here shilling for various mattress companies. I'm instead talking much more about things that solve the kind of problem that listeners to this show are likely to have. It's the old-school of thought of advertising, where this is a problem that is germane to a certain type of audience, and that certain type of audience listens to shows like this. That was my whole school of thought.Brandon: Absolutely. I mean, the core value that you need to do DevRel, in my opinion is empathy. It's all about what Maya Angelou said, right? “People may not remember what you said, but they'll definitely remember how you made them feel.” And I found that to be incredibly true.Like, the moments that I regret the most in DevRel are the times when someone that I've met and spent time with before comes up to have a conversation and I don't remember them because I met 200 people that night. And then I feel terrible, right? So, those are the metrics that I use internally. It's hearts and minds. It's how do people feel? Am I making them feel empowered and better at their craft through the work that I do?That's why I love DevRel. If I didn't get that fulfillment, I'd go write code again. But I don't get that sense of satisfaction, and wow, I made an impact on this person's trajectory through their career that I do from DevRel. So.Corey: I come bearing ill tidings. Developers are responsible for more than ever these days. Not just the code that they write, but also the containers and the cloud infrastructure that their apps run on. Because serverless means it's still somebody's problem. And a big part of that responsibility is app security from code to cloud. And that's where our friend Snyk comes in. Snyk is a frictionless security platform that meets developers where they are - Finding and fixing vulnerabilities right from the CLI, IDEs, Repos, and Pipelines. Snyk integrates seamlessly with AWS offerings like code pipeline, EKS, ECR, and more! As well as things you're actually likely to be using. Deploy on AWS, secure with Snyk. Learn more at Snyk.co/scream That's S-N-Y-K.co/screamCorey: The way that I tend to see it, too, is that there's almost a bit of a broadening of DevRel. And let's be clear, it's a varied field with a lot of different ways to handle that approach. I'm have a terrible public speaker, so I'm not going to ever succeed in DevRel. Well, that's certainly not true. People need to write blog posts; people need to wind up writing some of the sample code, in some cases; people need to talk to customers in a small group environment, as opposed to in front of 3000 people and talk about the things that they're seeing, and the rest.There's a broad field and different ways that it applies. But I also see that there are different breeds of developer advocate as well. There are folks, like you for example. You and I have roughly the same amount of time in the industry working on different things, whereas there's also folks who it seems like they graduate from a boot camp, and a year later, they're working in a developer advocacy role. Does that mean that they're bad developer advocates?I don't think so, but I think that if they try and present things the same way that you were I do from years spent in the trenches working on these things, they don't have that basis of experience to fall back on, so they need to take a different narrative path. And the successful ones absolutely do.Brandon: Yeah.Corey: I think it's a nuanced and broad field. I wish that there was more acceptance and awareness of that.Brandon: That's absolutely true. And part of the reason people criticize DevRel and don't take it seriously, as they say, “Well, it's inconsistent. This org, it reports to product; or, this org, it reports up to marketing; this other place, it's part of engineering.” You know, it's poorly defined. But I think that's true of a lot of roles in tech.Like, engineering is usually done a different way, very differently at some orgs compared to others. Product teams can have completely different methodologies for how they track and manage and estimate their time and all of those things. So, I would like to see people stop using that as a cudgel against the whole profession. It just doesn't make any sense. At the same time, two of the best evangelist I ever hired were right out of university, so you're completely correct.The key thing to keep in mind there is, like, who's the audience, right, because ultimately, it's about building trust with the audience. There's a lot of rooms where if you and I walk into the room; if it's like a college hackathon, we're going to have a—[laugh], we're going to struggle.Corey: Yeah, we have some real, “Hello fellow kids,” energy going on when we do that.Brandon: Yeah. Which is also why I think it's incredibly important for developer relations teams to be aware of the makeup of their team. Like, how diverse is your team, and how diverse are the audiences you're speaking to? And if you don't have someone who can connect, whether it's because of age or lived experience or background, then you're going to fail because like I said that the number one thing you need to be successful in this role is empathy, in my opinion.Corey: I think that a lot of the efforts around a lot of this—trying to clarify what it is—some cases gone in well, I guess I'm going to call it the wrong direction. And I know that sounds judgy and I'm going to have to live with that, I suppose, but talk to me a bit about the, I guess, rebranding that we've seen in some recent years around developer advocates. Specifically, like, I like calling folks DevRelopers because it's cutesy, it's a bit of a portmanteau. Great. But it's also not something I seriously suggest most people put on business cards.But there are people who are starting to, I think, take a similar joke and actually identify with it where they call themselves developer avocados, which I don't fully understand. I have opinions on it, but again, having opinions that are not based in data is something I try not to start shouting from the rooftops wherever I can. You live in that world a lot more posted than I do, where do you stand?Brandon: So, I think it was well-intentioned and it was an attempt to do some of the awareness and brand building for DevRel, broadly, that we had lacked. But I see lots of problems with it. One, we already struggle to be taken seriously in many instances, as we've been discussing, and I don't think we do ourselves any favors by giving ourselves cutesy nicknames that sort of infantilize the role like I can't think of any other job that has a pet name for the work that they do.Corey: Yeah. The “ooh-woo accounting”. Yeah, I sort of don't see that happening very often in most business orgs.Brandon: Yeah. It's strange to me at the same time, a lot of the people who came up with it and popularized it are people that I consider friends and good colleagues. So hopefully, they won't be too offended, but I really think that it kind of set us back in many ways. I don't want to represent the work that I do with an emoji.Corey: Funny, you bring that up. As we record this through the first recording, I have on my new ridiculous desktop computer thing from Apple, which I have named after a—you know, the same naming convention that you would expect from an AWS region—it's us-shitpost-one. Instead of the word shit, it has the poop emoji. And you'd be amazed at the number of things that just melt when you start trying to incorporate that. GitHub has a problem with that being the name of an SSH key, for example.I don't know if I'll keep it or I'll just fall back to just spelling words out, but right now, at least, it really is causing all kinds of strange computer problems. Similarly, it causes strange cultural problems when you start having that dissonance and seeing something new and different like that in a business context. Because in some cases, yeah, it helps you interact with your audience and build rapport; in many others, it erodes trust and confidence that you know what you're talking about because people expect things to be cast a certain way. I'm not saying they're right. There's a shitload of bias that bakes into that, but at the same time, I'd like to at least bias for choosing when and where I'm going to break those expectations.There's a reason that increasingly, my Duckbillgroup.com website speaks in business terms, rather than in platypus metaphors, whereas lastweekinaws.com, very much leans into the platypus. And that is the way that the branding is breaking down, just because people expect different things in different places.Brandon: Yeah and, you know, this framing matters. And I've gone through two exercises now where I've helped rename an evangelism team to an advocacy team, not because I think it's important to me—it's a bunch of bikeshedding—but it has external implications, right? Especially evangelism, in certain parts of the world, has connotations. It's just easier to avoid those. And how we present ourselves, the titles that we choose are important.I wish we would spend way less time arguing about them, you know, advocacy has won evangelism, don't use it. DevRel, if you don't want to pick one, great. DevRel is broader umbrella. If you've got community managers, people who can't write code that do things involving your events or whatever, program managers, if they're on your team, DevRel, great description. I wish we could just settle that. Lots of wasted air discussing that one.Corey: Constantly. It feels like this is a giant distraction that detracts from the value of DevRel. Because I don't know about you, but when I pick what I want to do next in my career, the things I want to explain to people and spend that energy on are never, I want to explain what it is that I do. Like I've never liked those approaches where you have to first educate someone before they're going to be in a position where they want to become your customer.I think, honestly, that's one of the things that Datadog has gotten very right. One of the early criticisms lobbed against Datadog when it first came out was, “Oh, this is basically monitoring by Fisher-Price.” Like, “This isn't the deep-dive stuff.” Well yeah, but it turns out a lot of your buying audience are fundamentally toddlers with no visibility into what's going on. For an awful lot of what I do, I want it to be click, click, done.I am a Datadog customer for a reason. It's not because I don't have loud and angry opinions about observability; it's because I just want there to be a dashboard that I can look at and see what's working, what's not, and do I need to care about things today? And it solves that job admirably because if I have those kinds of opinions about every aspect, I'm never going to be your customer anyway, or anyone's customer. I'm going to go build my own and either launch a competitor or realize this is my what I truly love doing and go work at a company in this space, possibly yours. There's something to be said for understanding the customer journey that those customers do not look like you.And I think that's what's going on with a lot of the articulation around what developer relations is or isn't. The people on stage who go to watch someone in DevRel give a talk, do not care, by and large, what DevRel is. They care about the content that they're about to hear about, and when the first half of it is explaining what the person's job is or isn't, people lose interest. I don't even like intros at the beginning of a talk. Give me a hook. Talk for 45 seconds. Give me a story about why I should care before you tell me who you are, what your credentials are, what your job title is, who you work for. Hit me with something big upfront and then we'll figure it out from there.Brandon: Yeah, I agree with you. I give this speaking advice to people constantly. Do not get up on stage and introduce yourself. You're not a carnival hawker. You're not trying to get people to roll up and see the show.They're already sitting in the seat. You've established your credibility. If they had questions about it, they read your abstract, and then they went and checked you out on LinkedIn, right? So, get to the point; make it engaging and entertaining.Corey: I have a pet theory about what's going on in some cases where, I think, on some level, it's an outgrowth of an impostor-syndrome-like behavior, where people don't believe that they deserve to be onstage talking about things, so they start backing up their bona fides to almost reassure themselves because they don't believe that they should be up there and if they don't believe it, why would anyone else. It's the wrong approach. By holding the microphone, you inherently deserve to hold the microphone. And go ahead and tell your story. If people care enough to dig into you and who you are and well, “What is this person's background, really?” Rest assured the internet is pretty easy to use these days, people will find out. So, let them do that research if they care. If they don't, then there's an entire line of people in this world who are going to dislike you or say you're not qualified for what it is you're doing or you don't deserve it. Don't be in that line, let alone at the front of it.Brandon: So, you mentioned imposter syndrome and it got me thinking a little bit. And hopefully this doesn't offend anyone, but I kind of starting to think that imposter syndrome is in many ways invented by people to put the blame on you for something that's their fault. It's like a carbon footprint to the oil and gas industry, right? These companies can't provide you psychological safety and now they've gone and convinced you that it's your fault and that you're suffering from this syndrome, rather than the fact that they're not actually making you feel prepared and confident and ready to get up on that stage, even if it's your first time giving a talk, right?Corey: I hadn't considered it like that before. And again, I do tend to avoid straying into mental health territory on this show because I'm not an—Brandon: Yes.Corey: Expert. I'm a loud, confident white guy in tech. My failure mode is a board seat and a book deal, but I am not board-certified, let's be clear. But I think you're onto something here because early on in my career, I was very often faced with a whole lot of nebulous job description-style stuff and I was never sure if I was working on the right thing. Now that I'm at this stage of my career, and as you become more senior, you inherently find yourselves in roles, most of the time, that are themselves mired in uncertainty. That is, on some level, what seniority leads to.And that's fine, but early on in your career, not knowing if you're succeeding or failing, I got surprise-fired a number of times when I thought I was doing great. There are also times that I thought I was about to be fired on the spot and, “Come on in; shut the door.” And yeah, “Here's a raise because you're just killing it.” And it took me a few years after that point to realize, wait a minute. They were underpaying me. That's what that was, and they hope they didn't know.But it's that whole approach of just trying to understand your place in the world. Do I rock? Do I suck? And it's that constant uncertainty and unknowing. And I think companies do a terrible job, by and large, of letting people know that they're okay, they're safe, and they belong.Brandon: I completely agree. And this is why I would strongly encourage people—if you have the privilege—please do not work at a company that does not want you to bring your whole self to work, or that bans politics, or however they want to describe it. Because that's just a code word for we won't provide you psychological safety. Or if they're going to, it ends at a very hard border somewhere between work and life. And I just don't think anyone can be successful in those environments.Corey: I'm sure it's possible, but it does bias for folks who, frankly, have a tremendous amount of privilege in many respects where I mentioned about, like, I'm a white dude in tech—you are too—and when we say things, we are presumed competent and people don't argue with us by default. And that is a very easy to forget thing. Not everyone who looks like us is going to have very similar experiences. I have gotten it hilariously wrong before when I gave talks on how to wind up negotiating for salaries, for example, because well, it worked for me, what's the problem? Yeah, I basically burned that talk with fire, redid the entire thing and wound up giving it with a friend of mine who was basically everything that I am not.She was an attorney, she was a woman of color, et cetera, et cetera. And suddenly, it was a much stronger talk because it wasn't just, “How to Succeed for White Guys.” There's value in that, but you also have to be open to hearing that and acknowledging that you were born on third; you didn't hit a triple. There's a difference. And please forgive the sports metaphor. They do not sound natural coming from me.Brandon: [laugh]. I don't think I have anything more interesting to add on that topic.Corey: [laugh]. So, I really want to thank you for taking the time to speak with me today. If people want to learn more about what you're up to and how you view the world, what's the best place to find you.Brandon: So, I'm most active on Twitter at @bwest, but you know, it's a mix of things so you may or may not just get tech. Most recently, I've been posting about a—Corey: Oh, heaven forbid you bring your whole self to school.Brandon: Right? I think most recently, I've been posting about a drill press that I'm restoring. So, all kinds of fun stuff on there.Corey: I don't know it sounds kind of—wait for it—boring to me. Bud-dum-tiss.Brandon: [laugh]. [sigh]. I can't believe I missed that one.Corey: You're welcome.Brandon: Well, done. Well, done. And then I also will be hiring for a couple of developer relations folks at Datadogs soon, so if that's interesting and you like the words I say about how to do DevRel, then reach out.Corey: And you can find all of that in the show notes, of course. I want to thank you for being so generous with your time. I really appreciate it.Brandon: Hey, thank you, Corey. I'm glad that we got to catch up after all this time. And hopefully get to chat with you again sometime soon.Corey: Brandon West, team lead for developer experience and tools advocacy at Datadog. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry and insulting comment that is talking about how I completely misunderstand the role of developer advocacy. And somehow that rebuttal features no fewer than 400 emoji shoved into it.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

About ChrisChris Short has been a proponent of open source solutions throughout his over two decades in various IT disciplines, including systems, security, networks, DevOps management, and cloud native advocacy across the public and private sectors. He currently works on the Kubernetes team at Amazon Web Services and is an active Kubernetes contributor and Co-chair of OpenGitOps. Chris is a disabled US Air Force veteran living with his wife and son in Greater Metro Detroit. Chris writes about Cloud Native, DevOps, and other topics at ChrisShort.net. He also runs the Cloud Native, DevOps, GitOps, Open Source, industry news, and culture focused newsletter DevOps'ish.Links Referenced: DevOps'ish: https://devopsish.com/ EKS News: https://eks.news/ Containers from the Couch: https://containersfromthecouch.com opengitops.dev: https://opengitops.dev ChrisShort.net: https://chrisshort.net Twitter: https://twitter.com/ChrisShort TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Coming back to us since episode two—it's always nice to go back and see the where are they now type of approach—I am joined by Senior Developer Advocate at AWS Chris Short. Chris, been a few years. How has it been?Chris: Ha. Corey, we have talked outside of the podcast. But it's been good. For those that have been listening, I think when we recorded I wasn't even—like, when was season two, what year was that? [laugh].Corey: Episode two was first pre-pandemic and the rest. I believe—Chris: Oh. So, yeah. I was at Red Hat, maybe, when I—yeah.Corey: Yeah. You were doing Red Hat stuff, back when you got to work on open-source stuff, as opposed to now, where you're not within 1000 miles of that stuff, right?Chris: Actually well, no. So, to be clear, I'm on the EKS team, the Kubernetes team here at AWS. So, when I joined AWS in October, they were like, “Hey, you do open-source stuff. We like that. Do more.” And I was like, “Oh, wait, do more?” And they were like, “Yes, do more.” “Okay.”So, since joining AWS, I've probably done more open-source work than the three years at Red Hat that I did. So, that's kind of—you know, like, it's an interesting point when I talk to people about it because the first couple months are, like—you know, my friends are like, “So, are you liking it? Are you enjoying it? What's going on?” And—Corey: Do they beat you with reeds? Like, all the questions people have about companies? Because—Chris: Right. Like, I get a lot of random questions about Amazon and AWS that I don't know the answer to.Corey: Oh, when I started telling people, I fixed Amazon bills, I had to quickly pivot that to AWS bills because people started asking me, “Well, can you save me money on underpants?” It's I—Chris: Yeah.Corey: How do you—fine. Get the prime credit card. It docks 5% off the bill, so there you go. But other than that, no, I can't.Chris: No.Corey: It's—Chris: Like, I had to call my bank this morning about a transaction that I didn't recognize, and it was from Amazon. And I was like, that's weird. Why would that—Corey: Money just flows one direction, and that's the wrong direction from my employer.Chris: Yeah. Like, what is going on here? It shouldn't have been on that card kind of thing. And I had to explain to the person on the phone that I do work at Amazon but under the Web Services team. And he was like, “Oh, so you're in IT?”And I'm like, “No.” [laugh]. “It's actually this big company. That—it's a cloud company.” And they're like, “Oh, okay, okay. Yeah. The cloud. Got it.” [laugh]. So, it's interesting talking to people about, “I work at Amazon.” “Oh, my son works at Amazon distribution center,” blah, blah, blah. It's like, cool. “I know about that, but very little. I do this.”Corey: Your son works in Amazon distribution center. Is he a robot? Is normally my next question on that? Yeah. That's neither here nor there.So, you and I started talking a while back. We both write newsletters that go to a somewhat similar audience. You write DevOps'ish. I write Last Week in AWS. And recently, you also have started EKS News because, yeah, the one thing I look at when I'm doing these newsletters every week is, you know what I want to do? That's right. Write more newsletters.Chris: [laugh].Corey: So, you are just a glutton for punishment? And, yeah, welcome to the addiction, I suppose. How's it been going for you?Chris: It's actually been pretty interesting, right? Like, we haven't pushed it very hard. We're now starting to include it in things. Like we did Container Day; we made sure that EKS news was on the landing page for Container Day at KubeCon EU. And you know, it's kind of just grown organically since then.But it was one of those things where it's like, internally—this happened at Red Hat, right—when I started live streaming at Red Hat, the ultimate goal was to do our product management—like, here's what's new in the next version thing—do those live so anybody can see that at any point in time anywhere on Earth, the second it's available. Similar situation to here. This newsletter actually is generated as part of a report my boss puts together to brief our other DAs—or developer advocates—you know, our solutions architects, the whole nine yards about new EKS features. So, I was like, why can't we just flip that into a weekly newsletter, you know? Like, I can pull from the same sources you can.And what's interesting is, he only does the meeting bi-weekly. So, there's some weeks where it's just all me doing it and he ends up just kind of copying and pasting the newsletter into his document, [laugh] and then adds on for the week. But that report meeting for that team is now getting disseminated to essentially anyone that subscribes to eks.news. Just go to the site, there's a subscribe thing right there. And we've gotten 20 issues in and it's gotten rave reviews, right?Corey: I have been a subscriber for a while. I will say that it has less Chris Short personality—Chris: Mm-hm.Corey: —to it than DevOps'ish does, which I have to assume is by design. A lot of The Duckbill Group's marketing these days is no longer in my voice, rather intentionally, because it turns out that being a sarcastic jackass and doing half-billion dollar AWS contracts can not to be the most congruent thing in the world. So okay, we're slowly ameliorating that. It's professional voice versus snarky voice.Chris: Well, and here's the thing, right? Like, I realized this year with DevOps'ish that, like, if I want to take a week off, I have to do, like, what you did when your child was born. You hired folks to like, do the newsletter for you, or I actually don't do the newsletter, right? It's binary: hire someone else to do it, or don't do it. So, the way I structured this newsletter was that any developer advocate on my team could jump in and take over the newsletter so that, you know, if I'm off that week, or whatever may be happening, I, Chris Short, am not the voice. It is now the entire developer advocate team.Corey: I will challenge you on that a bit. Because it's not Chris Short voice, that's for sure, but it's also not official AWS brand voice either.Chris: No.Corey: It is clearly written by a human being who is used to communicating with the audience for whom it is written. And that is no small thing. Normally, when oh, there's a corporate newsletter; that's just a lot of words to say it's bad. This one is good. I want to be very clear on that.Chris: Yeah, I mean, we have just, like, DevOps'ish, we have sections, just like your newsletter, there's certain sections, so any new, what's new announcements, those go in automatically. So, like, that can get delivered to your inbox every Friday. Same thing with new blog posts about anything containers related to EKS, those will be in there, then Containers from the Couch, our streaming platform, essentially, for all things Kubernetes. Those videos go in.And then there's some ecosystem news as well that I collect and put in the newsletter to give people a broader sense of what's going on out there in Kubernetes-land because let's face it, there's upstream and then there's downstream, and sometimes those aren't in sync, and that's normal. That's how Kubernetes kind of works sometimes. If you're running upstream Kubernetes, you are awesome. I appreciate you, but I feel like that would cause more problems and it's worse sometimes.Corey: Thank you for being the trailblazers. The rest of us can learn from your misfortune.Chris: [laugh]. Yeah, exactly. Right? Like, please file your bugs accordingly. [laugh].Corey: EKS is interesting to me because I don't see a lot of it, which is, probably, going to get a whole lot of, “Wait, what?” Moments because wait, don't you deal with very large AWS bills? And I do. But what I mean by that is that EKS, until you're using its Fargate expression, charges for the control plane, which rounds to no money, and the rest is running on EC2 instances running in a company's account. From the billing perspective, there is no difference between, “We're running massive fleets of EKS nodes.” And, “We're managing a whole bunch of EC2 instances by hand.”And that feels like an interesting allegory for how Kubernetes winds up expressing itself to cloud providers. Because from a billing perspective, it just looks like one big single-tenant application that has some really strange behaviors internally. It gets very chatty across AZs when there's no reason to, and whatnot. And it becomes a very interesting study in how to expose aspects of what's going on inside of those containers and inside of the Kubernetes environment to the cloud provider in a way that becomes actionable. There are no good answers for this yet, but it's something I've been seeing a lot of. Like, “Oh, I thought you'd be running Kubernetes. Oh, wait, you are and I just keep forgetting what I'm looking at sometimes.”Chris: So, that's an interesting point. The billing is kind of like, yeah, it's just compute, right? So—Corey: And my insight into AWS and the way I start thinking about it is always from a billing perspective. That's great. It's because that means the more expensive the services, the more I know about it. It's like, “IAM. What is that?” Like, “Oh, I have no idea. It's free. How important could it be?” Professional advice: do not take that philosophy, ever.Chris: [laugh]. No. Ever. No.Corey: Security: it matters. Oh, my God. It's like you're all stars. Your IAM policy should not be. I digress.Chris: Right. Yeah. Anyways, so two points I want to make real quick on that is, one, we've recently released an open-source project called Carpenter, which is really cool in my purview because it looks at your Kubernetes file and says, “Oh, you want this to run on ARM instance.” And you can even go so far as to say, right, here's my limits, and it'll find an instance that fits those limits and add that to your cluster automatically. Run your pod on that compute as long as it needs to run and then if it's done, it'll downsize—eventually, kind of thing—your cluster.So, you can basically just throw a bunch of workloads at it, and it'll auto-detect what kind of compute you will need and then provision it for you, run it, and then be done. So, that is one-way folks are probably starting to save money running EKS is to adopt Carpenter as your autoscaler as opposed to the inbuilt Kubernetes autoscaler. Because this is instance-aware, essentially, so it can say, like, “Oh, your massive ARM application can run here,” because you know, thank you, Graviton. We have those processors in-house. And you know, you can run your ARM64 instances, you can run all the Intel workloads you want, and it'll right size the compute for your workloads.And I'll look at one container or all your containers, however you want to configure it. Secondly, the good folks over at Kubecost have opencost, which is the open-source version of Kubecost, basically. So, they have a service that you can run in your clusters that will help you say, “Hey, maybe this one notes too heavy; maybe this one notes too light,” and you know, give you some insights into Kubernetes spend that are a little bit more granular as far as usage and things like that go. So, those two projects right there, I feel like, will give folks an optimal savings experience when it comes to Kubernetes. But to your point, it's just compute, right? And that's really how we treat it, kind of, here internally is that it's a way to run… compute, Kubernetes, or ECS, or any of those tools.Corey: A fairly expensive one because ignoring entirely for a second the actual raw cost of compute, you also have the other side of it, which is in every environment, unless you are doing something very strange or pre-funding as a one-person startup in your spare time, your payroll costs will it—should—exceed your AWS bill by a fairly healthy amount. And engineering time is always more expensive than services time. So, for example, looking at EKS, I would absolutely recommend people use that rather than rolling their own because—Chris: Rolling their own? Yeah.Corey: —get out of that engineering space where your time is free. I assure you from a business context, it is not. So, there's always that question of what you can do to make things easier for people and do more of the heavy lifting.Chris: Yeah, and to your rather cheeky point that there's 17 ways to run a container on AWS, it is answering that question, right? Like those 17 ways, like, how much of this do you want to run yourself, you could run EKS distro on EC2 instances if you want full control over your environment.Corey: And then run IoT Greengrass core on top within that cluster—Chris: Right.Corey: So, I can run my own Lambda function runtime, so I'm not locked in. Also, DynamoDB local so I'm not locked into AWS. At which point I have gone so far around the bend, no one can help me.Chris: Well—Corey: Pro tip, don't do that. Just don't do that.Chris: But to your point, we have all these options for compute, and specifically containers because there's a lot of people that want to granularly say, “This is where my engineering team gets involved. Everything else you handle.” If I want EKS on Spot Instances only, you can do that. If you want EKS to use Carpenter and say only run ARM workloads, you can do that. If you want to say Fargate and not have anything to manage other than the container file, you can do that.It's how much does your team want to manage? That's the customer obsession part of AWS coming through when it comes to containers is because there's so many different ways to run those workloads, but there's so many different ways to make sure that your team is right-sized, based off the services you're using.Corey: I do want to change gears a bit here because you are mostly known for a couple of things: the DevOps'ish newsletter because that is the oldest and longest thing you've been doing the time that I've known you; EKS, obviously. But when prepping for this show, I discovered you are now co-chair of the OpenGitOps project.Chris: Yes.Corey: So, I have heard of GitOps in the context of, “Oh, it's just basically your CI/CD stuff is triggered by Git events and whatnot.” And I'm sitting here going, “Okay, so from where you're sitting, the two best user interfaces in the world that you have discovered are YAML and Git.” And I just have to start with the question, “Who hurt you?”Chris: [laugh]. Yeah, I share your sentiment when it comes to Git. Not so much with YAML, but I think it's because I'm so used to it. Maybe it's Stockholm Syndrome, maybe the whole YAML thing. I don't know.Corey: Well, it's no XML. We'll put it that way.Chris: Thankfully, yes because if it was, I would have way more, like, just template files laying around to build things. But the—Corey: And rage. Don't forget rage.Chris: And rage, yeah. So, GitOps is a little bit more than just Git in IaC—infrastructure as Code. It's more like Justin Garrison, who's also on my team, he calls it infrastructure software because there's four main principles to GitOps, and if you go to opengitops.dev, you can see them. It's version one.So, we put them on the website, right there on the page. You have to have a declared state and that state has to live somewhere. Now, it's called GitOps because Git is probably the most full-featured thing to put your state in, but you could use an S3 bucket and just version it, for example. And make it private so no one else can get to it.Corey: Or you could use local files: copy-of-copy-of-this-thing-restored-parentheses-use-this-one-dot-final-dot-doc-dot-zip. You know, my preferred naming convention.Chris: Ah, yeah. Wow. Okay. [laugh]. Yeah.Corey: Everything I touch is terrifying.Chris: Yes. Geez, I'm sorry. So first, it's declarative. You declare your state. You store it somewhere. It's versioned and immutable, like I said. And then pulled automatically—don't focus so much on pull—but basically, software agents are applying the desired state from source. So, what does that mean? When it's—you know, the fourth principle is implemented, continuously reconciled. That means those software agents that are checking your desired state are actually putting it back into the desired state if it's out of whack, right? So—Corey: You're talking about agents running it persistently on instances, validating—Chris: Yes.Corey: —a checkpoint on a cron. How is this meaningfully different than a Puppet agent running in years past? Having spent I learned to speak publicly by being a traveling trainer for Puppet; same type of model, and in fact, when I was at Pinterest, we wound up having a fair bit—like, that was their entire model, where they would have—the Puppet's code would live in an S3 bucket that was then copied down, I believe, via Git, and then applied to the instance on a schedule. Like, that sounds like this was sort of a early days GitOps.Chris: Yeah, exactly. Right? Like so it's, I like to think of that as a component of GitOps, right? DevOps, when you talk about DevOps in general, there's a lot of stuff out there. There's a lot of things labeled DevOps that maybe are, or maybe aren't sticking to some of those DevOps core things that make you great.Like the stuff that Nicole Forsgren writes about in books, you know? Accelerate is on my desk for a reason because there's things that good, well-managed DevOps practices do. I see GitOps as an actual implementation of DevOps in an open-source manner because all the tooling for GitOps these days is open-source and it all started as open-source. Now, you can get, like, Flux or Argo—Argo, specifically—there's managed services out there for it, you can have Flux and not maintain it, through an add-on, on EKS for example, and it will reconcile that state for you automatically. And the other thing I like to say about GitOps, specifically, is that it moves at the speed of the Kubernetes Audit Log.If you've ever looked at a Kubernetes audit log, you know it's rather noisy with all these groups and versions and kinds getting thrown out there. So, GitOps will say, “Oh, there's an event for said thing that I'm supposed to be watching. Do I need to change anything? Yes or no? Yes? Okay, go.”And the change gets applied, or, “Hey, there's a new Git thing. Pull it in. A change has happened inGit I need to update it.” You can set it to reconcile on events on time. It's like a cron or it's like an event-driven architecture, but it's combined.Corey: How does it survive the stake through the heart of configuration management? Because before I was doing all this, I wasn't even a T-shaped engineer: you're broad across a bunch of things, but deep in one or two areas, and one of mine was configuration management. I wrote part of SaltStack, once upon a time—Chris: Oh.Corey: —due to a bunch of very strange coincidences all hitting it once, like, I taught people how to use Puppet. But containers ultimately arose and the idea of immutable infrastructure became a thing. And these days when we were doing full-on serverless, well, great, I just wind up deploying a new code bundle to the Lambdas function that I wind up caring about, and that is a immutable version replacement. There is no drift because there is no way to log in and change those things other than through a clear deployment of this as the new version that goes out there. Where does GitOps fit into that imagined pattern?Chris: So, configuration management becomes part of your approval process, right? So, you now are generating an audit log, essentially, of all changes to your system through the approval process that you set up as part of your, how you get things into source and then promote that out to production. That's kind of the beauty of it, right? Like, that's why we suggest using Git because it has functions, like, requests and issues and things like that you can say, “Hey, yes, I approve this,” or, “Hey, no, I don't approve that. We need changes.” So, that's kind of natively happening with Git and, you know, GitLab, GitHub, whatever implementation of Git. There's always, kind of—Corey: Uh, JIF-ub is, I believe, the pronunciation.Chris: JIF-ub? Oh.Corey: Yeah. That's what I'm—Chris: Today, I learned. Okay.Corey: Exactly. And that's one of the things that I do for my lasttweetinaws.com Twitter client that I build—because I needed it, and if other people want to use it, that's great—that is now deployed to 20 different AWS commercial regions, simultaneously. And that is done via—because it turns out that that's a very long to execute for loop if you start down that path—Chris: Well, yeah.Corey: I wound up building out a GitHub Actions matrix—sorry a JIF-ub—actions matrix job that winds up instantiating 20 parallel builds of the CDK deploy that goes out to each region as expected. And because that gets really expensive with native GitHub Actions runners for, like, 36 cents per deploy, and I don't know how to test my own code, so every time I have a typo, that's another quarter in the jar. Cool, but that was annoying for me so I built my own custom runner system that uses Lambda functions as runners running containers pulled from ECR that, oh, it just runs in parallel, less than three minutes. Every time I commit something between I press the push button and it is out and running in the wild across all regions. Which is awesome and also terrifying because, as previously mentioned, I don't know how to test my code.Chris: Yeah. So, you don't know what you're deploying to 20 regions sometime, right?Corey: But it also means I have a pristine, re-composable build environment because I can—Chris: Right.Corey: Just automatically have that go out and the fact that I am making a—either merging a pull request or doing a direct push because I consider main to be my feature branch as whenever something hits that, all the automation kicks off. That was something that I found to be transformative as far as a way of thinking about this because I was very tired of having to tweak my local laptop environment to, “Oh, you didn't assume the proper role and everything failed again and you broke it. Good job.” It wound up being something where I could start developing on more and more disparate platforms. And it finally is what got me away from my old development model of everything I build is on an EC2 instance, and that means that my editor of choice was Vim. I use the VS Code now for these things, and I'm pretty happy with it.Chris: Yeah. So, you know, I'm glad you brought up CDK. CDK gives you a lot of the capabilities to implement GitOps in a way that you could say, like, “Hey, use CDK to declare I need four Amazon EKS clusters with this size, shape, and configuration. Go.” Or even further, connect to these EKS clusters to RDS instances and load balancers and everything else.But you put that state into Git and then you have something that deploys that automatically upon changes. That is infrastructure as code. Now, when you say, “Okay, main is your feature branch,” you know, things happen on main, if this were running in Kubernetes across a fleet of clusters or the globe-wide in 20 regions, something like Flux or Argo would kick in and say, “There's been a change to source, main, and we need to roll this out.” And it'll start applying those changes. Now, what do you get with GitOps that you don't get with your configuration?I mean, can you rollback if you ever have, like, a bad commit that's just awful? I mean, that's really part of the process with GitOps is to make sure that you can, A, roll back to the previous good state, B, roll forward to a known good state, or C, promote that state up through various environments. And then having that all done declaratively, automatically, and immutably, and versioned with an audit log, that I think is the real power of GitOps in the sense that, like, oh, so-and-so approve this change to security policy XYZ on this date at this time. And that to an auditor, you just hand them a log file on, like, “Here's everything we've ever done to our system. Done.” Right?Like, you could get to that state, if you want to, which I think is kind of the idea of DevOps, which says, “Take all these disparate tools and processes and procedures and culture changes”—culture being the hardest part to adopt in DevOps; GitOps kind of forces a culture change where, like, you can't do a CAB with GitOps. Like, those two things don't fly. You don't have a configuration management database unless you absolutely—Corey: Oh, you CAB now but they're all the comments of the pull request.Chris: Right. Exactly. Like, don't push this change out until Thursday after this other thing has happened, kind of thing. Yeah, like, that all happens in GitHub. But it's very democratizing in the sense that people don't have to waste time in an hour-long meeting to get their five minutes in, right?Corey: DoorDash had a problem. As their cloud-native environment scaled and developers delivered new features, their monitoring system kept breaking down. In an organization where data is used to make better decisions about technology and about the business, losing observability means the entire company loses their competitive edge. With Chronosphere, DoorDash is no longer losing visibility into their applications suite. The key? Chronosphere is an open-source compatible, scalable, and reliable observability solution that gives the observability lead at DoorDash business, confidence, and peace of mind. Read the full success story at snark.cloud/chronosphere. That's snark.cloud slash C-H-R-O-N-O-S-P-H-E-R-E.Corey: So, would it be overwhelmingly cynical to suggest that GitOps is the means to implement what we've all been pretending to have implemented for the last decade when giving talks at conferences?Chris: Ehh, I wouldn't go that far. I would say that GitOps is an excellent way to implement the things you've been talking about at all these conferences for all these years. But keep in mind, the technology has changed a lot in the, what 11, 12 years of the existence of DevOps, now. I mean, we've gone from, let's try to manage whole servers immutably to, “Oh, now we just need to maintain an orchestration platform and run containers.” That whole compute interface, you go from SSH to a Docker file, that's a big leap, right?Like, you don't have bespoke sysadmins; you have, like, a platform team. You don't have DevOps engineers; they're part of that platform team, or DevOps teams, right? Like, which was kind of antithetical to the whole idea of DevOps to have a DevOps team. You know, everybody's kind of in the same boat now, where we see skill sets kind of changing. And GitOps and Kubernetes-land is, like, a platform team that manages the cluster, and its state, and health and, you know, production essentially.And then you have your developers deploying what they want to deploy in when whatever namespace they've been given access to and whatever rights they have. So, now you have the potential for one set of people—the platform team—to use one set of GitOps tooling, and your applications teams might not like that, and that's fine. They can have their own namespaces with their own tooling in it. Like, Argo, for example, is preferred by a lot of developers because it has a nice UI with green and red dots and they can show people and it looks nice, Flux, it's command line based. And there are some projects out there that kind of take the UI of Argo and try to run Flux underneath that, and those are cool kind of projects, I think, in my mind, but in general, right, I think GitOps gives you the choice that we missed somewhat in DevOps implementations of the past because it was, “Oh, we need to go get cloud.” “Well, you can only use this cloud.” “Oh, we need to go get this thing.” “Well, you can only use this thing in-house.”And you know, there's a lot of restrictions sometimes placed on what you can use in your environment. Well, if your environment is Kubernetes, how do you restrict what you can run, right? Like you can't have an easily configured say, no open-source policy if you're running Kubernetes. [laugh] so it becomes, you know—Corey: Well, that doesn't stop some companies from trying.Chris: Yeah, that's true. But the idea of, like, enabling your developers to deploy at will and then promote their changes as they see fit is really the dream of DevOps, right? Like, same with production and platform teams, right? I want to push my changes out to a larger system that is across the globe. How do I do that? How do I manage that? How do I make sure everything's consistent?GitOps gives you those ways, with Kubernetes native things like customizations, to make consistent environments that are robust and actually going to be reconciled automatically if someone breaks the glass and says, “Oh, I need to run this container immediately.” Well, that's going to create problems because it's deviated from state and it's just that one region, so we'll put it back into state.Corey: It'll be dueling banjos, at some point. You'll try and doing something manually, it gets reverted automatically. I love that pattern. You'll get bored before the computer does, always.Chris: Yeah. And GitOps is very new, right? When you think about the lifetime of GitOps, I think it was coined in, like, 2018. So, it's only four years old, right? When—Corey: I prefer it to ChatOps, at least, as far as—Chris: Well, I mean—Corey: —implementation and expression of the thing.Chris: —ChatOps was a way to do DevOps. I think GitOps—Corey: Well, ChatOps is also a way to wind up giving whoever gets access to your Slack workspace root in production.Chris: Mmm.Corey: But that's neither here nor there.Chris: Mm-hm.Corey: It's yeah, we all like to pretend that's not a giant security issue in our industry, but that's a topic for another time.Chris: Yeah. And that's why, like, GitOps also depends upon you having good security, you know, and good authorization and approval processes. It enforces that upon—Corey: Yeah, who doesn't have one of those?Chris: Yeah. If it's a sole operation kind of deal, like in your setup, your case, I think you kind of got it doing right, right? Like, as far as GitOps goes—Corey: Oh, to be clear, we are 11 people and we do have dueling pull requests and all the rest.Chris: Right, right, right.Corey: But most of the stuff I talk about publicly is not our production stuff, so it really is just me. Just as a point of clarity there. I've n—the 11 people here do not all—the rest of you don't just sit there and clap as I do all the work.Chris: Right.Corey: Most days.Chris: No, I'm sure they don't. I'm almost certain they don't clap… for you. I mean, they would—Corey: No. No, they try and talk me out of it in almost every case.Chris: Yeah, exactly. So, the setup that you, Corey Quinn, have implemented to deploy these 20 regions is kind of very GitOps-y, in the sense that when main changes, it gets updated. Where it's not GitOps-y is what if the endpoint changes? Does it get reconciled? That's the piece you're probably missing is that continuous reconciliation component, where it's constantly checking and saying, “This thing out there is deployed in the way I want it. You know, the way I declared it to be in my source of truth.”Corey: Yeah, when you start having other people getting involved, there can—yeah, that's where regressions enter. And it's like, “Well, I know where things are so why would I change the endpoint?” Yeah, it turns out, not everyone has the state of the entire application in their head. Ideally it should live in—Chris: Yeah. Right. And, you know—Corey: —you know, Git or S3.Chris: —when I—yeah, exactly. When I think about interactions of the past coming out as a new DevOps engineer to work with developers, it's always been, will developers have access to prod or they don't? And if you're in that environment with—you're trying to run a multi-billion dollar operation, and your devs have direct—or one Dev has direct access to prod because prod is in his brain, that's where it's like, well, now wait a minute. Prod doesn't have to be only in your brain. You can put that in the codebase and now we know what is in your brain, right?Like, you can almost do—if you document your code, well, you can have your full lifecycle right there in one place, including documentation, which I think is the best part, too. So, you know, it encourages approval processes and automation over this one person has an entire state of the system in their head; they have to go in and fix it. And what if they're not on call, or in Jamaica, or on a cruise ship somewhere kind of thing? Things get difficult. Like, for example, I just got back from vacation. We were so far off the grid, we had satellite internet. And let me tell you, it was hard to write an email newsletter where I usually open 50 to 100 tabs.Corey: There's a little bit of internet out Californ-ie way.Chris: [laugh].Corey: Yeah it's… it's always weird going from, like, especially after pandemic; I have gigabit symmetric here and going even to re:Invent where I'm trying to upload a bunch of video and whatnot.Chris: Yeah. Oh wow.Corey: And the conference WiFi was doing its thing, and well, Verizon 5G was there but spotty. And well, yeah. Usual stuff.Chris: Yeah. It's amazing to me how connectivity has become so ubiquitous.Corey: To the point where when it's not there anymore, it's what do I do with myself? Same story about people pushing back against remote development of, “Oh, I'm just going to do it all on my laptop because what happens if I'm on a plane?” It's, yeah, the year before the pandemic, I flew 140,000 miles domestically and I was almost never hamstrung by my ability to do work. And my only local computer is an iPad for those things. So, it turns out that is less of a real world concern for most folks.Chris: Yeah I actually ordered the components to upgrade an old Nook that I have here and turn it into my, like, this is my remote code server, that's going to be all attached to GitHub and everything else. That's where I want to be: have Tailscale and just VPN into this box.Corey: Tailscale is transformative.Chris: Yes. Tailscale will change your life. That's just my personal opinion.Corey: Yep.Chris: That's not an AWS opinion or anything. But yeah, when you start thinking about your network as it could be anywhere, that's where Tailscale, like, really shines. So—Corey: Tailscale makes the internet work like we all wanted to believe that it worked.Chris: Yeah. And Wireguard is an excellent open-source project. And Tailscale consumes that and puts an amazingly easy-to-use UI, and troubleshooting tools, and routing, and all kinds of forwarding capabilities, and makes it kind of easy, which is really, really, really kind of awesome. And Tailscale and Kubernetes—Corey: Yeah, ‘network' and ‘easy' don't belong in the same sentence, but in this case, they do.Chris: Yeah. And trust me, the Kubernetes story in Tailscale, there is a lot of there. I understand you might want to not open ports in your VPC, maybe, but if you use Tailscale, that node is just another thing on your network. You can connect to that and see what's going on. Your management cluster is just another thing on the network where you can watch the state.But it's all—you're connected to it continuously through Tailscale. Or, you know, it's a much lighter weight, kind of meshy VPN, I would say, if I had to sum it up in one sentence. That was not on our agenda to talk about at all. Anyways. [laugh]Corey: No, no. I love how many different topics we talk about on these things. We'll have to have you back soon to talk again. I really want to thank you for being so generous with your time. If people want to learn more about what you're up to and how you view these things, where can they find you?Chris: Go to ChrisShort.net. So, Chris Short—I'm six-four so remember, it's Short—dot net, and you will find all the places that I write, you can go to devopsish.com to subscribe to my newsletter, which goes out every week. This year. Next year, there'll be breaks. And then finally, if you want to follow me on Twitter, Chris Short: at @ChrisShort on Twitter. All one word so you see two s's. Like, it's okay, there's two s's there.Corey: Links to all of that will of course be in the show notes. It's easier for people to do the clicky-clicky thing as a general rule.Chris: Clicky things are easier than the wordy things, yes.Corey: Says the Kubernetes guy.Chris: Yeah. Says the Kubernetes guy. Yeah, you like that, huh? Like I said, Argo gives you a UI. [laugh].Corey: Thank you [laugh] so much for your time. I really do appreciate it.Chris: Thank you. This has been fun. If folks have questions, feel free to reach out. Like, I am not one of those people that hides behind a screen all day and doesn't respond. I will respond to you eventually.Corey: I'm right here, Chris. Come on, come on. You're calling me out in front of myself. My God.Chris: Egh. It might take a day or two, but I will respond. I promise.Corey: Thanks again for your time. This has been Chris Short, senior developer advocate at AWS. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice and if it's YouTube, click the thumbs-up button. Whereas if you've hated this podcast, same thing, smash the buttons five-star review and leave an insulting comment that is written in syntactically correct YAML because it's just so easy to do.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.