Podcasts about SSO

  • 254 podcasts
  • 452 episodes
  • 36m average duration
  • 5 new episodes weekly
  • Latest episode: Nov 30, 2022

Popularity (chart, 2015 to 2022)

Latest podcast episodes about SSO

SurgOnc Today
Is ctDNA Ready for Prime Time?
Nov 30, 2022 · 28:18


On SurgOnc Today®, Patrick S. Sullivan, MD, Maria Diab, MD, and Nader Hanna, MD, discuss the use of liquid biopsy, or ctDNA, to identify molecular disease prior to clinically detectable disease. Molecular detection of ctDNA can be used to detect minimal residual disease (MRD), which is residual cancer cells detected only by molecular techniques but not by conventional testing. Molecular testing of ctDNA can also be used to detect molecular relapse. This allows the molecular detection of occult disease during adjuvant therapy or during surveillance. This information can be prognostic and help identify patients with increased risk of recurrent disease who may benefit from adjuvant therapy and targeted chemotherapy. It can also be used as a predictor for adjuvant chemotherapy. In addition, it can be used for de-escalation of chemotherapy by identifying patients who would not gain the benefit of chemotherapy. There are two approaches for detecting MRD. One is tumor-agnostic and the second is tumor-informed. The tumor-informed approach has higher sensitivity, identifying mutations in the tumor tissue and tracking these mutations in the plasma.

SBS Italian - SBS in Italiano
A stellar 2023 for the Sydney Symphony Orchestra
Nov 5, 2022 · 12:57


Simone Young, one of the best conductors in the world, presents the very rich SSO program for 2023.

Hacker Public Radio
HPR3718: Making Ansible playbooks to configure Single Sign On for popular open source applications
Nov 2, 2022


This is a recording of a short introduction to my latest project. To help sysadmins everywhere, the Onestein organization (an organization specialized in Odoo implementations) invested 4 months of research to create a set of easy-to-use Ansible playbooks that configure single sign-on (SSO) for popular open source applications, so that they authenticate to a Keycloak server as the central identity provider. These playbooks have been published on https://github.com/onesteinbv/project_single_sign_on.

The list of supported applications is currently:
  • Bitwarden
  • Jenkins
  • Gitlab
  • Keycloak (not SSO, but the identity provider)
  • Nextcloud
  • Odoo
  • Xwiki
  • Zabbix

All playbooks and servers are for Ubuntu servers and are meant to be used as a starting point.

5-minute YouTube talk at the 2022 Nextcloud conference about this project: https://www.youtube.com/watch?v=pDPKzo8Bi10

Cloud Posse DevOps "Office Hours" Podcast
Cloud Posse DevOps "Office Hours" (2022-10-26)
Oct 26, 2022 · 59:36


Cloud Posse holds public "Office Hours" every Wednesday at 11:30am PST to answer questions on all things related to DevOps, Terraform, Kubernetes, CICD. Basically, it's like an interactive "Lunch & Learn" session where we get together for about an hour and talk shop. These are totally free and just an opportunity to ask us (or our community of experts) any questions you may have.

  • You can register here: https://cloudposse.com/office-hours
  • Join the conversation: https://slack.cloudposse.com/
  • Find out how we can help your company: https://cloudposse.com/quiz and https://cloudposse.com/accelerate/
  • Learn more about Cloud Posse: https://cloudposse.com, https://github.com/cloudposse, https://sweetops.com/, https://newsletter.cloudposse.com, https://podcast.cloudposse.com/

Timestamps:
  • [00:00:00] Intro
  • [00:01:29] Spacelift Neutral Status Checks! https://github.com/cloudposse/infra-live/pull/184
  • [00:03:35] AWS Organizations now manages primary contact information for all accounts: https://aws.amazon.com/about-aws/whats-new/2022/10/aws-organizations-console-centrally-manage-primary-contact-information-aws-accounts/
  • [00:04:26] AWS Batch now supports EKS: https://aws.amazon.com/about-aws/whats-new/2022/10/aws-batch-supports-amazon-eks/
  • [00:05:38] Terraform: why data sources and filters are preferable over remote state: https://devopsian.net/posts/terraform-data-sources-over-remote-state/
  • [00:09:42] Advanced Terraform Manipulations: Filtering, Grouping, Transformations: https://brendanthompson.com/posts/2022/10/terraform-for-expression
  • [00:14:07] How are people enforcing MFA in AWS [with IAM users and not SSO]?
  • [00:16:40] Any atmos questions from last week's demo?
  • [00:18:43] Home Automation
  • [00:34:54] How does someone get good at IAM?
  • [00:58:58] Outro

#officehours #cloudposse #sweetops #devops #sre #terraform #kubernetes #aws

Salesforce Way
97. SSO in Salesforce | Lawrence Newcombe
Oct 26, 2022


Lawrence Newcombe, who joins to talk about SSO in Salesforce, is the Lead Technical Architect at Giveclarity.org and a Salesforce CTA.

Main points:
  • What is SSO
  • The role of Salesforce in SSO
  • The Salesforce certificate that covers the SSO topic
  • Lawrence's blog to share his Salesforce knowledge
  • SAML SSO
  • OpenID SSO
  • Debug SSO

Links:
  • Lawrence's LinkedIn
  • Lawrence's Twitter
  • Lawrence's blog
  • Blog: Service Provider initiated SSO
  • Blog: OpenID Connect
  • Video Teaser: The YouTube Video URL

Astro arXiv | all categories
The Colibri Telescope Array for KBO Detection through Serendipitous Stellar Occultations: a Technical Description
Oct 12, 2022 · 0:51


The Colibri Telescope Array for KBO Detection through Serendipitous Stellar Occultations: a Technical Description, by M. J. Mazur et al., Wednesday 12 October. We present the technical design, construction and testing of the Colibri telescope array at Elginfield Observatory near London, Ontario, Canada. Three 50-cm telescopes are arranged in a triangular array and are separated by 110-160 metres. During operation, they will monitor field stars at the intersections of the ecliptic and galactic plane for serendipitous stellar occultations (SSOs) by trans-Neptunian objects (TNOs). At a frame rate of 40 frames per second (fps), Fresnel diffraction in the occultation light curve can be resolved and, with coincident detections, be used to estimate basic properties of the occulting object. Using off-the-shelf components, the Colibri system streams imagery to disk at a rate of 1.5 GB/s for next-day processing by a custom occultation detection pipeline. The imaging system has been tested and is found to perform well, given the moderate site conditions. Limiting magnitudes at 40 fps are found to be about 12.1 (temporal SNR=5, visible light Gaia G band) with time-series standard deviations ranging from about 0.035 mag to >0.2 mag. SNR is observed to decrease linearly with magnitude for stars fainter than about G = 9.5 mag. Brighter than this limit, SNR is constant, suggesting that atmospheric scintillation is the dominant noise source. Astrometric solutions show errors typically less than approximately 0.3 pixels (0.8 arc seconds) without a need for high-order corrections. arXiv: http://arxiv.org/abs/2210.05808v1

CISO Tradecraft
#98 - Outrunning the Bear
Oct 3, 2022 · 33:12


Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today we are going to discuss how nation state conflict and sponsored cyberattacks can affect us as non-combatants, and what we should be doing about it. Even if you don't have operations in a war zone, remember cyber has a global reach, so don't think that just because you may be half a world away from the battlefield that someone is not going to reach out and touch you in a bad way. So, listen for what I think will be a fascinating episode, and please do us a small favor and give us a "like" or a 5-star review on your favorite podcast platform -- those ratings really help us reach our peers. It only takes a click -- thank you for helping out our security leadership community.

I'm not going to get into any geopolitics here; I'm going to try to ensure that this episode remains useful for quite some time. However, since the conflict in Ukraine has been ongoing for over two hundred days, I will draw examples from that.

The ancient Chinese military strategist Sun Tzu wrote: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." That's a little more detailed than the classic Greek aphorism, "know thyself," but the intent is the same even today. Let me add one more quote and we'll get into the material. Over 20 years ago, when he was Secretary of Defense, Donald Rumsfeld said: "As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones."

So, knowledge seems extremely important throughout the ages. Modern governments know that, and as a result all have their own intelligence agencies. Let's look at an example. If we go to the CIA's website, we will see the fourfold mission of the Central Intelligence Agency:
  • Collecting foreign intelligence that matters
  • Producing objective all-source analysis
  • Conducting effective covert action as directed by the President
  • Safeguarding the secrets that help keep our nation safe

Why do we mention this? Most governments around the world have similar nation state objectives and mission statements. Additionally, it's particularly important to understand what is wanted by "state actors" (note, I'll use that term for government and contract intelligence agents). What are typical goals for state actors? Let's look at a couple.

Goal 1: Steal targeting data to enable future operations. Data such as cell phone records, banking statements or emails allow countries to better target individuals and companies when they know that identifying information. Additionally, targeting data allows nation state organizations to understand how individuals are connected. This can be key when we are looking for key influencers for targets of interest. All targeting data should not be considered equal. Generally, banking and telecom data are considered the best for collecting, so be mindful if that is the type of company that you protect. State actors target these organizations because of two factors:
  • The importance of the data is the first factor. If one party sends a second party an email, that means there is a basic level of connection. However, it's not automatically a strong connection, since we all receive emails from spammers. If one party calls someone and talks for 10 minutes to them on a phone call, that generally means a closer connection than an email. Finally, if one party sends money to another party, that either means a really strong connection exists, or someone just got scammed.
  • The accuracy of the data is the second factor. Many folks sign up for social media accounts with throwaway credentials (i.e., fake names and phone numbers). Others use temporary emails to attend conferences, so they don't get marketing spam when they get home. However, because of Anti-Money Laundering (or AML) laws, people generally provide legitimate data to financial services firms. If they don't, then they risk not being able to take the money out of a bank -- which would be a big problem.

Goal 2: A second goal, in addition to collecting targeting data, is that state actors are interested in collecting foreign intelligence. Foreign intelligence which drives policy-making decisions is very impactful. Remember, stealing secrets that no one cares about is generally just a waste of government tax dollars. If governments collect foreign intelligence on sanctioned activity, then they can inform policy makers on the effectiveness of current sanctions, which is highly useful. By reporting sanctioned activity, the government can know when current sanctions are being violated and when to update current sanctions. This can result in enabling new intelligence collection objectives. Examples of this include:
  • A country may sanction a foreign air carrier that changes ownership or goes out of business. In that case, sanctions may be added against different airlines. This occurred when the US sanctioned Mahan Air, an Iranian airline. Currently the US enforces sanctions on more than half of Iran's civilian airlines.
  • A country may place sanctions on a foreign bank to limit its ability to trade in certain countries or currencies. However, if sanctioned banks circumvent controls by trading with smaller banks which are not sanctioned, then current sanctions are likely ineffective. Examples of sanctioning bank activity by the US against Russia during the current war with Ukraine include:
      • On February 27th, sanctions were placed against Russian banks using the SWIFT international payment systems.
      • On February 28th, the Russian Central Bank was sanctioned.
      • On March 24th, the CEO of the Russian bank Sberbank was sanctioned.
      • On April 5th, the US IRS suspended information exchanges with the Russian tax authorities to hamper Moscow's ability to collect taxes.
      • On April 6th, the US sanctioned additional Russian banks.
    These sanctions didn't just start with the onset of hostilities on 24 February 2022. They date back to Russia's invasion of Crimea. It's just that the US has turned up the volume this time.
  • If sanctions are placed against a country's nuclear energy practices, then knowing what companies are selling or trading goods into the sanctioned country becomes important. Collecting information from transportation companies that identify goods being imported and exported into the country can also identify sanction effectiveness.

Goal 3: A third goal or activity taken by state actors is covert action. Covert action is generally intended to cause harm to another state without attribution. However, anonymity is often hard to maintain. If we look at Russia in its previous history with Ukraine, we have seen the use of cyber attacks as a form of covert action. The devastating NotPetya malware (which has been generally accredited to Russia) was launched as a supply chain attack. Russian agents compromised the software update mechanism of Ukrainian accounting software M.E. Doc, which was used by nearly 400,000 clients to manage financial documents and file tax returns. This update did much more than the intended choking off of Ukrainian government tax revenue -- Maersk shipping estimates a loss of $300 million, FedEx around $400 million. The total global damage to companies is estimated at around $10 billion. The use of cyberattacks hasn't been limited to just Russia. Another example is Stuxnet. This covert action attack against Iranian nuclear facilities that destroyed nearly one thousand centrifuges is generally attributed to the U.S. and Israel.

Changing topics a little bit, we can think of the story of two people encountering a bear. Two friends are in the woods, having a picnic. They spot a bear running at them. One friend gets up and starts running away from the bear. The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching. "Are you crazy?" the first friend shouts, looking over his shoulder as the bear closes in on his friend. "You can't outrun a bear!" "I don't have to outrun the bear," said the second friend. "I only have to outrun you."

So how can we physically outrun the Cyber Bear? We need to anticipate where the Bear is likely to be encountered. Just as national park signs warn tourists of animals, there's intelligence information that can inform the general public. If you are looking for physical safety intelligence you might consider:
  • The US Department of State Bureau of Consular Affairs. The State Department hosts a travel advisory list. This list allows anyone to know if a country has issues such as Covid outbreaks, civil unrest, kidnappings, violent crime, and other issues that would complicate having an office for most businesses.
  • Another example is the CIA World Factbook. The World Factbook provides basic intelligence on the history, people, government, economy, energy, geography, environment, communications, transportation, military, terrorism, and transnational issues for 266 world entities.
  • Additionally, you might also consider data sources from the World Health Organization and The World Bank.

If we believe that one of our remote offices is now at risk, then we need to establish a good communications plan. Good communications plans generally require at least four forms of communication. The acronym PACE, or Primary, Alternate, Contingency, and Emergency, is often used:
  • Primary communication: We will first try to email folks in the office.
  • Alternate communication: If we are unable to communicate via email, then we will try calling their work phones.
  • Contingency communication: If we are unable to reach individuals via their work phones, then we will send a text message to their personal cell phones.
  • Emergency communication: If we are unable to reach them by texting their personal devices, then we will send an email to their personal emails and next of kin.

Additionally, we might purchase satellite phones for a country manager. Satellite phones can generally be purchased for under $1,000 and can be used with commercial satellite service providers such as Inmarsat, Globalstar, and Thuraya. One popular plan is Inmarsat's BGAN. BGAN can usually be obtained from resellers for about $100 per month, with text messaging costing about fifty cents each and calls costing about $1.50 per minute. This usually translates to a yearly cost of $1,500-2K per device. Is $2K worth the price of communicating to save lives in a high-risk country during high political turmoil? Let your company decide. Note a great time to bring this up may be during use-or-lose money discussions at the end of the year.

We should also consider preparing egress locations. For example, before a fire drill most companies plan a meetup location outside of their building so they can perform a headcount. This location, such as a vacant parking lot across the street, allows teams to identify missing personnel, which can later be communicated to emergency personnel. If your company has offices in thirty-five countries, you should think about the same thing, but not assembling across the street but across the border. Have you identified an egress office for each overseas country? If you had operations in Ukraine, then you might have chosen a neighboring country such as Poland, Romania, or Hungary to facilitate departures. When things started going bad, that office could begin creating support networks to find local housing for your corporate refugees. Additionally, finding job opportunities for family members can also be extremely helpful when language is a barrier in new countries.

If we anticipate the Bear is going to attack our company digitally, then we should also look for the warning signs. Good examples of this include following threat intelligence information from:
  • Your local ISAC organization. ISACs, or Information Sharing Analysis Centers, are great communities where you can see if your vertical sector is coming under attack and share your experiences/threats. The National Council of ISACs lists twenty-five different members across a wide range of industries. An example is the Financial Services ISAC, or FS-ISAC, which has a daily and weekly feed where subscribers can find situational reports on cyber threats from state actors and criminal groups.
  • InfraGard™ is a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of US Critical Infrastructure. Note you generally need to be a US citizen without a criminal history to join.
  • AlienVault offers a Threat Intelligence Community called Open Threat Exchange which grants users free access to over nineteen million threat indicators. Note AlienVault currently hosts over 100,000 global participants, so it's a great place to connect with fellow professionals.
  • The Cybersecurity & Infrastructure Security Agency, or CISA, also routinely issues cybersecurity advisories to stop harmful malware, ransomware, and nation state attacks. Helpful pages on their website include the following:
      • Shields Up, which provides updates on cyber threats, guidance for organizations, recommendations for corporate leaders and CEOs, ransomware responses, free tooling, and steps that you can take to protect your families. There's even a Shields Technical Guidance page with more detailed recommendations.
      • CISA routinely puts out Alerts which identify threat actor tactics and techniques. For example, Alert AA22-011A identifies how to understand and mitigate Russian State Sponsored Cyber Threats to US Critical Infrastructure. This alert tells you what CVEs the Russian government is using as well as the documented TTPs which map to the MITRE ATT&CK™ Framework. Note if you want to see more on MITRE ATT&CK mapped to various intrusion groups, we recommend going to attack.mitre.org/groups.
      • CISA also has notifications that organizations can sign up for to receive timely information on security issues, vulnerabilities, and high impact activity.
      • Another page to note on CISA's website is US-CERT. Here you can report cyber incidents, report phishing, report malware, report vulnerabilities, share indicators, or contact US-CERT. One helpful page to consider is the Cyber Resilience Review Assessment. Most organizations have an IT control to conduct yearly risk assessments, and this can help identify weaknesses in your controls.

Now that we have seen a bear in the woods, what can we do to put running shoes on to run faster than our peers? If we look at the CISA Shields Technical Guidance page we can find Shields Up recommendations such as remediating vulnerabilities, enforcing MFA, running antivirus, enabling strong spam filters to prevent phishing attacks, disabling ports and protocols that are not essential, and strengthening controls for cloud services. Let's look at this in more detail to properly fasten our running shoes.

Remediating vulnerabilities: If we are going to remediate vulnerabilities, let's focus on the highest priority. I would argue those are high/critical vulnerabilities with known exploits being used in the wild. You can go to CISA's Known Exploited Vulnerabilities Catalog page for a detailed list. Each time a new vulnerability gets added, run a vulnerability scan on your environment to prioritize patching.

Multi-factor authentication (MFA): Next is Multi Factor Authentication (MFA). Routinely we see organizations require MFA access to websites and use Single Sign On. This is great -- please don't stop doing this. However, we would also recommend MFA enhancements in two ways. One, are you using MFA on RDP/SSH logins by administrators? If not, then please enable it immediately. You never know when one developer will get phished and the attacker can pull his SSH keys. Having MFA means even when those keys are lost, bad actor propagation can be minimized. Another enhancement is to increase the security within your MFA functionality. For example, if you use Microsoft Authenticator today, try changing from a 6-digit rotating PIN to using security features such as number matching that displays the location of their IP address. You can also look at GPS conditional policies to block all access from countries in which you don't have a presence.

Running antivirus: Running antivirus is another important safeguard. Here's the kicker -- do you actually know what percentage of your endpoints are running AV and EDR agents? Do you have coverage on both your Windows and Linux server environments? Of the agents running, what portion have signature updates that are not current? How about more than 30 days old? We find a lot of companies just check the box saying they have antivirus, but if you look behind the scenes you can see that antivirus isn't as effective as you think when it's turned off or outdated.

Enabling strong spam filters: Enabling strong spam filters is another forgotten exercise. Yes, companies buy solutions like Proofpoint to secure email, but there's more that can be done. One example is implementing DMARC to properly authenticate and block spoofed emails. It's the standard now and prevents brand impersonation. Also please consider restricting email domains. You can do this at the very top. Today, the vast majority of legitimate correspondents still utilize one of the original seven top-level domains: .com, .org, .net, .edu, .mil, .gov, and .int, as well as two-letter country code top-level domains (called ccTLDs). However, you should look carefully at your business correspondence to determine if communicating with all 1,487 top-level domains is really necessary. Let's say your business is located entirely in the UK. Do you really want to allow emails from country codes such as .RU, .CN, and others? Do you do business with .hair, or .lifestyle, or .xxx? If you don't have a business reason for conducting commerce with these TLDs, block them and minimize both spam and harmful attacks. It won't stop bad actors from using Gmail to send phishing attacks, but you might be surprised at just how much restricting TLDs in your email can help. Note that you have to be careful not to create a self-inflicted denial of service, so make sure that emails from suspect TLDs get evaluated before deletion.

Disabling ports and protocols: Disabling ports and protocols is key since you don't want bad actors having easy targets. One thing to consider is using Amazon Inspector. Amazon Inspector has rules in the network reachability package to analyze your network configurations to find security vulnerabilities in your EC2 instances. This can highlight and provide guidance about restricting access that is not secure, such as network configurations that allow for potentially malicious access such as mismanaged security groups, Access Control Lists, Internet Gateways, etc.

Strengthening cloud security: We won't go into this topic too much, as you could spend a whole talk on strengthening cloud security. Companies should consider purchasing a cloud security solution like Wiz, Orca, or Prisma for help in this regard. One tip we don't see often is using geo-fencing and IP allow-lists. For example, one new feature that AWS recently created is to enable Web Application Firewall protections for Amazon Cognito. This makes it easier to protect user pools and hosted UIs from common web exploits.

Once we notice there's likely been a bear attack on our peers or our infrastructure, we should report it. This can be done by reporting incidents to local governments such as CISA or a local FBI field office, paid sharing organizations such as an ISAC, or free communities such as AlienVault OTX.

Let's walk through a notional example of what we might encounter as collateral damage in a cyberwar. However, to keep this out of current geopolitics, we'll use the fictitious countries Blue and Orange.

Imagine that you work at the Acme Widget Corporation, which is a Fortune 500 company with a global presence. Because Acme manufactures large scale widgets in their factory in the nation of Orange, they are also sold to the local Orange economy. Unfortunately for Acme, Orange has just invaded their neighboring country Blue. Given that Orange is viewed as the aggressor, various countries have imposed sanctions against Orange. Not wanting to attract the attention of the Orange military or the U.S. Treasury department, your company produces an idea that might just be crazy enough to work. Your company is going to form a new company within Orange that is not affiliated with the parent company for the entirety of the war. This means that the parent company won't provide services to the Orange company. Additionally, since there is no affiliation between the companies, the legal department advises that there will not be sanction evasion activity which could put the company at risk. There's just one problem. Your company has to evict the newly created Orange company (Acme Orange LLC) from its network and ensure it has the critical IT services to enable its success.

So where do we start? Let's consider a few things. First, what is the lifeblood of a company? Every company really needs laptops and collaboration software like Office 365 or GSuite. So, if we have five hundred people in the new Acme Orange company, that's five hundred new laptops and a new server that will host Microsoft Exchange, a NAS drive, and other critical Microsoft on-premises services.

Active Directory: Once you obtain the server, you realize a few things. Previous Acme admin credentials were used to troubleshoot desktops in the Orange environment. Since exposed passwords are always a bad thing, you get your first incident: refresh all passwords that may have been exposed. Also, you ensure a new Active Directory server is created for your Orange environment. This should leverage best practices such as MFA, since Orange companies will likely come under attack.

Let's talk about other things that companies need to survive:
  • Customer relations management (CRM) services like Salesforce
  • Accounting and bookkeeping applications such as QuickBooks
  • Payment software such as PayPal or Stripe
  • File storage such as Google Drive or Dropbox
  • Video conferencing like Zoom
  • Customer service software like Zendesk
  • Contract management software like DocuSign
  • HR software like Bamboo or My Workday
  • Antivirus & EDR software

Standing up a new company's IT infrastructure in a month is never a trivial task. However, if ACME Orange is able to survive for 2-3 years, it can then return to the parent company after the sanctions are lifted.

Let's look at some discussion topics:
  • What IT services will be the hardest to transfer?
  • Can new IT equipment for Acme Orange be procured in a month during a time of conflict?
  • Which services are likely to only have a SaaS offering and not enable on-premises during times of conflict?
  • Could your company actually close a procurement request in a one-month timeline?

If we believe we can transfer IT services and get the office up and running, we might look at our cyber team's role in providing recommendations to a new office that will be able to survive a time of turmoil:
  • All laptops shall have antivirus and EDR enabled from Microsoft.
  • Since the Acme Orange office is isolated from the rest of the world, all firewalls will block IP traffic not originating from Orange.
  • SSO and MFA will be required on all logins.
  • Backups will be routinely required.

Note if you are really looking for effective strategies to mitigate cyber security incidents, we highly recommend the Australian Essential Eight. We have a link in our show notes if you want more details.

Additionally, the ACME Orange IT department will need to create its own Incident Response Plan (IRP). One really good guide for building Cyber Incident Response Playbooks comes from the American Public Power Association. (I'll put the link in our show notes.) The IRP recommends creating incident templates that can be used for common attacks such as:
  • Denial of Service (DoS)
  • Malware
  • Web Application Attack (SQL Injection, XSS, Directory Traversal, …)
  • Cyber-Physical Attack
  • Phishing
  • Man in the middle attack
  • Zero Day Exploit

This Incident Response Template can identify helpful information such as:
  • Detection: Record how the attack was identified.
  • Reporting: Provide a list of POCs and contact information for the IT help desk to contact during an event.
  • Triage: List the activities that need to be performed during Incident Response. Typically, teams follow the PICERL model (Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned).
  • Classification: Depending on the severity level of the event, identify additional actions that need to occur.
  • Communications: Identify how to notify local law enforcement, regulatory agencies, and insurance carriers during material cyber incidents. Additionally, describe the process for how communications will be relayed to customers, employees, media, and state/local leaders.

As you can see, there is much that would have to be done in response to a nation state aggression or regional conflict that would likely fall in your lap. If you didn't think about it before, you now have plenty of material to work with. Figure out your own unique requirements, do some tabletop exercises where you identify your most relevant Orange and Blue future conflict, and practice, practice, practice. We learned from COVID that companies that were well prepared with a disaster response plan rebranded as a pandemic response plan fared much better in the early weeks of the 2020 lockdown. I know my office transitioned to remote work for over sixty consecutive weeks without any serious IT issues because we had a written plan and had practiced it. Here's another one for you to add to your arsenal. Take the time and be prepared -- you'll be a hero "when the bubble goes up." (There -- you've learned an obscure term that is nearly absent from a Google search but well-known in the Navy and the Marine Corps.)

Okay, that's it for today's episode on Outrunning the Bear. Let's recap:
  • Know yourself
  • Know what foreign adversaries want
  • Know what information, processes, or people you need to protect
  • Know the goals of state actors: steal targeting data, collect foreign intelligence, covert action
  • Know how to establish a good communications plan (PACE): Primary, Alternate, Contingency, Emergency
  • Know how to get out of Dodge
  • Know where to find private and government threat intelligence
  • Know your quick wins for protection: remediate vulnerabilities, implement MFA everywhere, run current antivirus, enable strong spam filters, restrict top level domains, disable vulnerable or unused ports and protocols, strengthen cloud security
  • Know how to partition your business logically to isolate your IT environments in the event of a sudden requirement

Thanks again for listening to CISO Tradecraft. Please remember to like us on your favorite podcast provider and tell your peers about us. Don't forget to follow us on LinkedIn too -- you can find our regular stream of low-noise, high-value postings. This is your host G. Mark Hardy, and until next time, stay safe.

References:
  • https://www.goodreads.com/quotes/17976-if-you-know-the-enemy-and-know-yourself-you-need
  • https://en.wikipedia.org/wiki/There_are_known_knowns
  • https://www.cia.gov/about/mission-vision/
  • https://www.cybersecurity-insiders.com/ukraines-accounting-software-firm-refuses-to-take-cyber-attack-blame/
  • https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
  • https://www.nationalisacs.org/member-isacs-3
  • https://attack.mitre.org/groups/
  • https://data.iana.org/TLD/tlds-alpha-by-domain.txt
  • https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf

Star Potters
SSO Updates 3

Oct 1, 2022, 10:13


We tell you about the new updates in SSO: the wonderful new price increase and the new character changes!!!! Have fun! ☺️

Dell Technologies PowerofStorage Podcast
I'd like 2 boxes of IAM, a ZTA and some SSO please!

Sep 29, 2022, 18:42


Security is high on the agenda of nearly all organizations, and we hear a lot of buzzwords flying about like Identity and Access Management (IAM), Zero Trust Architecture (ZTA), and Single Sign-On (SSO), but what are they, and can we just buy a box of them? We chat with Joann Kent, a Security Product Manager at Dell Technologies, to understand why these are important in the drive to secure an organization's infrastructure.

The DooDoo Diva's Smells Like Money Podcast
S3 EP 13 Manhole Covers - I & I Culprit or Hero?

Sep 27, 2022, 42:20


The DooDoo Diva's Smells Like Money Podcast – Manhole Covers "I & I Culprit or Hero?" – With Eric DuPre

Listen to this latest episode of "The DooDoo Diva's Smells like Money Podcast" where Eric DuPre talks about how important the manhole is, and even more important, how critical the lid, the ring and the entry point to that manhole are, as they relate to the entire collection system structure and the health of it. You'll be shocked at some of the statistics and data shared. He also tackled the topic of environmental health impact and costs. A review of composite manholes and non-corrosive material sealed manholes from multiple manufacturers rounded out this informative, revealing and sometimes shocking episode.

This episode covers:
● Environmental Health Impact
● How manholes can help in stopping SSOs and I & I
● Benefits of composite manhole covers

I hope you find this episode as informative and as exciting as we have. Please let us know your thoughts about the episode!

Connect with Eric DuPre
LinkedIn: https://www.linkedin.com/in/eric-dupre-tx33/

Connect with Suzan Chin-Taylor, host of The DooDoo Diva's Smells Like Money Podcast:
Website: www.creativeraven.com | https://thetuitgroup.com/
LinkedIn: https://www.linkedin.com/in/creativeraven/
Email: raven@creativeraven.com
Telephone: +1 760-217-8010

Listen and subscribe on your favorite platform: Apple Podcast - Google Podcast - CastBox - OverCast - Pocket Casts - Youtube - Spotify
https://creativeraven.com/smells-like-money-podcast/
Subscribe to the Podcast: https://creativeraven.com/smells-like-money-podcast/
Be a guest on our show: https://calendly.com/thetuitgroup/be-a-podcast-guest
Check out my NEW Digital Marketing E-Course & Coaching Program just for Wastewater Pros: https://store.thetuitgroup.com/diy-digital-marketing-playbook-for-wastewater-pros

Secret Sources of Sustenance
Indie Dad Rock of “The National”

Sep 27, 2022, 106:50


Ben and Bob are both super fans of the American indie rock band, “The National”. Both have been obsessed for a decade-plus with the roots of their friendship tracing back to that discovery. Challenged with distilling it down to their absolute favorites, they each come up with a Top 10 list with a few overlapping songs. Mutual favorites include “Bloodbuzz Ohio”, “Mistaken for Strangers”, and “Mr. November”. Ben's list is rounded off by “Don't Swallow the Cap”, “Rylan”, “I Need My Girl”, “Slow Show”, “Fake Empire”, “Walk It Back”, and “Nobody Else Will Be There”. Bob's list also includes “Day I Die”, “I Should Live in Salt”, “Afraid of Everyone”, “Vanderlyle Crybaby Geeks”, “Secret Meeting”, “Abel”, and “Looking For Astronauts”. Make yourself a 17-song playlist, give it a few spins, then listen to Ben and Bob fanboy out on this hard-double-vouch episode of SSOS.

The tastytrade network
The Skinny on Options: Abstract Applications - September 26, 2022 - The Leverage Trap

Sep 26, 2022, 17:59


Leveraged funds such as TQQQ, SSO, or SPXL have gained popularity in recent months, as traders look to capitalize on the large directional moves in the market. By trading a product that offers a 2x or 3x return on the underlying index itself, a move in your favor can pay off handsomely with quick profits. However, with the daily reset in most of these funds, any type of marketplace cyclicality whittles down the price over time, which will make it increasingly difficult to make any type of profit on the position. Did you catch our recently on how to determine Delta/Theta levels for your portfolio?

The tastytrade network
The Skinny on Options: Abstract Applications - September 26, 2022 - The Leverage Trap

Sep 26, 2022, 17:09


Leveraged funds such as TQQQ, SSO, or SPXL have gained popularity in recent months, as traders look to capitalize on the large directional moves in the market. By trading a product that offers a 2x or 3x return on the underlying index itself, a move in your favor can pay off handsomely with quick profits. However, with the daily reset in most of these funds, any type of marketplace cyclicality whittles down the price over time, which will make it increasingly difficult to make any type of profit on the position. Did you catch our recently on how to determine Delta/Theta levels for your portfolio?

Star Potters
SSO Updates 2

Sep 24, 2022, 18:37


SSO turns 11! We report on what the birthday festival has to offer and where you can waste your money!! Warning: the episode is boring, but feel free to listen to it anyway…

SurgOnc Today
Malignant Bowel Obstruction: The Elephant in the Room

Sep 19, 2022, 12:38


In this episode of SurgOnc Today®, Martin Goodman, MD, is joined by fellow members of the SSO Peritoneal Surface Malignancy Disease Site Workgroup, Ioannis Konstantinidis, MD, FACS, FSSO, and Trang Nguyen, MD. They discuss various scenarios in which patients present with malignant bowel obstruction, reviewing the decision-making process and treatment options to meet the individualized needs of each patient.

CarahCast: Podcasts on Technology in the Public Sector
FCW ICAM Workshop ft. Keeper Security: Securing Every User and Every Application, on Every Device

Sep 15, 2022, 24:08


Listen to FCW, Keeper Security, and Carahsoft's latest podcast on the topic of "Securing every user, every application on every device." This episode is an extension of Keeper Security's presentation at FCW's recent ICAM Workshop.

Sixteen:Nine
Paul Ciolino, OptiSigns

Sep 7, 2022, 35:31


It has been nagging at me for the last few months that I didn't know a hell of a lot about OptiSigns, even though the Houston-based company was a main advertiser on Sixteen:Nine. That's been fixed, having had a great conversation last week with the company's sales director Paul Ciolino. We got into a whole bunch of things, from the company's roots, how software development bridges the US and Vietnam, and their go-to-market model. OptiSigns is focused on making a product and services available that manage to tick the much-demanded boxes of intuitive and affordable, but also have a lot of sophistication and scalability. Ciolino works out of New York City, which will help explain why you might hear sirens in the background.

TRANSCRIPT

Paul, thank you for joining me. Can you give me the background on what OptiSigns is all about? Because I know them, but I don't know much about your company yet.

Paul Ciolino: Yeah, absolutely. Dave, thanks so much for having me. First of all, excited to be here. You're my first podcast ever so it's a wonderful honor for you to have, but OptiSigns is a cloud-based digital signage solution and really the key tenets of OptiSigns are: Can we make it a low barrier to entry? Can anybody use it? Is it easy? Is it accessible? Can people deploy on myriad, different platforms or OSs? And we try to check all those boxes as much as possible while making it all cost-effective.

And the company's based in Houston?

Paul Ciolino: That's right, yep.

How long has the company been around?

Paul Ciolino: So it was founded in 2015, but really the growth started happening within the last three years and we're seeing incredible year-over-year growth now.
Back in 2015, there was already any number of easy-to-use, I don't wanna say entry-level because that kind of diminishes the product, but friendly, price effective, on and on, and I'm curious what prompted the founders to look at the market and go, okay, there's an opportunity here, because, from my perspective, there was a lot of what you've described already out there?

Paul Ciolino: Yeah, absolutely. That's a really good question. I think when you think about digital signage top-down and you're looking at it with a bird's eye view, there's just a huge TAM there, right? Even if it is a saturated market, there are hundreds of vendors that do it today. There are a few really big players and there are a few really big players that do it really well. The key differentiator for us is probably just going to be on the usability side of things, and I think that was where the powers that be were sitting in a back room somewhere saying, how do we put our footprint on this industry? What can we do to make ourselves stand out and be late adopters of getting into the industry while also being a significant factor?

Yeah, it's an interesting balance that has to be struck in that I've seen a few times promotions for companies who say that we have a very easy-to-use friendly platform and when I've looked at it or other people have looked at it, they said, it's not really all that friendly or easier, or sure, it is friendly, but it doesn't do much.

Paul Ciolino: Yeah, I think that's a good point. When we have this conversation internally a lot, and sometimes I talk to our customer base about it, but really the idea behind designing OptiSigns from the ground up with our engineering team and from a product perspective was like taking a look at something like an iPhone, right? When you purchase an iPhone, you get the iPhone, you take it out of the box, you put a SIM card in it and you just start using it. You've got an iPhone now.
So we thought about that with a digital signage lens, and that's where we started putting our plan into motion.

So when you are a new user of the system, how does it work, is it software as a service?

Paul Ciolino: Yeah, absolutely. At our core, we're a software company. We don't do the installation. We don't do hardware sales outside of a couple of pre-configured devices that you can get. Really, what we do focus on is just that UX/UI component. We have 135 native app integrations now, from a simple weather app to Tableau, Power BI and more sophisticated web scripting and an open API, so we run the gamut of what you can do with digital signage.

Is there a particular market that you guys are targeting?

Paul Ciolino: So the nice thing about digital signage is that there's just so much variability in actual implementations. So when we think about targeting somebody specific, we do have our eyes on a couple of industries like logistics right now is something that we're making a big push into. We're also looking into things like healthcare, we've got a pretty good customer base with healthcare already, but we're seeing a lot of organic conversations happen there. So we're like, hey, what do we do? How can we accelerate their growth into this vertical and things like that?

That's interesting because I was waiting for you to say, yeah we're chasing retail and QSR and then I'd be rolling my eyes because everybody and their sister is, but logistics and healthcare, I think that's really smart. They're not all that addressed yet, and I'm curious, what's the ask in logistics, is it for visualizing data like Power BI and Tableau?

Paul Ciolino: Yeah, absolutely. A lot of times these people are using more bespoke dashboards as well.
So when you think about trying to take something out of the box, and then you think about maybe the staff over at one of these logistics companies, let's call it a trucking company or something like that for example, maybe they don't have the bandwidth on the IT side of the ball to have somebody spend three weeks creating a custom integration with an API or something like that, which they can do with us. But we offer OptiSigns where you can basically take your internal dashboards that are gated by username and password, and you can script the authentication and the execution of that username and password, and then get to your target resource that way.

Why do they want that? Where are they showing on these screens?

Paul Ciolino: They're showing everything from lead times to rotation schedules to availability to weather, to all kinds of different, increment factors that could be going into either a trucking scenario again, or maybe we've got some type of supply chain issue, and they're doing a full SWOT analysis in their backroom and they have to have all of this real-time data come up as they're planning around the next week, month, quarter, half year, whatever they're gonna do. So it's really myriad, just like all of our deployments are as well in different verticals, you can use it however you need to.

I find that interesting because so much of the attention in digital signage is around the wow factor, creative like amazing displays and all these things that are going on, and to me the long tail of digital signage is the stuff that you might describe as boring, just like showing KPIs on a screen or giving instructions on what to do when something happens like an alarm trigger or whatever, like that stuff doesn't get anybody's pulse racing, but it's incredibly valuable to the day to day of a company, right?
Paul Ciolino: I think there's been like this large front end push to make signage sexy when I think, at the end of the day, the reason that somebody's gonna go pay for anything in a digital signage space is that they need it and they need specific things to be up on the screen. I'm not saying you can't make things look sexy with OptiSigns, obviously, you can do that, but at the end of the day, we want people to be able to take anything that they need to have up on their screens and deploy it easily and efficiently without breaking the bank.

You mentioned breaking the bank, your pricing tiers are pretty friendly in that. I think I saw it was $10-12 a month, depending on what you're doing. Is that accurate?

Paul Ciolino: Yeah, that's about right, and that's gonna be the starting price, obviously, if people are gonna be looking at growing their business with us and scaling, which is something that we specialize in as well, just making that ease of scaling, something that comes out of the box with us. It could be anywhere from $10-15 a month per screen, unlimited users, unlimited resources uploaded into the cloud, and all that kind of stuff.

The $10 one gives you a lot of functionality, but as you scale up or tier up, so to speak, you are just adding more capability.

Paul Ciolino: Yeah, basically the way you can think about it is, let's say somebody's got maybe they even have a hundred screens or something like that, but they're gonna be putting the same thing on a hundred of their screens. They probably don't need to go into the conversation about creating manual permissions or a brand kit or reporting for their advertisers that are paying for ad space or things like that, so they can live with that standard plan that we have and be happy all day. They still have access to 95% of the functionality on the platform.
It's just gonna be some of those more robust features binding to an IDP or an SSO provider or something like that or creating a monitoring and alerting system where they can enable triggers for different events to go to specific people and make sure that they've got as much uptime as possible.

That's all quite interesting because when I think of the pricing tier that you're at, it's usually small to medium business operators who the company is targeting and they're never talking about data binding or anything like that, it's just about you can put this menu on a screen and you can change it on demand.

Paul Ciolino: Yeah, and you hit the nail on the head there. We have incredible organic growth within those verticals where you're looking at QSRs, gyms, and places like that. But I think the thing that we've been doing really well this year, especially, and especially in the last quarter and a half or so, has been getting into really earnest more of those enterprise deployments, where we're talking about, we've got a GDPR situation in Germany or something like that, and we have facilities on five different continents and we need to make sure that everybody's got the right access and we've got audit logs that they can enable and we really do pair very well with very robust security concerns.

Yeah, that's interesting as well in that I've talked to a few companies who started out targeting the small to medium business market and have migrated to enterprise because of the demands of customers, but also it's just that if you're dealing with the entry level market, you're being beaten up on price and it's not necessarily easy to scale that kind of management of all those different customers.
Paul Ciolino: Yeah, and I think that's something that's, again, credit to our engineering team, they make it so easy for people to scale on multiple different levels, whether you're talking about headcount as users within the platform, you're talking about multiple locations, or you're talking about multiple screens within a single location, and it really does just make it very intuitive. We've got our support team as well who's great. I think the CSAT that we talked about in our H1 review was like 94 or something like that, and that's an objective number, I'm not putting a lens on that one, but I think when you think about implementing something new and you're looking at a buy process that maybe has 15-20 touchpoints or something like that, you're making a pretty big commitment just from a G&A perspective as a client, and then you think about, okay, is this gonna serve my needs for the next year, three years, five years, ten years, and if so, how is that gonna look? What is my hardware reliability gonna look like and things like that, and we kind of cover all bases.

Is it important when you're dealing with those kinds of pricing tiers to minimize the number of customer touches, make as much of your offer and your software self-service and not have to provide a lot of support and customer contact? Not that you don't wanna talk to your customers, but it's just that if you have a whole bunch of them, that means you need a whole bunch of people to deal with them.

Paul Ciolino: Absolutely. Yeah, so that's again, credit to our engineering team and the way that we laid the bedrock as a company from our founders to be able to build this thing where it is very self-service. Another thing that we do that a lot of companies these days are moving towards is we've got a support blog, we've got a support site. We've got a ticket creation system, a phone number, and an email.
It's very multi-threaded in how people can actually go about getting the help they need, and I think that's something that has allowed us to spend time on growth and not as much time on maintenance, while still providing an exceptional level of service to our customer base.

You've mentioned a lot of growth in the last three years. Why do you think that is? What is it that's resonating?

Paul Ciolino: So at the end of the day, every company's going to have a little bit of this slow out of the gates kind of motion, right? And once you get the feeling for an industry and a customer base, and you have enough conversations and you get enough feedback, all of those things combined into something very powerful, even from a business owner's perspective, where you're like, okay, I can listen to these things and then I can go act on them. And one of the nice things about us is we run a very agile team, a very lean team, and we have the same communication with the same people, a lot of the time, and so that means that we can go ahead and pivot on almost a weekly basis with our roadmap if we need to, and we can effectively release functional app integrations or just things that maybe we don't think about that our users think about. And I think that level of service that comes from, even the engineering team level, is something that is really hard to achieve in any business in 2022 these days.

And some of the software development's done in Vietnam, right?

Paul Ciolino: That's right. They have a very close working relationship with our founders. They've worked together for a long time. They know how to communicate effectively, and it's really paid dividends for us as a business.

Is that kind of a historical thing? I don't know South Texas all that well, but I believe that there's a pretty big Vietnamese diaspora there that went over there for fishing fleets and everything else, but I suspect there's still a lot of business ties back?

Paul Ciolino: Yeah, absolutely.
I can't speak to the geopolitical business ties within the founder's relationship levels. Personally, I've benefited from the influx of the Vietnamese community in Houston via Cajun cuisine, but outside of that, I think it's just something where people have worked together before, I've worked with people and at a few different companies or something like that, and we can talk about anything at the drop of a hat and we can make an effective decision when it needs to be made.

How do you sell? Is it just direct to the customer or are you doing things like an affiliate channel or reseller channel?

Paul Ciolino: Yeah, so we absolutely do offer that. We have a couple of different options available. We've got an affiliate program to where, maybe you don't wanna spend the time or you don't have the time or the capital or anything else to be able to go and become a reseller, but you have a lot of people that you know in your network that are interested in digital signage. So we've got that affiliate program. You can make some money off of referring customers to us and it pays out quarterly and things like that, and we try to make it very easy and low maintenance for them to maintain those relationships, and then also generate business for us that are not cold leads at all. They're very warm leads. The other side of that is gonna be that reseller program that you mentioned and that can work in a few different ways. You can package the software, if you need to, you can white label it, and that's not even in our top-level plan, that's in our middle level plan. It's not like we're gate keeping too much here like we really do wanna make this software available to anybody that needs it, and we're doing that in several different ways as well.

You're happy enough to be just operating under the hood and nobody even knows it's OptiSigns?

Paul Ciolino: Absolutely, that's why I'm off camera.

You have an $80 Android stick that you offer as a hardware option.
I'm curious how often that comes up as an ask or are they using any number of different platforms out there, because I know you have a web player or that's the foundational player.

Paul Ciolino: So going back to the low barrier to entry that we're going with at OptiSigns. We're OS agnostic. You can deploy Windows or Linux, we've got an ARM Linux. We've got LG commercial grade native app, an Android native app, and Fire TV so you can use a Fire Stick as well. It really doesn't matter how you deploy with us, that is just there as an option. We don't make any money off of those devices, they're literally just there in case somebody thinks that's the best deployment for them, and if you go to, like Reddit or somewhere third party where there's no OptiSigns sales lens on it, you can see that these Android players are generally very reliable. We've had them deployed for, I think over a year and a half now, and we've got over 99% uptime with them. So things like that, providing reliability to our customers and, places like Australia, where it gets super hot over there, maybe there's not the best wifi connection, things like that. Those are really good deployments. I think we've got over 10,000 of our Android sticks that are out right now, and that's just one of our deployments.

Oh really, and are people going down that path because they are price sensitive or they just want like a dumbed-down device that they can just stick in?

Paul Ciolino: Yeah, I think it's somewhere between those two. Okay. So if you think about it like a Fire Stick, it's gonna be a little bit cumbersome, people can go watch ESPN or something like that on a Fire Stick. If you're looking at something like a Raspberry Pi, right now those are incredibly expensive. We do sell those too, just in case that's what people are familiar with and maybe they need more granular security pushes or something like that to their systems.
That's interesting, I've never heard somebody say Raspberry Pis are incredibly expensive, but I know what you're saying. Once you fully get them out, they're not $35, right?

Paul Ciolino: Yeah, with supply chain stuff happening right now, they're like $300 or something like that. That's what I've been hearing. We're selling them for $130 on our site, I think, but outside of that, you've got the ability to do something like an Intel NUC, or you can do a Micro PC, or you can have a full-blown computer behind a screen. When you think about something that marries the functionality of what those things can do without the processing power, because you don't need it, but you also have the reliability that's gonna be above something like a Fire Stick, or if you're just using a web browser version or something like that, I think that's a really nice, happy medium.

One of the devil's advocate arguments around web players for digital signage is: yes, you can get this application running on any number of different kinds of devices, whether they're smart TVs or Fire sticks or whatever it may be, but there's not a lot of device management. How do you counter that argument?

Paul Ciolino: Honestly, it's not really our job to counter that argument because it's not gonna be our most recommended deployment. We're not gonna sit in front of the University of Central Florida and say, you guys should be using a web browser version for all 360 TVs that you have or something like that. We're gonna tell 'em like, what do you need? Do you have wifi in every area? Do you need an ethernet adapter? Do you need to go to a Raspberry Pi? And so we'll have a very consultative conversation with our customer base before we even get into demoing the software. So that's like the first thing that we wanna nail down with our customers: How are you gonna deploy?
And let's figure out the reasons why you wanna do that, and not just because, you're used to doing it that way, or you heard it was the best from like Jim down the street.

So you are saying that you have native players as well, or you have web players that have device management?

Paul Ciolino: Yeah, so kind of all of the above. So if you wanted to go, like with what's called our managed device route, right? Like you could do something where you get that $80 Android stick, we'll charge you a little bit extra, as long as you have a pro plus package, you're gonna have our version of an Apple Care where we have an MDM, our support team can remote in, they can troubleshoot. You don't have to spend valuable time with your IT professionals or anything like that to go and troubleshoot these sticks. We can do it for you.

So is that your happy place? If a customer goes down that path where obviously you're making a bit more money out of them, but you remove some of the mystery, so to speak because it's a known device.

Paul Ciolino: Yeah, absolutely, and I think at the end of the day, we're happy if our customers are happy, and that's why we have that consultative approach on the deployment.

Tell me about the app store/library. You mentioned you have a hundred plus apps on there.

Paul Ciolino: Yeah. So we've got everything from, something like just a native designer app that's within the platform, or something like the Adobe Designer Suite, or like Canva or something like that. Something simple, something that most people that are creating digital signage are gonna need at some point.

How does that work?

Paul Ciolino: Yeah, it's basically a frame within the platform, it is just like an app. It'll take you to a page where you can design from a template, we've got like 700 plus templates out there right now. Everything from menus to employee appreciation to emergency notices, all that kind of stuff, and then you can go ahead and configure each element on the page.
You could even do something like pull from a data source where we can map elements within that page to a spreadsheet in Google or Excel, and so for QSRs in particular, this is really beneficial because they can go into a spreadsheet, never have to log into OptiSigns again, once they get the framework of their menu done, they can just change their pricing by changing that spreadsheet.

Do you have to work with your customers to help them figure out what to do?

Paul Ciolino: Absolutely, and that's within the fee structure that we have, with supporting meetings, and obviously we've got our blog with really good documentation on it as well.

Where are you seeing traction in the marketplace? I know you mentioned healthcare and logistics. Are there particular areas where there seems to be a lot of interest and more of an ask than maybe in the past?

Paul Ciolino: We talked about it earlier actually, but one of the places where we see a ton of room for growth is gonna be in that reseller side. So creating those partnerships and channels. We have a couple of partners where if they need to have somebody do install and maintenance, we can do that as well. We're never gonna be that company that vertically integrates all of that under one umbrella, but we can certainly provide the introductions to those. We predict that the reseller marketplace is gonna be a significant chunk of our revenue within the next two years.

You also have a mobile app, which I was curious about. Is that a mobile app for control of the screens?

Paul Ciolino: Yep, nail on the head. So that's just gonna be an admin app. You don't want to go on an iPhone 5s and start designing on there for screens that are gonna be much bigger than that. We tried to keep it pretty myopic with the app deployment.
That's just one of those things where somebody's on the go, maybe it's a small business owner, maybe it's somebody in a larger company that is going around and they wanna show something cool to their stakeholders or shareholders or whatever it's gonna be, and they can go ahead and just control it ad hoc as they need it. Was that something that you developed because a customer was asking for it, or you could just figure out that this is something that would be useful? Paul Ciolino: I honestly can't speak to the inception of the idea. But I do know the way that we think about things in general and it's like:  Is there going to be a need for this at some point?cHow much is it gonna cost us from a time money perspective? Is it worth it? And then we just go do it.  You also have an audience analytics add-on, what's that about? And is that something you guys wrote or is it a partner?  Paul Ciolino: No, that is actually a proprietary algorithm that our engineering team has done as well. We're talking about basically three different statistics here. The first one is going to be gender: Is the person looking at the screen male or female or walking by the screen, male or female? The second is going to be dwell time, and that's gonna be, how long is this person in front of the screen for? The third is gonna be attention time and that's how long is this person interacting with the screen for? And so when you think about reporting, OptiSigns does it really well in a couple of different ways. The first way is going to be like a proof of play reporting where you've got an advertiser, they're paying for a certain ad to be played a certain number of times over a certain period, you can batch those reports, send them out, do whatever you need to do, make sure that everybody's cool. Everything's transparent. Everything's above board.  Same thing with AI reporting, but that's gonna be more in the split testing realm of things, right? 
Where you design an advertisement or you design a menu or you design something and you want to see how people engage with it when you test different versions of it and so you can basically take August 1 through August 31 on this design, September 1 through September 30 on this design. What does my dwell time look like? What does my attention time look like? How's my split looking? Are males interacting more with this design? Are females interacting more with that design? All that kind of stuff. The audience analytics stuff using computer vision has been around for probably 15 years, and the challenge in the past was that it was expensive and you had to have additional hardware and everything else, and that kind of ruled out much adoption.  Has that changed? I believe it's $5 a month at MSRP so I suspect at scale it gets cheaper than that, and I'm assuming you're using just simple USB cameras to do the capture.  Paul Ciolino: Yeah, honestly, I think you could probably just pitch this for me at this point, but basically you need any camera that can see, right? It doesn't have to be a fancy camera that can do like 4k or anything like that. You wanna make sure that you're setting it up at the right distance, obviously, you don't want a $20 USB camera trying to find out who's looking at the screen 50 yards away or something like that.  But outside of that, it really is just plug-and-play. Does it make sense financially for you to go invest the time and the little bit extra money for that to get that kind of feedback for your own purposes or for your client's purposes? If yes, then, it's a great option to have.  Does that change the hardware set-up at all? I guess what I'm saying is does the $80 Android stick no longer the right device because you've got the extra overhead of the video processing?  Paul Ciolino: Yep, nail on the head again. 
You're gonna need to do a Linux or a Windows deployment with something like that, just because of the processing power that's needed to be able to effectively communicate that data back to the algorithm.  So just going back to the company, how large is it?  Paul Ciolino:  So we're just sub-20 right now so we're a very small shop. We definitely move quickly for sure, and again, just going into that, learned communication that we all have together, makes it really efficient for all of us to get stuff done. And it's just privately held, self-funded that sort of thing?  Paul Ciolino: Yep, precap and no debt. I asked about shares when I was joining and they said yes, but it'll be very expensive.  So what can we expect out of OptiSigns through the rest of this year and into next year?  Paul Ciolino: I think more the same, we're gonna be obviously focusing on a few different verticals going forward as we identify some customers, as we continue to move internationally, we've got a decent customer base in the EU, UK. We're blowing out into South America at this point a little bit. We do have a decent customer base in Australia as well, and then I've been having conversations with people in places like Somalia and other countries in Africa. So the reach is wide, right? And we've really only tapped that kind of outreach from a marketing perspective, even. We really haven't put a whole lot of dollars into growing our business internationally. It's mostly been organic.  So I think you can see that we're gonna be growing organically again. We're gonna be trying to be more aggressive in the way that we ideate on how we're going to tackle new verticals and things like that as well. But yeah, at the end of the day, we want to continue to make a product that will take any screen and turn it into a digital sign that you can use in any way that you and your team or your clients need to use it.  All right, and they can find the company at optisigns.com?  Paul Ciolino: Yes. 
Paul, thank you very much for spending time with me.  Paul Ciolino: Absolutely. Dave, it was a pleasure.

Screaming in the Cloud
Third Wave Security with Alex Marshall of Twingate

Sep 1, 2022 31:46


About Alex

Alex is the Chief Product Officer of Twingate, which he cofounded in 2019. Alex has held a range of product leadership roles in the enterprise software market over the last 16 years, including at Dropbox, where he was the first enterprise hire in the company's transformation from consumer to enterprise business. A focus of his product career has been using the power of design thinking to make technically complex products intuitive and easy to use. Alex graduated from Stanford University with a degree in Electrical Engineering.

Links Referenced:

twingate.com: https://twingate.com

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig secures your cloud from source to run. They believe, as do I, that DevOps and security are inextricably linked. If you wanna learn more about how they view this, check out their blog, it's definitely worth the read. To learn more about how they are absolutely getting it right from where I sit, visit Sysdig.com and tell them that I sent you. That's S Y S D I G.com. And my thanks to them for their continued support of this ridiculous nonsense.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted episode is brought to us by our friends at Twingate, and in addition to bringing you this episode, they also brought me a guest. Alex Marshall is the Chief Product Officer at Twingate. Alex, thank you for joining me, and what is a Twingate?

Alex: Yeah, well, thanks. Well, it's great to be here. What is Twingate? Well, the way to think about Twingate is we're really a network overlay layer. And so, the experience you have when you're running Twingate as a user is that network resources or network destinations that wouldn't otherwise be accessible to you are magically accessible to you and you're properly authenticated and authorized to access them.

Corey: When you say it's a network overlay, what I tend to hear and the context I usually see that in, in the real world is, “Well, we're running some things in AWS and some things in Google Cloud, and I don't know because of a sudden sharp blow to the head, maybe Azure as well, and how do you get all of the various security network models of security groups on one side to talk to their equivalent on the other side?” And the correct answer is generally that you don't and you use something else that more or less makes the rest of that irrelevant.
Is that the direction you're coming at this from, or do you view it differently?

Alex: Yeah, so I think the way that we view this in terms of, like, why we decide to build a product in the first place is that if you look at, sort of like, the internet in 2022, like, there's one thing that's missing from the network routing table, which is authentication and authorization on each row [laugh]. And so, the way that we designed the product is we said, “Okay, we're not going to worry about everything, basically, above the network layer and we're going to focus on making sure that what we're controlling with the client is looking at outbound network connections and making sure that when someone accesses something and only when they access it, that we check to make sure that they're allowed access.” We're basically holding those network connections until someone's proven that they're allowed to access to, then we let it go. And so, from the standpoint of, like, figuring out, like, security groups and all that kind of stuff, we're basically saying, like, “Yeah, if you're allowed to access the database in AWS, or your home assistant on your home network, fine, we'll let you do that, but we'll only let you go there once you've proven you're allowed to. And then once you're there, then you know, we'll let you figure out how you want to authenticate into the destination system.” So, our view is, like, let's start at the network layer, and then that solves a lot of problems.

Corey: When I call this a VPN, I know a couple of things are going to be true. One, you're almost certainly going to correct me on that because this is all about Zero Trust. This is the Year of our Lord 2022, after all. But also what I round to what basically becomes a VPN to my mind, there are usually two implementations or implementation patterns that I think about. One of them is the idea of client access, where I have a laptop; I'm in a Starbucks; I want to connect to a thing.
And the other has historically been considered, site to site, or I have a data center that I want to have constantly connected to my cloud environment. Which side of that mental model do you tend to fall in? Or is that the wrong way to frame it?

Alex: Mm-hm. The way we look at it and sort of the vision that we have for what the product should be, the problem that we should be solving for customers is what we want to solve for customers is that Twingate is a product that lets you be certain that your employees can work securely from anywhere. And so, you need a little bit of a different model to do that. And the two examples you gave are actually both entirely valid, especially given the fact that people just work from everywhere now. Like, resources everywhere, they use a lot of different devices, people work from lots of different networks, and so it's a really hard problem to solve.

And so, the way that we look at it is that you really want to be running something or have a system in place that's always taking into account the context that user is in. So, in your example of someone's at a Starbucks, you know, in the public WiFi, last time I checked, Starbucks WiFi was unencrypted, so it's pretty bad for security. So, what we should do is you should take that context into account and then make sure that all that traffic is encrypted. But at the same time, like, you might be in the corporate office, network is perfectly safe, but you still want to make sure that you're authorizing people at the point in time they try to access something to make sure that they actually are entitled to access that database in the AWS network. And so, we're trying to get people away from thinking about this, like, point-to-point connection with a VPN, where you know, the usual experience we've all had as employees is, “Great. Now, I need to fire up the VPN. My internet traffic is going to be horrible. My battery's probably going to die. My—”

Corey: Pull out the manual token that rotates with an RSA—

Alex: Exactly.

Corey: —token that spits out a different digital code every 30 seconds if the battery hasn't died or they haven't gotten their seeds leaked again, and then log in and the rest; in some horrible implementations type that code after your password for some Godforsaken reason. Yeah, we've all been down that path and it's like, “Yeah, just sign into the corporate VPN.” It's like, “Did you just tell me to go screw myself because that's what I heard.”

Alex: [laugh]. Exactly. And that is exactly the situation that we're in. And the fact is, like, VPNs were invented a long time ago and they were designed to connect to networks, right? They were designed to connect a branch office to a corporate office, and they're just to join all the devices on the network.

So, we're really, like—everybody has had this experience of VPN is suffering from the fact that it's the wrong tool for the job. Going back to, sort of like, this idea of, like, us being the network overlay, we don't want to touch any traffic that isn't intended to go to something that the company or the organization or the team wants to protect. And so, we're only going to gate traffic that goes to those network destinations that you actually want to protect. And we're going to make sure that when that happens, it's painless.
So, for example, like, you know, I don't know, again, like, use your example again; you've been at Starbucks, you've been working your email, you don't really need to access anything that's private, and all of a sudden, like, you need to as part of your work that you're doing on the Starbucks WiFi is access something that's in AWS.

Well, then the moment you do that, then maybe you're actually fine to access it because you've been authenticated, you know, and you're within the window, it's just going to work, right, so you don't have to go through this painful process of firing up the VPN like you're just talking about.

Corey: There are a number of companies out there that, first, self-describe as being, “Oh, we do Zero Trust.” And when I hear that, what I immediately hear in my own mind is, “I have something to sell you,” which, fair enough, we live in an industry. We're trying to have a society here. I get it. The next part that I wind up getting confused by then is, it seems like one of those deeply overloaded terms that exists to, more or less—in some cases to be very direct—well, we've been selling this thing for 15 years and that's the buzzword, so now we're going to describe it as the thing we do with a fresh coat of paint on it.

Other times it seems to be something radically different. And, on some level, I feel like I could wind up building an entire security suite out of nothing other than things self-billing themselves as Zero Trust. What is it that makes Twingate different compared to a wide variety of other offerings, ranging from Seam to whatever the hell an XDR might be to, apparently according to RSA, a breakfast cereal?

Alex: So, you're right. Like, Zero Trust is a completely, like, overused word. And so, what's different about Twingate is that really, I think, goes back to, like, why we started the company in the first place, which is that we started looking at the remote workspace. And this is, of course, before the pandemic, before everybody was actually working remotely and it became a really urgent problem.

Corey: During the pandemic, of course, a lot of the traditional VPN companies are, “Huh. Why is the VPN concentrator glowing white in the rack and melting? And it sounds like screaming. What's going on?” Yeah, it turns out capacity provisioning and bottlenecking of an entire company tends to be a thing at scale.

Alex: And so, you're right, like, that is exactly the conversation. We've had a bunch of customers over the last couple years, it's like their VPN gateway is, like, blowing up because it used to be that 10% of the workforce used it on average, and all of a sudden everybody had to use it. What's different about our approach in terms of what we observed when we started the company, is that what we noticed is that this term Zero Trust is kind of floating out there, but the only company that actually implemented Zero Trust was Google. So, if you think about the situations that you look at, Zero Trust is like, obvious. It's like, it's what you would want to do if you redesigned the internet, which is you'd want to say every network connection has to be authorized every single time it's made.

But the internet isn't actually designed that way. It's designed default open instead of default closed. And so, we looked at the industry and were, like, “Great. Like, Google's done it. Google has, like, tons and tons of resources. Why hasn't anyone else done it?”

And the example that I like to talk about when we talk about inception of the business is we went to some products that are out there that were implementing the right technological approach, and one of these products is still in use today, believe it or not, but I went to the documentation page, and I hit print, and it was almost 50 pages of documentation to implement it. And so, when you look at that, you're, like, okay, like, maybe there's a usability problem here [laugh].
And so, what we really, really focus on is, how do we make this product as easy as possible to deploy? And that gets into, like, this area of change management. And so, if you're in IT or DevOps or engineering or security and you're listening to this, I'm sure you've been through this process where it's taken months to deploy something because it was just really technically difficult and because you had to change user behavior. So, the thing that we focus on is making sure that you didn't have to change user behavior.

Corey: Every time you expect people to start doing things completely differently, congratulations, you've already lost before you've started.

Alex: Yes, exactly. And so, the difference with our product is that you can switch off the VPN one day, have people install a Twingate client, and then tomorrow, they still access things with exactly the same addresses they used before. And this seems like such a minor point, but the fact that I don't have to rewrite scripts, I don't have to change my SSH proxy configuration, I don't have to do anything, all of those private DNS addresses or those private IP addresses, they'll still work because of the way that our client works on the device.

Corey: So, what you're saying is fundamental; you could even do a slow rollout. It doesn't need to be a knife-switch cutover at two in the morning where you're scrambling around and, “Oh, my God, we forgot the entire accounting department.”

Alex: Yep, that's exactly right. And that is, like, an attraction of deploying this is that you can actually deploy it department by department and not have to change all your infrastructure at the same time. So again, it's like a pretty fundamental point here. It's like, if you're going to get adoption of technology, it's not just about how cool the technology is under the hood and how advanced it is; it's actually thinking about from a customer and a business standpoint, like, how much is actually going to cost time-wise and effort-wise to move over to the new solution. So, we've really, really focused on that.

Corey: Yeah. That is generally one of those things, that seems to be the hardest approach. I mean, let's back up a little bit here because I will challenge—likely—something that you said a few minutes ago, which is Google was the first and only company for a little while doing Zero Trust. Back in 2012, it turned out that we weren't calling it that then, but that is fundamentally what I built out of the ten-person startup that I was at, where I was the first ops hire, which generally comes in right around Series B when developers realize, okay, we can no longer lie to ourselves that we know what we're doing on an ops side. Everything's on fire and no one can sleep through the night. Help, help, help. Which is fine.

I've never had tolerance or patience for ops people who insult people in those situations. It's, “Well, they got far enough along to hire you, didn't they? So, maybe show some respect.” But one of the things that I did was, being on the corporate network got you access to the printer in the corner and that was it. There was no special treatment of that network.

And I didn't think much of it at the time, but I got some very strange looks and had some—uh, will call it interesting a decade later; most of the pain has faded—discussions with our auditor when we were going through some PCI work, and they showed up and said, “Great. Okay, where are the credentials for your directory?” And my response was, “Our what now?” And that's when I realized there's a certain point of scale. Back when I started as an independent consultant, everything I did for single-sign-on, for example, was my 1Password vault.
Easy enough.

Now, that we've scaled up beyond that, I'm starting to see the value of things like single-sign-on in a way that I never did before, and in hindsight, I'd like to go back and do things very differently as a result. Scale matters. What is the point of scale that you find is your sweet spot? Is it one person trying to connect to a whole bunch of nonsense? Is it small to midsize companies—and we should probably bound that because to me, a big company is still one that has 200 people there?

Alex: To your original interesting point, which is that yeah, kudos to you for, like, implementing that, like, back then because we've had probably—

Corey: I was just being lazy and it was what was there. It's like, “Why do I want to maintain a server in the closet? Honestly, I'm not sure that the office is that secure. And all it's going to do—what am I going to put on that? A SharePoint server? Please. We're using Macs.”

Alex: Yeah, exactly. Yeah. So it's, we've had, like, I don't know at this point, thousands of customer conversations. The number of people who have actually gone down that route implementing things themselves is a very small number. And I think that just shows how hard it is. So again, like, kudos.

And I think the scale point is, I think, really critical. So, I think it's changed over time, but actually, the point at which a customer gets to a scale where I think a solution has, like, leveraged high value is when you get to maybe only 50, 75 people, which is a pretty small business. And the reason is that that's the point at which a bunch of tools start getting implemented at a company, right? When you're five people, you're not going to install, like, an MDM or something on people's devices, right? When you get to 50, 75, 100, you start hiring your first IT team members. That's the point where them being able to, like, centralize management of things at the company becomes really critical.

And so, one of the other aspects that makes this a little bit different in terms of approach is that what we see is that there's a huge number of tools that have to be managed, and they have different configuration settings. You can't even get consistency on MDMs across different platforms, necessarily, right? Like, Linux, Windows, and Mac are all going to have slight differences, and so what we've been working with the platform towards is actually being the centralization point where we integrate with these different systems and then pull together, like, a consistent way to create those authentication authorization policies I was talking about before. And the last thing on SSO, just to sort of reiterate that, I think that you're talking about you're seeing the value of that, the other thing that we've, like, made a deliberate decision on is that we're not going to try to, like, re-solve, like, a bunch of these problems. Like, some of the things that we do on the user authentication point is that we rely on there being an SSO, like, user directory, that handles authentication, that handles, like, creating user groups. And we want to reuse that when people are using Twingate to control access to network destinations.

So, for us, like, it's actually, you know, that point of scale comes fairly early. It only gets harder from there, and it's especially when that IT team is, like, a relatively small number of people compared to number of employees where it becomes really critical to be able to leverage all the technology they have to deploy.

Corey: I guess this might be one of those areas where I'm not deep enough in your space to really see it the same way that you do, which is the whole reason I have people like you on the show: so I can ask these questions directly.
What is the painful position that I find myself in that I should say, “Ah, I should bring Twingate in to solve this obnoxious, painful problem so I never have to think about it again.” What is it that you solve?

Alex: Yeah, I mean, I think for what our customers tell us, it's providing a, like, consistent way to get access into, like, a wide variety of internal resources, and generally in multi-cloud environments. That's where it gets, like, really tricky. And the consistency is, like, really important because you're trying to provide access to your team—often like it's DevOps teams, but all kinds of people can access these things—trying to write access is a multiple different environments, again, there's a consistency problem where there are multiple different ways to provide that, and there isn't a single place to manage all that. And so, it gets really challenging to understand who has access to what, make sure that credentials expire when they're supposed to expire, make sure that all the routing inside those remote destinations is set up correctly. And it just becomes, like, a real hassle to manage those things.

So, that's the big one. And usually where people are coming from is that they've been using VPN to do that because they didn't know anything better exists, or they haven't found anything that's easy enough to deploy, right? So, that's really the problem that they're running into.

Corey: There's also a lot of tribal knowledge that gets passed down. The oral tradition of, “I have this problem. What should I do? I know, I will consult the wise old sage.” “Well, where can you find the wise old sage?” “Under the rack of servers, swearing at them.” “Great, cool. Well, use a VPN. That's what we've used since time immemorial.” And then the sins are visited onto yet another generation.

There's a sense that I have that companies that are started now are going to have a radically different security posture and a different way of thinking about these things than the quote-unquote, “Legacy companies”—legacy, of course, being that condescending engineering term for ‘it makes money’—who are migrating their way into a brave new world because they had the temerity to found themselves as companies before 2012.

Alex: Absolutely. When we're working with customers, there is a sort of a sweet spot, both in terms of, like, the size and role that we were talking about before, but also just in terms of, like, where they are, in, sort of like, the sort of lifecycle of their company. And I think one of the most exciting things for us is that we get to work with companies that are kind of figuring this stuff out for the first time and they're taking a fresh look at, like, what the capabilities are out there in the landscape. And that's, I think, what makes this whole space, like, super, super interesting.

There's some really, really fantastic things you can do. Just to give you an example, again, that I think might resonate with your audience quite a bit is this whole topic of automation, right? Your time at the tribal knowledge of, like, “Oh, of course. You know, we set up a VPN and so on.” One of the things that I don't think is necessarily obvious in this space is that for the teams that—at companies that are deploying, configuring, managing internal network infrastructure, is that in the past, you've had to make compromises on infrastructure in order to accommodate access, right?

Because it's kind of a pain to deploy a bunch of, like, VPN gateways, mostly for the end-user because they got to, like, choose which one they're connecting to. You potentially had to open up traffic routes to accommodate a VPN gateway that you wouldn't otherwise want to open up.
And so, one of the things that's, like, really sort of fascinating about, like, a new way of looking at things is that what we allow with Twingate—and part of this is because we've really made sure that the product is, like, API-first in the very beginning, which allows us to very easily integrate in with things, like, Terraform and Pulumi for deployment automation, is that now you have a new way of looking at things, which is that you can build a network infrastructure that you want with the data flow rules that you want, and very easily provide access into, like, points of that infrastructure, whether that's an entire subnet or just a single host somewhere. I think these are the ways, like, the capabilities have been realized are possible until they, sort of like, understand some of these new technologies.

Corey: This episode is sponsored in part by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now EnterpriseDB has you covered wherever you deploy PostgreSQL on-premises, private cloud, and they just announced a fully-managed service on AWS and Azure called BigAnimal, all one word. Don't leave managing your database to your cloud vendor because they're too busy launching another half-dozen managed databases to focus on any one of them that they didn't build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications—including Oracle—to the cloud. To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.

Corey: This feels like one of those technologies where the place that a customer starts from and where they wind up going are very far apart. Because I can see the metaphorical camel's nose under the tent flap being, “Ah, this is a VPN except it doesn't suck. Great.” But once you wind up with effectively an overlay network connecting all the things that you care about within an organization, it feels like that unlocks a whole universe of possibility.

Alex: Mm-hm. Yeah, definitely. I mean, I think you hit the nail on the head there. Like, a lot of people approach us because they're having a lot of pain with VPN and all the operational difficulties they were talking about earlier, but I think what sort of starts to open up is there's some, sort of like, not obvious things that happen. And one of them is that all of a sudden, when you can limit access at a network connection level, you start to think about, like, credentials and access management a little differently, right?

So, one of the problems that's well-known is people set up a bastion host. And they set up the bastion host so that there's, like, a limited way into the network and all the, you know, keys are stored in that bastion host and so on. So, you basically have a system where fine, we had a bastion host set up because, A, we want limited ingress, and B, we want to make sure that we know exactly who has access to our internal resources. You could do away with that and with a simple, like, configuration change, you can basically say, “Even if this employee for whatever reason, we've forgotten to remove—revoke their SSH keys, even if they still have those keys, they can't access the destination because we're blocking network access at their actual device,” then you have a very different way to restrict access. So, it's still important to manage credentials, but you now have a way to actually block things out at a network level. And I think it's like when people start to realize that these capabilities are possible that they definitely start thinking about things a little bit differently.
VPNs just don't allow this, like, level of granularity.Corey: I am a firm believer in the idea that any product with any kind of longevity gets an awful lot of its use case and product-market fit not from the people building it, but from the things that those folks learn from their customers. What did you learn from customers rolling out Twingate that reshaped how you thought about the space, or surprised you as far as use cases go?Alex: Yeah, so I think it's a really interesting question because one of the benefits of having a small business and being early on is that you have very close relationships with all your customers and they're really passionate about your product. And what that leads to is just a lot of, sort of like, knowledge sharing around, like, how they're using your product, which then helps inform the types of things that we build. So, one of the things that we've done internally to help us learn, but then also help us respond more quickly to customers, is we have this group called Twingate Labs. And it's really just a group of folks that are outside the engineering org that are just allowed to build whatever they want to try to prove out, like, interesting concepts. And a lot of those—I say a lot; honestly, probably all of those concepts have come from our customers, and so we've been able to, like, push the boundaries on that.And so, it just gave you an example, I mean, AWS can be sometimes a challenging product to manage and interact with, and so that team has, for example, built capabilities, again, using that just the regular Twingate API to show that it's possible to automatically configure resources in AWS based on tags. Now, that's not something that's in our product, but it's us showing our customers that, you know, we can respond quickly to them and then they actually, like, try to accommodate some, like, these special use cases they have. And if that works out, then great, we'll pull it into the product, right? 
So, I think that's, like, the nice thing about serving a smaller businesses is that you get a lot of that back and forth to your customers and they help us generate ideas, too.Corey: One thing that stands out to me from the testimonials from customers you have on your website has been a recurring theme that crops up that speaks to I guess, once I spend more than ten seconds thinking about it, one of the most obvious reasons that I would say, “Oh, Twingate? That sounds great for somebody else. We're never rolling it out here.” And that is the ease of adoption into environments that are not greenfield because I don't believe that something like this product will ever get deployed to something greenfield because this is exactly the kind of problem that you don't realize exists and don't have to solve for until it's too late because you already have that painful problem. It's an early optimization until suddenly, it's something you should have done six months ago. What is the rolling it out process for a company that presumably already is built out, has hired a bunch of people, and they already have something that, quote-unquote, “Works,” for granting access to things?Alex: Mm-hm. Yeah, so the beauty is that you can really deploy this side-by-side with an existing solution, so—whatever it happens to be; I mean, whether it's a VPN or something else—is you can put the side-by-side and the deployment process, just to talk a little bit about the architecture; we've talked a lot about this client that runs on the user's device, but on the remote network side, just to be really clear on this, there's a component called a connector that gets deployed inside the remote network, and it does not have to be installed on every single destination host. You're sort of thinking about it, sort of like this routing point inside that network, and that connector controls what traffic is allowed to go to internal locations based on the rules. 
So, from a deployment standpoint, it's really just put a connector in place and put it in place in whatever subnet you want to provide access to.And so you're—unlikely, but if your entire company has one subnet, great. You're done with one connector. But it does mean you can sort of gradually roll it out as it goes. And the connector can be deployed in a bunch of different environments, so we're just talking with AWS. Maybe it's inside a VPC, but we have a lot of people that actually just want to control access to specific services inside a Kubernetes cluster, and so you can deploy it as a container, right inside Kubernetes. And so, you can be, like, really specific about how you do that and then gradually roll it out to teams as they need it and without having to necessarily on that day actually shut off the old solution.So, just to your comment, by the way, on the greenfield versus, sort of like, brownfield, I think the greenfield story, I think, is changing a little bit, I think, especially to your comment earlier around younger companies. I think younger companies are realizing that this type of capability is an option and that they want to get in earlier. But the reality is that, you know, 98% of people are really in the established network situation, and so that's where that rollout process is really important.Corey: As you take a look throughout what you're seeing customers doing, what you see the industry doing as a result of that—because customers are, in fact, the industry, let's be clear here—what do you think is, I guess, the next wave of security offerings? I guess what I'm trying to do here is read the tea leaves and predict what the buzzwords will be all over the place that next RSA. But on a slightly more serious note, what do you see this is building towards? What are the trends that you're identifying in the space?Alex: There's a couple of things that we see. So one, sort of, way to look at this is that we're sort of in this, like, Third Wave. 
And I think these things change more slowly than—with all due respect to marketers—than marketers would [laugh] have you believe. And so, thinking about where we are, there's, like, Wave One is, like, good old happy days, we're all in the office, like, your computer can't move, like, all the data is in the office, like, everything is in one place, right?Corey: What if someone steals your desktop? Well, they're probably going to give themselves a hernia because that thing's heavy. Yeah.Alex: Exactly. And is it really worth stealing, right? But the Wave One was really, like, network security was actually just physical security, to that point; that's all it was, just, like, physically secure the premises.Wave Two—and arguably you could say we're kind of still in this—is actually the transition to cloud. So, let's convert all CapEx to OpEx, but that also introduces a different problem, which is that everything is off-network. So, you have to, like, figure out, you know, what you do about that.But Wave Three is really I think—and again, just to be clear, I think Wave Two, there are, like, multi-decade things that happen—and I'd say we're in the middle of, like, Wave Three. And I think that everyone is still, like, gradually adapting to this, which is what we describe it as sort of people everywhere, applications are everywhere, people are using a whole bunch of different devices, right? There is no such thing as BYOD in the early-2000s, late-90s, and people are accessing things from all kinds of different networks. And this presents a really, really challenging problem. So, I would argue, to your question, I think we're still in the middle of that Wave Three and it's going to take a long time to see that play through the industry. Just, things change slowly. 
That tribal knowledge takes time to change.The other thing that I think we very strongly believe in is that—and again, this is, sort of like, coming from our customers, too—is that people basically with security industry have had a tough time trying things out and adopting them because a lot of vendors have put a lot of blockers in place of doing that. There's no public documentation; you can't just go use the product. You got to talk to a salesperson who then filters you through—Corey: We have our fifth call with the sales team. We're hoping this is the one where they'll tell us how much it costs.Alex: Exactly. Or like, you know, now you get to the sales engineer, so you gradually adopt this knowledge. But ultimately, people just want to try the darn thing [laugh], right? So, I think we're big believers that I think hopefully, what we'll see in the security industry is that—we're trying to set an example here—is really that there's an old way of doing things, but a new way of doing things is make the product available for people to use, document the heck out of it, explain all the different use cases that exist for how to be successful your product, and then have these users actually then reach out to you when they want to have more in-depth conversation about things. So, those are the two big things, I'd say. I don't know if those are translated buzzwords at RSA, but those are two big trends we see.Corey: I look forward to having you back in a year or two and seeing how close we get to the reality. “Well, I guess we didn't see that acronym coming, but don't worry. They've been doing it for the last 15 years under different names, so it works out.” I really want to thank you for being as generous with your time as you have been. If people want to learn more, where should they go?Alex: Well, as we're just talking about, you try the product at twingate.com. So, that should be your first stop.Corey: And we will of course put links to that in the show notes. 
Thank you so much for being as forthcoming as you have been about all this stuff. I really appreciate your time.Alex: Yeah, thank you, Corey. I really appreciate it. Thanks.Corey: Alex Marshall, Chief Product Officer at Twingate. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with a long angry ranty comment about what you hated about the episode, which will inevitably get lost when it fails to submit because your crappy VPN concentrator just dropped it on the floor.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Secret Sources of Sustenance
Lighthearted Political Comedy “My Fellow Americans”

Secret Sources of Sustenance

Play Episode Listen Later Aug 30, 2022 76:11


Given the focus of their last episode, Ben & Bob needed something wholly lighthearted to cleanse their palates. Enter the 1996 political conspiracy/road trip comedy “My Fellow Americans”. Starring Jack Lemmon, James Garner, Dan Aykroyd and a cast of other legendary (and somewhat legendary) faces, this is Bob's comedic comfort food. Two bitter rival ex-Presidents team up to unravel a conspiracy that puts them both in danger and on the run from rogue NSA agents, to mostly hilarious effect. To Bob, it's the equivalent of mom's meatloaf in VHS form. But will Ben be satiated, or is it too cheesy for his tastes? Find out on this episode of SSOS.

MacVoices Video
MacVoices #22173: MacVoices Live! - An Apple Watch Story, Update on Parallels and Windows (1)

MacVoices Video

Play Episode Listen Later Aug 23, 2022 36:48


This MacVoices Live! panel starts out with a personal story by host Chuck Joiner about how an Apple Watch sent a fall notice that hit close to home. Then, David Ginsburg, Jim Rea and special guests Web Bixby and Eric Bolden follow up with comments about the Medical ID features on the iPhone, and renewed discussion about Windows emulation on the M1 Macs using Parallels. (Part 1)

This edition of MacVoices is supported by Kolide. Get important, timely, and relevant security recommendations for your Mac, right inside Slack. Try Kolide with all its features on an unlimited number of devices for free for 14 days; no credit card required, at Kolide.com/macvoices.

MacVoices is supported by Rocket Money. Take full control of your subscriptions at RocketMoney.com/macvoices.

Show Notes:

Links:
Parallels Desktop 18 simplifies installing Windows 11 on Apple Silicon, adds new SSO licensing, and improves Xbox and PS4 controller support on 9to5Mac: https://9to5mac.com/2022/08/08/parallels-18/
Use fall detection with Apple Watch on Apple.com: https://support.apple.com/en-us/HT208944

Guests:
Web Bixby has been in the insurance business for 40 years and has been an Apple user for longer than that. You can catch up with him on Facebook, Twitter, and LinkedIn.
Eric Bolden is into macOS, plants, sci-fi, food, and is a rural internet supporter. You can connect with him on Twitter, by email at embolden@mac.com, and on his blog, Trending At Work.
Jeff Gamet is a technology blogger, podcaster, author, and public speaker. Previously, he was The Mac Observer's Managing Editor, and the TextExpander Evangelist for Smile. He has presented at Macworld Expo, RSA Conference, several WordCamp events, along with many other conferences. You can find him on several podcasts such as The Mac Show, The Big Show, MacVoices, Mac OS Ken, This Week in iOS, and more. Jeff is easy to find on social media as @jgamet on Twitter and Instagram, jeffgamet on LinkedIn, and on his YouTube Channel at YouTube.com/jgamet.
David Ginsburg is the host of the weekly podcast In Touch With iOS where he discusses all things iOS, iPhone, iPad, Apple TV, Apple Watch, and related technologies. He is an IT professional supporting Mac, iOS and Windows users. Visit his YouTube channel at https://youtube.com/daveg65 and find and follow him on Twitter @daveg65.
Jim Rea has been an independent Mac developer continuously since 1984. He is the founder of ProVUE Development, and the author of Panorama X, ProVUE's ultra-fast RAM-based database software for the macOS platform. Follow Jim at provue.com and via @provuejim on Twitter.

Support:
Become a MacVoices Patron on Patreon: http://patreon.com/macvoices
Enjoy this episode? Make a one-time donation with PayPal

Connect:
Web: http://macvoices.com
Twitter: http://www.twitter.com/chuckjoiner, http://www.twitter.com/macvoices
Facebook: http://www.facebook.com/chuck.joiner
MacVoices Page on Facebook: http://www.facebook.com/macvoices/
MacVoices Group on Facebook: http://www.facebook.com/groups/macvoice
LinkedIn: https://www.linkedin.com/in/chuckjoiner/
Instagram: https://www.instagram.com/chuckjoiner/

Subscribe:
Audio in iTunes
Video in iTunes
Subscribe manually via iTunes or any podcatcher:
Audio: http://www.macvoices.com/rss/macvoicesrss
Video: http://www.macvoices.com/rss/macvoicesvideorss

Adventures in .NET
Authentication and Authorization - .NET 132

Adventures in .NET

Play Episode Listen Later Aug 23, 2022 42:25


If the title of this episode didn't give it away... we are talking about logging into and accessing the content in web applications. Albert Starreveld spends a lot of his time implementing authentication and authorization workflows for his clients. There are a lot of factors that determine how to handle these implementations correctly. Are you still using role-based authorization? What identity provider are you using? Are you using SSO? Are you using claims/scopes? Do you know how to set up claims transformations? These are just some of the questions to ask when dealing with authentication and authorization. In this episode, we discuss these questions and more with Albert. Have you had to implement auth in a web application? How did it go? Let us know on Twitter at @dotnet_Podcast.

Sponsors
Top End Devs Coaching | Top End Devs

Links
Claims Transformation in .NET 6. OAuth2 is a great protocol to… | by Albert Starreveld | Medium
Auth0: Secure access for everyone. But not just anyone.
jwt.ms
General Data Protection Regulation (GDPR) – Official Legal Text
Albert Starreveld - Medium
LinkedIn: Albert Starreveld
Contact Albert at astarreveld@vx.com

Picks
Caleb - Lifespan
Shawn - Watch Locke & Key | Netflix Official Site
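The questions the episode raises (role-based versus claims-based authorization, SSO through an external identity provider, claims transformation) meet in one place in ASP.NET Core: an IClaimsTransformation that turns what the identity provider asserts into what the application authorizes on. The following is an added example written for this page, not code from the episode or from Albert Starreveld's articles. It assumes the identity provider issues a `groups` claim, that `perm` is an application-internal claim type, and that the group names, the authority URL and the audience are placeholders; it needs the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
// Added example (not from the episode or the guest's code): map identity-provider
// groups onto application permission claims, then authorize on the permissions.
// "groups", "perm", the group names, the authority and the audience are assumptions.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Keeping the group-to-permission table in the application means the IdP only has
// to know about groups; the permission vocabulary can change without an IdP change.
public sealed class GroupToPermissionTransformer : IClaimsTransformation
{
    private const string GroupClaim = "groups";     // assumption: claim type the IdP emits
    private const string PermissionClaim = "perm";  // assumption: app-internal claim type

    private static readonly Dictionary<string, string[]> Mapping = new()
    {
        ["sales-admins"]  = new[] { "orders:read", "orders:write" },
        ["sales-readers"] = new[] { "orders:read" },
    };

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // ASP.NET Core may call TransformAsync more than once for the same request,
        // so never mutate the incoming principal and never add a claim twice.
        if (principal.Identity is not ClaimsIdentity { IsAuthenticated: true } identity)
            return Task.FromResult(principal);

        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity!;

        // Only groups we know about produce permissions; unknown groups are ignored.
        var permissions = identity.FindAll(GroupClaim)
            .Select(c => c.Value)
            .Where(Mapping.ContainsKey)
            .SelectMany(g => Mapping[g])
            .Distinct();

        foreach (var perm in permissions)
        {
            if (!cloneIdentity.HasClaim(PermissionClaim, perm))
                cloneIdentity.AddClaim(new Claim(PermissionClaim, perm));
        }
        return Task.FromResult(clone);
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Bearer tokens from the SSO identity provider. The audience check is what
        // stops a token minted for a different API behind the same IdP from being
        // accepted here, so it is not optional.
        builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://idp.example.com"; // assumption
                options.Audience  = "orders-api";              // assumption
            });

        builder.Services.AddTransient<IClaimsTransformation, GroupToPermissionTransformer>();

        // Policies are written against application permissions, not IdP group
        // names or roles, so handlers never need to know how groups are organised.
        builder.Services.AddAuthorization(options =>
        {
            options.AddPolicy("CanReadOrders",  p => p.RequireClaim("perm", "orders:read"));
            options.AddPolicy("CanWriteOrders", p => p.RequireClaim("perm", "orders:write"));
        });

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();

        app.MapGet("/orders",  () => Results.Ok("list")).RequireAuthorization("CanReadOrders");
        app.MapPost("/orders", () => Results.Ok("created")).RequireAuthorization("CanWriteOrders");

        app.Run();
    }
}
```

Two points worth checking when adopting this pattern: the transformer clones the principal and tests `HasClaim` before adding, because the framework gives no guarantee that `TransformAsync` runs exactly once per request; and the mapping table is an allow-list, so a new group at the identity provider grants nothing until someone adds it here, which is the safe default.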

MacVoices Audio
MacVoices #22173: MacVoices Live! - An Apple Watch Story, Update on Parallels and Windows (1)

MacVoices Audio

Play Episode Listen Later Aug 22, 2022 36:49


This MacVoices Live! panel starts out with a personal story by host Chuck Joiner about how an Apple Watch sent a fall notice that hit close to home. Then, David Ginsburg, Jim Rea and special guests Web Bixby and Eric Bolden follow up with comments about the Medical ID features on the iPhone, and renewed discussion about Windows emulation on the M1 Macs using Parallels. (Part 2)

This edition of MacVoices is supported by Kolide. Get important, timely, and relevant security recommendations for your Mac, right inside Slack. Try Kolide with all its features on an unlimited number of devices for free for 14 days; no credit card required, at Kolide.com/macvoices.

MacVoices is supported by Rocket Money. Take full control of your subscriptions at RocketMoney.com/macvoices.

Show Notes:

Links:
Parallels Desktop 18 simplifies installing Windows 11 on Apple Silicon, adds new SSO licensing, and improves Xbox and PS4 controller support on 9to5Mac: https://9to5mac.com/2022/08/08/parallels-18/
Use fall detection with Apple Watch on Apple.com: https://support.apple.com/en-us/HT208944

Guests:
Web Bixby has been in the insurance business for 40 years and has been an Apple user for longer than that. You can catch up with him on Facebook, Twitter, and LinkedIn.
Eric Bolden is into macOS, plants, sci-fi, food, and is a rural internet supporter. You can connect with him on Twitter, by email at embolden@mac.com, and on his blog, Trending At Work.
Jeff Gamet is a technology blogger, podcaster, author, and public speaker. Previously, he was The Mac Observer's Managing Editor, and the TextExpander Evangelist for Smile. He has presented at Macworld Expo, RSA Conference, several WordCamp events, along with many other conferences. You can find him on several podcasts such as The Mac Show, The Big Show, MacVoices, Mac OS Ken, This Week in iOS, and more. Jeff is easy to find on social media as @jgamet on Twitter and Instagram, jeffgamet on LinkedIn, and on his YouTube Channel at YouTube.com/jgamet.
David Ginsburg is the host of the weekly podcast In Touch With iOS where he discusses all things iOS, iPhone, iPad, Apple TV, Apple Watch, and related technologies. He is an IT professional supporting Mac, iOS and Windows users. Visit his YouTube channel at https://youtube.com/daveg65 and find and follow him on Twitter @daveg65.
Jim Rea has been an independent Mac developer continuously since 1984. He is the founder of ProVUE Development, and the author of Panorama X, ProVUE's ultra-fast RAM-based database software for the macOS platform. Follow Jim at provue.com and via @provuejim on Twitter.

Support:
Become a MacVoices Patron on Patreon: http://patreon.com/macvoices
Enjoy this episode? Make a one-time donation with PayPal

Connect:
Web: http://macvoices.com
Twitter: http://www.twitter.com/chuckjoiner, http://www.twitter.com/macvoices
Facebook: http://www.facebook.com/chuck.joiner
MacVoices Page on Facebook: http://www.facebook.com/macvoices/
MacVoices Group on Facebook: http://www.facebook.com/groups/macvoice
LinkedIn: https://www.linkedin.com/in/chuckjoiner/
Instagram: https://www.instagram.com/chuckjoiner/

Subscribe:
Audio in iTunes
Video in iTunes
Subscribe manually via iTunes or any podcatcher:
Audio: http://www.macvoices.com/rss/macvoicesrss
Video: http://www.macvoices.com/rss/macvoicesvideorss

Modernize or Die ® Podcast - CFML News Edition
Modernize or Die® - CFML News Podcast for August 9th, 2022 - Episode 160

Modernize or Die ® Podcast - CFML News Edition

Play Episode Listen Later Aug 9, 2022 36:58


2022-08-09 Weekly News - Episode 160
Watch the video version on YouTube at https://youtu.be/LZtoUnLPU38

Hosts:
Eric Peterson - Senior Developer at Ortus Solutions
Gavin Pickin - Senior Developer at Ortus Solutions

Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there.

A few ways to say thanks back to Ortus Solutions:
BUY SOME ITB TICKETS - COME TO THE CONFERENCE - Have a few laughs!
Like and subscribe to our videos on YouTube.
Help ORTUS reach for the Stars - Star and Fork our Repos
Star all of your Github Box Dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github
Subscribe to our Podcast on your Podcast Apps and leave us a review
Sign up for a free or paid account on CFCasts, which is releasing new content every week
BOXLife store: https://www.ortussolutions.com/about-us/shop
Buy Ortus's Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)

Patreon Support
Goal 1 - We have 37 patreons providing 100% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.
Goal 2 - We are 44% of the way to fully fund the hosting of ForgeBox.io

News and Announcements

Lucee Release Roadmap, 6.0, 5.3.9 and 5.3.10
5.3.9 - Firstly, we have been working on the open regressions 11 with 5.3.9 and hope to release a quick RC this Friday.
6.0.0-BETA - There are still a number of blockers which we still need to address, but we are getting very close.
https://dev.lucee.org/t/lucee-release-roadmap-6-0-5-3-9-and-5-3-10/10810

WireBox Object Delegators are now born!
It's been committed with tests and hopefully this new design pattern will help you create beautiful object DSLs and just allow for less boilerplate in your code.
https://ortussolutions.atlassian.net/browse/WIREBOX-131?atlOrigin=eyJpIjoiMGY4OTQwZGE2YTU5NGVkNGI2MDk5YzI1ZDM0MDA0ZGQiLCJwIjoiamlyYS1zbGFjay1pbnQifQ

Lucee - Allow reducing the Priority of Concurrent Requests
Micha has been working on a new feature which will help to make uncoordinated DDOS attacks less effective against Lucee, by amongst other things reducing the thread priority. It's been added to the 5.3.9.151-SNAPSHOT and 5.3.10.39-SNAPSHOTs.
https://dev.lucee.org/t/allow-reducing-the-priority-of-concurrent-requests/10807/3

ICYMI - 117 ACF and Lucee roundtable (Part 3 – future CFML) with Charlie Arehart, Gert Franz, Mark Drew and Ben Nadel
Charlie Arehart, Gert Franz, Mark Drew and Ben Nadel talk about “ACF and Lucee roundtable (Part 3 – future CFML)” in this episode of ColdFusion Alive Podcast, with host Michaela Light.
“We're gonna be talking about Adobe ColdFusion and Lucee and how they compare and contrast and all cool new features coming in the next five years that we prognosticate future performance. Improvements might be coming CFML engine updates and how you can best approach those confusion security. And we'll wrap up with some other questions about being a good CFML developer and conferences this year.”
https://teratech.com/podcast/acf-and-lucee-roundtable-part-3-future-cfml-with-charlie-arehart-gert-franz-mark-drew-and-ben-nadel/

INTO THE BOX - Updates
1 month left until the start of the Pre-Conf, the Workshop and 2 days of 2 track content.
ITB Pre-Conference Schedule Finalized on the Website (3 sessions TBA)
Workshops are starting to fill up - don't miss your chance.
https://intothebox.org/

New Releases and Updates

Lucee - Image Extension 1.2.0.1 and 1.0.0.44, isImageFile() invalid file locking fixed
Bugfix: locked temp image files - isImageFile()
https://luceeserver.atlassian.net/browse/LDEV-3931
When using isImageFile() for certain formats, if the file wasn't an image, Lucee was leaving the file locked.
https://dev.lucee.org/t/image-extension-1-2-0-1-and-1-0-0-44-isimagefile-invalid-file-locking-fixed/10808

ICYMI - CFConfig - Now supports Scheduled Tasks in Lucee
Thanks to a sponsor, CFConfig now supports importing/exporting scheduled tasks for #Lucee Server (Adobe already had support)! Please give it a test with the latest version and remember, tasks need to be imported into the web context of Lucee! #CommandBox #CFML #ColdFusion
https://www.forgebox.io/view/commandbox-cfconfig

ICYMI - ColdBox 6.8.0 Released!
I am incredibly excited to announce the release of ColdBox v6.8.0 and its standalone companion libraries: CacheBox, LogBox and WireBox. This update includes some important fixes and we managed to squeeze in some nice improvements!
Bug
COLDBOX-1134 Router closure responses not marshaling complex content to JSON
COLDBOX-1132 New virtual app was always starting up the virtual coldbox app instead of checking if it was running already
Improvement
COLDBOX-1131 Updated Missing Action Response Code to 404 instead of 405
COLDBOX-1127 All core async proxies should send exceptions to the error log
New Feature
COLDBOX-1130 New config/ColdBox.cfc global injections: webMapping, coldboxVersion
COLDBOX-1126 Funnel all out and err logging on a ColdBox Scheduled Task to LogBox
Task
COLDBOX-1135 Remove HandlerTestCase as it is no longer in usage.
https://www.ortussolutions.com/blog/coldbox-680-released/

ICYMI - Adobe CFML VS Code Extension released (in Public Beta)
https://marketplace.visualstudio.com/items?itemName=com-adobe-coldfusion.adobe-cfml-lsp

Webinar / Meetups and Workshops

Ortus Webinar - August - Ortus Team - Into the Box Preview and Q&A
August 26th, 2022: Time 11:00AM Central Time (US and Canada)
Join some of the Ortus Core Team as they discuss all the great things coming to you from Into the Box, with the Pre Conference Online Sessions, Full Day Workshops and then the 2 day 2 track in Person Conference. The session will be informal, with Q&A from the chat, with maybe a couple of last minute surprise announcements.
Register now: https://bit.ly/3cW6LlM

Adobe Workshops
Join the Adobe ColdFusion Workshop to learn how you and your agency can leverage ColdFusion to create amazing web content.
This one-day training will cover all facets of Adobe ColdFusion that developers need to build applications that can run across multiple cloud providers or on-premise.
TUESDAY, AUGUST 9, 2022, 9.00 AM - 4.30 PM AEST
ColdFusion Workshop
Brian Sappey
https://coldfusion-1-day-training.meetus.adobeevents.com/

WEBINAR - THURSDAY, AUGUST 18, 2022, 10:00 AM PDT
Making Games with Adobe ColdFusion
Mark Takata
https://making-games-with-adobe-coldfusion.meetus.adobeevents.com/

WEBINAR - THURSDAY, SEPTEMBER 22, 2022, 10:00 AM PDT
Building Custom Adobe Connect Pods with CF2021
Mark Takata
https://building-custom-adobe-connect-pods-cf2021.meetus.adobeevents.com/

FREE :)
Full list - https://meetus.adobeevents.com/coldfusion/

CFCasts Content Updates
https://www.cfcasts.com

Just Released
LogBox 101 - 1 new video - https://cfcasts.com/series/logbox-101
Episode 11 - Async Appender https://cfcasts.com/series/logbox-101/videos/async-appenders
2022 ForgeBox Module of the Week Series - 1 new Video https://cfcasts.com/series/2022-forgebox-modules-of-the-week
2022 VS Code Hint tip and Trick of the Week Series - 1 new Video https://cfcasts.com/series/2022-vs-code-hint-tip-and-trick-of-the-week

Coming Soon
LogBox 101 from Eric Peterson - 3 more videos left!
Koding with the Kiwi + Friends
More ForgeBox and VS Code Podcast snippet videos
Box-ifying a 3rd Party Library from Gavin
ColdBox Elixir from Eric

Conferences and Training

Redis Hackathon on Dev
From now through August 29th, 2022, DEV has partnered up with Redis for a community hackathon that will give you the chance to build a new application using Redis or simplify a complex backend. Anyone who submits a valid project (including an official submission post, published on DEV) will be automatically entered to win a variety of fantastic prizes (including up to $2,000 USD). If you're familiar with our hackathons here on DEV, you know that the community has a lot of fun with them and gets pretty creative with what they build. Whether you've joined us in the past or not, we hope you'll throw your hat into the ring by participating in the Redis Hackathon on DEV!
https://dev.to/devteam/announcing-the-redis-hackathon-on-dev-3248

Into the Box - Pre Conference
Aug 29th - Sep 2nd, 2022
2 sessions a day, 5 days in the week - 10 sessions total
Conference Website: https://intothebox.org

Into The Box 2022
September 6, 7 and 8, 2022 in Houston, Texas
One day workshops before the two day conference!
Sign up for the workshops before they fill up - a couple are almost filled
Conference Website: https://intothebox.org

CF Summit - Official
At the Mirage in Las Vegas, NV
Oct 3rd & 4th - CFSummit Conference
Oct 5th - Adobe Certified Professional: Adobe ColdFusion Certification Classes & Tests
https://cfsummit.adobeevents.com/
https://www.adobe.com/products/coldfusion-family/certificate.html
Registrations are now open.

Ortus CF Summit Training Workshop
ColdBox Zero to MegaHero : REST APIs + VueJS Mobile App
Oct 5th and 6th - After CF Summit Conference
Lead by Luis Majano & Gavin Pickin
Price: $799 - Early bird pricing
https://www.eventbrite.com/e/ortus-cf-summit-training-workshop-tickets-375306340367
Location: Aria - In the luxurious Executive Hospitality Suite like 2019
The suite doubled its prices but we're working hard to keep the costs to the attendees the same

Into the Box Latam 2022
Dec 5th or 7th
More information is coming very soon.

CFCamp
No CFCAMP 2022, we're trying again for summer 2023
TLDR is that it's just too hard and there's too much uncertainty right now.

More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.
https://confs.tech/

Blogs, Tweets, and Videos of the Week

Adobe Corner

8/4/22 - Blog - Mark Takata - ColdFusion Portal - ACF Builder Extension: Quick Fix
Sometimes we all need a helping hand. Wait. Does an IDE even have a hand? Anyway, imagine if your VS Code was able to flag issues with your code, make suggestions, but then even make those suggestions come to life! The Builder extension for VS Code includes a “quick fix” capability.
https://coldfusion.adobe.com/2022/08/acf-builder-extension-quick-fix/

8/4/22 - Blog - Mark Takata - ColdFusion Portal - ACF Builder Extension: Code Refactoring
What is “code refactoring”? Is it a cool new UK reality show where you win prizes by changing up your applications to work better? No, but if any TV producers from the UK read this and are interested, call me.
https://coldfusion.adobe.com/2022/08/acf-builder-extension-code-refactoring/

8/4/22 - Blog - Mark Takata - ColdFusion Portal - ACF Builder Extension: Code Assist
Often, the main reason we use a purpose-built IDE for our development work is for getting help with things like code completion, hinting, scaffolding and other similar features. This is often a big differentiator from more simplified editors such as, for example, Notepad.
https://coldfusion.adobe.com/2022/08/acf-builder-extension-code-assist/

8/4/22 - Blog - Mark Takata - ColdFusion Portal - ACF Builder Extension: Security Analyzer
Security is a critical aspect of programming. The Security Analyzer is a powerful, useful tool for CFML developers to use to help prevent vulnerable code in their application. It can warn about potential threats, give you an idea of the level of the threat, and suggest potential solutions to the issues.
https://coldfusion.adobe.com/2022/08/acf-builder-extension-security-analyzer/

8/3/22 - Blog - Mark Takata - ColdFusion Portal - ACF Builder Extension: PMT Code Profiler
The Performance Monitoring Toolkit (PMT) provides critical performance data for your running Adobe ColdFusion servers. It monitors all transactions and captures a variety of data metrics including response and run times, errors, and other data. The Builder Extension provides the ability to view data from the PMT server in a report.
https://coldfusion.adobe.com/2022/08/acf-builder-extension-pmt-code-profiler/

8/2/22 - Blog - Mark Takata - ColdFusion Portal - ACF Builder Extension: RDS Integration
RDS has helped ColdFusion developers with their development workflows for a very long time, and ever since Adobe ColdFusion Builder version 1.0 (code named “Bolt”) CF developers have been able to interact with various aspects of their development environment using RDS. In the ACF Builder Extension, this is also the case, with powerful capabilities that become available when using & logging the extension into RDS.
https://coldfusion.adobe.com/2022/08/acf-builder-extension-rds-integration/

8/1/22 - Blog - Mark Takata - ColdFusion Portal - ACF Builder Extension: Server Panel
One of the incredible differentiating features of the Builder Extension is the ability to set up & control your servers directly from VS Code. This was a very popular feature in ColdFusion Builder (Eclipse) and provides nearly identical functionality here.
https://coldfusion.adobe.com/2022/08/acf-builder-extension-server-panel/

Community Corner

8/6/22 - Tweet - James Moberg - CFML Legacy Converter
Any #CFML developers working with legacy #ColdFusion code? I'm almost finished developing a CFC that will "standardize/modernize tags, functions, member functions, attributes, operators & SQL case." (I'm hoping to share sometime next week.) #NoMoreManualSearchReplace
https://twitter.com/gamesover/status/1555990302564814850
https://twitter.com/gamesover

8/5/22 - Blog - Ortus Solutions - Ortus Content Digest for week of August 5th
It's August 5th... what has Ortus been publishing this week? We have the CFML News Podcast, some CFCasts and YouTube Videos, lots of Ortus and ITB Blog Posts. We have a lot more planned for next week as well.
https://www.ortussolutions.com/blog/ortus-content-digest-for-week-of-august-5th/?utm_medium=referral&utm_source=contentstudio.io

8/4/22 - Tweet - Brad Wood - Ortus Solutions - Client Cert Auth
I think I've finally cracked the client cert auth in #CommandBox. This was a huge project, but important for our government clients. Let me know if you want to help test it. I've also refactored basic auth and laid roadwork for digest auth, SSO, and NTLM auth. #CFML #ColdFusion
https://twitter.com/bdw429s/status/1555234073630674947
https://twitter.com/bdw429s

8/3/22 - Blog - Dan Card - Ortus Solutions - Integrating ColdBox with Existing Code Series Part 4: More Integration
Recently, I did a webinar on Refactoring Legacy Code and the question came up about whether or not it was possible to use ColdBox with existing code without converting everything to a ColdBox module or making changes to the existing codebase.
https://www.ortussolutions.com/blog/integrating-coldbox-with-existing-code-series-part-4-more-integration/?utm_medium=referral&utm_source=contentstudio.io

8/2/22 - Blog - Zac Spitzer - Lucee Release Roadmap, 6.0, 5.3.9 and 5.3.10
5.3.9 - Firstly, we have been working on the open regressions 11 with 5.3.9 and hope to release a quick RC this Friday.
6.0.0-BETA - There are still a number of blockers which we still need to address, but we are getting very close.
https://dev.lucee.org/t/lucee-release-roadmap-6-0-5-3-9-and-5-3-10/10810

7/30/22 - Blog - Bang Website - ColdFusion Development Alive & Well Says BANG! Developers
As an active ColdFusion Developer since 1998 (when it was still owned by Allaire, prior to being purchased by Macromedia and then Adobe) we laugh every time we hear "ColdFusion is Dead". 
We've used it non-stop for over two decades while other popular programming languages have come and gone.If you are looking for ColdFusion programmers or Web Developers fluent in Adobe ColdFusion mark-up language and the many uses of ColdFusion for software development, you are in the right place. View our Web Development page for more information about our services. For more information about the ColdFusion Web Development Platform and it's history read on.https://www.bangwebsitedesignphoenixaz.com/blog/ColdFusion-Development-Alive-Well-Says-BANG-Developers.cfm CFML JobsSeveral positions available on https://www.getcfmljobs.com/Listing over 116 ColdFusion positions from 62 companies across 55 locations in 5 Countries.2 new jobs listed this weekFull-Time - Web/Data Developer at Clinton, NY or Remote - United States Aug 09https://www.getcfmljobs.com/viewjob.cfm?jobid=11505 Full-Time - Application Developer IV - Temp (Coldfusion Developer) Remot.. - United States Aug 04https://www.getcfmljobs.com/jobs/index.cfm/united-states/Application-Developer-IV-Temp-Coldfusion-Developer-Remote-at-Des-Moines-IA/11504 Other Job Links Ortus Solution https://www.ortussolutions.com/about-us/careers  Tomorrow's Guides - Senior ColdFusion Developer - Remote (UK Based) https://www.tomorrows.co.uk/jobs.cfm  Hamilton https://apply.interfolio.com/110991  There is a jobs channel in the CFML slack team, and in the box team slack now too ForgeBox Module of the WeekError Filter A ColdBox Module to filter error messages to remove unwanted fields and items in the tagContext array to reduce noise and make error items more readable.Note: Based on ideas and work from John Wilson at Synaptrix! 
Thanks!https://www.forgebox.io/view/errorFilter VS Code Hint Tips and Tricks of the Weekgit nahCustom Git Aliasesgit config –global alias.nah=!git reset --hard && git clean -dfThis cleans whatever you have going on.`git nah`Thank you to all of our Patreon SupportersThese individuals are personally supporting our open source initiatives to ensure the great toolings like CommandBox, ForgeBox, ColdBox,  ContentBox, TestBox and all the other boxes keep getting the continuous development they need, and funds the cloud infrastructure at our community relies on like ForgeBox for our Package Management with CommandBox. You can support us on Patreon here https://www.patreon.com/ortussolutionsDon't forget, we have Annual Memberships, pay for the year and save 10% - great for businesses. Bronze Packages and up, now get a ForgeBox Pro and CFCasts subscriptions as a perk for their Patreon Subscription. All Patreon supporters have a Profile badge on the Community Website All Patreon supporters have their own Private Forum access on the Community Website All Patreon supporters have their own Private Channel access BoxTeam Slack Live Stream Access to Koding with the Kiwi + Friends https://community.ortussolutions.com/  Patreons John Wilson - Synaptrix Jordan Clark Gary Knight Mario Rodrigues Giancarlo Gomez David Belanger   Dan Card Jonathan Perret Jeffry McGee - Sunstar Media Dean Maunder Wil De Bruin Joseph Lamoree   Don Bellamy Jan Jannek   Laksma Tirtohadi   Brian Ghidinelli - Hagerty MotorsportReg Carl Von Stetten Jeremy Adams Didier Lesnicki Matthew Clemente Daniel Garcia Scott Steinbeck - Agri Tracking Systems Ben Nadel  Richard Herbet Brett DeLine Kai Koenig Charlie Arehart Jason Daiger Shawn Oden Matthew Darby Ross Phillips Edgardo Cabezas Patrick Flynn Stephany Monge  (Monghee) Kevin Wright John Whish Peter Amiri You can see an up to date list of all sponsors on Ortus Solutions' Websitehttps://ortussolutions.com/about-us/sponsors Thanks everyone!!! 
★ Support this podcast on Patreon ★

The Nonlinear Library
EA - How technical safety standards could promote TAI safety by Cullen OKeefe

The Nonlinear Library

Play Episode Listen Later Aug 8, 2022 14:30


Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: How technical safety standards could promote TAI safety, published by Cullen OKeefe on August 8, 2022 on The Effective Altruism Forum.

Cullen O'Keefe, Jade Leung, Markus Anderljung[1] [2]

Summary

Standard-setting is often an important component of technology safety regulation. However, we suspect that existing standard-setting infrastructure won't by default adequately address transformative AI (TAI) safety issues. We are therefore concerned that, on our default trajectory, good TAI safety best practices will be overlooked by policymakers due to the lack or insignificance of efforts which identify, refine, recommend, and legitimate TAI safety best practices in time for their incorporation into regulation. Given this, we suspect the TAI safety and governance communities should invest in capacity to influence technical standard setting for advanced AI systems. There is some urgency to these investments, as they move on institutional timescales. Concrete suggestions include deepening engagement with relevant standard setting organizations (SSOs) and AI regulation, translating emerging TAI safety best practices into technical safety standards, and investigating what an ideal SSO for TAI safety would look like.

Standards Help Turn Technical Safety Discoveries Into Legal Safety Requirements

A plausible high-level plan for achieving TAI safety is to (a) identify state-of-the-art technical safety and security measures that reduce the probability of catastrophic AI failures, then (b) ensure (such as by legal mandate) that actors at the frontier of AI development and deployment adopt those measures. This general structure of first identifying and then mandating safety measures is obviously not unique to AI. How do lawmakers choose which substantive safety measures to legally mandate for other technologies? Several options are possible and used in practice, including encoding such requirements directly into legislation, or delegating such decisions to regulatory agencies. One common strategy is to have the law incorporate by reference (i.e., “point” to) existing technical safety standards[3] previously developed by private standard-setting organizations (“SSOs”). Another strategy, common in the EU, is to first pass generally-phrased regulation, and later have the regulation operationalized via standards developed by SSOs.[4]

Standardization accomplishes several important things. First, it provides a structured process for a consensus of technical safety experts to identify and recommend the best, well-tested technical safety ideas. As a result, policymakers have to spend less time developing governmental standards and exercise less non-expert judgment about which safety requirements should be adopted. Notably, standards can also be updated more rapidly than regulation, due to lower bureaucratic and legal overhead, therefore making it possible to keep more apace with technical developments. Second, standardization takes emerging safety practices that are under-specified or heterogeneous and restates them in a precise, consistent, and systematized form that is more readily adoptable by new actors and appropriately clear for a legal requirement. Supranational SSOs provide a routinized and reliable infrastructure for facilitating international harmonization and regulation via standards. Finally, well-structured standard-setting organizations (“SSOs”) operate on the basis of multistakeholder consensus, and therefore both aim to generate and provide evidence of politically viable standards.

In the US, the path from standardization often roughly follows a pattern of:

Informal, loose networks of industry safety experts identify, develop, and converge on safety-promoting best practices.

Private[5] SSOs elevate some of these best practices into standards, through a well-defined, multista...

Screaming in the Cloud
Remote Work and Finding Your Voice with Jeff Smith

Screaming in the Cloud

Play Episode Listen Later Jul 26, 2022 40:42


About JeffJeff Smith has been in the technology industry for over 20 years, oscillating between management and individual contributor. Jeff currently serves as the Director of Production Operations for Basis Technologies (formerly Centro), an advertising software company headquartered in Chicago, Illinois. Before that he served as the Manager of Site Reliability Engineering at Grubhub.Jeff is passionate about DevOps transformations in organizations large and small, with a particular interest in the psychological aspects of problems in companies. He lives in Chicago with his wife Stephanie and their two kids Ella and Xander.Jeff is also the author of Operations Anti-Patterns, DevOps Solutions with Manning publishing. (https://www.manning.com/books/operations-anti-patterns-devops-solutions) Links Referenced: Basis Technologies: https://basis.net/ Operations Anti-Patterns: https://attainabledevops.com/book Personal Site: https://attainabledevops.com LinkedIn: https://www.linkedin.com/in/jeffery-smith-devops/ Twitter: https://twitter.com/DarkAndNerdy Medium: https://medium.com/@jefferysmith duckbillgroup.com: https://duckbillgroup.com TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored by our friends at Fortinet. Fortinet's partnership with AWS is a better-together combination that ensures your workloads on AWS are protected by best-in-class security solutions powered by comprehensive threat intelligence and more than 20 years of cybersecurity experience. 
Integrations with key AWS services simplify security management, ensure full visibility across environments, and provide broad protection across your workloads and applications. Visit them at AWS re:Inforce to see the latest trends in cybersecurity on July 25-26 at the Boston Convention Center. Just go over to the Fortinet booth and tell them Corey Quinn sent you and watch for the flinch. My thanks again to my friends at Fortinet.Corey: Let's face it, on-call firefighting at 2am is stressful! So there's good news and there's bad news. The bad news is that you probably can't prevent incidents from happening, but the good news is that incident.io makes incidents less stressful and a lot more valuable. incident.io is a Slack-native incident management platform that allows you to automate incident processes, focus on fixing the issues and learn from incident insights to improve site reliability and fix your vulnerabilities. Try incident.io, recover faster and sleep more.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. One of the fun things about doing this show for long enough is that you eventually get to catch up with people and follow up on previous conversations that you've had. Many years ago—which sounds like I'm being sarcastic, but is increasingly actually true—Jeff Smith was on the show talking about a book that was about to release. Well, time has passed and things have changed. And Jeff Smith is back once again. He's the Director of Product Operations at Basis Technologies, and the author of DevOps Anti-Patterns? Or what was the actual title of the book it was—Jeff: Operations Anti-Patterns.Corey: I got hung up in the anti-patterns part because it's amazing. I love the title.Jeff: Yeah, Operations Anti-Patterns, DevOps Solutions.Corey: Got you. Usually in my experience, alway been operations anti-patterns, and here I am to make them worse, probably by doing something like using DNS as a database or some godforsaken thing. 
But you were talking about the book aspirationally a few years ago, and now it's published and it has been sent out to the world. And it went well enough that they translated it to Japanese, I believe, and it has seen significant uptick. What was your experience of it? How did it go?Jeff: You know, it was a great experience. This is definitely the first book that I've written. And the Manning process was extremely smooth. You know, they sort of hold your hand through the entire process. But even after launch, just getting feedback from readers and hearing how it resonated with folks was extremely powerful.I was surprised to find out that they turned it into an audiobook as well. So, everyone reaches out and says, “Did you read the audiobook? I was going to buy it, but I wasn't sure.” I was like, “No, unfortunately, I don't read it.” But you know, still cool to have it out there.Corey: My theory has been for a while now that no one wants to actually write a book; they want to have written a book. Now that you're on the other side, how accurate is that? Are you in a position of, “Wow, sure glad that's done?” Or are you, “That was fun. Let's do it again because I like being sad all the time.” I mean, you do work Kubernetes for God's sake. I mean, there's a bit of masochism inherent to all of us in this space.Jeff: Yeah. Kubernetes makes me cry a little bit more than the writing process. But it's one of the things when you look back on it, you're like, “Wow, that was fun,” but not in the heat of the moment, right? So, I totally agree with the sentiment that people want to have written a book but not actually gone through the process. And that's evident by the fact that how many people try to start a book on their own without a publisher behind them, and they end up writing it for 15 years. The process is pretty grueling. The feedback is intense at first, but you start to get into a groove and you—I could see, you know, in a little while wanting to write another book. 
So, I can see the appeal.Corey: And the last time you were on the show, I didn't really bother to go in a particular topical direction because, what's the point? It didn't really seem like it was a top-of-mind issue to really bring up because what's it matter; it's a small percentage of the workforce. Now I feel like talking about remote work is suddenly taking on a bit of a different sheen than it was before the dark times arrived. Where do you land on the broad spectrum of opinions around the idea of remote work, given that you have specialized in anti-patterns, and well, as sarcastic as I am, I tend to look at almost every place I've ever worked is expressing different anti-patterns from time to time. So, where do you land on the topic?Jeff: So, it's funny, I started as a staunch office supporter, right? I like being in the office. I like collaborating in person; I thought we were way more productive. Since the pandemic, all of us are forced into remote work, I've hired almost half of my team now as remote. And I am somewhat of a convert, but I'm not on the bandwagon of remote work is just as good or is better as in person work.I've firmly landed in the camp of remote work is good. It's got its shortcomings, but it's worth the trade off. And I think acknowledging what those trade-offs are important to keeping the team afloat. We just recently had a conversation with the team where we were discussing, like, you know, there's definitely been a drop in productivity over the past six months to a year. And in that conversation, a lot of the things that came up were things that are different remote that were better in person, right, Slack etiquette—which is something, you know, I could talk a little bit about as well—but, you know, Slack etiquette in terms of getting feedback quickly, just the sort of camaraderie and the lack of building that camaraderie with new team members as they come on board and not having those rituals to replace the in-person rituals. 
But through all that, oddly enough, no one suggested going back into the office. [laugh].Corey: For some strange reason, yeah. I need to be careful what I say here, I want to disclaim the position that I'm in. There is a power imbalance and nothing I say is going to be able to necessarily address that because I own the company and if my team members are listening to this, they're going to read a lot into what I say that I might not necessarily intend. But The Duckbill Group, since its founding, has been a fully distributed company. My business partner lives in a different state than I do so there's never been the crappy version of remote, which is, well, we're all going to be in the same city, except for Theodore. Theodore is going to be timezones away and then wonder why he doesn't get to participate in some of the conversations where the real decisions get made.Like that's crappy. I don't like that striated approach to things. We don't have many people who are co-located in any real sense, nor have we for the majority of the company's life. But there are times when I am able to work on a project in a room with one of my colleagues, and things go a lot more smoothly. As much as we want to pretend that video is the same, it quite simply isn't.It is a somewhat poor substitute for the very high bandwidth of a face-to-face interaction. And yes, I understand this is also a somewhat neurotypical perspective, let's be clear with that as well, and it's not for everyone. But I think that for the base case, a lot of the remote work advocates are not being fully, I guess, honest with themselves about some of the shortcomings remote has. That is where I've mostly landed on this. Does that generally land with where you are?Jeff: Yeah, that's exactly where I'm at. I completely agree. And when we take work out of the equation, I think the shortcomings lay themselves bare, right? 
Like I was having a conversation with a friend and we were like, well, if you had a major breakup, right, I would never be like, “Oh, man. Grab a beer and hop on Zoom,” right? [laugh]. “Let's talk it out.”No, you're like, hey, let's get in person and let's talk, right? We can do all of that conversation over Zoom, but the magic of being in person and having that personal connection, you know, can't be replaced. So, you know, if it's not going to work, commiserating over beers, right? I can't imagine it's going to work, diagramming some complex workflows and trying to come to an answer or a solution on that. So again, not to say that, you know, remote work is not valuable, it's just different.And I think organizations are really going to have to figure out, like, okay, if I want to entice people back into the office, what are the things that I need to do to make this realistic? We've opened the floodgates on remote hiring, right, so now it's like, okay, everyone's janky office setup needs to get fixed, right? So, I can't have a scenario where it's like, “Oh, just point your laptop at the whiteboard, right?” [laugh]. Like that can't exist, we have to have office spaces that are first-class citizens for our remote counterparts as well.Corey: Right because otherwise, the alternative is, “Great, I expect you to take the home that you pay for and turn it into an area fit for office use. Of course, we're not going to compensate you for that, despite the fact that, let's be realistic, rent is often larger than the AWS bill.” Which I know, gasp, I'm as shocked as anyone affected by that, but it's true. “But oh, you want to work from home? Great. That just means you can work more hours.”I am not of the school of thought where I consider time in the office to be an indicator of anything meaningful. I care if the work gets done and at small-scale, this works. Let me also be clear, we're an 11-person company. 
A lot of what I'm talking about simply will not scale to companies that are orders of magnitude larger than this. And from where I sit, that's okay. It doesn't need to.Jeff: Right. And I think a lot of the things that you talk about will scale, right? Because in most scenarios, you're not scaling it organizationally so much as you are with a handful of teams, right? Because when I think about all the different teams I interact with, I never really interact with the organization as a whole, I interact with my little neighborhood in the organization. So, it is definitely something that scales.But again, when it comes to companies, like, enticing people back into the office, now that I'm talking about working from home five days a week, I've invested in my home setup. I've got the monitor I want, I've got the chair that I want, I've got the mouse and keyboard that I want. So, you're going to bring me back to the office so I can have some standard Dell keyboard and mouse with some janky, you know—maybe—21-inch monitor or something like that, right? Like, you really have to decide, like, okay, we're going to make the office a destination, we're going to make it where people want to go there where it's not just even about the collaboration aspect, but people can still work and be effective.And on top of that, I think how we look at what the office delivers is going to change, right? Because now when I go to the office now, I do very little work. It's connections, right? It's like, you know, “Oh, I haven't seen you in forever. Let's catch up.” And a lot of that stuff is valuable. You know, there's these hallway conversations that exist that just weren't happening previously because how do I accidentally bump into you on Slack? [laugh]. Right, it has to be much more it of a—Corey: Right. It takes some contrivance to wind up making that happen. 
I remember back in the days of working in offices, I remember here in San Francisco where we had unlimited sick time and unlimited PTO, I would often fake a sick day, but just stay home and get work done. Because I knew if I was in the office, I'd be constantly subjected to drive-bys the entire time of just drive-by requests, people stopping by to ask, “Oh, can you just help me with this one thing,” that completely derails my train of thought. Then at the end of the day, they'd tell me, “You seem distractible and you didn't get a lot of work done.”It's, “Well, no kidding. Of course not. Are you surprised?” And one of the nice things about starting your own company—because there are a lot of downsides, let me be very clear—one of the nice things is you get to decide how you want to work. And that was a study in, first, amazement, and then frustration.It was, “All right, I just landed a big customer. I'm off to the races and going to take this seriously for a good six to twelve months. Great sky's the limit, I'm going to do up my home office.” And then you see how little money it takes to have a nice chair, a good standing desk, a monitor that makes sense and you remember fighting tooth-and-nail for nothing that even approached this quality at companies and they acted like it was going to cost them 20-grand. And here, it's two grand at most, when I decorated this place the first time.And it was… “What the hell?” Like, it feels like the scales fall away from your eyes, and you start seeing things that you didn't realize were a thing. Now I worry that five years in, there's no way in the world I'm ever fit to be an employee again, so this is probably the last job I'll ever have. Just because I've basically made myself completely unemployable across six different axes.Jeff: [laugh]. 
And I think one of the things when it comes to, like, furniture, keyboard, stuff like that, I feel like part of it was just, like, this sort of enforced conformity, right, that the office provided us the ability to do. We can make sure everyone's got the same monitor, the same keyboard that way, when it breaks, we can replace it easily. In a lot of organizations that I've been in, you know, that sort of like, you know, even if it was the same amount or ordering a custom keyboard was a big exception process, right? Like, “Oh, we've got to do a whole thing.” And it's just like, “Well, it doesn't have to be that complicated.”And like you said, it doesn't cost much to allow someone to get the tools that they want and prefer and they're going to be more productive with. But to your point really quickly about work in the office, until the pandemic, I personally didn't recognize how difficult it actually was to get work done in the office. I don't think I appreciated it. And now that I'm remote, I'm like, wow, it is so much easier for me to close this door, put my headphones on, mute Slack and go heads down. You know, the only drive-by I've got is my wife wondering if I want to go for a walk, and that's usually a text message that I can ignore and come back to later.Corey: The thing that just continues to be strange for me and breaks in some of the weirdest ways has just been the growing awareness of how much of office life is unnecessary and ridiculous. When you're in the office every day, you have to find a way to make it work and be productive and you have this passive-aggressive story of this open office, it's for collaboration purposes. Yeah, I can definitively say that is not true. I had a boss who once told me that there was such benefits to working in an open plan office that if magically it were less expensive to give people individual offices, he would spare the extra expense for open plan. 
That was the day I learned he would lie to me while looking me in the eye. Because of course you wouldn't.And it's for collaboration. Yeah, it means two loud people—often me—are collaborating and everyone else wears noise-canceling headphones trying desperately to get work done, coming in early, hours before everyone else to get things done before people show up and distracted me. What the hell kind of day-to-day work environment is that?Jeff: What's interesting about that, though, is those same distractions are the things that get cited as being missed from the perspective of the person doing the distracting. So, everyone universally hates that sort of drive-by distractions, but everyone sort of universally misses the ability to say like, “Hey, can I just pull on your ear for a second and get your feedback on this?” Or, “Can we just walk through this really quickly?” That's the thing that people miss, and I don't think that they ever connect it to the idea that if you're not the interruptee, you're the interruptor, [laugh] and what that might do to someone else's productivity. So, you would think something like Slack would help with that, but in reality, what ends up happening is if you don't have proper Slack etiquette, there's a lot of signals that go out that get misconstrued, misinterpreted, internalized, and then it ends up impacting morale.Corey: And that's the most painful part of a lot of that too. Is that yeah, I want to go ahead and spend some time doing some nonsense—as one does; imagine that—and I know that if I'm going to go into an office or meet up with my colleagues, okay, that afternoon or that day, yeah, I'm planning that I'm probably not going to get a whole lot of deep coding done. Okay, great. But when that becomes 40 hours a week, well, that's a challenge. 
I feel like being full remote doesn't work out, but also being in the office 40 hours a week also feels a little sadistic, more than almost anything else.I don't know what the future looks like and I am privileged enough that I don't have to because we have been full remote the entire time. But what we don't spend on office space we spend on plane tickets back and forth so people can have meetings. In the before times, we were very good about that. Now it's, we're hesitant to do it just because it's we don't want people traveling before the feel that it's safe to do so. We've also learned, for example, when dealing with our clients, that we can get an awful lot done without being on site with them and be extraordinarily effective.It was always weird have traveled to some faraway city to meet with the client, and then you're on a Zoom call from their office with the rest of the team. It's… I could have done this from my living room.Jeff: Yeah. I find those sorts of hybrid meetings are often worse than if we were all just remote, right? It's just so much easier because now it's like, all right, three of us are going to crowd around one person's laptop, and then all of the things that we want to do to take advantage of being in person are excluding the people that are remote, so you got to do this careful dance. The way we've been sort of tackling it so far—and we're still experimenting—is we're not requiring anyone to come back into the office, but some people find it useful to go to the office as a change of scenery, to sort of, like break things up from their typical routine, and they like the break and the change. But it's something that they do sort of ad hoc.So, we've got a small group that meets, like, every Thursday, just as a day to sort of go into the office and switch things up. I think the idea of saying everyone has to come into the office two or three days a week is probably broken when there's no purpose behind it. 
So, my wife technically should go into the office twice a week, but her entire team is in Europe. [laugh]. So, what point does that make other than I am a body in a chair? So, I think companies are going to have to get flexible with this sort of hybrid environment.

But then it makes you wonder, like, is it worth the office space and how many people are actually taking advantage of it when it's not mandated? We find that our office time centers around some event, right? And that event might be someone in town that's typically remote. That might be a particular project that we're working on where we want to get ideas and collaborate and have a workshop. But the idea of just, like, you know, we're going to systematically require people to be in the office x many days, I don't see that in our future.

Corey: No, and I hope you're right. But it also feels like a lot of folks are also doing some weird things around the idea of remote such as, “Oh, we're full remote but we're going to pay you based upon where you happen to be sitting geographically.” And we find that the way that we've done this—and again, I'm not saying there's a right answer for everyone—but we wind up paying what the value of the work is for us. In many cases, that means that we would be hard-pressed to hire someone in the Bay Area, for example. On the other hand, it means that when we hire people who are in places with relatively low cost of living, they feel like they've just hit the lottery, on some level.

And yeah, some of them, I guess it does sort of cause a weird imbalance if you're a large Amazon-scale company where you want to start not disrupting local economies. We're not hiring that many people, I promise. So, there's this idea of figuring out how that works out. And then where does the headquarters live? And well, what state laws do we wind up following on what we're doing? Just seems odd.

Jeff: Yeah.
So, you know, one thing I wanted to comment on that you'd mentioned earlier, too, was the weird things that people are doing, and organizations are doing with this, sort of, remote work thing, especially the geographic base pay. And you know, a lot of it is, how can we manipulate the situation to better us in a way that sounds good on paper, right? So, it sounds perfectly reasonable. Like, oh, you live in New York, I'm going to pay you in New York rates, right?

But, like, you live in Des Moines, so I'm going to pay you Des Moines rates. And on the surface, when you just go you're like, oh, yeah, that makes sense, but then you think about it, you're like, “Wait, why does that matter?” Right? And then, like, how do I, as a manager, you know, level that across my employees, right? It's like, “Oh, so and so is getting paid 30 grand less. Oh, but they live in a cheaper area, right?” I don't know what your personal situation is, and how much that actually resonates or matters.

Corey: Does the value that they provide to your company materially change based upon where they happen to be sitting that week?

Jeff: Right, exactly. But it's a good story that you can tell, it sounds fair at first examination. But then when you start to scratch the surface, you're like, “Wait a second, this is BS.” So, that's one thing.

Corey: It's like tipping on some level. If you can't afford the tip, you can't afford to eat out. Same story here. If you can't afford to compensate people the value that they're worth, you can't afford to employ people. And figure that out before you wind up disappointing people and possibly becoming today's Twitter main character.

Jeff: Right. And then the state law thing is interesting. You know, when you see states like California adopting laws similar to, like, GDPR.
And it's like, do you have to start planning for the most stringent possibility across every hire just to be safe and to avoid having to have this sort of patchwork of rules and policies based on where someone lives? You might say like, “Okay, Delaware has the most stringent employer law, so we're going to apply Delaware's laws across the board.” So, it'll be interesting to see how that sort of plays out in the long run. Luckily, that's not a problem I have to solve, but it'll be interesting to see how it shakes out.

Corey: It is something we had to solve. We have an HR consultancy that helps out with a lot of these things, but the short answer is that we make sure that we comply with local laws, but the way that we operate is as if everyone were a San Francisco employee because that is—so far—the locale that, one, I live here, but also of every jurisdiction we've looked at in the United States, it tends to have the restrictions and requirements most advantageous to the employee. Like one thing we do is kind of ridiculous—and we have to do it for me and one other person, but almost no one else, but we do it for everyone—is we have to provide stipends every month for electricity, for cellphone usage, for internet. They have to be broken out for each one of those categories, so we do 20 bucks a month for each of those. It adds up to 100 bucks, as I recall, and we call it good. And employees say, “Okay. Do we just send you receipts?” Please don't.

I don't want to look at your cell phone bill. It's not my business. I don't want to know. We're doing this to comply with the law. I mean, if it were up to me, it would be: this is ridiculous. Can we just give everyone a $100-a-month raise and call it good? Nope. The forms must be obeyed. So, all right.

We do the same thing with PTO accrual. If you've acquired time off and you leave the company, we pay it out. Not every state requires that.
But paying for cell phone access and internet access as well is something Amazon is currently facing a class action about because they didn't do that for a number of their California employees. And even talking to Amazonians, like, “Well, they did, but you had to jump through a bunch of hoops.”

We have the apparatus administratively to handle that in a way that employees don't. Why on earth would we make them do it unless we didn't want to pay them? Oh, I think I figured out this sneaky, sneaky plan. I'm not here to build a business by exploiting people. If that's the only way to succeed, then the business doesn't deserve to exist. That's my hot take of the day on that topic.

Jeff: No, I totally agree. And what's interesting is these insidious costs that sneak up that employees tend to discount, like, one thing I always talk about with my team is all that time you're thinking about a problem at work, right, like when you're in the shower, when you're at dinner, when you're talking it over with your spouse, right? That's work. That's work. And it's work that you're doing on your time.

But we don't account for it that way because we're not typing; we're not writing code. But, like, think about how much more effective as people, as employees, we would be if we had time dedicated to just sit and think, right? If I could just sit and think about a problem without needing to type but just critically think about it. But then it's like, well, what does that look like in the office, right? If I'm just sitting there in my chair like this, it doesn't look like I'm doing anything.

But that's so important to be able to, like, break down and digest some of the complex problems that we're dealing with. And we just sort of write it off, right? So, I'm like, you know, you've got to think about how that bleeds into your personal time and take that into account.
So yeah, maybe you leave three hours early today, but I guarantee you, you're going to spend three hours throughout the week thinking about work. It's the same thing with these cellphone costs that you're talking about, right? “Oh, I've got a cell phone anyways; I've got internet anyways.” But still, that's something that you're contributing to the business that they're not on the hook for, so it seems fair that you get compensated for that.

Corey: I just think about that stuff all the time from that perspective, and now that I, you know, own the place, it's one of those which pocket of mine does it come out of? But I hold myself to a far higher standard about that stuff than I do the staff, where it's, for example, I could theoretically justify paying my internet bill here because we have business-class internet and an insane WiFi system because of all of the ridiculous video production I do. Now, it's like, if anyone else on the team was doing this, yes, I will insist we pay it, but for me, it just feels a little close to the edge. So, it's one of those areas where I'm very conservative around things like that.

The thing that also continues to just vex me, on some level, is this idea that time in a seat is somehow considered work. I'll never forget one of the last jobs I had before I started this place. My boss walked past me and saw that I was on Reddit. And, “Is that really the best use of your time right now?” May I use the bathroom when I'm done with this, sir?

Yeah, of course it is. It sounds ridiculous, but one of the most valuable things I can do for The Duckbill Group now is go on the internet and start shitposting on Twitter, which sounds ridiculous, but it's also true. There's a brand awareness story there, on some level. And that's just wild to me. It's weird: we start treating people like adults, they start behaving that way. And if you start micromanaging them, they live up or down to the expectations you tend to hold.
I'm a big believer in, if I have to micromanage someone, I should just do the job myself.

Jeff: Yeah. The Reddit story makes me think of, like, how few organizations have systematic ways of getting vital information. So, the first thing I think about is, like, security and security vulnerabilities, right? So, how does Basis Technologies, as an organization, know about these things? Right now, it's like, well, my team knows because we're plugged into Reddit and Twitter, right, but if we were gone, Basis, right, may not necessarily get that information.

So, that's something we're trying to correct, but it just sort of highlights the importance of freedom for these employees, right? Because yeah, I'm on Reddit, but I'm on /r/sysadmin. I'm on /r/AWS, right, I'm on /r/Atlassian. Now I'm finding out about this zero-day vulnerability and it's like, “Oh, guys, we've got to act. I just heard about this thing.” And people are like, “Oh, where did this come from?” And it's like it came from my network, right? And my network—

Corey: Mm-hm.

Jeff: Is on Twitter, LinkedIn, Reddit. So, the idea that someone browsing the internet on any site, really, is somehow not a productive use of their time, you'd better be ready to itemize exactly what that means and what that looks like. “Oh, you can do this on Reddit but you can't do that on Reddit.”

Corey: I have no boss now, I have no oversight, but somehow I still show up with a work ethic and get things done.

Jeff: Right. [laugh].

Corey: Wow, I guess I didn't need someone over my shoulder the whole time. Who knew?

Jeff: Right. That's all that matters, right? And if you do it in 30 hours or 40 hours, that doesn't really matter to me, you know? You want to do it at night because you're more productive there, right, like, let's figure out a way to make that happen. And remote work is actually empowering us in ways to really retain people that wasn't possible before. I had an employee that was like, you know, I really want to travel.
I'm like, “Dude, go to Europe. Work from Europe. Just do it. Work from Europe,” right? We've got senior leaders in the C-suite that are doing it. One of the chief—

Corey: I'm told they have the internet, even there. Imagine that?

Jeff: Yeah. [laugh]. So, our chief program officer, she was in Greece for four weeks. And it worked. It worked great. They had a process. You know, she would spend one week on and then one week off on vacation. But you know, she was able to have this incredible, long experience, and still deliver. And it's like, you know, we can use that as a model to say, like—

Corey: And somehow the work got done. Wow, she must be amazing. No, that's the baseline expectation that people can be self-managing in that respect.

Jeff: Right.

Corey: They aren't toddlers.

Jeff: So, if she can do that, I'm sure you can figure out how to code in China or wherever you want to visit. So, it's a great way to stay ahead of some of these companies that have a bit more lethargic policies around that stuff, where it's like, you know, all right, I'm not getting that insane salary, but guess what, I'm going to spend three weeks in New Zealand hanging out and not using any time off or anything like that, and you know, being able to enjoy life. I wish this pandemic had happened pre-kids because—

Corey: Yeah. [laugh].

Jeff: —you know, we would really take advantage of this.

Corey: You and me both. It would have been a very different experience.

Jeff: Yeah. [laugh]. Absolutely, right? But with kids in school, and all that stuff, we've been tethered down. But man, you know, I want to encourage the young people or the single people on my team to just, like, hey, really, really embrace this time and take advantage of it.

Corey: I come bearing ill tidings. Developers are responsible for more than ever these days. Not just the code that they write, but also the containers and the cloud infrastructure that their apps run on. Because serverless means it's still somebody's problem.
And a big part of that responsibility is app security from code to cloud. And that's where our friend Snyk comes in. Snyk is a frictionless security platform that meets developers where they are: finding and fixing vulnerabilities right from the CLI, IDEs, repos, and pipelines. Snyk integrates seamlessly with AWS offerings like CodePipeline, EKS, ECR, and more! As well as things you're actually likely to be using. Deploy on AWS, secure with Snyk. Learn more at Snyk.co/scream. That's S-N-Y-K.co/scream.

Corey: One last topic I want to get into before we call it an episode is, I admit, I read an awful lot of books, it's a guilty pleasure. And it's easy to fall into the trap, especially when you know the author, of assuming that snapshot of their state of mind at a very fixed point in time is somehow who they are, like a fly frozen in amber, and it's never true. So, my question for you is, quite simply, what have you learned since your book came out?

Jeff: Oh, man, great question. So, when I was writing the book, I was really nervous about if my audience was as big as I thought it was, the people that I was targeting with the book.

Corey: Okay, that keeps me up at night, too. I have no argument there.

Jeff: Yeah. You know what I mean?

Corey: Please, continue.

Jeff: I'm surrounded, you know, by—

Corey: Is anyone actually listening to this? Yeah.

Jeff: Right. [laugh]. So, after the book got finished and it got published, I would get tons of feedback from people that so thoroughly enjoyed the book, they would say things like, you know, “It feels like you were in our office like a fly on the wall.” And that was exciting, one, because I felt like these were experiences that sort of resonated, but, two, it sort of proved this thesis that sometimes you don't have to do something revolutionary to be a positive contribution to other people, right? So, like, when I lay out the tips and things that I do in the book, it's nothing earth-shattering that I expect Google to adopt.
Like, oh, my God, this is the most unique view ever.

But being able to talk to an audience in a way that resonates with them, that connects with them, that shows that I understand their problem and have been there, it was really humbling and enlightening to just see that there are people out there that are not on the bleeding edge, but they just need someone to talk to them in a language that they understand and resonate with. So, I think the biggest thing that I learned was this idea that your voice is important, your voice matters, and how you tell your story may be the difference between someone understanding a concept and someone not understanding a concept. So, there's always an audience for you out there as you're writing, whether it be your blog post, the videos that you produce, the podcasts that you make, somewhere there's someone that needs to hear what you have to say, and the unique way that you can say it. So, that was extremely powerful.

Corey: Part of the challenge that I found is when I start talking to other people, back in the before times, trying to push them into conference talks and these days, write blog posts, the biggest objection I get sometimes is, “Well, I don't have anything worth saying.” That is provably not true. One of my favorite parts about writing Last Week in AWS is as I troll the internet looking for topics about AWS that I find interesting, I keep coming across people who are very involved in one area or another of this ecosystem and have stories they want to tell. And I love, “Hey, would you like to write a guest post for Last Week in AWS?” It's always invite-only and every single one of them has been paid because people die of exposure and I'm not about that exploitation lifestyle.

A couple have said, “Oh, I can't accept payment for a variety of reasons.” Great. Pick a charity that you would like it to go to instead because we do not accept volunteer work, we are a for-profit entity. That is the way it works here.
And that has been just one of the absolute favorite parts about what I do just because you get to sort of discover new voices.

And what I find really neat is that for a lot of these folks, this is their start to writing and telling the story, but they don't stop there, they start telling their story in other areas, too. It leads to interesting career opportunities for them, it leads to interesting exposure that they wouldn't have necessarily had—again, not that they're getting paid in exposure, but the fact that they are able to be exposed to different methodologies, different ways of thinking—I love that. It's one of my favorite parts about doing what I do. And it seems to scale a hell of a lot better than me sitting down with someone for two hours to help them build a CFP that they wind up not getting accepted or whatnot.

Jeff: Right. It's a great opportunity that you provide folks, too, because of, like, an instant audience. I think that's one of the things that has made Medium so successful as, like, a blogging platform is, you know, everyone wants to go out and build their own WordPress site and launch it, but then it's like, you write your blog post and it's crickets. So, the ability for you to, you know, use your platform to also expose those voices is great and extremely powerful. But you're right, once they do it, it lights a fire in a way that is admirable to watch. I have a person that I'm mentoring and that was my biggest piece of advice I can give. It was like, you know, write. Just write.

It's the one thing that you can do without anyone else. And you can reinforce your own knowledge of a thing. If you just say, you know, I'm going to teach this thing that I just learned, just the writing process helps you solidify, like, okay, I know this stuff.
I'm demonstrating that I know it and then four years from now, when you're applying for a job, someone's like, “Oh, I found your blog post and I see that you actually do know how to set up a Kubernetes cluster,” or whatever. It's just extremely great and it—

Corey: It's always fun. You're googling for how to do something and you find something you wrote five years ago.

Jeff: Right, yeah. [laugh]. And it's like code where you're like, “Oh, man, I would do that so much differently now.”

Corey: Since we last spoke, one of the things I've been doing is I have been on the hook to write a one- to two-thousand-word blog post every week, and I've done that like clockwork, for about a year-and-a-half now. And I was no slouch at storytelling before I started doing that. I've given a few hundred conference talks in the before times. And I did, obviously, long Twitter threads in the past and I write reports a lot. But forcing me to go through that process every week and then sit with an editor and go ahead and get it improved has made me a far better writer, it's made me a better storyteller, I am far better at articulating my point of view.

It is absolutely just unlocking a host of benefits that I would have thought I was, oh, I passed all this. I'm already good at these things. And I was, but I'm better now. I think that writing is one of those things that people need to do a lot more of.

Jeff: Absolutely. And it's funny that you mentioned that because I just recently, back in April, started to do the same thing. I said, I'm going to write a blog post every week, right? I'm going to get three or four in the can, so that if life comes up and I miss a beat, right, I'm not actually missing the production schedule, so I have a steady—and you're right. Even after writing a book, I'm still learning stuff through the writing process, articulating my point of view.

It's just something that carries over, and it carries over into the workforce, too.
Like, if you've ever read a bad piece of documentation, right, that comes from—

Corey: No.

Jeff: Right? [laugh]. That comes from an inability to write. Like, you know, you end up asking these questions like who's the audience for this? What is 'it' in this sentence? [laugh].

Corey: Part of it too, is that people writing these things are so close to the problem themselves that the fact that, “Well, I'm not an expert in this.” That's why you should write about it. Talk about your experience. You're afraid everyone's going to say, “Oh, you're a fool. You didn't understand how this works.”

Yeah, my lived experiences instead—and admittedly, I have the winds of privilege at my back on this—but it's also yeah, I didn't understand that either. It turns out that you're never the only person who has trouble with a concept. And by calling it out, you're normalizing it and doing a tremendous service for others in your shoes.

Jeff: Especially when you're not an expert because I wrote some documentation about the SSL process and it didn't occur to me that these people don't use the AWS command line, right? Like, you know, in our organization, we sort of mask that from them through a bunch of in-house automation. Now we're starting to expose it to them and simple things like oh, you need to preface the AWS command with a profile name. So, then when we're going through the setup, we're like, “Oh. What if they already have an existing profile, right?” Like, we don't want to clobber that.

So, it just changed the way you write the documentation. But like, that's not something that initially came to mind for me. It wasn't until someone went through the docs, and they're like, “Uh, this is blowing up in a weird way.” And I was like, “Oh, right.
You know, like, I need to also teach you about profile management.”

Corey: Also, everyone has a slightly different workflow for the way they interact with AWS accounts, and their shell prompts, and the way they set up local dev environments.

Jeff: Yeah, absolutely. So, not being an expert on a thing is key because you're coming to it with virgin eyes, right, and you're able to look at it from a fresh perspective.

Corey: So much documentation out there is always coming from the perspective of someone who is intimately familiar with the problem space. Some of the more interesting episodes that I have, from a challenge perspective, are people who are deep technologists in a particular area and they have fallen in love with the thing that they are building. Great. Can you explain it to the rest of us mere mortals so that we can actually share your excitement on this? And it's very hard to get them to come down to a level where it's coherent to folks who haven't spent years thinking deeply about that particular problem space.

Jeff: Man, the number one culprit for that is, like, the AWS blogs where they have, like, a how-to article. You follow that thing and you're like, “None of this is working.” [laugh]. Right? And then you realize, oh, they made an assumption that I knew this, but I didn't, right?

So, it's like, you know, I didn't realize this was supposed to be, like, a handwritten JSON document just jammed into the value field. Because I didn't know that, I'm not pulling those values out as JSON. I'm expecting that just to be, like, a straight string value. And that has happened more and more times on the AWS blog than I can count. [laugh].

Corey: Oh, yeah, very often. And then there's other problems, too. “Oh, yeah. Set up your IAM permissions properly.” That's left as an exercise for the reader. And then you wonder why everything's full of stars. Okay.

Jeff: Right. Yep, exactly, exactly.

Corey: Ugh.
It's so great to catch up with you and see what you've been working on. If people want to learn more, where's the best place to find you?

Jeff: So, the best place is probably my website, attainabledevops.com. That's a place where you can find me on all the other places. I don't really update that site much, but you can find me on LinkedIn, Twitter, from that jumping-off point, links to the book are there if anyone's interested in that. Perfect stocking stuffers. Mom would love it, grandma would love it, so definitely, definitely buy multiple copies of that.

Corey: Yeah, it's going to be one of my two-year-old's learning-to-read books, it'd be great.

Jeff: Yeah, it's perfect. You know, you just throw it in the crib and walk away, right? They're asleep in no time. Like I said, I've also been taking to, you know, blogging on Medium, so you can catch me there, the links will be there on Attainable DevOps as well.

Corey: Excellent. And that link will, of course, be in the show notes. Thank you so much for being so generous with your time. I really do appreciate it. And it's great to talk to you again.

Jeff: It was great to catch up.

Corey: Really was. Jeff Smith, Director of Product Operations at Basis Technologies. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice or smash the like and subscribe buttons on the YouTubes, whereas if you've hated this podcast, do the exact same thing—five-star review, smash the buttons—but also leave an angry, incoherent comment that you're then going to have edited and every week you're going to come back and write another incoherent comment that you get edited. And in the fullness of time, you'll get much better at writing angry, incoherent comments.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group.
We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.

Star Stable Podcast
Unruhige Gäste

Star Stable Podcast

Jul 14, 2022 28:36


We were finally able to record as a pair again and even play a new quest together. In it we help Ed Field, who has a few tense guests at the Wolf Hall Inn who somehow can't quite enjoy their vacation yet.

Screaming in the Cloud
Granted, Common Fate, and AWS Functionality with Chris Norman

Screaming in the Cloud

Jun 30, 2022 33:34


About Chris

Chris is a robotics engineer turned cloud security practitioner. From building origami robots for NASA, to neuroscience wearables, to enterprise software consulting, he is a passionate builder at heart. Chris is a cofounder of Common Fate, a company with a mission to make cloud access simple and secure.

Links:
Common Fate: https://commonfate.io/
Granted: https://granted.dev
Twitter: https://twitter.com/chr_norm

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Let's face it, on-call firefighting at 2am is stressful! So there's good news and there's bad news. The bad news is that you probably can't prevent incidents from happening, but the good news is that incident.io makes incidents less stressful and a lot more valuable. incident.io is a Slack-native incident management platform that allows you to automate incident processes, focus on fixing the issues and learn from incident insights to improve site reliability and fix your vulnerabilities. Try incident.io, recover faster and sleep more.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you.
Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. It doesn't matter where you are on your journey in cloud—you could never have heard of Amazon the bookstore—and you encounter AWS and you spin up an account. And within 20 minutes, you will come to the realization that everyone in this space does. “Wow, logging in to AWS absolutely blows goats.”

Today, my guest obviously had that reaction, but unlike most people I talked to, decided to get up and do something about it. Chris Norman is the co-founder of Common Fate and, most notably as to how I know him, is one of the original authors of the tool, Granted. Chris, thank you so much for joining me.

Chris: Hey, Corey, thank you for having me.

Corey: I have done podcasts before; I have done a blog post on it; I evangelize it on Twitter constantly, and even now, it is challenging in a few ways to explain holistically what Granted is. Rather than trying to tell your story for you, when someone says, “Oh, Granted, that seems interesting and impossible to Google for in isolation, so therefore, we know it's going to be good because all the open-source projects with hard-to-find names are,” what is Granted and what does it do?

Chris: Granted is a command-line tool which makes it really easy for you to get access and assume roles when you're working with AWS. For me, when I'm using Granted day-to-day, I wake up, go to my computer—I'm working from home right now—crack open the MacBook and I log in and do some development work. I'm going to go and start working in the cloud.

Corey: Oh, when I start first thing in the morning doing development work and logging into the cloud, I know.
All right, I'm going to log in to AWS and now I know that my day is going downhill from here.

Chris: [laugh]. Exactly, exactly. I think maybe the best days are when you don't need to log in at all. But when you do, I go and I open my terminal and I run this command. Using Granted, I run this assume command and it authenticates me with single sign-on into AWS, and then it opens up a console window in a particular account.

Now, you might ask, “Well, that's a fairly standard thing.” And in fact, that's probably the way that the console and all of the tools work by default with AWS. Why do you need a third-party tool for this?

Corey: Right. I've used a bunch of things that do varying forms of this and unlike Granted, you don't see me gushing about them. I want to be very clear, we have no business relationship. You're not sponsoring anything that I do. I'm not entirely clear on what your day job entails, but I have absolutely fallen in love with the Granted tool, which is why I'm dragging you on to this show, kicking and screaming, mostly to give me an excuse to rave about it some more.

Chris: [laugh]. Exactly. And thank you for the kind words. And I'd say really what makes it special or why I've been so excited to be working on it is that it makes this access, particularly when you're working with multiple accounts, really, really easy. So, when I run assume and I open up that console window, you know, that's all fine and that's very similar to how a lot of the other tools and projects that are out there work, but when I want to open that second account and that second console window, maybe because I'm looking at, like, a development and a staging account at the same time, then Granted allows me to view both of those simultaneously in my browser.
And we do that using some platform sort of tricks and building into the way that the browser works.Corey: Honestly, one of the biggest differences in how you describe what Granted is and how I view it is when you describe it as a CLI application because yes, it is that, but one of the distinguishing characteristics is you also have a Firefox extension that winds up leveraging the multi-container functionality extension that Firefox has. So, whenever I wind up running a single command—assume with a-c' flag, then I give it the name of my AWS profile, it opens the web console so I can ClickOps my heart's content inside of a tab that is locked to a container, which means I can have one or two or twenty different AWS accounts and/or regions up running simultaneously side-by-side, which is basically impossible any other way that I've ever looked at it.Chris: Absolutely, yeah. And that's, like, the big differentiating factor right now between Granted and between this sort of default, the native experience, if you're just using the AWS command line by itself. With Granted, you can—with these Firefox containers, all of your cookies, your profile, everything is all localized into that one container. It's actually it's a privacy features that are built into Firefox, which keeps everything really separate between your different profiles. And what we're doing with Granted is that we make it really easy to open a specific profiles that correspond with different AWS profiles that you're using.So, you'd have one which could be your development account, one which could be production or staging. And you can jump between these and navigate between them just as separate tabs in your browser, which is a massive improvement over, you know, what I've previously had to use in the past.Corey: The thing that really just strikes me about this is first, of course, the functionality and the rest, so I saw this—I forget how I even came across it—and immediately I started using it. 
On my Mac, it was great. I started using it when I was on the road, and it was less great because you built this thing in Go. It can compile and install on almost anything, but there were some assumptions that you had built into this in its early days that did not necessarily encompass all of the use cases that I use. For example, it hadn't really occurred to you that some lunatic would try and only use an iPad when they're on the road, so they have to be able to run this to get federated login links via SSHing into an EC2 instance running somewhere and not have it open locally.You seemed almost taken aback when I brought it up. Like, “What lunatic would do that?” Like, “Hi, I'm such a lunatic. Let's talk about this.” And it does that now, and it's awesome. It does seem to me though, and please correct me if I'm wrong on this assumption slash assessment that this is first and foremost aimed at desktop users, specifically people running Mac on the desktop, is that the genesis of it?Chris: It is indeed. And I think part of the cause behind that is that we originally built a tool for ourselves. And as we were building things and as we were working using the cloud, we were running things—you know, we like to think that we're following best practices when we're using AWS, and so we'd set up multiple accounts, we'd have a special account for development, a separate one for staging, a separate one for production, even internal tools that we would build, we would go and spin up an individual account for those. And then you know, we had lots of accounts. and to go and access those really easily was quite difficult.So, we definitely, we built it for ourselves first and I think that that's part of when we released it, it actually a little bit of cause for some of the initial problems. 
And some of the feedback that we had was that it's great to build tools for yourself, but when you're working in open-source, there's a lot of different diversity with how people are using things.Corey: We take different approaches. You want to try to align with existing best practices, whereas I am a loudmouth white guy who works in tech. So, what I do definitionally becomes a best practice in the ecosystem. It's easier to just comport with the ones that are already existing that smart people put together rather than just trying to competence your way through it, so you took a better path than I did.But there's been a lot of evolution to Granted as I've been using it for a while. I did a whole write-up on it and that got a whole bunch of eyes onto the project, which I can now admit was a nefarious plan on my part because popping into your community Slack and yelling at you for features I want was all well and good, but let's try and get some people with eyes on this who are smarter than me—which is not that high of a bar when it comes to SSO, and IAM, and federated login, and the rest—and they can start finding other enhancements that I'll probably benefit from. And sure enough, that's exactly what happened. My sneaky plan has come to fruition. Thanks for being a sucker, I guess. I mean—[laugh] it worked. I'm super thrilled by the product.Chris: [laugh]. I guess it's a great thing I think that the feedback and particularly something that's always been really exciting is just seeing new issues come through on GitHub because it really shows the kinds of interesting use cases and the kinds of interesting teams and companies that are using Granted to make their lives a little bit easier.Corey: When I go to the website—which again is impossible to Google—the website for those wondering is granted.dev. It's short, it's concise, I can say it on a podcast and people automatically know how to spell it. 
But at the top of the website—which is very well done by the way—it mentions that oh, you can, “Govern access to breakglass roles with Common Fate Cloud,” and it also says in the drop shadow nonsense thing in the upper corner, “Brought to you by Common Fate,” which is apparently the name of your company.So, the question I'll get to in a second is what does your company do, but first and foremost, is this going to be one of those rug-pull open-source projects where one day it's, “Oh, you want to log into your AWS accounts? Insert quarter to continue.” I'm mostly being a little over the top with that description, but we've all seen things that we love turn into molten garbage. What is the plan around this? Are you about to ruin this for the rest of us once you wind up raising a round or something? What's the deal?Chris: Yeah, it's a great question, Corey. And I think that to a degree, releasing anything like this that sits in the access workflow and helps you assume roles and helps you day-to-day, you know, we have a responsibility to uphold stability and reliability here and to not change things. And I think part of, like, not changing things includes not [laugh] rug-pulling, as you've alluded to. And I think that for some companies, it ends up that open-source becomes, like, a kind of a lead-generation tool, or you end up with, you know, now finally, let's go on add another login so that you have to log into Common Fate to use Granted. And I think that, to be honest, a tool like this where it's all about improving the speed of access, the incentives for us, like, it doesn't even make sense to try and add another login for to try to get people to, like, to say, login to Common Fate because that would make your signing process for AWS take even longer than it already does.Corey: Yeah, you decided that you know, what's the biggest problem? 
Oh, you can sleep at night, so let's go ahead and make it even worse, by now I want you to be this custodian of all my credentials to log into all of my accounts. And now you're going to be critical path, so if you're down, I'm not able to log into anything. And oh, by the way, I have to trust you with full access to my bank stuff. I just can't imagine that is a direction that you would be super excited about diving head-first into.Chris: No, no. Yeah, certainly not. And I think that the, you know, building anything in this space, and with what we're doing with Common Fate, you know, we're building a cloud platform to try to make IAM a little bit easier to work with, but it's really sensitive around granting any kind of permission and I think that you really do need that trust. So, trying to build trust, I guess, with our open-source projects is really important for us with Granted and with this project, that it's going to continue to be reliable and continue to work as it currently does.Corey: The way I see it, one of the dangers of doing anything that is particularly open-source—or that leans in the direction of building in Amazon's ecosystem—it leads to the natural question of, well, isn't this just going to be some people say stolen—and I don't think those people understand how open-source works—by AWS themselves? Or aren't they going to build something themselves at AWS that's going to wind up stomping this thing that you've built? And my honest and remarkably cynical answer is that, “You have built a tool that is a joy to use, that makes logging into AWS accounts streamlined and efficient in a variety of different patterns. Does that really sound like something AWS would do?” And followed by, “I wish they would because everyone would benefit from that rising tide.”I have to be very direct and very clear. Your product should not exist. This should be something the provider themselves handles. But nope. Instead, it has to exist. 
And while I'm glad it does, I also can't shake the feeling that I am incredibly annoyed by the fact that it has to.Chris: Yeah. Certainly, certainly. And it's something that I think about a little bit. I like to wonder whether there's maybe like a single feature flag or some single sort of configuration setting in AWS where they're not allowing different tabs to access different accounts, they're not allowing this kind of concurrent access. And maybe if we make enough noise about Granted, maybe one of the engineers will go and flick that switch and they'll just enable it by default.And then Granted itself will be a lot less relevant, but for everybody who's using AWS, that'll be a massive win because the big draw of using Granted is mainly just around being able to access different accounts at the same time. If AWS let you do that out of the box, hey, that would be great and, you know, I'd have a lot less stuff to maintain.Corey: Originally, I had you here to talk about Granted, but I took a glance at what you're actually building over at Common Fate and I'm about to basically hijack slash derail what probably is going to amount the rest of this conversation because you have a quick example on your site for by developers, for developers. You show a quick Python script that tries to access a S3 bucket object and it's denied. You copy the error message, you paste it into what you're building over a Common Fate, and in return, it's like, “Oh. Yeah, this is the policy that fixes it. Do you want us to apply it for you?”And I just about fell out of my chair because I have been asking for this explicit thing for a very long time. And AWS doesn't do it. Their IAM access analyzer claims to. Like, “Oh, just go look at CloudTrail and see what permissions it uses and we'll build a policy to scope it down.” “Okay. So, it's S3 access. Fair enough. To what object or what bucket?” “Guess,” is what it tells you there.And it's, this is crap. 
Who thinks this is a good user experience? You have built the thing that I wish AWS had built in natively. Because let's be honest here, I do what an awful lot of people do and overscope permissions massively just because messing around with the bare minimum set of permissions in many cases takes more time than building the damn thing in the first place.Chris: Oh, absolutely. Absolutely. And in fact, this—was a few years ago when I was consulting—I had a really similar sort of story where one of the clients that we were working with, the CTO of this company, he was needing to grant us access to AWS and we were needing to build a particular service. And he said, “Okay, can you just let me know the permissions that you will need and I'll go and deploy the role for this.” And I came back and I said, “Wait. I don't even know the permissions that I'm going to need because the damn thing isn't even built yet.”So, we went sort of back and forth around this. And the compromise ended up just being you know, way too much access. And that was sort of part of the inspiration for, you know, really this whole project and what we're building with Common Fate, just trying to make that feedback loop around getting to the right level of permissions a lot faster.Corey: Yeah, I am just so overwhelmingly impressed by the fact that you have built—and please don't take this as a criticism—but a set of very simple tools. Not simple in the terms of, “Oh, that's, like, three lines of bash, and a fool could write that on a weekend.” No. Simple in the sense of it solves a problem elegantly and well and it's straightforward—well, straightforward as anything in the world of access control goes—to wrap your head around exactly what it does. You don't tend to build these things by sitting around a table brainstorming with someone you met at co-founder dating pool or something and wind up figuring out, “Oh, we should go and solve that. 
That sounds like a billion-dollar problem.”This feels very much like the outcome of when you're sitting around talking to someone and let's start by drinking six beers so we become extraordinarily honest, followed immediately by let's talk about what sucks. What pisses you off the most? It feels like this is sort of the low-hanging fruit of things that upset people when it comes to AWS. I mean, if things had gone slightly differently, instead of focusing on AWS bills, IAM was next on my list of things to tackle just because I was tired of smacking my head into it.This is very clearly a problem space that you folks have analyzed deeply, worked within, and have put a lot of thought into. I want to be clear, I've thrown a lot of feature suggestions that you for Granted from start to finish. But all of them have been around interface stuff and usability and expanding use cases. None of them have been, “Well, that seems screamingly insecure.” Because it hasn't been.Chris: [laugh].Corey: It has been effective, start to finish, I think that from a security posture, you make terrific choices, in many cases better than ones I would have made a starting from scratch myself. Everything that I'm looking at in what you have built is from a position of this is absolutely amazing and it is transformative to my own workflows. Now, how can we improve it?Chris: Mmm. Thank you, Corey. And I'll say as well, maybe around the security angle, that one of the goals with Granted was to try and do things a little bit better than the default way that AWS does them when it comes to security. And it's actually been a bit of a source for challenges with some of the users that we've been working with with Granted because one of the things we wanted to do was encrypt the SSO token. And this is the token that when you sign in to AWS, kind of like, it allows you to then get access to all of the rest of the accounts.So, it's like a pretty—it's a short-lived token, but it's a really sensitive one. 
And you know, by default, it's just stored in plain text on your disk. So, we dump to a file and, you know, anything that can go and read that, they can go and get it. It's also a little bit hard to revoke and to lock people out. There's not really great workflows around that on AWS's side.So, we thought, “Okay, great. One of the goals for Granted can be that we will go and store this in your keychain in your system and we'll work natively with that.” And that's actually been a cause for a little bit of a hassle for some users, though, because by doing that and by storing all of this information in the keychain, it's actually broken some of the integrations with the rest of the tooling, which kind of expects tokens and things to be in certain places. So, we've actually had to, as part of dealing with that with Granted, we've had to give users the ability to opt out for that.Corey: DoorDash had a problem. As their cloud-native environment scaled and developers delivered new features, their monitoring system kept breaking down. In an organization where data is used to make better decisions about technology and about the business, losing observability means the entire company loses their competitive edge. With Chronosphere, DoorDash is no longer losing visibility into their applications suite. The key? Chronosphere is an open-source compatible, scalable, and reliable observability solution that gives the observability lead at DoorDash business, confidence, and peace of mind. Read the full success story at snark.cloud/chronosphere. That's snark.cloud slash C-H-R-O-N-O-S-P-H-E-R-E.Corey: That's why I find this so, I think, just across the board, fantastic. It's you are very clearly engaged with your community. There's a community Slack that you have set up for this. And I know, I know, too many Slacks; everyone has this problem. 
This is one of those that is worth hanging in, at least from my perspective, just because one of the problems that you have, I suspect, is on my Mac it's great because I wind up automatically updating it to whatever the most recent one is every time I do a brew upgrade.But on the Linux side of the world, you've discovered what many of us have discovered, and that is that packaging things for Linux is a freaking disaster. The current installation is, “Great. Here's basically a curl bash.” Or, “Here, grab this tarball and install it.” And that's fine, but there's no real way of keeping that updated and synced.So, I was checking the other day, oh wow, I'm something like eight versions behind on this box. But it still just works. I upgraded. Oh, wow. There's new functionality here. This is stuff that's actually really handy. I like this quite a bit. Let's see what else we can do.I'm just so impressed, start to finish, by just how receptive you've been to various community feedbacks. And as well—I want to be very clear on this point, too—I've had folks who actually know what they're doing in an InfoSec sense look at what you're up to, and none of them had any issues of note. I'm sure that they have a pile of things like, with that curl bash, they should really be doing a GPG check. Yes, yes, fine. Whatever. If that's your target threat model, okay, great. Here in reality-land for what I do, this is awesome.And they don't seem to have any problems with, “Oh, yeah. By the way, sending analytics back up”—which, okay, fine, whatever. “And it's not disclosing them.” Okay, that's bad. “And it's including the contents of your AWS credentials.”Ahhhh. I did encounter something that was doing that on the back-end once. [cough]—Serverless Framework—sorry, something caught in my throat for a second.Chris: [laugh].Corey: No faster way I can think of to erode trust in that. But everything you're doing just makes sense.Chris: Oh, I do remember that. 
And that was a little bit of a fiasco, really, around all of that, right? And it's great to hear actually around that InfoSec folks and security people being, you know, not unhappy, I guess, with a tool like this. It's been interesting for me personally. We've really come from a practitioner's background.You know, I wouldn't call myself a security engineer at all. I would call myself as a sometimes a software developer, I guess. I have been hacking my way around Go and definitely learning a lot about how the cloud has worked over the past seven, eight years or so, but I wouldn't call myself a security engineer, so being very cautious around how all of these things work. And we've really tried to defer to things like the system keychain and defer to things that we know are pretty safe and work.Corey: The thing that I also want to call out as well is that your licensing is under the MIT license. This is not one of those, “Oh, you're required to wind up doing a bunch of branding stuff around it.” And, like some people say, “Oh, you have to own the trademark for all of these things.” I mean, I'm not an expert in international trademark law, let's be very clear, but I also feel that trademarking a term that is already used heavily in the space such as the word ‘Granted,' feels like kind of an uphill battle. And let's further be clear that it doesn't matter what you call this thing.In fact, I will call attention to an oddity that I've encountered a fair bit. After installing it, the first thing you do is you run the command ‘granted.' That sets it up, it lets you configure your browser, what browser you want to use, and it now supports standard out for that headless, EC2 use case. Great. Awesome. Love it. But then the other binary that ships with it is Assume. And that's what I use day-to-day. 
It actually takes me a minute sometimes when it's been long enough to remember that the tool is called Granted and not Assume what's up with that?Chris: So, part of the challenge that we ran into when we were building the Granted project is that we needed to export some environment variables. And these are really important when you're logging into AWS because you have your access key, your secret key, your session token. All of those, when you run the assume command, need to go into the terminal session that you called it. This doesn't matter so much when you're using the console mode, which is what we mentioned earlier where you can open 100 different accounts if you want to view all of those at the same time in your browser. But if you want to use it in your terminal, we wanted to make it look as really smooth and seamless as possible here.And we were really inspired by this approach from—and I have to shout them out and kind of give credit to them—a tool called AWSume—they're spelled A-W-S-U-M-E—Python-based tool that they don't do as much with single-sign-on, but we thought they had a really nice, like, general approach to the way that they did the scripting and aliasing. And we were inspired by that and part of that means that we needed to have a shell script that called this executable, which then will export things back out into the shell script. And we're doing all this wizardry under the hood to make the user experience really smooth and seamless. Part of that meant that we separated the commands into granted and assume and the other part of the naming for everything is that I felt Granted had a far better ring to it than calling the whole project Assume.Corey: True. And when you say assume, is it AWS or not? I've used the AWSume project before; I've used AWS Vault out of 99 Designs for a while. I've used—for three minutes—the native AWS SSO config, and that is just trash. 
Again, they're so good at the plumbing, so bad at the porcelain, I think is the criticism that I would levy toward a lot of this stuff.Chris: Mmm.Corey: And it's odd to think there's an entire company built around just smoothing over these sharp, obnoxious edges, but I'm saying this as someone who runs a consultancy and have five years that just fixes the bill for this one company. So, there's definitely a series of cottage industries that spring up around these things. I would be thrilled, on some level, if you wound up being completely subsumed by their product advancements, but it's been 15 years for a lot of this stuff and we're still waiting. My big failure mode that I'm worried about is that you never are.Chris: Yeah, exactly, exactly. And it's really interesting when you think about all of these user experience gaps in AWS being opportunities for, I guess, for companies like us, I think, trying to simplify a lot of the complexity for things. I'm interested in sort of waiting for a startup to try and, like, rebuild the actual AWS console itself to make it a little bit faster and easier to use.Corey: It's been done and attempted a bunch of different times. The problem is that the console is a lot of different things to a lot of different people, and as you step through that, you can solve for your use case super easily. “Yeah, what do I care? I use RDS, I use some VPC nonsense, and I use EC2. The end.” “Great. What about IAM?”Because I promise you're using that whether you know it or not. And okay, well, I'm talking to someone else who's DynamoDB, and someone else is full-on serverless, and someone else has more money than sense, so they mostly use SageMaker, and so on and so forth. And it turns out that you're effectively trying to rebuild everything. I don't know if that necessarily works.Chris: Yeah, and I think that's a good point around maybe while we haven't seen anything around that sort of space so far. 
You go to the console, and you click down, you see that list of 200 different services and all of those have had teams go and actually, like, build the UI and work with those individual APIs. Yeah.Corey: Any ideas as far as what's next for features on Granted?Chris: I think that, for us, it's continuing to work with everybody who's using it, and with a focus of stability and performance. We actually had somebody in the community raise an issue because they have an AWS config file that's over 7000 lines long. And I kind of pity that person, potentially, for their day-to-day. They must deal with so much complexity. Granted is currently quite slow when the config files get very big. And for us, I think, you know, we built it for ourselves; we don't have that many accounts just yet, so working to try to, like, make it really performant and really reliable is something that's really important.Corey: If you don't mind a feature request while we're at it—and I understand that this is more challenging than it looks like—I'm willing to fund this as a feature bounty that makes sense. And this also feels like it might be a good first project for a very particular type of person, I would love to get tab completion working in Zsh. You have it—Chris: Oh.Corey: For Fish because there's a great library that automatically populates that out, but for the Zsh side of it, it's, “Oh, I should just wind up getting Zsh completion working,” and I fell down a rabbit hole, let me tell you. And I come away from this with the perception of yeah, I'm not going to do it. I have not smart enough to check those boxes. But a lot of people are so that is the next thing I would love to see. Because I will change my browser to log into the AWS console for you, but be damned if I'm changing my shell.Chris: [laugh]. I think autocomplete probably should be higher on our roadmap for the tool, to be honest because it's really, like, a key metric and what we're focusing on is how easy is it to log in. 
And you know, if you're not too sure what commands to use or if we can save you a few keystrokes, I think that would be the, kind of like, reaching our goals.Corey: From where I'm sitting, you definitely have. I really want to thank you for taking the time to not only build this in the first place, but also speak with me about it. If people want to learn more, where's the best place to find you?Chris: So, you can find me on Twitter, I'm @chr_norm, or you can go and visit granted.dev and you'll have a link to join the Slack community. And I'm very active on the Slack.Corey: You certainly are, although I will admit that I fall into the challenge of being in just the perfectly opposed timezone from you and your co-founder, who are in different time zones to my understanding; one of you is on Australia and one of you was in London; you're the London guy as best I'm aware. And as a result, invariably, I wind up putting in feature requests right when no one's around. And, for better or worse, in the middle of the night is not when I'm usually awake trying to log into AWS. That is Azure time.Chris: [laugh]. Yeah, no, we don't have the US time zone properly covered yet for our community support and help. But we do have a fair bit of the world timezone covered. The rest of the team for Common Fate is all based in Australia and I'm out here over in London.Corey: Yeah. I just want to thank you again, for just being so accessible and, like, honestly receptive to feedback. I want to be clear, there's a way to give feedback and I do strive to do it constructively. I didn't come crashing into your Slack one day with a, “You know what your problem is?” I prefer to take the, “This is awesome. Here's what I think would be even better. Does that make sense?” As opposed to the imperious demands and GitHub issues and whatnot? It's, “I'd love it if it did this thing. Doesn't do this thing. Can you please make it do this thing?” Turns out that's the better way to drive change. 
Who knew?Chris: Yeah. [laugh]. Yeah, definitely. And I think that one of the things that's been the best around our journey with Granted so far has been listening to feedback and hearing from people how they would like to use the tool. And a big thank you to you, Corey, for actually suggesting changes that make it not only better for you, but better for everybody else who's using Granted.Corey: Well, at least as long as we're using my particular byzantine workload patterns in some way, or shape, or form, I'll hear that. But no, it's been an absolute pleasure and I really want to thank you for your time as well.Chris: Yeah, thank you for having me.Corey: Chris Norman, co-founder of Common Fate, as well as one of the two primary developers originally behind the Granted project that logs you into AWS without you having to lose your mind. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry, incensed, raging comment that talks about just how terrible all of this is once you spend four hours logging into your AWS account by hand first.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

All TWiT.tv Shows (MP3)
This Week in Enterprise Tech 499: No Forklift Left Behind

All TWiT.tv Shows (MP3)

Play Episode Listen Later Jun 25, 2022 73:01 Very Popular


Beyond the password, Cybersecurity summer camps, Private 5G
Google Warns of New Spyware Targeting iOS and Android Users
Researchers Say Only 3% of Open Source Software Bugs Are Actually Attackable
VPNs Persist Despite Zero-Trust Fervor
NSA Is Funding Summer Camps to Teach Kids to Be Cyber Pros
Evolving Beyond the Password
5G host roundtable!
Hosts: Louis Maresca, Brian Chee, and Curt Franklin
Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
Sponsors: plextrac.com/twit, hover.com/twit, canary.tools/twit - use code: TWIT

Brakeing Down Security Podcast
RSA conference, Zero Trust, SSO, 2FA, and multi-cloud tenancy with J Goerlich

Brakeing Down Security Podcast

Play Episode Listen Later Jun 25, 2022 34:08


This Week in Enterprise Tech (Video HD)
TWiET 499: No Forklift Left Behind - Beyond the password, Cybersecurity summer camps, Private 5G

This Week in Enterprise Tech (Video HD)

Play Episode Listen Later Jun 25, 2022 73:22


This Week in Enterprise Tech (MP3)
TWiET 499: No Forklift Left Behind - Beyond the password, Cybersecurity summer camps, Private 5G

This Week in Enterprise Tech (MP3)

Play Episode Listen Later Jun 25, 2022 73:01
