This episode of the TechOps series goes into high availability troubleshooting. Not just high availability, not just troubleshooting, but actually talking through what it takes to manage and maintain and fix HA systems. This is part of a longer discussion we've been having and so there's some really interesting ideas in the middle of these discussions that I hope will shape your thinking as you build high availability systems, diagnostics and troubleshooting for people who are in high availability very complex environments. Transcript: https://otter.ai/u/wM__4w1YIzZnhVdgLuXLsDDu0Ng?utm_source=copy_url References: https://status.openai.com/incidents/ctrsv3lwd797
We step back in this episode of our Tech Ops series and talk about cloud self managed infrastructure and how you balance the competing concerns. We started from a report that RackN had commissioned talking about on premises Kubernetes, and mixing that into your IT infrastructure. Can you have a cloud broker? Can you do multi cloud, some sort of tried and true topics for cloud consideration, but through a new filter and through this repatriation idea of mixing and matching your IT Infrastructure? Transcript: https://otter.ai/u/FKGuQpV-5bQFVASAYDhNQJtuoKM?utm_source=copy_url Resources: https://store.repebble.com/ https://rackn.com/2025/03/18/ready-for-kubernetes-on-bare-metal/ https://www.reuters.com/technology/cybersecurity/google-agrees-buy-cybersecurity-startup-wiz-32-bln-ft-reports-2025-03-18/ https://gabrielsimmer.com/blog/kubernetes-plus-oneplus
We deep dive into something seemingly very small, but with a lot of repercussions for how you manage and run a data center, and that is test scripts for servers. As you're going through a production cycle or a provisioning cycle, how do you test? What do you test? This topic was from a Reddit thread that we answered and then had a whole hour conversation about just how important and impactful this type of script is. Transcript: https://otter.ai/u/Cb3yac8JHvlM2yqh72bA_CBPWgs?utm_source=copy_url
The cloud2030 Tech Ops series is an ongoing discussion for us to create what I think of as 200 level content for tech and operations leaders, exploring really complex, deep topics in a thoughtful way to really extend your knowledge base and capabilities in the data center and infrastructure space. Today's episode talks about gitops and immutability, and what we're doing here is connecting together the operational concepts between controls and desired state communications and how that gets executed in infrastructure in an operations sense. Rather than a developer approach, this takes an operations approach. So if you are interested in how to manage immutability and what that means in infrastructure, this discussion is for you.
In this episode of Resilient Cyber, Ed Merrett, Director of Security & TechOps at Harmonic Security, will dive into AI Vendor Transparency. We discussed the nuances of understanding models and data and the potential for customer impact related to AI security risks. Ed and I dove into a lot of interesting GenAI Security topics, including:
- Harmonic's recent report on GenAI data leakage shows that nearly 10% of all organizational user prompts include sensitive data such as customer information, intellectual property, source code, and access keys.
- Guardrails and measures to prevent data leakage to external GenAI services and platforms
- The intersection of SaaS Governance and Security and GenAI and how GenAI is exacerbating longstanding SaaS security challenges
- Supply chain risk management considerations with GenAI vendors and services, and key questions and risks organizations should be considering
- Some of the nuances between self-hosted GenAI/LLMs and external GenAI SaaS providers
- The role of compliance around GenAI and the different approaches we see between examples such as the EU with the EU AI Act, NIS2, DORA, and more, versus the U.S.-based approach
Greg Dunnell of Buckeye Mountain talks about his founder journey; how big challenges impact workers; & why Buckeye are stewards of technology for customers. IN THIS EPISODE WE DISCUSS: [05.17] An overview of Greg's journey – how he found supply chain, innovated in technology whilst working for some of the industry's biggest names, and ultimately co-founded Buckeye Mountain. “I grew up working on a farm, so transportation came naturally to me. And, when I graduated from college, I wasn't what you'd call an honors student…! I went back to what I knew, and ended up driving a truck.” [12.43] An overview of Buckeye Mountain – who they are, what they do, and how they help their customers. [15.47] The ideal client for Buckeye Mountain. “It's really about our history and experience because we feel our role – our obligation – is to share those lessons learned. We've been down the pothole of technology for many years… And the secret to success is failure. We've been on that journey.” [18.25] From visibility to productivity, the biggest challenges currently faced by landside logistics facilities, and how they impact frontline workers. “Those people, when the tech goes down – imagine the frustration. ‘I'm not paid to be a technology troubleshooter, I'm paid to operate.' That's the big migration.” [23.45] How Buckeye are helping customers solve their toughest problems remotely and out in the field with their TechOps teams, who ‘think like operators, but act like tech experts.' “It is about the technology, but it's more about: ‘What is the giant problem you're trying to solve?'” [27.28] Why Buckeye act as a steward of technology for their customers, and how TechOps are changing the game. [31.11] How and why Buckeye developed Rapid Deploy technology, and the importance of guaranteed connectivity. [34.28] A case study showing how Buckeye helped an isolated intermodal facility, with no power or network, to be operated as a modern facility with Rapid Deploy and solar technology. 
[37.30] What we can expect from the landside logistics facilities of tomorrow, and the future for Buckeye. “If we can pull things into an easy workplace environment, and still provide the benefits operationally, that's a no brainer – but you need the infrastructure to do it.” RESOURCES AND LINKS MENTIONED: Head over to Buckeye Mountain's website to find out more and discover how they could help you too. You can also connect with Buckeye and keep up to date with the latest over on LinkedIn, or you can connect with Greg on LinkedIn. If you enjoyed this episode, check out 424: Orchestrate and Optimize Your Terminal Operations, with Lynxis. Check out our other podcasts HERE.
We dive deep into the technical details of BootC - a Red Hat-led technology that uses container-like definitions to describe machine boot processes. BootC is an important development, especially as companies embrace containers and seek a unified approach to machine configuration. RackN CTO, Greg Althaus, provides an in-depth overview of how BootC works, its key capabilities, and the potential benefits and challenges for operations teams. They explore topics like BootC's relationship to containers, the concept of immutability, different deployment methods, and the operational considerations around managing BootC at scale. This conversation offers a balanced, non-Red Hat perspective on BootC, highlighting both its technical merits and the significant operational work required to successfully adopt and integrate it. Listeners will come away with a nuanced understanding of this emerging technology and the factors organizations should weigh as they evaluate BootC for their infrastructure.
This episode explores the challenges of processing events and logs in technical operations. The discussion covers the importance of understanding the intent and purpose of building systems downstream from eventing and logging systems. Key topics include the trade-offs between real-time and delayed event processing, the principle of least privilege, and strategies for handling event buffering and dropping. The conversation also touches on security concerns related to event and log data. The episode concludes with plans for future discussions on adding events and logging to scripts to make them more useful.
We dive deep into logging, tracing, metrics, observability, with a specific filter for automation and systems and infrastructure. There's a real challenge here of how you capture information from a running system in a way that provides the right information at the right time. That fundamentally is the question that we are working to answer throughout this really fascinating discussion about logging. Transcript: https://otter.ai/u/msNO2gn1b0FP2lK7rSfplQrCrPQ?utm_source=copy_url
This TechOps episode explores the challenges of processing events and logs in technical operations. The discussion covers the importance of understanding the intent and purpose of building systems downstream from eventing and logging systems. Key topics include the trade-offs between real-time and delayed event processing, the principle of least privilege, and strategies for handling event buffering and dropping. The conversation also touches on security concerns related to event and log data. The episode concludes with plans for future discussions on adding events and logging to scripts to make them more useful.
"In underserved markets, there's always a challenge of reaching patients due to political and economic pressures. Through smart packaging, logistics, and distribution, we're committed to providing healthcare solutions across our network of more than 100 distributors," says Samir El Nasharty, Chief Operations Officer at Acino. Samir El Nasharty leads an experienced global team of over 1,000 Tech Ops professionals at Acino, a Swiss pharmaceutical company established in 1836. As part of the Arcera Life Science platform, established by ADQ, an Abu Dhabi-based investment and holding company, Acino focuses on delivering high-quality pharmaceutical products to emerging markets across the Middle East, Africa, Ukraine, CIS, and Latin America. Speaking to the PharmaSource podcast at CPHI Milan, Samir provides detailed insights into managing complex manufacturing networks, implementing digital transformation initiatives, and steering the company's strategy through challenging market conditions while ensuring consistent medical supply to underserved regions.
In this episode, we continue our TechOps series, diving deep into the topic of container management. As containers become increasingly mainstream, the need to effectively manage and orchestrate these lightweight, purpose-built environments is crucial. We'll explore the distinctions between container management and orchestration, discussing the different tools, techniques and trade-offs involved. We'll also hear insights from the RackN team on how they've approached container lifecycle management within their own infrastructure management platform, Digital Rebar. This is a rich discussion that touches on everything from Kubernetes to system design trade-offs. So let's jump in and learn how to wrangle those containers!
In this episode, we dive deep into a recent and highly sophisticated SSH intrusion attack that was discovered in the Linux kernel. We'll discuss how the attackers were able to inject a backdoor into a critical compression library, leveraging social engineering tactics to become a trusted maintainer over several years. The attack was designed to bypass security checks and evade detection, even from advanced techniques like eBPF monitoring. We'll explore the technical details of how the backdoor was triggered, the potential impact on various Linux distributions, and the broader implications for software supply chain security. This incident highlights the challenges of maintaining trust in open-source projects and the need for robust security measures to protect critical infrastructure. Join us as we unpack this fascinating case and consider the lessons it holds for the future of secure software development.
A software bill of materials is the idea that we can define and document exactly what goes into a system. We look at governance today and SBOMs as we put it together, both from a software and an operation side. From an operations perspective, it truly is a big challenge. This conversation is a little bit more theoretical than some of the TechOps discussions have been. Enjoy! Transcript: https://otter.ai/u/VXWwg-ltdlwYBFYI_jNCOUmJz6M?utm_source=copy_url
SSH and Secure Shell is one of those topics that people take for granted because it is a ubiquitous way to log in and access systems. True to form for the TechOps series, though, we break that down into much more detailed and granular components. We talk about how to secure it and what best practices are. We also discuss how to use it for tunneling, or, more specifically, not use it for tunneling, and why all of this matters to your operations environment. Listen to what new things we're doing that avoid having to have network access at all. Transcript: https://otter.ai/u/XSRBfnifZOF0-nlNU5Vo_hyoSVU?utm_source=copy_url
Is high availability always a good thing? Today our discussion takes an operations perspective. We look at places where you were over or under committing high availability, where you were confusing disaster recovery for high availability, and perhaps even securing the wrong service or looking at it the wrong way. We cover all of these scenarios with practical, hands-on examples that I know you will get a lot out of. This is good prep for talking about HA clusters, because the idea of coordinating and monitoring systems is core to HA and HA clusters. In our journey with RackN, a lot of customers who thought they needed very aggressive HA systems, once they are confronted with the overhead of maintaining an HA system, have to ask if you really need it. We started with an active/passive HA implementation using third party monitoring to monitor for when the system failed and spin up the second system, creating a live streaming back up to the failover system. Transcript: https://otter.ai/u/vOVZadHvRTFCZGqcI2DC3nQzDgY?utm_source=copy_url
Two are dead and another seriously injured after a morning explosion at Delta's TechOps facility; Georgia's Lt. Governor pushes for ban of transgender girls on female athletic teams in school; and why recent tropical weather has the state's Red Cross chapter sounding the alarm bells.
We continue our TechOps series, this case diving deep and cheap into out of band management. One of the things about out of band management is that it quickly turns into an alphabet soup of protocol names, vendor names, specific pieces and even the way we talk about out of band management. We have different acronyms for the same action. In this conversation, Greg Althaus, RackN's CTO and my co-founder, explores lessons learned and things that you need to understand for technical details and a really core understanding of how to build BMC integrations. We even cover why it's so hard to do this well. Even if you have no plans of ever touching an out of band interface, the architectural lessons will help you. Transcript: https://otter.ai/u/Feahh05PQI-1fxVXDRuiFDkgt5M?utm_source=copy_url
Systemd is our topic for today, discussing system processes: how do you manage and control processes, services, and fundamental components of Linux operating systems? In this discussion, we cover how to think about it, how it works, alternatives, process controls, and even how they get applied to containers. Containers were a nice bridge from our previous discussions when we were talking about container management systems. If you are interested in Linux and Linux management, Linux automation, this is a good episode for you! Transcript: https://otter.ai/u/KCK3f95lbUEAEzLgA60k-HbDlGk?utm_source=copy_url
TechOps series episode 3 covers how to automate against API's. We discuss exactly the ways in which you can use API's effectively, and ways you can run into trouble. We also discuss how we should be consuming API's, both as a consumer but also in times when we have produced API's. Many ideas discussed were pulled from learning how people consume our API's and what we can do to help make them better and safer. Enjoy this broader TechOps series where we are diving in deep in tips and techniques that improve your journey as an Automator. https://otter.ai/u/5akxcG83FBS1m9PBUnB4rjLzWac?utm_source=copy_url Image by Dall-E
Join us as we embark on a comprehensive journey to master intermediate and advanced skills crucial for operators, DevOps, and platform engineers. From scripting and service setup to running complex systems, we address the critical gap in training for building, automating, and maintaining resilient and robust systems. Over the coming months, the Cloud 2030 crew will delve into the core skill sets required in this rapidly evolving field. Our series will cover an array of topics, including tools, processes, and methodologies essential for excelling in tech operations. We plan to explore a variety of subjects, aiming to equip you with the knowledge to automate effectively and build resilient systems. This kickoff meeting sets the stage for a year-long exploration into the depths of tech operations, inviting you to contribute your expertise and curiosity. Prepare for an enlightening journey as we lay out our comprehensive Tech Ops agenda. Agenda: https://docs.google.com/document/d/1Yvr8loVNfkxKmaQN5XWEaskzrV9-OsJ4oeKnUcnQ90s/edit?usp=sharing Transcript: https://otter.ai/u/FP_1Ose_jJ7qLezuAVZjFovSyVE?utm_source=copy_url Photo by Bence Szemerey: https://www.pexels.com/photo/brown-wooden-frame-with-brown-metal-pipe-6804254/
United Airlines has discovered loose bolts and other parts on the plug doors of its 737 Max 9 aircraft during inspections following a rapid depressurisation incident on an Alaska Airlines flight. The bolts and parts have been found on at least five aircraft. United has confirmed the findings and stated that the issues will be addressed by their Tech Ops team. The discovery of these issues could have wider implications for Boeing and Spirit AeroSystems, who are responsible for the assembly and quality checks of the aircraft structure.
Sicco Naets is Director of Technical Operations with Moonbeam Foundation. Sicco is an experienced software development leader with a background in tech, politics, history and sociology. His technical expertise includes blockchain, distributed microservices architecture, messaging middleware and cloud deployments. Moonbeam is a smart contract platform for cross-chain connected applications that unites functionality from Ethereum, Polkadot and beyond. -- Follow Sicco on Twitter: @sicconaets Follow Moonbeam on Twitter: @MoonbeamNetwork
PlastChicks Lynzie Nebel and Mercedes Landazuri host Mitch Rife, Engineering Manager for Additive Manufacturing, Delta TechOps. They discuss transitioning from subtractive to additive manufacturing processes; designing for 3D printing while considering injection molding requirements should production needs increase; producing 3D-printed tools, tool carriers and protectors to support aircraft mechanics; choosing materials for aerospace prototyping; use of 3D-printed parts in aircraft manufacturing; and designing wheelchair-accessible airplane seats. Watch the PlastChicks podcast on the SPE YouTube Channel. PlastChicks is sponsored by SPE-Inspiring Plastics Professionals. Look for new episodes the first Friday of every month.
Today we're talking to David Seidenfrau. He has been a leader of about every Tech focus you can imagine from AppDev, TechOps, DataEng, Program/Product Management, Implementation services - you name it, he has led it. Dave has had this opportunity as he's been part of 3 Successful startups 2 with Exits (1 IPO, 1 Acquisition). Most recently Dave has led an Eng. Org from seed to Series C. Dave sat on the board of https://primaryportal.com/ guiding the company from seed funding to a successful series A, including finding them a CTO. Dave also actively participates as a VC investor primarily through https://www.ideafundpartners.com/portfolio. We're talking about the influence of the right champions in propelling your career forward and how to become a master networker without going to awkward networking events. Dave's sharing how you can spot the right champions, how they can help you identify superpowers you possess and might not even be aware of and use this knowledge to land your next opportunity. Along his career, Dave has become a master networker and relationship builder and he's sharing how it has served him and can serve you! Take a listen and I hope you walk away with at least one actionable insight you can apply to take your job and career in the direction of your dreams! Dave ended the conversation with challenging you to add 100 new connections on your LinkedIn to grow your network, plus one of those you can use to connect with him at https://www.linkedin.com/in/dseidenfrau/ Connect with me on IG at https://www.instagram.com/yourcareerintechnicolor where I share style ideas and fashion finds for career and life you can fall in love with!
In the latest edition of Tell Me Why, Evie Garces, VP of Line Maintenance discusses the important around-the-clock work Tech Ops performs, the critical role the team plays in our summer operation and steps American is taking to open doors to careers in aircraft maintenance, ensuring a full pipeline of aviation maintenance professionals for the future.
This week we are talking to mentor, business advisor and Head of Techops for Test Card, Selby Cary. Selby is a serial entrepreneur that has scaled businesses and in this podcast we talk about his experiences of scaling and the challenges that lie therein. We cover the following areas:
- What do we mean by scaling?
- When do you feel the growing pains?
- How hiring changes as you scale
- Dealing with technical debt
- How you maintain culture as you scale
- How product development changes as you scale
- Sweat equity
- The challenges operationally when you scale
This week's guest is serial entrepreneur, advisor and Head of Techops for Test Card - Selby Cary. This week we will be talking about the challenges of scaling
Episode Summary

Chris Farris, Cloud Security Nerd at Turbot, joins Corey on Screaming in the Cloud to discuss the latest events in cloud security, which leads to an interesting analysis from Chris on how legal departments obscure valuable information that could lead to fewer security failures in the name of protecting company liability, and what the future of accountability for security failures looks like. Chris and Corey also discuss the newest dangers in cloud security and billing practices, and Chris describes his upcoming cloud security conference, fwd:cloudsec.

About Chris

Chris Farris has been in the IT field since 1994 primarily focused on Linux, networking, and security. For the last 8 years, he has focused on public-cloud and public-cloud security. He has built and evolved multiple cloud security programs for major media companies, focusing on enabling the broader security team's objectives of secure design, incident response and vulnerability management. He has developed cloud security standards and baselines to provide risk-based guidance to development and operations teams. As a practitioner, he's architected and implemented multiple serverless and traditional cloud applications focused on deployment, security, operations, and financial modeling.

Chris now does cloud security research for Turbot and evangelizes for the open source tool Steampipe. He is one of the organizers of the fwd:cloudsec conference (https://fwdcloudsec.org) and has given multiple presentations at AWS conferences and BSides events.

When not building things with AWS's building blocks, he enjoys building Legos with his kid and figuring out what interesting part of the globe to travel to next.
He opines on security and technology on Mastodon, Twitter and his website https://www.chrisfarris.com

Links Referenced:
Turbot: https://turbot.com/
fwd:cloudsec: https://fwdcloudsec.org/
Mastodon: https://infosec.exchange/@jcfarris
Personal website: https://chrisfarris.com

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn and we are here today to learn exciting things, steal exciting secrets, and make big trouble for Moose and Squirrel. Maybe that's the podcast; maybe that's the KGB, we're not entirely sure. But I am joined once again by Chris Farris, cloud security nerd at Turbot, which I will insist on pronouncing as ‘Turbo.' Chris, thanks for coming back.

Chris: Thanks for having me.

Corey: So, it's been a little while and it's been an uneventful time in cloud security with nothing particularly noteworthy happening, not a whole lot of things to point out, and honestly, we're just sort of scraping the bottom of the barrel for news… is what I wish I could say, but it isn't true. Instead, it's, “Oh, let's see what disastrous tire fire we have encountered this week.” What's top of mind for you as we record this?

Chris: I think the most interesting one I thought was, you know, going back and seeing the guilty plea from Nickolas Sharp, who formerly was an employee at Ubiquiti and apparently had, like, complete access to everything there and then ran amok with it.

Corey: Mm-hm.

Chris: The details that were buried at the time in the indictment, but came out in the press releases were he was leveraging root keys, he was leveraging lifecycle policies to suppress the CloudTrail logs.
And then of course, you know, just doing dumb things like exfiltrating all of this data from his home IP address, or exfiltrating it from his home through a VPN, which have accidentally dropped and then exposed his home IP address. Oops.

Corey: There's so much to dive into there because I am not in any way shape or form, saying that what he did was good, or I endorse any of those things. And yeah, I think he belongs in prison for what he did; let's be very clear on this. But I personally did not have a business relationship with him. I am, however, Ubiquiti's customer. And after—whether it was an insider threat or whether it was someone external breaching them, Krebs On Security wound up doing a whole write-up on this and was single-sourcing some stuff from the person who it turned out, did this.

And they made a lot of hay about this. They sued him at one point via some terrible law firm that's entire brand is suing media companies. And yeah, just wonderful, wonderful optics there and brilliant plan. But I don't care about the sourcing. I don't care about the exact accuracy of the reporting because what I'm seeing here is that what is not disputed is this person, who whether they were an employee or not was beside the point, deleted all of the audit logs and then as a customer of Ubiquiti, I received an email saying, “We have no indication or evidence that any customer data was misappropriated.” Yeah, you just turn off your logs and yeah, you could say that always and forever and save money on logging costs. [unintelligible 00:03:28] best practice just dropped, I guess. Clowns.

Chris: So, yeah. And there's definitely, like, compliance and standards and everything else that say you turn on your logs and you protect your logs, and service control policies should have been able to detect that. If they had a security operations center, you know, the fact that somebody was using root keys should have been setting off red flags and causing escalations to occur.
And that wasn't happening.

Corey: My business partner and I have access to our AWS org, and when I was setting this stuff up for what we do here, at a very small company, neither of us can log in with root credentials without alarms going off that alert the other. Not that I don't trust the man; let's be very clear here. We both own the company.

Chris: In business together. Yes.

Corey: Ri—exactly. It is, in many ways, like a marriage in that one of us can absolutely ruin the other without a whole lot of effort. But there's still the idea of separation of duties, visibility into what's going on, and we don't use root API keys. Let me further point out that we are not pushing anything that requires you to send data to us. We're not providing a service that is software powered to people, much less one that is built around security. So, how is it that I have a better security posture than Ubiquiti?

Chris: You understand AWS and in-depth cloud better. You know, it really comes down to how do you, as an AWS customer, understand all of the moving parts, all of the security tooling, all of the different ways that something can happen. And Amazon will say, “Well, it's in the documentation,” but you know, they have, what, 357 services? Are you reading the security pages of all of those? So, user education, I agree, you should have, and I have on all of my accounts, if anything pops up, if any IAM change happens, I'm getting text messages. Which is great if my account got compromised, but is really annoying when I'm actually making a change and my phone is blowing up.

Corey: Yeah. It's worth pointing out as well that yes, Ubiquiti is publicly traded—that is understood and accepted—however, 93% of it is owned by their CEO-founder god-king. So, it is effectively one person's personal fiefdom. And I tend to take a very dim view as a direct result. When you're in cloud and you have suffered a breach, you have severely screwed something up somewhere.
These breaches are never, “Someone stole a whole bunch of drives out of an AWS data center.” You have misconfigured something somewhere. And lashing out at people who reported on it is just a bad look.

Chris: Definitely. Only error—now, of course, part of the problem here is that our legal system encourages people to not come forward and say, “I screwed up. Here's how I screwed up. Everybody come learn from my mistakes.” The legal professions are also there to manage risk for the company and they're like, “Don't say anything. Don't say anything. Don't even tell the government. Don't say anything.”

Whereas we all need to learn from these errors. Which is why I think every time I do see a breach or I do see an indictment, I start diving into it to learn more. I did a blog post on some of the things that happened with Drizly and GitHub, and you know, I think the most interesting thing that came out of Drizly case was the ex-CEO of Drizly, who was CEO at the time of the breach, now has following him, for the rest of his life, an FTC order that says he must implement a security program wherever he goes and works. You know, I don't know what happens when he becomes a Starbucks barista or whatever, but that is on him. That is not on the company; that is on him.

And I do think that, you know, we will start seeing more and more chief executive officers, chief security or information security officers becoming accountable to—or for the breaches and being personally accountable or professionally accountable for it. I think we kind of need it, even though, you know, there's only so much a CISO can do.

Corey: One of the things that I did when I started consulting independently on AWS bills back in 2016 was, while I was looking at customer environments, I also would do a quick check for a few security baseline things. And I stopped doing it because I kept encountering a bunch of things that needed attention and it completely derailed the entire stated purpose of the engagement.
And, frankly, I don't want to be running a security consultancy. There's a reason I focus on AWS bills. And people think I'm kidding, but I swear to you I'm not, when I say that the reason is in part because no one has a middle-of-the-night billing emergency. It is strictly a business-hours problem. Whereas with security, wake up.

In fact, the one time I have been woken up in the middle of the night by a customer phone call, they were freaking out because it was a security incident and their bill had just pegged through the stratosphere. It's, “Cool. Fix the security problem first, then we'll worry about the bill during business hours. Bye.” And then I stopped leaving my phone off of Do Not Disturb at night.

Chris: Your AWS bill is one of your indicators of compromise. Keep an eye on it.

Corey: Oh, absolutely. We've had multiple engagements discover security issues on that. “So, what are these instances in Australia doing?” “We don't have anything there.” “I believe you're being sincere when you say this.”

Chris: Yes.

Corey: However.

Chris: “Last month, you're at $1,000 and this month, you're at $50,000. And oh, by the way, it's the ninth, so you might want to go look at that.”

Corey: Here's the problem that you start seeing in large-scale companies though. You or I wind up posting our IAM credentials on GitHub somewhere in public—and I do this from time to time, intentionally with absolutely no permissions attached to a thing—and I started to look at the timeline of, “Okay 3, 2, 1, go,” with the push and now I start counting. What happens? At what time does the quarantine policy apply? When do I get an email alert? When do people start trying to exploit it? From where are they trying to exploit it?

It's a really interesting thing to look into, just from the position of how this stuff all fits together and works.
And that's great, but there's a whole ’nother piece to it where if you or I were to do such a thing and actually give it admin credentials, okay, my, I don't know, what, $50, $100 a month account that I use for a lot of my test stuff now starts getting charged enormous piles of money that winds up looking like a mortgage in San Francisco, I'm going to notice that. But if you have a company that's spending, I don't know, between ten and $20 million a month, do you have any idea how much Bitcoin you've got to be mining in that account to even make a slight dent in the overall trajectory of those accounts?

Chris: In the overall bill, a lot. And in a particularly mismanaged account, my experience is you will notice it if you're monitoring billing anomalies on a per-account basis. I think it's important to note, you talked about that quarantine policy. If you look at what actually Amazon drops a deny on, it's effectively start EC2 instances and change IAM policies. It doesn't prevent anybody from listing all your buckets and exfiltrating all your data. It doesn't prevent anybody from firing up Lambdas and other less commonly used resources. Don't assume oh, Amazon dropped the quarantine policy. I'm safe.

Corey: I was talking to somebody who spends $4 a month on S3 and they wound up suddenly getting $60 grand a day in Lambda charges, because max out the Lambda concurrency in every region and set it to mine crypto for 15 minutes apiece, yeah, you'll spend $60,000 a day to get, what, $500 in crypto. But it's super economical as long as it's in someone else's account. And then Amazon hits them with a straight face on these things, where, “Please pay the bill.” Which is horrifying when there's several orders of magnitude difference between your normal bill and what happens post-breach.
But what I did my whole post on “17 Ways to Run Containers on AWS,” followed by “17 More Ways to Run Containers on AWS,” and [unintelligible 00:12:00] about three services away from having a third one ready to go on that, the point is not, “Too many ways to run containers,” because yes, that is true and it's also amusing to me—less so to the containers team at AWS which does not have a sense of humor or sense of self-awareness of which they have been alerted—and fine, but every time you're running a container, it is a way to turn it into a crypto mining operation, in some way shape or form, which means there are almost 40-some-odd services now that can reasonably be used to spin up cryptocurrency mining. And that is the best-case breach scenario in a bunch of ways. It costs a bunch of money and things to clean up, but ‘we lost customer data.’ That can destroy companies.

Chris: Here's the worst part. Crypto mining is no longer profitable even when I've got stolen API keys because bitcoin's in the toilet. So, now they are going after different things. Actually, the most recent one is they look to see if your account is out of the SCS sandbox and if so, they go back to the tried-and-true way of doing internet scams, which is email spam.

Corey: For me, having worked in operations for a very long time, I've been in situations where I worked at Expensify and had access to customer data there. I have worked in other finance companies—I worked at Blackrock. Where I work now, I have access to customer billing data. And let me be serious here for a second, I take all of these things seriously, but I also in all of those roles slept pretty well at night. The one that kept me up was a brief stint I did as the Director of Tech Ops at Grindr over ten years ago because unlike the stuff where I'm spending the rest of my career and my time now, it's not just money anymore.

Whereas today, if I get popped, someone can get access to what a bunch of companies are paying AWS.
It's scandalous, and I will be sued into oblivion and my company will not exist anymore and I will have a cloud hanging over my head forever. So, I have to be serious about it—

Chris: But nobody will die.

Corey: Nobody dies. Whereas, “Oh, this person is on Grindr and they're not out publicly,” or they live in a jurisdiction where that is punishable by imprisonment or death, you have blood on your hands, on some level, and I have never wanted that kind of responsibility.

Chris: Yeah. It's reasonably scary. I've always been happy to say that, you know, the worst thing that I had to do was keep the Russians off CNN and my friends from downloading Rick and Morty.

Corey: Exactly. It's, “Oh, heavens, you're winding up costing some giant conglomerate somewhere theoretical money on streaming subscriptions.” It's not material to the state of the world. And part of it, too, is—what's always informed my approach to things is, I'm not a data hoarder in the way that it seems our entire industry is. For the Last Week in AWS newsletter, the data that I collect and track is pretty freaking small.

It's, “You want to sign up for the lastweekinaws.com newsletter. Great, I need your email address.” I don't need your name, I don't need the company you work at. You want to give me a tagged email address? Fine. You want to give me some special address that goes through some anonymizing thing? Terrific. I need to know where I'm sending the newsletter. And then I run a query on that for metrics sometimes, which is this really sophisticated database query called a count. How many subscribers do I have at any given point because that matters to our sponsors. But can we get—you give us any demographic? No, I cannot. I can't. I have people who [unintelligible 00:15:43] follow up surveys sometimes and that's it.

Chris: And you're able to make money doing that.
You don't have to collect, okay, you know, Chris's zip code is this and Bob's zip code is that and Frank's zip code is the other thing.

Corey: Exactly.

Chris: Or job titles, or you know, our mother's maiden name or anything else like that.

Corey: I talk about what's going on in the world of AWS, so it sort of seems to me that if you're reading this stuff every week, either because of the humor or in spite of the humor, you probably are in a position where services and goods tied to that ecosystem would be well-received by you or one of the other 32,000 people who happen to be reading the newsletter or listening to the podcast or et cetera, et cetera, et cetera. It's an old-timey business model. It's okay, I want to wind up selling, I don't know, expensive wristwatches. Well, maybe I'll advertise in a magazine that caters to people who have an interest in wristwatches, or caters to a demographic that traditionally buys those wristwatches. And okay, we'll run an ad campaign and see if it works.

Chris: It's been traditional advertising, not the micro-targeting stuff. And you know, television was the same way back in the broadcast era, you know? You watched a particular show, people of that demographic who watched that particular show had certain advertisers they wanted.

Corey: That part of the challenge I've seen too, from sponsors of this show, for example, is they know it works, but they're trying to figure out how to do any form of attribution on this. And my answer—which sounds self-serving, but it's true—is, there's no effective way to do it because every time you try, like, “Enter this coupon code,” yeah, I assure you, some of these things wind up costing millions of dollars to deploy at large companies at scale and they provide value for doing it. No one's going to punch in a coupon code to get 10% off or something like that. Procurement is going to negotiate custom contracts and it's going to be brought up maybe by someone who heard the podcast ad.
Maybe it just sits in the back of their mind until they hear something and it just winds up contributing to a growing awareness of these things.

You're never going to do attribution that works on things like that. People try sometimes to, “Oh, you'll get $25 in credit,” or, “We'll give you a free t-shirt if you fill out the form.” Yeah, but now you're biasing for people who find that a material motivator. When I'm debating what security suite I'm going to roll out at my enterprise I don't want a free t-shirt for that. In fact, if I get a free t-shirt and I wear that shirt from the vendor around the office while I'm trying to champion bringing that thing in, I look a little compromised.

Chris: Yeah. Yeah, I am—[laugh] I got no response to that [laugh].

Corey: No, no. I hear you. One thing I do want to talk about is the last time we spoke, you mentioned you were involved in getting fwd:cloudsec—a conference—off the ground. Like all good cloud security conferences, it's named after an email subject line.

It is co-located with re:Inforce this year in Anaheim, California. Somewhat ominously enough, I used to live a block-and-a-half away from the venue. But I don't anymore and in fact, because nobody checks the global event list when they schedule these things, I will be on the other side of the world officiating a wedding the same day. So, yet again, I will not be at re:Inforce.

Chris: That is a shame because I think you would have made an excellent person to contribute to our call for papers and attend. So yes, fwd:cloudsec is deliberately actually named after a subject line because all of the other Amazon conferences seem to be that way. And we didn't want to be going backwards and thinking, you know, past tense. We were looking forward to our conference. Yeah, so we're effectively a vendor-neutral cloud security conference.
We liked the idea of being able to take the talks that Amazon PR would never allow on stage at re:Inforce and run with it.

Corey: I would question that. I do want to call that out because I gave a talk at re:Invent one year about a vulnerability I found and reported, with the help of two other people, Scott Piper and Brandon Sherman, to the AWS security team. And we were able to talk about that on stage with Zack Glick, who at the time, was one of basically God's own prototypes, working over in the AWS environment next to Dan [Erson 00:19:56]. Now, Dan remains the salt of the earth, and if he ever leaves basically just short the entire US economy. It's easier. He is amazing. I digress. The point being is that they were very open about talking about an awful lot of stuff that I would never have expected that they would be okay with.

Chris: And last year at re:Inforce, they had an excellent, excellent chalk talk—but it was a chalk talk, not recorded—on how ransomware attacks operate. And they actually, like, revealed some internal, very anonymized patterns of how attacks are working. So, they're starting to realize what we've been saying in the cloud security community for a while, which is, we need more legitimate threat intelligence. On the other hand, they don't want to call it threat intelligence because the word threat is threatening, and therefore, you know, we're going to just call it, you know, patterns or whatever. And our conference is, again, also multi-cloud, a concept that until recently, AWS, you know, didn't really want to acknowledge that there were other clouds and that people would use both of them [crosstalk 00:21:01]—

Corey: Multi-cloud security is a nightmare. It's just awful.

Chris: Yeah, I don't like multi-cloud, but I've come to realize that it is a thing.
That you will either start at a company that says, “We're AWS and we're uni-cloud,” and then next thing, you know, either some rogue developer out there has gone and spun up an Azure subscription or you acquire somebody who's in GCP, or heaven forbid, you have to go into some, you know, tinhorn dictator's jurisdiction and they require you to be on-prem or leverage Oracle Cloud or something. And suddenly, congratulations, you're now multi-cloud. So yes, our goal is really to be the things that aren't necessarily onstage or aren't all just, “It's great.” Even your talk was how great the incident response and vulnerability remediation process was.

Corey: How great my experience with it was at the time, to be clear. Because I also have gotten to a point where I am very aware that, in many cases when dealing with AWS, my reputation precedes me. So, when I wind up tweeting about a problem or opening a support case, I do not accept as a given that my experience is what everyone is going to experience. But a lot of the things they did made a lot of sense and I was frankly, impressed that they were willing to just talk about anything that they did internally. Because previously that had not been a thing that they did in open forums like that.

Chris: But you go back to the Glue incident where somebody found a bug and they literally went and went to every single CloudTrail event going back to the dawn of the service to validate that, okay, the only two times we ever saw this happen were between the two researchers' accounts who disclosed it. And so, kudos to them for that level of forward communication to their customers because yeah, I think we still haven't heard anything out of Azure for last year's—or a year-and-a-half ago's Wiz findings.

Corey: Well, they did do a broad blog post about this that they put out, which I thought, “Okay, that was great.
More of this please.” Because until they start talking about security issues and culture and the remediation thereof, I don't give a shit what they have to say about almost anything else because it all comes back to security. The only things I use Azure for, which admittedly has some great stuff; their computer vision API? Brilliant—but the things I use them for are things that I start from a premise of security is not important to that service.

The thing I use it for on the soon-to-be-pivoted to Mastodon Twitter thread client that I built, it writes alt-text for images that are about to be put out publicly. Yeah, there's no security issue from that perspective. I am very hard-pressed to imagine a scenario in which that were not true.

Chris: I can come up with a couple, but you know—

Corey: It feels really contrived. And honestly, that's the thing that concerns me, too: the fact that I finally read, somewhat recently, an AWS white paper talking about—was it a white paper or was it blog post? I forget the exact media that it took. But it was about how they are seeing ransomware attacks on S3, which was huge because before that, I assumed it was something that was being made up by vendors to sell me something.

Chris: So, that was the chalk talk.

Corey: Yes.

Chris: They finally got the chalk talk from re:Inforce, they gave it again at re:Invent because it was so well received and now they have it as a blog post out there, so that, you know, it's not just for people who show up in the room, they can hear it; it's actually now documented out there. And so, kudos to the Amazon security team for really getting that sort of threat intelligence out there to the community.

Corey: Now, it's in writing, and that's something that I can cite as opposed to, “Well, I was at re:Invent and I heard—” Yeah, we saw the drink tab. We know what you might have thought you heard or saw at re:Invent.
Give us something we can take to the board.

Chris: There were a lot of us on that bar tab, so it's not all you.

Corey: Exactly. And it was my pleasure to do it, to be clear. But getting back to fwd:cloudsec, I'm going to do you a favor. Whether it's an actual favor or the word favor belongs in quotes, the way that I submit CFPs, or conference talks, is optimized because I don't want to build a talk that is never going to get picked up. Why bother to go through all the work until I have to give it somewhere?

So, I start with a catchy title and then three to five sentences. And if people accept it, great, then I get to build the talk. This is a forcing function in some ways because if you get a little delayed, they will not move the conference for you. I've checked. But the title of a talk that I think someone should submit for fwd:cloudsec is, “I Am Smarter Than You, so Cloud Security is Easy.”

And the format and the conceit of the talk is present it with sort of a stand-it-up-to-take-it-down level of approach where you are over-confident in the fact that you are smarter than everyone else and best practices don't apply to you and so much of this stuff is just security theater designed as a revenue extraction mechanism as opposed to something you should actually be doing. And talk about why none of these things matter because you use good security and you know, it's good because you came up with it and there's no way that you could come up with something that you couldn't break because you're smart. It says so right in the title and you're on stage and you have a microphone. They don't. Turn that into something. I feel like there's a great way to turn that in a bunch of different directions. I'd love to see someone give that talk.

Chris: I think Nickolas Sharp thought that too.

Corey: [laugh]. Exactly. In fact, that will be a great way to bring it back around at the end. And it's like, “And that's why I'm better at security than you are.
If you have any questions beyond this, you can reach me at whatever correctional institute I go in on Thursday.” Exactly. There's ways to make it fun and engaging. Because from my perspective, talks have to be entertaining or people don't pay attention.

Chris: They're either entertaining, or they're so new and advanced. We're definitely an advanced cloud security practice thing. They were 500 levels. Not to brag or anything, but you know, you want the two to 300-level stuff, you can go CCJ up the street. We're hitting and going above and beyond what a lot of the [unintelligible 00:27:18]—

Corey: I am not as advanced on that path as you are; I want to be very clear on this. You speak, I listen. You're one of those people when it comes to security. Because again, no one's life is hanging in the balance with respect to what I do. I am confident in our security posture here, but nothing's perfect. Everything is exploitable, on some level.

It's also not my core area of focus. It is yours. And if you are not better than I am at this, then I have done something sort of strange, or so of you, in the same way that it is a near certainty—but not absolute—that I am better at optimizing AWS bills than you are. Specialists exist for a reason and to discount that expertise is the peak of hubris. Put that in your talk.

Chris: Yeah. So, one talk I really want to see, and I've been threatening to give it for a while, is okay, if there's seventeen ways—or sorry, seventeen times two, soon to be seventeen times three ways to run containers in AWS, there's that many ways to exfiltrate credentials from those containers. What are all of those things? Do we have a holistic way of understanding, this is how credentials can be exfiltrated so that we then as defenders can go figure out, okay, how do we build detections and mitigations for this?

Corey: Yeah. I'm a huge fan of Canarytokens myself, for that exact purpose.
There are many devices I have where the only credentials in plain text on disk are things that as soon as they get used, I wind up with a bunch of things screaming at me that there's been a problem and telling me where it is. I'm not saying that my posture is impenetrable. Far from it. But you're going to have to work for it a little bit harder than running some random off-the-shelf security scanner against my AWS account and finding, oops, I forgot to turn on a bucket protection.

Chris: And the other area that I think is getting really interesting is, all of the things that have credentials into your Cloud account, whether it's something like CircleCI or GitHub. I was having a conversation with somebody just this morning and we were talking about Roles Anywhere, and I was like, “Roles Anywhere is great if you've got a good strong PKI solution and can keep that private certificate or that certificate you need safe.” If you just put it on a disk, like, you would have put your AKIA and secret on a disk, congratulations, you haven't really improved security. You've just gotten rid of the IAM users that are being flagged in your CSPM tool, and congratulations, you have, in fact, achieved security theater.

Corey: It's obnoxious, on some level. And part of the problem is cost and security are aligned and that people care about them right after they really should have cared about them. The difference is you can beg, cry, whine, et cetera to AWS for concessions, you can raise another round of funding; there have solutions with money. But security? That ship has already sailed.

Chris: Yeah. Once the data is out, the data is out. Now, I will say on the bill, you get reminded of it every month, about three or four days after. It's like, “Oh. Crap, yeah, I should have turned off that EC2 instance. I just burned $100.” Or, “Oh hey, we didn't turn off that application. I just burned $100,000.” That doesn't happen on security.
Security events tend to be few and far between; they're just much bigger when they happen.

Corey: I really want to thank you for taking the time to chat with me. I'm sure I'll have you back on between now and re:Inforce slash fwd:cloudsec or anything else we come up with that resembles an email subject line. If people want to learn more and follow along with your adventures—as they should—where's the best place for them to find you these days?

Chris: So, I am now pretty much living on Mastodon on the InfoSec Exchange. And my website, chrisfarris.com is where you can find the link to that because it's not just at, you know, whatever. You have to give the whole big long URL in Mastodon. It's no longer—

Corey: Yeah. It's like a full-on email address with weird domains.

Chris: Exactly, yeah. So, find me at http colon slash slash infosec dot exchange slash at jcfarris. Or just hit Chris Farris and follow the links. For fwd:cloudsec, we are conveniently located at fwdcloudsec.org, which is F-W-D cloud sec dot org. No colons because I don't think those are valid in whois.

Corey: Excellent choice. And of course, links to that go in the [show notes 00:31:32], so click the button. It's easier. Thanks again for your time. I really appreciate it.

Chris: Thank you.

Corey: Chris Farris, Cloud Security Nerd at Turbot slash Turbo. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment that resembles a lawsuit being filed, and then have it process-served to me because presumably, you work at Ubiquiti.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS.
We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Gandeephan Ganeshalingam is the VP of Technical Operations at WestJet and former CIO of GE Canada.

He joins Ara on this week's episode of #TheTamilCreator to discuss how leaving Toronto catalyzed his career trajectory, the importance of not delegating parenting responsibilities to others, “growing up” in the University of Lagos and Waterloo University, the changing landscape of education and work, what traits he looks for in new employees, and so much more.

Follow Gandeephan:
- LinkedIn (https://www.linkedin.com/in/gandeephan-ganeshalingam-986496197/)

Timestamps
00:19 - Ara introduces this week's guest, Gandeephan Ganeshalingam
00:54 - His parents raised three 'successful' kids; what's the secret?
02:57 - Were Gandeephan or his brothers ever annoyed at their parents?
04:52 - How his dad balanced teaching and things outside of learning
05:49 - Why he felt engineering wasn't enough; entering business
08:58 - Has the value of an MBA diminished, and why?
10:45 - Being in a position of leadership; what he looks for when hiring people
13:40 - How the future of work will evolve
16:59 - How to incentivize employees amidst the remote/hybrid revolution
19:11 - Preparing himself to move and work abroad after graduation
22:20 - Being Chief Innovation Officer at General Electric; his experience
26:30 - Dealing with shared IP at GE
28:02 - What led Gandeephan to leave GE for WestJet
30:24 - Gandeephan's role and opinion on the future of travel
33:12 - The thought leaders he looks up to and why
37:59 - A learning lesson from the last few years; appreciating talent
42:28 - The impact of networking on Gandeephan's career trajectory
44:05 - Advice he would give his 16-year-old self
47:12 - The personal legacy he wants to be remembered for
48:29 - Creator Confessions
50:41 - The Wrap Up

Intro Music
Produced And Mixed By:
- The Tamil Creator
- Yanchan
Written By:
- Aravinthan Ehamparam
- Yanchan Rajmohan
The average person probably has no idea what the FAA's Technical Operations, or Tech Ops, employees do or what an adventure the profession can be. And by adventure, we mean wild beasts, volcanoes, and camping in the middle of nowhere!

In the latest ‘The Air Up There' podcast episode, “Adventures in Safety,” we talk about the extreme nature of Tech Ops and the great lengths our technicians go to maintain the airspace infrastructure so pilots can fly safely and air traffic controllers can communicate with pilots. Warning – the content in this episode may cause wide eyes, a fast heartbeat, and shock. Listen in to hear stories from experienced technicians Jeremy Withrow and Charles Barclay, who have maintained flight navigation equipment in the unique – and extreme – environments of arctic Alaska, Hawaii and California desert. If you're down for an adventure, you may develop a newfound interest in an exciting Tech Ops career. Nevertheless, you will walk away from this episode with a much higher appreciation for these unsung heroes! If you're #TeamAdventure and #TeamSafety, visit faa.gov/jobs to learn about the career and check out our job openings to see where you could be an asset to our national airspace system. And if you liked this episode, please share.
The CIO of FAT Brands, Michael Chachula, brings the heat to our CTO Trailblazer series talking about all things technology, customer experience, marketing hacks, and how the restaurant world evolved from a show to a dance post pandemic. Are you dancing with your customers? Or still operating a static show?

Hot Takes:
- Training your guests on effectively using all the available order channels is critical to improving order accuracy and avoiding defection.
- 5 Components of FAT Brands tech organization - Technology, Data, Security, Digital, and Tech Ops.
- Best of Breed, Distilled. (hint: it's a mutt). Best of Breed is what's best for you.
- Biggest barriers facing CIO/CTOs - security, talent pool, supply chain
- Hottest trends - metaverse, bitcoin
- How FAT is building a technology toolbox that's flexible, future-proof and built on a solid foundation. Bolt-on is now glue-on. It's a living organism.
- The Vision (4 things) - Solid Foundation, Flexible Stack, Control of Data, Personalized Experiences.
- Don't give up your soul to pursue your dreams. Build a deep, rich network personally and professionally. Keep your people close, have fun at work, and include loved ones in your work travel!
- Michael's Advice - Listen and Love
Interview with Josef Waltl, CEO and Founder of Software Defined Automation

In today's midday episode we talk with Josef Waltl, CEO and Founder of Software Defined Automation, about the company's successfully closed seed financing round of 10 million US dollars. Software Defined Automation offers an Industrial-as-a-Service solution that transforms factories into software systems. The offering focuses on the cloud-based management of TechOps, DevOps and Virtual PLC. This allows proprietary silos in control technology stacks to be broken up and an API-based microservices architecture to be built. The solution thereby enables virtualization and abstraction of the control software from the industrial automation hardware, and equips manufacturers with tools to increase flexibility while ensuring deterministic control execution in real time. The automated configuration, operation, maintenance and continuous change of production facilities not only bring customers efficiency but also close the communication gap between IT and operational technology. Software Defined Automation was founded in Munich in 2021 by Josef Waltl. With its solutions, the young company promises remote work, first-class security, resilience, collaboration tools and independence from automation vendors. The Munich startup for enabling an industrial metaverse has now raised 10 million US dollars in a seed financing round led by Insight Partners. Insight Partners is a US investment firm based in New York City. The firm invests in growth-stage technology, software and internet companies. The venture capital investor has just under 100 billion US dollars in assets under management.
The venture capital firms Baukunst VC, Fly Ventures and First Momentum also participated in the round. The funds are to be used to expand customer adoption and to broaden the service portfolio. As part of the transaction, Jon Rosenbaum, Managing Director at Insight Partners, and Axel Bichara, General Partner at Baukunst, will join the board of Software Defined Automation.
About Michael

Michael is the Director of Threat Research at Sysdig, managing a team of experts tasked with discovering and defending against novel security threats. Michael has more than 20 years of industry experience in many different roles, including incident response, threat intelligence, offensive security research, and software development at companies like Rapid7, ThreatQuotient, and Mantech. Prior to joining Sysdig, Michael worked as a Gartner analyst, advising enterprise clients on security operations topics.

Links Referenced:
- Sysdig: https://sysdig.com/
- “2022 Sysdig Cloud-Native Threat Report”: https://sysdig.com/threatreport

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Something interesting about this particular promoted guest episode that is brought to us by our friends at Sysdig is that when they reached out to set this up, one of the first things out of their mouth was, “We don't want to sell anything,” which is novel. And I said, “Tell me more,” because I was also slightly skeptical. But based upon the conversations that I've had, and what I've seen, they were being honest. So, my guest today—surprising as though it may be—is Mike Clark, Director of Threat Research at Sysdig. Mike, how are you doing?

Michael: I'm doing great. Thanks for having me. How are you doing?

Corey: Not dead yet. So, we take what we can get sometimes.
You folks have just come out with the “2022 Sysdig Cloud-Native Threat Report”, which on one hand, it feels like it's kind of a wordy title, on the other it actually encompasses everything that it is, and you need every single word of that report. At a very high level, what is that thing?

Michael: Sure. So, this is our first threat report we've ever done, and it's kind of a rite of passage, I think for any security company in the space; you have to have a threat report. And the cloud-native part, Sysdig specializes in cloud and containers, so we really wanted to focus in on those areas when we were making this threat report, which talks about, you know, some of the common threats and attacks we were seeing over the past year, and we just wanted to let people know what they are and how they protect themselves.

Corey: One thing that I've found about a variety of threat reports is that they tend to excel at living in the fear, uncertainty, and doubt space. And invariably, they paint a very dire picture of the internet about to come cascading down. And then at the end, there's always a, “But there is hope. Click here to set up a meeting with us.” It's basically a very thinly-veiled cover around what is fundamentally a fear, uncertainty, and doubt-driven marketing strategy, and then it tries to turn into a sales pitch.

This does absolutely none of that. So, I have to ask, did you set out to intentionally make something that added value in that way and have contributed to the body of knowledge, or is it because it's your inaugural report; you didn't realize you were supposed to turn it into a terrible sales pitch.

Michael: We definitely went into that on purpose. There's a lot of ways to fix things, especially these days with all the different technologies, so we can easily talk about the solutions without going into specific products. And that's kind of the way we went about it. There's a lot of ways to fix each of the things we mentioned in the report.
And hopefully, the person reading it finds a good way to do it.

Corey: I'd like to unpack a fair bit of what's in the report. And let's be clear, I don't intend to read this report into a microphone; that is generally not a great way of conveying information that I have found. But I want to highlight a few things that leapt out to me that I find interesting. Before I do that, I'm curious to know, most people who write reports, especially ones of this quality, are not sitting there cogitating in their office by themselves, and they set pen to paper and emerge four days later with the finished treatise. There's a team involved, there's more than one person that weighs in. Who was behind this?

Michael: Yeah, it was a pretty big team effort across several departments. But mostly, it came to the Sysdig threat research team. It's about ten people right now. It's grown quite a bit through the past year. And, you know, it's made up of all sorts of backgrounds and expertise.

So, we have machine learning people, data scientists, data engineers, former pen-testers and red team, a lot of blue team people, people from the NSA, people from other government agencies as well. And we're also a global research team, so we have people in Europe and North America working on all of this. So, we try to get perspectives on how these threats are viewed by multiple areas, not just Silicon Valley, and express fixes that appeal to them, too.

Corey: Your executive summary on this report starts off with a cloud adversary analysis of TeamTNT. And my initial throwaway joke on that, it was going to be, “Oh, when you start off talking about any entity that isn't you folks, they must have gotten the platinum sponsorship package.” But then I read the rest of that paragraph and I realized that wait a minute, this is actually interesting and germane to something that I see an awful lot.
Specifically, they are—and please correct me if I'm wrong on any of this; you are definitionally the expert whereas I am, obviously the peanut gallery—but you talk about TeamTNT as being a threat actor that focuses on targeting the cloud via cryptojacking, which is a fanciful word for, “Okay, I've gotten access to your cloud environment; what am I going to do with it? Mine Bitcoin and other various cryptocurrencies.” Is that generally accurate or have I missed the boat somewhere fierce on that? Which is entirely possible.

Michael: That's pretty accurate. We also think it's just one person, actually, and they are very prolific. So, they were pretty hard to get that platinum support package because they are everywhere. And even though it's one person, they can do a lot of damage, especially with all the automation people can make now, one person can appear like a dozen.

Corey: There was an old t-shirt that basically encompassed everything that was wrong with the culture of the sysadmin world back in the naughts, that said, “Go away, or I will replace you with a very small shell script.” But, on some level, you can get a surprising amount of work done on computers, just with things like for loops and whatnot. What I found interesting was that you have put numbers and data behind something that I've always taken for granted and just implicitly assumed that everyone knew. This is a common failure mode that we all have. We all have blind spots where we assume the things that we spend our time on is easy and the stuff that other people are good at and you're not good at, those are the hard things.

It has always been intuitively obvious to me as a cloud economist, that when you wind up spending $10,000 in cloud resources to mine cryptocurrency, it does not generate $10,000 of cryptocurrency on the other end. In fact, the line I've been using for years is that it's totally economical to mine Bitcoin in the cloud; the only trick is you have to do it in someone else's account.
And you've taken that joke and turned it into data. Something that you found was that in one case, that you were able to attribute $8,100 of cryptocurrency that were generated by stealing $430,000 of cloud resources to do it. And oh, my God, we now have a number and a ratio, and I can talk intelligently and sound four times smarter. So, ignoring anything else in this entire report, congratulations, you have successfully turned this into what is beginning to become a talking point of mine. Value unlocked. Good work. Tell me more.

Michael: Oh, thank you. Cryptomining is kind of like viruses in the old on-prem environment. Normally it's just cleaned up and never thought of again; the antivirus software does its thing, life goes on. And I think cryptominers are kind of treated like that. Oh, there's a miner; let's rebuild the instance or bring a new container online or something like that.

So, it's often considered a nuisance rather than a serious threat. It also doesn't have the, you know, the dangerous ransomware connotation to it. So, a lot of people generally just think of it as a nuisance, as I said. So, what we wanted to show was, it's not really a nuisance and it can cost you a lot of money if you don't take it seriously. And what we found was for every dollar that they make, it costs you $53. And, you know, as you mentioned, it really puts it into view of what it could cost you by not taking it seriously. And that number can scale very quickly, just like your cloud environment can scale very quickly.

Corey: They say this cloud scales infinitely and that is not true. First, tried it; didn't work. Secondly, it scales, but there is an inherent limit, which is your budget, on some level. I promise they can add hard drives to S3 faster than you can stuff data into it. I've checked.

One thing that I've seen recently was—speaking of S3—I had someone reach out in what I will charitably refer to as a blind panic because they were using AWS to do something.
Their bill was largely $4 a month in S3 charges. Very reasonable. That carries us surprisingly far. And then they had a credential leak and they had a threat actor spin up all the Lambda functions in all of the regions, and it went from $4 a month to $60,000 a day and it wasn't caught for six days.

And then AWS as they tend to do, very straight-faced, says, “Yeah, we would like our $360,000, please.” At which point, people start panicking because a lot of the people who experience this are not themselves sophisticated customers; they're students, they're learning how this stuff works. And when I'm paying $4 a month for something, it is logical and intuitive for me to think that, well, if I wind up being sloppy with their credentials, they could run that bill up to possibly $25 a month and that wouldn't be great, so I should keep an eye on it. Yeah, you dropped a whole bunch of zeros off the end of that. Here you go. And as AWS spins up more and more regions and as they spin up more and more services, the ability to exploit this becomes greater and greater. This problem is not getting better, it is only getting worse, by a lot.

Michael: Oh, yeah, absolutely. And I feel really bad for those students who do have that happen to them. I've heard on occasion that the cloud providers will forgive some debts, but there's no guarantee of that happening, from breaches. And you know, the more that breaches happen, the less likely they are going to forgive it because they still have to pay for it; someone's paying for it in the end. And if you don't improve and fix your environment and it keeps happening, one day, they're just going to stick you with the bill.

Corey: To my understanding, they've always done the right thing when I've highlighted something to them.
I don't have intimate visibility into it and of course, they have a threat model themselves of, okay, I'm going to spin up a bunch of stuff, mine cryptocurrency for a month—cry and scream and pretend I got hacked because fraud is very much a thing, there is a financial incentive attached to this—and they mostly seem to get it right. But the danger that I see for the cloud provider is not that they're going to stop being nice and giving money away, but assume you're a student who just winds up getting more than your entire college tuition as a surprise bill for this month from a cloud provider. Even assuming at the end of that everything gets wiped and you don't owe anything. I don't know about you, but I've never used that cloud provider again because I've just gotten a firsthand lesson in exactly what those risks are, it's bad for the brand.

Michael: Yeah, it really does scare people off of that. Now, some cloud providers try to offer more proactive protections against this, try to shut down instances really quick. And you know, you can take advantage of limits and other things, but they don't make that really easy to do. And setting those up is critical for everybody.

Corey: The one cloud provider that I've seen get this right, of all things, has been Oracle Cloud, where they have an always free tier. Until you affirmatively upgrade your account to chargeable, they will not charge you a penny. And I have experimented with this extensively, and they're right, they will not charge you a penny. They do have warnings plastered on the site, as they should, that until you upgrade your account, do understand that if you exceed a threshold, we will stop serving traffic, we will stop servicing your workload. And yeah, for a student learner, that's absolutely what I want. For a big enterprise gearing up for a giant Superbowl commercial or whatnot, it's, “Yeah, don't care what it costs, just make sure you continue serving traffic.
We don't get a redo on this.” And without understanding exactly which profile of given customer falls into, whenever the cloud provider tries to make an assumption and a default in either direction, they're wrong.

Michael: Yeah, I'm surprised that Oracle Cloud of all clouds. It's good to hear that they actually have a free tier. Now, we've seen attackers have used free tiers quite a bit. It all depends on how people set it up. And it's actually a little outside the threat report, but the CI/CD pipelines in DevOps, anywhere there's free compute, attackers will try to get their miners in because it's all about scale and not quality.

Corey: Well, that is something I'd be curious to know. Because you talk about focusing specifically on cloud and containers as a company, which puts you in a position to be authoritative on this. That Lambda story that I mentioned about, surprise $60,000 a day in cryptomining, what struck me about that and caught me by surprise was not what I think would catch most people who didn't swim in this world by surprise of, “You can spend that much?” In my case, what I'm wondering about is, well hang on a minute. I did an article a year or two ago, “17 Ways to Run Containers On AWS” and listed 17 AWS services that you could use to run containers.

And a few months later, I wrote another article called “17 More Ways to Run Containers On AWS.” And people thought I was belaboring the point and making a silly joke, and on some level, of course I was. But I was also highlighting very clearly that every one of those containers running in a service could be mining cryptocurrency.
So, if you get access to someone else's AWS account, when you see those breaches happen, are people using just the one or two services they have things ready to go for, or are they proliferating as many containers as they can through every service that borderline supports it?

Michael: From what we've seen, they usually just go after a compute, like EC2 for example, as it's most well understood, it gets the job done, it's very easy to use, and then get your miner set up. So, if they happen to compromise your credentials versus the other method that cryptominers or cryptojackers do is exploitation, then they'll try to spread throughout all their EC2 they can and spin up as much as they can. But the other interesting thing is if they get into your system, maybe via an exploit or some other misconfiguration, they'll look for the IAM metadata service as soon as they get in, to try to get your IAM credentials and see if they can leverage them to also spin up things through the API. So, they'll spin up on the thing they compromised and then actively look for other ways to get even more.

Corey: Restricting the permissions that anything has in your cloud environment is important. I mean, from my perspective, if I were to have my account breached, yes, they're going to cost me a giant pile of money, but I know the magic incantations to say to AWS and worst case, everyone has a pet or something they don't want to see unfortunate things happen to, so they'll waive my fee; that's fine. The bigger concern I've got—in seriousness—I think most companies do is the data. It is the access to things in the account. In my case, I have a number of my clients' AWS bills, given that that is what they pay me to work on.

And I'm not trying to undersell the value of security here, but on the plus side that helps me sleep at night, that's only money. There are datasets that are far more damaging and valuable about that.
The worst sleep I ever had in my career came during a very brief stint I had about 12 years ago when I was the director of TechOps at Grindr, the gay dating site. At that scenario, if that data had been breached, people could very well have died. They live in countries where that winds up not being something that is allowed, or their family now winds up shunning them and whatnot. And that's the stuff that keeps me up at night. Compared to that, it's, “Well, you cost us some money and embarrassed a company.” It doesn't really rank on the same scale to me.

Michael: Yeah. I guess the interesting part is, data requires a lot of work to do something with for a lot of attackers. Like, it may be opportunistic and come across interesting data, but they need to do something with it, there's a lot more risk once they start trying to sell the data, or like you said, if it turns into something very unfortunate, then there's a lot more risk from law enforcement coming after them. Whereas with cryptomining, there's very little risk from being chased down by the authorities. Like you said, people, they rebuild things and ask AWS for credit, or whoever, and move on with their lives. So, that's one reason I think cryptomining is so popular among threat actors right now. It's just the low risk compared to other ways of doing things.

Corey: It feels like it's a nuisance. One thing that I was dreading when I got this copy of the report was that there was going to be what I see so often, which is let's talk about ransomware in the cloud, where people talk about encrypting data in S3 buckets and sneakily polluting the backups that go into different accounts and how your air-gapping and the rest. And I don't see that in the wild.
I see that in the fear-driven marketing from companies that have a thing that they say will fix that, but in practice, when you hear about ransomware attacks, it's much more frequently that it is their corporate network, it is on-premises environments, it is servers, perhaps running in AWS, but they're being treated like servers would be on-prem, and that is what winds up getting encrypted. I just don't see the attacks that everyone is warning about. But again, I am not primarily in the security space. What do you see in that area?

Michael: You're absolutely right. Like we don't see that at all, either. It's certainly theoretically possible and it may have happened, but there just doesn't seem to be that appetite to do that. Now, the reasoning? I'm not a hundred percent sure why, but I think it's easier to make money with cryptomining, even with the crypto markets the way they are. It's essentially free money, no expenses on your part.

So, maybe they're not looking because again, that requires more effort to understand especially if it's not targeted—what data is important. And then it's not exactly the same method to do the attack. There's versioning, there's all this other hoops you have to jump through to do an extortion attack with buckets and things like that.

Corey: Oh, it's high risk and feels dirty, too. Whereas if you're just, I guess, on some level, psychologically, if you're just going to spin up a bunch of coin mining somewhere and then some company finds it and turns it off, whatever. You're not, as in some cases, shaking down a children's hospital. Like that's one of those great, I can't imagine how you deal with that as a human being, but I guess it takes all types. This doesn't get us to sort of the second tentpole of the report that you've put together, specifically around the idea of supply chain attacks against containers.
There have been such a tremendous number of think pieces—thought pieces, whatever they're called these days—talking about a software bill of materials and supply chain threats. Break it down for me. What are you seeing?

Michael: Sure. So, containers are very fun because, you know, you can define things as code about what gets put on it, and they become so popular that sharing sites have popped up, like Docker Hub and other public registries, where you can easily share your container, it has everything built, set up, so other people can use it. But you know, attackers have kind of taken notice of this, too. Where anything's easy, an attacker will be. So, we've seen a lot of malicious containers be uploaded to these systems.

A lot of times, they're just hoping for a developer or user to come along and use them because your Docker Hub does have the official designation, so while they can try to pretend to be like Ubuntu, they won't be the official. But instead, they may try to see theirs and links and things like that to entice people to use theirs instead. And then when they do, it's already pre-loaded with a miner or, you know, other malware. So, we see quite a bit of these containers in Docker Hub. And they're disguised as many different popular packages.

They don't stand up to too much scrutiny, but enough that, you know, a casual looker, even Docker file may not see it. So yeah, we see a lot of—and embedded credentials and other big part that we see in these containers. That could be an organizational issue, like just a leaked credential, but you can put malicious credentials into Docker files, too, like, say an SSH private key that, you know, if they start this up, the attacker can now just log—SSH in. Or other API keys or other AWS changing commands you can put in there. You can put really anything in there, and wherever you load it, it's going to run.
So, you have to be really careful.

[midroll 00:22:15]

Corey: Years ago, I gave a talk at the conference circuit called, “Terrible Ideas in Git” that purported to teach people how to get worked through hilarious examples of misadventure. And the demos that I did on that were, well, this was fun and great, but it was really annoying resetting them every time I gave the talk, so I stuffed them all into a Docker image and then pushed that up to Docker Hub. Great. It was awesome. I didn't publicize it and talk about it, but I also just left it as an open repository there because what are you going to do? It's just a few directories in the root that have very specific contrived scenarios with Git, set up and ready to go.

There's nothing sensitive there. And the thing is called, “Terrible Ideas.” And I just kept watching the download numbers continue to increment week over week, and I took it down because it's, I don't know what people are going to do with that. Like, you see something on there and it says, “Terrible Ideas.” For all I know, some bank is like, “And that's what we're running in production now.” So, who knows?

But the idea o—not that there was necessarily anything wrong with that, but the fact that there's this theoretical possibility someone could use that or put the wrong string in if I give an example, and then wind up running something that is fairly compromisable in a serious environment was just something I didn't want to be a part of. And you see that again, and again, and again. This idea of what Docker unlocks is amazing, but there's such a tremendous risk to it. I mean, I've never understood 15 years ago, how you're going to go and spin up a Linux server on top of EC2 and just grab a community AMI and use that. It's yeah, I used to take provisioning hardware very seriously to make sure that I wasn't inadvertently using something compromised.
Here, it's like, “Oh, just grab whatever seems plausible from the catalog and go ahead and run that.” But it feels like there's so much of that, turtles all the way down.

Michael: Yeah. And I mean, even if you've looked at the Docker file, with all the dependencies of the things you download, it really gets to be difficult. So, I mean, to protect yourself, it really becomes about, like, you know, you can do the static scanning of it, looking for bad strings in it or bad version numbers for vulnerabilities, but it really comes down to runtime analysis. So, when you start the Docker container, you really need the tools to have visibility to what's going on in the container. That's the only real way to know if it's safe or not in the end because you can't eyeball it and really see all that, and there could be a binary assortment of layers, too, that'll get run and things like that.

Corey: Hell is other people's workflows, as I'm sure everyone's experienced themselves, but one of mine has always been that if I'm doing something as a proof of concept to build it up on a developer box—and I do keep my developer environments for these sorts of things isolated—I will absolutely go and grab something that is plausible-looking from Docker Hub as I go down that process. But when it comes time to wind up putting it into a production environment, okay, now we're going to build our own resources. Yeah, I'm sure the Postgres container or whatever it is that you're using is probably fine, but just so I can sleep at night, I'm going to take the public Docker file they have, and I'm going to go ahead and build that myself. And I feel better about doing that rather than trusting some rando user out there and whatever it is that they've put up there.
Which on the one hand feels like a somewhat responsible thing to do, but on the other, it feels like I'm only fooling myself because some rando putting things up there is kind of what the entire open-source world is, to a point.

Michael: Yeah, that's very true. At some point, you have to trust some product or some foundation to have done the right thing. But what's also true about containers is they're attacked and used for attacks, but they're also used to conduct attacks quite a bit. And we saw a lot of that with the Russian-Ukrainian conflict this year. Containers were released that were preloaded with denial-of-service software that automatically collected target lists from, I think, GitHub they were hosted on.

So, all a user to get involved had to do was really just get the container and run it. That's it. And now they're participating in this cyberwar kind of activity. And they could also use this to put on a botnet or if they compromise an organization, they could spin up at all these instances with that Docker container on it. And now that company is implicated in that cyber war. So, they can also be used for evil.

Corey: This gets to the third point of your report: “Geopolitical conflict influences attacker behaviors.” Something that happened in the early days of the Russian invasion was that a bunch of open-source maintainers would wind up either disabling what their software did or subverting it into something actively harmful if it detected it was running in the Russian language and/or in a Russian timezone. And I understand the desire to do that, truly I do. I am no Russian apologist.
Let's be clear.

But the counterpoint to that as well is that, well, to make a reference I made earlier, Russia has children's hospitals, too, and you don't necessarily know the impact of fallout like that, not to mention that you have completely made it untenable to use anything you're doing for a regulated industry or anyone else who gets caught in that and discovers that is now in their production environment. It really sets a lot of stuff back. I've never been a believer in that particular form of vigilantism, for lack of a better term. I'm not sure that I have a better answer, let's be clear. I just, I always knew that, on some level, the risk of opening that Pandora's box were significant.

Michael: Yeah. Even if you're doing it for the right reasons. It still erodes trust.

Corey: Yeah.

Michael: Especially it erodes trust throughout open-source. Like, not just the one project because you'll start thinking, “Oh, how many other projects might do this?” And—

Corey: Wait, maybe those dirty hippies did something in our—like, I don't know, they've let those people anywhere near this operating system Linux thing that we use? I don't think they would have done that. Red Hat seems trustworthy and reliable. And it's yo, [laugh] someone needs to crack open a history book, on some level. It's a sticky situation.

I do want to call out something here that it might be easy to get the wrong idea from the summary that we just gave. Very few things wind up raising my hackles quite like companies using tragedy to wind up shilling whatever it is they're trying to sell. And I'll admit when I first got this report, and I saw, “Oh, you're talking about geopolitical conflict, great.” I'm not super proud of this, but I was prepared to read you the riot act, more or less when I inevitably got to that. And I never did. Nothing in this entire report even hints in that direction.

Michael: Was it you never got to it, or, uh—

Corey: Oh, no. I've read the whole thing, let's be clear.
You're not using that to sell things in the way that I was afraid you were. And simultaneously I want to say—I want to just point that out because that is laudable. At the same time, I am deeply and bitterly resentful that that even is laudable. That should be the common state.

Capitalizing on tragedy is just not something that ever leaves any customer feeling good about one of their vendors, and you've stayed away from that. I just want to call that out as doing the right thing.

Michael: Thank you. Yeah, it was actually a big topic about how we should broach this. But we have a good data point on right after it started, there was a huge spike in denial-of-service installs. And that we have a bunch of data collection technology, honeypots and other things, and we saw the day after cryptomining started going down and denial-of-service installs started going up. So, it was just interesting how that community changed their behaviors, at least for a time, to participate in whatever you want to call it, the hacktivism.

Over time, though, it kind of has gone back to the norm where maybe they've gotten bored or something or, you know, run out of funds, but they're starting cryptomining again. But these events can cause big changes in the hacktivism community. And like I mentioned, it's very easy to get involved. We saw over 150,000 downloads of those pre-canned denial-of-service containers, so it's definitely something that a lot of people participated in.

Corey: It's a truism that war drives innovation and different ways of thinking about things. It's a driver of progress, which says something deeply troubling about us. But it's also clear that it serves as a driver for change, even in this space, where we start to see different applications of things, we see different threat patterns start to emerge.
And one thing I do want to call out here that I think often gets overlooked in the larger ecosystem and industry as a whole is, “Well, no one's going to bother to hack my nonsense. I don't have anything interesting for them to look at.”

And it's, on some level, an awful lot of people running tools like this aren't sophisticated enough themselves to determine that. And combined with your first point in the report as well that, well, you have an AWS account, don't you? Congratulations. You suddenly have enormous piles of money—from their perspective—sitting there relatively unguarded. Yay. Security has now become everyone's problem, once again.

Michael: Right. And it's just easier now. It means, it was always everyone's problem, but now it's even easier for attackers to leverage almost everybody. Like before, you had to get something on your PC. You had to download something. Now, your search of GitHub can find API keys, and then that's it, you know? Things like that will make it game over or your account gets compromised and big bills get run up. And yeah, it's very easy for all that to happen.

Corey: Ugh. I do want to ask at some point, and I know you asked me not to do it, but I'm going to do it anyway because I have this sneaking suspicion that given that you've spent this much time on studying this problem space, that you probably, as a company, have some answers around how to address the pain that lives in these problems. What exactly, at a high level, is it that Sysdig does? Like, how would you describe that in an elevator without sabotaging the elevator for 45 minutes to explain it in depth to someone?

Michael: So, I would describe it as threat detection and response for cloud containers and workloads in general. And all the other kind of acronyms for cloud, like CSPM, CIEM.

Corey: They're inventing new and exciting acronyms all the time.
And I honestly at this point, I want to have almost an acronym challenge of, “Is this a cybersecurity acronym or is it an audio cable? Which is it?” Because it winds up going down that path, super easily. I was at RSA walking the expo floor and I had I think 15 different companies I counted pitching XDR, without a single one bothering to explain what that meant. Okay, I guess it's just the thing we've all decided we need. It feels like security people selling to security people, on some level.

Michael: I was a Gartner analyst.

Corey: Yeah. Oh… that would do it then. Terrific. So, it's partially your fault, then?

Michael: No. I was going to say, don't know what it means either.

Corey: Yeah.

Michael: So, I have no idea [laugh]. I couldn't tell you.

Corey: I'm only half kidding when I say in many cases, from the vendor perspective, it seems like what it means is whatever it is they're trying to shoehorn the thing that they built into filling. It's kind of like observability. Observability means what we've been doing for ten years already, just repurposed to catch the next hype wave.

Michael: Yeah. The only thing I really understand is: detection and response is a very clear detect things and respond to things. So, that's a lot of what we do.

Corey: It's got to beat the default detection mechanism for an awful lot of companies who in years past have found out that they have gotten breached in the headline of The New York Times. Like it's always fun when that, “Wait, what? What? That's u—what? How did we not know this was coming?”

It's when a third party tells you that you've been breached, it's never as positive—not that it's a positive experience anyway—than discovering yourself internally.
And this stuff is complicated, the entire space is fraught, and it always feels like no matter how far you go, you could always go further, but left to its inevitable conclusion, you'll burn through the entire company budget purely on security without advancing the other things that company does.
Michael: Yeah.
Corey: It's a balance.
Michael: It's tough because it's a lot to know in the security discipline, so you have to balance how much you're spending and how much your people actually know and can use the things you've spent money on.
Corey: I really want to thank you for taking the time to go through the findings of the report for me. I had skimmed it before we spoke, but talking to you about this in significantly more depth, every time I start going to cite something from it, I find myself coming away more impressed. This is now actively going on my calendar to see what the 2023 version looks like. Congratulations, you've gotten me hooked. If people want to download a copy of the report for themselves, where should they go to do that?
Michael: They could just go to sysdig.com/threatreport. There's no email blocking or gating, so you just download it.
Corey: I'm sure someone in your marketing team is twitching at that. Like, why can't we wind up using this as a lead magnet? But ugh. I look at this and my default is, oh, wow, you definitely understand your target market. Because we all hate that stuff. Every mandatory field you put on those things makes it less likely I'm going to download something here. Click it and have a copy that's awesome.
Michael: Yep. And thank you for having me. It's a lot of fun.
Corey: No, thank you for coming. Thanks for taking so much time to go through this, and thanks for keeping it to the high road, which I did not expect to discover because no one ever seems to. Thanks again for your time. I really appreciate it.
Michael: Thanks. Have a great day.
Corey: Mike Clark, Director of Threat Research at Sysdig.
I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry comment pointing out that I didn't disclose the biggest security risk at all to your AWS bill, an AWS Solutions Architect who is working on commission.
Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Announcer: This has been a HumblePod production. Stay humble.
Wolfman and Kalnock from Dragon Con's Tech-Ops school Leigh and Jon on the proper way to roll cables, crawl under stages, and run through crowds of people with 55 inch TVs. We really want to hear from you! Call our DODC comment line – (813) 321-0884 Also, be sure to check out our Facebook and Twitter social […] The post 50 Days Of Dragon Con 2022 (Day 48) – Technically Speaking first appeared on The Unique Geek.
In the early 1990s, many kids got into programming video games. Tina Huang enjoyed developing her GeoCities site but not making games. Huang loved automating her website. "It is not a lie to say that what got me excited about coding was automation," said Huang, co-founder of Transposit, in this week's episode of The New Stack Makers as part of our Tech Founder Series. "Now, you're probably going to think to yourself: 'what middle school kid likes automation?'" Huang loved the idea of automating mundane tasks with a bit of code, so she did not have to type by hand, just like Rosie the Robot from The Jetsons, the robot people want: there to fold your laundry but not to take the joy away from what people like to do. Huang is like many of the founders we interview. Her job can be what she wants it to be. But Huang also has to take care of everything that needs to get done. All the work comes down to what the Transposit site says on the home page: Bring calm to the chaos. Through connected workflows, give TechOps and SREs visibility, context, and actionability across people, processes, and APIs. The statements reflect her own experience in using automation to provide high-quality information. "I've always been swimming upstream against the tide when I worked at companies like Google and Twitter, where, you know, the tagline for Google News back then was 'News by Robots,'" Huang said. "The ideal in their mind was how do you get robots to do all the news reporting. And that is funny because now I think we have a different opinion. But at the time, it was popular to think news by robots would be more factual, more democratic." Huang worked on a project at Google exploring how to use algorithms for the first pass of curation, so that human editors could then go in and add that human touch to the news. The work reflected her love for long-form journalism and that human touch to information. Transposit offers a similar next level of integration. Any RSS fans out there?
Huang has a love/hate relationship with RSS. She loves it for what it can feed, but if the feed is not filtered, then it becomes overwhelming. Getting inundated with information happens when multiple integrations start to layer from Slack, for example, and other sources. "And suddenly, you're inundated with information because it was information designed for the consumption by machines, not at the human scale," Huang said. "You need that next layer of curation on top of it. Like how do you allow people to annotate that information?" Providing a choice in subscriptions can help. But at what level? And that's one of the areas that Huang hopes to tackle with Transposit.
About Sheeri
After almost 2 decades as a database administrator and award-winning thought leader, Sheeri Cabral pivoted to technical product management. Her super power of “new customer” empathy informs her presentations and explanations. Sheeri has developed unique insights into working together and planning, having survived numerous reorganizations, “best practices”, and efficiency models. Her experience is the result of having worked at everything from scrappy startups such as Guardium – later bought by IBM – to influential tech companies like Mozilla and MongoDB, to large established organizations like Salesforce.
Links Referenced:
Collibra: https://www.collibra.com
WildAid GitHub: https://github.com/wildaid
Twitter: https://twitter.com/sheeri
Personal Blog: https://sheeri.org
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: This episode is sponsored by our friends at Fortinet. Fortinet's partnership with AWS is a better-together combination that ensures your workloads on AWS are protected by best-in-class security solutions powered by comprehensive threat intelligence and more than 20 years of cybersecurity experience. Integrations with key AWS services simplify security management, ensure full visibility across environments, and provide broad protection across your workloads and applications. Visit them at AWS re:Inforce to see the latest trends in cybersecurity on July 25-26 at the Boston Convention Center. Just go over to the Fortinet booth and tell them Corey Quinn sent you and watch for the flinch. My thanks again to my friends at Fortinet.
Corey: Let's face it, on-call firefighting at 2am is stressful!
So there's good news and there's bad news. The bad news is that you probably can't prevent incidents from happening, but the good news is that incident.io makes incidents less stressful and a lot more valuable. incident.io is a Slack-native incident management platform that allows you to automate incident processes, focus on fixing the issues and learn from incident insights to improve site reliability and fix your vulnerabilities. Try incident.io, recover faster and sleep more.
Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. My guest today is Sheeri Cabral, who's a Senior Product Manager of ETL lineage at Collibra. And that is an awful lot of words that I understand approximately none of, except maybe manager. But we'll get there. The origin story has very little to do with that. I was following Sheeri on Twitter for a long time and really enjoyed the conversations that we had back and forth. And over time, I started to realize that there were a lot of things that didn't necessarily line up. And one of the more interesting and burning questions I had is, what is it you do, exactly? Because you're all over the map. First, thank you for taking the time to speak with me today. And what is it you'd say it is you do here? To quote a somewhat bizarre and aged movie now.
Sheeri: Well, since your listeners are technical, I do like to match what I say with the audience. First of all, hi. Thanks for having me. I'm Sheeri Cabral. I am a product manager for technical and ETL tools and I can break that down for this technical audience. If it's not a technical audience, I might say something—like if I'm at a party, and people ask what I do—I'll say, “I'm a product manager for technical data tool.” And if they ask what a product manager does, I'll say I helped make sure that, you know, we deliver a product the customer wants.
So, you know, ETL tools are tools that transform, extract, and load your data from one place to another.
Corey: Like AWS Glue, but for some of them, reportedly, you don't have to pay AWS by the gigabyte-second.
Sheeri: Correct. Correct. We actually have an AWS Glue technical lineage tool in beta right now. So, the technical lineage is how data flows from one place to another. So, when you're extracting, possibly transforming, and loading your data from one place to another, you're moving it around; you want to see where it goes. Why do you want to see where it goes? Glad you asked. You didn't really ask. Do you care? Do you want to know why it's important?
Corey: Oh, I absolutely do. Because it's—again, people who are, like, “What do you do?” “Oh, it's boring, and you won't care.” It's like when people aren't even excited themselves about what they work on, it's always a strange dynamic. There's a sense that people aren't really invested in what they do. I'm not saying you have to have this overwhelming passion and do this in your spare time, necessarily, but you should, at least in an ideal world, like what you do enough to light up a bit when you talk about it. You very clearly do. I'm not wanting to stop you. Please continue.
Sheeri: I do. I love data and I love helping people. So, technical lineage does a few things. For example, a DBA—which I used to be a DBA—can use technical lineage to predict the impact of a schema update or migration, right? So, if I'm going to change the name of this column, what uses it downstream? What's going to be affected? What scripts do I need to change? Because if the name changes other thing—you know, then I need to not get errors everywhere. And from a data governance perspective, which Collibra is data governance tool, it helps organizations see if, you know, you have private data in a source, does it remain private throughout its journey, right?
So, you can take a column like email address or government ID number and see where it's used down the line, right? GDPR compliance, CCPA compliance. The CCPA is a little newer; people might not know that acronym. It's California Consumer Privacy Act. I forget what GDPR is, but it's another privacy act. It also can help the business see where data comes from so if you have technical lineage all the way down to your reports, then you know whether or not you can trust the data, right? So, you have a report and it shows salary ranges for job titles. So, where did the data come from? Did it come from a survey? Did it come from job sites? Or did it come from a government source like the IRS, right? So, now you know, like, what you get to trust the most.
Corey: Wait, you can do that without a blockchain? I kid, I kid, I kid. Please don't make me talk about blockchains. No, it's important. The provenance of data, being able to establish a almost a chain-of-custody style approach for a lot of these things is extraordinarily important.
Sheeri: Yep.
Corey: I was always a little hazy on the whole idea of ETL until I started, you know, working with large-volume AWS bills. And it turns out that, “Well, why do you have to wind up moving and transforming all of these things?” “Oh, because in its raw form, it's complete nonsense. That's why. Thank you for asking.” It becomes a problem—
Sheeri: [laugh]. Oh, I thought you're going to say because AWS has 14 different products for things, so you have to move it from one product to the other to use the features.
Corey: And two of them are good. It's a wild experience.
Sheeri: [laugh].
Corey: But this is also something of a new career for you. You were a DBA for a long time. You're also incredibly engaging, you have a personality, you're extraordinarily creative, and that—if I can slander an entire profession for a second—does not feel like it is a common DBA trait. It's right up there with an overly creative accountant.
When your accountant has done a stand-up comedy, you're watching and you're laughing and thinking, “I am going to federal prison.” It's one of those weird things that doesn't quite gel, if we're speaking purely in terms of stereotypes. What has your career been like?
Sheeri: I was a nerd growing up. So, to kind of say, like, I have a personality, like, my personality is very nerdish. And I get along with other nerdy people and we have a lot of fun, but when I was younger, like, when I was, I don't know, seven or eight, one of the things I really love to do is I had a penny collection—you know, like you do—and I love to sort it by date. So, in the states anyway, we have these pennies that have the date that they were minted on it. And so, I would organize—and I probably had, like, five bucks worth a pennies. So, you're talking about 500 pennies and I would sort them and I'd be like, “Oh, this is 1969. This was 1971.” And then when I was done, I wanted to sort things more, so I would start to, like, sort them in order how shiny the pennies were. So, I think that from an early age, it was clear that I wanted to be a DBA from that sorting of my data and ordering it, but I never really had a, like, “Oh, I want to be this when I grew up.” I kind of had a stint when I was in, like, middle school where I was like, maybe I'll be a creative writer and I wasn't as creative a writer as I wanted to be, so I was like, “Ah, whatever.” And I ended up actually coming to computer science just completely through random circumstance. I wanted to do neuroscience because I thought it was completely fascinating at how the brain works and how, like, you and I are, like, 99.999—we're, like, five-nines the same except for, like, a couple of genetic, whatever. But, like, how our brain wiring right how the neuron, how the electricity flows through it—
Corey: Yeah, it feels like I want to store a whole bunch of data, that's okay. I'll remember it. I'll keep it in my head.
And you're, like, rolling up the sleeves and grabbing, like, the combination software package off the shelf and a scalpel. Like, “Not yet, but you're about to.” You're right, there is an interesting point of commonality on this. It comes down to almost data organization and the—
Sheeri: Yeah.
Corey: —relationship between data nodes if that's a fair assessment.
Sheeri: Yeah. Well, so what happened was, so I went to university and in order to take introductory neuroscience, I had to take, like, chemistry, organic chemistry, biology, I was basically doing a pre-med track. And so, in the beginning of my junior year, I went to go take introductory neuroscience and I got a D-minus. And a D-minus level doesn't even count for the major. And I'm like, “Well, I want to graduate in three semesters.” And I had this—I got all my requirements done, except for the pesky little major thing. So, I was already starting to take, like, a computer science, you know, basic courses and so I kind of went whole-hog, all-in did four or five computer science courses a semester and got my degree in computer science. Because it was like math, so it kind of came a little easy to me. So taking, you know, logic courses, and you know, linear algebra courses was like, “Yeah, that's great.” And then it was the year 2000, when I got my bachelor's, the turn of the century. And my university offered a fifth-year master's degree program. And I said, I don't know who's going to look at me and say, conscious bias, unconscious bias, “She's a woman, she can't do computer science, so, like, let me just get this master's degree.” I, like, fill out a one page form, I didn't have to take a GRE. And it was the year 2000. You were around back then. You know what it was like. The jobs were like—they were handing jobs out like candy. I literally had a friend who was like, “My company”—that he founded.
He's like, just come, you know, it's Monday in May—“Just start, you will just bring your resume the first day and we'll put it on file.” And I was like, no, no, I have this great opportunity to get a master's degree in one year at 25% off the cost because I got a tuition reduction or whatever for being in the program. I was like, “What could possibly go wrong in one year?” And what happened was his company didn't exist the next year, and, like, everyone was in a hiring freeze in 2001. So, it was the best decision I ever made without really knowing because I would have had a job for six months had been laid off with everyone else at the end of 2000 and… and that's it. So, that's how I became a DBA is I, you know, got a master's degree in computer science, really wanted to use databases. There weren't any database jobs in 2001, but I did get a job as a sysadmin, which we now call SREs.
Corey: Well, for some of the younger folks in the audience, I do want to call out the fact that regardless of how they think we all rode dinosaurs to school, databases did absolutely exist back in that era. There's a reason that Oracle is as large as it is of a company. And it's not because people just love doing business with them, but technology was head and shoulders above everything else for a long time, to the point where people worked with them in spite of their reputation, not because of it. These days, it seems like in the database universe, you have an explosion of different options and different ways that are great at different things. The best, of course, is Route 53 or other DNS TXT records. Everything else is competing for second place on that. But no matter what it is, you're after, there are options available. This was not the case back then. It was like, you had a few options, all of them with serious drawbacks, but you had to pick your poison.
Sheeri: Yeah. In fact, I learned on Postgres in university because you know, that was freely available.
And you know, you'd like, “Well, why not MySQL? Isn't that kind of easier to learn?” It's like, yeah, but I went to college from '96 to 2001. MySQL 1.0 or whatever was released in '95. By the time I graduated, it was six years old.
Corey: And academia is not usually the early adopter of a lot of emerging technologies like that. That's not a dig on them any because otherwise, you wind up with a major that doesn't exist by the time that the first crop of students graduates.
Sheeri: Right. And they didn't have, you know, transactions. They didn't have—they barely had replication, you know? So, it wasn't a full-fledged database at the time. And then I became a MySQL DBA. But yeah, as a systems administrator, you know, we did websites, right? We did what web—are they called web administrators now? What are they called? Web admins? Webmaster?
Corey: Web admins, I think that they became subsumed into sysadmins, by and large and now we call them DevOps, or SRE, which means the exact same thing except you get paid 60% more and your primary job is arguing about which one of those you're not.
Sheeri: Right. Right. Like we were still separated from network operations, but database stuff that stuff and, you know, website stuff, it's stuff we all did, back when your [laugh] webmail was your Horde based on PHP and you had a database behind it. And yeah, it was fun times.
Corey: I worked at a whole bunch of companies in that era. And that's where basically where I formed my early opinion of a bunch of DBA-leaning sysadmins. Like the DBA in and a lot of these companies, it was, I don't want to say toxic, but there's a reason that if I were to say, “I'm writing a memoir about a career track in tech called The Legend of Surly McBastard,” people are going to say, “Oh, is it about the DBA?” There's a reason behind this.
It always felt like there was a sense of elitism and a sense of, “Well, that's not my job, so you do your job, but if anything goes even slightly wrong, it's certainly not my fault.” And to be fair, all of these fields have evolved significantly since then, but a lot of those biases that started early in our career are difficult to shake, particularly when they're unconscious.
Sheeri: They are. I'd never ran into that person. Like, I never ran into anyone who—like a developer who treated me poorly because the last DBA was a jerk and whatever, but I heard a lot of stories, especially with things like granting access. In fact, I remember, my first job as an actual DBA and not as a sysadmin that also the DBA stuff was at an online gay dating site, and the CTO rage-quit. Literally yelled, stormed out of the office, slammed the door, and never came back. And a couple of weeks later, you know, we found out that the customer service guys who were in-house—and they were all guys, so I say guys although we also referred to them as ladies because it was an online gay dating site.
Corey: Gals works well too, in those scenarios. “Oh, guys is unisex.” “Cool. So's ‘gals’ by that theory. So gals, how we doing?” And people get very offended by that and suddenly, yeah, maybe ‘folks’ is not a terrible direction to go in. I digress. Please continue.
Sheeri: When they hired me, they were like, are you sure you're okay with this? I'm like, “I get it. There's, like, half-naked men posters on the wall. That's fine.” But they would call they'd be, like, “Ladies, let's go to our meeting.” And I'm like, “Do you want me also?” Because I had to ask because that was when ladies actually might not have included me because they meant, you know.
Corey: I did a brief stint myself as the director of TechOps at Grindr. That was a wild experience in a variety of different ways.
Sheeri: Yeah.
Corey: It's over a decade ago, but it was still this… it was a very interesting experience in a bunch of ways.
And still, to this day, it remains the single biggest source of InfoSec nightmares that kept me awake at night. Just because when I'm working at a bank—which I've also done—it's only money, which sounds ridiculous to say, especially if you're in a regulated profession, but here in reality where I'm talking about it, it's I'm dealing instead, with cool, this data leaks, people will die. Most of what I do is not life or death, but that was and that weighed very heavily on me.
Sheeri: Yeah, there's a reason I don't work for a bank or a hospital. You know, I make mistakes. I'm human, right?
Corey: There's a reason I work on databases for that exact same reason. Please, continue.
Sheeri: Yeah. So, the CTO rage-quit. A couple of weeks later, the head of customer service comes to me and be like, “Can we have his spot as an admin for customer service?” And I'm like, “What do you mean?” He's like, “Well, he told us, we had, like, ten slots of permission and he was one of them so we could have, like, nine people.” And, like, I went and looked, and they put permission in the htaccess file. So, this former CTO had just wielded his power to be like, “Nope, can't do that. Sorry, limitations.” When there weren't any. I'm like, “You could have a hundred. You want every customer service person to be an admin? Whatever. Here you go.” So, I did hear stories about that. And yeah, that's not the kind of DBA I was.
Corey: No, it's the more senior you get, the less you want to have admin rights on things. But when I leave a job, like, the number one thing I want you to do is revoke my credentials. Not—
Sheeri: Please.
Corey: Because I'm going to do anything nefarious; because I don't want to get blamed for it. Because we have a long standing tradition in tech at a lot of places of, “Okay, something just broke. Whose fault is it? Well, who's the most recent person to leave the company?
Let's blame them because they're not here to refute the character assassination and they're not going to be angling for a raise here; the rest of us are so let's see who we can throw under the bus that can't defend themselves.” Never a great plan.
Sheeri: Yeah. So yeah, I mean, you know, my theory in life is I like helping. So, I liked helping developers as a DBA. I would often run workshops to be like, here's how to do an explain and find your explain plan and see if you have indexes and why isn't the database doing what you think it's supposed to do? And so, I like helping customers as a product manager, right? So…
Corey: I am very interested in watching how people start drifting in a variety of different directions. It's a, you're doing product management now and it's an ETL lineage product, it is not something that is directly aligned with your previous positioning in the market. And those career transitions are always very interesting to me because there's often a mistaken belief by people in their career realizing they're doing something they don't want to do. They want to go work in a different field and there's this pervasive belief that, “Oh, time for me to go back to square one and take an entry level job.” No, you have a career. You have experience. Find the orthogonal move. Often, if that's challenging because it's too far apart, you find the half-step job that blends the thing you do now with something a lot closer, and then a year or two later, you complete the transition into that thing. But starting over from scratch, it's why would you do that? I can't quite wrap my head around jumping off the corporate ladder to go climb another one. You very clearly have done a lateral move in that direction into a career field that is surprisingly distant, at least in my view. How'd that happen?
Sheeri: Yeah, so after being on call for 18 years or so, [laugh] I decided—no, I had a baby, actually. I had a baby. He was great. And then I another one.
But after the first baby, I went back to work, and I was on call again. And you know, I had a good maternity leave or whatever, but you know, I had a newborn who was six, eight months old and I was getting paged. And I was like, you know, this is more exhausting than having a newborn. Like, having a baby who sleeps three hours at a time, like, in three hour chunks was less exhausting than being on call. Because when you have a baby, first of all, it's very rare that they wake up and crying in the midnight it's an emergency, right? Like they have to go to the hospital, right? Very rare. Thankfully, I never had to do it. But basically, like, as much as I had no brain cells, and sometimes I couldn't even go through this list, right: they need to be fed; they need to be comforted; they're tired, and they're crying because they're tired, right, you can't make them go to sleep, but you're like, just go to sleep—what is it—or their diaper needs changing, right? There's, like, four things. When you get that beep of that pager in the middle of the night it could be anything. It could be logs filling up disk space, you're like, “Alright, I'll rotate the logs and be done with it.” You know? It could be something you need snoozed.
Corey: “Issue closed. Status, I no longer give a shit what it is.” At some point, it's one of those things where—
Sheeri: Replication lag.
Corey: Right.
Sheeri: Not actionable.
Corey: Don't get me started down that particular path. Yeah. This is the area where DBAs and my sysadmin roots started to overlap a bit. Like, as the DBA was great at data analysis, the table structure and the rest, but the backups of the thing, of course that fell to the sysadmin group. And replication lag, it's, “Okay.” “It's doing some work in the middle of the night; that's normal, and the network is fine. And why are you waking me up with things that are not actionable?
Stop it.” I'm yelling at the computer at that point, not the person—
Sheeri: Right, right.
Corey: —to be very clear. But at some point, it's don't wake me up with trivial nonsense. If I'm getting woken up in the middle of the night, it better be a disaster. My entire business now is built around a problem that's business-hours only for that explicit reason. It's the not wanting to deal with that. And I don't envy that, but product management. That's a strange one.
Sheeri: Yeah, so what happened was, I was unhappy at my job at the time, and I was like, “I need a new job.” So, I went to, like, the MySQL Slack instance because that was 2018, 2019. Very end of 2018, beginning of 2019. And I said, “I need something new.” Like, maybe a data architect, or maybe, like, a data analyst, or data scientist, which was pretty cool. And I was looking at data scientist jobs, and I was an expert MySQL DBA and it took a long time for me to be able to say, “I'm an expert,” without feeling like oh, you're just ballooning yourself up. And I was like, “No, I'm literally a world-renowned expert DBA.” Like, I just have to say it and get comfortable with it. And so, you know, I wasn't making a junior data scientist's salary. [laugh]. I am the sole breadwinner for my household, so at that point, I had one kid and a husband and I was like, how do I support this family on a junior data scientist's salary when I live in the city of Boston? So, I needed something that could pay a little bit more. And a former I won't even say coworker, but colleague in the MySQL world—because it was the MySQL Slack after all—said, “I think you should come at MongoDB, be a product manager like me.”
Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally.
Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.
Corey: If I've ever said, “Hey, you should come work with me and do anything like me,” people will have the blood drain from their face. And like, “What did you just say to me? That's terrible.” Yeah, it turns out that I have very hard to explain slash predict, in some ways. It's always fun. It's always wild to go down that particular path, but, you know, here we are.
Sheeri: Yeah. But I had the same question everybody else does, which was, what's a product manager? What does the product manager do? And he gave me a list of things a product manager does, which there was some stuff that I had the skills for, like, you have to talk to customers and listen to them. Well, I've done consulting. I could get yelled at; that's fine. You can tell me things are terrible and I have to fix it. I've done that. No problem with that. Then there are things like you have to give presentations about how features were okay, I can do that. I've done presentations. You know, I started the Boston MySQL Meetup group and ran it for ten years until I had a kid and foisted it off on somebody else. And then the things that I didn't have the skills in, like, running a beta program were like, “Ooh, that sounds fascinating. Tell me more.” So, I was like, “Yeah, let's do it.” And I talked to some folks, they were looking for a technical product manager for MongoDB's sharding product.
And they had been looking for someone, like, insanely technical for a while, and they found me; I'm insanely technical. And so, that was great. And so, for a year, I did that at MongoDB. One of the nice things about them is that they invest in people, right? So, my manager left, the team was like, we really can't support someone who doesn't have the product management skills that we need yet because you know, I wasn't a master in a year, believe it or not. And so, they were like, “Why don't you find another department?” I was like, “Okay.” And I ended up finding a place in engineering communications, doing, like, you know, some keynote demos, doing some other projects and stuff. And then after—that was a kind of a year-long project, and after that ended, I ended up doing product management for developer relations at MongoDB. Also, this was during the pandemic, right, so this is 2019, until '21; beginning of 2019, to end of 2020, so it was, you know, three full years. You know, I kind of like woke up from the pandemic fog and I was like, “What am I doing? Do I want to really want to be a content product manager?” And I was like, “I want to get back to databases.” One of the interesting things I learned actually in looking for a job because I did it a couple of times at MongoDB because I changed departments and I was also looking externally when I did that. I had the idea when I became a product manager, I was like, “This is great because now I'm product manager for databases and so, I'm kind of leveraging that database skill and then I'll learn the product manager stuff. And then I can be a product manager for any technical product, right?”

Corey: I like the idea. On some level, it feels like the product managers likeliest to succeed at least have a grounding or baseline in the area that they're in. This gets into the age-old debate of how important is industry-specific experience? Very often you'll see a bunch of job ads just put that in as a matter of course.
And for some roles, yeah, it's extremely important. For other roles it's—for example, I don't know, hypothetically, you're looking for someone to fix the AWS bill, it doesn't necessarily matter whether you're a services company, a product company, or a VC-backed company whose primary output is losing money, it doesn't matter because it's a bounded problem space and that does not transform much from company to company. Same story with sysadmin types to be very direct. But the product stuff does seem to get into that industry specific stuff.

Sheeri: Yeah, and especially with tech stuff, you have to understand what your customer is saying when they're saying, “I have a problem doing X and Y,” right? The interesting part of my folly in that was that part of the time that I was looking was during the pandemic, when you know, everyone was like, “Oh, my God, it's a seller's market. If you're looking for a job, employers are chomping at the bit for you.” And I had trouble finding something because so many people were also looking for jobs, that if I went to look for something, for example, as a storage product manager, right—now, databases and storage solutions have a lot in common; databases are storage solutions, in fact; but file systems and databases have much in common—but all that they needed was one person with file system experience that had more experience than I did in storage solutions, right? And they were going to choose them over me. So, it was an interesting kind of wake-up call for me that, like, yeah, probably data and databases are going to be my niche. And that's okay because that is literally why they pay me the literal big bucks. If I'm going to go niche that I don't have 20 years of experience and they shouldn't pay me as big a bucks right?

Corey: Yeah, depending on what you're doing, sure. I don't necessarily believe in the idea that well you're new to this particular type of role so we're going to basically pay you a lot less.
From my perspective it's always been, like, there's a value in having a person in a role. The value to the company is X and, “Well, I have an excuse now to pay you less for that,” has never resonated with me. It's if you're not, I guess, worth—the value-added not worth being paid what the stated rate for a position is, you are probably not going to find success in that role and the role has to change. That has always been my baseline operating philosophy. Not to yell at people on this, but it's, uh, I am very tired of watching companies more or less dunk on people from a position of power.

Sheeri: Yeah. And I mean, you can even take the power out of that and take, like, location-based. And yes, I understand the cost of living is different in different places, but why do people get paid differently if the value is the same? Like if I want to get a promotion, right, my company is going to be like, “Well, show me how you've added value. And we only pay your value. We don't pay because—you know, you don't just automatically get promoted after seven years, right? You have to show the value and whatever.” Which is, I believe, correct, right? And yet, there are seniority things, there are this many years experience. And you know, there's the old caveat of do you have ten years experience or do you have two years of experience five times?

Corey: That is the big problem is that there has to be a sense of movement that pushes people forward. You're not the first person that I've had on the show and talked to about a 20 year career. But often, I do wind up talking to folks as I move through the world where they basically have one year of experience repeated 20 times. And as the industry continues to evolve and move on and skill sets don't keep current, in some cases, it feels like they have lost touch, on some level.
And they're talking about the world that was and still is in some circles, but it's a market in long-term decline as opposed to keeping abreast of what is functionally a booming industry.

Sheeri: Their skills have depreciated because they haven't learned more skills.

Corey: Yeah. Tech across the board is a field where I feel like you have to constantly be learning. And there's a bit of an evolve-or-die dinosaur approach. And I have some, I do have some fallbacks on this. If I ever decide I am tired of learning and keeping up with AWS, all I have to do is go and work in an environment that uses GovCloud because that's, like, AWS five years ago. And that buys me the five years to find something else to be doing until a GovCloud catches up with the modern day of when I decided to make that decision. That's a little insulting and also very accurate for those who have found themselves in that environment. But I digress.

Sheeri: No, and I find it too with myself. Like, I got to the point with MySQL where I was like, okay, great. I know MySQL back and forth. Do I want to learn all this other stuff? Literally just today, I was looking at my DMs on Twitter and somebody DMed me in May, saying, “Hi, ma'am. I am a DBA and how can I use below service: Lambda, Step Functions, DynamoDB, AWS Session Manager, and CloudWatch?” And I was like, “You know, I don't know. I have not ever used any of those technologies. And I haven't evolved my DBA skills because it's been, you know, six years since I was a DBA.” No, six years, four or five? I can't do math.

Corey: Yeah. Which you think would be a limiting factor to a DBA but apparently not. One last question that [laugh] I want to ask you, before we wind up calling this a show. You've done an awful lot across the board. As you look at all of it, what is it you would say that you're the most proud of?

Sheeri: Oh, great question. What I'm most proud of is my work with WildAid.
So, when I was at MongoDB—I referenced a job with engineering communications, and they hired me to be a product manager because they wanted to do a collaboration with a not-for-profit and make a reference application. So, make an application using MongoDB technology and make it something that was going to be used, but people can also see it. So, we made this open-source project called o-fish. And you know, we can give GitHub links: it's github.com/wildaid, and it has—that's the organization's GitHub which we created, so it only has the o-fish projects in it. But it is a mobile and web app where governments who patrol waters, patrol, like, marine protected areas—which are like national parks but in the water, right, so they are these, you know, wildlife preserves in the water—and they make sure that people aren't doing things they shouldn't do: they're not throwing trash in the ocean, they're not taking turtles out of the Galapagos Island area, you know, things like that. And they need software to track that and do that because at the time, they were literally writing, you know, with pencil on paper, and, you know, had stacks and stacks of this paper to do data entry. And MongoDB had just bought the Realm database and had just integrated it, and so there was, you know, some great features about offline syncing that you didn't have to do; it did all the foundational plumbing for you. And then the reason though, that I'm proud of that project is not just because it's pretty freaking cool that, you know, doing something that actually makes a difference in the world and helps fight climate change and all that kind of stuff, the reason I was proud of it is I was the sole product manager. It was the first time that I'd really had sole ownership of a product and so all the mistakes were my own and the credit was my own, too.
And so, it was really just a great learning experience and it turned out really well.

Corey: There's a lot to be said for pitching in and helping out with good causes in a way that your skill set winds up benefitting. I found that I was a lot happier with a lot of the volunteer stuff that I did when it was instead of licking envelopes, it started being things that I had a bit of proficiency in. “Hey, can I fix your AWS bill?” It turns out has some value to certain nonprofits. You have to be at a certain scale before it makes sense, otherwise it's just easier to maybe not do it that way, but there's a lot of value to doing something that puts good back into the world. I wish more people did that.

Sheeri: Yeah. And it's something to do in your off-time that you know is helping. It might feel like work, it might not feel like work, but it gives you a sense of accomplishment at the end of the day. I remember my first job, one of the interview questions was—no, it wasn't. [laugh]. It wasn't an interview question until after I was hired and they asked me the question, and then they made it an interview question. And the question was, what video games do you play? And I said, “I don't play video games. I spend all day at work staring at a computer screen. Why would I go home and spend another 12 hours till three in the morning, right—five in the morning—playing video games?” And they were like, we clearly need to change our interview questions. This was again, back when the dinosaurs roamed the earth. So, people are culturally sensitive now.

Corey: These days, people ask me, “What's your favorite video game?” My answer is, “Twitter.”

Sheeri: Right. [laugh]. Exactly. It's like whack-a-mole—

Corey: Yeah.

Sheeri: —you know? So, for me having a tangible hobby, like, I do a lot of art, I knit, I paint, I carve stamps, I spin wool into yarn. I know that's not a metaphor for storytelling. That is I literally spin wool into yarn.
And having something tangible, you work on something and you're like, “Look. It was nothing and now it's this,” is so satisfying.

Corey: I really want to thank you for taking the time to speak with me today about where you've been, where you are, and where you're going, and as well as helping me put a little bit more of a human angle on Twitter, which is intensely dehumanizing at times. It turns out that 280 characters is not the best way to express the entirety of what makes someone a person. You need to use a multi-tweet thread for that. If people want to learn more about you, where can they find you?

Sheeri: Oh, they can find me on Twitter. I'm @sheeri—S-H-E-E-R-I—on Twitter. And I've started to write a little bit more on my blog at sheeri.org. So hopefully, I'll continue that since I've now told people to go there.

Corey: I really want to thank you again for being so generous with your time. I appreciate it.

Sheeri: Thanks to you, Corey, too. You take the time to interview people, too, so I appreciate it.

Corey: I do my best. Sheeri Cabral, Senior Product Manager of ETL lineage at Collibra. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice or smash the like and subscribe buttons on the YouTubes, whereas if you've hated it, do exactly the same thing—like and subscribe, hit those buttons, five-star review—but also leave a ridiculous comment where we will then use an ETL pipeline to transform it into something that isn't complete bullshit.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.
Rob Bendall was the lead certification pilot for the launch of Virgin America. Along with certification Rob has had a role in most things involving the pilots at Virgin America. Hiring, checking, training, and otherwise supporting the pilots; he has acted as certification pilot, check airman, base chief pilot to system chief pilot. In this interview we talk about what it took to launch the airline from a pilot's perspective and many other aspects of the airline. Rob's integrity is something I have always admired. I hope you enjoy this conversation.

Bendall Interview
00:00 Role in Certification
6:00 Pre-Virgin Background
12:25 How the FAA tests the operation via scenario cards on test flights.
16:45 Early VX manual sets
19:45 Pilot Culture and uniforms.
25:30 Goatees, FuManchus, and Professional looks.
44:00 The VA Inflight Entertainment System.
47:45 Ken Beiler Cabin 3.0
49:00 Unions and VX
53:00 ALPA organizing drive.
57:00 Biggest Challenges
60:00 Interviewing Pilots
69:00 Consolidation
71:00 B6/NK
76:50 Who owned the Planes
81:00 The Most Virgin Virgin Company
83:15 Own Safety
84:15 Props to Tech Ops
87:00 Protecting the dignity of the airline.
Italo Piroddi, Head of Aruba Academy. Italo Piroddi is HR Training Manager & Head of Aruba Academy at Aruba S.p.A. At Aruba for 10 years, he is responsible for coordinating every aspect of company training through Aruba Academy, the Aruba Group's school, which develops, certifies and keeps high the skill level of Aruba's people through targeted and continuous training. In particular, together with his team, he manages the training paths for new hires, designs company training activities and implements Digital Learning and Engaging tools and projects. He also leads the verification of the effectiveness of training initiatives and evaluates the follow-up actions planned for onboarding into the company. A graduate in Communication from the University of Cagliari, he has extensive experience in training processes, project management, coaching and the coordination of work teams, previously gained at major companies. Aruba S.p.A. is the leading Italian cloud provider and the top company in Italy for data center, hosting, trust services, email, PEC and domain registration services, aimed at individuals, professionals, businesses and the public administration. Founded in 1994, Aruba today manages 2.6 million registered domains, 9.4 million email mailboxes, 8 million PEC mailboxes and 130,000 managed servers, for a total of 16 million users. Since 2014 it has been the official Registry of the '.cloud' extension for the worldwide registration of Internet domains. Aruba PEC and Actalis are Aruba's 2 Certification Authorities, both accredited with AgID (Agenzia per l'Italia Digitale). In 2021 the company entered the telecommunications market with an offering of broadband and ultrabroadband fiber connectivity services. Over the last 20 years Aruba has designed and built its own data centers in Italy, developing know-how that is unique in the sector.
Useful sites, apps and links: Arubaacademy.com Aruba.it Arubanetworks.com Randstad.it

Technical Operation (Tech Ops)

The Technical Operation, or Tech Ops, function is fundamental within a company, and even across several companies. A data center can keep up to 10 companies "up and running"; the Tech Ops role is therefore fundamental to guaranteeing business continuity. Seen this way, the data center can be defined as a cornerstone of a rapidly expanding tech industry, and Tech Ops as a professional role that will be increasingly in demand. Its duties include first-level support and management of all the systems in the data center (mainly based on the Microsoft Windows Server, Linux and VMWare operating systems), the physical staffing of the data halls, and the physical provisioning and deprovisioning, at first installation, of all the IT equipment inside the data halls, such as servers, storage, cabling and any other asset contained in the racks. One of these Aruba Academy professional training courses for TechOps starts on 27 June; run in partnership with Randstad Technologies - the specialized division of the Randstad group that handles the search and selection of ICT profiles - it aims to give students comprehensive knowledge of the entire IT component of the data hall, which must be kept secure, orderly and staffed 24 hours a day, 365 days a year. The course is open to 12 participants who hold an IT diploma or are recent STEM graduates and who wish to acquire increasingly specific technological skills as well as management skills to pursue a career in this sector. It will last 6 weeks (from 27 June to 5 August), with lessons from Monday to Friday in a virtual classroom, for a total of 240 hours. It also offers the possibility of joining the Technical Operation team in Aruba's data centers or of receiving training for the jobs of tomorrow.
It's that time again—and it's so hard to say goodbye! Ananda is joined by Princess, Director of Tech Ops, for The Blue Record's first in-person recording and second annual alumnae reflection episode. They reflect on their time at Spelman (and Zoom University), TBR's second season, and their hopes for adulthood and the future of The Blue Record. Cheers to the dynamic and enduring class of 2022. The Blue Record will return Fall 2022. — Visit us at https://www.thebluerecordpodcast.com Follow us on Instagram and Twitter @thebluerecord Email us at bluerecord@spelman.edu --- Send in a voice message: https://anchor.fm/the-blue-record/message
Today's guest has been working with the private equity community for most of his career. He's here to share his insights about how business owners and entrepreneurs can thrive in a PE-backed company. Dave Bookbinder goes Behind The Numbers with John Bova, Business Development Executive, Private Equity, at Amazon Web Services. In this episode, John shares the keys to successful growth and value creation via private equity, and what it's like to be a part of a private equity-backed organization. Given the typical holding period for PE investments, John discusses the importance of the first year, and how Tech-Ops fits into the value creation equation. Check out more of Behind The Numbers on YouTube Check out more of Behind The Numbers on RVN Television Behind The Numbers is available wherever you get your podcasts Please subscribe to keep up with the latest episodes, and please rate the podcast so that others might find it – and please let me know what part of the world you're tuning in from! About the Host: Dave Bookbinder is the person that clients reach out to when they need to know what their most important assets are worth. Dave is a Managing Director at B. Riley Advisory Services, where he works closely with business owners, CFOs, Controllers, and CEOs. Dave has conducted valuations of the securities and intangible assets of public and private companies for various purposes. Please connect with him on LinkedIn and check out https://www.NewROI.com Want to share your insights with the business community? Message Dave to learn how you can be a guest on Behind The Numbers. https://linktr.ee/BehindTheNumbers THANK YOU FOR PUTTING BEHIND THE NUMBERS IN THE TOP 5% MOST POPULAR PROGRAMS GLOBALLY, ACCORDING TO LISTEN NOTES!!
As the first success out of the Fraser Dove academy, Harry has progressed over the last four years to lead the Outsourcing Practice (CDMO/CRO) at Fraser Dove and heads up our newly-opened London office. Harry works with leading life science organisations to find and hire the very best Manufacturing & Tech Ops and Commercial & Strategy specialists in the CDMO space who can help his clients design, manufacture and distribute life-changing drugs, treatments and devices. He combines this approach with providing innovative insight, intelligence and on-demand consultancy to inform his clients' hiring strategy. In this episode of Talent Acquisition Matters, Tom and Harry discuss how COVID-19 affected the CDMO market, the processes and procedures that are most important to the recruitment process, why, if pleasing your customers is important to you, you need to put your people first, and much more. Enjoy another insightful episode of Talent Acquisition Matters.
During this episode we spoke with Sai Adivi, Vice President of Technology at Inspire Brands. We discussed the digital transformation of the restaurant industry, which is modernizing everything from the kitchen to the customer experience and payment systems. We covered topics ranging from robotic process automation to platform and site reliability engineering. Sai talks about the importance of culture, people and process and how these are still the drivers for any technology transformation. Similar to most industries today, the war on talent is adding increasing pressure on pricing, strategy and growth. Sai shares some of the approaches he and Inspire Brands are taking to get ahead of the competition. Sai Adivi is currently the Vice President of Technology at Inspire Brands, a multi-brand restaurant company whose portfolio includes nearly 32,000 restaurants and 7 brands including Arby's, Baskin-Robbins, Buffalo Wild Wings, Dunkin', Jimmy John's, Rusty Taco, and SONIC Drive-In restaurants, worldwide. He is responsible for driving Inspire's technology infrastructure, Tech Ops & QA strategy, ensuring rapid evolution of digital and data capabilities through technology, ensuring systems and technologies used are profitable, secure, and efficient, and driving innovation across all facets of the technology organization.
At Thoughtworks, our internal Techops team created a self-service developer platform — NEO — with the goal of slashing the time it takes for developers to build digital products within the company. We catch up with Swapnil Deshpande and Prakash Subramaniam about designing a platform that can deliver what developers need in an easy and intuitive manner — and deliver business value.
About Jackie

Jackie Singh is an Information Security professional with more than 20 years of hacking experience, beginning in her preteen years. She began her career in the US Army, and deployed to Iraq in 2003. Jackie subsequently spent several years in Iraq and Africa in cleared roles for the Department of Defense. Since making the shift to the commercial world in 2012, Jackie has held a number of significant roles in operational cybersecurity, including Principal Consultant at Mandiant and FireEye, Global Director of Incident Response at Intel Security and McAfee, and CEO/Cofounder of a boutique consultancy, Spyglass Security. Jackie is currently Director of Technology and Operations at the Surveillance Technology Oversight Project (S.T.O.P.), a 501(C)(3), non-profit advocacy organization and legal services provider. S.T.O.P. litigates and advocates to abolish local governments' systems of mass surveillance. Jackie lives in New York City with her partner, their daughters, and their dog Ziggy.

Links:
Disclose.io: https://disclose.io
Twitter: https://twitter.com/hackingbutlegal

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at VMware. Let's be honest—the past year has been far from easy. Due to, well, everything. It caused us to rush cloud migrations and digital transformation, which of course means long hours refactoring your apps, surprises on your cloud bill, misconfigurations and headache for everyone trying to manage disparate and fractured cloud environments. VMware has an answer for this.
With VMware multi-cloud solutions, organizations have the choice, speed, and control to migrate and optimize applications seamlessly without recoding, take the fastest path to modern infrastructure, and operate consistently across the data center, the edge, and any cloud. I urge you to take a look at vmware.com/go/multicloud. You know my opinions on multi cloud by now, but there's a lot of stuff in here that works on any cloud. But don't take it from me, that's VMware.com/go/multicloud, and my thanks to them again for sponsoring my ridiculous nonsense.

Corey: This episode is sponsored in part by “you”—gabyte. Distributed technologies like Kubernetes are great, citation very much needed, because they make it easier to have resilient, scalable, systems. SQL databases haven't kept pace though, certainly not like no SQL databases have like Route 53, the world's greatest database. We're still, other than that, using legacy monolithic databases that require ever growing instances of compute. Sometimes we'll try and bolt them together to make them more resilient and scalable, but let's be honest it never works out well. Consider Yugabyte DB, it's a distributed SQL database that solves basically all of this. It is 100% open source, and there's no asterisk next to the “open” on that one. And it's designed to be resilient and scalable out of the box so you don't have to charge yourself to death. It's compatible with PostgreSQL, or “postgresqueal” as I insist on pronouncing it, so you can use it right away without having to learn a new language and refactor everything. And you can distribute it wherever your applications take you, from across availability zones to other regions or even other cloud providers should one of those happen to exist. Go to yugabyte.com, that's Y-U-G-A-B-Y-T-E dot com and try their free beta of Yugabyte Cloud, where they host and manage it for you. Or see what the open source project looks like—it's effortless distributed SQL for global apps.
My thanks to Yu—gabyte for sponsoring this episode.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. The best part about being me—well, there's a lot of great things about being me, but from my perspective, the absolute best part is that I get to interview people on the show who have done awesome and impressive things. Therefore by osmosis, you tend to assume that I'm smart slash know-what-the-living-hell-I'm-talking-about. This is provably untrue, but that's okay. Even when I say it outright, this will fade into the depths of your mind and not take hold permanently. Today is, of course, no exception. My guest is Jackie Singh, who's an information security professional, which is probably the least interesting way to describe who she is and what she does. Most recently, she was a senior cybersecurity staffer at the Biden campaign. Thank you so much for joining me. What was that like?

Jackie: Thank you so much for having me. What was that like? The most difficult and high-pressure, high-stress job I've ever had in my life. And, you know, I spent most of my early 20s in Iraq and Africa. [laugh].

Corey: It's interesting, you're not the first person to make the observation that, “Well, I was in the military, and things are blowing up all around, and what I'm doing next to me is like—‘oh, the site is down and can't show ads to people?' Bah, that's not pressure.” You're going the other direction. It's like, yeah, this was higher stress than that. And that right there is not a common sentiment.

Jackie: I couldn't anticipate, when I was contacted for the role—for which I had applied to through the front door like everyone else, sent in my resume, thought it looked pretty cool—I didn't expect to be contacted.
And when I was interviewed and got through the interviews and accepted the role, I still did not properly anticipate how this would change my life and how it would modify my life in the span of just a few months; I was on the campaign for five to six months.

Corey: Now, there's a couple of interesting elements to this. The first is it's rare that people will say, “Oh, I had a job for five to six months,” and, a, put it on their resume because that sounds like, “Ah, are you one of those job-hopper types?” But when you go into a political campaign, it's very clearly, win or lose, we're out of jobs in November. Ish. And that is something that is really neat from the perspective of career management and career planning. Usually is, “Hey, do you want a six-month job?” It's, “Why? Because I'm going to rage quit at the end of it. That seems a little on the weird side.” But with a campaign, it's a very different story. It seems like a different universe in some respects.

Jackie: Yes, absolutely. It was different than any other role I'd ever had. And being a political dilettante, [laugh] essentially, walking into this, I couldn't possibly anticipate what that environment would be like. And, frankly, it is a bit gatekept in the sense that if you haven't participated on a campaign before, you really don't have any idea what to expect, and they're all a bit different to, like, their own special snowflake, based on the people who are there, and the moment in time during which you are campaigning, and who you are campaigning for. And it really does change a perspective on civic life and what you can do with your time if you chose to spend it doing something a little bigger than your typical TechOps.

Corey: It also is a great answer, too, when people don't pay close enough attention. “So, why'd you leave your last job?” “He won.” Seems like a pretty—

Jackie: [laugh].

Corey: —easy answer to give, on some level.

Jackie: Yes, absolutely. But imagine the opposite.
Imagine if our candidate had lost, or if we had had data walk out the door like in 2016. The Democratic National Convention was breached in 2016 and some unflattering information was out the door, emails were hacked. And so it was difficult to anticipate… what we had control over and how much control we could actually exert over the process itself, knowing that if we failed, the repercussions would be extremely severe.

Corey: It's a different story than a lot of InfoSec gigs. Companies love to talk like it is the end of the universe if they wind up having a data breach, in some effect. They talk about that the world ends because for them it kind of does because you have an ablative CSO who tries to also armor themselves with ablative interns that they can blame—if you're SolarWinds. But the idea being that, “Oh yeah, if we get breached we are dunzo.”

And it's, first, not really. Let's not inflate the risks here. Let's be honest; we're talking about something like you're a retailer; if you get breached, people lose a bunch of credit card numbers, the credit card companies have to reissue it to everyone, you get slapped with a fine, and you get dragged in the press, but statistically, look at your stock price a year later, it will be higher than at the time of the breach in almost every case. This is not the end of the world. You're talking about something though that has impacts that have impossible-to-calculate repercussions.

We're talking about an entire administration shift; US foreign policy, domestic policy, how the world works and functions is in no small part tied to data security. That's a different level of stress than I think most security folks, if you get them honest enough, are going to admit that, yeah, what I do isn't that important from an InfoSec perspective. What you did is.

Jackie: I appreciate that, especially having worked in the military. Since I left the military, I was always looking for a greater purpose and a larger mission to serve.
And in this instance, the scope of work was somewhat limited, but the impact of failing would have been quite wide-ranging, as you've correctly identified. And walking into that role, I knew there was a limited time window to get the work done. I knew that as we progressed and got closer and closer to election day, we would have more resources, more money rolls in, more folks feel secure in the campaign and understand what the candidate stands for, and want to pump money into the coffers. And so you're also in an interesting situation because your resourcing is increasing, proportional to the threat, which is very time-bound.

Corey: An inherent challenge is that unlike in a corporate environment, in many respects, where engineers can guard access to things and give the business clear lines of access to things and handle all of it in the background, one of the challenges with a campaign is that you are responsible for data security in a variety of different ways, and the interfaces to that data explode geometrically and to people with effectively no level whatsoever of technical sophistication. I'm not talking about the candidate necessarily—though that's of course, a concern—but I'm talking organizers, I'm talking volunteers, I'm talking folks who are lifelong political operatives, but they tend not to think in terms of, “Oh, I should enable multi-factor authentication on everything that I have,” because that is not what they are graded on; it's pass-fail. So, it's one of those things where it is not the number one priority for anyone else in your organization, but it is yours and you not only have to get things into fighting shape, you have to furthermore convince people to do the things that get them there. How do you approach that?

Jackie: Security awareness [laugh] in a nutshell.
We were lucky to work with Bob Lord, who is former CSO at Yahoo, OAuth, Rapid7, and has held a number of really important roles that were very wide in their scope, and responsible for very massive data sets. And we were lucky enough to, in the democratic ecosystem, have a CSO who really understood the nature of the problem, and the way that you described it just now is incredibly apt. You're working with folks that have no understanding or very limited understanding of what the threat actors were interested in breaching the campaign, what their capability set is, and how they might attempt to breach an organization. But you also had some positives out of that.

When you're working with a campaign that is distributed, your workforce is distributed, and your systems are also distributed. And when you lose that centralization that many enterprises rely on to get the job done, you also reduce opportunities for attackers to compromise one system or one user and move laterally. So, that was something that we had working for us. So, security awareness was incredibly important. My boss worked on that quite a bit.

We had an incredible IT help desk who really focused on connecting with users and running them through a checklist so everyone in the campaign had been onboarded with a specific set of capabilities and an understanding of what the security setup was and how to go about their business in a secure way. And luckily, very good decisions had been made on the IT side prior to the security team joining the organization, which set the stage for a strong architecture that was resistant to attack.
So, I think a lot of the really solid decisions and security awareness propagation had occurred prior to myself and my boss joining the campaign.

Corey: One of the things that I find interesting is that before you started that role—you mentioned you came in through the front door, which personally I've never successfully gotten a job like that; I always have to weasel my way in because I have an eighth-grade education and my resume—

Jackie: [laugh].

Corey: —well, tenure-wise, kind of, looks like a whole bunch of political campaigns. And that's fine, but before that, you were running your own company that was a focused security consultancy. Before that, your resume is a collection of impressive names. You were a principal consultant at Mandiant, you were at Accenture. You know what you're talking about.

You were at McAfee slash Intel. You've done an awful lot of corporate world stuff. What made you decide to just wake up one day and decide, “You know what sounds awesome? Politics because the level of civil discourse there is awesome, and everyone treats everyone with respect and empathy, and no one gets heated or makes ridiculous arguments and the rest. That's the area I want to go into.” What flipped that switch for you?

Jackie: If I'm completely honest, it was pure boredom. [laugh]. I started my business, Spyglass Security, with my co-founder, Jason [Shore 00:11:11]. And our purpose was to deliver boutique consulting services in a way that was efficient, in a way that built on prior work, and in a way that helped advance the security maturity of an organization without a lot of complex terminology, 150-page management consulting reports, right? What are the most effective operational changes we can make to an organization in how they work, in order to lead to some measurable improvement?

And we had a good success at the New York City Board of Elections where we were a subcontractor to a large security firm.
And we were in there for about a year, building them a vulnerability management program, which was great. But generally speaking, I have found myself bored with having the same conversations about cybersecurity again and again, at the startup level and really even at the enterprise level. And I was looking for something new to do, and the role was posted in a Slack that I co-founded that is full of digital forensics and information security folks, incident responders, those types of people.

And I didn't hear of anyone else applying for the role. And I just thought, “Wow, maybe this is the kind of opportunity that I won't see again.” And I honestly sent my resume and didn't expect to hear anything back, so it was incredible to be contacted by the chief information security officer about a month after he was hired.

Corey: One of the things that made it very clear that you were doing good work was the fact that there was a hit piece taken out on you in one of the absolute worst right-wing rags. I didn't remember what it was. It's one of those, oh, I'd been following you on Twitter for a bit before that, but it was one of those okay, but I tend to shortcut to figuring out who I align with based upon who yells at them. It's one of those—to extend it a bit further—I'm lazy, politically speaking. I wind up looking at two sides yelling at each other, I find out what side the actual literal flag-waving Nazis are on, and then I go to the other side because I don't ever want someone to mistake me for one of those people. And same story here. It's okay, you're clearly doing good work because people have bothered to yell at you in what we will very generously term ‘journalism.'

Jackie: Yeah, I wouldn't refer to any of those folks—it was actually just one quote-unquote journalist from a Washington tabloid who decided to write a hit piece the week after I announced on Twitter that I'd had this role.
And I took two months or so to think about whether I would announce my position at the campaign. I kept it very quiet, told a couple of my friends, but I was really busy and I wasn't sure if that was something I wanted to do. You know, as an InfoSec professional, that you need to keep your mouth shut about most things that happened in the workplace, period. It's a sensitive type of role and your discretion is critical.

But Kamala really changed my mind. Kamala became the nominee and, you know, I have a similar background to hers. I'm half Dominican—my mother's from the Dominican Republic and my father is from India, so I have a similar background where I'm South Asian and Afro-Caribbean—and it just felt like the right time to bolster her profile by sharing that the Biden campaign was really interested in putting diverse candidates in the world of politics, and making sure that people like me have a seat at the table. I have three young daughters. I have a seven-year-old, a two-year-old, and a one-year-old.

And the thing I want for them to know in their heart of hearts is that they can do anything they want. And so it felt really important and powerful for me to make a small public statement on Twitter about the role I had been in for a couple of months. And once I did that, Corey, all hell broke loose. I mean, I was suddenly the target of conspiracy theorists, I had people trying to reach out to me in every possible way. My LinkedIn messages, it just became a morass of—you know, on one hand, I had a lot of folks congratulate me and say nice things and provide support, and on the other, I just had a lot of, you know, kind of nutty folks reach out and have an idea of what I was working to accomplish that maybe was a bit off base.

So yeah, I really wasn't surprised to find out that a right-wing or alt-right tabloid had attempted to write a hit piece on me. But at the end of the day, I had to keep moving even though it was difficult to be targeted like that.
I mean, it's just not typical. You don't take a job and tell people you got a job, [laugh] and then get attacked for it on the national stage. It was really unsurprising on one hand, yet really quite shocking on another; something I had to adjust to very quickly. I did cry at work. I did get on the phone with legal and HR and cry like a baby. [laugh].

Corey: Oh, yeah.

Jackie: Yeah. It was scary.

Corey: I guess this is an example of my naivete, but I do not understand people on the other side of the issue of InfoSec for a political campaign—and I want to be clear, I include that to every side of an aisle—I think there are some quote-unquote, “Political positions” that are absolutely abhorrent, but I also in the same breath will tell you that they should have and deserve data security and quality InfoSec representation. In a defensive capacity, to be clear. If you're—“I'm the offensive InfoSec coordinator for a campaign,” that's a different story. And we can have a nuanced argument about that.

Jackie: [laugh].

Corey: Also to be very clear, for the longest time—I would say almost all of my career until a few years ago—I was of the impression whatever I do, I keep my politics to myself. I don't talk about it in public because all I would realistically be doing is alienating potentially half of my audience. And what shifted that is two things. One of them, for me at least, is past a certain point, let's be very clear here: silence is consent. And I don't ever want to be even mistaken at a glance for being on the wrong side of some of these issues.

On another, it's, I don't accept, frankly, that a lot of the things that are currently considered partisan are in fact, political issues. I can have a nuanced political debate on either side of the aisle on actual political issues—talking about things like tax policy, talking about foreign policy, talking about how we interact with the world, and how we fund things we care about and things that we don't—I can have those discussions.
But I will not engage and I will not accept that, who gets to be people is a political issue. I will not accept that treating people with respect, regardless of how high or low their station, is a political issue. I will not accept that giving voice to our worst darkest impulses is a political position.

I just won't take it. And maybe that makes me a dreamer. I don't consider myself a political animal. I really don't. I am not active in local politics. Or any politics for that matter. It's just, I will not compromise on treating people as people. And I never thought, until recently, that would be a political position, but apparently, it is.

Jackie: Well, we were all taught the golden rule as children.

Corey: There's a lot of weird things that were taught as children that it turns out, don't actually map to the real world. The classic example of that is sharing. It's so important that we teach the kids to share, and always share your toys and the rest. And now we're adults, how often do we actually share things with other people that aren't members of our immediate family? Turns out not that often. It's one of those lessons that ideally should take root and lead into being decent people and expressing some form of empathy, but the actual execution of it, it's yeah, sharing is not really a thing that we value in society.

Jackie: Not in American society.

Corey: Well, there is that. And that's the challenge, is we're always viewing the world through the lens of our own experiences, both culturally and personally, and it's easy to fall into the trap that is pernicious and it's always there, that our view of the world is objective and correct, and everyone else is seeing things from a perspective that is not nearly as rational and logical as our own. It's a spectrum of experience. No one wakes up in the morning and thinks that they are the villain in the story unless they work for Facebook's ethics department.
It's one of those areas of just people have a vision of themselves that they generally try to live up to, and let's be honest people fell in love with one vision of themselves, it's the cognitive dissonance thing where people will shift their beliefs instead of their behavior because it's easier to do that, and reframe the narrative.

It's strange how we got to this conversation from a starting position of, “Let's talk about InfoSec,” but it does come back around. It comes down to understanding the InfoSec posture of a political campaign. It's one of those things that until I started tracking who you were and what you were doing, it wasn't something really crossed my mind. Of course, now you think about, of course there's a whole InfoSec operation for every campaign, ever. But you don't think about it; it's behind the scenes; it's below the level of awareness that most people have.

Now, what's really interesting to me, and I'm curious if you can talk about this, is historically the people working on the guts of a campaign—as it were—don't make public statements, they don't have public personas, they either don't use Twitter or turn their accounts private and the rest during the course of the campaign. You were active and engaging with people and identifying as someone who is active in the Biden campaign's InfoSec group. What made you decide to do that?

Jackie: Well, on one hand, it did not feel useful to cut myself off from the world during the campaign because I have so many relationships in the cybersecurity community. And I was able to leverage those by connecting with folks who had useful information for me; folks outside of your organization often have useful information to bring back, for example, bug bounties and vulnerability disclosure programs that are established by companies in order to give hackers an outlet.
If you find something on hardwarestore.com, and you want to share that with the company because you're a white hat hacker and you think that's the right thing to do, hopefully, there's some sort of a structure for you to be able to do that. And so, in the world of campaigning, I think information security is a relatively new development.

It has been, maybe, given more resources in this past year on the presidential level than ever before. I think that we're going to continue to see an increase in the amount of resources given to the information security department on every campaign. But I'm also a public person. I really do appreciate the opportunity to interact with my community, to share and receive information about what it is that we do and what's happening in the world and what affects us from tech and information security perspective.

Corey: It's just astonishing for me to see from the outside because you are working on something that is foundationally critically important. Meanwhile, people working on getting people to click ads or whatnot over at Amazon have to put ‘opinions my own' in their Twitter profile, whereas you were very outspoken about what you believe and who you are. And that's a valuable thing.

Jackie: I think it's important. I think we often allow corporations to dictate our personality, we allow our jobs to dictate our personality, we allow corporate mores to dictate our behavior. And we have to ask ourselves who we want to be at the end of the day and what type of energy we want to put out into the world, and that's a choice that we make every day. So, what I can say is that it was a conscious decision. I can say that I worked 14 hours a day, or something, for five, six months. There were no weekends; there was no time off; there were a couple of overnights.

Corey: “So, what do you get to sleep?” “November.”

Jackie: Yeah. [laugh]. My partner took care of the kids. He was an absolute beast.
I mean, he made sure that the house ran, and I paid no attention to it. I was just not a mom for those several months, in my own home.

Corey: This episode is sponsored by our friends at Oracle. HeatWave is a new high-performance accelerator for the Oracle MySQL Database Service. Although I insist on calling it “my squirrel.” While MySQL has long been the world's most popular open source database, shifting from transacting to analytics required way too much overhead and, ya know, work. With HeatWave you can run your OLTP and OLAP, don't ask me to ever say those acronyms again, workloads directly from your MySQL database and eliminate the time consuming data movement and integration work, while also performing 1100X faster than Amazon Aurora, and 2.5X faster than Amazon Redshift, at a third of the cost. My thanks again to Oracle Cloud for sponsoring this ridiculous nonsense.

Corey: Back in 2019, I gave a talk at re:Invent—which is always one of those things that's going to occasion comment—and the topic that we covered was building a vulnerability disclosure program built upon the story of a vulnerability that I reported into AWS. And it was a decent enough experience that I suggested at some point that you should talk about this publicly, and they said, “You should come talk about it with us.” And I did and it was a blast. But it suddenly became very clear, during the research for that talk and talking to people who've set those programs up is that look, one way or another, people are going to find vulnerabilities in what you do and how you do them. And if you don't give them an easy way to report them to you, that's okay.

You'll find out about them in other scenarios when they're on the front page of the New York Times. So, you kind of want to be out there and accessible to people.
Now, there's a whole story we can go into about the pros and cons of things like bug bounties and the rest, and of course, it's a nuanced issue, but the idea of at least making it easy for people to wind up reporting things from that perspective is one of those key areas of outreach. Back in the early days of InfoSec, people would explore different areas of systems that they had access to, and very often they were charged criminally. Intel wound up having charges against one of their—I believe it was their employee or something, who wound up founding something and reporting it in an ethical way.

The idea of doing something like that is just ludicrous. You're in that space a lot more than I am. Do you still see that sort of chilling effect slash completely not getting it when someone is trying to, in good faith, report security issues? Or has the world largely moved on from that level of foolishness?

Jackie: Both. The larger organizations that have mature security programs, and frankly, the organizations that have experienced a significant public breach, the organizations that have experienced pain are those that know better at this point and realize they do need to have a program, they do need to have a process and a procedure, and they need to have some kind of framework for folks to share information with them in a way that doesn't cause them to respond with, “Are you extorting me? Is this blackmail?” As a cybersecurity professional working at my own security firm and also doing security research, I have reported dozens of vulnerabilities that I've identified, open buckets, for example. My partner at Spyglass and I built a SaaS application called Data Drifter a few years ago.

We were interviewed by NBC about this and NBC followed up on quite a few of our vulnerability disclosures and published an article.
But what the software did was look for open buckets on Azure, AWS, and GCP and provide an analyst interface that allows a human to trawl through very large datasets and understand what they're looking at. So, for example, one of the finds that we had was that musical.ly—musical-dot-L-Y, which was purchased by TikTok, eventually—had a big, large open bucket with a lot of data, and we couldn't figure out how to report it properly. And they eventually took it down.

But you really had to try to understand what you were looking at; if you have a big bucket full of different data types, you don't have a name on the bucket, and you don't know who it belongs to because you're not Google, or Amazon, or Microsoft, what do you do with this information? And so we spent a lot of time trying to reconcile open buckets with their owners and then contacting those owners. So, we've received a gamut of ranges of responses to vulnerability disclosure. On one hand, there is an established process at an organization that is visible by the way they respond and how they handle your inquiry. Some folks have ticketing systems, some folks respond directly to you from the security team, which is great, and you can really see and get an example of what their routing is inside the company.

And then other organizations really have no point of reference for that kind of thing, and when something comes into either their support channels or even directly into the cybersecurity team, they're often scrambling for an effective way to respond to this. And it could go either way; it could get pretty messy at times. I've been threatened legally and I've been accused of extortion, even when we weren't trying to offer some type of a service. I mean, you really never walk into a vulnerability disclosure scenario and then offer consulting services because they are going to see it as a marketing ploy and you never want to make that a marketing ploy.
I mean, it's just not… it's not effective and it's not ethical, it's not the right thing to do.

So, it's been interesting. [laugh]. I would recommend, if you are a person listening to this podcast who has some sort of pull in the information security department at your organization, I would recommend that you start with disclose.io, which was put together by Casey John Ellis and some other folks over at Bugcrowd and some other volunteers. It's a really great starting point for understanding how to implement a vulnerability disclosure program and making sure that you are able to receive the information in a way that prevents a PR disaster.

Corey: My approach is controversial—I know this—but I believe that the way that you're approaching this was entirely fatally flawed, of trying to report to people that they have an open S3 bucket. The proper way to do it is to upload reams of data to it because my operating theory is that they're going to ignore a politely worded note from a security researcher, but they're not going to ignore a $4 million surprise bill at the end of the month from AWS. That'll get fixed tout suite. To be clear to the audience, I am kidding on this. Don't do it. There's a great argument that you can be charged criminally for doing such a thing. I'm kidding. It's a fun joke. Don't do it. I cannot stress that enough. We now go to Jackie for her laughter at that comment.

Jackie: [laugh].

Corey: There we go.

Jackie: I'm on cue. Well, a great thing about Data Drifter, that SaaS application that allowed analysts to review the contents of these open buckets, was that it was all JavaScript on the client-side, and so we weren't actually hosting any of that data ourselves. So, they must have noticed some transfer fees that were excessive, but if you're not looking at security and you have an infrastructure that isn't well monitored, you may not be looking at costs either.

Corey: Costs are one of those things that are very aligned spiritually with security.
It's a trailing function that you don't care about until right after you really should have cared about it. With security, it's a bit of a disaster when it hits, whereas with those surprise bills, “Oh, okay. We wasted some money.” That's usually, a, not front-page material and, b, it's okay, let's be responsible and fix that up where it makes sense, but it's something that is never a priority. It's never a ‘summon the board' story for anything short of complete and utter disaster. So, I do feel a sense of spiritual alignment here.

Jackie: [laugh]. I can see that. That makes perfect sense.

Corey: Before we call this an episode, one other area that you've been active within is something called ‘threat modeling.' What is it?

Jackie: So, threat modeling is a way to think strategically about cybersecurity. You want to defend, effectively, by understanding your organization as a collection of people, and you want to help non-technical staff support the cybersecurity program. So, the way to do that is potentially to give a human-centric focus to threat modeling activities. Threat modeling is a methodology for linking humans to an effective set of prioritized defenses for the most likely types of adversaries that they might face. And so essentially the process is identifying your subject and defining the scope of what you would like to protect.

Are you looking to protect this person's personal life? Are you exclusively protecting their professional life or what they're doing in relation to an organization? And you want to iterate through a few questions and document an attack tree. Then you would research some tactics and vulnerabilities, and implement defensive controls.
So, in a nutshell, we want to know what assets does your subject have or have access to, that someone might want to spy, steal, or harm; you want to get an idea of what types of adversaries you can expect based on those assets or accesses that they have, and you then want to understand what tactics those adversaries are likely to use to compromise those assets or accesses, and you then transform that into the most effective defenses against those likely tactics.

So, using that in practice, you would typically build an attack tree that starts with the human at the center and lists out all of their assets and accesses. And then off of those, each of those assets or accesses, you would want to map out their adversary personas. So, for example, if I work at a bank and I work on wire transfers, my likely adversary would be a financially motivated cybercriminal, right? Pretty standard stuff. And we want to understand what are the methods that these actors are going to employ in order to get the job done.

So, in a common case, in a business email compromise context, folks might rely on a signer at a company to sign off on a wire transfer, and if the threat actor has an opportunity to gain access to that person's email address or the mechanism by which they make that approval, then they may be able to redirect funds to their own wallet that was intended for someone else or a partner of the company. Adversaries tend to employ the least difficult approach; whatever the easiest way in is what they're going to employ. I mean, we spend a lot of time in the field of information security and researching the latest vulnerabilities and attack paths and what are all the different ways that a system or a person or an application can be compromised, but in reality, the simplest stuff is usually what works, and that's what they're looking for. They're looking for the easiest way in.
And you can really observe that with ransomware, where attackers are employing a spray and pray methodology.

They're looking for whatever they can find in terms of open attack surface on the net, and then they're targeting organizations based on who they can compromise after the fact. So, they don't start with an organization in mind, they might start with a type of system that they know they can easily compromise and then they look for those, and then they decide whether they're going to ransomware that organization or not. So, it's really a useful way, when you're thinking about human-centric threat modeling, it's really a useful way to completely map your valuables and your critical assets to the most effective ways to protect those. I hope that makes sense.

Corey: It very much does. It's understanding the nature of where you start, where you stop, what is reasonable, what is not reasonable. Because like a lot of different areas—DR, for example—security is one of those areas you could hurl infinite money into and still never be done. It's where do you consider it reasonable to start? Where do you consider it reasonable to stop? And without having an idea of what the model of threat you're guarding against is, the answer is, “All the money,” which it turns out, boards are surprisingly reluctant to greenlight.

Jackie: Absolutely. We have a recurring problem in information security where we cannot measure return on investment. And so it becomes really difficult to try to validate a negative. It's kind of like the TSA; the TSA can say that they've spent a lot of money and that nothing has happened or that any incidents have been limited in their scope due to the work that they've done, but can we really quantify the amount of money that DHS has absorbed for the TSA's mission, and turned that into a really wonderful and measurable understanding of how we spent that money, and whether it was worth it? No, we can't really.
And so we're always struggling with that insecurity, and I don't think we'll have an answer for it in the next ten years or so.Corey: No, I suspect not, on some level. It's one of those areas where I think the only people who are really going to have a holistic perspective on this are historians.Jackie: I agree.Corey: And sadly I'm not a cloud historian; I'm a cloud economist, a completely different thing I made up.Jackie: [laugh]. Well, from my perspective, I think it's a great title. And I agree with your thought about historians, and I look forward to finding out how they felt about what we did in the information security space, both political and non-political, 20, 30, and 40 years from now.Corey: I hope to live long enough to see that. Jackie, thank you so much for taking the time to speak with me today. If people want to learn more about what you're up to and how you view things, where can they find you?Jackie: You can find me on Twitter at @hackingbutlegal.Corey: Great handle. I love it.Jackie: Thank you so much for having me.Corey: Oh, of course. It is always great to talk with you. Jackie Singh, principal threat analyst, and incident responder at the Biden campaign. Obviously not there anymore. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast provider of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with a comment expressing an incoherent bigoted tirade that you will, of course, classify as a political opinion, and get you evicted from said podcast provider.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. 
Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.
Interview Begins 8:09
Debrief 48:37
Andy Hakes is the founder and CEO of AireXpert. AireXpert offers maintenance control, quality assurance, base, line, and vendor maintenance, enabling users to experience reduced repair times, decreased delays, and lowered time costs, while mitigating the risk of FAA compliance.
Andy has been an aircraft maintenance guy & aviation geek since 1989. A founding member of the AireXpert crew, he's worked in Tech Ops and on the heavy iron for several decades.
We discuss: Airplane Maintenance 10:49; Idea Behind AireXpert 13:20; Aviation Business Model 17:34; Outsource Maintenance 20:03; Airline Maintenance Process 22:53; AireXpert 27:39; Evolution of AireXpert 28:42; Target Airlines 30:22; Operational Validation 33:22; Pricing Model 35:44; AireXpert and 3rd Party Vendors 39:55; AireXpert Funding 45:36
AireXpert was founded in 2018 in Buffalo, New York.
This episode of upside is sponsored by SPMB. SPMB is one of the fastest-growing retained executive search firms in the country, closing hundreds of C-level searches every year. For over 40 years, SPMB has specialized in recruiting upper management and board members to VC-funded startups everywhere from early-stage to growth stage. They can do the same for you. Visit upside.fm/spmb to learn more.
This episode of upside is sponsored by Ethos Wealth Management. Managing wealth with an eye toward the future demands vigilance and skill in today's global economy. Over the years, Ethos Wealth Management has worked with clients and their other professional advisors – including attorneys and accountants – to create comprehensive wealth management plans designed to make the best use of their wealth today and help ensure its endurance for future generations. They can do the same for you. Visit upside.fm/ethos to learn more.
This episode is sponsored by SavvyCal. SavvyCal is the most intuitive and powerful scheduling tool on the market. In fact, we just started SavvyCal to book interviews with our guests! You can create personalized links in seconds and even allow recipients to overlay their calendar on top of yours. You really gotta see how this works, and you'll wonder why it wasn't always this easy. Sign up to create a free account at savvycal.com/upside and when you're ready to test out a paid plan, use the code UPSIDE to get your first month free.
Human Kangy is stuck in a thunderstorm with no power, so Human Hazy and Human Snoke bring in pinch-hitter extraordinaire TechOps to bring you this week's show. The topics this week: -- How Tech Ops got into Earth2.io and streaming 1:12 -- The Earth2 is a scam video onslaught 10:42 -- Why are they right? -- Why were they wrong? -- Is Earth2 a scam? -- Shane's announcement 22:20 -- Essence/EPL's -- React vs. Riot 23:55 -- Blockchain confirmed 28:22 -- Resources (in a test nation!) 32:12 -- Earth2 MasterCard 36:33 -- Charitable causes on E2 38:40 -- 10 Questions with TechOps! 39:57 Guidebook Gaming on Twitch: https://www.twitch.tv/guidebookgaming Welcome to the Site Giveaway: https://mynameishumanpod.com/the-welcome-to-the-site-giveaway/ "My Name is Human" (cover) intro song performed by Oliver Jones Music: https://www.youtube.com/channel/UCwwTpYJlJfqrUqSR3Dk2IoA --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app
In the third episode, Ulrike Behrens welcomes Frank Martens, Senior Director of Sales Aviatar and Digital Products, who takes you on an exciting journey through Lufthansa Technik's digital power platform, AVIATAR. Discover how to optimize your entire operation and how participating airlines are already benefitting from AVIATAR.
TWU Air Division's Brad Brugger talks about the history, implementation, and success of “Just Culture” and “Just Policy” at American Airlines and why it's so important.
TWU/IAM TechOps - Recent ASAP Trends
This is the second in a series of episodes covering infosec-related careers, featuring several Accenture people from across its global infosec team. In this episode of InfoSec Beat, Accenture’s Kris Burkhardt talks with John Blasi who leads the Tech & Ops team for Accenture’s internal information security organization. John is responsible for making sure Accenture's entire work fleet and infrastructure is secure using the latest in approved security technologies, and working hand-in-hand with global IT teams to protect Accenture.
"How would you like to rebuild 600 drones?" Jordan rightly points out in this segment that the Tech Ops team for DRL are the unsung heroes of the league. They have to manage, and often rebuild, 600 drones during and after an event, sometimes with only a week or two to spare. Jordan also talks about "the grind", the practice that's required to compete in DRL. Putting pack after pack in for hours on end just to stay competitive.
You can find my Patreon here: https://www.patreon.com/michaelrollins
You can find Jordan here: https://www.project399.com/ https://www.instagram.com/jet.fpv/ https://www.youtube.com/channel/UC3NlhIujLgJdZD2T2YOLkCQ
Meet: Chris Ham is the Engineering Operations Manager and Chief of Staff to the CTO at Novantas. He is responsible for DevOps, Cloud/on-prem implementation and integration, the interface between Engineering and Infrastructure, and Big-data infrastructure. Chris's career path has focused on blending leadership and deep technical expertise. His CV includes: -Continued service, including a deployment, as an officer in the US Navy Reserve -A background in corporate Tech Ops finance -Work as a quant in the bank treasury/risk space What you'll learn: Leveraging his military management experience Partnering with DevOps and the strategic technology roadmap Transitioning from the military to the private sector If you have any questions for Chris, please feel free to reach out via LinkedIn: https://www.linkedin.com/in/christopher-l-ham/
09. One Big Thing: Safety is Performance Relevant
“As leaders, people are watching all the time…. if you are not genuinely committed to doing the right thing in terms of how you build a culture where everyone feels respected and included, that has a downstream effect that could be detrimental to the culture and the company.”
Guest Info: Shane Portfolio is Senior Vice President of Field Ops Engineering for Comcast Cable where he leads One Network, XOC, Headend Operations, and Plant Maintenance. Prior to moving to the HQ team in 2019, Shane was Senior Vice President of Tech Ops and Engineering for the Comcast West Division, with responsibility for engineering, technical operations and advanced services serving approximately 11,000 employees and nine-million customers. In this role, he oversaw the Division’s fiber network and IP-based infrastructure; and was instrumental in overseeing testing and deployment of new technologies and resources to assist the Division’s technical operations and engineering teams in delivering a reliable network and customer experience, with innovative new products and services.
Before joining the West Division team, Shane was Vice President, Engineering for the California Region, where he was responsible for the oversight, guidance, direction and vision for all Technical Engineering aspects throughout the Comcast California footprint. Shane served as the Vice President of Engineering and XOC in Comcast’s Central Division before moving to California. In that role, Shane was responsible for a team of 350 employees. Prior to that, Shane was the Sr. Director of Network Operations for Comcast’s TPX organization. He has also served as Comcast’s Senior Director of IP Operations.
Shane began his career in cable as a Comcast Account Executive answering technical phone calls. Shane holds a bachelor’s degree from Metropolitan State University, master’s degrees from Regis University and Denver University, and completed programs at Dartmouth University, Stanford University, and Notre Dame University. He is currently pursuing his PhD in Organizational Leadership.
Shane serves on the Board of Directors for Metro State University, National Diversity Council, and Big Brothers Big Sisters. He is also a former Platoon Sergeant and Leadership Instructor for the U.S. Army and successfully completed the Army’s Primary Leadership Course, Officer Candidate School, and Senior Leadership Course.
Favorite quote: "Go forth and conquer."
Resources: Shane Portfolio; Shannon Cassidy on YouTube. For more information about R.O.G. Return on Generosity and host Shannon Cassidy, visit bridgebetween.com.
Credits: Shane Portfolio, Comcast. Production team: Nani Shin, Sheep Jam Productions, qodpod
In the latest episode of Tell Me Why, two of American’s Boeing 737 experts stop by to discuss the latest as American prepares to return the Boeing 737 MAX to commercial service on Dec. 29. John DeLeeuw, Chair of the National Safety Committee of the Allied Pilots Association (APA) and Chair of APA’s 737 MAX Return to Service Ad Hoc Committee, and Chris Hurrell, American’s 737 Fleet Captain, explain the critical role American’s pilots played in the recertification process, changes as part of the aircraft’s return to service, pilot training and our Tech Ops team’s incredible work to maintain and ready the aircraft.
Host, TWU Air Division's Brad Brugger is joined in studio by the IAM's Bud Brown and special guest Scott Griffith, affectionately known as “The Godfather of ASAP“, in this multi-part episode in which Scott talks about the origins of ASAP, “Just Culture“, and speaks about general Airline Safety.
TechOps ASAP PodCast With Scott Griffith Part 1
Brad Brugger is joined by American Airlines pilot Captain John DeLeeuw to discuss the collaboration between the APA and the TWU/IAM regarding ASAP and other safety measures.
Host Brad Brugger is joined in the second of a two-part interview with Dr. Terry Kelly PhD, a professor in the Aviation Science department of Saint Louis University's Parks College of Engineering, Aviation & Technology, to discuss the ASAP Program, its benefits, and the culture surrounding aviation maintenance safety.
John Grange is a seasoned entrepreneur and is co-founder and CTO at OpsCompass, a leading SaaS product for managing compliance and security in clouds like Azure, AWS, and GCP. He has 15 years of experience building products and companies including co-founding a top 5 global Microsoft ASP.net hosting provider and creating SaaS products in areas as diverse as healthcare and marketing tech. John's passion is identifying those mega-trends that truly impact how technology is consumed and then building the tools necessary to help real customers leverage new technology and create value.
Host Brad Brugger is joined in the first of a two-part interview with Dr. Terry Kelly PhD, a professor in the Aviation Science department of Saint Louis University's Parks College of Engineering, Aviation & Technology, to discuss the ASAP Program, its benefits, and the culture surrounding aviation maintenance safety.
The FAA keeps 5,000 airplanes on average moving safely through the sky every hour. How is this possible? Listen to hear it from our experts. In this episode, you will learn how the puzzle pieces fit together in a cross-country flight — from takeoff to cruising altitude and back down — and how an orchestra of more than 14,000 air traffic controllers, in unison with pilots and airport personnel, creates a symphony of flights moving safely and efficiently across the nation while faced with a variety of constraints like weather, construction and heavy traffic areas. You'll also hear about the critical role of airway transportation specialists, our Tech Ops personnel, who keep thousands of pieces of critical FAA equipment tuned up for controllers and pilots to use in this complex dance.
Local 591 is proud to post the inaugural episode of the TWU-IAM Association, TechOps ASAP PodCast featuring host Safety of Flight and Compliance Coordinator Brad Brugger, along with TechOps ASAP ERC members Bud Brown from the IAM and Joe Absalon from TWU Local 591.
Vanessa Schneider: Hello and welcome to the Government Digital Service Podcast. My name is Vanessa Schneider and I am Senior Channels and Community Manager at GDS. Like last month's episode, this one will also be recorded via Hangouts as we're all remote working right now. We're going to be talking about the Digital, Data and Technology Fast Stream experience at GDS. The Digital, Data and Technology Fast Stream, also known as the DDaT Fast Stream for short, is one of 15 different schemes on the Civil Service Fast Stream. Applicants can choose up to 4 scheme preferences when they apply. As a DDaT Fast Streamer you're participating in a four year scheme with both six month long and year-long placements. GDS is one of the organisations in which Fast Streamers are placed. So we will be hearing from colleagues across GDS with experience of being on the DDaT scheme. Clare Robinson: I'm Clare Robinson. I'm a Fast Stream Performance Analyst working on GOV.UK. So that means that I look at the performance data that we have available and try to understand what it is that users are trying to do on GOV.UK, where they're going and what it is we need to do to make their journeys better. Vanessa Schneider: Do you think that the Fast Stream has lived up to what your expectation was before you applied? Clare Robinson: What I've really loved about working for government is the fact that people don't have another option, like there is no, there's nobody else that can give you a passport. We have to do it. And that confers on us a really different expectation because we can't ever decide that something is too hard. We have to do the best we can for everybody. And that was probably the thing that really defied my expectations. I came in thinking that it would be all about implementing government policy. And actually some of that is true. But most of it is about providing citizens with things that they need from government. 
And that's really a different mindset, perhaps, than I really expected to have. Vanessa Schneider: Do you mind going a little bit into detail about the different placements that you've had before arriving at GDS? Clare Robinson: So I started as a delivery manager in Bristol working on licencing and permitting services. My role was to make sure that we were delivering those projects on time when we needed to. So I learnt a lot from that, I learnt a lot about agile, so how to manage people in a really productive and sort of continuously improving way. And I learnt a lot about myself, like what I how I work, what I like, what I find more challenging. That led me to my next placement where I went to the Department of Transport to be a User Researcher. And that was really great 'cause I was working on a whole just a massive range of projects. And then I got to go on a secondment. So this is sort of an interesting feature of the Fast Stream is that you can go out to, often to charities or other partners. But I actually chose to go out to industry 'cause that was like I really wanted to take that opportunity just to see how digital services work from kind of a more commercial side. And so I got to go and be a Co-creation Consultant at Fujitsu. And the kind of work I was doing that was really interesting because I was running what are called design-thinking workshops, which are very much, very much in some ways follow some of the user-centred principles that we have in government, and in GDS - it's all about starting like what do users need? It was really interesting to see how a sort of commercial enterprise used user-centred thinking and design-thinking to sort of challenge both themselves, and the customers that they working with to kind of co-create like solutions to complicated business problems. So that was that was really interesting. Vanessa Schneider: We often hear that GDS has that perception of being different to the other sort of areas of Whitehall. 
Have you found that to bear out? Clare Robinson: I think the biggest difference, I think, is how how much acceptance people have of kind of agile methodologies, and sort of uncertainty. I think we have to embrace the unknowns and we have to embrace the idea that we're not going to get things perfect the first time round. Vanessa Schneider: I was wondering, is there anything that you would change about your experience so far? Clare Robinson: There’s quite an emphasis on leadership and leading teams, but I think that that can sometimes, people who are perhaps more introverted, who perhaps have more technical skills, I think that can leave them behind or leave them with a sense that they're not doing the right thing. I think that I've been really lucky that I've had two really fantastic managers on the Fast Stream who have really helped me understand that that's not the case, and actually that leadership looks really, really different in different places. But I think that sometimes the Fast Stream can put quite a lot of emphasis on showing rather than doing, and I think there are people that are working to change that. And I think particularly I've been thinking about like what, when we talk about leadership, we often have a model in our mind. And that model is often, often white, it's often male, it's often went to a Russell Group university. And I think that that is a model that we all need to challenge. Jordan Testo: Hi. I'm Jordan Testo. I'm a DDaT Fast Streamer currently placed at GDS, working in the EU Transition and Future Relationships Team as the Digital Portfolio Coordination Advisor. Previously I've worked as a, a Product Owner on the tax platform at HMRC. I've worked as a Service Manager at the Home Office and I've been a Programme Delivery Manager at the Ministry of Defence working in Cyber Defence. Vanessa Schneider: And what caused you to apply to be on the Fast Stream? Jordan Testo: Finishing university, I fancied a challenge. 
I previously did an industrial placement in the Home Office whilst at university, and I thought, I want to go into the Civil Service. So why not give the Fast Stream a go and develop my leadership skills and see what I can do? So I'm currently coming towards the end of my second year. Currently the DDaT scheme is four years. So I've got another two placements - so the first two years are six month roles, switching every six months, and then the final two years are two year-long posts. So come October, I will be leaving GDS to another department, which as of yet is unknown to me. We find out in about three weeks, four weeks’ time where we'll be moving on to. Vanessa Schneider: Do you get any choice in that matter or is it very much predetermined? Jordan Testo: We get preference forms, so we put in the departments which we want to go to work for, job roles around the DDaT Framework and other areas that we want to develop personally as well. And all those developmental points are looked into as well as what previous job roles I've done. And the matching team then put, match me to a place in which they think benefits me the most in what I want to get out. Vanessa Schneider: Is it different working at GDS compared to other departments? Jordan Testo: GDS, it is a total different way of working. It's a lot more accessible, there's a lot more openness in terms of the software we can use, the types of communication methods. But GDS is just, it's such a different place. And what I quite like about it is there's less of a hierarchy as such. Everyone works together to get the job done rather than some of the departments I've been in where it's quite hierarchical. But yeah, I quite enjoy this. Vanessa Schneider: Yeah, so obviously it's great to hear that you're having a positive experience at GDS, and with the fast stream. But are there things that you've sort of found a bit more challenging? 
Jordan Testo: The challenging element of the Fast Stream is moving around every six months. It's been hard for me to let go of some departments, mainly because of the work I've been working on, and I start, I get to the midpoint where we've got a really important milestone or got to important sprint and then I have to go, and I never see the result and not seeing the fruits of their labour as such. Hence why I’m looking forward to having the year-long posts. And I think if someone asked me, what do you think of the Fast Stream, I say, just do it. Apply. See how it goes, because it's just totally worth it. I think that even if you don't get onto it, the application process is really interesting and a really good experience to do. If you get onto it, the Civil Service and the public sector world is open to you. You have a chance to go around different departments, work on different programmes, work with different people in different subject areas, and you build up such a knowledge of overall government - it's, it's priceless, really. Maxwell Reiss: My name is Maxwell Reiss. I'm a Product Manager on the GOV.UK programme, and I'm on the Civil Service Digital Fast Stream. Vanessa Schneider: So you are currently a Fast Streamer or have you finished the Fast Stream? Maxwell Riess: I am still currently a Fast Streamer. But I am, I am very much an outgoing Fast Streamer. I'm in my third year of the programme and I've just recently, within the last couple of weeks, been offered a permanent role at GDS. Vanessa Schneider: Well, congratulations to the job offer. Is it normal for a Fast Streamer to be offered a job before the scheme finishes? Maxwell Riess: It does happen. It is, it is very, it is normal. Yeah, I'll go as far as to say it's normal. I think of my cohort, there were about 60 of us that started in year one, bright-eyed and bushy-tailed digital Fast Streamers. And I think of that there are probably less than half that are still on the scheme. 
Vanessa Schneider: Would you mind telling us a little bit about the placements that you had previously? Maxwell Riess: So way back in September of 2000, was it 17, I started my very first placement on the Fast Stream in DWP Digital in the Portfolio Team. And this was a quite surprising placement to get. It actually wasn't what I was expecting at all because I was working in a private office role supporting a Deputy Director of the digital portfolio. I have had roles in HMRC working on digital services for collecting environmental taxes. I had a role working at the Department for International Trade, working in content on their Brexit transition. So, so I worked on, on policies and content for the public at DIT. And I previously had a role at GDS even before this one. I worked at GDS in GOV.UK in a, in another kind of content capacity, working on what we call mainstream, which is the kind of most popular content on GOV.UK itself and then I came back, I came back to GOV.UK after my last one at DIT. Vanessa Schneider: Were you aware of GDS before you joined the DDaT Fast Stream? Maxwell Riess: I, I was, actually. Yeah, I am. I tragically was a bit of a fan of. Vanessa Schneider: Oh! Don't apologise. Maxwell Riess: GOV.UK and of, of, of GDS. I just, you know, kind of struck me as a great a great thing, a good website, a place - and I worked, I did work in digital before joining the Civil Service in the private sector. And it always struck me, guess partly call it good storytelling, branding, propaganda, that that GDS was somewhere that was doing digital and agile well, you know, that it was, that this is where one could go to actually experience these techniques put into action in an effective way. Vanessa Schneider: Do you mind telling me a little bit about what led you to applying to the DDaT Fast Stream? Maxwell Riess: For me, it was very, very directly about wanting to work in the public sector for the public good. 
I got into technology because I was interested in, I guess, the power of new tools to like shape society and and create the modern world. So I knew I wanted to work in that area. And having had time in the private sector, I became more and more interested in devoting my efforts to something that was going to be for everyone's benefit. And because of the, because of the good that I think can be done there, but also because of the risk as well. I think you know government services still in so many places have a reputation for not being as good. And I think in order to build public trust in our society, we need to have services that people feel like are really high quality. And yeah, I wanted to, to lend my effort to do that. Vanessa Schneider: So you've obviously had a really good experience in the Fast Stream and at GDS, but were there some challenges that you faced? Maxwell Riess: I've said this to other people who are thinking about the Fast Stream and people who are in it who are struggling, by far, the best thing about the Fast Stream is its variability. The amount of different roles you can kind of gain experience in the different interactions you can get, the different circumstances and problems, spaces you'll get exposed to. That's all incredibly beneficial. But also it comes with a huge amount of variance and risk. And so I think that the challenges are all around whether or not you can deal with a slightly, ultimately, you can do you can do anything for six months. I think. And and really, it's about it's temporary. So it's about what you're going to get out of it. And if you think you can get something really valuable out of it, then it's worth sticking with. If not, then you need to be able to be a squeaky wheel and complain and kick up a fuss. Vanessa Schneider: That sounds like a lot of food for thought, then would you change anything if you had the opportunity to do what you wanted? 
Maxwell Riess: I mean, the Fast Stream itself is constantly changing like it is, it is really, you know because Fast Streamers are young and, and they've got ideas. They’re constantly giving feedback on the programme. And I think it can and should change. Daniel Owens: My name is Daniel Owens and I work as a Corporate Insight Lead at GDS. Vanessa Schneider: Did you always know you wanted to apply to the DDaT Fast Stream, or where did that decision come from for you? Daniel Owens: Well, I think I think I'm quite an unusual case in the sense that I'm probably a fair bit older than a lot of the other Fast Streamers. I know that the Fast Stream is becoming, it was originally created as a graduate scheme but increasingly it's becoming more of a developmental scheme. I decided to change careers and I was particularly interested in the tech sector. I thought that that is the most exciting and innovative area going forward. But also, I wanted to have meaningful and purposeful for work and feel that I was contributing to something rather than just the bottom line. And I've been particularly happy that I've been placed at GDS, the Government Digital Service, because of their excellent reputation. I have friends in the private sector and they all know about GDS. They know GOV.UK has a very good reputation around the world and in the private sector in terms of producing quality products. So I was quite excited to get this placement. Vanessa Schneider: So knowing what you know now, what kind of advice do you have to somebody who's considering applying to the DDaT Scheme? Daniel Owens: It's a tough question. In answering that, I would say, I think that my trajectory as an older, older starter is I would give different advice for an older person compared to a younger person. 
Because I think if you're straight out of uni or, you know, got just a couple of years of work experience, you're you're still sort of learning the world of work and like learning how to interact in that in that environment and what works for you and what doesn't. So, your sort of, your approach, I think, would be a bit different. For the son-if, for someone who's older, starting on the DDaT scheme, I would say first things first would be to work out what the key trajectories are, where the key roles are that you could go into, and from day one start thinking about to what extent they fit what you want to do and testing it all the time, like kind of, almost kind of like an agile approach, like a prototype, like going and meeting people. Vanessa Schneider: And is there anything you would change about your experience? Daniel Owens: I think, one thing that and this is advice I've got from a lot of Fast Streamers who are further along, is if the postings not working for you or you don't feel like you're doing the kind of work that is going to develop you, then you should push back and you should you should try and own the role and make the role. I mean, you know, there's going to be some mundane work that you're gonna have to do. It's inevitable. But you should also try and search for opportunities to do innovative, interesting things. And don't be afraid to approach people about that. James Lovatt: Hi, I'm James Lovatt. I'm one of the Assistant Private Secretaries in the Director General's Private Office at GDS. And I'm on the Fast Stream. Vanessa Schneider: To start us off. It'd be great to learn from you why you thought you wanted to apply to the DDaT Fast Stream. James Lovatt: So I applied for Fast Stream. I think ultimately for my own personal development. I found the previously I spent eight years working in the NGO sector. But I was really struggling to break through those digital marketing roles into more leadership positions. 
So I wanted to see how the Digital, Data and Technology Fast Stream could open up that world a bit wider for me, to, to see how the other ways of using digital technology to make an impact in the world. Vanessa Schneider: So your placement at GDS, what stage are you at in your placements? James Lovatt: So I've been on the Fast Stream for two years now. I've been in London for the last 12 months and with GDS for the last six months specifically. This is my fourth posting. Vanessa Schneider: Do you mind sharing what you've been doing in the Fast Stream so far, what your previous placements were about? James Lovatt: Yes, sure. So I joined two years ago. I started off with HMRC in a very technical team as a DevOps Product Team Lead. It's one of those where you kind of just get thrown in the deep end and you figure it out as you go along. But there was some really good people around me who helped in that journey. And then I moved up to Edinburgh to work in Scottish government as a Business Analyst where we were trying to onboard, or starting the process of onboarding, Office 365 to that 15,000 odd users. And then I moved down to London to work with DEFRA in a more data focussed role. Vanessa Schneider: And your role right now is as Assistant Private Secretary, you mentioned, right? James Lovatt: Correct. Yes. So I'm an APS in a team of about four people for Alison Pritchard. There's two APS's and then there's a private secretary and the head of private office. For me, this is has been the posting which has been most well suited to my career aspirations. I think I came in March just as the budget was being considered. And then within a couple of weeks, COVID also hit. So it also was a very insightful way to see how rapidly government can respond to a crisis, and how many services that GDS personally stood up as well to to make that an effective response. I'm fortunate that I've just found out that it's being extended. 
So I will be staying here for probably another 12 months as my third year posting as well. So it should hopefully give me some depth into what Private Offices can do. I enjoy seeing how senior leaders make their decisions and the influence and the end result of of that. So within six months, I've started to see the start of that process. But hopefully now I'll start to see the middle and end of some of those processes which I've been privy to so far. Vanessa Schneider: I'm so pleased to hear that that got extended. I was wondering if there was anything you would change about your Fast Stream experience or about the Fast Stream in general if there’s something you've noticed that could be improved? James Lovatt: I have had a good experience, but a lot of it's been in hindsight. At the time, it never necessarily felt that every posting was enjoyable for different reasons. But I think that's, because they were challenging me. So it meant that I was going through that growth, which was what I was initially seeking when I came on to the Fast Stream. I would poss-possibly change just how big sometimes the leap is between those and particularly with a six month postings, they don't let you get too grounded. I think the thing that I would change about it is, is some of the changes are already happening around diversity and inclusion. So I think my scheme intake in 2018 is reported on in media as not being very diverse. And that's something which I'm not particularly proud to be a part of that statistic. But it is something that drives the work that I do. So even working with Alison in Private Office, it, it's, it's been interesting to see how we can influence the future of the Fast Stream. And particularly in the last couple of years, a lot of those areas have been improving anyway, but I think there's always a lot further to go in there. There'll be unknowns as well in the future that we're not even thinking about right now. 
So trying to be ahead of a curve in that respect, in terms of inclusion and diversity rather than just catching up is what I'd like to change about the scheme. Jenny Sleeman: Hi, I'm Jenny Sleeman and I'm a Delivery Manager for the GOV.UK PaaS Team in GDS. So PaaS is Platform as a Service. So we are part of TechOps and Reliability Engineering. So our, our team has a platform that then other government services can host their services on our platform. And we look after kind of the security and the management of that platform, kind of providing backend services for all of our tenants. Vanessa Schneider: As this is our Fast Stream episode, are you doing this role as part of a Fast Stream placement or are you now a graduate of this Fast Stream? Jenny Sleeman: I'm a graduate of the Fast Stream. So I graduated from the Fast Stream a couple of years ago. My my last Fast Stream posting was actually at GDS. So I have been a Fast Streamer at GDS as well. But I'm now back at GDS. So yeah, seen it from both sides really. Vanessa Schneider: Do you mind telling us about your choice to apply for the DDaT Fast Stream? Jenny Sleeman: So I applied because I, I suppose I thought it was the most kind of interesting Fast Stream scheme. I was quite keen to pursue a career in the civil service. And I was I was interested in the digital side of things. I was working at Department for Education at the time and kind of we were having a think about some digital projects. So I was I was quite keen to sort of learn more really and try all the different postings. Vanessa Schneider: Do you mind taking us through the postings that you went through? Jenny Sleeman: So my first posting was with Ministry of Defence and I worked for the Navy in Portsmouth. So that was that was very, very different from kind of any of the jobs I'd had before that point. So I started my Fast Stream journey in MOD. And then I also had a posting in HMRC, a secondment out to the NHS, which was brilliant. 
And then also a six month posting at the Home Office. And then for the one year long postings, I worked for BEIS for one year and then GDS for my final year on the scheme. Vanessa Schneider: So you've been on a secondment. Do you mind telling me what that was like, whether there was a discernible difference to working for a civil service organisation compared to the NHS? Jenny Sleeman: Yeah, it was brilliant. In some ways, it was, it was probably the most interesting posting I had because it was so different to what I'd known in the civil service. It, it, I suppose it felt a lot more operational to some of the civil service postings I'd had because we were literally based in, in some offices in a hospital in London. So, you know, you were I felt so much closer to that kind of frontline, frontline workers, and your day to day activities could vary so much from kind of things that would be more similar to my role now kind of, you know, reporting in business cases, but then you could also find yourself actually going into one of the wards in the hospital and speaking to the family of patient, for example, if their surgery had had to be cancelled at short notice and kind of really trying to kind of reassure that that patient's family and the patient themselves. I have the utmost respect for people that work for the NHS because, yeah, it is it is a tough job, I think. Very tough. Vanessa Schneider: Are you still in touch with other members of your cohort? Jenny Sleeman: Yes, I am. Again, that's one that's one of the really, really nice things about the Fast Stream that you you start it with this cohort. And you're obviously always at the same point as them. So kind of when you rotate from one posting to another, you kind of have, you know, all of the chat about how has your first week gone? How are you finding things? Yeah, kind of that support was really important throughout the Fast Stream. 
And it's just really nice to see that the direction that different people have gone off in and kind of obviously some have stayed in government, some work outside government now. But yeah, it's really nice to have that group of people. Vanessa Schneider: And do you think that you had a different experience going into the Fast Stream because you were already an employee of the civil service? Jenny Sleeman: Possibly. I think I suppose the benefit to me was that I had a year of I suppose understanding how government worked a little bit from working for Department for Education. So I had some kind of prior experience. But as I say, because some of the postings are just so different, you kind of you know, you can work in one department and and working for another department is very, very different. So, yeah, I think if you already work for the civil service, there can be some benefits. But yeah, there's, there's, there's also no problem going in when you haven't worked for the civil service before. Lewis Dunne: Hi everyone. So my name is Lewis Dunne. I'm a Senior Technology Policy Adviser here at GDS. I sit within the Technology Policy Team and my role is focussed on researching, advising, briefing and producing guidance on ways to improve cross-government use of tech. And on top of that, I'm also a former DDaT Fast Streamer. I’m a bit fresh off the scheme, so I left and starting work at GDS in mid-March of this year - I was in the third year of the scheme when I left. Vanessa Schneider: So if you don't mind us casting back your mind to the beginnings of the GDS Fast Stream. I know it's not as long ago as some people who've completed the scheme, but I was wondering if you could share with us why you considered applying. Lewis Dunne: Yeah. So that there were a couple of different reasons. I applied in October 2016. At the time I was studying for a diploma in legal practise up in Scotland. 
I'd most enjoyed working on things that were linked to like public and administrative law, and I think I saw the Fast Stream as a better way of offering a route to be able to work in that broader area of public services a lot more. And certainly the idea of being able to contribute to improving public services felt far more real and more interesting to me than a lot of the more dry stuff that I was studying at the time. Vanessa Schneider: The law to data, digital and technology, that seems like a bit of a jump. Was there anything that had prepared you for that? Lewis Dunne: Yeah. No, it's a good point. So bit of context as well - I do come from a bit of a techie background: as a child, I was very into building websites, continued that at uni. My dad is a telecoms engineer. His dad helped build planes. And just before applying really in the year before my studies, I'd also been working on a research project that was trying to build a database of sort of peace agreements to allow them to be compared. And that was a really interesting use of what was a really interesting ability to actually see a digital system in a different way, helping to analyse a real world problem. So, so my head was very much still in that space. Vanessa Schneider: Do you mind telling me about your first placements? Lewis Dunne: So I've worked in a number of different places. So five placements in total. They've all actually had a bit of an international flavour, I suppose. I started off at Department for International Trade, working as a content designer on an export licencing programme. I then moved over to the Foreign Office where I was a product owner for their telecom system. I worked at the Department for Transport as a cyber security policy analyst, then back to GDS as a tech policy analyst. And then finally, just before this, I was working at the Department for International Development up in East Kilbride as a product owner, helping with their development data publishing. 
To some extent of a lot of my roles have been because I've been quite willing just to get my hands dirty and get involved in a lot of different things and also being willing just to be moved around a bit. Vanessa Schneider: You brought the scheme to an early end by accepting a job offer. Was there anything that you sort of feel like you've missed out on because you've exited the scheme early? Lewis Dunne: I mean, the whole thing about the scheme is that it is designed to get people to a stage of feeling like they are empowered and that they can go and make decisions and and lead, because I guess primarily as a leadership scheme, it's about getting, building us up as people. And when I compare where I am now and how I feel and how I act, everything like that to the to the timid, shy guy that walks into DIT back in I guess, like mid 2017, I have I had developed a lot as a person by the time I applied for this role at GDS, so I felt ready in that regard. Vanessa Schneider: Do you wish that you'd changed anything about your experience in the Fast Stream? I know, for instance, some people have gone on secondments to other public sector organisations or charities or even private sector companies. Lewis Dunne: I don't think there's any of my experiences on the Fast Stream that I'd want to give up or trade in for something else. I don't feel like any of the things was like a needless waste of time or anything or like not a waste of time, but, you know, was could be swapped out. So it's difficult to look back. And I think in terms of thinking about how we change things over the course of the Fast Stream, there's just a big angle about, you know, you develop so much as a person over those several years of being put into all of these different positions that if I was in different roles, I probably would have handled problems differently, and people acted with people differently in some areas. 
But I guess that's just part of, you know, learning and growing as a person more generally. Vanessa Schneider: Gosh, that got very philosophical. Lewis Dunne: I remember my cohort leader asking me about that. And she had suggested that I go on a secondment and that would have been, I guess, in place of my time at GDS, and I think actually my time I spent GDS helped me identify an organisation that I really I really liked, I really liked the culture and that I wanted to work in more. So if I've had lost that, I guess I would have gained something different. But I think it's, it's helped me get to where I am now. Vanessa Schneider: Do you think that it was good coming into the Fast Stream out of academia, or do you think that it makes a difference? Or is it just such a scheme that it doesn't matter what your previous knowledge is, you kind of start from ground zero? Lewis Dunne: It's, it's is a really interesting point, because I guess one of the things that I've developed a lot over the last couple years, but I think part of that has just been all these like different experiences, because it's it's kind of like how you imagined the people in Love Island must feel, you know. For you looking in, it looks like it's only a week but I think for them it feels like a year kind of thing. And I think a lot of postings feel a bit like that. You're only there for several months, but it can feel like a very long period of time for you. And so it does help you build up a lot of experiences and to help me build up a lot of experiences and get a lot of different. It's almost equivalent of doing, you know, like five different mini jobs in the space of, like a couple of years. And I think all of those contributions helped me develop. So I guess if maybe if I'd come into a bit like older and stuff than I might have had a bit more of like a solid base to start with. 
So, yeah, I, I think it is one of these things where by just so it can be both useful coming from academia and you know, it's also very useful to come in with a broader knowledge of it. I'm sure that will give you a huge leg up. And if people are thinking about like a change of role or a change of like career and things, I think, you know, in terms of getting like a crash course in digital in government, the Fast Stream is a great way of getting that. Vanessa Schneider: Thank you so much to all of our guests for coming on today. You can listen to all the episodes of the Government Digital Service podcast on Apple Music, Spotify and all other major podcast platforms. And the transcripts are available on Podbean. Goodbye.
Recorded in January 2020, we spoke with Sachin Chandran, who is currently Executive Director and Head of Pharmaceutical Sciences at Catabasis Pharmaceuticals, Inc. in Boston. Sachin’s responsibilities include oversight of CMC, Tech-Ops and supply chain along with matrixed interactions with regulatory, quality, biology, clinical and commercial. Working in a lean organization and a virtual environment, Sachin brings a strategic mindset while operationalizing with a can-do attitude with the goal to aid in the successful development and commercialization of edasalonexent. Previously, Sachin has been at Vertex Pharmaceuticals, Inc. and Bristol Myers Squibb Co. in roles of increasing responsibility, courtesy of which he is well-versed in the development of oral dosage forms, biologics and injectables, and inhalation. Over the course of his career, Sachin has been involved in the advancement of new therapies for diseases such as Alzheimer’s, and rare diseases like Cystic Fibrosis and Duchenne Muscular Dystrophy. Sachin holds a Ph.D. in Chemical and Biomolecular Engineering from the Johns Hopkins University where his graduate work was focused on new modalities in the treatment of prostate cancer.
Tips on how to be a niche marketing success story with James Soto By focusing on the industrial sector niche, really understanding it, we've been able to really build that empathy, knowledge and actually help them grow their businesses. I think the big lesson we learned is that you have to slow down in order to speed up. Further, you have to know that everything starts with strategy. One of my beliefs is I believe you've got to make your way of doing business obsolete before generational technology, market forces, or the competition does. "What do we really know about critical metrics that will either predict the success or failure of our efforts?" And you're willing to call out the fact that maybe there isn't a commitment to the marketing function. Doug Morneau: Well, welcome back listeners to another episode of Real Marketing Real Fast. Today my guest in studio is James Soto. He is an industrial marketing pioneer. I had a great conversation with him. He left some great tips in terms of strategy and tactics in marketing. I think you're really going to enjoy this episode. The big plus I want you to get away ... to get from this episode as well as listen to his business model, how he's niched down and he sells his services at a premium and he's in demand. A little bit about James. James is a three-time Inc 5000 fastest growing company leader. He's a keynote speaker and recognized contributor to Fabtech, HubSpot, Modern Machine Shop, Mashable, and LinkedIn events. 
As well, he is also the host of Industrial Strength Marketing on YouTube where he shares about his marketing insight that helps industrials make marketing the strengths of their business. As the founder and CEO of Industrial, one of North America's top marketing ENCs, James has worked with major B2B brands and industrial brands, such as motion and industry Schneider Electric, ABB, [Bulford 00:01:12], SKF, Coates, Hunter Fan, NIST, PAM Transport, AS&E, and Manufacturing USA. Doug Morneau: James is also a prolific visionary and he's responsible for branding and co-producing manufacturing day, which was the largest industrial sector promotion in US history. Now, he's the co-founder of Nashville Made. It's a community focused on making way for manufacturers to thrive in Nashville's urban core. Born industrial, raised digital, James shares his point of view as to why leaders, marketers, and sellers must make their way of living and marketing obsolete before generational technology market forces or the competition does. I'd like to welcome James to the Real Marketing Real Fast podcast today. Hey, James, so excited to have you on the show today. Welcome to the Real Marketing Real Fast podcast. James Soto: Great to be here, Doug. Doug Morneau: Do you want to take 30 seconds or a minute and just give a high-level view of what you guys are doing and how you're helping your clients move the dial? James Soto: Yeah. I'd be happy to. I'm the founder and CEO of Industrial. We are a brand business growth consultant. We're focused squarely on the industrial sector. Really what we do and what we ultimately promise is to help our clients be better marketers and sellers of their industrial products and services. Really, we help them with the mindset that they have to be great marketers where they are not. We built a strong business around that growth consultancy in a brand and business positioning strategy. 
The fully integrated marketing mix, digital marketing TechOps and enablement, and analytics and insights practice. By focusing on the industrial sector, really understanding it,
On today's episode, you’ll hear how Bethany Abbott went from filling prescriptions as a pharmacy tech to transforming the on-call culture at NS1 as the Tech Ops manager...but not before experiencing what it’s like to be the only woman in a massive lecture hall...in all of her classes. Now Bethany is on a mission to bring diversity to our industry by introducing young girls to math and tech early in their education through her organization. Bethany has some incredibly insightful tips for hiring and managing a diverse, resilient tech team that truly loves coming to work - you won’t want to miss this!
Sean McAfee, Director of TechOps at JazzHR, and Patrick Graham, technical lead on Postmark’s customer success team, talk to us about inbound email processing. We discuss how inbound processing and parsing works and then explore how JazzHR, a leader in the recruiting software industry, utilizes this functionality to power two-way messaging for their platform. By providing this behind the scenes look into two-way message processing, we hope that you’ll come away with some ideas on how you might be able to implement inbound email for your business or side-project.
In this episode I spoke with Manuela Morales, a Colombian, a Mechanical Engineering student at UCF and Propulsion Engineering Co-Op at Delta Airlines. We talked about her passion for airplanes, her work at Delta as a Co-Op, everything about Delta Airlines and its benefits, and what it is like to be a woman, Latina and immigrant in a traditionally male environment. Connect with Manuela via LinkedIn: Manuela Morales. Resources mentioned: Avianca; Society of Women Engineers Valencia College; Society of Hispanic Professional Engineers - SHPE; Calm - meditation app, recommended for those who do not like flying; Turbulence Forecast; APU; Fly-by-wire; Relay For Life. Want to help us grow?: Leave us a review on iTunes; send us a message at ConexionesPodcast@gmail.com; share it with a friend. Timestamps: 01:00 – Welcoming Manuela Morales; 01:57 – About Manuela and how she came to Orlando; 02:41 – Companies Manuela has worked for; 04:37 – How a Co-Op works; 06:54 – Where Manuela's passion for aviation comes from; 14:40 – Manuela's work at Delta; 16:29 – Manuela's work as an intern (co-op) at Delta; 21:27 – #Woman, #Latina, #Engineer working among men with more than thirty years of experience; 30:36 – Women mechanics at Delta?; 33:10 – How to get a Co-Op or a job at Delta; 41:15 – Delta's benefits, and Manuela's favorite; 45:18 – Final words for the audience. About the episode: Manuela is originally from Colombia and has lived in an environment of flights and airplanes. Her father was an Avianca pilot, flying more than six times a day, and when he retired the whole family moved to Florida in the US. Manuela went to Valencia College and graduated with an Associate's Degree in Engineering. She is currently studying at UCF, pursuing her bachelor's degree in Mechanical Engineering. Manuela has a passion for aviation, which began when she started studying engineering. 
Joining the “Society of Hispanic Professional Engineers” group, starting the “Society of Women Engineers at Valencia College” chapter, and meeting other professionals and students allowed her to take a greater interest in everything her father said about the work of being a pilot. Another reason for her passion is having seen for the first time, at Honeywell, the small and powerful APU turbine that allows an airplane to fly. Manuela has worked at several companies such as Cinnabar, Limbach, Lincoln Electric, where she did her first internship, Honeywell, Walt Disney World, and Siemens, among others. She currently works at Delta TechOps at the Atlanta airport, a division of Delta Airlines responsible for the repair, overhaul and maintenance of aircraft turbines. This division also offers its services to customers, both presidential aircraft and transport aircraft. She works as a Co-Op in the “Propulsion Engineering” group and deals with the maintenance and safety of the turbines. All aircraft have different turbines, which is why each team has engineers working on different components, as well as other engineers working on and overseeing the processes to repair and check the aircraft's turbine at the time of departure. A Co-Op is a long-term, full-time internship in which the intern works one semester and studies the next. The internship at the company lasts approximately a year and a half. During that time the interns are taught and prepared for the final stage, in which they will be doing the work of a full-time engineer at the company. During the semesters there are evaluations in which the intern sets their goal and says what they expect from Delta, and the company says what it expects from the intern. The evaluations are divided into three stages: initial, middle and final, and are documented for the final decision, when three or four Co-Ops are chosen out of the hundred hired during the year. 
In the first semester they try to familiarize the interns with the turbine, placing them ...
En este episodio hablé con Manuela Morales, Colombiana, estudiante de Ingeniería Mecánica en UCF y Propulsion Engineering Co-Op en Delta Airlines. Hablamos de su pasión por los aviones, su trabajo en Delta como Co-Op, todo acerca de Delta Airlines y sus beneficios, y cómo es ser mujer, latina e inmigrante en un entorno tradicionalmente masculino. Conéctate con Manuela vía linkedin: Manuela Morales Recursos mencionados: AviancaSociety of Women Engineers Valencia CollegeSociety of Hispanic Professional Engineers - SHPECalm - aplicación para meditar; recomendable para los que no les gusta volarTurbulence ForecastAPUFly-by-wireRelay For Life Nos quieres ayudar a crecer?: Déjanos una reseña en ITunesMandanos un mensaje a ConexionesPodcast@gmail.comCompártelo con un amigo Timestamps: 01:00 – Dando la bienvenida a Manuela Morales01:57 – Acerca de Manuela y cómo llegó a Orlando02:41 – Compañías en las que ha trabajado Manuela04:37 – Cómo funciona un Co-Op06:54 – De dónde viene la pasión de Manuela por la aviación14:40 – El trabajo de Manuela en Delta16:29 – El trabajo de Manuela como pasante (co-op) en Delta21:27 – #Mujer, #Latina, #Ingeniera trabajando entre hombres con más de treinta años de experiencia30:36 – Mujeres mecánicas en Delta?33:10 – Cómo conseguir un Co-Op o trabajo en Delta41:15 – Beneficios de Delta, y el favorito de Manuela45:18 – Últimas palabras para la audiencia Acerca del episodio: Manuela es originalmente de Colombia y ha vivido en un entorno de vuelos y aviones. Su padre era piloto de Avianca volando más de seis veces por día, y cuando se retiró, toda la familia se mudó a Florida en EEUU. Manuela fue a Valencia College y se recibió con un Associate's Degree en Ingeniería. Actualmente está estudiando en la universidad de UCF cursando su licenciatura en Mechanical Engineering. Manuela tiene pasión por la aviación y comenzó cuando se puso a estudiar ingeniería. 
Unirse al grupo de “Society of Hispanic Professional Engineers”, empezar el capítulo de “Society of Women Engineers at Valencia College” y conocer a otros profesionales y estudiantes, le permitió ver con mayor interés todo lo que su padre comentaba acerca de la tarea de ser piloto. Otro motivo de su pasión es haber visto por primera vez en Honeywell la pequeña y potente turbina APU que permite el vuelo de un avión. Manuela ha trabajado en varias empresas como Cinnabar, Limbach, Lincoln Electric donde realizó su primera pasantía, Honeywell, Walt Disney World, y Siemens entre otros. Actualmente trabaja en Delta TechOps dentro del aeropuerto de Atlanta, una división de Delta Airlines, encargada de la reparación, revisión y mantenimiento de las turbinas de los aviones. Esta división también ofrece sus servicios a clientes, tanto aviones presidenciales como a los de transporte. Ella trabaja como Co-Op en el grupo de “Propulsion Engineering” y se ocupa del mantenimiento y la seguridad de las turbinas. Todos los aviones tienen diferentes turbinas, y es por ello que en cada equipo hay ingenieros trabajando en distintos componentes, así como también hay otros ingenieros trabajando y viendo los procesos para reparar y controlar la turbina del avión al momento de salir. Un Co-Op es una pasantía a largo plazo de tiempo completo, en donde el pasante trabaja un semestre y en el otro estudia. La pasantía en la empresa dura aproximadamente año y medio. En ese tiempo enseñan y preparan a los pasantes para la etapa final, en la que estarán haciendo el trabajo de un ingeniero full time en la empresa. Durante los semestres existen evaluaciones en las que el pasante coloca s...
En este episodio hablé con Manuela Morales, Colombiana, estudiante de Ingeniería Mecánica en UCF y Propulsion Engineering Co-Op en Delta Airlines. Hablamos de su pasión por los aviones, su trabajo en Delta como Co-Op, todo acerca de Delta Airlines y sus beneficios, y cómo es ser mujer, latina e inmigrante en un entorno tradicionalmente masculino. Conéctate con Manuela vía linkedin: Manuela Morales Recursos mencionados: AviancaSociety of Women Engineers Valencia CollegeSociety of Hispanic Professional Engineers - SHPECalm - aplicación para meditar; recomendable para los que no les gusta volarTurbulence ForecastAPUFly-by-wireRelay For Life Nos quieres ayudar a crecer?: Déjanos una reseña en ITunesMandanos un mensaje a ConexionesPodcast@gmail.comCompártelo con un amigo Timestamps: 01:00 – Dando la bienvenida a Manuela Morales01:57 – Acerca de Manuela y cómo llegó a Orlando02:41 – Compañías en las que ha trabajado Manuela04:37 – Cómo funciona un Co-Op06:54 – De dónde viene la pasión de Manuela por la aviación14:40 – El trabajo de Manuela en Delta16:29 – El trabajo de Manuela como pasante (co-op) en Delta21:27 – #Mujer, #Latina, #Ingeniera trabajando entre hombres con más de treinta años de experiencia30:36 – Mujeres mecánicas en Delta?33:10 – Cómo conseguir un Co-Op o trabajo en Delta41:15 – Beneficios de Delta, y el favorito de Manuela45:18 – Últimas palabras para la audiencia Acerca del episodio: Manuela es originalmente de Colombia y ha vivido en un entorno de vuelos y aviones. Su padre era piloto de Avianca volando más de seis veces por día, y cuando se retiró, toda la familia se mudó a Florida en EEUU. Manuela fue a Valencia College y se recibió con un Associate’s Degree en Ingeniería. Actualmente está estudiando en la universidad de UCF cursando su licenciatura en Mechanical Engineering. Manuela tiene pasión por la aviación y comenzó cuando se puso a estudiar ingeniería. 
In today’s intensely competitive markets, most business leaders recognize the imperative to innovate. But that recognition doesn’t always lead to results. Many companies still struggle to deliver meaningful innovation — something that adds value to their customers. Our regular podcast host Alexey Boas is joined by Swapnil Deshpande, Global Head of Product Innovation and Incubation at ThoughtWorks. Together they explore how to break down the barriers to innovation, using practical examples from ThoughtWorks’ internal TechOps incubator initiative.
In this episode we talked with Barak Ben Rachel, Head of TechOps, and Roy Amitai, DevOps team lead at Armis, about how it really works and what they look for in developers for the company. DevInsider by develeap: develeap enables software development organizations to realize the full potential of their development organization. We are an elite unit of experienced software and DevOps people that helps the development manager build the architecture, choose the technology and implement the processes that enable fast delivery of releases to the cloud or on-site. develeap is a bootstrapped company whose goal, as part of the company vision, is to involve its employees in the decision-making process and to maintain diverse human capital. develeap currently employs about 50 people and, as mentioned, plans to train and employ about 40 more DevOps experts in 2019. Armis: Under the hood
I sat with Janet Lamkin from United Airlines on February 28, 2019 after a ceremonial ground-breaking for the airline's new TechOps facility at Los Angeles International Airport.
No sooner had we done episode 49 (and indeed, we really hadn't) than it was time for the episode with the jubilee number fifty. We tried to fit in the unfittable and talk about trends in testing, programming, devops-ing and, of course, how to properly wear socks with flip-flops this season. Spoiler: it didn't fit. Episode topics: Trends in IT; Trends in development processes; Trends in testing; Visual testing; eggplant.io; manual testing; automation; What is going out of trend; Conferences and trends. Guests: Mikhail Chumakov - has long worked in quality assurance, works at TechOps., originally from St. Petersburg, lives in Moscow, member of the program committees of Heisenbug and SQA Days. Talkative. Seva "For Piter and Smart Colleagues" Brekelov, a developer with a dark past, from the Heisenbug program committee, Saint Petersburg. Hosts: Navigator - Sergey Atroshchenkov (Saint Petersburg, coach and trainer); Helmsman - Alexey Vinogradov (Dormagen, 11 years at the helm of Vinogradov IT-Beratung)
Ready For Takeoff - Turn Your Aviation Passion Into A Career
I first attended the 23-acre United Airlines Flight Training Center in 1978. At the time, it was still a fairly-new facility, with the initial four buildings constructed in 1968. After completing my Initial Flight Officer training, I was invited to remain on campus as a B-727 instructor for a year before assuming my duties as a B-727 Second Officer (flight engineer) in San Francisco. Throughout my employment at United, I spent half my career - 13 years out of 26 - as an instructor at the Training Center. I saw numerous changes, including the closure of nearby Stapleton airport and the construction of the "new" F building, which housed additional offices and simulators. After retirement, I occasionally returned to the Training Center to administer simulator training as a private consultant for other companies. The last time I was there for work was about three years ago. I have to admit, the building was starting to look a bit long in the tooth. Last week I attended a New Pilot Expo at the United Flight Training Center, for the Metropolitan State University of Denver Aviation Department, where I teach. From the outside, the campus looks pretty much the same, except for some construction on the south side. Once I entered, I was blown away. Captain Mike McCasky, the Managing Director at United, made an impressive presentation, and every attendee was inspired to become a pilot with United. At the end of the presentations, we all received a tour, and were given the opportunity to see the simulators, flight training devices, and classrooms. The entire facility has been renovated, and it looks awesome! I recognized the hallways, but was completely lost among the new offices and state-of-the-art classrooms. There are currently 31 full flight simulators and 10 flight training devices in operation. Another 8 simulators and 4 flight training devices are planned. 
When the additional construction is complete, the Flight Training Center will be the largest airline training facility in the world. United will be conducting sixty thousand training events this year, and will use over one hundred thousand hotel rooms for trainees. In addition to pilot training, United conducts pilot interviews, flight attendant recurrent training, and Tech Ops training at the facility.
Venturi's Voice: Technology | Leadership | Staffing | Career | Innovation
In this episode Andy Davis talks to John Louis Petitbon, Sr Director, Platform Engineering at Lifion by ADP. Johnlouis discusses the role of SREs with Andy. They chat about the similarities SREs share with the DevOps methodology. Andy also asks Johnlouis about his move into management and later leadership. Johnlouis is a senior technology professional specializing in TechOps, SRE and DevOps. He is experienced in building teams and managing rapid growth in small to medium enterprises. Show Notes: 1.09 What are the responsibilities of SRE? 4.17 Is there a linear path into an SRE team? 14.22 Do you see SRE as a methodology similar to agile? 19.45 Johnlouis' background and career development. 23.13 Johnlouis’ first steps into management and then leadership. 28.48 The importance of continued learning. 31.23 Do you think SREs are going to evolve in the ways that they operate?
In this final Agile Camp episode we talk with Stacey Louie, Enterprise Agile Coach and former CIO/CTO heading Product Management, Software Development, and TechOps and co-founder of Agile Camp. We sum up our thoughts on the event and get Stacey's perspective and thoughts on how he has helped create an amazing opportunity for Agile professionals to meet.
NAB 2017 (episode 2) 1. The PowerRay from PowerVision. An underwater ROV (aka VIDEO DRONE): Interview w/ Greg Glover. For more info go to http://powervision.me/en/ 2. Light & Motion: Lighting for extreme remote video productions. Experience the speed and freedom of cable-free lighting - redefine what it means to "run & gun" & untether your scene with perfect lighting. http://www.lightandmotion.com/ This episode of Pod Diver Radio is brought to you by Technical Operations. “Tech-Ops” is a technology services and staffing solutions provider for Broadcast Engineering, Audio Visual Communication, and Information Technology. Since 1994, Tech-Ops has been an industry leader in introducing, integrating, and supporting the ever-evolving AV, IT and Broadcast technologies for the corporate, financial, education, government, broadcast and entertainment industries. For more info contact Christopher Dole, at www.tech-ops.com
NAB 2017 (episode 1) 1. VR Technology for High End Production. Interview w/ Tarif Sayed (Digital Media Executive | Virtual Reality Expert) Nokia Technologies. Maker of the OZO VR Camera System https://ozo.nokia.com/vr 2. Broadcast Video-Audio-IP TECH. Interview w/ Tony Klick & Jesse Foster from COBALT DIGITAL. We discuss Broadcast Engineering and Open Gear technology. http://www.cobaltdigital.com/ This episode of Pod Diver Radio is brought to you by Technical Operations. “Tech-Ops” is a technology services and staffing solutions provider, for Broadcast Engineering, Audio Visual Communication, and Information Technology. Since 1994, Tech-Ops has been an industry leader in introducing, integrating, and supporting the ever evolving AV, IT and Broadcast technologies for the corporate, financial, education, government, broadcast and entertainment industries. For more info contact Christopher Dole, at www.tech-ops.com
Ryan Black, Director of Technical Operations at Bugcrowd, sits down with Sam Houston to explore how the TechOps team triages and validates all of the bug submissions that come in to Bugcrowd. This team handles tens of thousands of bugs a year, so they see a bit of everything. Tune in to learn more about how Ryan's team handles this important task!
Staff Rep Rich (DJ Worldwide) joins Tech Ops Assistants Hanoi and Rachel for the perfect podcast. The discussion comes full circle talking about adobo seasoning, cinnamon crackers and hot chocolate, a drive around Freehold, and so much more. The official Tech Ops counter came to 14 with 1 Tech Ops and 2 Technicallys. End song: Harbinger, Protest the Hero
In episode 45 of WSOU’s podcast, The Conductor, DJ Vishy (Fishy) and Tech Ops assistant Bridget explore thrash metal, the Conductor’s vast knowledge of metal bands, and his favorite new music, none of which DJ Vishy realized came out; The recent WSOU Presents Show featuring Hatebreed and so much more!
The Conductor and graduating senior Dylan join Tech Ops assistant Rachel for episode 41 of the podcast. They discuss Florida, classic movies, and the recent news about Ozzy Osbourne. They also celebrate Twilight Zone Day and their love of Humphrey Bogart. (End Song: "A.D" By Hatebreed)
The new Tech Ops members sit down to start their terms and they don’t know each other’s names. New Tech Ops director Grant shows his age when he acts like a dad to his new assistants Charlotte and Rachel; Charlotte gets some craft ideas, our haunted station is discussed and a secret is revealed! Also, Michael J. Fox. All of this and more during this week’s podcast! (End Song: “Aggressive” by Beartooth)