On this week's show, Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:
Cleo file transfer products have a remote code exec, here we go again!
Snowflake phases out password-based auth
Chinese Sophos-exploit-dev company gets sanctioned
Romania's election gets rolled back after TikTok changed the outcome
AMD's encrypted VM tech bamboozled by RAM with one extra address bit
Some cool OpenWRT research
And much, much more.
This week's episode is sponsored by Thinkst, who love sneaky canary token traps. Jacob Torrey previews an upcoming Black Hat talk filled with interesting operating system tricks you can use to trigger canaries in your environment. You won't believe the third trick! Attackers hate him!
This episode is also available on YouTube.
Show notes
Cleo Software Actively Being Exploited in the Wild CVE-2024-50623 | Huntress
Blue Yonder investigating data leak claim following ransomware attack | Cybersecurity Dive
Snowflake to phase out single-factor authentication by late 2025 | Cybersecurity Dive
Treasury Sanctions Cybersecurity Company Involved in Compromise of Firewall Products and Attempted Ransomware Attacks | U.S. Department of the Treasury
Another teenage hacker charged as feds continue Scattered Spider crackdown | The Record from Recorded Future News
Germany arrests suspected admin of country's largest criminal marketplace | The Record from Recorded Future News
FCC, for first time, proposes cybersecurity rules tied to wiretapping law | CyberScoop
Russian state hackers abuse Cloudflare services to spy on Ukrainian targets | The Record from Recorded Future News
Cloudflare's pages.dev and workers.dev Domains Increasingly Abused for
Romania annuls presidential election over alleged Russian interference | The Record from Recorded Future News
EU demands TikTok 'freeze and preserve data' over alleged Russian interference in Romanian elections | The Record from Recorded Future News
Research Note: Meta's Role in Romania's 2024 Presidential Election - CheckFirst
Key electricity distributor in Romania warns of ‘cyber attack in progress' | The Record from Recorded Future News
Backdoor slipped into popular code library, drains ~$155k from digital wallets - Ars Technica
AMD's trusted execution environment blown wide open by new BadRAM attack - Ars Technica
New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader – PT SWARM
Telegram partners with child safety group to scan content for sexual abuse material
Apple hit with $1.2B lawsuit after killing controversial CSAM-detecting tool - Ars Technica
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
How do I turn on the Do Not Track feature? | Firefox Help
In this Soap Box edition of the podcast Patrick Gray chats with Thinkst Canary founder Haroon Meer about his “decade of deception”, including:
A history of Thinkst Canary, including a recap of what they actually do
A look at why they're still really the only major player in the deception game
A look at what companies like Microsoft are doing with deception
Why security startups should have conference booths
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Haroon Meer, Founder and CEO at Thinkst, about the company's evolution over the past 15 years, its focus on hacker-like internal culture, and the UK NCSC's new deception network.
Show notes
Building a nation-scale evidence base for cyber deception
Hacking as a pathway to building better Products
On today's Demo Day Trey Ford and RSnake sit down with Haroon Meer, the CEO of Thinkst, and discuss his Canary product, a super simple honeypot and honeytoken product that gives customers an extremely high signal-to-noise ratio and reduces dwell time.
We've made a slight tweak to the news format, only focusing on the most interesting funding and acquisition stories. As always, you can go check out Mike Privette's Return on Security newsletter for the full list of funded and acquired companies every week. This week, we discuss two $100M+ rounds, from Huntress and Semperis. We also discuss NetSPI's acquisition of Hubble, and the future of the CAASM market.
We focus on the importance of detection engineering, echoing some of Martin Roesch's thoughts from our interview with him just before the news. One story is from the excellent DFIR Report, a website and newsletter you should absolutely be subscribed to if detection engineering is important to you. The other story is from Thinkst, and showcases their ability to create file share honeypots with file listings that can now be tailored to specific industries.
We discuss the results of some polls that RSnake ran on Twitter, to get feedback from folks on what they think about these models where CISOs are reportedly getting kickbacks for buying products from companies they advise. We also discuss the latest whistleblower insights about Microsoft and the state of security there, and the recent Polyfill.io incident that targeted over 100k websites with malware.
Finally, we spend the rest of the news segment discussing the current state of Generative AI, from our own perspectives, but also through the lens of Bruce Schneier's latest blog post, a year-old post from Marc Andreessen, and a rage-fueled rant from an angry Aussie. Don't miss the squirrel story - we highly recommend sending it to all your PhD friends (or not, if they're easily insulted and/or likely to hold a grudge).
Show Notes: https://securityweekly.com/esw-366
We all might be a little worn out on this topic, but there's no escaping it. Executives want to adopt GenAI and it is being embedded into nearly every software product we use in both our professional and personal lives. In this interview, Anurag joins us to discuss how his company evaluated and ultimately integrated AI-based technologies into their products. We discuss:
What to be aware of when deploying GenAI
Key use cases and successes organizations are having with GenAI
Some of the risks to be aware of
How to prepare employees for GenAI
Best practices to prepare for evolving threats
For decades, security teams have been focused on preventing and detecting threats, only to find themselves buried so deep in alerts, they can't detect anything at all! We clearly need a different approach, which will be the topic of our conversation today with Marty. We'll be discussing a shift in philosophy and tactics. We'll discuss whether SecOps has a hoarding problem, and possible paths out of the current situation preventing today's teams from successfully detecting attacks. Finally, we'll discuss the impact AI has on all this (if any).
Segment Resources:
Why It's Time to Evolve from Threat-centric to Compromise-centric Security
Evolve from Threat-Centric to Compromise-Centric Security
How to Close the Visibility Gaps Across Your Multi-Cloud Environment
Defend HPC Data Centers with Frictionless Security & Observability
We've made a slight tweak to the news format, only focusing on the most interesting funding and acquisition stories. As always, you can go check out Mike Privette's Return on Security newsletter for the full list of funded and acquired companies every week. This week, we discuss two $100M+ rounds, from Huntress and Semperis. We also discuss NetSPI's acquisition of Hubble, and the future of the CAASM market.
We focus on the importance of detection engineering, echoing some of Martin Roesch's thoughts from our interview with him just before the news. One story is from the excellent DFIR Report, a website and newsletter you should absolutely be subscribed to if detection engineering is important to you. The other story is from Thinkst, and showcases their ability to create file share honeypots with file listings that can now be tailored to specific industries.
We discuss the results of some polls that RSnake ran on Twitter, to get feedback from folks on what they think about these models where CISOs are reportedly getting kickbacks for buying products from companies they advise. We also discuss the latest whistleblower insights about Microsoft and the state of security there, and the recent Polyfill.io incident that targeted over 100k websites with malware.
Finally, we spend the rest of the news segment discussing the current state of Generative AI, from our own perspectives, but also through the lens of Bruce Schneier's latest blog post, a year-old post from Marc Andreessen, and a rage-fueled rant from an angry Aussie. Don't miss the squirrel story - we highly recommend sending it to all your PhD friends (or not, if they're easily insulted and/or likely to hold a grudge).
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-366
In this Risky Business News sponsored interview, Tom Uren talks to Marco Slaviero, Thinkst's CTO, about staying current with modern attack trends and not falling for the trap of optimising to catch red teams.
In this Risky Business News sponsor interview Tom Uren talks to Haroon Meer of Thinkst Canary. They discuss how network attackers win, how their tactics have changed over time and what this means for network defenders.
In this week's edition of the show Patrick Gray and guest co-host Dmitri Alperovitch discuss:
Major telco in Ukraine taken down by Russia
Apple and Facebook go all in on e2ee
Why 702 reauthorisation is looking a bit sketchy
The USG wants your push notifications
The year in review, plus some predictions for 2024
This week's show is brought to you by Thinkst Canary. Haroon Meer, Thinkst's founder, is this week's sponsor guest. He joins us to talk about APT groups pivoting to living-off-the-land techniques.
This week we're joined by Haroon Meer from Thinkst — the makers of Canary and Canary Tokens. Haroon walks us through a network getting compromised, what it takes to deploy a Canary on your network, how they maintain low false-positive numbers, their thoughts and principles on building their business (major wisdom shared!), and how a Canary helps surface network attacks in real time.
A hosted panel discussion with industry leaders to explore what advantages the SecOps Cloud Platform confers for ecosystem builders. The panel is moderated by LimaCharlie's Head of Product, Matt Bromiley. The panel participants are:
Senior Security Researcher at Thinkst, Casey Smith
Security Evangelist at RunZero, Huxley Barbee
Head of Tines Labs, John Tuckner
What is the SecOps Cloud Platform?
The SecOps Cloud Platform is a construct for delivering the core components needed to secure and monitor any given organization: things like deploying endpoint capabilities through a single agent regardless of the technology, alerting and correlating from logs regardless of the source, and automating analysis and response regardless of the environment.
The SecOps Cloud Platform is:
An environment where many solutions can exist, not as a collection of random tools, but as a series of cybersecurity solutions designed to interoperate in an un-opinionated way, from the ground up; where powerful systems can be put in place at incredible speeds.
An environment fundamentally open through APIs, documentation, integrability, affordability; making it a neutral space for all cybersecurity professionals, whether they're in enterprise, services or vendors, to build appropriate solutions.
The Cybersecurity Defenders Podcast: a show about cybersecurity and the people that defend the internet.
OpenTF announces they're forking Terraform and joining the Linux Foundation, Meta gets in the LLM-for-codegen game with Code Llama, Matt Mullenweg announces WordPress.com's new 100-year plan, Paul Gichuki from Thinkst learns that default behaviors stick (and so do examples) & Marco Otte-Witte makes his case for Rust on the web.
Incredibly, the seemingly simple task of managing corporate-owned devices is still a struggle for most organizations in 2023. Maybe the best MDM for Mac doesn't work with Windows, or the best MDM for Windows doesn't work with Mac. Maybe neither has Linux support. Perhaps they don't provide enough insight into the endpoint, or control over it. Whatever the case, security leaders never seem satisfied with their MDM solution and are always investigating new ones. Now, Kolide has stepped in with a unique approach to device management, combining the flexibility and industry support of osquery and built to integrate with IdP giant Okta. We discuss Kolide's entrance into the device management space and the current state of MDM - what's wrong with it, and how does Kolide propose to fix it?
This segment is sponsored by Kolide. Visit https://securityweekly.com/kolide to learn more about them!
Segment description coming soon!
Record funding levels over the last two weeks top 2023 and the same time last year. We discuss Palo Alto's plans for the future, CISA's analysis of the LAPSUS$ hacking group, and the uselessness of Quantum Security pitches. Chrome adds the ability to alert users about malicious extensions. A great post from Thinkst has us talking about why vendors (and buyers) need to be careful about default behaviors and documentation. You won't want to miss the excellent squirrel story - a front end for Reddit that looks like Microsoft Outlook.
During this segment, Jon will explore today's ransomware economy players from IABs to RaaS affiliates, to money launderers and now C2Ps. For the discussion, Jon will leverage Halcyon's latest research, which demonstrates a new technique to uncover how C2Ps, like Cloudzy, are used to identify upcoming ransomware campaigns and other advanced attacks. The research revealed that Cloudzy, knowingly or not, provided services to attackers while assuming a legitimate business profile. Threat actors that leveraged Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; and several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.
This segment is sponsored by Halcyon. Visit https://securityweekly.com/halcyonbh to learn more about them!
In this session, Snehal will discuss several real-world examples of what autonomous pentesting discovered in networks just like yours. You'll hear more about how fast and easy it was to safely compromise some of the biggest (and smallest) networks in the world - with full domain takeover in a little more than a few hours. Learn how you can safely do the same in your own network today!
This segment is sponsored by Horizon3.ai. Visit https://securityweekly.com/horizon3aibh to learn more about them!
In this Black Hat 2023 interview, CRA's Bill Brenner and Sophos' John Shier discuss the company's latest research on the Royal ransomware gang. Though Royal is a notoriously closed-off group that doesn't openly solicit affiliates from underground forums, granular similarities in the forensics of the attacks suggest all three groups are sharing either affiliates or highly specific technical details of their activities.
This segment is sponsored by Sophos. Visit https://securityweekly.com/sophosbh to learn more about them!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/esw-329
Record funding levels over the last two weeks top 2023 and the same time last year. We discuss Palo Alto's plans for the future, CISA's analysis of the LAPSUS$ hacking group, and the uselessness of Quantum Security pitches. Chrome adds the ability to alert users about malicious extensions. A great post from Thinkst has us talking about why vendors (and buyers) need to be careful about default behaviors and documentation. You won't want to miss the excellent squirrel story - a front end for Reddit that looks like Microsoft Outlook.
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-329
In this Risky Business News sponsor interview Tom Uren talks to Jacob Torrey, Thinkst's Head of Labs. Jacob produces ThinkstScapes, a brilliant quarterly summary of the most interesting security research from around the world. In this interview Jacob talks about his favourite research of this issue, why Thinkst invests the time and effort in producing ThinkstScapes and also talks about Thinkst Citation, a companion product that contains information about nearly 70,000 security talks going all the way back to 1993.
Cyber seafarer Karo Vallittu visited the Manor. We talked with Karo about maritime legislation and the effect of cybersecurity on shipping. Karo told us about shipping terms such as the bill of lading practice, manning agreements and classification societies. We also went through interesting examples of enterprise resource planning systems used in ports and in ship loading, and the cyber risks that come with them. On the shipping theme, Maersk's massive 2017 cyber attack and a few similar examples also came up.
Source list for the episode:
Guest Karo Vallittu https://twitter.com/kvallittu
Herrasmieshakkerit: Finland's most popular technology podcast arrives at TAMK https://www.tuni.fi/fi/ajankohtaista/herrasmieshakkerit-suomen-suosituin-teknologiapodcast-saapuu-tamkiin
The Finnish Museum of Games https://www.vapriikki.fi/pelimuseo/
Paha Juttu https://fi.wikipedia.org/wiki/Paha_Juttu
Spending money is about to become completely free across the euro area: the central bank plans to offer citizens a digital euro in place of payment cards https://yle.fi/a/74-20028976
t2 infosec conference https://t2.fi
t2 infosec YouTube channel https://www.youtube.com/channel/UCCpvGjg08W0YXxdZaQc7yWg
Mikko's RSA boycott https://archive.f-secure.com/weblog/archives/00002651.html
Marinetraffic https://www.marinetraffic.com
TED 2023; OpenAI https://youtu.be/C_78DM8fG6E
Gambler Who Beat Roulette Found Way to Win Beyond Red or Black https://www.bloomberg.com/features/2023-how-to-beat-roulette-gambler-figures-it-out/
The book Datakapitalismi https://www.siltalapublishing.fi/product/datakapitalismi-kriisien-maailmassa/
Thinkst canary tokens https://canarytokens.org/generate
Tap, tap - is this thing on? Why do defenders still struggle to detect attacks and attacker activities? Why do so many tools struggle to detect attacks? Today, we've got an expert on detection engineering to help us answer these questions. Thinkst's Canary and Canarytokens make catching penetration testers and attackers stupidly simple. Thinkst Labs aims to push these tools even further. Casey will share some of the latest research coming out of Labs, and we'll ponder why using deception for detection isn't yet a de facto best practice.
Segment Resources:
https://canary.tools
https://canarytokens.org
https://blog.thinkst.com
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw309
The CI/CD pipeline is the backbone of the software development process, so it's critical to ensure you are meeting and exceeding the most critical security measures. Throughout this podcast, Tal Morgenstern, Co-founder and CSO of Vulcan Cyber, will break down the process of how organizations can properly secure a CI/CD pipeline into a checklist of four key steps, as well as offer a handful of tools and tactics security leadership can use to bake risk-based vulnerability management into their CI/CD pipelines. He will explain how securing your CI/CD pipelines alone is not enough to reduce the chances of cyber attacks, and the importance for organizations of maintaining not only security at speed and scale, but quality at speed and scale. Finally, Tal will dive into how Vulcan Cyber helps organizations to streamline security tasks in every stage of the cyber-risk management process, integrating with their existing tools for true end-to-end risk management.
Segment Resources:
https://vulcan.io/
https://vulcan.io/platform/
https://vulcan.io/blog/ci-cd-security-5-best-practices/
https://www.youtube.com/watch?v=nosAxWc-4dc
Tap, tap - is this thing on? Why do defenders still struggle to detect attacks and attacker activities? Why do so many tools struggle to detect attacks? Today, we've got an expert on detection engineering to help us answer these questions. Thinkst's Canary and Canarytokens make catching penetration testers and attackers stupidly simple. Thinkst Labs aims to push these tools even further. Casey will share some of the latest research coming out of Labs, and we'll ponder why using deception for detection isn't yet a de facto best practice.
Segment Resources:
https://canary.tools
https://canarytokens.org
https://blog.thinkst.com
Finally, in the enterprise security news: We quickly explain the SVB collapse, A few interesting fundings, Rapid7 acquires Minerva who? We'll explain. GPT-4 - what's new? Detect text written by an AI! Then, produce text that can't be detected as written by an AI! The K-Shaped recovery of the cybersecurity industry, Software Security is More than Vulnerabilities, Microsoft Outlook hacks itself, Robert Downey Jr. gets into teh cyberz, & Reversing intoxication!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/esw309
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including:
North Korea is ransomwaring hospitals with homegrown and Russian strains
Russia proposes law greenlighting “patriotic hacks”
It's 702 renewal time… again
CISA releases ESXiArgs recovery script (yay!)
UK mulls crimephone ban
Much, much more
This week's show is brought to you by Thinkst Canary. Haroon Meer is this week's sponsor guest and joins us to talk about Thinkst's latest release: the credit card canary. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.
Show notes
North Korean hackers extort health care organizations to fund further cyberattacks, US and South Korea say | CNN Politics
Risky Biz News: US and UK sanction seven Trickbot members
United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang | U.S. Department of the Treasury
Risky Biz News: Russia wants to absolve patriotic hackers from any criminal liability
The FBI's Most Controversial Surveillance Tool Is Under Threat | WIRED
Meet the Creator of North Korea's Favorite Crypto Privacy Service | WIRED
CISA publishes recovery script for ESXiArgs ransomware as Florida courts, universities reel - The Record from Recorded Future News
decrypt your crypted files in ESXi servers affected by CVE-2020-3992 / CryptoLocker attack
Tonga is the latest Pacific Island nation hit with ransomware - The Record from Recorded Future News
UK Proposes Making the Sale and Possession of Encrypted Phones Illegal
UK High Court allows Bahraini activists to sue government over spyware - The Record from Recorded Future News
Russian cybersecurity expert convicted of charges in $90M hack-to-trade case | CyberScoop
Deepfake 'news anchors' appear in pro-China footage on social media, research group says - ABC News
Geotargeting tools are allowing phishing campaigns to home in on potential victims - The Record from Recorded Future News
This week's Reddit breach shows company's security is (still) woefully inadequate | Ars Technica
Namecheap denies system breach after email service used to spread phishing scams - The Record from Recorded Future News
Mysterious leak of Booking.com reservation data is being used to scam customers | Ars Technica
DOM XSS vulnerability in Gartner Peer Insights widget patched | The Daily Swig
Dota 2 Under Attack: How a V8 Bug Was Exploited in the Game - Avast Threat Labs
OAuth ‘masterclass' crowned top web hacking technique of 2022 | The Daily Swig
New XSS Hunter host Truffle Security faces privacy backlash | The Daily Swig
'No evidence of malicious access,' Toyota says about serious bug exploited by outside researcher - The Record from Recorded Future News
A year after outcry, IRS still doesn't offer taxpayers alternative to ID.me | CyberScoop
Links:
Azure messed up a regular expression
GitHub's blog has a piece on passwordless deployments to the cloud
LastPass has now admitted that the attackers stole customers' backups and encryption key
Deploy a dashboard for AWS WAF with minimal effort
Thinkst's free service now supports credit card tokens.
precloud is a suite of dynamic tests for infrastructure as code.
Haroon Meer of Thinkst joins Dennis Fisher to talk about the state of the security industry, the value of treating customers with respect, and what the economic downturn could mean for the security community.
Crossing tenants with AWS AppSync, more zeros in C++ to defeat vulns, HTTP/3 connection contamination, Thinkst Quarterly review of research, building a research team Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw221
On this week's show Patrick Gray, Adam Boileau and Dmitri Alperovitch discuss the week's security news, including:
Twitter bluechecks face phishing barrage
Australian government goes berserk on Medibank hack response
Former WSJ journalist sues law firm over email hack and info op that got him fired
OpenSSL bug lands with a whimper
Apple macOS Ventura update breaks security tools
Much, much more
This week's show is brought to you by Thinkst Canary. Marco Slaviero, Thinkst's head of engineering, joins us this week to talk through the company's latest release, codenamed Quokka. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.
Show notes
Twitter's verification chaos is now a cybersecurity problem | TechCrunch
Unconfirmed hack of Liz Truss' phone prompts calls for “urgent investigation” | Ars Technica
Chinese hackers are scanning state political party headquarters, FBI says - The Washington Post
Former WSJ reporter says law firm used Indian hackers to sabotage his career | Reuters
The source - Columbia Journalism Review
Upcoming ‘critical' OpenSSL update prompts feverish speculation | The Daily Swig
OpenSSL vulnerability downgraded to ‘high' severity | The Daily Swig
Medibank says hackers had access to ‘all personal data' belonging to all customers - The Record by Recorded Future
Australia to tighten privacy laws, increase fines after series of data breaches - The Record by Recorded Future
Votes in Slovakia's parliament suspended after alleged ‘cybersecurity incident' - The Record by Recorded Future
NY Post confirms hack after website, Twitter feed flooded with threats toward Biden, AOC - The Record by Recorded Future
Apple MacOS Ventura Bug Breaks Third-Party Security Tools | WIRED
Microsoft ties Vice Society hackers to additional ransomware strains - The Record by Recorded Future
How Vice Society Got Away With a Global Ransomware Spree | WIRED
FTC seeks action against Drizly — and its CEO — for cybersecurity failures - The Record by Recorded Future
Critical authentication bug in Fortinet products actively exploited in the wild | The Daily Swig
Google Play apps with >20M downloads depleted batteries and network bandwidth | Ars Technica
Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn – Krebs on Security
Microsoft leaked 2.4TB of data belonging to sensitive customer. Critics are furious | Ars Technica
Microsoft disputes report on Office 365 Message encryption issue after awarding bug bounty - The Record by Recorded Future
Microsoft Office Online Server open to SSRF-to-RCE exploit | The Daily Swig
Microsoft's Sociopathic Cybersecurity Pedantry
Brazilian police announce arrest of alleged Lapsus$ member - The Record by Recorded Future
Accused ‘Raccoon' Malware Developer Fled Ukraine After Russian Invasion – Krebs on Security
European gang that sold car hacking tools to thieves arrested - The Record by Recorded Future
How a Microsoft blunder opened millions of PCs to potent malware attacks | Ars Technica
Haroon Meer is the Founder of Thinkst Canary, a fast growing cybersecurity company that enables companies to put “honeypots” on their network to catch attackers in minutes. On today's episode, Jon Sakoda speaks with Haroon Meer about how growing up during the tail end of Apartheid influenced his leadership style and how he bootstrapped Thinkst Canary to success.
You Need to Build a Better Mousetrap [9:09 - 12:27] - After spending 10 years in consulting, Haroon was itching to start a product company. Many cybersecurity consultants need to learn how to incorporate highly opinionated customer feedback into their product design. Listen to his philosophy of shifting away from being the “expert” in the room and his humble approach when listening to customers.
Find Ideas In Unexpected Places [13:05 - 16:29] - Haroon decided he wanted to build a product and told his colleagues he was shifting away from consulting. When one colleague kept asking for his services, Haroon realized he had found a huge problem to solve and founded Thinkst Canary. Listen to learn how tapping into the need of friendly customers can be the inspiration for your next startup idea.
Don't Forget Who Pays the Bills [26:26 - 31:59] - When founders start raising VC funding, Haroon thinks it is easy to lose sight of the most important priorities. Some founders lose focus on making customers successful when trying to appease future investors. Listen to learn why bootstrapping your startup might be the best route in the beginning of a company's journey.
This week in the AppSec News: ExtraReplica in Azure, Chrome disfavors document.domain, appsec presentations highlighted in the latest Thinkst Quarterly, Nimbuspwn Vuln in Linux, & more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw195
For the second episode in a row, we've caught a seasoned entrepreneur at that perfect moment when they've started a new company but still have time for a conversation before their new adventure kicks into high gear. Oliver Friedrichs, founder of several security companies including Immunet and Phantom, joins us to talk product strategy as he embarks on a new journey to disrupt the security industry once again with his new venture Pangea.
The most critical, first question for any young company is “what are we making?” And equally important is the follow-on question of what category the offering fits into, or how people should think about it. Is it a better version of something that exists? A new type of something that's meaningfully different? Or is it an entirely new category of product they've never seen before?
Oliver and Dave discuss examples of each type of strategy from their own experience and the industry in general. The “better mousetrap” approach is covered with examples from antivirus and more recently cloud security posture management. We discuss when it is a good time to “next gen” a category to revitalize it and return it to growth. Examples here include Palo Alto Networks firewall and Vulnerability Management (from its early days as vulnerability assessment). Oliver and Dave call out the fatal mistake so many market incumbents make that results in them missing out on a refresh cycle.
Creating new categories dominates our conversation and we explore Oliver's case study of Phantom in depth. We start by explaining the core principles of a new category and lay bare some indicators that a product group hasn't yet made the leap to a full blown category. Oliver then shares the spark of an idea that led him to found Phantom as the first SOAR, followed by how he built the boundaries for their product and ultimately the companies that followed their lead as the first mover.
While most of our time is spent discussing what worked and didn't from a product perspective, Oliver also shares his go-to-market playbook, including what he will avoid this time around and what he intends to do again with Pangea.
We wrap up with a quick look at the future of SOAR and Oliver shares an early peek at what he's building now at his new company. This episode is perfect for early cybersecurity companies looking for product advice, product professionals wrestling with category questions, or anyone who wants to listen in on a dialogue between two industry veterans geeking out on product.
Bio
Friedrichs serves as Founder and CEO of Pangea. Prior to Pangea, Friedrichs served as Vice President, Security Products at Splunk, driving the vision and direction of Splunk's security portfolio. With a record in building four successful enterprise security companies over the past two decades, Friedrichs founded and served as CEO of Phantom (creators of the SOAR category, acquired by Splunk), founder and CEO of Immunet (early innovators in the cloud EDR category, acquired by Sourcefire/Cisco), co-founder of SecurityFocus (creators of Bugtraq and DeepSight, the world's first Internet early warning system, acquired by Symantec), and Secure Networks (one of the industry's first vulnerability management solutions, acquired by McAfee). Friedrichs also architected and developed a prototype of the first commercial penetration-testing product, SNIPER, acquired by Core Security Technologies in 2001 and further developed into CORE IMPACT. He attended the University of Manitoba and is the co-author of three security books and a recipient of 33 patents.
Thinkst founder and CEO Haroon Meer joins Ryan Naraine on the show to talk about building a successful cybersecurity company without venture capital investment, fast-moving attack surfaces and the never-ending battle to mitigate memory corruption issues.
Watch the live stream: Watch on YouTube
About the show
Sponsored by us: Check out the courses over at Talk Python. And Brian's book too!
Special guest: Kim van Wyk

Michael #0: Take our survey: Should we try to shorten the episodes? Please fill out the 3 question Google Form here. We'll be taking a break so see you in two weeks. Also feedback / rate us in your podcast player app.

Brian #1: Jupyter Games
Thorsten Beier: “Making their own tiny video games can be a great way for kids to learn programming in a playful matter.”
For 2D physics-based games, Box2D (written in C++) is a 2D rigid body simulation library. One Python binding, pyb2d, is from Thorsten.
Game examples use Ipycanvas, Ipywidgets, and Ipyevents for a place to draw and input events.
There are Box2D examples for physics simulations, like internal combustion and a wind tunnel.
Game examples, with code, and not that much code: billiards, Angry Shapes (like Angry Birds), World of Goo homage, Rocket, Color Mixing (it's oddly satisfying to play with, and it's like 73 lines of code, including blank lines and docstring), and several more examples.
Demo games/examples in binder.
Being able to play with a game engine through Jupyter is kind of amazing. Cool teaching/learning tool.

Michael #2: Canary Tokens
First, what are canaries (from Thinkst)?
These tokens might be useful for finding fallout of Log4Shell, but are also generally useful.

Kim #3: pywinauto and PyAutoGUI - libraries for programmatically controlling a GUI-based tool. These can be very handy for simplifying the use of complex GUIs with dozens of options you need to set every time you run them, and also for automating GUI tooling as part of a pipeline.

Brian #4: A reverse chronology of some Python features
Brett Cannon
Partly for people wishing for the “good old days” of some old version of Python. Brett recommends going down the list and stopping at the first feature you can't live without. If you can't go very far, better not complain about language bloat. I had to stop at 3.10, since I really like the new error messages.
Here's an abbreviated list of new features in different Python versions. (And I'm abbreviating it even more for the podcast.)
Python 3.10: better error messages, union operator for types, parenthesized context managers, match statement (pattern matching). Brett notes that the match statement required a new parser for Python; the new parser made better error messages possible; so you can't toss pattern matching without being willing to give up better error messages.
Python 3.9: dict support for | and |=, type hinting generics for built-in collections
Python 3.8: f-string support for =, as in f"{val=}", and the := walrus operator (assignment expressions)
Python 3.7: dictionaries preserve insertion order, breakpoint()
Python 3.6: f-strings (need we say more), also underscores in numeric literals, async generators and comprehensions, preserving keyword argument order
… goes back to 3.1

Michael #5: Hyperactive GCs and ORMs/ODMs
Does Python do extremely too many GCs for ORMs? Hint: yes.
During the execution of that single query against SQLAlchemy, without adjusting Python's GC settings, we get an extreme number of GC collections (1,859 GCs for a single SQLAlchemy query of 20k records).
Our fix at Talk Python has been to increase the number of surviving allocations required to force a GC from 700 to 50,000.
What can be done to improve this? Maybe someday Python will have an adaptive GC where if it runs a collection and finds zero cycles it backs off, and if it starts finding more cycles it ramps up, or something like that. For now, test adjusting the thresholds.
Here are a few presentations / resources: Michael's presentation at Python Web Conf 2021; Talk Python Memory Deep Dive course

    import gc

    allocations, gen1, gen2 = gc.get_threshold()
    # GC every 50K not 700 surviving container allocations.
    allocations = 50_000
    gc.set_threshold(allocations, gen1, gen2)

Kim #6: DockerSlim - A tool to reduce the size and improve the security of Docker images. I've used it a little and got some 1GB Ubuntu-based images down to 50MB and that was barely scratching the surface.

Extras
Michael: Emojis for comments
Kim: python -m http.server - a small reminder to people that this is a quick way to get files off a Python-equipped system by standing up a simple web server. Mess with DNS - Julia Evans released this really impressive learning tool last week to let people explore DNS settings without breaking real sites. Magit - a slightly tongue-in-cheek addition to last week's discussion on git via both CLI and by mashing buttons in VS Code. Anyone using emacs should strongly consider magit for git - I've kept emacs open even while trying to use other editors because I find magit so indispensable. I've included these just as small items off the top of my head that may or may not be worth a mention.

Joke: We use cookies candle (and I don't care about cookies extension), Little Bobby Jindi, and more Log4Shell memes
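The threshold change in "Michael #5" can be measured rather than taken on faith. The following is an added example, not code from the episode or from Talk Python: it builds 20,000 small ORM-like objects while counting every collection the garbage collector starts, once with the gen-0 threshold at 700 and once at 50,000. The Row class and its allocation pattern are a constructed stand-in for ORM-mapped objects (each instance plus its tag list is at least two GC-tracked containers); the counts it reports are for this synthetic workload, not for SQLAlchemy.

```python
import gc


class Row:
    """Stand-in for an ORM-mapped object (constructed for this example).
    The instance and its tag list are both GC-tracked containers, so each
    Row costs at least two container allocations."""

    def __init__(self, i: int) -> None:
        self.id = i
        self.name = f"row-{i}"
        self.tags = [i, i + 1]


def count_collections(n_rows: int, threshold0: int) -> int:
    """Build n_rows Row objects with the gen-0 threshold set to threshold0
    and return how many garbage collections ran meanwhile.

    The process-wide GC settings and callback list are restored on exit,
    so calling this does not leave the interpreter retuned."""
    runs = 0

    def on_gc(phase: str, info: dict) -> None:
        nonlocal runs
        if phase == "start":      # one "start" per collection, any generation
            runs += 1

    saved = gc.get_threshold()
    was_enabled = gc.isenabled()
    gc.enable()
    gc.collect()                  # clean slate before we start counting
    gc.callbacks.append(on_gc)
    try:
        gc.set_threshold(threshold0, saved[1], saved[2])
        rows = [Row(i) for i in range(n_rows)]   # the "query result"
        return runs
    finally:
        gc.callbacks.remove(on_gc)
        gc.set_threshold(*saved)
        if not was_enabled:
            gc.disable()


if __name__ == "__main__":
    default = count_collections(20_000, 700)
    tuned = count_collections(20_000, 50_000)
    print(f"gen-0 threshold 700: {default} collections; 50_000: {tuned} collections")
```

With 20,000 rows the default threshold fires dozens of collections during a single loop that creates no reference cycles at all, while 50,000 fires at most one or two; that is the whole argument for raising the threshold in allocation-heavy request handlers, and the counter above is the check to run before and after changing it in your own service.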
This isn't the normal weekly news episode of the show, if you're looking for the regular weekly Risky Business podcast, scroll one back in your podcast feed. This is a Soap Box edition, a wholly sponsored podcast brought to you in this instance by Thinkst Canary. For those who don't know, Thinkst makes hardware and virtual honeypots you can put on your network or into your cloud environments – they'll start chirping if an attacker interacts with them. They're a low cost and extremely effective detection tool. But you might not know that Thinkst also operates canarytokens.org where you can go set up a bunch of honeytokens for free. Hundreds of thousands of people are using canarytokens.org, but Thinkst doesn't charge anything for it, it's free to use. They'll even give you a docker container of the whole thing so you can run it yourself. Our guest today is Thinkst's founder and infosec legend Haroon Meer. He spent a chunk of his career at the South African security consultancy SensePost before founding Thinkst Applied Research and eventually launching Canary.Tools. In this interview we talk about what the industry is getting wrong, supply chain security, effective detections and more. But I started off by asking him why Thinkst hasn't tried to monetise canarytokens.org given how many people use it.
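The Python Bytes item above ("Michael #2: Canary Tokens") and this Soap Box blurb both describe honeytokens (something that only chirps when an attacker touches it) without showing the mechanism. The following is an added example, not Thinkst's code, and it makes no claim about how canarytokens.org is built: it mints an unguessable token per planted decoy, embeds it as a URL in a decoy file, and runs a loopback HTTP listener that records an alert (which decoy, from which address, with which User-Agent) when the token is fetched. The decoy label, the /t/ listener path and the simulated attacker requests are all constructed for the example.

```python
"""Minimal honeytoken service (added example, not Thinkst's implementation)."""
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

# token -> where it was planted (constructed inventory; a real deployment
# persists this so an alert can be traced back to the decoy that fired)
TOKENS: dict[str, str] = {}
# every fetch of a known token lands here
ALERTS: list[dict] = []
# never route loopback traffic through an environment-configured proxy
OPENER = build_opener(ProxyHandler({}))


def mint_token(label: str) -> str:
    """Register an unguessable token for the decoy described by `label`."""
    token = secrets.token_hex(16)
    TOKENS[token] = label
    return token


def decoy_file(token: str, listener: str) -> str:
    """Render a decoy 'archived credentials' note that embeds the token as a
    URL. Anyone who reads the file and follows the link trips the token."""
    return (
        "Finance share - archived credentials (do not distribute)\n"
        f"Password vault export: http://{listener}/t/{token}\n"
    )


class TokenHandler(BaseHTTPRequestHandler):
    """Answers every request identically; the alert is the side effect."""

    def do_GET(self) -> None:
        token = self.path.rsplit("/", 1)[-1]
        label = TOKENS.get(token)
        if label is not None:
            ALERTS.append({
                "decoy": label,
                "source": self.client_address[0],
                "user_agent": self.headers.get("User-Agent", ""),
            })
        # Same response for known and unknown tokens, so a probe learns nothing.
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, fmt: str, *args) -> None:
        return  # keep the listener silent; alerts go to ALERTS


def start_listener() -> HTTPServer:
    """Bind an ephemeral loopback port and serve from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), TokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url: str, user_agent: str) -> int:
    """Simulated attacker: follow a link found in the decoy; returns the status."""
    req = Request(url, headers={"User-Agent": user_agent})
    with OPENER.open(req, timeout=5) as resp:
        return resp.status


def demo() -> list[dict]:
    """Plant one decoy, trip it once, probe an unknown token once."""
    server = start_listener()
    listener = f"127.0.0.1:{server.server_address[1]}"
    try:
        token = mint_token("finance-share/archived-credentials.txt")
        decoy = decoy_file(token, listener)          # would be written to the share
        link = decoy.split("Password vault export: ")[1].strip()
        fetch(link, "python-requests/2.31.0")        # attacker follows the link
        fetch(f"http://{listener}/t/{'0' * 32}", "curl/8.4.0")  # unknown token: no alert
    finally:
        server.shutdown()
        server.server_close()
    return list(ALERTS)


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT: decoy {alert['decoy']} touched from "
              f"{alert['source']} ({alert['user_agent']})")
```

Two properties carry the whole design: the token must be unguessable (so a hit can only come from someone who found the decoy) and the listener must map it back to exactly one planted location (so the alert tells you which share, host or mailbox was read). Everything else, including the many token formats a real service offers and the DNS-based variants that fire even when outbound HTTP is blocked, is plumbing around those two facts.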
What if there was someone who could take all of the best security research over recent months and distill it down into the greatest hits? Sort of like a Spotify “Release Radar”, but for the best talks at conferences. There is. It's not in Blinkist. It's (back) at ThinkstScapes after a multiyear hiatus. And it's now gloriously free.
This episode of Security Voices covers the return of ThinkstScapes with Jacob Torrey, who led the reboot of the now quarterly report. In the interview with Jack and Dave, Jacob explains how he and the team at Thinkst devour and summarize the very best security research from thousands of presentations and hundreds of conferences across the globe.
Jacob starts with some of his favorites, which focus on an innovative research project not from a startup or researcher, but from a multi-decade antivirus company that went all in on an industrial control system honeypot project. From there we cover ground that ranges from speculative execution vulnerabilities to a spate of embedded vulnerabilities, including a Hollywood style attack using laser pointers to compromise voice activated devices such as Amazon's Alexa. In continuity from our last episode with Frank Pound, we also discuss a TCP timing attack that threatens to allow eavesdropping over satellite base station connections.
Look for our next episodes to resume their normal, monthly cadence as we've found a means of streamlining our audio production and we now have a recording waiting in the wings. Enjoy the show!
About NickNick Heudecker leads market strategy and competitive intelligence at Cribl, the observability pipeline company. Prior to Cribl, Nick spent eight years as an industry analyst at Gartner, covering data and analytics. Before that, he led engineering and product teams at multiple startups, with a bias towards open source software and adoption, and served as a cryptologist in the US Navy. Join Corey and Nick as they discuss the differences between observability and monitoring, why organizations struggle to get value from observability data, why observability requires new data management approaches, how observability pipelines are creating opportunities for SRE and SecOps teams, the balance between budgets and insight, why goats are the world's best mammal, and more.Links: Cribl: https://cribl.io/ Cribl Community: https://cribl.io/community Twitter: https://twitter.com/nheudecker Try Cribl hosted solution: https://cribl.cloud TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It's an awesome approach. I've used something similar for years. Check them out. But wait, there's more. 
They also have an enterprise option that you should be very much aware of canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It's awesome. If you don't do something like this, you're likely to find out that you've gotten breached, the hard way. Take a look at this. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That's canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I'm a big fan of this. More from them in the coming weeks.Corey: This episode is sponsored in part by our friends at Jellyfish. So, you're sitting in front of your office chair, bleary eyed, parked in front of a powerpoint and—oh my sweet feathery Jesus its the night before the board meeting, because of course it is! As you slot that crappy screenshot of traffic light colored excel tables into your deck, or sift through endless spreadsheets looking for just the right data set, have you ever wondered, why is it that sales and marketing get all this shiny, awesome analytics and inside tools? Whereas, engineering basically gets left with the dregs. Well, the founders of Jellyfish certainly did. That's why they created the Jellyfish Engineering Management Platform, but don't you dare call it JEMP! Designed to make it simple to analyze your engineering organization, Jellyfish ingests signals from your tech stack. Including JIRA, Git, and collaborative tools. Yes, depressing to think of those things as your tech stack but this is 2021. They use that to create a model that accurately reflects just how the breakdown of engineering work aligns with your wider business objectives. 
In other words, it translates from code into spreadsheet. When you have to explain what you're doing from an engineering perspective to people whose primary IDE is Microsoft PowerPoint, consider Jellyfish. That's Jellyfish.co, and tell them Corey sent you! Watch for the wince; that's my favorite part.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted episode is a bit fun because I'm joined by someone that I have a fair bit in common with. Sure, I moonlight sometimes as an analyst because I don't really seem to know what that means, and he spent significant amounts of time as a VP analyst at Gartner. But more importantly than that, a lot of the reason that I am the way that I am is that I spent almost a decade growing up in Maine, and in Maine, there's not a lot to do other than sit inside for the nine months of winter every year and develop personality problems.

You've already seen what that looks like with me. Please welcome Nick Heudecker, who presumably will disprove that, but maybe not. He is currently a senior director of market strategy and competitive intelligence at Cribl. Nick, thanks for joining me.

Nick: Thanks for having me. Excited to be here.

Corey: So, let's start at the very beginning. I like playing with people's titles, and you certainly have a lofty one. ‘Competitive intelligence’ feels an awful lot like Jeopardy. What am I missing?

Nick: Well, I'm basically an internal analyst at the company. So, I spend a lot of time looking at the broader market, seeing what trends are happening out there; looking at what kind of thought leadership content that I can create to help people discover Cribl, get interested in the products and services that we offer. So, I'm mostly—you mentioned my time in Maine. I was a cryptologist in the Navy and I spent almost all of my time focused on what the bad guys do. And in this job, I focus on what our potential competitors do in the market. So, I'm very externally focused. Does that help?
Does that explain it?

Corey: No, it absolutely does. I mean, you folks have been sponsoring our nonsense, for which we thank you, but the biggest problem that I have with telling the story of Cribl was that originally—initially it was, from my perspective, “What is this hokey nonsense?” And then I learned and got an answer and then finished the sentence with, “And where can I buy it?” Because it seems that the big competitive threat that you have is something crappy that some rando sysadmin has cobbled together. And I say that as the rando sysadmin who has cobbled a lot of things like that together. And it's awful. I wasn't aware you folks had direct competitors.

Nick: Today we don't. There's a couple that might be emerging a little bit, but in general, no, it's mostly us, and that's what I analyze every day. Are there other emerging companies in the space? Are there open-source projects? But you're right, most of the things that we compete against are DIY today. Absolutely.

Corey: In your previous role, which you were at for a very long time in tech terms—which in a lot of other cases is, “Okay, that doesn't seem that long,” but seven and a half years is a respectable stint at a company. And you were at Gartner doing a number of analyst-like activities. Let's start at the beginning because I assure you, I'm asking this purely for the audience and not because I don't know the answer myself, but what exactly is the purpose of an analyst firm, of which Gartner is the most broadly known and, follow up, why do companies care what Gartner thinks?

Nick: Yeah. It's a good question, one that I answer a lot. So, what is the purpose of an analyst firm? The purpose of an analyst firm is to get impartial information about something, whether that is supply chain technology, big data tech, human resource management technologies.
And it's often difficult if you're an end-user and you're interested in, say, acquiring a new piece of technology, what really works well, what doesn't.

And so the analyst firm, because in the course of a given year, I would talk to nearly a thousand companies, both end-users and vendors as well as investors, about what they're doing, what challenges they're having, and I would distill that down into 30-minute conversations with everyone else. And so we provided impartial information in aggregate to people who just wanted to help. And that's the purpose of an analyst firm. Your second question, why do people care? Well, I didn't get paid by vendors.

I got paid by the company that I worked for, and so I got to be Tron; I fought for the users. And because I talked to so many different companies in different geographies, in different industries, and I shared that information with my colleagues, they shared with me, we had a very robust understanding of what's actually happening in any technology market. And that's an uncommon kind of insight to really have in any kind of industry. So, that's the purpose and that's why people care.

Corey: It's easy from the engineering perspective that I used to inhabit to make fun of it. It's, oh, it's purely justification when you're making a big decision, so if it goes sideways—because find me a technology project that doesn't eventually go sideways—I want to be able to make sure that I'm not the one that catches heat for it because Gartner said it was good. They have an amazing credibility story going on there, and I used to have that very dismissive perspective. But the more I started talking to folks who are Gartner customers themselves and some of the analyst-style things that I do with a variety of different companies, it's turned into, “No, no.
They're after insight.”

Because it turns out, from my perspective at least, the more that you are focused on building a product that solves a problem, you sort of lose touch with the broader market because the only people you're really talking to are either in your space or have already acknowledged and been right there and become your customer and have been jaded to see things from your point of view. Getting a more objective viewpoint from an impartial third party does have value.

Nick: Absolutely. And I want you to succeed, I want you to be successful, I want to carry on a relationship with all the clients that I would speak with, and so one of the fun things I would always ask is, “Why are you asking me this question now?” Sometimes it would come in, they'd be very innocuous: “Compare these databases,” or, “Compare these cloud services.” “Well, why are you asking?” And that's when you get to, kind of like, the psychology of it.

“Oh, we just hired a new CIO and he or she hates vendor X, so we have to get rid of it.” “Well, all right. Let's figure out how we solve this problem for you.” And so it wasn't always just technology comparisons. Technology is easy, you write a check and you hope for the best.

But when you're dealing with large teams and maybe a globally distributed company, it really comes down to culture, and personality, and all the harder factors. And so it was always—those were always the most fun and certainly the most challenging conversations to have.

Corey: One challenge that I find in this space is—in my narrow niche of the world where I focus on AWS bills, where things are extraordinarily yes or no, black or white, binary choices—that I talked to companies, like during the pandemic, and they were super happy that, “Oh, yeah. Our infrastructure has auto-scaling and it works super well.” And I look at the bill and the spend graph over time is so flat you could basically play a game of pool on top of it.
And I don't believe that I'm talking to people who are lying to me. I truly don't believe that people make that decision, but what they believe versus what is evidenced in reality are not necessarily congruent. How do you disambiguate from the stories that people want to tell about themselves and what they're actually doing?

Nick: You have to unpack it. I think you have to ask a series of questions to figure out what their motivation is. Who else is on the call, as well? I would sometimes drop into a phone call and there would be a dozen people on the line. Those inquiry calls would go the worst because everyone wants to stake a claim, everyone wants to be heard, no one's going to be honest with you or with anyone else on the call.

So, you typically need to have a pretty personal conversation about what does this person want to accomplish, what does the company want to accomplish, and what are the factors that are pushing against what those things are? It's like a novel, right? You have a character, the character wants to achieve something, and there are multiple obstacles in that person's way. And so by act five, ideally everything wraps up and it's perfect. And so my job is to get the character out of the tree that is on fire and onto the beach where the person can relax.

So, you have to unpack a lot of different questions and answers to figure out, well, are they telling me what their boss wants to hear or are they really looking for help? Sometimes you're successful, sometimes you're not. Not everyone does want to be open and honest. In other cases, you would have a team show up to a call with maybe a junior engineer and they really just want you to tell them that the junior engineer's architecture is not a good idea. And so you do a lot of couples therapy as well. I don't know if this is really answering the question for you, but there are no easy answers. And people are defensive, they have biases, companies overall are risk-averse.
I think you know this.

Corey: Oh, yeah.

Nick: And so it can be difficult to get to the bottom of what their real motivation is.

Corey: My approach has always been that if you want serious data, you go talk to Gartner. If you want [anec-data 00:09:48] and some understanding, well, maybe we can have that conversation, but they're empowering different decisions at different levels, and that's fine. To be clear, I do not consider Gartner to be a competitor to what I do in any respect. It turns out that I am not very good at drawing charts in varying shades of blue and positioning things just so with repeatable methodology, and they're not particularly good at having cartoon animals as their mascot that they put into ridiculous situations. We each have our portion of the universe, and that's working out reasonably well.

Nick: Well, and there's also something to unpack there as well because I would say that people look at Gartner and they think they have a lot of data. To a certain degree they do, but a lot of it is not quantifiable data. If you look at a firm like IDC, they specialize in—like, they are a data house; that is what they do. And so their view of the world and how they advise their clients is different. So, even within analyst firms, there is differentiation in what approach they take, how consultative they might be with their clients, one versus another. So, there certainly are differences that you could find the more exposure you get into the industry.

Corey: For a while, I've been making a recurring joke that Route 53—Amazon's managed DNS service—is in fact a database. And then at some point, I saw a post on Reddit where someone said, “Yeah, I see the joke and it's great, but why should I actually not do this?” At which point I had to jump in and say, “Okay, look.
Jokes are all well and good, but as soon as people start taking me seriously, it's very much time to come clean.” Because I think that's the only ethical and responsible thing to do in this ecosystem.

Similarly, there was another great joke once upon a time. It was an April Fool's Day prank, and Google put out a paper about this thing they called MapReduce. Hilarious prank that Yahoo fell for hook, line, and sinker, and wound up building Hadoop out of it and we're still paying the price for that, years later. You have a bit of a reputation from your time at Gartner as being—and I quote—“The man who killed Hadoop.” What happened there? What's the story? And I appreciate your finally making clear to the rest of us that it was, in fact, a joke. What happened there?

Nick: Well, one of the pieces of research that Gartner puts out every year is this thing called a Hype Cycle. And we've all seen it, it looks like a roller coaster in profile; big mountain goes up really high and then comes down steeply, drops into a valley, and then—

Corey: ‘The trough of disillusionment,’ as I recall.

Nick: Yes, my favorite. And then plateaus out. And one of the profiles on that curve was Hadoop distributions. And after years of taking inquiry calls, and writing documents, and speaking with everybody about what they were doing, we realized that this really isn't taking off like everyone thinks it is. Cluster sizes weren't getting bigger, people were having a lot of challenges with the complexity, people couldn't find skills to run it themselves if they wanted to.

And then the cloud providers came in and said, “Well, we'll make a lot of this really simple for you, and we'll get rid of HDFS,” which is—was a good idea, but it didn't really scale well. I think that the challenge of having to acquire computers with compute, storage, and memory again, and again, and again, and again, just was not sustainable for the majority of enterprises. And so we flagged it as this will be obsolete before plateau.
And at that point, we got a lot of hate mail, but it just seemed like the right decision to make, right? Once again, we're Tron; we fight for the users.

And that seemed like the right advice and direction to provide to the end-users. And so didn't make a lot of friends, but I think I was long-term right about what happened in the Hadoop space. Certainly, some fragments of it are left over and we're still seeing—you know, Spark is going strong, there's a lot of Hive still around, but Hadoop as this amalgamation of open-source projects, I think is effectively dead.

Corey: I sure hope you're right. I think it has a long tail like most things that are there. Legacy is the condescending engineering term for ‘it makes money.’ You were at Gartner for almost eight years and then you left to go work at Cribl. What triggered that? What was it that made you decide, “This is great. I've been here a long time. I've obviously made it work for me. I'm going to go work at a startup that apparently, even though it recently raised a $200 million funding round”—congratulations on that, by the way—“It still apparently can't afford to buy a vowel in its name.” That's C-R-I-B-L because, of course, it is. Maybe another consonant, while you're shopping. But okay, great. It's oddly spelled, it is hard to explain in some cases, to folks who are not already feeling pain in that space. What was it that made you decide to sit up and, “All right, this is where I want to be?”

Nick: Well, I met the co-founders when I was an analyst. They were working at Splunk and oddly enough—this is going to be an interesting transition compared to the previous thing we talked about—they were working on Hunk, which was, let's use HDFS to store Splunk data. Made a lot of sense, right? It could be much more cost-effective than high-cost infrastructure for Splunk. And so they told me about this; I was interested.

And so I met the co-founders and then I reconnected with them after they left and formed Cribl.
And I thought the story was really cool because where they're sitting is between sources and destinations of observability data. And they were solving a problem that all of my customers had, but they couldn't resolve. They would try and build it themselves. They would look at—Kafka was a popular choice, but that had some challenges for observability data—works fantastically well for application data.

And they were just—had a very pragmatic view of the world that they were inhabiting and the problem that they were looking to solve. And it looked kind of like a no-brainer of a problem to solve. But when you double-click on it, when you really look down and say, “All right, what are the challenges with doing this?” They're really insurmountable for a lot of organizations. So, even though they may try and take a DIY approach, they often run into trouble after just a few weeks because of all the protocols you have to support, all the different data formats, and all the destinations, and role-based access control, and everything else that goes along with it.

And so I really liked the team. I thought the product inhabited a unique space in the market—we've already talked about the lack of competitors in the space—and I just felt like the company was on a rocket ship—or is a rocket ship—that basically had unbounded success potential. And so when the opportunity arose to join the team and do a lot of the things I like doing as an analyst—examining the market, talking to people, looking at competitive aspects—I jumped at it.

Corey: It's nice when you see those opportunities that show up in front of you, and the stars sort of align. It's like, this is not just something that I'm excited about and enthused about, but hey, they can use me. I can add something to where they're going and help them get there better, faster, sooner, et cetera, et cetera.

Nick: When you're an analyst, you look at dozens of companies a month and I'd never seen an opportunity that looked like that.
Everything kind of looked the same. There's a bunch of data integration companies, there's a bunch of companies with Spark and things like that, but this company was unique; the product was unique, and no one was really recognizing the opportunity. So, it was just a great set of things that all happened at the same time.

Corey: It's always fun to see stars align like that. So—

Nick: Yeah.

Corey: —help me understand in a way that can be articulated to folks who don't have 15 years of grumpy sysadmin experience under their belts, what does Cribl do?

Nick: So, Cribl does a couple of things. Our flagship product is called LogStream, and the easiest way to describe that is as an abstraction between sources and destinations of data. And that doesn't sound very interesting, but if you, from your sysadmin background, you're always dealing with events, logs, now there's traces, metrics are also hanging around—

Corey: Oh, and of course, the time is never synchronized with anything either, so it's sort of a giant whodunit, mystery, where half the eyewitnesses lie.

Nick: Well, there's that. There's a lot of data silos. If you've got an agent deployed on a system, it's only going to talk to one destination platform. And you repeat this, maybe a dozen times per server, and you might have 100,000 or 200,000 servers, with all of these different agents running on it, each one locked into one destination. So, you might want to be able to mix and match that data; you can't. You're locked in.

One of the things LogStream does is it lets you do that exact mixing and matching. Another thing that this product does, that LogStream does, is it gives you the ability to manage that data. And then what I mean by that is, you may want to reduce how much stuff you're sending into a given platform because maybe that platform charges you by your daily ingest rates or some other kind of event-based charges. And so not all that data is valuable, so why pay to store it if it's not going to be valuable?
Just dump it or reduce the amount of volume that you've got in that payload, like a Windows XML log.

And so that's another aspect that it allows you to do, better management of that stuff. You can redact sensitive fields, you can enrich the data with maybe, say, GeoIPs so you know what kind of data privacy laws you fall under and so on. And so, the story has always been, land the data in your destination platform first, then do all those things. Well, of course, because that's how they charge you; they charge you based on daily ingest. And so now the story is, make those decisions upfront in one place without having to spread this logic all over, and then send the data where you want it to go.

So, that's really, that's the core product today, LogStream. We call ourselves an observability pipeline for observability data. The other thing we've got going on is this project called AppScope, and I think this is pretty cool. AppScope is a black box instrumentation tool that basically resides between the application runtime and the kernel and any shared libraries. And so it provides—without you having to go back and instrument code—it instruments the application for you based on every call that it makes and then can send that data through something like LogStream or to another destination.

So, you don't have to go back and say, “Well, I'm going to try and find the source code for this 30-year-old C++ application.” I can simply run AppScope against the process, and find out exactly what that application is doing for me, and then relay that information to some other destination.

Corey: This episode is sponsored in part by Liquibase. If you're anything like me, you've screwed up the database part of a deployment so severely that you've been banned from touching anything that remotely sounds like SQL, at at least three different companies.
We've mostly got code deployments solved for, but when it comes to databases we basically rely on desperate hope, with a rollback plan of keeping our resumes up to date. It doesn't have to be that way. Meet Liquibase. It is both an open source project and a commercial offering. Liquibase lets you track, modify, and automate database schema changes across almost any database, with guardrails to ensure you'll still have a company left after you deploy the change. No matter where your database lives, Liquibase can help you solve your database deployment issues. Check them out today at liquibase.com. Offer does not apply to Route 53.

Corey: I have to ask because I love what you're doing, don't get me wrong. The counterargument that always comes up in this type of conversation is, “Who in their right mind looks at the state of the industry today and says, ‘You know what we need? That's right; another observability tool.’” What differentiates what you folks are building from a lot of the existing names in the space? And to be clear, a lot of the existing names in the space are treating observability simply as hipster monitoring. I'm not entirely sure they're wrong, but that's a different fight for a different time.

Nick: Yeah. I'm happy to come back and talk about that aspect of it, too. What's different about what we're doing is we don't care where the data goes. We don't have a dog in that fight. We want you to have better control over where it goes and what kind of shape it's in when it gets there.

And so I'll give an example. One of our customers wanted to deploy a new SIEM—Security Information Event Management—tool. But they didn't want to have to deploy a couple hundred-thousand new agents to go along with it. They already had the data coming in from another agent, they just couldn't get the data to it. So, they used LogStream to send that data to their new desired platform.

Worked great.
They were able to go from zero to a brand new platform in just a couple days, versus fighting with rolling out agents and having to update them. Did they conflict with existing agents? How much performance did it impact on the servers, and so on? So, we don't care about the destination. We like everybody. We're agnostic when it comes to where that data goes. And—

Corey: Oh, it's not about the destination. It's about the journey. Everyone's been saying it, but you've turned it into a product.

Nick: It's very spiritual. So, we [laugh] send, we send your observability data on a spiritual [laugh] journey to its destination, and we can do quite a bit with it on the way.

Corey: So, you said you offered to go back as well and visit the, “Oh, it's monitoring, but we're going to call it observability because otherwise we get yelled at on Twitter by Charity Majors.” How do you view that?

Nick: Monitoring is the things you already know. Right? You know what questions you want to ask, you get an alert if something goes out of bounds or something goes from green to red. Think about monitoring as a data warehouse. You shape your data, you get it all in just the right condition so you can ask the same question over and over again, over different time domains.

That's how I think about monitoring. It's prepackaged, you know exactly what you want to do with it. Observability is more like a data lake. I have no idea what I'm going to do with this stuff. I think there's going to be some signals in here that I can use, and I'm going to go explore that data.

So, if monitoring is your known knowns, observability is your unknown unknowns. So, an ideal observability solution gives you an opportunity to discover what those are. Once you discover them, great. Now, you can talk about how to get them into your monitoring system. So, for me, it's kind of a process of discovery.

Corey: Which makes an awful lot of sense.
The problem I've always had with the monitoring approach is it falls into this terrible pattern of enumerate the badness. In other words, “Imagine all the ways that this system can fail,” and then build alerting that lets you know when any of those things happen. And what happens next is inevitable to anyone who's ever dealt with the tricksy devils known as computers, and what happens, of course, is that they find new ways to fail and you generally get to add to the list of things to check for, usually at two o'clock in the morning.

Nick: On a Sunday.

Corey: Oh, absolutely. It almost doesn't matter when. The real problem is when these things happen, it's, “What day, actually, is it?” And you have to check the calendar to figure out because it's your third time that week being woken up in the dead of night. It's like an infant but less than endearing.

So, that has been the old-school approach, and there's unfortunately still an awful lot of, we'll just call it nonsense, in the industry that still does exactly the same thing, except now they call it observability because—hearkening back to earlier in our conversation—there's a certain point in the Gartner Hype Cycle that we are all existing within. What's the deal with that?

Nick: Well, I think that there are a lot of entrenched interests in the monitoring space. And so I think you always see this when a new term comes around. Vendors will say, “All right, well, there's a lot of confusion about this. Let me back-fit my product into this term so that I can continue to look like I'm on the leading edge and I'm not going to put any of my revenues in jeopardy.” I know, that's a cynical view, but I've seen it over and over again.

And I think that's unfortunate because there's a real opportunity to have a better understanding of your systems, to better understand what's happening in all the containers you're deploying and not tearing down the way that you should, to better understand what's happening in distributed systems.
And it's going to be a real missed opportunity if that is what happens. If we just call this ‘Monitoring 2.0’ it's going to leave a lot of unrealized potential in the market.

Corey: The big problem that I've seen in a lot of different areas is—I'll be direct—consolidation, where you have a company that starts to do a thing—and that's great—and then they start doing other things that are tied to it. And in turn, they start, I guess, gathering everything in the ecosystem. If you break down observability into various constituent parts—I know, I know, the pillars thing is going to upset people; ignore that for now—and if you have an offering that's weak in a particular area, okay, instead of building it organically into the product, or saying, “Yeah, that's not what we do,” there's an instinct to acquire a company or build that functionality out. And it turns out that we're building what feels a lot to me like the SaaS equivalent of multifunction printers: they can print, they can scan, they can fax, and none of those three very well, so it winds up with something that dissatisfies everyone, rather than a best-of-breed solution that has a very clear and narrow starting and stopping point. How do you view that?

Nick: Well, what you've described is a compromise, right? A compromise is everyone can work and no one's happy. And I think that's the advantage of where LogStream comes in. The reality is best-of-breed. Most enterprises today have 30 or more different monitoring tools—call them observability tools if you want to—and you will never pry those tools from the dead hands of those sysadmins, DevOps engineers, SREs, et cetera.

They all integrate those tools into how they work and their processes. So, we're living in a best-of-breed world. It's like that in data and analytics—my former beat—and it's like that in monitoring and observability. People really gravitate towards the tools they like, they gravitate towards the tools their friends are using.
And so you need a way to be able to mix and match that stuff.

And just because I want to stay [laugh] on message, that's really where the LogStream story kind of blends in because we do that; we allow you to mix and match all those different pieces.

Corey: Joke's on you. I use Nagios and I have no friends. I'm not convinced those two things are entirely unrelated, but here we are. So here's, I guess, the big burning question that a lot of folks—certainly not me, but other undefined folks, ‘lots of people are saying’—so you built something interesting that actually works. I want to be clear on this.

I have spoken to customers of yours. They swear by it instead of swearing at it, which happens with other companies. Awesome. You have traction, you're moving forward, things are going great. Here's $200 million is the next part of that story, and on some level, my immediate reaction—which does need updating, let's be clear here—is like, all right.

I'm trying to build a product. I can see how I could spend a few million bucks. “Well, what can you do with, I don't know, 100 times that?” My easy answer is, “Something monstrous.” I don't believe that is the case here. What is the growth plan? What are you doing that makes having that kind of a war chest a useful and valuable thing to have?

Nick: Well, if you speak with the co-founders—and they've been open about this—we view ourselves as a generational company. We're not just building one product. We've been thinking about, how do we deliver on observability as this idea of discovery? What does that take? And it doesn't mean that we're going to be less agnostic to other destinations, we still think there's an incredible amount of value there and that's not going away, but we think there's maybe an interim step that we build out, potentially this idea of an observability data lake where you can explore these environments.

Certainly, there's other types of options in the space today.
Most of them are SQL-based, which is interesting because the audience that uses monitoring and observability tools couldn't care less about SQL, right? They want search, they want regex, and so you've got to have the right tool for that audience. And so we're thinking about what that looks like going forward. We're doubling down on people.

Surprisingly, this is a very—like anything else in software, it is people-intensive. And so certainly those are other aspects that we're exploring with the recent investment, but definitely, multiproduct company is our future and continued expansion.

Corey: Expansion is always a fun one. It's the idea of, great, are you looking at going deeper into the areas you're already active within, or is it more of a, “Ah, so we've solved the, effectively, log routing problem. That's great. Let's solve other problems, too.” Or is it more of a, I guess, a doubling down and focusing on what's working? And again, that probably sounds judgmental in a way I don't intend it to at all. I just have a hard time contextualizing that level of scale coming from a small company perspective the way that I do.

Nick: Yeah. Our plan is to focus more intently on the areas that we're in. We have a huge basis of experience there. We don't want to be all things to all people; that dilutes the message down to nothing, so we want to be very specific in the audiences we talk to, the problems we're trying to solve, and how we try to solve them.

Corey: The problem I've always found with a lot of the acquisition, growth thrashing of—let me call it what I think it is: companies in decline trying to strain relevancy—it feels almost like a, “We don't see a growth strategy. So, we're going to try and acquire everything that holds still long enough, at some level, trying to add more revenue to the pile, but also thrashing in the sense of, okay. They're going to teach us how to do things in creative, awesome ways,” but it never works out that way.
When you have a 50,000 person company acquiring a 200 person company, invariably the bigger culture is going to dominate. And I don't understand why that mistake seems to continually happen again, and again, and again.

And people think I'm effectively alluding to—or whatever the spoken word version of subtweeting is—a particular company or a particular acquisition. I'm absolutely not, there are probably 50 different companies listening right now who think, “Oh, God. He's talking about us.” It's the common repeating trend. What is that?

Nick: It's hard to say. In some cases, these acquisitions might just be talent. “We need to know how to do X. They know how to do X. Let's do it.” They may have very unique niche technology or software that another company thinks they can more broadly apply.

Also, some of these big companies, these may not be board-level or CEO-level decisions. A business unit might decide, “Oh, I like what that company is doing. I'm going to go acquire it.” And so it looks like MegaCorp bought TinyCorp, but it's really, this tiny business unit within MegaCorp bought tiny company. The reality is often different from what it looks like on the outside.

So, that's one way. Another is, you know, if they're going to teach us to be more effective with tech or something like that, you're never going to beat culture. You're never going to be the existing culture. If it's 50,000, against 200, obviously we know who wins there. And so I don't know if that's realistic.

I don't know if the big companies are genuine when they say that, but it could just be the messaging that they use to make people happy and hopefully retain as many of those new employees for as long as they can. Does that make sense?

Corey: No, it makes perfect sense. It's the right answer. It does articulate what is happening there, and I think I keep falling prey to the same failure. And it's hard.
It's pernicious, but companies are not monolithic entities.

There's no one person at all of these companies each who is making these giant unilateral decisions. It's always some product manager or some particular person who has a vision and a strategy in the department. It is not something that the company board is agreeing on every little decision that gets made. They're distributed entities in many respects.

Nick: Absolutely. And that's only getting more pervasive as companies get larger [laugh] through acquisition. So, you're going to see more and more of that, and so it's going to look like we're going to put one label on it, one brand. Often, I think internally, that's the exact opposite of what actually happened, how that decision got made.

Corey: Nick, I want to thank you for taking so much time to speak with me about what you're up to over there, how your path has shaped, how you view the world, and also what Cribl does these days. If people want to learn more about what you're up to, how you think about the world, or even possibly going to work at Cribl which, having spoken to a number of people over there, I would endorse it. How do they find you?

Nick: Best place to find us is by joining our community: cribl.io/community, and Cribl is spelled C-R-I-B-L. You can certainly reach out there, we've got about 2300 people in our community Slack, so it's a great group. You can also reach out to me on Twitter, I'm @nheudecker, N-H-E-U-D-E-C-K-E-R. Tell me what you thought of the episode; love to hear it. And then beyond that, you can also sign up for our free cloud tier at cribl.cloud. It's a pretty generous one terabyte a day processing, so you can start to send data in and send it wherever you'd like to be.

Corey: To be clear, this is free as in beer, not free as in AWS free tier?

Nick: This is free as in beer.

Corey: Excellent. Excellent.

Nick: I think I'm getting that right. I think it's free as in beer.
And the other thing you can try is our hosted solution on AWS, fully managed cloud at cribl.cloud, we offer a free one terabyte per day processing, so you can start to send data into that environment and send it wherever you'd like to go, in whatever shape that data needs to be in when it gets there.

Corey: And we will, of course, put links to that in the [show notes 00:35:21]. Thank you so much for your time today. I really appreciate it.

Nick: No, thank you for having me. This was a lot of fun.

Corey: Nick Heudecker, senior director, market strategy and competitive intelligence at Cribl. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with a comment explaining that the only real reason a startup should raise a $200 million funding round is to pay that month's AWS bill.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.
About Katie

Katie Sylor-Miller, Frontend Architect at Etsy, has a passion for design systems, web performance, accessibility, and frontend infrastructure. She co-authored the Design Systems Handbook to spread her love of reusable components to engineers and designers. She's spoken at conferences like Smashing Conf, PerfMatters Conf, JamStack Conf, JSConf US, and FrontendConf.ch (to name a few). Her website ohshitgit.com (and the swear-free version dangitgit.com) has helped millions of people worldwide get out of their Git messes, and has been translated into 23 different languages and counting.

Links:
Etsy: https://www.etsy.com/
Design Systems Handbook: https://www.designbetter.co/design-systems-handbook
Book of staff engineering stories: https://www.amazon.com/dp/B08RMSHYGG
staffeng.com: https://staffeng.com
ohshitgit.com: https://ohshitgit.com
dangitgit.com: https://dangitgit.com

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It's an awesome approach. I've used something similar for years. Check them out. But wait, there's more.
They also have an enterprise option that you should be very much aware of, canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It's awesome. If you don't do something like this, you're likely to find out that you've gotten breached, the hard way. Take a look at this. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That's canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I'm a big fan of this. More from them in the coming weeks.

Corey: This episode is sponsored in part by our friends at Jellyfish. So, you're sitting in front of your office chair, bleary eyed, parked in front of a PowerPoint and—oh my sweet feathery Jesus it's the night before the board meeting, because of course it is! As you slot that crappy screenshot of traffic light colored Excel tables into your deck, or sift through endless spreadsheets looking for just the right data set, have you ever wondered, why is it that sales and marketing get all this shiny, awesome analytics and inside tools? Whereas, engineering basically gets left with the dregs. Well, the founders of Jellyfish certainly did. That's why they created the Jellyfish Engineering Management Platform, but don't you dare call it JEMP! Designed to make it simple to analyze your engineering organization, Jellyfish ingests signals from your tech stack. Including JIRA, Git, and collaborative tools. Yes, depressing to think of those things as your tech stack but this is 2021. They use that to create a model that accurately reflects just how the breakdown of engineering work aligns with your wider business objectives.
In other words, it translates from code into spreadsheet. When you have to explain what you're doing from an engineering perspective to people whose primary IDE is Microsoft PowerPoint, consider Jellyfish. That's Jellyfish.co and tell them Corey sent you! Watch for the wince, that's my favorite part.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I'm joined this week by Katie Sylor-Miller, who is a frontend architect at Etsy. Katie, thank you for joining me.

Katie: Hi, Corey. Thanks for having me.

Corey: So, I met you a long time ago—before anyone had ever heard of me and the world was happier for it—but since then you've done a lot of things. You're obviously a frontend architect at Etsy. You're a co-author of the Design Systems Handbook, and you were recently interviewed and included in Will Larson's book of staff engineering stories that people are mostly familiar with at staffeng.com.

Katie: Yeah.

Corey: So, you've done a lot of writing; you've done some talking, but let's begin with the time that we met. To my understanding, it's the only time we've ever met in person. And this harkens back to the first half—as I recall—of 2016 at the frontend conference in Zurich.

Katie: Yes, before either of us were known for anything. [laugh].

Corey: Exactly. And it was, oh, great. And I wound up getting invited to speak at a frontend conference. And my response was, “Uh, okay. Zurich sounds lovely. I'm thrilled to do it. Do you understand who you're asking?”

There are frontend folks—which, according to the worst people on the internet is the easiest form of programming; it isn't a real engineering job, and if that's your opinion, please stop listening to anything I do ever again—secondly, then there's the backend folks who write the API side of things and what the deep [unintelligible 00:02:03] and oh, that's the way of the future. And people look at me and they think, “Oh, you're a backend person,” if they're frontend.
If they're backend, they look at me and think, “Oh, you're a DevOps person.” Great. And if you're on the DevOps space, you look at me and think, “What is wrong with this person?” And that's mostly it.

But I was actually invited to speak at a frontend conference. And the reason that they invited me at all—turns out wasn't a mistake—was that I was giving a talk that year called, “Terrible Ideas in Git,” which is the unifying force that ties all of those different specialties together by confusing the living hell out of us.

Katie: Yes. [laugh].

Corey: So, I gave a talk. I thought it was pretty decent. I've done some Twitter threads on similar themes. You did something actually useful that helps people and is more lasting—and right at that same conference, I believe, you were building slash kicking it off—ohshitgit.com.

Katie: Yes. Yeah. It was—

Corey: Which is amazing.

Katie: Thank you. Yeah, it was shortly thereafter. I think the ideas were kind of starting to percolate at that conference. Because you know—yeah I was—

Corey: Because someone gave a talk about Git. Oh, I'm absolutely stealing credit for your work.

Katie: No, Corey—

Corey: “Oh, yeah. You know, that was my idea.”

Katie: [laugh].

Corey: Five years from now, I'm going to call myself the founder of it, and you're just on the implementation details.

Katie: I don't—nonononono—

Corey: That's right. I'm going to D.C. Bro my way through all of this.

Katie: [laugh]. No, no, no, no. See, my recollection is that my talk about being a team player and a frontend expert with a T-shape happened at exactly the same time as your talk about Git because I remember I wanted to go watch your talk because at the time, I absolutely hated Git. I was still kind of learning it. So yeah, so I don't think you really get any credit because I have never actually heard that talk that you gave. [laugh].

Corey: A likely story.

Katie: [laugh].
However, however, I will say—so, before I was up to give my talk, the emcee of the conference was teasing me, you know, in a very good-natured ribbing sort of way, he was teasing me about my blog being totally empty and having absolutely nothing in it. And I got on the plane home from Zurich, and I was starting to think, “Oh, okay. What are some things that I could blog about? What do I have to say that would be at all interesting or new to anyone else?”

And like I think a lot of people do, I had a really hard time figuring out, okay, what can I say that's, maybe, different? And, I went back home, I went back to work, and at one point, I had this idea, I had this file that I had been keeping ever since I started learning Git and I call it, like, gitshit.txt. And hopefully, your listeners don't mind lots of swears because I'm probably going to swear quite a bit.

Corey: No, no. I do want to point out, you're accessible to all folks: dangitgit.com, also works but doesn't have the internal rhyming mechanism which makes it, obviously, nowhere near where it needs to be.

Katie: [laugh]. Well—

Corey: It's sort of a Subversion to Git if you will.

Katie: Yes, exactly.

Corey: I—Subversion fans, don't yell at me.

Katie: [laugh]. Anyways, so I remember I tweeted something like, “Oh, what about if I took this text file that I had,” where every time I got into a Git mess, I would go on to Stack Overflow—as you do—and I would Google and I—it was so hard. I couldn't find the words to find the answers to what I was trying to fix. Because one of the big problems with Git that we can talk about it a bit more in detail later is that Git doesn't describe workflows, Git describes internal plumbing commands and everything that it exposes in its API.
So, I had a really hard time with it; I had a hard time learning it.

And, you know, what I said, “Okay, well, maybe if I published on my blog about these Git tips that I had saved for myself.” And I remember I tweeted, and I got a handful of likes on the tweet, including from Eric Meyer, who is one of my big idols in the frontend world. He's one of the godfathers of modern CSS. And he liked my tweet, and I was like, “Oh, okay. Maybe this is a real thing. Maybe people will actually find this interesting.”

And then I had this brilliant idea for this URL, ohshitgit.com, and it was available, and I bought it. And I swear to you, I think I spent two hours writing some HTML around my text file and publishing it up to my server. And I tweeted about it, and then I went to bed.

And I kind of expected maybe half a dozen of my coworkers would get a little sensible chuckle out of it, and like, that would be the end of it. But I woke up the next morning and my Twitter had blown up; I was on the front page of Hacker News. I had coworkers pinging me being like, “Oh, my God, Katie, you're on Hacker News. This is insane.” And—

Corey: Wait, wait, for a good thing, or the horrifying kind of thing because, Hacker News?

Katie: Well, [laugh] as I have discovered with Hacker News, whenever my site ends up on Hacker News, the response is generally, like, a mix of, “Ha ha ha, this is great. This is funny,” and, “Oh, my God, somebody actually doesn't understand Git and needs this. Wow, people are really stupid.” Which I fundamentally disagree with and I'm sure that you fundamentally [laugh] disagree with as well.

Corey: Oh, absolutely.

Katie: Yeah. So—

Corey: It's one of those, “Oh, Git confuses you. You know what that means? It means you're human.” It confuses everyone. The only question is, at what point does it escape your fragile mortal understanding? And if you are listening to this and you don't believe me, great.
I'm easy to find, I will absolutely have that discussion with you in public because I promise, one of us is going to learn something.

Katie: [laugh]. Awesome. I love—I hope that people take you up on that because—

Corey: Oh, that would be an amazing live stream, wouldn't it?

Katie: It would. It would because Git is one of those things that I think that people who don't understand it, look at it and think, “Gosh, you know, I must be stupid,” or, “I must not be cut out to be a developer,” or, “I must not know what I'm doing.” And I know that this is how people feel because that's exactly how I felt myself, even when I made ohshitgit.com, that became this big reference that everybody looks at to help them with Git, like, I still didn't understand it. I didn't get Git at all.

And since then, I've kind of been forced because people started asking me all these questions, and, “Well, what about this? What about that?” And I was just like, “Uh… I don't know. Uh…” and I didn't like that feeling, so I did what, you know, obviously, anyone would do in my situation and I sent out a proposal to give a talk about Git at a conference. [laugh].

And what that did is when my talk got accepted, I had to then go off and actually learn Git and understand how it works so that I could go and teach it to other people at this conference. But it ended up being great, I think because I found a lot of really awesome books. There's A Book Apart book called Git for Humans, which is incredibly good. There's a couple of websites like learngitbranching.com.

There's a bunch more that I can't think of off the top of my head. But I went out and I sort of slowly but surely developed this mental model, internally, of how Git works. And I'm a visual thinker and I'm a visual learner, and so it's a very visual model.
And for what it's worth, I think that was my biggest problem with Git was, like, I came from Microsoft .NET environment before that, and we used a program called TFS, Team Foundation Server, which is basically like a SVN or a CVS type source control system that was completely integrated into Visual Studio.

So, it was completely visual; you could see everything happening in your IDE as you were doing it. And then making this switch to the command line, I just could not figure it out until I had this visual mental model. So yeah, so ever since then I've just been going around and trying to teach people about Git and teach people this visual mental model that I've developed, and the tips and the tricks that I've learned for navigating Git especially on the command line. And I give talks, I do full-day training workshops, I do training workshops at work. And it's become my thing now, which is flabbergasting [laugh] because I never intended [laugh] for—I didn't set out to go and be this Git expert or to be, quote-unquote, “Famous” for a given value of famous, for knowing stuff about Git. I'm a frontend engineer. There's still a piece of me that looks at it, and is like, “How on earth did this even happen to me?” So, yeah, I don't know. So, that's my Oh shit, Git!?! story. And now—

Corey: It's a great one. It's—

Katie: Thank you.

Corey: Git is one of those weird things where the honest truth of where, “Terrible Ideas in Git”—my talk—came from was that I kept trying and failing to understand Git, and I realized, “How do I fix this? I know. I will give a talk about something.” That is what we know as a forcing function. If I'm not quite ready, they will not move the conference. I know because I checked.

Katie: Yep. [laugh]

Corey: And one in Zurich was not the first time I'd given it, but it was very clearly something that everyone had problems with. The first version of that talk would have absolutely killed it, if I'd been able to give it to the core Git maintainers.
And all, you know, seven of those people would have absolutely loved it, and everyone else would have been incredibly confused. So, I took the opposite tack and said, “All right. How do I expand this to as broad an audience as possible?”

And in one of the times I gave it, I said, “Look, I want to make sure it is accessible to everyone, not just people who are super deep into the weeds but also be able to explain Git to my mother.” And unlike virtually every other time where that, “Let me explain something to my mom.” And that is basically coded ageism and sexism built into one. In that case, it was because my mother was sitting in the front row and does not understand what Git is. And she got part of the talk and then did the supportive mother thing of, and as for the rest of it. “Oh, you're so well-spoken. You're so funny. And people seem to love it.” Like, “Did you enjoy my discussion of rebases?”

Katie: [laugh].

Corey: She says, “Just so good at talking. So, good.” And it was yeah.

Katie: [laugh]. Oh, yeah. No, I, I—totally—I understand that. There's this book that I picked up when I was doing all of this research, and I'm looking over at my bookshelf, it's called Version Control with Git. It's an O'Reilly book.

And if I remember correctly, it was written by somebody who actually worked at Git. And the way that they started to describe how Git works to people was, they talked about all kinds of deep internals of Unix, and correlated these pieces of the deep internals of Git to these deep Unix internals, which, at the time, makes sense because Git came out of the Unix kernel project as their source control methodology, but, like, really? Like, [laugh] this book, it says at the beginning, that it's supposed to teach people who are new to Git about how to use it. And it's like, well, the first assumption that they make is that you understand the 15 years' worth of history of the Linux kernel project and how Linux works under the hood.
And it's like, you've got to be absolutely kidding me that this is how anyone could think, “Oh, this is the right way to teach people Git.”

I mean, it's great now, going back in and rereading that book more recently, now that I've already got that understanding of how it works under the hood. This is giving me all of this detail, but for a new person or beginner, it's absolutely the wrong way to approach teaching Git.

Corey: When I first sat down to learn Git myself it was in 2008, 2009, Scott Chacon from GitHub at the time wound up doing a multi-day training at the company I worked at the time. And it was very challenging. I'm not saying that he was a bad teacher by any stretch of the imagination, but back in those days, Git was a lot less user-friendly—[laugh] not that it's tremendously good at it now—and people didn't understand how to talk about it, how to teach it, et cetera. You go to GitHub or GitLab or any of the other sites that do this stuff, and there's a 15-step intro that you can learn in 15 minutes and someone who has never used Git before now knows the basics and is not likely to completely shatter things. They've gotten the minimum viable knowledge to get started down to a very repeatable, very robust thing. And that is no small feat. Teaching people effectively is super hard.

Katie: It really is. And I totally agree with you that if you go to these providers that they've invested in improving the user experience and making things easier to learn. But I think there's still this problem of what happens when everything goes wrong? What happens if you make a mistake, or what happens if you commit a file on the wrong branch? Or what happens if you make a commit but you forgot to add one of the files you wanted to put in the commit?

Or what happens if you want to undo something that you did in a previous commit? And I think these are things that are still really, for some reason, not well understood. And I think that's kind of why Oh Shit, Git!?!
has fallen into this little niche corner of the Git world is because the focus is really like, “Oh, shit. I just made a mistake and I don't know what to do, and I don't know what terminology to even Google for to help me figure out how to fix this problem.” And I've come out and put these very simple, like, here: step one, step two, step three.

And people might disagree or argue [laugh] with some of the commands and some of the orders, but really, the focus is, like, people have this idea in their head, I think, particularly at their jobs, that Git is this big, important thing and if you screw up, you can't fix it. When really a lot of helping people to become more familiar and comfortable with Git is about ensuring them that no, no, no, the whole point of Git is that just about everything can be undone, and just about everything is fixable, and here's how you do it. So, I still think that we have a long way to go when it comes to teaching Git.

Corey: I would agree wholeheartedly. And I think that most people are not thinking about this from a position of educators, they're thinking about it from the position of engineering, and it's a weird combination of the two. You're not going to generally find someone who has no engineering experience to be able to explain things in a context that resonates with the people who will need to apply it. And on the other side, you're not going to find that engineers are great at explaining things without having specific experience in that space. There are exceptions, and they are incredibly rare and extremely valuable as a result. The ability to explain complex things simply is a gift.

Katie: It really is.

Corey: It's also a skill and you can get better at it, but a lot of folks just seem to never put the work in in the first place.

Katie: Well, you know, it's quote-unquote, “soft skills.” So [laugh].

Corey: Oh, God. They're hard as hell, so it's a terrible name.

Katie: [laugh]. Yeah.
Though I could not agree more, I think something that I really look at as a trait of a super senior engineer is that they are somebody who has intentionally worked on and practiced developing that skill of taking something that's a really complex technical concept, and understanding your audience, and having some empathy to put yourself in the shoes of your audience and figure out okay, how do I break this down and explain it to someone who maybe doesn't have all the context that I do? Because when you think about it, if you're working at a big company, and you're an engineer, and you want to, like, do the new hotness, cool thing, and you want to make Kubernetes the thing or whatever other buzzword term you want to use, in order to get that prioritized and on a team's backlog, you have to turn around and explain to a product person why it's important for product reasons, or what benefits is this going to bring to the organization as far as scalability, and reliability. And you have to be able to put yourself in the shoes of someone whose goals are totally different than yours.

Like, product people's goals are all around timelines, they're around costs, they're around things short-term versus long-term improvements. And if you can't put yourself into the shoes of that person, and figure out how to explain your cool hot tech thing to them, then you're never going to get your project off the ground. No one's ever going to approve it, nobody's going to give budget, nobody's going to put it in a team's backlog unless you have that skill.

Corey: That's the hard part is that people tend to view advancement as an individual contributor or engineer purely through a lens of technical ability. And it's not. The higher you rise, the more your job involves talking to people, and the less it involves writing code in almost every case.

Katie: One hundred percent. That's absolutely been my experience as an architect is that, gosh, I almost never write code these days.
My entire job is basically writing docs, talking to people, meeting with people, trying to figure out, where, what is the left hand doing and what is the right hand doing so I can somehow create a bridge between them. You know, I'm trying to influence teams, and their approach, and the way that they think about writing software. And, yes there is a foundation of technical ability that has to be there.

You have to have that knowledge and that experience, but at this point, it's like, my God—you know, I write more SQL as a frontend architect than I write HTML, or CSS, or JavaScript because I'm doing data analysis and [laugh] I'm doing—I'm trying to figure out what does the numbers tell us about the right thing to choose or the right way to go, or where are we having issues? And, yeah, I think that people's perceptions and the reality don't always match up when it comes to looking at the senior IC technical track.

Corey: This episode is sponsored by our friends at Oracle Cloud. Counting the pennies, but still dreaming of deploying apps instead of "Hello, World" demos? Allow me to introduce you to Oracle's Always Free tier. It provides over 20 free services and infrastructure, networking databases, observability, management, and security.

And - let me be clear here - it's actually free. There's no surprise billing until you intentionally and proactively upgrade your account. This means you can provision a virtual machine instance or spin up an autonomous database that manages itself all while gaining the networking load, balancing and storage resources that somehow never quite make it into most free tiers needed to support the application that you want to build.

With Always Free you can do things like run small scale applications, or do proof of concept testing without spending a dime. You know that I always like to put asterisks next to the word free. This is actually free. No asterisk. Start now.
Visit https://snark.cloud/oci-free that's https://snark.cloud/oci-free.

Corey: At some level, you hear people talking about wanting to get promoted, and what they're really saying—and it doesn't seem that they realize this—is, “I love what I do, so I'm really trying to get promoted so I can do less of what I love and a lot more of things I hate.”

Katie: [laugh]. Yes. Yeah. Yeah. [laugh]. In some ways, in some ways, I think that you've got to kind of learn to accept it. And there are some people, I think that once you get past the senior engineer, or maybe even the staff engineer, maybe they don't even want to go there because they don't want to do the kind of sales pitch, people person, data numbers pitching, trying to get people to agree with you on the right way forward is really hard, and I don't think it's for everyone. But I love it. [laugh]. I absolutely love it. It's been great for me. And I feel like it really—it plays to my strengths in a lot of ways.

Corey: What I always found that worked for me, as far as getting folks on board with my vision of the world is, first, I feel like I have to grab their attention, and my way is humor. With the Git talk, I have to say giving that talk a few times made me pretty confident in it. And then I was invited to the frontend conference. And in hindsight, I really, really should have seen this coming, but I'm there, I'm speaking in the afternoon, I'm watching the morning talks, and the slides are all gorgeous.

Katie: Yes. [laugh].

Corey: And then looking at my own, and they are dogshit. Because this was before I had the sense to hire a designer to help with these things. It was effectively black Helvetica text on a white background. And I figured, “All right, this is a problem.
I only have a few hours to go, what do I do?” And my answer was, “Well, I'm not going to suddenly become an amazing designer in the four hours I have.” So, I changed some of the text to Comic Sans because if you're doing something bad, do it worse, and then make it look intentional. It was a weird experience, and it was a successful talk in that no one knew what the hell to make of what I was doing. And it really got me thinking that this was the first time I'd spoken to an audience who was frontend, and it reminded me that the DevOps problems that I normally talked about, were usually fairly restricted to DevOps. But the things that everyone touches, like Git, for example, start to be things that resonate and break down walls and silos better than a given conference ever can. But talking instead about shared pain and shared frustrations.

Katie: Yes. Yes. Everyone likes to know that they are not alone in the world, particularly folks who are maybe underrepresented minorities in tech and who are afraid to speak up and say, “Oh, I don't understand.” Or, “That doesn't make any sense to me,” because they're worried that they're already being taken not as seriously as their white, male counterparts. And I feel like something I really try to lean into as a very senior woman in a very male-dominated field is if I don't understand something, or if I have a question, or something doesn't make sense is I try to raise my hand and ask those questions and say, out loud, “Okay, I don't get this.” Because I can't even tell you, Corey, the number of times I've had somebody reach out to me after a meeting and say, “Thank you.
I didn't understand it either.” Or, “I thought maybe I just didn't understand the problem space, or maybe I just wasn't smart enough to understand their explanation.” And having somebody who's very senior who folks look up to, to be able to say, “Wait a minute, this doesn't make sense.” Or, you know, I don't understand that explanation. Can you explain it a different way? It's so powerful and it unblocks people and it gives them this confidence that, hey, if that person up on stage, or leading this meeting, or writing this blog post doesn't get this either, maybe I'm not so stupid, or maybe I do deserve to be in this industry, or maybe it's not just me. And I really hope that more and more people can feel empowered to do that in their daily lives more. I think that's been something that has been a tremendous learning through all of this experience with Oh shit, Git!?! for me is the number of people that come up to me after conference talks, or tweet me, or send me a message, just saying, “Thank you. I thought I was alone. I thought I was the only one that didn't get this.” And knowing that not just am I not the only one, but that people are universally frustrated, and universally Git makes them want to swear all the time, I mean, that's the best compliment that I get is when folks come up to me and say, “Thank you, I thought I was alone.”

Corey: That's one of the things that I find that is simultaneously the most encouraging and also the most galling. Every once in a while I will have some company reach out to me—over a Twitter thread or something—where I'm going through their product from a naive user perspective of, like, I'm not coming at this with 15 years of experience and instinct that feed into how I approach this, but instead the, I actually haven't used this product before. I'm not going to jump ahead and make assumptions that tend to be right. I'm going to follow the predictable user path flow. And there are very often times where, “Okay.
I'm hitting something. I don't understand this. Why is it like this? This is not good.” And usually, companies are appreciative when I do stuff like that, but every once in a while, I'll get some dingus who will come in, and like, “I didn't appreciate the fact that you end up intentionally misinterpreting what we're saying.” And that's basically license for me to take the gloves off and say, “No, this was not me being intentionally dumb. Sure, I didn't apply a whole bunch of outside resources I could have to this, but it wasn't me intentionally failing to get the point. I did not understand this, and you're coming back to me now reinforces that you are too close to the problem. And, on some level, when your actual customers have problems with this, they are hearing an element of contempt from you.”

Katie: Totally.

Corey: “This is an opportunity to fix it and make it more approachable because spoiler, not a lot of people love paying money to something that makes them feel stupid.”

Katie: [laugh]. See, Corey, I don't know. You say that you're not really a frontend person, but that is a very strong UX mindset. Like that—

Corey: Oh, my frontend stuff is actually pretty awesome because as soon as I have to do something that even borders on frontend, I have the insight and I guess, willingness to do the smart thing, which is to immediately stop talking and pay someone who knows what they're doing.

Katie: [laugh]. Thank you. On behalf of all frontend engineers everywhere, I applaud that, and I appreciate it.

Corey: It comes down to specialty. I mean, again, it would also be sort of weird from my perspective, which is my entire corporate position is I fix the horrifying AWS bill. So, if you're struggling with the bill in various capacities, first, join basically everyone, but two, you're not alone so maybe hire someone who is an expert in this specific thing to come in and help you with it.
And wouldn't it be a little hypocritical of me to go in and say, “Oh, yeah, but I'm just going to YOLO my way through this nonsense?”

Katie: Mm-hm. [laugh]. Yeah, [laugh] I don't know if we'll want to include this in the final recording, but I have a really hilarious story, actually, about Amazon. So—

Corey: Oh, please. They listen to this and they love customer feedback.

Katie: [laugh].

Corey: I'm not being sarcastic. I'm very sincere here.

Katie: Well, this is many, many, many years ago. I mean, probably, oh, gosh, this is probably eight years ago at this point. I was interviewing for a job at Amazon. It was a job to be a frontend engineer on the homepage team, which at the time, I was like, “Oh, my God, this is Amazon. This is such an honor. I'm so excited.”

Corey: And you look at amazon.com's front page, and it's, “Oh, I can fix this. There's so much to fix here.”

Katie: Yes.

Corey: And then reality catches up if I might not be the first person in the world to have made that observation.

Katie: [laugh].

Corey: What's—

Katie: Well—

Corey: Going on in there?

Katie: Yeah. Well, I'll tell you what's going on. So, I think I did five different phone interviews. You know, before they invite you out to Seattle, there's—and again, this was eight years ago, so this was well before everyone was working at home. And in those five hours of phone interviews, I want you to make a guess at how many minutes we spent talking about HTML, CSS, and JavaScript.

Corey: I am so unfamiliar with the frontend world, I don't know what the right answer is for an interview, but it's either going to be all the time or none of it, based on the way you're framing it.

Katie: Yes. [laugh]. It was basically, like, half an hour. So, when you are a frontend engineer, your job is to write HTML, CSS, and JavaScript.
And in five hours, I talked about that for probably half an hour. It was one small question and one small discussion, and all the rest of the time was algorithms, and data structures, and big O notation, and oh, gosh, I think they even did the whole, like, “I typed something into my browser, tell me what happens after I type a URL into my browser.” And I think that just told [laugh] me everything that I needed to know about how Amazon approached the frontend and why their website was such a hot mess was because they weren't actually hiring anyone with real frontend skills to work on the frontend. They were hiring backend people who probably—not to say that they weren't capable or didn't care, but I don't know. That's my favorite Amazon story that I have is trying to go work there, and they basically were like, “Yes, we want a frontend engineer.” And then they didn't actually ask about any frontend engineering skill sets in the job. They didn't offer me anyth—I don't think I got invited to go to Seattle, but I probably wouldn't have anyways.

Corey: No. Having done it a couple of times now, again, I like the people I meet at Amazon very, very much. I want to be very clear on that. But some of their processes on the other hand, oh, my God. It shows that being a big company is clearly not necessarily a signal that you solved all of these problems. In some cases, you're basically just crashing through the problem space by sheer power of inertia.

Katie: Yeah, definitely. I think you can see that when looking at their frontend. Harkening back a little bit to what we were talking about earlier is you don't go to Amazon and learn patterns of interaction that are applicable to every single site on the web. Amazon kind of expects that users are going to learn the Amazon way of shopping and that users are going to adjust how they navigate the web in order to accommodate Amazon.
You know, people learn, “Oh, this is what I do on Amazon.” And then, you know, they're—

Corey: Oh, that's the biggest problem with bad user experience is people feel dumb.

Katie: Mm-hm.

Corey: They don't think, “This company sucks at this thing.” They think, “I must not get it.” And I know this, and I am subject to it. I run into this problem all the time myself.

Katie: Oh, yes.

Corey: And that is a problem.

Katie: Yeah. It's why I think, like you said earlier, it's so important when you work somewhere to figure out how do you get that distance between being a power user enough so that you can understand and appreciate what it's like for a regular user who's not a power user of your site. And what do they do? And UX researchers are amazing. A good UX researcher is worth absolutely their weight in gold because, I don't know if you've ever sat in on a UX session where the researcher is walking a user through completing a specific task on a website, but oh my God, it's painful. It's because [laugh] you just want to, you want to push them in the right direction, and you want to be like, “Oh, but what about in the upper right over there, that big orange button,” and you can't do that. You can't push people. You have to be very open-ended, you have to ask them questions. And every single time I've listened in on a UX research recording, or a call, I want to scream through the computer and be like, “Oh, my gosh. This is how you do it.” But, you know, you can't do that. So, [laugh] I think it's important to try to develop that kind of skill set on your own of, “Okay, if I didn't stare at this website every day, what would it be like for me to try to navigate? If I was using a keyboard for navigation or a screen reader instead of a mouse, what would my experience be like?” Having that empathy, and that ability to get outside of yourself is just really important to be a successful engineer on the web, I think.

Corey: Yeah.
And you really wish, on some level, that they would be able to articulate this as an industry. And I say ‘they,' I guess I'm speaking of about three companies in particular. I have a lot more sympathy for a small startup that is having problems with UX than I am for enormous companies who can basically hurl all the money at it. And maybe that's unfair, but I feel like, at some point of market dominance, it is beholden on you to set the shining example for how these things are going to work. I don't feel that way, necessarily about architecture on the backend. Sure, it can be a dangerous, scary tire fire, but that's not something your customers or users need to think about or worry about, as long as it is up from their perspective. UX is very much the opposite of that.

Katie: Totally. And I think, working at a former startup, there's a tendency to really focus a lot on those backend problems. You know, you really look at, “Okay, we're going to nitpick every single RPC request. We're going to have all kinds of logging and monitoring about, okay, this is the time that it takes for a database API request to return.” And just the slightest movement and people freak out. But it's been a process that I've been working really hard on the last couple of years, to get folks to have that same kind of care and attention to the stuff that they ship to the frontend, especially for a lot of organizations that really focus on, “Well, we're a tech company,” it's easy to get into this, oh, engineering is all of these big hard systems problems, when really your customers don't care about all of that. Yes, ultimately, it does affect them because if your database calls are really, really slow, then it has an effect on how quickly the user gets a response back and we know that slow-performing websites, folks are more likely to abandon them.
Not that it doesn't matter completely, but personally, I would really love it to see more universally around the industry that frontend is seen as this is the entirety of your product and if you get that wrong, then none of the rest of your architecture, or your infrastructure, or how great your DevOps is matters because you need customers to come to your site and buy things.

Corey: It turns out that the relationship between customers coming to your site and buying things and the salaries engineering likes to command is sometimes attenuated in ways that potentially shouldn't be. These are interesting times, and it does help to remember the larger context of the work we do, but honestly, at some point, you wind up thinking about that all the time, and not the thing that you're brought in specifically to fix. These are weird times.

Katie: Yes.

Corey: Katie, thank you so much for taking the time to speak with me about several things. Usually—it's weird. Normally, when someone says thank you for speaking to me about Git, there is no way that isn't a sarcastic—

Katie: [laugh].

Corey: —statement. But in this case, it is in fact genuine.

Katie: Yes, I will bitch about Git until I am blue on the face, so I appreciate you having me on board to talk about it, Corey. Thank you.

Corey: Of course. If people want to learn more, where can they find you?

Katie: They can find me at ohshitgit.com, or as you pointed out, the dangitgit.com swear-free version. As a little plug for the site, we now have had the site translated by volunteers in the community into 28 different languages. So, if English is not your first language, there's a really good chance you'll find a version of OSG—as I like to call it—that is in your language.

Corey: Terrific. And we will, of course, put links to these wonderful things in the show notes. Thank you so much for taking the time to speak with me. I really appreciate it.

Katie: Thank you, Corey.
It's been lovely to reconnect, and gosh, look at where we are now compared to where we were almost five years ago.

Corey: I know. It's amazing how the world works.

Katie: Really.

Corey: Katie Sylor-Miller, frontend architect at Etsy. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with a comment written in what is clearly your preferred user interface: raw XML.

Katie: [laugh].

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

This has been a HumblePod production. Stay humble.
Michelle Wilson, CISO at Celebrity Financial, is our guest this week, interviewed by Jason Jaques. News from Palantir, Swimlane, Ping Identity, Thinkst, VirtualArmour, Coalfire and a lot more!

Support us on Patreon! Fun swag available - all proceeds will directly support the Colorado = Security infrastructure. Come join us on the new Colorado = Security Slack channel to meet old and new friends. Sign up for our mailing list on the main site to receive weekly updates - https://www.colorado-security.com/. If you have any questions or comments, or any organizations or events we should highlight, contact Alex and Robb at info@colorado-security.com

This week's news:
Join the Colorado = Security Slack channel
169 Colorado laws went into effect Tuesday. A state parks pass with your vehicle registration is one of them.
An Innovative Solution to Denver's Housing Woes is Taking Shape on West Colfax
Here's what Palantir's been up to since quietly moving to Denver one year ago
Colorado County Clerk Charged with Cybercrime
The Unbundling of Authentication vs Authorization - What You Need to Know
Executive Order on Zero Trust — What it Means for Federal Agencies
Good attacks make good detections make good attacks make..
The Risks of Public WiFi (& How to Protect Yourself)
Rumors of an upcoming, major change to ISO 27002

Job Openings:
Red Canary - Director, Corporate Security
Red Canary - Product Security Engineer
Red Canary - IT Support Manager
State of Colorado - Director of Cyber - Security & Investigations
Crocs - Sr. Manager, IT Security
Red Robin - Manager of IT Security Operations
CoBank - Security Manager - Threat Management
TriState Generation - Cyber Security Engineer
Computershare - Security Monitoring Analyst
Guild Education - Information Security Analyst

Upcoming Events: This Week and Next:
ASIS - Coffee Chat with DEN - 9/14
ISSA C.Springs - 11th Annual Peak Cyber Symposium - 9/14-16
ISSA Denver - Women in Security September Meeting - 9/15
ISACA Denver - September "Imagine a World Without Passwords & IT Fraud Investigations" - 9/16
CSA Colorado - September Meeting | "Protecting Ephemeral Workloads" - 9/20
OWASP Denver/Boulder - September | Cover your ass(ets) - 9/21
ISC2 Pike's Peak - September Hybrid Meeting - 9/22
SecureSet - [Virtual] Intro to Machine Learning for Cybersecurity - 9/23
View our events page for a full list of upcoming events

* Thanks to CJ Adams for our intro and exit! If you need any voiceover work, you can contact him here at carrrladams@gmail.com. Check out his other voice work here.
* Intro and exit song: "The Language of Blame" by The Agrarians is licensed under CC BY 2.0
Links:
Cloud Security Basics CIOs and CTOs Should Know: https://www.informationweek.com/cloud/cloud-security-basics-cios-and-ctos-should-know/a/d-id/1341578?
Spring 2021 PCI DSS report now available with nine services added in scope: https://aws.amazon.com/blogs/security/spring-2021-pci-dss-report-now-available-with-nine-services-added-in-scope/
Top 5 Benefits of Cloud Infrastructure Security: https://www.kratikal.com/blog/top-5-benefits-of-cloud-infrastructure-security/
The three most important AWS WAF rate-based rules: https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/
Researchers Call for ‘CVE' Approach for Cloud Vulnerabilities: https://www.darkreading.com/cloud/researchers-call-for-cve-approach-for-cloud-vulnerabilities
Managed Private Cloud: It's all About Simplification: https://www.computerworld.com/article/3623118/managed-private-cloud-its-all-about-simplification.html
100 percent of companies experience public cloud security incidents: https://betanews.com/2021/08/04/100-percent-public-cloud-security-incidents/
Why cloud security is the key to unlocking value from hybrid working: https://www.welivesecurity.com/2021/08/05/why-cloud-security-key-unlocking-value-hybrid-working/
Organizations Still Struggle to Hire & Retain Infosec Employees: Report: https://www.darkreading.com/careers-and-people/organizations-still-struggle-to-hire-retain-infosec-employees-report
NSA, CISA release Kubernetes Hardening Guidance: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
HTTP/2 Implementation Errors Exposing Websites to Serious Risks: https://www.darkreading.com/application-security/http-2-implementation-errors-exposing-websites-to-serious-risks
Ransomware Gangs and the Name Game Distraction: https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
Using versioning in S3 buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It's an awesome approach. I've used something similar for years. Check them out. But wait, there's more. They also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It's awesome. If you don't do something like this, you're likely to find out that you've gotten breached, the hard way. Take a look at this. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That's canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I'm a big fan of this. More from them in the coming weeks.

Jesse: The general theme in security news and trends show us that perimeter defense has a whole new meaning. There is no large perimeter anymore. Nearly every device is on a public or otherwise hostile network, from servers to phones to laptops.
Every device needs scanning, protecting, monitoring, and analyzing. None of these devices can be viewed in a vacuum, as separate entities without the context of behavior of systems and services accessed from across a network.

This is why zero trust and cloud native applications and services go so well in these hard times. If you can't trust anything without checking on current events, then you have to authenticate and analyze in real-time to determine if something is safe to allow. In the ancient days of yore, everything was default allow and you stopped things you knew were bad. Then along came default deny, where you allowed only those things you whitelisted. But that was a full-time allowance of bad things to happen when an account was compromised.

Ditch the whitelist and just implement real-time contextual security. If you do this, does it really matter if someone gets a hostile device on your network? Nope. If you treat everything, including owned and managed assets, as hostile, some new unmanaged device or service doesn't change your operations or exposure much if at all.

Meanwhile in the news.

Cloud Security Basics CIOs and CTOs Should Know. Some of the critical things non-cybersecurity execs ought to know: moving to the cloud isn't a security easy button, cybersecurity insurance generally sucks, and moving to the cloud takes a lot more work than people think to get operationally secure.

Spring 2021 PCI DSS report now available with nine services added in scope. When you do compliance and use cloud infrastructures and SaaS services, you need to prove your services support compliance requirements. This AWS report can help. Also, review the new services added to see if you can improve your service delivery and applications supporting PCI.

Top 5 Benefits of Cloud Infrastructure Security.
Using the cloud doesn't make you more secure, but there are advantages that can make security more manageable in the cloud than it is in legacy data centers.

The three most important AWS WAF rate-based rules. Sometimes ya just got to geek out. Also, your security person won't always be there to set up things like Web Application Firewalls with DDoS mitigation and other nifty security and compliance tools.

Researchers Call for ‘CVE' Approach for Cloud Vulnerabilities. If there is a vulnerability in cloud service provider services, they should get a CVE like anyone else, right? After all, it's just software, which is what the CVE is supposed to track. I understand shining light on the problems to force cloud companies to fix them, but that is partly what the CVE system is for. If there are configurations that open gaping security holes, they need to be in CVE. Why do they want to make a new thing to replace a perfectly good thing?

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Managed Private Cloud: It's all About Simplification. So, let's see if I understand this. Several article sources talk about the benefits of using private cloud citing the exact same benefits as using a public cloud service, except claiming it's more secure for finance and medical verticals. Hello folks, AWS Outposts anyone?
The only difference is the shared responsibility model, except that now you have an outside agency managing everything. Neither are more or less secure than the other. They are different approaches to risk acceptance and mitigation.

100 percent of companies experience public cloud security incidents. Despite the sensationally alluring feel of the headline, the real news from this is that moving to cloud operations exposes the horrible lack of processes around custom development and production management that most organizations have. Don't blame being in the cloud for your poor operations, just don't be stupid.

Why cloud security is the key to unlocking value from hybrid working. [sigh]. Hybrid cloud, hybrid cars, hybrid corn, and now hybrid work. I haven't understood why it's so hard to understand that there are additional security concerns and either increased or displaced risk pushing workloads and data to the cloud. The only common answer I can think of is that security in general is full of theater and drama. Of course, there's more risk. Obfuscated risk is dangerous.

Organizations Still Struggle to Hire & Retain Infosec Employees: Report. The extreme lack of trained and/or experienced cybersecurity talent underscores the importance of all of us knowing security well enough to mitigate most risks. Sure, having someone dedicated to the work is far superior to having security tacked onto the duties of others, but without the ability to fill those dedicated roles, someone has to keep the script kiddies and APTs out.

NSA, CISA release Kubernetes Hardening Guidance. This is pure IT security gold. The spooks often hold secrets most of us haven't figured out, partially due to the immense resources they throw at cybersecurity. This report is 52 pages of great advice. Also, now everyone knows security issues in Kubernetes environments. Don't be stupid. Go read this now.

HTTP/2 Implementation Errors Exposing Websites to Serious Risks.
Black Hat and other security conferences are famous for gloom and doom pronouncements that are just theoretical attacks that likely won't ever be practical in real-world production systems. However, this one may have some legs.

Ransomware Gangs and the Name Game Distraction. With ransomware groups regularly getting international media attention, they're retreating to the shadows when the heat turns up on them. They will vanish from headlines, but they will simply rebrand and move forward as if they were a new group. This is why following Indicators of Compromise, or IOCs, is more important than worrying about the exact behavior profile or name of a group.

And now for the tip of the week. Don't lose overwritten file data. Use S3 versioning. Enabling versioning on your S3 buckets allows disaster recovery and an audit trail for changes in your data objects. The docs are fairly straightforward, as well. Check out the AWS doc section called: Using versioning in S3 buckets. And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple Podcasts, Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
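The S3 versioning tip of the week, carried a step further as an added worked example (this is not code from the show, from AWS, or from the linked doc page). It shows the three things a practitioner actually needs around versioning: an audit of which buckets do not have it enabled (a bucket that never had versioning returns no Status at all, and a suspended one is just as unprotected), a lifecycle rule that bounds how long noncurrent versions are kept so the audit trail does not become an unbounded bill, and the recovery step that picks the version to copy back after an overwrite or a delete. The helper names, the bucket names and the sample API responses are constructed for illustration and are shaped like boto3's get_bucket_versioning and list_object_versions output; only enable_versioning() touches AWS, and it imports boto3 lazily so everything else runs offline.

```python
"""Audit, enable, and recover with S3 bucket versioning (added example, not from the show)."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Optional


def versioning_status(config: dict) -> dict:
    """Interpret a get_bucket_versioning() response.

    A bucket that never had versioning enabled returns no 'Status' key;
    one where it was turned off returns 'Suspended'. Both leave overwritten
    objects unrecoverable, so only 'Enabled' counts as ok.
    """
    status = config.get("Status", "NeverEnabled")
    mfa_delete = config.get("MFADelete", "Disabled")
    return {"versioning": status, "mfa_delete": mfa_delete, "ok": status == "Enabled"}


def audit_buckets(configs: dict[str, dict]) -> list[str]:
    """Names of buckets (bucket -> versioning config) that are not protected."""
    return sorted(name for name, cfg in configs.items() if not versioning_status(cfg)["ok"])


def enable_versioning_params(bucket: str) -> dict:
    """Keyword arguments for s3.put_bucket_versioning()."""
    return {"Bucket": bucket, "VersioningConfiguration": {"Status": "Enabled"}}


def noncurrent_expiry_rule(days: int = 90) -> dict:
    """Lifecycle configuration that expires noncurrent versions after `days`.

    Without it a versioned bucket keeps every overwritten object forever.
    """
    return {
        "Rules": [
            {
                "ID": f"expire-noncurrent-after-{days}d",
                "Status": "Enabled",
                "Filter": {"Prefix": ""},
                "NoncurrentVersionExpiration": {"NoncurrentDays": days},
            }
        ]
    }


def restore_candidate(listing: dict, key: str) -> Optional[str]:
    """VersionId to copy back to recover `key` after an overwrite or delete.

    `listing` is shaped like list_object_versions(). The newest version that
    is not current is the one to restore: after an overwrite the current one
    is the bad write; after a delete the current entry is a delete marker,
    so every real version is noncurrent.
    """
    older = [
        v for v in listing.get("Versions", [])
        if v["Key"] == key and not v.get("IsLatest", False)
    ]
    if not older:
        return None
    return max(older, key=lambda v: v["LastModified"])["VersionId"]


def enable_versioning(bucket: str, noncurrent_days: int = 90, client=None) -> None:
    """Turn versioning on and bound noncurrent retention (needs AWS credentials)."""
    import boto3  # imported here so the pure helpers above run without boto3

    s3 = client or boto3.client("s3")
    s3.put_bucket_versioning(**enable_versioning_params(bucket))
    # MFA Delete would additionally need the MFA= argument signed by the
    # root account's device; it is deliberately not enabled here.
    s3.put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=noncurrent_expiry_rule(noncurrent_days)
    )


def _ts(day: int) -> datetime:
    return datetime(2021, 8, day, tzinfo=timezone.utc)


# Constructed sample data, shaped like the boto3 responses (hypothetical buckets).
SAMPLE_CONFIGS = {
    "prod-backups": {"Status": "Enabled", "MFADelete": "Disabled"},
    "logs": {},  # never enabled: no Status key at all
    "scratch": {"Status": "Suspended"},
}
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "config.yaml", "VersionId": "v3", "IsLatest": True, "LastModified": _ts(10)},
        {"Key": "config.yaml", "VersionId": "v2", "IsLatest": False, "LastModified": _ts(9)},
        {"Key": "config.yaml", "VersionId": "v1", "IsLatest": False, "LastModified": _ts(8)},
        {"Key": "secrets.env", "VersionId": "s1", "IsLatest": False, "LastModified": _ts(7)},
    ],
    # secrets.env was deleted: the delete marker is current, s1 is noncurrent.
    "DeleteMarkers": [
        {"Key": "secrets.env", "VersionId": "d1", "IsLatest": True, "LastModified": _ts(11)}
    ],
}

if __name__ == "__main__":
    print("needs versioning:", audit_buckets(SAMPLE_CONFIGS))
    print("restore config.yaml from:", restore_candidate(SAMPLE_LISTING, "config.yaml"))
    print("restore secrets.env from:", restore_candidate(SAMPLE_LISTING, "secrets.env"))
```

The recovery itself is a copy_object of the chosen VersionId back onto the same key, which creates a new current version rather than rewriting history; that is what keeps the audit trail intact. Versioning does not protect against an attacker with s3:DeleteObjectVersion, so pair it with a policy that denies that action to everything but a break-glass role, or with MFA Delete on the buckets that matter most.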
Links:
4 Factors that Should Be Part of Your Cybersecurity Strategy: https://www.csoonline.com/article/3625254/4-factors-that-should-be-part-of-your-cybersecurity-strategy.html
‘Software Bill of Materials'—not just good for security, good for business: https://thehill.com/opinion/cybersecurity/564787-software-bill-of-materials-not-just-good-for-security-good-for-business
Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant: https://www.cpomagazine.com/cyber-security/third-party-security-failure-caused-1-tb-data-breach-at-saudi-aramco-hackers-play-puzzle-games-with-oil-giant/amp/
Federal Tech Leaders Outline Future of FedRAMP: https://governmentciomedia.com/federal-tech-leaders-outline-future-fedramp
‘Holy moly!': Inside Texas' fight against a ransomware hack: https://apnews.com/article/technology-government-and-politics-business-texas-hacking-47e23be2d9d90d67383c1bd6cee5aef7
Firefox 90 Drops Support for FTP Protocol: https://www.securityweek.com/firefox-90-drops-support-ftp-protocol
Lower-Level Employees Become Top Spear-Phishing Targets: https://www.darkreading.com/attacks-breaches/lower-level-employees-become-top-spearphishing-targets
U.S. Government unlikely to ban ransomware payments
The Power of Comedy for Cybersecurity Awareness Training: https://www.darkreading.com/careers-and-people/the-power-of-comedy-for-cybersecurity-awareness-training
Inside the Famed Black Hat NOC: https://www.darkreading.com/edge-articles/inside-the-famed-black-hat-noc
Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling: https://cloudsecurityalliance.org/press-releases/2021/07/29/cloud-security-alliance-releases-guide-to-facilitate-cloud-threat-modeling/
5 Benefits of Disaster Recovery in the Cloud: https://securityboulevard.com/2021/08/5-benefits-of-disaster-recovery-in-the-cloud/
Black Hat USA 2021 and DEF CON 29: What to expect from the security events: https://www.techrepublic.com/article/black-hat-usa-2021-and-def-con-29-what-to-expect-from-the-security-events/

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It's an awesome approach. I've used something similar for years. Check them out. But wait, there's more. They also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to.
When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It's awesome. If you don't do something like this, you're likely to find out that you've gotten breached, the hard way. Take a look at this. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That's canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I'm a big fan of this. More from them in the coming weeks.Jesse: As more services are delivered by cloud-native microservices with dynamic scaling, compliance management and monitoring becomes terrifyingly complex and difficult. The way around this is to implement processes and tools that can continuously monitor and manage compliance-related configurations using automated analysis and reporting of your cloud-native services. This collection of processes and tools is called Cloud Security Posture Management, or CSPM. CSPM generally involves a fair amount of automation to ensure secure practices are used and compliance requirements are continuously met. Implementing CSPM alongside DevSecOps and an organizational focus on shifting left in services development rounds out a tripod to support your cloud initiatives.Meanwhile, in the news. 4 Factors that Should Be Part of Your Cybersecurity Strategy. Our security perimeters are no longer controlled by our organizations. With so many people working remote, every device on their network has become part of the threat landscape, from connected fridges to game consoles.‘Software Bill of Materials'—not just good for security, good for business. SBOMs, as they're called, are coming. Even if there is never a law forcing SBOMs like food ingredients labels, there could be an ever-increasing requirement for vendors to supply them. 
It might be a good idea to start building these, even if they're only supplied when legally or contractually required.Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant. This case study is like slowing down to see the aftermath of a crash and trying to piece together what happened. Given the breach came from a vendor, it's a sideways attack on Aramco. Are you sure your vendors are secure? Thoroughly analyze all your third-party tools and services to ensure they aren't the weaker link.Federal Tech Leaders Outline Future of FedRAMP. Changes to FedRAMP are a big deal if they open up options for US federal agencies, or if the FedRAMP process—or its replacement—speed up certification. Many FedRAMP SaaS services lag their commercial counterparts because it takes so long to jump through the FedRAMP approval process. This hurts the market and the federal agencies.‘Holy moly!': Inside Texas' fight against a ransomware hack. Learn from the plight of others before others learn from your plight. Reading case studies of disclosed incidents gives us insight into how doomed we are if we don't get our act together.Firefox 90 Drops Support for FTP Protocol. [sigh]. This is the end of an era of wide-open access and abuse. But I'm a little sad and nostalgic for my early computing days. I remember using FTP to get things to my internet-connected host account where I could then use Zmodem or Kermit to download things to my local machine. I remember when using HTML sites were new, but you could still get everything from FTP sites. Ugh, the bad old days.Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. 
Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.Jesse: Lower-Level Employees Become Top Spear-Phishing Targets. We always protect the big fish but the better target for phishing are the people not being closely monitored. If you can trick a system into lateral movement or privilege escalations, you can start with any non-admin user and infiltrate silently. This is why good SIM tools and behavior analysis mechanisms are critical to modern security.U.S. Government unlikely to ban ransomware payments. Now, this is a relief. This is like making it illegal to pay a kidnapper, even when the kidnapper is not within the U.S. Please try to solve your ransomware problems without paying, but if you must, you must.The Power of Comedy for Cybersecurity Awareness Training. The Duckbill Group's own Corey Quinn is the living embodiment of teaching through humor. When we laugh, we remember. Also, there's a lot of hilarity in security if you lean back and see it all at once. Aren't we just a series of bad sitcom reruns where all the same tropes are trotted out every season, and you can't even tell a rerun from a first-run? It's the same attacks and mostly the same old tired defenses, day in and day out.Inside the Famed Black Hat NOC. I was inside the DEFCON SOC once and the concentration of security skill and experience in the room was amazing. They were friendly and collegial and great to work with. 
If a couple dozen people can build a world-class SOC or NOC for an event that lasts only a few days, we can all make some great improvements with the limited resources at home.Cloud Security Alliance Releases Guide to Facilitate Cloud Threat Modeling. When shifting left and doing DevSecOps, there has to be methods for assessing security issues faced by the systems you build. If you don't have at least a flashlight, you won't notably improve security.5 Benefits of Disaster Recovery in the Cloud. When I first worked with disaster recovery and business continuity, we would ship tapes to a vendor who sets up hardware we were using for recovery from backups exercise on bare-metal systems. Whoo. Wow, have times changed. DR in the cloud could be more about distributed active sites split across regions, and other such fun things instead of slow hardware solutions.Black Hat USA 2021 and DEF CON 29: What to expect from the security events. The last week of July and/or the first week of August each year is ‘Security Summer Camp' in Las Vegas, Nevada, in the United States of America. We've called this week that for years because in the same week in the same city, there is Black Hat, one of the largest security conferences in the world, DEF CON the largest hacker conference in the world, and besides—although this year it's virtual again—as well as a variety of other events.And now for the tip of the week. Use Kubernetes. If you want to decouple your services delivery from the underlying systems and infrastructure, look to Kubernetes. If you are building a multi-cloud hybrid strategy, using Kubernetes is likely a great option to reduce your complexity and overhead. And that's it for the week. Securely yours, Jesse Trucks.Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.Announcer: This has been a HumblePod production. Stay humble.
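The CSPM approach described in the episode (continuous, automated checks of cloud configuration against policy, with reporting) is illustrated here by an added example; it is not code from the podcast, from Thinkst, Teleport or any CSPM product. It is a small Python posture checker that runs rules over a hand-constructed resource inventory and then diffs two runs, which is how a continuous scan surfaces newly introduced and resolved findings rather than re-listing everything each time. The inventory shape, rule IDs and severities are assumptions chosen for illustration, not a cloud provider's or vendor's schema.

```python
"""Minimal cloud security posture check over a constructed resource inventory.

Added example for illustration; not code from the podcast or any CSPM product.
The inventory is constructed by hand to resemble what a CSPM tool pulls from a
cloud provider's APIs. Its shape is an assumption, not a vendor schema.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Finding:
    rule_id: str    # assumed rule identifier, e.g. "S3-001"
    resource: str
    severity: str   # "high" or "medium" in this example
    detail: str


# Constructed inventory: resource type -> list of resources (assumed shape).
INVENTORY = {
    "s3_bucket": [
        {"name": "prod-logs", "public": False, "encryption": "aws:kms"},
        {"name": "marketing-assets", "public": True, "encryption": None},
    ],
    "security_group": [
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "bastion-sg", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "iam_user": [
        {"name": "alice", "console_access": True, "mfa_enabled": True},
        {"name": "deploy-bot", "console_access": False, "mfa_enabled": False},
        {"name": "bob", "console_access": True, "mfa_enabled": False},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never open to the whole internet


def check_public_bucket(bucket):
    if bucket["public"]:
        return Finding("S3-001", bucket["name"], "high", "bucket allows public access")
    return None


def check_unencrypted_bucket(bucket):
    if not bucket["encryption"]:
        return Finding("S3-002", bucket["name"], "medium", "no default encryption")
    return None


def check_admin_port_open_to_world(sg):
    for rule in sg["ingress"]:
        # A /0 prefix (0.0.0.0/0 or ::/0) means "everyone"; parsing the CIDR
        # rather than string-matching catches both address families.
        if rule["port"] in ADMIN_PORTS and ip_network(rule["cidr"]).prefixlen == 0:
            return Finding("SG-001", sg["name"], "high",
                           f"port {rule['port']} open to {rule['cidr']}")
    return None


def check_console_user_without_mfa(user):
    if user["console_access"] and not user["mfa_enabled"]:
        return Finding("IAM-001", user["name"], "high", "console user without MFA")
    return None


# Rules keyed by the resource type they apply to.
RULES = {
    "s3_bucket": [check_public_bucket, check_unencrypted_bucket],
    "security_group": [check_admin_port_open_to_world],
    "iam_user": [check_console_user_without_mfa],
}


def evaluate(inventory=INVENTORY, rules=RULES):
    """Run every applicable rule over every resource; one pass of the scanner."""
    findings = []
    for rtype, resources in inventory.items():
        for resource in resources:
            for rule in rules.get(rtype, []):
                finding = rule(resource)
                if finding:
                    findings.append(finding)
    return findings


def summarize(findings):
    """Findings per severity: the number a compliance dashboard tracks over time."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def diff_findings(previous, current):
    """Continuous monitoring: report what is new since the last run and what was fixed."""
    prev, cur = set(previous), set(current)
    key = lambda f: (f.rule_id, f.resource)
    return {"new": sorted(cur - prev, key=key), "resolved": sorted(prev - cur, key=key)}


if __name__ == "__main__":
    current = evaluate()
    for f in current:
        print(f"[{f.severity.upper()}] {f.rule_id} {f.resource}: {f.detail}")
    print(summarize(current))
```

Against the constructed inventory this reports four findings (the public, unencrypted bucket, the bastion group exposing SSH to the world, and the console user without MFA) and none for the service account that has no console access, which is the distinction a naive "every user needs MFA" rule would get wrong. In a real deployment `evaluate` would be fed from the provider's configuration APIs on a schedule and `diff_findings` would drive alerting, so only drift, not the steady-state backlog, pages anyone.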