Podcasts about YU

❗️未滿18歲禁止收聽❗️

In Chinese, when we point out someone hold a post without qualifications or make up a number without active work, we use the idiom “làn yú chōng shù”. The direct meaning of this idiom is that pretend to play the Yu (a wind instrument) in order to make up the number for an orchestra. In today's story, we are going to learn the original story behind this idiom. Join other motivated learners on your Chinese learning journey with maayot. Receive a daily chinese reading in Mandarin Chinese in your inbox. Full text in Chinese, daily quiz to test your understanding, one-click dictionary, new words, etc.
Got a question or comment? Reach out to us at contact[at]maayot.com

Welcome back to another episode of The K.A.M.E. House! The three of us are back again and we got some more info on the Astro World concert disaster. Bra he getting sued for 2 billi? What kind of apology did he think he was giving? and the different memes of said apology. (IT'S LIT!). Swype talks about how much he loves Yu-gi-oh and how the show gives the worst representation of the card game, and AROD goes over all the new shows and movies DisneyMarvel has coming out this week and in the near future. --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app --- Send in a voice message: https://anchor.fm/thekamehouse0703/message Support this podcast: https://anchor.fm/thekamehouse0703/support

❗️未滿18歲禁止收聽❗️

Can carbon dioxide be converted to food? Physicist Dr. Weiping Yu joins the show to comment on whether this is possible. Dr. Yu also comments on the recent news regarding black holes. What really lies at the center of the galaxy? Has Helion Energy cracked the code for fusion technology? Listen to the full segment to find out. Visit A Neighbor's Choice at aneighborschoice.com

❗️未滿18歲禁止收聽❗️

The Crew talks about the benefits of a new studio, lame ass kids who won't trade Yu-gi-oh cards, and Tom and Don's hot and steamy love connection.

❗️未滿18歲禁止收聽❗️

❗️未滿18歲禁止收聽❗️ 我們創業了：女子杯上市

CULT members, welcome to the another episode of the Criterion CULT Film Podcast. The Halloween season has come to an end and this is the last episode in our horror filled month. This week we eat your brains with Criterions release of George A. Romero's Night of the Living Dead. Host Jordan keeps the zombies alive with Sang-ho Yeon's 2016 film Train to Busan starring Gong Yoo, Yu-mi Jung, and Ma Dong-seok. Join the CULT and let the zombies eat your brains. 

Habituellement, la vision du couple portée par le jeu vidéo correspond plus à une phase de "séduction". Une fois qu'on a pécho, on pose la manette. Dans Haven c'est tout l'inverse puisque le dernier jeu des montpelliérains de The Game Bakers nous propose de suivre un couple qui s'aime déjà et fuit la Ruche, une société totalitaire qui case littéralement les gens selon un algorithme bien huilé. Réfugiés sur une planète inconnue (ou pas tant que ça...), Yu & Kay tentent de construire une nouvelle vie faite de glissades, de combats contre des monstres et de séances de cuisine coquine. Après le survolté Furi nous avons donc ici un jeu cocon, dans lequel tout le monde ne rentrera pas, mais qui veut lui aussi trouver sa place dans le grand tumulte des sorties. Après tout, si on ne peut pas vivre d'amour et d'eau fraîche, on peut toujours y jouer. Pour soutenir l'émission : https://www.patreon.com/findugame Rejoignez le club de lecture sur Discord : discord.gg/YTGbSkN

Cordell & Cordell Executive/Managing Partner, CEO Scott Trout and Dallas divorce attorney Angela Yu review the most effective ways to prepare for a virtual court hearing in your family case. Since the COVID-19 pandemic began, many court hearings have moved virtual. Mr. Trout and Ms. Yu go over proper etiquette, the proper way to prepare, and […] The post Preparing for Your Virtual Court Hearing – Men's Divorce Podcast appeared first on Cordell & Cordell.

Is offsetting bone losses in menopause with high impact safe? Is it recommended? Aren't you more prone to fractures? This episode explores the recent research in honor of Menopause Awareness Month (and Osteoporosis Day October 20, 2021). If you're trying to prevent, if you've been diagnosed, or if you've got younger women in your life who need this information NOW to be better prepared than we could have known to be… this is for you. Episode sponsor: Flipping50 Fitness Specialist (learn more here about how to become one and grow a successful business while you do it) Bone Losses in Menopause Average bone loss is 1.5% per year for the spine and 1.1% - 1.4% for the femoral neck in the first 4-5 years post menopause. Losses slow slightly after this and then increase again in latter decades. Just 6 months into the pandemic research began to emerge about the long-term health effects of short-term muscle loss. The possible devasting disability includes sarcopenia and osteoporosis both, as well as increases in risk of obesity. A combined loss of muscle, strength, bone, with or without increased body fat sets up females specifically for avoidable negative health effects. Osteoporosis & Exercise Exercise is recommended but often with poor and non-specific guidelines for having the most benefit. The purpose of this post is to: Present the continuum of activity results on bone mineral density Present other valuable components of exercise Support prioritization of exercise time for readers Consider a variety of exercises (and non-exercise) interventions and their results Integrating safety Optimal exercise interventions are those favoring a mechanical stimulus on bone both through antigravity loading and the stress exerted on muscles. Two types of activity for osteoporosis prevention and post-diagnosis therapeutic effects: Weight-bearing activities Strength/Resistance exercises What is weight-bearing activity? Defined as any activity one performs on one or more feet. Technically, however it would also include activity weight bearing on the upper body as in a downward facing dog. Where bone density is concerned, there are levels of weight-bearing. Standing in tree pose is weight bearing. Using an elliptical is weight bearing. Neither of those however has any striking force involved as when there is a heel strike in walking. The greater the strike the greater the force to bone. What is resistance exercise? Technically, resistance exercise is anything that provides additional overload to the muscle (and bone) beyond activities of daily living. Resistance exercise includes use of machine and free weights, body weight, tubing, bands, even water exercise or swimming is viewed as resistance training. Each activity falls along a continuum of benefits. As you might guess, use of machine or free weights will surpass swimming or water exercise for bone density benefits. Use of weight training also surpasses benefits from bands and tubing. Though use of bands and tubing may be a first step, an only option depending on access to dumbbells, or machine weights, or support lateral movements unachievable from free-weights alone, the application of heavy resistance is most beneficial and more closely mimics activity of daily life. Of the two activities for osteoporosis prevention and therapeutic effects, strength/resistance exercise have the greatest benefit. This is due to the overload and what is referred to as Minimal Effective Stress (MES). Minimum Effective Stress Walking alone does not improve bone mass. It may have a limited contribution to slowing bone losses. The limit to benefits of walking occurs due to an effect called Minimal Effective Stress. For example, if you walk 2 or 3 miles several times a week, neither walking more days a week or walking 4 or 5 miles offers more bone benefit. You're already adapted to the stress of your own body weight. What would potentially change or increase bone benefit would be jogging or adding a weighted vest during the walk. (Note: not handheld weights). Similarly, with jogging, once you can jog or run, you don't get greater benefits by running longer or more frequently. In fact, long distance runners who find low body fat, low body weight, may be at greater risk for low bone density. Older runners who do no resistance training with heavy weight are prone to fractures as much (or more if lower body weight) as general population. It's Not All Bone Strength There is also more than the strength of the bone and of the muscle in consideration of activity. As aforementioned, the balance or stability-enhancing benefit of an activity also plays a part in reducing risk of falls. Where heavy resistance exercise is not possible, lighter weight and balance activities alone will still be beneficial, though not to bone, to improved stability and balance. It's important that balance is specific to balance practice. Agility, balance and coordination don't come from strength alone, but must be practiced. For anyone seeking bone density and muscle strength, exercise selection should match those goals. For anyone limited by conditions, injuries, or access, a greater emphasis should be placed on balance and stability, each of which require less equipment. In either case, balance and agility/reaction skills are specific and need to be trained. They aren't just added benefits from strength training. The Research Women in menopause transition are susceptible to muscle and bone losses that lead to sarcopenia and osteoporosis, respectively. That makes them more prone to falls, fractures, and then increasing bedrest and instability leading to frailty and early death. How Much Muscle is Typically Lost? Traditionally, loss of muscle can be about 8% per decade beginning at age 30. There's an annual decline in total body LM during 4 to 5 years of the menopausal transition accelerates. The rapid acceleration of losses over a short period of time sets of alarms. If this isn't countered with sufficient resistance training during that time, or mitigated soon after, it leads to a cascade of events including bone losses.   The accelerated losses do slow again after the surge in early post menopause. Yet, in another decade or more they again accelerate to nearly 1% annual decline in leg LM among women between the ages of 70 and 79. Start at the Beginning The early research for exercise in osteoporosis prevention and treatment was conservative. The list of contraindications for those diagnosed with osteoporosis was long or at least limiting. Recent studies however, explore the intensity of exercise that does more than slows bone losses in favor of that which -even after menopause- where once thought game over, bone density can be improved. Conservative Start Early research scared many women who may have been avid exercise enthusiasts with a passion for downhill skiing or golf, into thinking they couldn't potentially participate any longer. It suggested they suddenly come with a “fragile” label and are resigned to light and safe exercise. One particular study in the Clinical Interventions in Aging journal I've spoke of before but bears mentioning as I kick off this section of a review of studies suggests otherwise. Post- diagnosis, there are considerations, and you have unique needs. You can however, and possibly should, find high intensity exercise that will start and wisely progress that includes both high impact weight bearing exercise and high intensity weight training. That is, includes jumping, as well as heavy weight training. A study intended to be 18 months long was cut short by Covid at 13 months when supervision was no longer possible in March 2020, revealed even without getting to the most intense phase of the program, bone density was improved. In addition, compliance was high, injuries were non-existent.  12-month high impact programs Significantly better results were found in women who did high impact exercise and medication and dietary changes than medication and dietary changes alone. High impact- jumping, hopping, explosive movements was safe and effective 24-week aerobic dance programs Another study in Medicine published in 2019 showed 3 times per week high impact exercise with women not taking HRT, improved bone density. Site-Specific Benefits High intensity exercise is a more effective stimulus for lumbar spine BMD than low or moderate intensity, but not femoral neck BMD, however, the latter finding may be due to lack of power in the exercises performed. Additional Proof for High Intensity High Impact for Bone Losses in Menopause A 2020 study published in the International Journal of Behavioral Nutrition and Physical Activity looked at women 65 and older. For them too higher doses of activity and particularly those involving resistance training are significantly more effective. Let's talk about dose where exercise for bone density is concerned. It's important to know increasing frequency beyond 2-3 times a week is not the best way to increase volume. The better application of volume is increased amount of resistance, and increased sets. This will result in a decreased number of repetitions. While muscle can benefit from greater repetitions (performed with smaller weights), bone cannot. If you are able to lift heavy (defined as reaching fatigue in 10 or fewer repetitions) you will have the most bone benefits. Recent Research is Most Specific While you may choose to believe that yoga, that pilates, that walking improves bone density, you'll want to keep this in mind. In a review of literature including 75 articles, published from 1989 to 2019, results were too variable to conclude exercise effects on osteoporosis. This is proof that some protocols DO and some DO NOT benefit bone density. This makes the statement, “something is better than nothing” questionable if you have a specific goal. You can't do your boyfriend's, your daughters, or your best friend's exercise program and expect the specific results you want without checking the match for your priorities. What we need is an exercisematch.com so you can sort through the prolific options and be sure that if your goal is bone density, or weight loss, or reducing arthritic pain, you are doing the right exercise to match this goal and any limitations. Flipping50's mission is to make this a little easier for you. Other Health Benefits High intensity aerobic activity in a small co-hort of post menopausal women increased HDL, decreased body fat, and improved VO2 (cardiovascular fitness) but did nothing to lean muscle mass. Now, at first glance this is good. At second you might not think entirely. Even with a loss of body fat, because of the decrease in overall weight, metabolism will be lower. Without adjustments in dietary intake ultimately weight regain is likely. A 2018 study in the Journal of Bone Mineral Research employed a protocol of high intensity loads (5 reps to fatigue x 5) for 4 different exercises, including high impact drop jumps. This study too had a high compliance level, one/100 adverse effects (low back spasm), and positive bone density improvements. Yoga Poses for Bone Density Some holes in the yoga study make it difficult to discern if the yoga was exclusively responsible for bone density improvement. There wasn't enough control in the activity and habits of the participants. Monthly gain in BMD was significant in spine (0.0029 g/cm2, P = .005) and femur (0.00022 g/cm2, P = .053). At 22, 22, and 24 months, respectively, 72, 81, and 83 of these subjects reported mean gains of 0.048, 0.088, and 0.0003 g/cm2 per month which is the equivalent 1.152 (22 mos) and .0072 (24 mos). Compare to 24 weeks strength training that include 3.1 ± 4.6%. There's a significant difference both in results. Yoga and Pilates for Bone Density A 2021 study published in PLoS One showed only non-significant results on BMD. Benefits do occur for balance and stability. As a means of risk reduction from fall-related fractures there is value in these activities. What we each need to do is determine what is our realistic time spend and co-create a program based on the most influential exercises for each of our unique goals. It is possible to create a program that is inclusive of the high intensity strength training, the high impact (where a wise choice) activity, and the balance and stability building movements. This doesn't have to mean many and separate sessions weekly. Minutes of balance and stability work regularly can be included in warm ups and cool downs. Whole Body Vibration for Bone Density Best indicated for the frail unable to perform other resistance exercises. For greatest effectiveness must contain a component of strength training. There is a degree of improvement in balance and stability from WBV. However, the biggest benefit is from resistance training combined with WBV, not in performing WBV alone. The additional benefit if the platform is available is worth it. The investment in the equipment for home, may not be the best or wisest use of time. There you have it. This summary of recent bone losses and menopause research (provided during Menopause Awareness Month) is intended to get you pointed in the right direction for your exercise journey. References Mentioned: 28 Day Kickstart Fitness Trainers & Health Coaches MasterClass Ageless Woman Summit Stop the Menopause Madness Summit References: Kirwan R, McCullough D, Butler T, Perez de Heredia F, Davies IG, Stewart C. Sarcopenia during COVID-19 lockdown restrictions: long-term health effects of short-term muscle loss. Geroscience. 2020 Dec;42(6):1547-1578. doi: 10.1007/s11357-020-00272-3. Epub 2020 Oct 1. PMID: 33001410; PMCID: PMC7528158. Sipilä S, Törmäkangas T, Sillanpää E, et al. Muscle and bone mass in middle-aged women: role of menopausal status and physical activity. J Cachexia Sarcopenia Muscle. 2020;11(3):698-709. doi:10.1002/jcsm.12547 Hettchen M, von Stengel S, Kohl M, Murphy MH, Shojaa M, Ghasemikaram M, Bragonzoni L, Benvenuti F, Ripamonti C, Benedetti MG, Julin M, Risto T, Kemmler W. Changes in Menopausal Risk Factors in Early Postmenopausal Osteopenic Women After 13 Months of High-Intensity Exercise: The Randomized Controlled ACTLIFE-RCT. Clin Interv Aging. 2021 Jan 11;16:83-96. doi: 10.2147/CIA.S283177. PMID: 33469276; PMCID: PMC7810823. Ilinca, Ilona & Avramescu, Taina & Shaao, Mirela & Rosulescu, Eugenia & Zavaleanu, Mihaela. (2010). The role of high - impact exercises in improve bone mineral density in postmenopausal women with osteopenia or osteoporosis. Citius Altius Fortius. 27. Yu, Pei-An MDa,b; Hsu, Wei-Hsiu MD, PhDa,b,c; Hsu, Wei-Bin PhDb; Kuo, Liang-Tseng MDa,b; Lin, Zin-Rong PhDd; Shen, Wun-Jer MDe; Hsu, Robert Wen-Wei MDa,b,c,∗ The effects of high impact exercise intervention on bone mineral density, physical fitness, and quality of life in postmenopausal women with osteopenia, Medicine: March 2019 - Volume 98 - Issue 11 - p e14898doi: 10.1097/MD.0000000000014898 Kistler-Fischbacher M, Weeks BK, Beck BR. The effect of exercise intensity on bone in postmenopausal women (part 2): A meta-analysis. Bone. 2021 Feb;143:115697. doi: 10.1016/j.bone.2020.115697. Epub 2020 Dec 24. PMID: 33357834. Pinheiro, M.B., Oliveira, J., Bauman, A. et al. Evidence on physical activity and osteoporosis prevention for people aged 65+ years: a systematic review to inform the WHO guidelines on physical activity and sedentary behaviour. Int J Behav Nutr Phys Act17, 150 (2020). https://doi.org/10.1186/s12966-020-01040-4 https://www.frontiersin.org/articles/10.3389/fphys.2020.00652/full https://www.frontiersin.org/articles/10.3389/fragi.2021.667519/full Watson, S.L., Weeks, B.K., Weis, L.J., Harding, A.T., Horan, S.A. and Beck, B.R. (2018), High-Intensity Resistance and Impact Training Improves Bone Mineral Density and Physical Function in Postmenopausal Women With Osteopenia and Osteoporosis: The LIFTMOR Randomized Controlled Trial. J Bone Miner Res, 33: 211-220. https://doi.org/10.1002/jbmr.3284 Lu YH, Rosner B, Chang G, Fishman LM. Twelve-Minute Daily Yoga Regimen Reverses Osteoporotic Bone Loss. Top Geriatr Rehabil. 2016;32(2):81-87. doi:10.1097/TGR.0000000000000085 Fernández-Rodríguez R, Alvarez-Bueno C, Reina-Gutiérrez S, Torres-Costoso A, Nuñez de Arenas-Arroyo S, Martínez-Vizcaíno V. Effectiveness of Pilates and Yoga to improve bone density in adult women: A systematic review and meta-analysis. PLoS One. 2021;16(5):e0251391. Published 2021 May 7. doi:10.1371/journal.pone.0251391

❗未滿18歲禁止收聽❗ 【本集來賓音質情況較差，不便之處敬請見諒】 我們創業了：女子杯上市

This week, Oz and D. Randle sit down to discuss the highlights of Oz's date, people dragging Lizzo...again, First Take's declining ratings, and Lil Fizz making up with Omarion. Also, Adele's latest single marks the beginning of Sad Girl Autumn, the price just went up for Rory & Mal and Oz rants about the culture's need to bring back love letters. Plus, your listener letters and the Top 3 STFUs. Pour Up! Song of the Week: Radio Galaxy- "YU" feat. Carl Thomas

Full show: https://kNOwBETTERHIPHOP.com Artists Played: The Do Gooders, SoyIsReal, conshus, Has-Lo, Mayyadda, Noveliss, Dixon Hill, Ego Ella May, Mr. SOS, Sundur, Adam Theis, maticulous, Uptown XO, yU, SGJAZZ, OriGn, SPS, Beginners, Common, Raphael Saadiq, Samm Henshaw, J57, Kristen Warren, Dirty Bungalow, PZ, NoSo, El Da Sensei, Jake Palumbo, John Robinson, Cee-Lo, OutKast, GOODie MOb, IMAKEMADBEATS

The idea that race is a biological reality has hung on longest and strongest in the parts of biological anthropology that deal with skeletal remains. In this episode we talk with two forensic anthropologists, Sean Tallman and Allysha Winburn, about how typological notions of race and ancestry have changed over time in this segment of the discipline. They have published a recent paper discussing this change (Tallman, S. D., Parr, N. M., & Winburn, A. P. (2021). Assumed Differences; Unquestioned Typologies: The Oversimplification of Race and Ancestry in Forensic Anthropology. Forensic Anthropology, Early View, 1-24. doi:https://doi.org/10.5744/fa.2020.0046). Additional resources: J. Bindon, M. Peterson, & L. J. Weaver (Producer). (2017, 11/14/2017). Race and the Human Genome Project [Retrieved from http://speakingofrace.ua.edu/podcast/race-and-the-human-genome-project Bindon, J. R. (2020). Race in the wake of the Human Genome Project. Retrieved from https://www.researchgate.net/publication/342215956_Race_in_the_wake_of_the_Human_Genome_Project Crews, D. E., & Bindon, J. R. (1991). Ethnicity as a taxonomic tool in biomedical and biosocial research. Ethnicity & disease, 1(1), 42-49. Dixon, R. B. (1923). The Racial History of Man. New York: C. Scribner's Sons. Holden, C. (2008). Personal genomics. The touchy subject of ‘race'. Science (New York, N.Y.), 322(5903), 839. Hooton, E. A. (1931). Up from the Ape. New York: Macmillan. Lieberman, L., Kirk, R. C., & Littlefield, A. (2003). Perishing Paradigm: Race—1931–99. American Anthropologist, 105(1), 110-113. Morning, A. (2011). The nature of race. Berkeley: University of California Press. Wagner, J. K., Yu, J. H., Ifekwunigwe, J. O., Harrell, T. M., Bamshad, M. J., & Royal, C. D. (2017). Anthropologists' views on race, ancestry, and genetics. American Journal of Physical Anthropology, 162(2), 318-327.

Three physicians share how implementing behavioral health integration (BHI) has helped to increase joy and satisfaction in their practice. They highlight the benefits brought by BHI in practice and underscore best practices that have helped to reduce administrative burden and increase physician satisfaction prior to and during the course of the pandemic. For more about the BHI Collaborative Overcoming Obstacles Series, go to www.ama-assn.org/bhiresources.

Sponsored by the AUA Young Urologists Committee, the Young Urologists of the Year Awards are presented annually to select AUA members who have been in practice for ten years or less in recognition of their efforts and commitment to advancing the development of fellow early-career urologists. Winners are nominated by their colleagues who serve on the Young Urologists Committee and approved by their Section Board of Directors. Southeastern Section winner Shenelle N. Wilson, MD, sits down with Patrick Selph, MD to talk about what being YU of the Year means to her.

We leverage Yu-kai Chou's Octalysis Framework to think through motivating customers. We test it out using a startup idea that's come across Brian's desk recently: a network of Airstream trailers, dropped on people's property, that digital nomads can subscribe to. How would we motivate these people to take action? What can we test? The framework leads the way as we kickstart the business. Tacklebox MethodYu-Kai Chou (Twitter)Yu-Kai Chou (Blog)Actionable Gamification

Enjoy another awesome episode from the Traffic Secrets book launch podcast. Want your Dream influencers to start promoting you, your business, and your products? It took Russell a decade of relationship building to get some of his biggest influencers. But now he's figured out the FORMULA. You'll learn... Why building a platform is the BEST way to infiltrate your Dream 100. How to choose what TYPE of platform you should build. Why you should publish NEW CONTENT every single day for an entire year. Listen in to learn more! Also, go get your FREE copy of Traffic Secrets here! Hit me up on IG! @russellbrunson Text Me! 208-231-3797 Join my newsletter at marketingsecrets.com ClubHouseWithRussell.com ---Transcript--- Hey everybody, this is Russell. Welcome back to our fun hangout time in quarantine, every single day. I am trying to set up, I'm sitting in a different spot, so I can actually sit in a chair today, because the last two weeks I've been sitting on the floor and my legs are burning. So we're hanging out a little differently. Hopefully this still works and you guys can all hear me. And right now, we are live on Facebook and Instagram, and I'm excited to be hanging out with you guys today. So, it is Friday. We are a couple of weeks into this whole crazy quarantine now. I think I told you guys, Boise officially got locked down a couple of days ago, which is good for you guys. Means we all get to hang out more often here, and we're going to start sharing more things from the books. And I'm curious, how many guys have had a chance to listen to the entire audiobook? I know that the new Traffic Secrets book doesn't actually ship until May fifth, but the audio book is available. I sat in a theater, or studio actually, for seven days. It took me three days to read the Traffic Secrets book, two days to read the DotCom Secrets, and two days read the Expert Secrets book. I got audiobooks done of all three of the new updated versions, but curious how many guys actually had a chance to listen to the whole thing? I know a bunch of guys were like, "I'm going to buy it. I'm going to get the audio book, and I'm going to listen to the whole thing before tomorrow." So hopefully a bunch of you guys had a chance to listen to it, which would be really fun. So, all right, Chris Baden said, "Me." All right, so, good. If not, it's time to... What are you guys doing? We're sitting around doing nothing anyway. Might as well be listening to sharpen your saw, sharpen your mind, and getting prepared for what's coming next. So, Austin said, "Russell, BJJ or wrestling?" Come on, now. Wrestling is the greatest sport of all time, but BJJ is number two. So, it is good. All right, are you guys excited for today, I'm going to read some more of the book. In fact, we are finishing up section number one today, here inside Traffic Secrets. I'm going to open this thing up. And this is the box set, this is the trilogy. And it's funny, I sent this to Liz Benny, a picture. I'm like, "This is the trilogy." And she's like, "Russell, there's four books. A trilogy only has three." And I was like, "Crap." Well, I'm like, "This is the trilogy, and this is the workbook that goes with the trilogy. So there's four books in a trilogy." I don't know. "Trilogy" sounds cooler. So, there you go. And check this out, if you see the book... Can you guys see the box set? It's really cool. It says, "The Secrets Trilogy by Russell Brunson." On the back, it's got the Dotcom Secrets is the framework, Expert Secrets is the fire, Traffic Secrets is the fuel, and then Unlock Secrets is your playbook. And then this side is a quote, I don't know, it might be backwards for you guys. It says "You're just one funnel away," and then a quote from Garrett White says, "The life you want, the marriage you want, and the family want are going to be fueled by the businesses you build." And so that's kind of what's in the box set. All right. Let's open this up. We're going back in Traffic Secrets. We've been doing this every single day now for almost two weeks, which has been a lot of fun for me. And we're almost to the end. Today we're going to finish up talking about the first section of the book, which is going to be cool. So we've covered a lot of stuff. So section number one in the book is all about... In fact, if you look at the title, section one is called "Your Dream Customer." It's really understanding and mastering your customer. Where are they at? How do we find them? How do we get a hold of them? What are the hooks, the stories, the offers for you to grab their attention, to pull them into your world? Who's already congregated? How do we follow up with those people? All the things we've been talking about. And so, secret number seven is infiltrating the Dream 100. How do you do that? It's going to be really fun. And then next week, we're getting into section number two of the book, which is called "Fill your Funnel." This is now where we started breaking down different networks. We're going to Facebook, Instagram, Google, YouTube, podcasting, and a bunch of other ones. I'll show you guys a pattern of how we dominate all of those. But when you understand the pattern, what's cool about it is we'll give you the ability to dominate anything. Cause you can use this process to dominate TikToks, Twitch, the new platforms coming out next week. Xavier said, "Throwing my wallet on the screen." That's amazing. I love it. I love it. All right. So we're going to Dream 100. So, infiltrating your Dream 100. How do you get into those people? This is the question a lot of people have, cause I've been talking about Dream 100 pretty consistently now for a decade. I tell people, "Build your Dream 100. Go find those people. Network with them, build relationships, get them to promote you." Things like that. And it's funny, because some people hear me say that, and they don't do anything about it. That's the majority of people. Some people hear me, they build the Dream 100 and start contacting, but they never get in with them. They never ask them to do anything. They just kind of start the exercise, but they don't actually finish it. And so this is going to help you guys understand how to finish this exercise. How do you take this Dream 100, and how do you infiltrate it? How do you build relationships? How do you get in with them? So secret number seven, we're on page 104. Those who are following along in your books, which haven't been shipped yet. They ship May fifth though, so you should be getting them about a month from now. You guys should all start getting your books. If you don't have your book yet, or the audiobook, you can go get a free copy at trafficsecrets.com. You just got to cover the shipping, which is not that much money. I think it's under 10 bucks in the U.S., And a little more international. If you go to trafficsecrets.com, you can get it. There's a bunch of amazing videos and you get immediately the bonuses. Plus, the order form bump is the audiobook. So if you want to listen to it this weekend, you can go upgrade your order and get the audiobook, and you can listen to me reading this entire book to you. And yeah, so it's kind of fun. All right. So, infiltrating the Dream 100. So I want to tell you guys a story that I tell in the book. How many of you guys remember the Arsenio Hall Show? How many of you guys are old enough? I turn 40 this year. So, old enough to remember that Arsenio Hall Show. He's the late-night "Who, who." That's Arsenio Hall, right? Now, I remember when I was growing up, my parents would not let me watch the Arsenio Hall Show for whatever reason. I think it was cause it was late-night. But my friend's parents let him watch it all the time. So he'd always talk about it, and he was always doing that thing. And so, I remember he would tell me stories and I always wanted to watch it. I never did, until one night, we had a sleepover at his house and I got to watch the Arsenio Hall Show. It was so cool, because he would run out, and he does this "Who, who, who," and everyone's excited. He's interviewing people, and they're funny people. And it was just this really cool thing. And what's interesting is, I started doing... Oh, actually, this was really funny. After we saw that, that became our thing. That was Arsenio Hall's thing, but that became our thing. We were playing basketball, we'd dunk on someone. We'd play football, catch a touchdown, and like, "Who, who." It became all of our things, right? Oh, someone said that their aunt worked on the show. How cool is that? All right. So, Arsenio Hall Show, at the peak of it, in fact, in June 1992, Bill Clinton, who was running for president at the time, came on the Arsenio Hall Show, played the saxophone. He played the song Heartbreak Hotel, and many people said that one of the main... Not the main reason, but a big reason why President Clinton won the election is because the people who watched Arsenio Hall Show. They said it helped build his popularity among minority and younger voters, which is one of the main... Not main, but one of the major reasons why he won the election. Which is very interesting, right? Anyway, so then two years after that, Arsenio Hall Show gets canceled, right? And then how many guys have heard of Arsenio Hall since then? No one has, right? He disappeared off the face of the planet. What happened? Until a couple years ago in 2012... I can't believe it was 2012. That was really 10 years ago? I don't know what year we're in right now. In quarantine time, I don't remember what year we're in. Anyway, 2012, we're watching Celebrity Apprentice, cause that's what we do. And all of a sudden, Arsenio Hall is one of the contestants on Celebrity Apprentice. Which we're like, "This is amazing," right? So we're watching this whole thing and there was something interesting that happened. So they do different fundraisers on Celebrity Apprentice, things are happening. And then one of the episodes was a fundraiser. And so all the contestants jump on the phone, they're calling all their friends, everyone they know, they're trying to raise money, right? And every single one of the celebrities get on the phone and raise money. Somebody raise 30 grand, some raise hundreds of thousands. Everyone's got different levels of it. A couple of people raised half a million or something. Everybody raised money, except for one contestant. Can you guess which contestant that was? The only contestant that raised not even a penny was Arsenio Hall. And you see the scene, he's on the phone with his address book, and he's calling person after person after person, nobody will return his call. He's like, "Why is nobody returning my calls?" And then at the very end, they tally up, and he's the only one that doesn't get any money. And they showed us a little clip of him in the boardroom or whatever, talking to the camera. And he's all frustrated. And he just looks at it, and he says, "You know what?" He said, "When I had my own show, everybody returned my call." Boom. Okay? Now, most people missed that. But for me, it rang in my head like a bell. When Arsenio Hall had a show, he had a platform. He was able to call anyone on earth, including Bill Clinton, who was currently running for president and say, "Do you want to be on my show, man?" And the next day, Bill Clinton's on his show, playing saxophone, right? He loses his show, loses his platform. No one returns his call. People ask me, "Russell, how in the world did you get in with Tony Robbins and Dean Grasiozi, and all these people?" And I would love to think that the reason why I got in with all these guys is because I'm so nice, or charismatic, or maybe think my haircut's cool, or whatever. Right? And as much as I wish that was the truth, I know, I'm fully aware that the reason why I was able to get into my Dream 100 is because the thing that I have to offer them is my platform. That is what I have to offer people. So when I met Tony, I'm like, "Hey Tony, I've got a whole bunch of entrepreneurs that follow me. Can I interview you? Can I get to know you? Can I..." I met Dean, "Hey Dean, I want to help promote you. Hey Dean, do you want to be on my show? Hey..." And you can name off all the people in my Dream 100, everyone I've tried to get, my platform is the thing that I had to offer my Dream 100. It's the tangible thing that I own, that I control, that provides value to people who are three, or four, or five levels above me. Right? And so, for you, the question is, you're building this Dream 100, and then how are you going to approach them? Like, "Hey, Dream 100, can you do this thing for me? Can you do this thing?" They're going to say "no," right? They have enough things happening in their lives. The thing you have to offer them is your platform, but you've got to have a platform. Right? And so that's this whole secret number seven is about, is building up your platform. So what does your platform look like? Well, for everyone it's going to be different. Some of you guys... In fact, I'm going to do a poll right here. How many of you guys right now who are listening to this love to write? Like, "I love writing. If I could just write all day, I'd be the happiest person in the world." Okay. If you are someone who loves to write, the platform you need to be building is you need to be starting a blog. You should be writing. How many of you guys are like, "Writing sounds like the worst thing on planet earth. I do not want to write ever, but I love to talk." Right? Okay. Maybe for you, you should be starting a podcast. That's the platform. You love talking and speaking, that should be your thing. How many of you guys are like, "I like writing, podcasting, but I love being on video. I want people to see my face. I want them to see my excitement. Oh, this is amazing." For those, you guys should be starting a video channel, a vlog, a YouTube channel, or Instagram, or Facebook, or somewhere. You got to find the spot that you're the most comfortable. Okay? Because if you're not comfortable, you're not going to be consistent with it. That's number one, figuring out, where do you want to build your platform at? Right? And then, you've got to start actually growing it. Okay? And I have a whole bunch of stuff here, I wish I could read all of it to you. Starting on page 112, it's like, how do you find your voice? Because when you first start your own show, it's scary, right? How do you know how to talk? If you listen to the first 40 plus episodes of my podcast, they were really bad. I was shy and awkward, nervous. And people are like, "Russell, you seem like such a natural communicator. How did you become so natural at it?" I became natural because I published 800 episodes of my podcast consistently three to five times a week, every single day for the last eight years. Okay? And I've been on Facebook Live hundreds of times. And I've been on tons of other… I sound natural because I've done it a lot. I found my voice and I continue to try to develop it and make it better. But it's consistency. Okay? Before any of you guys saw me up here talking to you, it was a decade of me putting in the time and the effort of publishing, and finding my voice, and doing it over and over and over again. And so what I want to recommend for all of you guys is you need to pick a platform, whatever one it is, especially now, especially during times when everyone's stressing out. This is your shot, your chance to step up as the leader that your people are looking for, and start talking. Start sharing. Start giving faith and hope and a brighter future for your people. Now is the time. So I want to challenge you guys to figure out... If you're a writer, you're starting a blog, and I would recommend going to medium.com, starting a blog there. If you're a speaker, you're going to start a podcast. If you like video, you can start a video vlog. And I don't care if it's on Facebook Live, YouTube Live, I don't care. Pick a platform and stick with it. And then, I challenge you to publish every single day for the next year. Starting today. Not mañana, starting today. I want you to publish every single day for an entire year. Okay? And at first you're like, "I don't have stuff to talk about for entire year." I get it. Okay? But what's magic is that you start speaking, more things will come to you. Okay? As you open up your mouth, the Lord will bless you with more ideas, more inspiration, more things. As you share, as you give, as you're helping other people, more stuff will come to you. So it's very important to understand that. Okay? So you got to publish every single day for at least a year. And the reason why we do this is a couple of things. Number one, at first, you are going to be very, very bad. Okay? So you need to start publishing to be able to find your voice, this is the big part of it. If you don't start publishing now, you will never find your voice. The reason I'm good today is because eight years ago, I started publishing every single day. Okay? So you start publishing to find your voice. And first you're like, "Oh, but no one's listening to me." That's good. Cause you suck right now. So it's okay that no one's listening to you. You shouldn't worry about it. Now's the time for you to find your voice and learn how to actually speak and figure out what people actually want to hear. Number two... So number one is for you to find your voice. Number two is you have to publish long enough for people to find you. Okay? Number one, you're finding your voice. Number two, it's you're publishing long enough for them to find you. And there's a really cool blog post that my buddy, Nathan Barry, wrote on his blog. It's called Endure Long Enough to Get Noticed. I'm going to read it, cause it's one of the most powerful things I could possibly share for you guys. He said, "How many great TV shows have you discovered in season three or later? I started watching Game of Thrones after they had released five seasons. Pat Flynn had released at least 100 episodes of his podcast before I even knew it existed. I discovered Hardcore History years after Dan Carlin started producing it. This is such a common experience. There's so much content being produced that we can't possibly discover it all. So instead, we wait for the best content to float to the surface after time. If step number one in building an audience is to create great content, step number two is to endure long enough to get it noticed. Seth Godin is very generous with his time and will appear in almost any relevant podcast, but you have to have recorded at least 100 episodes first. His filter is creators who have shown they're willing to show up consistently for a long time." Oh, oh, this is so good. Do you guys get this? All right. So step number one, you're doing this, publishing everyday for a year on your chosen platform. I don't care what it is. Okay? Number one reason is for you to find your voice. At first, no one is going to be listening and you're going to suck at it, and that's okay. That's the plan. That's the process. Okay? Number two is you're doing it so that your audience can find you. If you just published three episodes, they're never going to find you. You publish 100, they're going to start finding you. You publish every day for a year, you'll have endured long enough that your people will start finding you. Okay, when I launched my first podcast, it was called Marketing in your Car. And I did the same exercise I'm asking you. I was like, "What am I going to be most comfortable with? What can I be most consistent with?" I was like, "If I do an interview show, I have to have microphones and stuff. I'll never do it because it will be too hard." But I was like, "I'm in my car every day for 10 minutes. I'm just going to record a podcast while I'm driving." So I called it Marketing in your Car podcast. And I knew I'm going to be consistent, and do it at least three times a week, and maybe more. And I had days where I did it every single day. And I did it for years. Now, I was lucky at the beginning. I didn't know how to check my stats. So because of that, I never checked my stats. And so what's amazing is, I think I was three years into publishing my podcast before I learned how to find out if people were actually listening. And I am so grateful I never knew. Cause if I had known that the first 40, 50, 60 episodes had 10 listens each, I probably wouldn't have kept doing it, if I'm completely honest. But now I've done this many. Every episode that I publish gets tens of thousands of downloads. Okay? But I had to keep doing it consistently for long enough for my people to find me. And I do it consistently long enough to find my voice. And so that's the secret to Dream 100. And then, when you have your own platform, now you can go to these people who are your Dream 100, and be like, "Hey, I've got a podcast. Yu want to be on it? Hey, I got a YouTube show. You want to be on it? Hey..." And now you have something of value to provide to them. That's the thing you have to provide your Dream 100 is your platform. That is the big secret. And some of you guys are like, "Russell, do I have to publish if I'm going to get Traffic Secrets?" You don't have to. There's a lot of ways to drive traffic. But I promise you, this will make a very holistic traffic. It gives you the ability to find your voice. It gives you the ability to infiltrate your Dream 100, to build the relationships with people you didn't have the ability to before. In fact, as you read this, it's... This is your journey, right? In your podcast, you're documenting your journey of the result you're trying to get for yourself. And here, you're telling your story along the way. I wish I could go on for two days about this alone. But my job is, I'm documenting my journey. Every single podcast, I'm telling my story. I'm talking about what I'm learning today, where I'm going, what I'm trying to figure out, as you're doing this journey to get a certain result for yourself. So don't think, "I'll start my podcast after I figure it out." No, you start today. Figure out what's the result you're trying to get for yourself. Okay? And then document your journey along the way. Every episode is a documentation. Then, in between here, this is your Dream 100. You're pulling people in and you're interviewing them. You're pulling them in, you're interviewing them, and you're building relationships. You have a chance to interview someone for 30 minutes or an hour on your podcast, on your show, on your video, you build the relationship with your Dream 100 you can't get in any other way. Okay? It opens up so many doors, so many gates, and that is the big secret. So infiltrating your Dream 100, you guys, it all starts with building out your own show. I wish that I could just fly to your house and force you to do it. Most of you won't, but the ones who do are the ones who are going to thrive during this time of economic uncertainty, okay? Your people are waiting for you. They're waiting for your voice. They're waiting for your guidance, your leadership. And unless you start doing it, they're never going to find you. And so they always say... This is an old Chinese proverb. "The best time to plant a tree was 20 years ago. The second best time is right now." So, today. This is the time you guys. You're sitting around and you're in quarantine. You got a whole weekend to figure it out. Figure out, how do we blog? It's easy. You go to medium.com, create an account. Boom. You can start blogging today. Okay? "I don't know how to start a podcast." There's an app called anchor.fm, I think. It's free or five bucks on your phone. You download it. Boom. You can be podcasting today. Okay? A video, I went to Facebook, I put "Go Live." Boom. I'm live. YouTube, same thing. You don't have to wait. Now is the time. Start publishing, start finding your voice, document your journey towards something that you're trying to create, something you're trying to learn, and just share what you're doing. You don't have to make things highly-produced. You're just talking and telling your stories and what you're learning along the way. And as you do that, two things will happen. Number one, you will find your voice. And number two, you endure long enough that your people will be able to find you. All right, guys, I got to bounce, cause I've got an interview with one of my Dream 100 starting two minutes. Yes, I practice what I preach. So I got to jump off here. If you don't have a copy of your book yet, go to trafficsecrets.com and get it. The hardbounds don't ship till May fifth, but the audiobook is available right now. So go and get it. I highly recommend get the order form bump, which is the audiobook. You can listen, for seven hours, me read this entire book to you. So by this time on Monday, when we're hanging out again, you can have this whole book in your brain and done. All right, I have to go, guys. I start in one minute. Appreciate you all. Thanks for everything, you guys. Start publishing. Now is the time. Your people are waiting for you. Let's go. All right. Thanks, you guys. Talk soon.

It's time for Science and U and Dr. Weiping Yu returns with another refreshing analysis of the latest science news. Is transmutation of elements possible? If transmutation is possible, how can it be used to solve the climate crisis? To what extent is magnetism ingrained into the nature of the cosmos? Listen to the full segment for Dr. Yu's answers to these questions and more. Visit A Neighbor's Choice website at aneighborschoice.com

BANG! @southernvangard #radio Ep305! Y'all ready for the fourth quarter blitz? This is always an exciting (and relentless) time of year for new music, but don't fret if you can't keep up - this is exactly where you need to be to catch the cream of the crop every week. Doe is flying solo this week but still manages to keep it lively and of course there's tons of new music, including TWO WORLD EXCLUSIVES from our mid-mix interview guests BODY BAG BEN & J SCIENIDE! They have a new album dropping this week that features ROME STREETZ, WORDSWORTH, NAPOLEON DA LEGEND & RASHEED CHAPPELL. At the end of the mix you'll get a preview of our Thursday interview session with Brooklyn's MATICULOUS, who just dropped a banger of a producer project called “NO CAPS”. You can hear a few joints from this record at the top of the mix, the full interview drops Thursday! From the very bottom of our hearts…YOU'RE WAAAAALCOME for this #SmithsonianGrade #TwiceAWeek #WeAreTheGard // southernvangard.com // @southernvangard on #applepodcasts #stitcherradio #soundcloud #mixcloud #youtube // #hiphop #rap #undergroundhiphop #boombap #DJ #mixshow #interview #podcast #ATL #WORLDWIDE #RIPCOMBATJACK Recorded live October 4, 2021 @ Dirty Blanket Studios, Marietta, GA southernvangard.com @southernvangard on #applepodcasts #soundcloud #youtube #spotifypodcast #googlepodcasts #stitcherradio #mixcloud #SmithsonianGrade #TwiceAWeek #WeAreTheGard twitter/IG: @southernvangard @jondoeatl @cappuccinomeeks Talk Break Inst. - "Mainframe" - Graymatter "Close Range" - maticulous ft. Kev Brown & J Scienide "Bein' This Nice" - maticulous ft. Uptown XO & yU "Take Heed" - maticulous ft. Breeze Brewin, Al Skratch & DJ Jon Doe "Today's Special" - Czarface ft. Facepuller "Raynathan And Romello" - Curly Castro (prod. Blueprint) "Peace Bridge: - Psych Major ft. Jamal Gasol, Wyze Wonda, DNTE & Toneyboi Talk Break Inst. - "Marijuana Futures" - Graymatter "EveryDay Struggle Pt. 2" - John Creasy x Serious Beats "Tax Season (Takin' It With Me Pt. 2)" - Ea$y Money x Melks "Free Kutter" - Westside Gunn ft. Jay Electronica (prod. Jay Versace) "Blu(e) World" - Blu (prod. Exile) "M.D.M." - Killah Priest x Shaka Amazulu The 7th ft. Planet Asia & Hus Kingpin "Simple Demonstration" - Defari Talk Break Inst. - "Visa Virus" - Graymatter ** Mid-Mix Interview - BodyBagBen & J Scienide ** Mid-Mix Interview Inst. - "Draco's Theme" / "World Famous Jenkem" - Graymatter "Double Dragon" - Body Bag Ben & J Scienide ft. Wordsworth ** WORLD EXCLUSIVE ** "Despicable" - Body Bag Ben & J Scienide ft. Napoleon Da Legend & Rasheed Chappell ** WORLD EXCLUSIVE ** "For My Pain" - Illa Ghee (prod. Black Milk) "Brick O' Dope" - UFO Fev ft. Red Inf (prod. Vanderslice) "Ermine" - Lukah ft. Estee Nack "Some More Paper" - DJ Muggs & Crimeapple "Pluses And Minuses" - M.A.V. x Spanish Ran Talk Break Inst. - "Short Report" - Graymatter ** Interview Snippets - maticulous - FULL INTERVIEW DROPS THURS 10/7 **

On the last instalment of the ‘Time Warped' miniseries, Alex and Simona discuss animal exploitation in the Medieval period. Also ineffective door-to-door Beaker salesmen, snail-riding cats and confusing cave site stratigraphy. Links https://www.english-heritage.org.uk/learn/story-of-england/medieval/ https://www.medievalists.net/2012/08/when-were-the-middle-ages-2/ Ashby, S.P. (2002) The role of zooarchaeology in the interpretation of socioeconomic status: a discussion with reference to Medieval Europe. Archaeological Review from Cambridge. pp. 37-59. http://bestiary.ca/intro.htm Fitzpatrick, A. (2019) Identification of avian remains from Covesea Cave 2, on the Moray Firth coast, northeastern Scotland. Cave and Karst. Yu, H. et al. (2021) Palaeogenomic analysis of black rat (Rattus rattus) reveals multiple European introductions associated with human economic history. Biorxiv [Preprint]. - Bramanti, B. et al. (2021) Assessing the origins of the European Plagues following the Black Death: A synthesis of genomic, historical, and ecological information. Proceedings of the National Academy of Sciences Sep 2021, 118 (36). - Hodges, R. (2012) Dark Age Economics, Bloomsbury Publishing Contact Alex FitzpatrickTwitter: @archaeologyfitz Simona FalangaTwitter: @CrazyBoneLady Alex's Blog: Animal Archaeology Music "Coconut - (dyalla remix)" https://www.youtube.com/watch?v=_2UiKoouqaY Affiliates Wildnote TeePublic Timeular

On the last instalment of the ‘Time Warped' miniseries, Alex and Simona discuss animal exploitation in the Medieval period. Also ineffective door-to-door Beaker salesmen, snail-riding cats and confusing cave site stratigraphy. Links https://www.english-heritage.org.uk/learn/story-of-england/medieval/ https://www.medievalists.net/2012/08/when-were-the-middle-ages-2/ Ashby, S.P. (2002) The role of zooarchaeology in the interpretation of socioeconomic status: a discussion with reference to Medieval Europe. Archaeological Review from Cambridge. pp. 37-59. http://bestiary.ca/intro.htm Fitzpatrick, A. (2019) Identification of avian remains from Covesea Cave 2, on the Moray Firth coast, northeastern Scotland. Cave and Karst. Yu, H. et al. (2021) Palaeogenomic analysis of black rat (Rattus rattus) reveals multiple European introductions associated with human economic history. Biorxiv [Preprint]. - Bramanti, B. et al. (2021) Assessing the origins of the European Plagues following the Black Death: A synthesis of genomic, historical, and ecological information. Proceedings of the National Academy of Sciences Sep 2021, 118 (36). - Hodges, R. (2012) Dark Age Economics, Bloomsbury Publishing Contact Alex FitzpatrickTwitter: @archaeologyfitz Simona FalangaTwitter: @CrazyBoneLady Alex's Blog: Animal Archaeology Music "Coconut - (dyalla remix)" https://www.youtube.com/watch?v=_2UiKoouqaY Affiliates Wildnote TeePublic Timeular

我們創業了：女子杯上市

Topic: Enjoy your coffee, but know your limits   Many people choose to drink coffee for refreshment when they feel weary, but it would be wrong to think that coffee is the only thing that contains caffeine. There is caffeine in tea, cocoa, cola drinks and so on. 許多民眾在精神不濟時，會選擇飲用咖啡來提神，但別以為咖啡因只有在咖啡、茶裡有，可可亞、可樂等都含有咖啡因。 Is caffeine good or bad for your health? Nutritionists say that getting an appropriate amount of caffeine can promote gastrointestinal peristalsis and perk you up, but remember not to take too much, otherwise it may put even more strain on your body. 究竟咖啡因對身體是好還是壞？營養師表示，攝取適量的咖啡因能夠有助腸胃蠕動及提振精神，但切記勿攝取過量，否則可能會造成身體更多的負擔。 On Aug. 24, nutritionist Yu Chu-ching wrote a post on her “Julie dietician” Facebook page, saying that the main benefits of caffeine are lifting one's spirits, promoting gastrointestinal peristalsis, reducing fluid retention and moderating one's appetite. Caffeine has its strongest effect about one hour after drinking, and it takes about 40 hours to fully metabolize 200 milligrams (mg) of caffeine. However, people's metabolic responses are not all exactly the same. In addition, people should beware of consuming too much, which can cause discomfort such as anxiety, palpitations and insomnia. Healthy adults can consume up to about 300mg in one day. The average commercially available large cup of coffee contains 200mg of caffeine, so drinking two cups will take you over the limit. 營養師余朱青八月二十四日在臉書粉專「余朱青Julie營養師」發文指出，咖啡因的優點，主要是提振精神、促進腸胃蠕動、消水腫、減緩食慾。而咖啡因最強的時候是喝完一小時後，大約四十個小時才會代謝完兩百毫克的咖啡因，不過每個人新陳代謝反應並不完全相同。此外，小心攝取過量引起身體不適，如焦慮、心悸、失眠等，對健康成人而言，一天可以攝取的咖啡因量大約於三百毫克內。一般市售大杯咖啡就含有兩百毫克咖啡因，喝兩杯就會超標！ Yu said that those who suffer from heart disease should reduce this amount to about one half and not take more than 150 to 200mg of caffeine a day. Children under 12 years old should not touch caffeine, while teenagers should not exceed 100mg a day. As for pregnant women, they should go easy on it and not consume more than 100 to 200mg in one day. 余朱青表示，如果有心臟疾病的人，份量大概是要減到一半，一天不要攝取超過一百五十到兩百毫克的咖啡因；小於十二歲不要碰咖啡因，青少年一天不要超過一百毫克；然而孕婦要比較節制，一天不要超過一百到兩百毫克。 Yu reminded her readers not to eat a load of excess sugar at the same time as consuming caffeine, otherwise it may cancel out many of the benefits. She also said that carbonated beverages and energy drinks contain sugar and other additives, so it is best not to drink them very often. 余朱青提醒，攝取咖啡因時記得不要同時吃進一堆多餘的糖，這可能會讓咖啡因的好處大打折扣，而碳酸飲料或能量飲料，因含有糖和其他添加物，不宜常喝。Source article: https://www.taipeitimes.com/News/lang/archives/2021/09/14/2003764311   Next Article   Topic: Seattle startup rolling out new coffee product without coffee beans   There's a new guilt-free product underway that is planning to perk up the coffee industry. 有個新的無罪惡感產品正在進行，計畫振興咖啡產業。 Seattle-based Atomo Coffee Inc. is grinding up what it dubs as coffeeless coffee - derived from sunflower seed husks and watermelon seeds, which undergo a patented chemical process. 位於西雅圖的「原子咖啡」正在研磨其所稱的無咖啡咖啡，源自葵花籽殼與西瓜籽，並經過專利的化學過程處理。 The processing of such ingredients results into molecules that set out to mimic the flavor and feel of real java. 將這些成分加工會產生一些分子，來模仿真實爪哇（咖啡）的味道與感覺。 The product's grounds are brewed just like a regular cup of coffee and will still contain caffeine. 這款產品的咖啡渣就像普通咖啡一樣沖泡，並且仍然含有咖啡因。 The company cites the devastating effects of climate change and the deforestation of approximately 250,000 acres of land per year as the catalyst behind its ''naturally derived ingredients'' delivering ''the same great coffee experience without the negative environmental impacts.'' 該公司援引氣候變遷的破壞性影響，與每年約25萬畝森林被砍伐為其「天然衍生成分」背後的催化劑，提供「同樣優秀且沒有對環境造成負面影響的咖啡體驗」。   Next article   Topic: Saudi Society Is Changing Just Take a Look at These Coffeehouses   For insight into these head-spinning times in Saudi Arabia, where the ultraconservative social and religious codes that micromanage daily life seem to spring a new leak every month — women driving! movie theaters! Usher and Akon rapping to sold-out crowds! — it sometimes pays to read the Google Maps reviews of specialty coffee shops. 沙烏地阿拉伯極度保守的社會和宗教規範控制了日常生活每個細節，最近這些規範似乎每個月都出現新的破口：允許女性開車！准許電影院營運！美國節奏藍調歌手亞瑟小子和阿肯到沙國表演說唱樂的門票賣光！為了深刻了解沙國這些令人頭暈目眩的時刻，有時值得讀讀谷歌地圖中針對沙國精品咖啡店的網友評價。 “I visited this place and was in a total shock!” Tarak Alhamood, a customer at Nabt Fenjan, a Riyadh coffee shop, raged online recently. “YOU r VIOLATING the rules of this country. I hope this place get closed permanently.” 首都利雅德「納特芬詹」咖啡店的顧客艾哈穆德，最近在網路上開罵：「我去過這個地方，非常震驚！你們這家店違反我國規定。希望這裡永遠關門。」 The issue was the decision that made Nabt Fenjan a daring outpost of the new Riyadh: Originally opened only for women, the coffee shop began allowing male and female customers to mix in late 2018. 問題出在一個決定，這決定使納特芬詹成了新風貌利雅德大無畏的前哨站：這家咖啡店原本只限女性入內，2018年底開始允許男女顧客共聚一堂。 The move propelled the cafe ahead of the law in the kingdom, where most restaurants and coffee shops are divided, by law and custom, into all-male “singles” sections and “family” sections for women and mixed family groups. Men enter through separate doors and pay in separate lines; women sometimes eat behind partitions to ensure privacy from male strangers. 這個舉動使納特芬詹比沙國法律還先進。沙國多數餐廳和咖啡館都依照法律和習俗實行男女隔離制度，分成全是男性的「單身」區和女性及男女混合家庭團體的「家庭」區。男性從另外的門口進入，付帳時也在另外的動線上排隊。女性有時在隔板後方進餐，確保不被陌生男性看到。 In early December, however, the government announced that businesses would no longer be required to segregate customers — the latest expansion of the social reforms initiated by the de facto Saudi ruler, Crown Prince Mohammed bin Salman. 但去年12月初，沙國政府宣布，商家無須再把男女顧客隔開。這是沙國實質領袖、王儲穆罕默德所發動社會改革的最新進展。 Yet Nabt Fenjan was far from the only Saudi establishment to discreetly drop separate sections over the last few years, after the crown prince defanged the religious police, which once enforced conservative social norms. Nor was it the only place to thrive partly as a result. 不過，在王儲限制宗教警察的權力之後，納特芬詹絕非沙國近年小心翼翼捨棄男女隔離體制的唯一機構，也不是或多或少因而生意興隆的唯一地方。沙國宗教警察曾嚴格執行保守的社會規範。 “I think the reason coffee shops became a trend is because people are more open to change,” said Shaden Alkhalifah, 30, who was studying at Draft Café in Riyadh on a recent evening. 30歲的雪登．阿爾哈利法最近一個晚上在利雅德「草圖咖啡廳」研讀資料，她說：「咖啡館流行起來，是因為人們更歡迎改變。」 Notwithstanding Alhamood's Google pan of Nabt Fenjan, even traditionalists have begun to unbend amid the general loosening-up, in larger cities if not yet in smaller ones or rural areas. 儘管艾哈穆德在谷歌上痛批納特芬詹，但就連恪守傳統的人也在這波社會風氣鬆綁的大潮中開始放鬆，或許尚未及於小城市和鄉間，卻已出現在大城市。 Some women whose families might previously have allowed them to work only in the privacy of offices, if at all, now hold barista jobs. Saudis can now mingle with the opposite sex not only at home but also at movie theaters, concerts and even wrestling matches. 一些沙國女性原本即使家人允許她們出來工作，也只能在具私密性的辦公室內工作，如今卻幹起了咖啡師。沙國人現在可以跟異性共處一堂，不只在家裡，在電影院、音樂會，甚至摔角比賽都行。Source article: https://udn.com/news/story/6904/4414614   Next Article   Topic: South Korea's coffee market to reach W6.8tr－韓咖啡市場達6.8兆韓元 The size of the South Korean coffee market will reach 6.8 trillion won by the end of this year, according to a report released by the Hyundai Research Institute. 根據「現代經濟研究院」一份報告，今年底前，南韓咖啡市場的規模將達6.8兆韓元。 Koreans, aged over 20, drank a total of 353 cups of coffee per person on average last year, the report said. The average per capita coffee consumption in the world was 132 cups in the same year, which is one-third of domestic consumption. 該報告指稱，20歲以上的南韓人，去年每人平均總計喝了353杯咖啡。同年全球人均咖啡消費量則為132杯，乃（南韓）國內消費量的3分之1。 Shinhan Card said Thursday it has started running "Shinhan Face Pay," a facial recognition-based payment system. Its employees are able to make payments with the system at the cafeteria, coffee shop and CU convenience store inside the company's headquarters building. 「新韓信用卡」週四表示，該公司已開辦「新韓人臉支付」（服務），這是一種以臉部辨識為基礎的支付系統。其員工能在該公司總部大樓內的自助餐廳、咖啡廳和「CU」（南韓便利商店品牌）便利商店，藉由該系統進行付款。

Many have said Catholic literature has produced nothing new since Tolkien and O'Connor. First time novelist, Katy Carl in her beautifully written new book "As Earth Without Water" published by Wiseblood Books  shows Catholic writers are indeed producing new faithful creative masterpieces.  Ms. Carl's book is truly astounding in her literary prose and masterful story telling.  The story follows the lives of two artists as they come to know themselves and eventually come to know  God.  This weaving of a story between the reality of relationships and the journey toward faith is nothing short of beautiful.  One of the rare times when a reader can realize  that within a young artist, like Katy Carl a of literary genius is unfolding.    Highly recommend for a book club reading and discussion. Ms. Carl is part of the newly launched Masters of Fine Arts in Catholic and Creative writing at the University of St Thomas.  You can find a link to the program here.          ttps://www.stthom.edu/Academics/School-of-Arts-and-Sciences/Division-of-Liberal-Studies/Graduate/Master-of-Fine-Arts-in-Creative-Writing/   This beautiful book can be ordered from Wiseblood.com    @  https://www.wisebloodbooks.com/Yu can follow me on twitter @michelemcaloon1

About JackieJackie Singh is an Information Security professional with more than 20 years of hacking experience, beginning in her preteen years. She began her career in the US Army, and deployed to Iraq in 2003. Jackie subsequently spent several years in Iraq and Africa in cleared roles for the Department of Defense.Since making the shift to the commercial world in 2012, Jackie has held a number of significant roles in operational cybersecurity, including Principal Consultant at Mandiant and FireEye, Global Director of Incident Response at Intel Security and McAfee, and CEO/Cofounder of a boutique consultancy, Spyglass Security.Jackie is currently Director of Technology and Operations at the Surveillance Technology Oversight Project (S.T.O.P.), a 501(C)(3), non-profit advocacy organization and legal services provider. S.T.O.P. litigates and advocates to abolish local governments' systems of mass surveillance.Jackie lives in New York City with her partner, their daughters, and their dog Ziggy.Links: Disclose.io: https://disclose.io Twitter: https://twitter.com/hackingbutlegal TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at VMware. Let's be honest—the past year has been far from easy. Due to, well, everything. It caused us to rush cloud migrations and digital transformation, which of course means long hours refactoring your apps, surprises on your cloud bill, misconfigurations and headache for everyone trying manage disparate and fractured cloud environments. VMware has an answer for this. With VMware multi-cloud solutions, organizations have the choice, speed, and control to migrate and optimizeapplications seamlessly without recoding, take the fastest path to modern infrastructure, and operate consistently across the data center, the edge, and any cloud. I urge to take a look at vmware.com/go/multicloud. You know my opinions on multi cloud by now, but there's a lot of stuff in here that works on any cloud. But don't take it from me thats: VMware.com/go/multicloud and my thanks to them again for sponsoring my ridiculous nonsense.Corey: This episode is sponsored in part by “you”—gabyte. Distributed technologies like Kubernetes are great, citation very much needed, because they make it easier to have resilient, scalable, systems. SQL databases haven't kept pace though, certainly not like no SQL databases have like Route 53, the world's greatest database. We're still, other than that, using legacy monolithic databases that require ever growing instances of compute. Sometimes we'll try and bolt them together to make them more resilient and scalable, but let's be honest it never works out well. Consider Yugabyte DB, its a distributed SQL database that solves basically all of this. It is 100% open source, and there's not asterisk next to the “open” on that one. And its designed to be resilient and scalable out of the box so you don't have to charge yourself to death. It's compatible with PostgreSQL, or “postgresqueal” as I insist on pronouncing it, so you can use it right away without having to learn a new language and refactor everything. And you can distribute it wherever your applications take you, from across availability zones to other regions or even other cloud providers should one of those happen to exist. Go to yugabyte.com, thats Y-U-G-A-B-Y-T-E dot com and try their free beta of Yugabyte Cloud, where they host and manage it for you. Or see what the open source project looks like—its effortless distributed SQL for global apps. My thanks to Yu—gabyte for sponsoring this episode.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. The best part about being me—well, there's a lot of great things about being me, but from my perspective, the absolute best part is that I get to interview people on the show who have done awesome and impressive things. Therefore by osmosis, you tend to assume that I'm smart slash know-what-the-living-hell-I'm-talking-about. This is proveably untrue, but that's okay.Even when I say it outright, this will fade into the depths of your mind and not take hold permanently. Today is, of course, no exception. My guest is Jackie Singh, who's an information security professional, which is probably the least interesting way to describe who she is and what she does. Most recently, she was a senior cybersecurity staffer at the Biden campaign. Thank you so much for joining me. What was that like?Jackie: Thank you so much for having me. What was that like? The most difficult and high-pressure, high-stress job I've ever had in my life. And, you know, I spent most of my early 20s in Iraq and Africa. [laugh].Corey: It's interesting, you're not the first person to make the observation that, “Well, I was in the military, and things are blowing up all around, and what I'm doing next to me is like—‘oh, the site is down and can't show ads to people?' Bah, that's not pressure.” You're going the other direction. It's like, yeah, this was higher stress than that. And that right there is not a common sentiment.Jackie: I couldn't anticipate, when I was contacted for the role—for which I had applied to through the front door like everyone else, sent in my resume, thought it looked pretty cool—I didn't expect to be contacted. And when I was interviewed and got through the interviews and accepted the role, I still did not properly anticipate how this would change my life and how it would modify my life in the span of just a few months; I was on the campaign for five to six months.Corey: Now, there's a couple of interesting elements to this. The first is it's rare that people will say, “Oh, I had a job for five to six months,” and, a, put it on their resume because that sounds like, “Ah, are you one of those job-hopper types?” But when you go into a political campaign, it's very clearly, win or lose, we're out of jobs in November. Ish. And that is something that is really neat from the perspective of career management and career planning. Usually is, “Hey, do you want a six-month job?” It's, “Why? Because I'm going to rage quit at the end of it. That seems a little on the weird side.” But with a campaign, it's a very different story. It seems like a different universe in some respects.Jackie: Yes, absolutely. It was different than any other role I'd ever had. And being a political dilettante, [laugh] essentially, walking into this, I couldn't possibly anticipate what that environment would be like. And, frankly, it is a bit gatekept in the sense that if you haven't participated on a campaign before, you really don't have any idea what to expect, and they're all a bit different to, like, their own special snowflake, based on the people who are there, and the moment in time during which you are campaigning, and who you are campaigning for. And it really does change a perspective on civic life and what you can do with your time if you chose to spend it doing something a little bigger than your typical TechOps.Corey: It also is a great answer, too, when people don't pay close enough attention. “So, why'd you leave your last job?” “He won.” Seems like a pretty—Jackie: [laugh].Corey: —easy answer to give, on some level.Jackie: Yes, absolutely. But imagine the opposite. Imagine if our candidate had lost, or if we had had data walk out the door like in 2016. The Democratic National Convention was breached in 2016 and some unflattering information was out the door, emails were hacked. And so it was difficult to anticipate… what we had control over and how much control we could actually exert over the process itself, knowing that if we failed, the repercussions would be extremely severe.Corey: It's a different story than a lot of InfoSec gigs. Companies love to talk like it is the end of the universe if they wind up having a data breach, in some effect. They talk about that the world ends because for them it kind of does because you have an ablative CSO who tries to also armor themselves with ablative interns that they can blame—if your SolarWinds. But the idea being that, “Oh yeah, if we get breached we are dunzo.”And it's, first, not really. Let's not inflate the risks here. Let's be honest; we're talking about something like you're a retailer; if you get breached, people lose a bunch of credit card numbers, the credit card companies have to reissue it to everyone, you get slapped with a fine, and you get dragged in the press, but statistically, look at your stock price a year later, it will be higher than at the time of the breach in almost every case. This is not the end of the world. You're talking about something though that has impacts that have impossible-to-calculate repercussions.We're talking about an entire administration shift; US foreign policy, domestic policy, how the world works and functions is in no small part tied to data security. That's a different level of stress than I think most security folks, if you get them honest enough, are going to admit that, yeah, what I do isn't that important from an InfoSec perspective. What you did is.Jackie: I appreciate that, especially having worked in the military. Since I left the military, I was always looking for a greater purpose and a larger mission to serve. And in this instance, the scope of work was somewhat limited, but the impact of failing would have been quite wide-ranging, as you've correctly identified. And walking into that role, I knew there was a limited time window to get the work done. I knew that as we progressed and got closer and closer to election day, we would have more resources, more money rolls in, more folks feel secure in the campaign and understand what the candidate stands for, and want to pump money into the coffers. And so you're also in an interesting situation because your resourcing is increasing, proportional to the threat, which is very time-bound.Corey: An inherent challenge is that unlike in a corporate environment, in many respects, where engineers can guard access to things and give the business clear lines of access to things and handle all of it in the background, one of the challenges with a campaign is that you are responsible for data security in a variety of different ways, and the interfaces to that data explode geometrically and to people with effectively no level whatsoever of technical sophistication. I'm not talking about the candidate necessarily—though that's of course, a concern—but I'm talking organizers, I'm talking volunteers, I'm talking folks who are lifelong political operatives, but they tend not to think in terms of, “Oh, I should enable multi-factor authentication on everything that I have,” because that is not what they are graded on; it's pass-fail. So, it's one of those things where it is not the number one priority for anyone else in your organization, but it is yours and you not only have to get things into fighting shape, you have to furthermore convince people to do the things that get them there. How do you approach that?Jackie: Security awareness [laugh] in a nutshell. We were lucky to work with Bob Lord, who is former CSO at Yahoo, OAuth, Rapid7, and has held a number of really important roles that were very wide in their scope, and responsible for very massive data sets. And we were lucky enough to, in the democratic ecosystem, have a CSO who really understood the nature of the problem, and the way that you described it just now is incredibly apt. You're working with folks that have no understanding or very limited understanding of what the threat actors were interested in breaching the campaign, what their capability set is, and how they might attempt to breach an organization. But you also had some positives out of that.When you're working with a campaign that is distributed, your workforce is distributed, and your systems are also distributed. And when you lose that centralization that many enterprises rely on to get the job done, you also reduce opportunities for attackers to compromise one system or one user and move laterally. So, that was something that we had working for us. So, security awareness was incredibly important. My boss worked on that quite a bit.We had an incredible IT help desk who really focused on connecting with users and running them through a checklist so everyone in the campaign had been onboarded with a specific set of capabilities and an understanding of what the security setup was and how to go about their business in a secure way. And luckily, very good decisions had been made on the IT side prior to the security team joining the organization, which set the stage for a strong architecture that was resistant to attack. So, I think a lot of the really solid decisions and security awareness propagation had occurred prior to myself and my boss joining the campaign.Corey: One of the things that I find interesting is that before you started that role—you mentioned you came in through the front door, which personally I've never successfully gotten a job like that; I always have to weasel my way in because I have an eighth-grade education and my resume—Jackie: [laugh].Corey: —well, tenure-wise, kind of, looks like a whole bunch of political campaigns. And that's fine, but before that, you were running your own company that was a focused security consultancy. Before that, your resume is a collection of impressive names. You were a principal consultant at Mandiant, you were at Accenture. You know what you're talking about.You were at McAfee slash Intel. You've done an awful lot of corporate world stuff. What made you decide to just wake up one day and decide, “You know what sounds awesome? Politics because the level of civil discourse there is awesome, and everyone treats everyone with respect and empathy, and no one gets heated or makes ridiculous arguments and the rest. That's the area I want to go into.” What flipped that switch for you?Jackie: If I'm completely honest, it was pure boredom. [laugh]. I started my business, Spyglass Security, with my co-founder, Jason [Shore 00:11:11]. And our purpose was to deliver boutique consulting services in a way that was efficient, in a way that built on prior work, and in a way that helped advance the security maturity of an organization without a lot of complex terminology, 150-page management consulting reports, right? What are the most effective operational changes we can make to an organization in how they work, in order to lead to some measurable improvement?And we had a good success at the New York City Board of Elections where we were a subcontractor to a large security firm. And we were in there for about a year, building them a vulnerability management program, which was great. But generally speaking, I have found myself bored with having the same conversations about cybersecurity again and again, at the startup level and really even at the enterprise level. And I was looking for something new to do, and the role was posted in a Slack that I co-founded that is full of digital forensics and information security folks, incident responders, those types of people.And I didn't hear of anyone else applying for the role. And I just thought, “Wow, maybe this is the kind of opportunity that I won't see again.” And I honestly sent my resume and didn't expect to hear anything back, so it was incredible to be contacted by the chief information security officer about a month after he was hired.Corey: One of the things that made it very clear that you were doing good work was the fact that there was a hit piece taken out on you in one of the absolute worst right-wing rags. I didn't remember what it was. It's one of those, oh, I'd been following you on Twitter for a bit before that, but it was one of those okay, but I tend to shortcut to figuring out who I align with based upon who yells at them. It's one of those—to extend it a bit further—I'm lazy, politically speaking. I wind up looking at two sides yelling at each other, I find out what side the actual literal flag-waving Nazis are on, and then I go to the other side because I don't ever want someone to mistake me for one of those people. And same story here. It's okay, you're clearly doing good work because people have bothered to yell at you in what we will very generously term ‘journalism.'Jackie: Yeah, I wouldn't refer to any of those folks—it was actually just one quote-unquote journalist from a Washington tabloid who decided to write a hit piece the week after I announced on Twitter that I'd had this role. And I took two months or so to think about whether I would announce my position at the campaign. I kept it very quiet, told a couple of my friends, but I was really busy and I wasn't sure if that was something I wanted to do. You know, as an InfoSec professional, that you need to keep your mouth shut about most things that happened in the workplace, period. It's a sensitive type of role and your discretion is critical.But Kamala really changed my mind. Kamala became the nominee and, you know, I have a similar background to hers. I'm half Dominican—my mother's from the Dominican Republic and my father is from India, so I have a similar background where I'm South Asian and Afro-Caribbean—and it just felt like the right time to bolster her profile by sharing that the Biden campaign was really interested in putting diverse candidates in the world of politics, and making sure that people like me have a seat at the table. I have three young daughters. I have a seven-year-old, a two-year-old, and a one-year-old.And the thing I want for them to know in their heart of hearts is that they can do anything they want. And so it felt really important and powerful for me to make a small public statement on Twitter about the role I had been in for a couple of months. And once I did that, Corey, all hell broke loose. I mean, I was suddenly the target of conspiracy theorists, I had people trying to reach out to me in every possible way. My LinkedIn messages, it just became a morass of—you know, on one hand, I had a lot of folks congratulate me and say nice things and provide support, and on the other, I just had a lot of, you know, kind of nutty folks reach out and have an idea of what I was working to accomplish that maybe was a bit off base.So yeah, I really wasn't surprised to find out that a right-wing or alt-right tabloid had attempted to write a hit piece on me. But at the end of the day, I had to keep moving even though it was difficult to be targeted like that. I mean, it's just not typical. You don't take a job and tell people you got a job, [laugh] and then get attacked for it on the national stage. It was really unsurprising on one hand, yet really quite shocking on another; something I had to adjust to very quickly. I did cry at work. I did get on the phone with legal and HR and cry like a baby. [laugh].Corey: Oh, yeah.Jackie: Yeah. It was scary.Corey: I guess this is an example of my naivete, but I do not understand people on the other side of the issue of InfoSec for a political campaign—and I want to be clear, I include that to every side of an aisle—I think there are some quote-unquote, “Political positions” that are absolutely abhorrent, but I also in the same breath will tell you that they should have and deserve data security and quality InfoSec representation. In a defensive capacity, to be clear. If you're—“I'm the offensive InfoSec coordinator for a campaign,” that's a different story. And we can have a nuanced argument about that.Jackie: [laugh].Corey: Also to be very clear, for the longest time—I would say almost all of my career until a few years ago—I was of the impression whatever I do, I keep my politics to myself. I don't talk about it in public because all I would realistically be doing is alienating potentially half of my audience. And what shifted that is two things. One of them, for me at least, is past a certain point, let's be very clear here: silence is consent. And I don't ever want to be even mistaken at a glance for being on the wrong side of some of these issues.On another, it's, I don't accept, frankly, that a lot of the things that are currently considered partisan are in fact, political issues. I can have a nuanced political debate on either side of the aisle on actual political issues—talking about things like tax policy, talking about foreign policy, talking about how we interact with the world, and how we fund things we care about and things that we don't—I can have those discussions. But I will not engage and I will not accept that, who gets to be people is a political issue. I will not accept that treating people with respect, regardless of how high or low their station, is a political issue. I will not accept that giving voice to our worst darkest impulses is a political position.I just won't take it. And maybe that makes me a dreamer. I don't consider myself a political animal. I really don't. I am not active in local politics. Or any politics for that matter. It's just, I will not compromise on treating people as people. And I never thought, until recently, that would be a political position, but apparently, it is.Jackie: Well, we were all taught the golden rule is children.Corey: There's a lot of weird things that were taught as children that it turns out, don't actually map to the real world. The classic example of that is sharing. It's so important that we teach the kids to share, and always share your toys and the rest. And now we're adults, how often do we actually share things with other people that aren't members of our immediate family? Turns out not that often. It's one of those lessons that ideally should take root and lead into being decent people and expressing some form of empathy, but the actual execution of it, it's yeah, sharing is not really a thing that we value in society.Jackie: Not in American society.Corey: Well, there is that. And that's the challenge, is we're always viewing the world through the lens of our own experiences, both culturally and personally, and it's easy to fall into the trap that is pernicious and it's always there, that our view of the world is objective and correct, and everyone else is seeing things from a perspective that is not nearly as rational and logical as our own. It's a spectrum of experience. No one wakes up in the morning and thinks that they are the villain in the story unless they work for Facebook's ethics department. It's one of those areas of just people have a vision of themselves that they generally try to live up to, and let's be honest people fell in love with one vision of themselves, it's the cognitive dissonance thing where people will shift their beliefs instead of their behavior because it's easier to do that, and reframe the narrative.It's strange how we got to this conversation from a starting position of, “Let's talk about InfoSec,” but it does come back around. It comes down to understanding the InfoSec posture of a political campaign. It's one of those things that until I started tracking who you were and what you were doing, it wasn't something really crossed my mind. Of course, now you think about, of course there's a whole InfoSec operation for every campaign, ever. But you don't think about it; it's behind the scenes; it's below the level of awareness that most people have.Now, what's really interesting to me, and I'm curious if you can talk about this, is historically the people working on the guts of a campaign—as it were—don't make public statements, they don't have public personas, they either don't use Twitter or turn their accounts private and the rest during the course of the campaign. You were active and engaging with people and identifying as someone who is active in the Biden campaign's InfoSec group. What made you decide to do that?Jackie: Well, on one hand, it did not feel useful to cut myself off from the world during the campaign because I have so many relationships in the cybersecurity community. And I was able to leverage those by connecting with folks who had useful information for me; folks outside of your organization often have useful information to bring back, for example, bug bounties and vulnerability disclosure programs that are established by companies in order to give hackers a outlet. If you find something on hardwarestore.com, and you want to share that with the company because you're a white hat hacker and you think that's the right thing to do, hopefully, there's some sort of a structure for you to be able to do that. And so, in the world of campaigning, I think information security is a relatively new development.It has been, maybe, given more resources in this past year on the presidential level than ever before. I think that we're going to continue to see an increase in the amount of resources given to the information security department on every campaign. But I'm also a public person. I really do appreciate the opportunity to interact with my community, to share and receive information about what it is that we do and what's happening in the world and what affects us from tech and information security perspective.Corey: It's just astonishing for me to see from the outside because you are working on something that is foundationally critically important. Meanwhile, people working on getting people to click ads or whatnot over at Amazon have to put ‘opinions my own' in their Twitter profile, whereas you were very outspoken about what you believe and who you are. And that's a valuable thing.Jackie: I think it's important. I think we often allow corporations to dictate our personality, we allow our jobs to dictate our personality, we allow corporate mores to dictate our behavior. And we have to ask ourselves who we want to be at the end of the day and what type of energy we want to put out into the world, and that's a choice that we make every day. So, what I can say is that it was a conscious decision. I can say that I worked 14 hours a day, or something, for five, six months. There were no weekends; there was no time off; there were a couple of overnights.Corey: “So, what do you get to sleep?” “November.”Jackie: Yeah. [laugh]. My partner took care of the kids. He was an absolute beast. I mean, he made sure that the house ran, and I paid no attention to it. I was just not a mom for those several months, in my own home.Corey: This episode is sponsored by our friends at Oracle HeatWave is a new high-performance accelerator for the Oracle MySQL Database Service. Although I insist on calling it “my squirrel.” While MySQL has long been the worlds most popular open source database, shifting from transacting to analytics required way too much overhead and, ya know, work. With HeatWave you can run your OLTP and OLAP, don't ask me to ever say those acronyms again, workloads directly from your MySQL database and eliminate the time consuming data movement and integration work, while also performing 1100X faster than Amazon Aurora, and 2.5X faster than Amazon Redshift, at a third of the cost. My thanks again to Oracle Cloud for sponsoring this ridiculous nonsense. Corey: Back in 2019, I gave a talk at re:Invent—which is always one of those things that's going to occasion comment—and the topic that we covered was building a vulnerability disclosure program built upon the story of a vulnerability that I reported into AWS. And it was a decent enough experience that I suggested at some point that you should talk about this publicly, and they said, “You should come talk about it with us.” And I did and it was a blast. But it suddenly became very clear, during the research for that talk and talking to people who've set those programs up is that look, one way or another, people are going to find vulnerabilities in what you do and how you do them. And if you don't give them an easy way to report them to you, that's okay.You'll find out about them in other scenarios when they're on the front page of the New York Times. So, you kind of want to be out there and accessible to people. Now, there's a whole story we can go into about the pros and cons of things like bug bounties and the rest, and of course, it's a nuanced issue, but the idea of at least making it easy for people to wind up reporting things from that perspective is one of those key areas of outreach. Back in the early days of InfoSec, people would explore different areas of systems that they had access to, and very often they were charged criminally. Intel wound up having charges against one of their—I believe it was their employee or something, who wound up founding something and reporting it in an ethical way.The idea of doing something like that is just ludicrous. You're in that space a lot more than I am. Do you still see that sort of chilling effect slash completely not getting it when someone is trying to, in good faith, report security issues? Or has the world largely moved on from that level of foolishness?Jackie: Both. The larger organizations that have mature security programs, and frankly, the organizations that have experienced a significant public breach, the organizations that have experienced pain are those that know better at this point and realize they do need to have a program, they do need to have a process and a procedure, and they need to have some kind of framework for folks to share information with them in a way that doesn't cause them to respond with, “Are you extorting me? Is this blackmail?” As a cybersecurity professional working at my own security firm and also doing security research, I have reported dozens of vulnerabilities that I've identified, open buckets, for example. My partner at Spyglass and I built a SaaS application called Data Drifter a few years ago.We were interviewed by NBC about this and NBC followed up on quite a few of our vulnerability disclosures and published an article. But what the software did was look for open buckets on Azure, AWS, and GCP and provide an analyst interface that allows a human to trawl through very large datasets and understand what they're looking at. So, for example, one of the finds that we had was that musical.ly—musical-dot-L-Y, which was purchased by TikTok, eventually—had a big, large open bucket with a lot of data, and we couldn't figure out how to report it properly. And they eventually took it down.But you really had to try to understand what you were looking at; if you have a big bucket full of different data types, you don't have a name on the bucket, and you don't know who it belongs to because you're not Google, or Amazon, or Microsoft, what do you do with this information? And so we spent a lot of time trying to reconcile open buckets with their owners and then contacting those owners. So, we've received a gamut of ranges of responses to vulnerability disclosure. On one hand, there is an established process at an organization that is visible by the way they respond and how they handle your inquiry. Some folks have ticketing systems, some folks respond directly to you from the security team, which is great, and you can really see and get an example of what their routing is inside the company.And then other organizations really have no point of reference for that kind of thing, and when something comes into either their support channels or even directly into the cybersecurity team, they're often scrambling for an effective way to respond to this. And it could go either way; it could get pretty messy at times. I've been threatened legally and I've been accused of extortion, even when we weren't trying to offer some type of a service. I mean, you really never walk into a vulnerability disclosure scenario and then offer consulting services because they are going to see it as a marketing ploy and you never want to make that a marketing ploy. I mean, it's just not… it's not effective and it's not ethical, it's not the right thing to do.So, it's been interesting. [laugh]. I would recommend, if you are a person listening to this podcast who has some sort of pull in the information security department at your organization, I would recommend that you start with disclose.io, which was put together by Casey John Ellis and some other folks over at Bugcrowd and some other volunteers. It's a really great starting point for understanding how to implement a vulnerability disclosure program and making sure that you are able to receive the information in a way that prevents a PR disaster.Corey: My approach is controversial—I know this—but I believe that the way that you're approaching this was entirely fatally flawed, of trying to report to people that they have an open S3 bucket. The proper way to do it is to upload reams of data to it because my operating theory is that they're going to ignore a politely worded note from a security researcher, but they're not going to ignore a $4 million surprise bill at the end of the month from AWS. That'll get fixed tout suite. To be clear to the audience, I am kidding on this. Don't do it. There's a great argument that you can be charged criminally for doing such a thing. I'm kidding. It's a fun joke. Don't do it. I cannot stress that enough. We now go to Jackie for her laughter at that comment.Jackie: [laugh].Corey: There we go.Jackie: I'm on cue. Well, a great thing about Data Drifter, that SaaS application that allowed analysts to review the contents of these open buckets, was that it was all JavaScript on the client-side, and so we weren't actually hosting any of that data ourselves. So, they must have noticed some transfer fees that were excessive, but if you're not looking at security and you have an infrastructure that isn't well monitored, you may not be looking at costs either.Corey: Costs are one of those things that are very aligned spiritually with security. It's a trailing function that you don't care about until right after you really should have cared about it. With security, it's a bit of a disaster when it hits, whereas with those surprise bills, “Oh, okay. We wasted some money.” That's usually, a, not front-page material and, b, it's okay, let's be responsible and fix that up where it makes sense, but it's something that is never a priority. It's never a ‘summon the board' story for anything short of complete and utter disaster. So, I do feel a sense of spiritual alignment here.Jackie: [laugh]. I can see that. That makes perfect sense.Corey: Before we call this an episode, one other area that you've been active within is something called ‘threat modeling.' What is it?Jackie: So, threat modeling is a way to think strategically about cybersecurity. You want to defend, effectively, by understanding your organization as a collection of people, and you want to help non-technical staff support the cybersecurity program. So, the way to do that is potentially to give a human-centric focus to threat modeling activities. Threat modeling is a methodology for linking humans to an effective set of prioritized defenses for the most likely types of adversaries that they might face. And so essentially the process is identifying your subject and defining the scope of what you would like to protect.Are you looking to protect this person's personal life? Are you exclusively protecting their professional life or what they're doing in relation to an organization? And you want to iterate through a few questions and document an attack tree. Then you would research some tactics and vulnerabilities, and implement defensive controls. So, in a nutshell, we want to know what assets does your subject have or have access to, that someone might want to spy, steal, or harm; you want to get an idea of what types of adversaries you can expect based on those assets or accesses that they have, and you then want to understand what tactics those adversaries are likely to use to compromise those assets or accesses, and you then transform that into the most effective defenses against those likely tactics.So, using that in practice, you would typically build an attack tree that starts with the human at the center and lists out all of their assets and accesses. And then off of those, each of those assets or accesses, you would want to map out their adversary personas. So, for example, if I work at a bank and I work on wire transfers, my likely adversary would be a financially motivated cybercriminal, right? Pretty standard stuff. And we want to understand what are the methods that these actors are going to employ in order to get the job done.So, in a common case, in a business email compromised context, folks might rely on a signer at a company to sign off on a wire transfer, and if the threat actor has an opportunity to gain access to that person's email address or the mechanism by which they make that approval, then they may be able to redirect funds to their own wallet that was intended for someone else or a partner of the company. Adversaries tend to employ the least difficult approach; whatever the easiest way in is what they're going to employ. I mean, we spend a lot of time in the field of information security and researching the latest vulnerabilities and attack paths and what are all the different ways that a system or a person or an application can be compromised, but in reality, the simplest stuff is usually what works, and that's what they're looking for. They're looking for the easiest way in. And you can really observe that with ransomware, where attackers are employing a spray and pray methodology.They're looking for whatever they can find in terms of open attack surface on the net, and then they're targeting organizations based on who they can compromise after the fact. So, they don't start with an organization in mind, they might start with a type of system that they know they can easily compromise and then they look for those, and then they decide whether they're going to ransomware that organization or not. So, it's really a useful way, when you're thinking about human-centric threat modeling, it's really a useful way to completely map your valuables and your critical assets to the most effective ways to protect those. I hope that makes sense.Corey: It very much does. It's understanding the nature of where you start, where you stop, what is reasonable, what is not reasonable. Because like a lot of different areas—DR, for example—security is one of those areas you could hurl infinite money into and still never be done. It's where do you consider it reasonable to start? Where do you consider it reasonable to stop? And without having an idea of what the model of threat you're guarding against is, the answer is, “All the money,” which it turns out, boards are surprisingly reluctant to greenlight.Jackie: Absolutely. We have a recurring problem and information security where we cannot measure return on investment. And so it becomes really difficult to try to validate a negative. It's kind of like the TSA; the TSA can say that they've spent a lot of money and that nothing has happened or that any incidents have been limited in their scope due to the work that they've done, but can we really quantify the amount of money that DHS has absorbed for the TSA's mission, and turned that into a really wonderful and measurable understanding of how we spent that money, and whether it was worth it? No, we can't really. And so we're always struggling with that insecurity, and I don't think we'll have an answer for it in the next ten years or so.Corey: No, I suspect not, on some level. It's one of those areas where I think the only people who are really going to have a holistic perspective on this are historians.Jackie: I agree.Corey: And sadly I'm not a cloud historian; I'm a cloud economist, a completely different thing I made up.Jackie: [laugh]. Well, from my perspective, I think it's a great title. And I agree with your thought about historians, and I look forward to finding out how they felt about what we did in the information security space, both political and non-political, 20, 30, and 40 years from now.Corey: I hope to live long enough to see that. Jackie, thank you so much for taking the time to speak with me today. If people want to learn more about what you're up to and how you view things, where can they find you?Jackie: You can find me on Twitter at @hackingbutlegal.Corey: Great handle. I love it.Jackie: Thank you so much for having me.Corey: Oh, of course. It is always great to talk with you. Jackie Singh, principal threat analyst, and incident responder at the Biden campaign. Obviously not there anymore. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast provider of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with a comment expressing an incoherent bigoted tirade that you will, of course, classify as a political opinion, and get you evicted from said podcast provider.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

About JordanJordan is a self proclaimed “hacker.” Links:Twitter: https://twitter.com/jordansissel TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by “you”—gabyte. Distributed technologies like Kubernetes are great, citation very much needed, because they make it easier to have resilient, scalable, systems. SQL databases haven't kept pace though, certainly not like no SQL databases have like Route 53, the world's greatest database. We're still, other than that, using legacy monolithic databases that require ever growing instances of compute. Sometimes we'll try and bolt them together to make them more resilient and scalable, but let's be honest it never works out well. Consider Yugabyte DB, its a distributed SQL database that solves basically all of this. It is 100% open source, and there's not asterisk next to the “open” on that one. And its designed to be resilient and scalable out of the box so you don't have to charge yourself to death. It's compatible with PostgreSQL, or “postgresqueal” as I insist on pronouncing it, so you can use it right away without having to learn a new language and refactor everything. And you can distribute it wherever your applications take you, from across availability zones to other regions or even other cloud providers should one of those happen to exist. Go to yugabyte.com, thats Y-U-G-A-B-Y-T-E dot com and try their free beta of Yugabyte Cloud, where they host and manage it for you. Or see what the open source project looks like—its effortless distributed SQL for global apps. My thanks to Yu—gabyte for sponsoring this episode.Corey: This episode is sponsored in part by our friends at VMware. Let's be honest—the past year has been far from easy. Due to, well, everything. It caused us to rush cloud migrations and digital transformation, which of course means long hours refactoring your apps, surprises on your cloud bill, misconfigurations and headache for everyone trying manage disparate and fractured cloud environments. VMware has an answer for this. With VMware multi-cloud solutions, organizations have the choice, speed, and control to migrate and optimize applications seamlessly without recoding, take the fastest path to modern infrastructure, and operate consistently across the data center, the edge, and any cloud. I urge to take a look at vmware.com/go/multicloud. You know my opinions on multi cloud by now, but there's a lot of stuff in here that works on any cloud. But don't take it from me thats: VMware.com/go/multicloud and my thanks to them again for sponsoring my ridiculous nonsense.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I've been to a lot of conference talks in my life. I've seen good ones, I've seen terrible ones, and then I've seen the ones that are way worse than that. But we don't tend to think in terms of impact very often, about how conference talks can move the audience.In fact, that's the only purpose of giving a talk ever—to my mind—is you're trying to spark some form of alchemy or shift in the audience and convince them to do something. Maybe in the banal sense, it's to sign up for something that you're selling, or to go look at your website, or to contribute to a project, or maybe it's to change the way they view things. One of the more transformative talks I've ever seen that shifted my outlook on a lot of things was at [SCALE 00:01:11] in 2012. Person who gave that talk is my guest today, Jordan Sissel, who, among many other things in his career, was the original creator behind logstash, which is the L in ELK Stack. Jordan, thank you for joining me.Jordan: Thanks for having me, Corey.Corey: I don't know how well you remember those days in 2012. It was the dark times; we thought oh, the world is going to end; that wouldn't happen until 2020. But it was an interesting conference full of a bunch of open-source folks, it was my local conference because I lived in Los Angeles. And it was the thing I looked forward to every year because I would always go and learn something new. I was in the trenches in those days, and I had a bunch of problems that looked an awful lot like other people's problems, and having a hallway track where, “Hey, how are you solving this problem?” Was a big deal. I missed those days in some ways.Jordan: Yeah, SCALE was a particularly good conference. I think I made it twice. Traveling down to LA was infrequent for me, but I always enjoyed how it was a very communal setting. They had dedicated hallway tracks. They had kids tracks, which I thought was great because folks couldn't usually come to conferences if they couldn't bring their kids or they had to take care of that stuff. But having a kids track was great, they had kids presenting. It felt more organic than a lot of other conferences did, and that's kind of what drew me to it initially.Corey: Yeah, it was my local network. It turns out that the Southern California tech community is relatively small, and we all go different lives. And it's LA, let's face it, I lived there for over a decade. Flaking as a way of life. So yeah, well, “Oh, we'll go out and catch dinner. Ooh, have to flake at the last minute.” If you're one of the good people, you tell people you're flaking instead of just no-showing, but it happens.But this was the thing that we would gather and catch up every year. And, “Oh, what have you been doing?” “Wow, you work in that company now? Congratulations, slash, what's wrong with you?” It was fun, just sort of a central sync point. It started off as hanging out with friends.And in those days, I was approaching the idea of, “You know what? I should learn to give a conference talk someday. But let's be clear. People don't give conference talks; legends give conference talks. And one day, I'll be good enough to get on stage and give a talk to my peers at a conference.”Now, the easy, cynical interpretation would be, “Well, but I saw your talk and I figured, hey, any jackhole can get up there. If he can do it, anyone can.” But that's not at all how it wound up impacting me. You were talking about logstash, which let's start there because that's a good entry point. Logstash was transformative for me.Before that, I'd spent a lot of time playing around with syslog, usually rsyslog, but there are other stories here of when a system does something and it spits out logs—ideally—how do you make sure you capture those logs in a reliable way so if you restart a computer, you don't wind up with a gap in your logs? If it's the right computer, it could be a gap in everything's logs while that thing is coming back up. And let's avoid single points of failure and the rest. And I had done all kinds of horrible monstrosities, and someone asked me at one point—Jordan: [laugh]. Guilty.Corey: Yeah. Someone said, “Well, there are a couple of options. Why don't you use Splunk?” And the answer is that I don't have a spare princess lying around that I can ransom back to her kingdom, so I can't afford it. “Okay, what about logstash?” And my answer was, “What's a logstash?” And thus that sound was Pandora's Box creaking open.So, I started playing with it and realized, “Okay, this is interesting.” And I lost track of it because we have demands on our time. Then I was dragged into a session that you gave and you explained what logstash was. I'm not going to do nearly as good of a job as you can on this. What the hell was logstash, for folks who are not screaming at syslog while they first hear of it.Jordan: All right. So, you mentioned rsyslog, and there's—old is often a pejorative of more established projects because I don't think these projects are bad. But rsyslog, syslog-ng, things like that were common to see for me as a sysadmin. But to talk about logstash, we need to go back a little further than 2012. So, the logstash project started—Corey: I disagree because I wasn't aware of it until 2012. Until I become aware of something it doesn't really exist. That's right, I have the object permanence of an infant.Jordan: [laugh].That's fair. And I've always felt like perception is reality, so if someone—this gets into something I like to say, but if someone is having a bad time or someone doesn't know about something, then it might as well not exist. So, logstash as a project started in 2008, 2009. I don't remember when the first commits landed, but it was, gosh, it's more than ten years ago now.But even before that in college, I was fortunate to, through a network of friends, get a job as a sysadmin. And as a sysadmin, you stare at logs a lot to figure out what's going on. And I wanted a more interesting way to process the logs. I had taught myself regular expressions and it wasn't finding joy in it… at all, like pretty much most people, probably. Either they look at regular expressions and just… evacuate with disgust, which is absolutely an appropriate response, or they dive into it and they have to use it for their job.But it wasn't enjoyable, and I found myself repeating stuff a lot. Matching IP addresses, matching strings, URLs, just trying to pull out useful information about what is going on?Corey: Oh, and the timestamp problem, too. One of the things that I think people don't understand who have not played in this space, is that all systems do have logs unless you've really pooched something somewhere—Jordan: Yeah.Corey: —and it shows that at this point in time, this thing happened. As we start talking about multiple computers and distributed systems—but even on the same computer—great, so at this time there was something that showed up in the system log because there was a disk event or something, and at the same time you have application logs that are talking about what the application running is talking about. And that is ideally using a somewhat similar system to do this, but often not. And the way that timestamps are expressed in these are radically different and the way that the log files themselves are structured. One might be timestamp followed by hostname followed by error code.The other one might be hostname followed by a timestamp—in a different format—followed by a copyright notice because a big company got to it followed by the actual event notice, and trying to disambiguate all of these into a standardized form was first obnoxious, and secondly, very important because you want to see the exact chain of events. This also leads to a separate sidebar on making sure that all the clocks are synchronized, but that's a separate story for another time. And that's where you enter the story in many respects.Jordan: Right. So, my thought around what led to logstash is you can take a sysadmin or software IT developer—whatever—expert, and you can sit them in front of a bunch of logs and they can read them and say, “That's the time it happened. That's the user who caused this action. This is the action.” But if you try and abstract and step away, and so you ask how many times did this action happen? When did this user appear? What time did this happen?You start losing the ability to ask those questions without being an expert yourself, or sitting next to an expert and having them be your keyboard. Kind of a phenomenon I call the human keyboard problem where you're speaking to a computer, but someone has to translate for you. And so in around 2004, I was super into Perl. No shocker that I enjoyed—ish. I sort of enjoyed regular expressions, but I was super into Perl, and there was a Perl module called Regexp::Common which is a library of regular expressions to match known things: IP addresses, certain kinds of timestamps, quoted strings, and whatnot.Corey: And this stuff is always challenging because it sounds like oh, an IP address. One of the interview questions I hated the most someone asked me was write a regular expression to detect an IP address. It turns out that to do this correctly, even if you bound it to ipv4 only, the answer takes up multiple lines on a screen.Jordan: Oh, for sure.Corey: It's enormous.Jordan: It's like a full page of—Corey: It is.Jordan: —of code you can't read. And that's one of the things that, it was sort of like standing on the shoulders of the person who came before; it was kind of an epiphany to me.Corey: Yeah. So, I can copy and paste that into my code, but someone who has to maintain that thing after I get fired is going to be, “What the hell is this and what does it do?” It's like it's the blessed artifact that the ancients built it and left it there like it's a Stargate sitting in your code. And it's, “We don't know how it works; we're scared to break it, so we don't even look at that thing directly. We just know that we put nonsense in, an IP address comes out, and let's not touch it, ever again.”Jordan: Exactly. And even to your example, even before you get fired and someone replaces you and looks at your regular expression, the problem I was having was, I would have this library of copy and pasteable things, and then I would find a bug, and edge case. And I would fix that edge case but the other 15 scripts that were using the same way regular expression, I can't even read them anymore because I don't carry that kind of context in my head for all of that syntax. So, you either have to go back and copy and paste and fix all those old regular expressions. Or you just say, “You know what? We're not going to fix the old code. We have a new version of it that works here, but everywhere else this edge case fails.”So, that's one of the things that drew me to the Regexp::Common library in Perl was that it was reusable and things had names. It was, “I want to match an IP address.” You didn't have to memorize that long piece of text to precisely and accurately accept only regular expressions and rejects things that are not. You just said, “Give me the regular expression that matches an IP.” And from that library gave me the idea to write grok.Well, if we could name things, then maybe we could turn that into some kind of data structure, sort of the combination of, “I have a piece of log data, and I as an expert, I know that's an IP address, that's the username, and that's the timestamp.” Well, now I can apply this library of regular expressions that I didn't have to write and hopefully has a unit test suite, and say, now we can pull out instead of that plain piece of text that is hard to read as a non-expert, now I can have a data structure we can format however we want, that non-experts can see. And even experts can just relax and not have to be full experts all the time, using that part of your brain. So, now you can start getting towards answering search-oriented questions. “How many login attempts happened yesterday from this IP address?”Corey: Right. And back then, the way that people would do these things was Elasticsearch. So, that's the thing you shove all your data into in a bunch of different ways and you can run full-text queries on it. And that's great, but now we want to have that stuff actually structured, and that is sort of the magic of logstash—which was used in conjunction with Elasticsearch a lot—and it turns out that typing random SQL queries in the command line is not generally how most business users like to interact with this stuff, seems to be something dashboard-y-like, and the project that folks use for that was Kibana. And ELK Stack became a thing because Elasticsearch in isolation can do a lot but it doesn't get you all the way there for what people were using to look at logs.Jordan: You're right.Corey: And Kibana is also one of the projects that Elastic owned, and at some point, someone looks around, like, “Oh, logstash. People are using that with us an awful lot. How big is the company that built that? Oh, it's an open-source project run by some guy? Can we hire that guy?” And the answer is, “Apparently,” because you wound up working as an Elastic employee for a while.Jordan: Yeah. It was kind of an interesting journey. So, in the beginning of logstash in 2009, I kind of had this picture of how I wanted to solve log processing search challenges. And I broke it down into a couple of parts of visualization—to be clear, I broke it down in my head, not into code, but visualization, kind of exploration, there's the processing and transmission, and then there's storage and search. And I only felt confident really attending to a solution for one of those parts. And I picked log processing partly because I already had a jumpstart from a couple of years prior, working on grok and feeling really comfortable with regular expressions. I don't want to say good because that's—Corey: You heard it here first—Jordan: [laugh].Corey: —we found the person that knows regular expressions. [laugh].Jordan: [laugh]. And logstash was being worked on to solve this problem of taking your data, processing it, and getting it somewhere. That's why logstash has so many outputs, has so many inputs, and lots of filters. And about I think a year into building logstash, I had experimented with storage and search backends, and I never found something that really clicked with me. And I was experimenting with Leucine, and knowing that I could not complete this journey because that the problem space is so large, it would be foolish of me to try to do distributed log stores or anything like that, plus visualization.I just didn't have the skills or the time in the day. I ended up writing a frontend for logstash called logstash-web—naming things is hard—and I wasn't particularly skilled or attentive to that project, and it was more of a very lightweight frontend to solve the visualization, the exploration aspect. And about a year into logstash being alive, I found Elasticsearch. And what clicked with me from being a sysadmin and having worked at large data center companies in the past is I know the logs on a single system are going to quickly outgrow it. So, whatever storage system will accept these logs, it's got to be easy to add new storage.And Elasticsearch first-day promise was it's distributed; you can add more nodes and go about your day. And it fulfilled that promise and I think it still fulfills that promise that if you're going to be processing terabytes of data, yeah, just keep dumping it in there. That's one of the reasons I didn't try and even use MySQL, or Postgres, or other data systems because it didn't seem obvious how to have multiple storage servers collecting this data with those solutions, for me at the time.Corey: It turns out that solving problems like this that are global and universal lead to massive adoption very quickly. I want to get this back a bit before you wound up joining Elastic because you get up on stage and you talked through what this is. And I mentioned at the start of this recording, that it was one of those transformative talks. But let's be clear here, I don't remember 95% of how logstash works. Like, the technology you talked about ten years ago is largely outmoded slash replaced slash outdated today. I assure you, I did not take anything of note whatsoever from your talk regarding regular expressions, I promise. And—Jordan: [laugh]. Good.Corey: But that's not the stuff that was transformative to me. What was, was the way that you talked about these things. And there was the first time I'd ever heard the phrase that if a new user has a bad time, it's a bug. This was 2012. The idea of empathy hadn't really penetrated into the ops and engineering spaces in any meaningful way yet. It was about gatekeeping, it was about, “Read the manual fool”—Jordan: Yes.Corey: —if people had questions. And it was actively user-hostile. And it was something that I found transformative of, forget the technology piece for a second; this is a story about how it could be different. Because logstash was the vehicle to deliver a message that transcended far beyond the boundaries of how to structure your logs, or maybe the other boundaries of regular expressions, I'm never quite sure where those things start and stop. But it was something that was actively transformative where you're on stage as someone who is a recognized authority in the space, and you're getting up there and you're sending an implicit message—both explicitly and by example—of be nice to people; demonstrate empathy. And that left a hell of an impact. And—Jordan: Thank you.Corey: I wound up doing a spot check just now, and I wound up looking at this and sure enough, early in 2013, I wound up committing—it's still in the history of the changelog for logstash because it's open-source—I committed two pull requests and minutes apart, two submissions—I don't know if pull requests were even a thing back then—but it wound up in the log. Because another project you were renowned for was fpm: Effing Package Manager if I'm—is that what the acronym stands for, or am I misremembering?Jordan: [laugh]. We'll go with that. I'm sure, vulgar viewers will know what the F stands for, but you don't have to say it. It's just Effing Package Management.Corey: Yeah.Jordan: But yeah, I think I really do believe that if a user, especially if a new user has a bad time, it's a bug, and that came from many years of participating at various levels in open-source, where if you came at it with a tinkerer's or a hacker's mindset and you think, “This project is great. I would like it to do one additional thing, and I would like to talk to someone about how to make it do that one additional thing.” And you go find the owners or the maintainers of that project, and you come in with gusto and energy, and you describe what you want to do and, first, they say, “What you want to do is not possible.” They don't even say they don't want to do it; they frame the whole universe against you. “It's not possible. Why would you want to do that? If you want to make that, do it yourself.”You know, none of these things are an extended hand, a lowered ladder, an open door, none of those. It's always, “You're bothering me. Go away. Please read the documentation and see where we clearly”—which they don't—“Document that this is not a thing we're interested in.” And I came to the conclusion that any future open-source or collaborative work that I worked on, it's got to be from a place where, “You're welcome, and whatever contributions or participation levels you choose, are okay. And if you have an idea, let's talk about it. If you're having a bad time, let's figure out how to solve it.”Maybe the solution is we point you in the right direction to the documentation, if documentation exists; maybe we find a bug that we need to fix. The idea that the way to build communities is through kindness and collaboration, not through walls or gatekeeping or just being rude. And I really do think that's one of the reasons logstash became so successful. I mean, any particular technology could have succeeded in the space that logstash did, but I believe that it did so because of that one piece of framework where if a new user has a bad time, it's a bug. Because to me, that opens the door to say, “Yeah, you know what? Some of the code I write is not going to be good. Or, the thing you want to do is undocumented. Or the documentation is out of date. It told you a lie and you followed the documentation and it misled you because it's incorrect.”We can fix that. Maybe we don't have time to fix it right now. Maybe there's no one around to fix it, but we can at least say, “You know what? That information is incorrect, and I'm sorry you were misled. Come on into the community and we'll figure it out.” And one of the patterns I know is, on the IRC channel, which is where the logstash real-time community chat… I don't know how to describe that.Corey: No, it was on freenode. That's part of the reason I felt okay, talking to you. At that point. I was volunteer network staff. This is before freenode turned into basically a haven for Nazis this past year.Jordan: Yeah. It was still called lilo… lilonet [crosstalk 00:20:20]—Corey: No, the open freenode network, that predates me. This was—yeah, lilo—Jordan: Okay.Corey: —died about six years prior. But—Jordan: Oh, all right.Corey: Freenode's been around a long time. What make this thing work was that I was network staff, and that means that I had a bit of perceived authority—it's a chat room; not really—but it was one of those things where it was at least, “Okay, this is not just some sketchy drive-by rando,” which I very much was, but I didn't present that way, so I could strike up conversations. But with you talking about this stuff, I never needed to be that person. It was just if someone wants to pitch in on this, great; more hands make lighter work. Sure.Jordan: Yeah, for sure.Corey: And for me, the interesting part is not even around the logstash aspects so much; it's your other project, fbm. Well, one of your other projects. Back in 2012, that was an interesting year for me. Another area that got very near and dear to my heart in open-source world was the SaltStack project; I was contributor number 15. And I didn't know how Python worked. Not that I do now, but I can fake it better now.And Tom Hatch, the guy that ran the project before it was a company was famous for this where I could send in horrifying levels of code, and every time he would merge it in and then ten minutes later, there would be another patch that comes in that fixes all bugs I just introduced and it was just such a warm onboarding. I'm not suggesting that approach and I'm not saying it's scalable, but I started contributing. And I became the first Debian and Ubuntu packager for SaltStack, which was great. And I did a terrible job at it because—let me explain. I don't know if it's any better now, but back in those days, there were multiple documentation sources on the proper way to package software.They were all contradictory with each other, there was no guidance as to when to follow each one, there was never a, “You know nothing about packaging; here's what you need to know, step-by-step,” and when you get it wrong, they yell at you. And it turns out that the best practice then to get it formally accepted upstream—which is what I did—is do a crap-ass job, and then you'll wind up with a grownup coming in, like, “This is awful. Move.” And then they'll fix it and yell at you, and gatekeep like hell, and then you have a package that works and gets accepted upstream because the magic incantation has been said somewhere. And what I loved about fpm was that I could take any random repo or any source tarball or anything I wanted, run it through with a single command, and it would wind up building out a RPM and a Deb file—and I don't know what else it's supported; those are the ones I cared about—that I could then install on a system. I put in a repo and add that to a sources list on systems, and get to automatically install so I could use configuration management—like SaltStack—to wind up installing custom local packages. And oh, my God, did the packaging communities for multiple different distros hate you—Jordan: Yep.Corey: —and specifically what you had built because this was not the proper way to package. How dare you solve an actual business problem someone has instead of forcing them to go to packaging school where the address is secret, and you have to learn that. It was awful. It was the clearest example that I can come up with of gatekeeping, and then you're coming up with fbm which gets rid of user pain, and I realized that in that fight between the church of orthodoxy of, “This is how it should be done,” and the, “You're having a problem; here's a tool that makes it simple,” I know exactly what side of that line I wanted to be on. And I hadn't always been previously, and that is what clarified it for me.Jordan: Yeah, fbm was a really delightful enjoyment for me to build. The origins of that was I worked at a company and they were all… I think, at that time, we were RPM-based, and then as folks tend to do, I bounced around between jobs almost every year, so I went from one place that—Corey: Hey, it's me.Jordan: [laugh]. Right? And there's absolutely nothing wrong with leaving every year or staying longer. It's just whatever progresses your career in the way that you want and keeps you safe and your family safe. But we were using RPM and we were building packages already not following the orthodoxy.A lot of times if you ask someone how to build a package for Fedora, they'll point you at the Maximum RPM book, and that's… a lot of pages, and honestly, I'm not going to sit down and read it. I just want to take a bunch of files, name it, and install it on 30 machines with Puppet. And that's what we were doing. Cue one year later, I moved to a new company, and we were using Debian packages. And they're the same thing.What struck me is they are identical. It's a bunch of files—and don't pedant me about this—it's a bunch of files with a name, with some other sometimes useful metadata, like other names that you might depend on. And I really didn't find it enjoyable to transfer my knowledge of how to build RPMs, and the tooling and the structures and the syntaxes, to building Debian packages. And this was not for greater publication; this was I have a bunch of internal applications I needed to package and deploy with, at the time it was Puppet. And it wasn't fun.So, I did what we did with grok which was codify that knowledge to reduce the burden. And after a few, probably a year or so of that, it really dawned on me that a generality is all packaging formats are largely solving the same problem and I wanted to build something that was solving problems for folks like you and me: sysadmins, who were handed a pile of code and they needed to get it into production. And I wasn't interested in formalities or appeasing any priesthoods or orthodoxies about what really—you know, “You should really shine your package with this special wax,” kind of thing. Because all of the documentation for Debian packages, Fedora packages are often dedicated to those projects. You're going to submit a package to Fedora so that the rest of the world can use it on Fedora. That wasn't my use case.Corey: Right. I built a thing and a thing that I built is awesome and I want the world to use it, so now I have to go to packaging school? Not just once but twice—Jordan: Right.Corey: —and possibly more. That's awful.Jordan: Or more. Yeah. And it's tough.Corey: This episode is sponsored in part by our friends at Jellyfish. So, you're sitting in front of your office chair, bleary eyed, parked in front of a powerpoint and—oh my sweet feathery Jesus its the night before the board meeting, because of course it is! As you slot that crappy screenshot of traffic light colored excel tables into your deck, or sift through endless spreadsheets looking for just the right data set, have you ever wondered, why is it that sales and marketing get all this shiny, awesome analytics and inside tools? Whereas, engineering basically gets left with the dregs. Well, the founders of Jellyfish certainly did. That's why they created the Jellyfish Engineering Management Platform, but don't you dare call it JEMP! Designed to make it simple to analyze your engineering organization, Jellyfish ingests signals from your tech stack. Including JIRA, Git, and collaborative tools. Yes, depressing to think of those things as your tech stack but this is 2021. They use that to create a model that accurately reflects just how the breakdown of engineering work aligns with your wider business objectives. In other words, it translates from code into spreadsheet. When you have to explain what you're doing from an engineering perspective to people whose primary IDE is Microsoft Powerpoint, consider Jellyfish. Thats Jellyfish.co and tell them Corey sent you! Watch for the wince, thats my favorite part.Corey: And this gets back to what I found of—it was rare that I could find a way to contribute to something meaningfully, and I was using logstash after your talk, I'd started using it and rolling it out somewhere, and I discovered that there wasn't a Debian package for it—the environment I was in at that time—or Ubuntu package, and, “Hey Jordan, are you the guy that wrote fpm and there isn't a package here?” And the thing is is that you would never frame it this way, but the answer was, of course, “Pull requests welcome,” which is often an invitation to do free volunteer work for companies, but this was an open-source project that was not backed by a publicly-traded company; it was some guy. And of course, I'll pitch in on that. And I checked the commit log on this for what it is that I see, and sure enough, I have two commits. The first one was on Sunday night in February of 2013, and my commit message was, “Initial packaging work for Deb building.” And sure enough, there's a bunch of files I put up there and that's great. And my second and last commit was 12 minutes later saying, “Remove large binary because I'm foolish.” Yeah.Jordan: Was that you? [laugh].Corey: Yeah. Oh, yeah, I'm sure—yeah, it was great. I didn't know how Git worked back then. I'm sure it's still in the history there. I wonder how big that binary is, and exactly how much I have screwed people over in the last decade since.Jordan: I've noticed this over time. And every now and then you'd be—I would be or someone would be on a slow internet connection—which again, is something that we need to optimize for, or at least be aware of and help where we can—someone would be cloning logstash on an airplane or something like that, or rural setting, and they would say, “It gets stuck at 76% for, like, ten minutes.” And you would go back and dust off your tome of how to use Git because it's very difficult piece of software to use, and you would find this one blob and I never even looked at it who committed it or whatever, but it was like I think it was 80 Megs of a JAR file or a Debian package that was [unintelligible 00:28:31] logstash release. And… [laugh] it's such a small world that you're like, yep, that was me.Corey: Oh, yeah. Oh, yeah. Let's check this just for fun here. To be clear, the entire repository right now is 167 Megs, so that file that I had up there for all of 13 minutes lives indelibly in Git history, and it is fully half of the size—Jordan: Yep.Corey: —of the entirety of the logstash project. All right, then. I didn't realize this was one of those confess your sins episodes, but here we are.Jordan: Look, sometimes we put flags on the moon, sometimes we put big files in git. You could just for posterity, we could go back and edit the history and remove that, but it never became important to do it, it wasn't loud, people weren't upset enough by it, or it didn't come up enough to say, “You know what? This is a big file.” So, it's there. You left your mark.Corey: You know, we take what we can get. It's an odd time. I'll have to do some digging around; I'm sure I'll tweet about this as soon as I get a bit more data on it, but I wonder how often people have had frustration caused by that. There's no ill intent here, to be very clear, but it was instead, I didn't know how Git worked very well. I didn't know what I was doing in a lot of respects, and sure enough in the fullness of time, some condescending package people came in and actually made this right.And there is a reasonable, responsible package now because, surprise, of course there is. But I wonder how much inadvertent pain I caused people by that ridiculous commit. And it's the idea of impact and how this stuff works. I'm not happy that people are on a plane with a slow connection had a wait an extra minute or two to download that nonsense. It's one of those things that is, oops. I feel like a bit of a heel for that, not for not knowing something, but for causing harm to folks. Intent doesn't outweigh impact. There is a lesson in there for it.Jordan: Agreed. On that example, I think one of the things… code is not the most important thing I can contribute to a project, even though I feel very confident in my skills in programming in a variety of environments. I think the number one thing I can do is listen and look for sources of pain. And people would come in and say, “I can't get this to work.” And we would work together and figure out how to make it work for their use case, and that could result in a new feature, a bug fix, or some documentation improvements, or a blog post, or something like that.And I think in this case, I don't really recall any amount of noise for someone saying, “Cloning the Git repository is just a pain in the butt.” And I think a lot of that is because either the people who would be negatively impacted by that weren't doing that use case, they were downloading the releases, which were as small as we can possibly get them, or they were editing files using the GitHub online edit the file thing, which is a totally acceptable, it's perfectly fine way to do things in Git. So, I don't remember anyone complaining about that particular file size issue. The Elasticsearch repository is massive and I don't think it even has binaries. It just has so much more—Corey: Someone accidentally committed their entire production test data set at one point and oops-a-doozy. Yeah, it's not the most egregious harm I've ever caused—Jordan: Yeah.Corey: —but it's there. The thing that, I guess, resonates with me and still does is the lessons I learned from you, I could sum them up as being not just empathy-driven—because that's the easy answer—but the other layers were that you didn't need to be the world's greatest expert in a thing in order to credibly give a conference talk. To be clear, you were miles ahead of me and still are in a lot of different areas—Jordan: Thanks.Corey: —and that's fine. But you don't need to be the—like, you are not the world's greatest expert on empathy, but that's what I took from the talk and that's what it was about. It also taught me that things you can pick up from talks—and other means—there are things you can talk about in terms of technology and there are things you can talk about in terms of people, and the things about people do not have expiration dates in the same way that technology does. And if I'm going to be remembered for impact on people versus impact on technology, for me, there's no contest. And you forced me to really think about a lot of those things that it started my path to, I guess, becoming a public speaker and then later all the rest that followed, like this podcast, the nonsense on Twitter, and all the rest. So, it is, I guess, we can lay the responsibility for all that at your feet. Enjoy the hate mail.Jordan: Uhh, my email address is now closed. I'm sorry.Corey: Exactly.Jordan: Well, I appreciate the kind words.Corey: We'll get letters on this one.Jordan: [laugh].Corey: It's the impact that people have, and someti—I don't think you knew at the time that that's the impact you were having. It matters.Jordan: I agree. I think a lot of it came from how do I want to experience this? And it was much later that it became something that was really outside of me, in the sense that it was building communities. One of the things I learned shortly after—or even just before—joining Elastic was how many folks were looking to solve a problem, found logstash, became a participant in the community, and that participation could just be anything, just hanging out on IRC, on the mailing list, whatever, and the next step for them was to get a better paying job in an environment they enjoyed that helped them take the next step in their career. Some of those people came to work with me at Elastic; some of them started to work on the logstash team at some point they decided because a lot of logstash users were sysadmins.And on the logstash team, we were all developers; we weren't sysadmins, there was nothing to operate. And a lot of folks would come on board and they were like, “You know what? I'm not enjoying writing Ruby for my job.” And they could take the next step to transition to the support team or the sales engineer team, or cloud operations team at Elastic. So, it was really, like you mentioned, it has nothing to do with the technology of—to me—why these projects are important.They became an amplifier and a hand to pull people up to go the next step they need to go. And on the way maybe they can make a positive impact in the communities they participate in. If those happen to be fpm or logstash, that's great, but I think I want folks to see that technology doesn't have to be a grind of getting through gatekeepers, meeting artificial barriers, and things like that.Corey: The thing that I took, too, is that I gave a talk in 2015 or'16, which is strangely appropriate now: “Terrible ideas in Git.” And yes, checking large binaries in is one of the terrible ideas I talk about. It's Git through counter-example. And around that time, I also gave a talk for a while on how to handle a job interview and advance your career. Only one of those talks has resulted in people approaching me even years later saying that what I did had changed aspects of their life. It wasn't the Git one. And that's the impact it comes down to. That is the change that I wanted to start having because I saw someone else do it and realized, you know, maybe I could possibly be that good someday. Well, I'd like to think I made it, on some level.Jordan: [laugh]. I'm proud of the impact you've made. And I agree with you, it is about people. Even with fpm where I was very selfishly tickling my own itch, I don't want to remember all of this stuff and I also enjoy operating outside of the boundaries of a church or whatever the priesthoods that say, “This is how you must do a thing,” I knew there was a lot of folks who worked at jobs and they didn't have authority, and they had to deploy something, and they knew if they could just package it into a Debian format, or an RPM format, or whatever they needed to do, they could get it deployed and it would make their lives easier. Well, they didn't have the time or the energy or the support in order to learn how to do that and fpm brought them that success where you can say, “Here's a bunch of files; here's a name, poof, you have a package for whatever format you want.”Where I found fpm really take off is when Gem and Python and Node.js support were added. The sysadmins were kind of sandwiched in between—in two impossible worlds where they are only authorized to deploy a certain package format, but all of their internal application developer teams were using Node.js and newer technologies, and all of those package formats were not permitted by whoever had the authority to permit those things at their job. But now they had a tool that said, “You know what? We can just take that thing, we'll take Django and Python, and we'll make it an RPM and we won't have to think a lot about it.”And that really, I think—to me, my hope was that it de-stresses that sort of work environment where you're not having to do three weeks of brand new work every time someone releases something internally in your company; you can just run a script that you wrote a month ago and maintain it as you go.Corey: Wouldn't that be something?Jordan: [laugh]. Ideally, ideally.Corey: Jordan, I want to thank you for not only the stuff you did ten years ago, but also the stuff you just said now. If people want to learn more about you, how you view the world, see what you're up to these days, where can they find you?Jordan: I'm mostly active on Twitter, at @jordansissel, all one word. Mostly these days, I post repair stuff I do on the house. I'm a stay-at-home full0 time dad these days, and… I'm still doing maintenance on the projects that need maintenance, like fpm or xdotool, so if you're one of those users, I hope you're happy. If you're not happy, please reach out and we'll figure out what the next steps can be. But yeah. If you like bugs, especially spiders—or if you don't like spiders and you want to like spiders, check me out on Twitter. I'm often posting macro photos, close-up photos of butterflies, bees, spiders, and the like.Corey: And we will, of course, throw links to that in the [show notes 00:38:10]. Jordan, thank you so much for your time today. It's appreciated.Jordan: Thank you, Corey. It's good talking to you.Corey: Jordan Sissel, founder of logstash and currently, blissfully, not working on a particular corporate job. I envy him, some days. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment in which you have also embedded a large binary.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Dr. Weiping Yu, the chief science advisor of A Neighbor's Choice, returns with another exciting segment of Science and U. In this episode, Dr. Yu comments on the claim by Cambridge scientists that they may have discovered dark energy; the creation of a new solid-state battery; whether Earth's magnetic field is flipping; and more. Visit A Neighbor's Choice website at aneighborschoice.com

我們創業了：女子杯上市

About KarthikKarthik was one of the original database engineers at Facebook responsible for building distributed databases including Cassandra and HBase. He is an Apache HBase committer, and also an early contributor to Cassandra, before it was open-sourced by Facebook. He is currently the co-founder and CTO of the company behind YugabyteDB, a fully open-source distributed SQL database for building cloud-native and geo-distributed applications.Links: Yugabyte community Slack channel: https://yugabyte-db.slack.com/ Distributed SQL Summit: https://distributedsql.org Twitter: https://twitter.com/YugaByte TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: You could build you go ahead and build your own coding and mapping notification system, but it takes time, and it sucks! Alternately, consider Courier, who is sponsoring this episode. They make it easy. You can call a single send API for all of your notifications and channels. You can control the complexity around routing, retries, and deliverability and simplify your notification sequences with automation rules. Visit courier.com today and get started for free. If you wind up talking to them, tell them I sent you and watch them wince—because everyone does when you bring up my name. Thats the glorious part of being me. Once again, you could build your own notification system but why on god's flat earth would you do that?Corey: This episode is sponsored in part by “you”—gabyte. Distributed technologies like Kubernetes are great, citation very much needed, because they make it easier to have resilient, scalable, systems. SQL databases haven't kept pace though, certainly not like no SQL databases have like Route 53, the world's greatest database. We're still, other than that, using legacy monolithic databases that require ever growing instances of compute. Sometimes we'll try and bolt them together to make them more resilient and scalable, but let's be honest it never works out well. Consider Yugabyte DB, its a distributed SQL database that solves basically all of this. It is 100% open source, and there's not asterisk next to the “open” on that one. And its designed to be resilient and scalable out of the box so you don't have to charge yourself to death. It's compatible with PostgreSQL, or “postgresqueal” as I insist on pronouncing it, so you can use it right away without having to learn a new language and refactor everything. And you can distribute it wherever your applications take you, from across availability zones to other regions or even other cloud providers should one of those happen to exist. Go to yugabyte.com, thats Y-U-G-A-B-Y-T-E dot com and try their free beta of Yugabyte Cloud, where they host and manage it for you. Or see what the open source project looks like—its effortless distributed SQL for global apps. My thanks to Yu—gabyte for sponsoring this episode.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Today's promoted episode comes from the place where a lot of my episodes do: I loudly and stridently insist that Route 53—or DNS in general—is the world's greatest database, and then what happens is a whole bunch of people who work at database companies get upset with what I've said. Now, please don't misunderstand me; they're wrong, but I'm thrilled to have them come on and demonstrate that, which is what's happening today. My guest is CTO and co-founder of Yugabyte. Karthik Ranganathan, thank you so much for spending the time to speak with me today. How are you?Karthik: I'm doing great. Thanks for having me, Corey. We'll just go for YugabyteDB being the second-best database. Let's just keep the first [crosstalk 00:01:13]—Corey: Okay. We're all fighting for number two, there. And besides, number two tries harder. It's like that whole branding thing from years past. So, you were one of the original database engineers at Facebook, responsible for building a bunch of nonsense, like Cassandra and HBase. You were an HBase committer, early contributor to Cassandra, even before it was open-sourced.And then you look around and said, “All right, I'm going to go start a company”—roughly around 2016, if memory serves—“And I'm going to go and build a database and bring it to the world.” Let's start at the beginning. Why on God's flat earth do we need another database?Karthik: Yeah, that's the question. That's the million-dollar question isn't it, Corey? So, this is one, fortunately, that we've had to answer so many times from 2016, that I guess we've gotten a little good at it. So, here's the learning that a lot of us had from Facebook: we were the original team, like, all three of us founders, we met at Facebook, and we not only build databases, we also ran them. And let me paint a picture.Back in 2007, the public cloud really wasn't very common, and people were just going into multi-region, multi-datacenter deployments, and Facebook was just starting to take off, to really scale. Now, forward to 2013—I was there through the entire journey—a number of things happened in Facebook: we saw the rise of the equivalent of Kubernetes which was internally built; we saw, for example, microservice—Corey: Yeah, the Tupperware equivalent, there.Karthik: Tupperware, exactly. You know the name. Yeah, exactly. And we saw how we went from two data centers to multiple data centers, and nearby and faraway data centers—zones and regions, what do you know as today—and a number of such technologies come up. And I was on the database side, and we saw how existing databases wouldn't work to distribute data across nodes, failover, et cetera, et cetera.So, we had to build a new class of databases, what we now know is NoSQL. Now, back in Facebook, I mean, the typical difference between Facebook and an enterprise at large is Facebook has a few really massive applications. For example, you do a set of interactions, you view profiles, you add friends, you talk with them, et cetera, right? These are supermassive in their usage, but they were very few in their access patterns. At Facebook, we were mostly interested in dealing with scale and availability.Existing databases couldn't do it, so we built NoSQL. Now, forward a number of years, I can't tell you how many times I've had conversations with other people building applications that will say, “Hey, can I get a secondary index on the SQL database?” Or, “How about that transaction? I only need it a couple of times; I don't need it all the time, but could you, for example, do multi-row transactions?” And the answer was always, “Not,” because it was never built for that.So today, what we're seeing is that transactional data and transactional applications are all going cloud-native, and they all need to deal with scale and availability. And so the existing databases don't quite cut it. So, the simple answer to why we need it is we need a relational database that can run in the cloud to satisfy just three properties: it needs to be highly available, failures or no, upgrades or no, it needs to be available; it needs to scale on demand, so simply add or remove nodes and scale up or down; and it needs to be able to replicate data across zones, across regions, and a variety of different topologies. So availability, scale, and geographic distribution, along with retaining most of the RDBMS features, the SQL features. That's really what the gap we're trying to solve.Corey: I don't know that I've ever told this story on the podcast, but I want to say it was back in 2009. I flew up to Palo Alto and interviewed at Facebook, and it was a different time, a different era; it turns out that I'm not as good on the whiteboard as I am at running my mouth, so all right, I did not receive an offer, but I think everyone can agree at this point that was for the best. But I saw one of the most impressive things I've ever seen, during a part of that interview process. My interview is scheduled for a conference room for must have been 11 o'clock or something like that, and at 10:59, they're looking at their watch, like, “Hang on ten seconds.” And then the person I was with reached out to knock on the door to let the person know that their meeting was over and the door opened.So, it's very clear that even in large companies, which Facebook very much was at the time, people had synchronized clocks. This seems to be a thing, as I've learned from reading the parts that I could understand of the Google Spanner paper: when you're doing distributed databases, clocks are super important. At places like Facebook, that is, I'm not going to say it's easy, let's be clear here. Nothing is easy, particularly at scale, but Facebook has advantages in that they can mandate how clocks are going to be handled throughout every piece of their infrastructure. You're building an open-source database and you can't guarantee in what environment and on what hardware that's going to run, and, “You must have an atomic clock hooked up,” is not something you're generally allowed to tell people. How do you get around that?Karthik: That's a great question. Very insightful, cutting right to the chase. So, the reality is, we cannot rely on atomic clocks, we cannot mandate our users to use them, or, you know, we'd not be very popularly used in a variety of different deployments. In fact, we also work in on-prem private clouds and hybrid deployments where you really cannot get these atomic clocks. So, the way we do this is we come up with other algorithms to make sure that we're able to get the clocks as synchronized as we can.So, think about at a higher level; the reason Google uses atomic clocks is to make sure that they can wait to make sure every other machine is synchronized with them, and the wait time is about seven milliseconds. So, the atomic clock service, or the true time service, says no two machines are farther apart than about seven milliseconds. So, you just wait for seven milliseconds, you know everybody else has caught up with you. And the reason you need this is you don't want to write on a machine, you don't want to write some data, and then go to a machine that has a future or an older time and get inconsistent results. So, just by waiting seven milliseconds, they can ensure that no one is going to be older and therefore serve an older version of the data, so every write that was written on the other machine see it.Now, the way we do this is we only have NTP, the Network Time Protocol, which does synchronization of time across machines, except it takes 150 to 200 milliseconds. Now, we wouldn't be a very good database, if we said, “Look, every operation is going to take 150 milliseconds.” So, within these 150 milliseconds, we actually do the synchronization in software. So, we replaced the notion of an atomic clock with what is called a hybrid logical clock. So, one part using NTP and physical time, and another part using counters and logical time and keep exchanging RPCs—which are needed in the course of the database functioning anyway—to make sure we start normalizing time very quickly.This in fact has some advantages—and disadvantages, everything was a trade-offs—but the advantage it has over a true time-style deployment is you don't even have to wait that seven milliseconds in a number of scenarios, you can just instantly respond. So, that means you get even lower latencies in some cases. Of course, the trade-off is there are other cases where you have to do more work, and therefore more latency.Corey: The idea absolutely makes sense. You started this as an open-source project, and it's thriving. Who's using it and for what purposes?Karthik: Okay, so one of the fundamental tenets of building this database—I think back to your question of why does the world need another database—is that the hypothesis is not so much the world needs another database API; that's really what users complain against, right? You create a new API and—even if it's SQL—and you tell people, “Look. Here's a new database. It does everything for you,” it'll take them two years to figure out what the hell it does, and build an app, and then put it in production, and then they'll build a second and a third, and then by the time they hit the tenth app, they find out, “Okay, this database cannot do the following things.” But you're five years in; you're stuck, you can only add another database.That's really the story of how NoSQL evolved. And it wasn't built as a general-purpose database, right? So, in the meanwhile, databases like Postgres, for example, have been around for so long that they absorb and have such a large ecosystem, and usage, and people who know how to use Postgres and so on. So, we made the decision that we're going to keep the database API compatible with known things, so people really know how to use them from the get-go and enhance it at a lower level to make a cloud-native. So, what is YugabyteDB do for people?It is the same as Postgres and Postgres features of the upper half—it reuses the code—but it is built on the lower half to be [shared nothing 00:09:10], scalable, resilient, and geographically distributed. So, we're using the public cloud managed database context, the upper half is built like Amazon Aurora, the lower half is built like Google Spanner. Now, when you think about workloads that can benefit from this, we're a transactional database that can serve user-facing applications and real-time applications that have lower latency. So, the best way to think about it is, people that are building transactional applications on top of, say, a database like Postgres, but the application itself is cloud-native. You'd have to do a lot of work to make this Postgres piece be highly available, and scalable, and replicate data, and so on in the cloud.Well, with YugabyteDB, we've done all that work for you and it's as open-source as Postgres, so if you're building a cloud-native app on Postgres that's user-facing or transactional, YugabyteDB takes care of making the database layer behave like Postgres but become cloud-native.Corey: Do you find that your users are using the same database instance, for lack of a better term? I know that instance is sort of a nebulous term; we're talking about something that's distributed. But are they having database instances that span multiple cloud providers, or is that something that is more talk than you're actually seeing in the wild?Karthik: So, I'd probably replace the word ‘instance' with ‘cluster', just for clarity, right?Corey: Excellent. Okay.Karthik: So, a cluster has a bunch—Corey: I concede the point, absolutely.Karthik: Okay. [laugh]. Okay. So, we'll still keep Route 53 on top, though, so it's good. [laugh].Corey: At that point, the replication strategy is called a zone transfer, but that's neither here nor there. Please, by all means, continue.Karthik: [laugh]. Okay. So, a cluster database like YugabyteDB has a number of instances. Now, I think the question is, is it theoretical or real? What we're seeing is, it is real, and it is real perhaps in slightly different ways than people imagine it to be.So, I'll explain what I mean by that. Now, there's one notion of being multi-cloud where you can imagine there's like, say, the same cluster that spans multiple different clouds, and you have your data being written in one cloud and being read from another. This is not a common pattern, although we have had one or two deployments that are attempting to do this. Now, a second deployment shifted once over from there is where you have your multiple instances in a single public cloud, and a bunch of other instances in a private cloud. So, it stretches the database across public and private—you would call this a hybrid deployment topology—that is more common.So, one of the unique things about YugabyteDB is we support asynchronous replication of data, just like your RDBMSs do, the traditional RDBMSs. In fact, we're the only one that straddles both synchronous replication of data as well as asynchronous replication of data. We do both. So, once shifted over would be a cluster that's deployed in one of the clouds but an asynchronous replica of the data going to another cloud, and so you can keep your reads and writes—even though they're a little stale, you can serve it from a different cloud. And then once again, you can make it an on-prem private cloud, and another public cloud.And we see all of those deployments, those are massively common. And then the last one over would be the same instance of an app, or perhaps even different applications, some of them running on one public cloud and some of them running on a different public cloud, and you want the same database underneath to have characteristics of scale and failover. Like for example, if you built an app on Spanner, what would you do if you went to Amazon and wanted to run it for a different set of users?Corey: That is part of the reason I tend to avoid the idea of picking a database that does not have at least theoretical exit path because reimagining your entire application's data model in order to migrate is not going to happen, so—Karthik: Exactly.Corey: —come hell or high water, you're stuck with something like that where it lives. So, even though I'm a big proponent as a best practice—and again, there are exceptions where this does not make sense, but as a general piece of guidance—I always suggest, pick a provider—I don't care which one—and go all-in. But that also should be shaded with the nuance of, but also, at least have an eye toward theoretically, if you had to leave, consider that if there's a viable alternative. And in some cases in the early days of Spanner, there really wasn't. So, if you needed that functionality, okay, go ahead and use it, but understand the trade-off you're making.Now, this really comes down to, from my perspective, understand the trade-offs. But the reason I'm interested in your perspective on this is because you are providing an open-source database to people who are actually doing things in the wild. There's not much agenda there, in the same way, among a user community of people reporting what they're doing. So, you have in many ways, one of the least biased perspectives on the entire enterprise.Karthik: Oh, yeah, absolutely. And like I said, I started from the least common to the most common; maybe I should have gone the other way. But we absolutely see people that want to run the same application stack in multiple different clouds for a variety of reasons.Corey: Oh, if you're a SaaS vendor, for example, it's, “Oh, we're only in this one cloud,” potential customers who in other clouds say, “Well, if that changes, we'll give you money.” “Oh, money. Did you say ‘other cloud?' I thought you said something completely different. Here you go.” Yeah, you've got to at some point. But the core of what you do, beyond what it takes to get that application present somewhere else, you usually keep in your primary cloud provider.Karthik: Exactly. Yep, exactly. Crazy things sometimes dictate or have to dictate architectural decisions. For example, you're seeing the rise of compliance. Different countries have different regulatory reasons to say, “Keep my data local,” or, “Keep some subset of data are local.”And you simply may not find the right cloud providers present in those countries; you may be a PaaS or an API provider that's helping other people build applications, and the applications that the API provider's customers are running could be across different clouds. And so they would want the data local, otherwise, the transfer costs would be really high. So, a number of reasons dictate—or like a large company may acquire another company that was operating in yet another cloud; everything else is great, but they're in another cloud; they're not going to say, “No because you're operating on another cloud.” It still does what they want, but they still need to be able to have a common base of expertise for their app builders, and so on. So, a number of things dictate why people started looking at cross-cloud databases with common performance and operational characteristics and security characteristics, but don't compromise on the feature set, right?That's starting to become super important, from our perspective. I think what's most important is the ability to run the database with ease while not compromising on your developer agility or the ability to build your application. That's the most important thing.Corey: When you founded the company back in 2016, you are VC-backed, so I imagine your investor pitch meetings must have been something a little bit surreal. They ask hard questions such as, “Why do you think that in 2016, starting a company to go and sell databases to people is a viable business model?” At which point you obviously corrected them and said, “Oh, you misunderstand. We're building an open-source database. We're not charging for it; we're giving it away.”And they apparently said, “Oh, that's more like it.” And then invested, as of the time of this recording, over $100 million in your company. Let me to be the first to say there are aspects of money that I don't fully understand and this is one of those. But what is the plan here? How do you wind up building a business case around effectively giving something away for free?And I want to be clear here, Yugabyte is open-source, and I don't have an asterisk next to that. It is not one of those ‘source available' licenses, or ‘anyone can do anything they want with it except Amazon' or ‘you're not allowed to host it and offer it as a paid service to other people.' So, how do you have a business, I guess is really my question here?Karthik: You're right, Corey. We're 100% open-source under Apache 2.0—I mean the database. So, our theory on day one—I mean, of course, this was a hard question and people did ask us this, and then I'll take you guys back to 2016. It was unclear, even as of 2016, if open-source companies were going to succeed. It was just unclear.And people were like, “Hey, look at Snowflake; it's a completely managed service. They're not open-source; they're doing a great job. Do you really need open-source to succeed?” There were a lot of such questions. And every company, every project, every space has to follow its own path, just applying learnings.Like for example, Red Hat was open-source and that really succeeded, but there's a number of others that may or may not have succeeded. So, our plan back then was to tread the waters carefully in the sense we really had to make sure open-source was the business model we wanted to go for. So, under the advisement from our VCs, we said we'd take it slowly; we want to open-source on day one. We've talked to a number of our users and customers and make sure that is indeed the path we've wanted to go. The conversations pretty clearly told us people wanted an open database that was very easy for them to understand because if they are trusting their crown jewels, their most critical data, their systems of record—this is what the business depends on—into a database, they sure as hell want to have some control over it and some transparency as to what goes on, what's planned, what's on the roadmap. “Look, if you don't have time, I will hire my people to go build for it.” They want it to be able to invest in the database.So, open-source was absolutely non-negotiable for us. We tried the traditional technique for a couple of years of keeping a small portion of the features of the database itself closed, so it's what you'd call ‘open core.' But on day one, we were pretty clear that the world was headed towards DBaaS—Database as a Service—and make it really easy to consume.Corey: At least the bad patterns as well, like, “Oh, if you want security, that's a paid feature.”Karthik: Exactly.Corey: No. That is not optional. And the list then of what you can wind up adding as paid versus not gets murky, and you're effectively fighting your community when they try and merge some of those features in and it just turns into a mess.Karthik: Exactly. So, it did for us for a couple of years, and then we said, “Look, we're not doing this nonsense. We're just going to make everything open and just make it simple.” Because our promise to the users was, we're building everything that looks like Postgres, so it's as valuable as Postgres, and it'll work in the cloud. And people said, “Look, Postgres is completely open and you guys are keeping a few features not open. What gives?”And so after that, we had to concede the point and just do that. But one of the other founding pieces of a company, the business side, was that DBaaS and ability to consume the database is actually far more critical than whether the database itself is open-source or not. I would compare this to, for example, MySQL and Postgres being completely open-source, but you know, Amazon's Aurora being actually a big business, and similarly, it happens all over the place. So, it is really the ability to consume and run business-critical workloads that seem to be more important for our customers and enterprises that paid us. So, the day-one thesis was, look, the world is headed towards DBaaS.We saw that already happen with inside Facebook; everybody was automated operations, simplified operations, and so on. But the reality is, we're a startup, we're a new database, no one's going to trust everything to us: the database, the operations, the data, “Hey, why don't we put it on this tiny company. And oh, it's just my most business-critical data, so what could go wrong?” So, we said we're going to build a version of our DBaaS that is in software. So, we call this Yugabyte Platform, and it actually understands public clouds: it can spin up machines, it can completely orchestrate software installs, rolling upgrades, turnkey encryption, alerting, the whole nine yards.That's a completely different offering from the database. It's not the database, it's just on top of the database and helps you run your own private cloud. So, effectively if you install it on your Amazon account or your Google account, it will convert it into what looks like a DynamoDB, or a Spanner, or what have you with you, with Yugabyte as DB as the database inside. So, that is our commercial product; that's source available and that's what we charge for. The database itself, completely open.Again, the other piece of the thinking is, if we ever charge too much, our customers have the option to say, “Look, I don't want your DBaaS thing; I'm going to the open-source database and we're fine with that.” So, we really want to charge for value. And obviously, we have a completely managed version of our database as well. So, we reuse this platform for our managed version, so you can kind of think of it as portability, not just of the database but also of the control plane, the DBaaS plane.They can run it themselves, we can run it for them, they could take it to a different cloud, so on and so forth.Corey: I like that monetization model a lot better than a couple of others. I mean, let's be clear here, you've spent a lot of time developing some of these concepts for the industry when you were at Facebook. And because at Facebook, the other monetization models are kind of terrifying, like, “Okay. We're going to just monetize the data you store in the open-source database,” is terrifying. Only slightly less would be the Google approach of, “Ah, every time you wind up running a SQL query, we're going to insert ads.”So, I like the model of being able to offer features that only folks who already have expensive problems with money to burn on those problems to solve them will gravitate towards. You're not disadvantaging the community or the small startup who wants it but can't afford it. I like that model.Karthik: Actually, the funny thing is, we are seeing a lot of startups also consume our product a lot. And the reason is because we only charge for the value we bring. Typically the problems that a startup faces are actually much simpler than the complex requirements of an enterprise at scale. They are different. So, the value is also proportional to what they want and how much they want to consume, and that takes care of itself.So, for us, we see that startups, equally so as enterprises, have only limited amount of bandwidth. They don't really want to spend time on operationalizing the database, especially if they have an out to say, “Look, tomorrow, this gets expensive; I can actually put in the time and money to move out and go run this myself. Why don't I just get started because the budget seems fine, and I couldn't have done it better myself anyway because I'd have to put people on it and that's more expensive at this point.” So, it doesn't change the fundamentals of the model; I just want to point out, both sides are actually gravitating to this model.Corey: This episode is sponsored in part by our friends at Jellyfish. So, you're sitting in front of your office chair, bleary eyed, parked in front of a powerpoint and—oh my sweet feathery Jesus its the night before the board meeting, because of course it is! As you slot that crappy screenshot of traffic light colored excel tables into your deck, or sift through endless spreadsheets looking for just the right data set, have you ever wondered, why is it that sales and marketing get all this shiny, awesome analytics and inside tools? Whereas, engineering basically gets left with the dregs. Well, the founders of Jellyfish certainly did. That's why they created the Jellyfish Engineering Management Platform, but don't you dare call it JEMP! Designed to make it simple to analyze your engineering organization, Jellyfish ingests signals from your tech stack. Including JIRA, Git, and collaborative tools. Yes, depressing to think of those things as your tech stack but this is 2021. They use that to create a model that accurately reflects just how the breakdown of engineering work aligns with your wider business objectives. In other words, it translates from code into spreadsheet. When you have to explain what you're doing from an engineering perspective to people whose primary IDE is Microsoft Powerpoint, consider Jellyfish. Thats Jellyfish.co and tell them Corey sent you! Watch for the wince, thats my favorite part.Corey: A number of different surveys have come out that say overwhelmingly companies prefer open-source databases, and this is waved around as a banner of victory by a lot of—well, let's be honest—open-source database companies. I posit that is in fact crap and also bad data because what the open-source purists—of which I admit, I used to be one, and now I solve business problems instead—believe that people are talking about freedom, and choice, and the rest. In practice, in my experience, what people are really distilling that down to is they don't want a commercial database. And it's not even about they're not willing to pay money for it, but they don't want to have a per-core licensing challenge, or even having to track licensing of where it is installed and how, and wind up having to cut checks for folks. For example, I'm going to dunk on someone because why not?Azure for a while has had this campaign that it is five times cheaper to run some Microsoft SQL workloads in Azure than it is on AWS as if this was some magic engineering feat of strength or something. It's absolutely not, it's that it is really expensive licensing-wise to run it on things that aren't Azure. And that doesn't make customers feel good. That's the thing they want to get away from, and what open-source license it is, and in many cases, until the source-available stuff starts trending towards, “Oh, you're going to pay us or you're not going to run it at all,” that scares the living hell out of people, then they don't actually care about it being open. So, at the risk of alienating, I'm sure, some of the more vocal parts of your constituency, where do you fall on that?Karthik: We are completely open, but for a few reasons right? Like, multiple different reasons. The debate of whether it purely is open or is completely permissible, to me, I tend to think a little more where people care about the openness more so than just the ability to consume at will without worrying about the license, but for a few different reasons, and it depends on which segment of the market you look at. If you're talking about small and medium businesses and startups, you're absolutely right; it doesn't matter. But if you're looking at larger companies, they actually care that, like for example, if they want a feature, they are able to control their destiny because you don't want to be half-wedded to a database that cannot solve everything, especially when the time pressure comes or you need to do something.So, you want to be able to control or to influence the roadmap of the project. You want to know how the product is built—the good and the bad—you want a lot of people testing the product and their feedback to come out in the open, so you at least know what's wrong. Many times people often feel like, “Hey, my product doesn't work in these areas,” is actually a bad thing. It's actually a good thing because at least those people won't try it and [laugh] they'll be safe. Customer satisfaction is more important than just the apparent whatever it is that you want to project about the product.At least that's what I've learned in all these years working with databases. But there's a number of reasons why open-source is actually good. There's also a very subtle reason that people may not understand which is that legal teams—engineering teams that want to build products don't want to get caught up in a legal review that takes many months to really make sure, look, this may be a unique version of a license, but it's not a license the legal team as seen before, and there's going to be a back and forth for many months, and it's just going to derail their product and their timelines, not because the database didn't do its job or because the team wasn't ready, but because the company doesn't know what the risk it'll face in the future is. There's a number of these aspects where open-source starts to matter for real. I'm not a purist, I would say.I'm a pragmatist, and I have always been, but I would say that a number of reasons why–you know, I might be sounding like a purist, but a number of reasons why a true open-source is actually useful, right? And at the end of the day, if we have already established, at least at Yugabyte, we're pretty clear about that, the value is in the consumption and is not in the tech if we're pretty clear about that. Because if you want to run a tier-two workload or a hobbyist app at home, would you want to pay for a database? Probably not. I just want to do something for a while and then shut it down and go do my thing. I don't care if the database is commercial or open-source. In that case, being open-source doesn't really take away. But if you're a large company betting, it does take away. So.Corey: Oh, it goes beyond that because it's not even, in the large company story, whether it costs money because regardless, I assure you, open-source is not free; the most expensive thing that we see in all of our customer accounts—again, our consultancy fixes AWS bills, an expensive problem that hits everyone—the environment in AWS is always less expensive than the people who are working on the environment. Payroll is an expense that dwarfs the AWS bill for anyone that is not a tiny startup that is still not paying a market-rate salary to its founders. It doesn't work that way. And the idea, for those folks is, not about the money, it's about the predictability. And if there's a 5x price hike from their database manager that suddenly completely disrupts their unit economic model, and they're in trouble. That's the value of open-source in that it can go anywhere. It's a form of not being locked into any vendor where it's hosted, as well as, now, no one company that has put it out there into the world.Karthik: Yeah, and the source-available license, we considered that also. The reason to vote against that was you can get into scenarios where the company gets competitive with his open-source site where the open-source wants a couple other features to really make it work for their own use case, like you know, case in point is the startup, but the company wants to hold those features for the commercial side, and now the startup has that 5x price jump anyway. So, at this point, it comes to a head-on where the company—the startup—is being charged not for value, but because of the monetization model or the business model. So, we said, “You know what? The best way to do this is to truly compete against open-source. If someone wants to operationalize the database, great. But we've already done it for you.” If you think that you can operationalize it at a lower cost than what we've done, great. That's fine.Corey: I have to ask, there has to have been a question somewhere along the way, during the investment process of, what if AWS moves into your market? And I can already say part of the problem with that line of reasoning is, okay, let's assume that AWS turns Yugabyte into a managed database offering. First, they're not going to be able to articulate for crap why you should use that over anything else because they tend to mumble when it comes time to explain what it is that they do. But it has to be perceived as a competitive threat. How do you think about that?Karthik: Yeah, this absolutely came up quite a bit. And like I said, in 2016, this wasn't news back then; this is something that was happening in the world already. So, I'll give you a couple of different points of view on this. The reason why AWS got so successful in building a cloud is not because they wanted to get into the database space; they simply wanted their cloud to be super successful and required value-added services like these databases. Now, every time a new technology shift happens, it gives some set of people an unfair advantage.In this case, database vendors probably didn't recognize how important the cloud was and how important it was to build a first-class experience on the cloud on day one, as the cloud came up because it wasn't proven, and they had twenty other things to do, and it's rightfully so. Now, AWS comes up, and they're trying to prove a point that the cloud is really useful and absolutely valuable for their customers, and so they start putting value-added services, and now suddenly you're in this open-source battle. At least that's how I would view that it kind of developed. With Yugabyte, obviously, the cloud's already here; we know on day one, so we're kind of putting out our managed service so we'll be as good as AWS or better. The database has its value, but the managed service has its own value, and so we'd want to make sure we provide at least as much value as AWS, but on any cloud, anywhere.So, that's the other part. And we also talked about the mobility of the DBaaS itself, the moving it to your private account and running the same thing, as well as for public. So, these are some of the things that we have built that we believe makes us super valuable.Corey: It's a better approach than a lot of your predecessor companies who decided, “Oh, well, we built the thing; obviously, we're going to be the best at running it. The end.” Because they dramatically sold AWS's operational excellence short. And it turns out, they're very good at running things at scale. So, that's a challenging thing to beat them on.And even if you're able to, it's hard to differentiate among the differences because at that caliber of operational rigor, it's one of those, you can only tell in the very niche cases; it's a hard thing to differentiate on. I like your approach a lot better. Before we go, I have one last question for you, and normally, it's one of those positive uplifting ones of what workloads are best for Yugabyte, but I think that's boring; let's be more cynical and negative. What workloads would run like absolute crap on YugabyteDB?Karthik: [laugh]. Okay, we do have a thing for this because we don't want to take on workloads and, you know, everybody have a bad experience around. So, we're a transactional database built for user-facing applications, real-time, and so on, right? We're not good at warehousing and analytic workloads. So, for example, if you were using a Snowflake or a Redshift, those workloads are not going to work very well on top of Yugabyte.Now, we do work with other external systems like Spark, and Presto, which are real-time analytic systems, but they translate the queries that the end-user have into a more operational type of query pattern. However, if you're using it straight-up for analytics, we're not a good bet. Similarly, there's cases where people want very high number of IOPS by reusing a cache or even a persistent cache. Amazon just came out with a [number of 00:31:04] persistent cache that does very high throughput and low-latency serving. We're not good at that.We can do reasonably low-latency serving and reasonably high IOPS at scale, but we're not the use case where you want to hit that same lookup over and over and over, millions of times in a second; that's not the use case for us. The third thing I'd say is, we're a system of record, so people care about the data they put, and they don't absolutely don't want to lose it and they want to show that it's transactional. So, if there's a workload where there's a lot of data and you're okay if you want to lose, and it's just some sensor data, and your reasoning is like, “Okay, if I lose a few data points, it's fine.” I mean, you could still use us, but at that point you'd really have to be a fanboy or something for Yugabyte. I mean, there's other databases that probably do it better.Corey: Yeah, that's the problem is whenever someone says, “Oh, yeah. Database”—or any tool that they've built—“Like, this is great.” “What workloads is it not a fit for?” And their answer is, “Oh, nothing. It's perfect for everything.”Yeah, I want to believe you, but my inner bullshit sense is tingling on that one because nothing's fit for all purposes; it doesn't work that way. Honestly, this is going to be, I guess, heresy in the engineering world, but even computers aren't always the right answer for things. Who knew?Karthik: As a founder, I struggled with this answer a lot, initially. I think the problem is, when you're thinking about a problem space, that's all you're thinking about, you don't know what other problem spaces exist, and when you are asked the question, “What workloads is it a fit for?” At least I used to say, initially, “Everything,” because I'm only thinking about that problem space as the world, and it's fit for everything in that problem space, except I don't know how to articulate the problem space—Corey: Right—Karthik: —[crosstalk 00:32:33]. [laugh].Corey: —and at some point, too, you get so locked into one particular way of thinking that the world that people ask about other cases like, “Oh, that wouldn't count.” And then your follow-up question is, “Wait, what's a bank?” And it becomes a different story. It's, how do you wind up reasoning about these things? I want to thank you for taking all the time you have today to speak with me. If people want to learn more about Yugabyte—either the company or the DB—how can they do that?Karthik: Yeah, thank you as well for having me. I think to learn about Yugabyte, just come join our community Slack channel. There's a lot of people; there's, like, over 3000 people. They're all talking interesting questions. There's a lot of interesting chatter on there, so that's one way.We have an industry-wide event, it's called the Distributed SQL Summit. It's coming up September 22nd, 23rd, I think a couple of days; it's a two-day event. That would be a great place to actually learn from practitioners, and people building applications, and people in the general space and its adjacencies. And it's not necessarily just about Yugabyte; it's generally about distributed SQL databases, in general, hence it's called the Distributed SQL Summit. And then you can ask us on Twitter or any of the usual social channels as well. So, we love interaction, so we are pretty open and transparent company. We love to talk to you guys.Corey: Well, thank you so much for taking the time to speak with me. Well, of course, throw links to that into the [show notes 00:33:43]. Thank you again.Karthik: Awesome. Thanks a lot for having me. It was really fun. Thank you.Corey: Likewise. Karthik Ranganathan, CTO, and co-founder of YugabyteDB. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry comment, halfway through realizing that I'm not charging you anything for this podcast and converting the angry comment into a term sheet for $100 million investment.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

In this episode of Chase the Vision, I sit down with Blitzmetrics' founder and CEO, Dennis Yu in what I would call my most captivating interview to date. With a less technical and more personal approach, our conversation covers Yu's early years and his experiences with mentors, to recent challenges he has been faced with within his businesses. If you want to learn from somebody who's worked at Yahoo, has a course coming out with Jake Paul, and has spoken on literally hundreds of stages, this is for you. If you want a glitz and glamour, fake guru, I'd suggest looking elsewhere.

About EvEv Kontsevoy is Co-Founder and CEO of Teleport. An engineer by training, Kontsevoy launched Teleport in 2015 to provide other engineers solutions that allow them to quickly access and run any computing resource anywhere on the planet without having to worry about security and compliance issues. A serial entrepreneur, Ev was CEO and co-founder of Mailgun, which he successfully sold to Rackspace. Prior to Mailgun, Ev has had a variety of engineering roles. He holds a BS degree in Mathematics from Siberian Federal University, and has a passion for trains and vintage-film cameras.Links: Teleport: https://goteleport.com Teleport GitHub: https://github.com/gravitational/teleport Teleport Slack: https://goteleport.slack.com/join/shared_invite/zt-midnn9bn-AQKcq5NNDs9ojELKlgwJUA Previous episode with Ev Kontsevoy: https://www.lastweekinaws.com/podcast/screaming-in-the-cloud/the-gravitational-pull-of-simplicity-with-ev-kontsevoy/ TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at VMware. Let's be honest—the past year has been far from easy. Due to, well, everything. It caused us to rush cloud migrations and digital transformation, which of course means long hours refactoring your apps, surprises on your cloud bill, misconfigurations and headache for everyone trying manage disparate and fractured cloud environments. VMware has an answer for this. With VMware multi-cloud solutions, organizations have the choice, speed, and control to migrate and optimizeapplications seamlessly without recoding, take the fastest path to modern infrastructure, and operate consistently across the data center, the edge, and any cloud. I urge to take a look at vmware.com/go/multicloud. You know my opinions on multi cloud by now, but there's a lot of stuff in here that works on any cloud. But don't take it from me thats: vmware.com/go/multicloud and my thanks to them again for sponsoring my ridiculous nonsense.Corey: You could build you go ahead and build your own coding and mapping notification system, but it takes time, and it sucks! Alternately, consider Courier, who is sponsoring this episode. They make it easy. You can call a single send API for all of your notifications and channels. You can control the complexity around routing, retries, and deliverability and simplify your notification sequences with automation rules. Visit courier.com today and get started for free. If you wind up talking to them, tell them I sent you and watch them wince—because everyone does when you bring up my name. Thats the glorious part of being me. Once again, you could build your own notification system but why on god's flat earth would you do that?Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. Roughly a year ago, I had a promoted guest episode featuring Ev Kontsevoy, the co-founder and CEO of Teleport.A year has passed and what a year it's been. Ev is back to tell us more about what they've been up to for the past year and, ideally, how things may have changed over in the security space. Ev, thank you for coming back to suffer the slings and arrows I will no doubt be hurling your way almost immediately.Ev: Thanks for having me back, Corey.Corey: So, it's been a heck of a year. We were basically settling into the pandemic when last we recorded, and people's security requirements when everyone is remote were dramatically changing. A year later, what's changed? It seems like the frantic, grab a bucket and start bailing philosophy has largely been accepted with something that feels almost like a new normal, ish. What are you seeing?Ev: Yes, we're seeing exact same thing, that it's really hard to tell what is normal. So, at the beginning of the pandemic, our company, Teleport was, so we were about 25 people. And then once we got the vaccines, and the government restrictions started to, kind of, disappear, people started to ask, “So, when are we going to go back to normal?” But the thing is, we're 100 employees now, which means that three-quarters of the company, they joined us during the pandemic, so we have no normal to go back to. So, now we have to redefine—not redefined, we just basically need to get comfortable with this new, fully remote culture with fully remote identity that we have, and become comfortable with it. And that's what we're doing.Corey: Beyond what, I guess, you're seeing, as far as the culture goes, internally as well, it feels like there's been a distinct shift in the past year or so, the entire security industry. I mean, I can sit here and talk about what I've seen, but again, I'm all over the place and I deal with a very select series of conversations. And I try not to confuse anecdotes with data. Anecdata is not the most reliable thing. You're working in this space. That is the entire industry you're in. How has the conversation in the industry around security shifted? What's new? What trends are emerging?Ev: So, there are several things actually happening. So, first of all, I wouldn't call ourselves, like, we do all of security. So, we're experts in access; like, how do you act this everything that you have in your cloud or in your data centers? And that space has been going through one transformation after another. It's been basically under the same scaling stress as the rest of cloud computing industry.And we can talk about historical changes that have been happening, and then we can talk a little bit about, kind of, latest and greatest. And in terms of what challenges companies have with secure access, maybe it helps if I just quickly describe what ‘access' actually means.Corey: Please, by all means. It's one of those words that everyone knows, but if you ask three people to define it, you'll get five definitions—Ev: [laugh]. Exactly.Corey: —and they don't really align. So please, you're the expert on this; I am here to listen because I guarantee you I am guilty of misusing the term at least once so far, today.Ev: Can't blame you. Can't blame you. We are—I was same way until I got into this space. So, access basically means four things. So, if you want to have access done properly into your cloud resources, you need to think about four things.First is connectivity. That's basically a physical ability to deliver an encrypted packet from a client to destination, to a resource whatever that is, could be database, could be, like, SSH machine, or whatever it is you're connecting to. So, connectivity is number one. So, then you need to authenticate. Authentication, that's when the resource decides if you should have access or not, based on who you are, hopefully.So, then authorization, that's the third component. Authorization, the difference—like, sometimes people confuse the two—the difference between authentication and authorization is that authorization is when you already authenticated, but the resource decides what actions you are allowed to perform. The typical example is, like, is it read-only or read-write access? So, that's authorization, deciding on which actions you're allowed to perform. And the final component of having access properly is having audit or visibility which is, again, it could be real-time and historical.So ideally, you need to have both. So, once you have those two solved, then you solved your access problem. And historically, if you look at how access has been done—so we had these giant machines, then we had microcomputers, then we had PCs, and they all have these things. So, you login into your Mac, and then if you try to delete certain file, you might get access denied. So, you see there is connectivity—in this case, it's physical, a keyboard is physically connected to the [laugh] actual machine; so then you have authentication that you log in in the beginning; then authorization, if you can or cannot do certain things in your machine; and finally, your Mac keeps an audit log.But then once the industry, we got the internet, we got all these clouds, so amount of these components that we're now operating on, we have hundreds of thousands of servers, and load-balancers, and databases, and Kubernetes clusters, and dashboards, all of these things, all of them implement these four things: connectivity, authentication, authorization, audit.Corey: Let me drive into that for a minute first, to make sure I'm clear on something. Connectivity makes sense. The network is the computer, et cetera. When you don't have a network to something, it may as well not exist. I get that.And the last one you mentioned, audit of a trail of who done it and who did what, when, that makes sense to me. But authentication and authorization are the two slippery ones in my mind that tend to converge a fair bit. Can you dive a little bit in delineate what the difference is between those two, please?Ev: So authentication, if you try to authenticate into a database, database needs to check if you are on the list of people who should be allowed to access. That's authentication, you need to prove that you are who you claim you are.Corey: Do you have an account and credentials to get into that account?Ev: Correct. And they're good ways to do authentication and bad ways to do authentication. So, bad way to do authentication—and a lot of companies actually guilty of that—if you're using shared credentials. Let's say you have a user called ‘admin' and that user has a password, and those are stored in some kind of stored—in, like 1Password, or something like Vault, some kind of encrypted Vault, and then when someone needs to access a database, they go and borrow this credentials and they go and do that. So, that is an awful way to do authentication.Corey: Now, another way I've seen that's terrible as been also, “Oh, if you're connecting from this network, you must be allowed in,” which is just… yeee.Ev: Oh, yeah. That's a different sin. And that's a perimeter security sin. But a much better way to do authentication is what is called identity-based authentication. Identity means that you always use your identity of who you are within the company.So, you would go in through corporate SSO, something like Okta, or Active Directory, or even Google, or GitHub, and then based on that information, you're given access. So, the resource in this case database, [unintelligible 00:07:39] say, “Oh, it's Corey. And Corey is a member of this group, and also a member of that group.” And based on that it allows you to get in, but that's where authentication ends. And now, if you want to do something, like let's say you want to delete some data, now a database needs to check, ah, can you actually perform that action? That is the authorization process.And to do that, usually, we use some mechanism like role-based access control. It will look into which group are you in. Oh, you are an admin, so admins have more privileges than regular people. So, then that's the process of authorization.And the importance of separating the two, and important to use identity because remember, audit is another important component of implementing access properly. So, if you're sharing credentials, for example, you will see in your audit log, “Admin did this. Admin did that.” It's exact same admin, but you don't know who actually was behind that action. So, by sharing credentials, you're also obscuring your own audit which is why it's not really a good thing.And going back to this industry trends is that because the amount of these resources, like databases and servers and so on, in the cloud has gotten so huge, so we now have this hardware pain, we just have too many things that need access. And all of these things, the software itself is getting more complicated, so now we have a software pain as well, that you have so many different layers in your stack that they need to access. That's another dimension for introducing access pain. And also, we just have more developers, and the development teams are getting bigger and bigger, the software is eating the world, so there is a people-ware pain. So, on the one hand, you have these four problems you need to solve—connectivity, authentication, authorization, access—and on the other hand, you have more hardware, more software, more people, these pain points.And so you need to consolidate, and that's really what we do is that we allow you to have a single place where you can do connectivity, authentication, authorization, and audit, for everything that you have in the cloud. We basically believe that the future is going to be like metaverse, like in those books. So, all of these cloud resources are slowly converging into this one giant planetary-scale computer.Corey: Suddenly, “I live on Twitter,” is no longer going to be quite as much of a metaphor as it is today.Ev: [laugh]. No, no. Yeah, I think we're getting better. If you look into what is actually happening on our computing devices that we buy, the answer is not the lot, so everything is running in data centers, the paradigm of thin client seems to be winning. Let's just embrace that.Corey: Yeah. You're never going to be able to shove data centers worth compute into a phone. By the time you can get there, data centers will have gotten better. It's the constant question of where do you want things to live? How do you want that to interact?I talk periodically about multi-cloud, I talk about lock-in, everyone is concerned about vendor lock-in, but the thing that people tend to mostly ignore is that you're already locked in throught a variety of different ways. And one way is both the networking side of it as well as the identity management piece because every cloud handles that differently and equating those same things between different providers that work different ways is monstrous. Is that the story of what you're approaching from a Teleport perspective? Is that the primary use case, is that an ancillary use case, or are we thinking about this in too small a term?Ev: So, you're absolutely right, being locked in, in and—like, by itself is not a bad thing. It's a trade-off. So, if you lack expertise in something and you outsourcing certain capability to a provider, then you're developing that dependency, you may call it lock-in or not, but that needs to be a conscious decision. Like, well, you didn't know how to do it, then someone else was doing it for you, so you should be okay with the lock-in. However, there is a danger, that, kind of, industry-wide danger about everyone relying on one single provider.So, that is really what we all try to avoid. And with identity specifically, I feel like we're in a really good spot that fairly early, I don't see a single provider emerging as owning everyone's identity. You know, some people use Okta; others totally happy tying everything to Google Apps. So, then you have people that rely on Amazon AWS native credentials, then plenty of smaller companies, they totally happy having all of their engineers authenticate through GitHub, so they use GitHub as a source of identity. And the fact that all of these providers are more or less compatible with each other—so we have protocols like OpenID Connect and SAML, so I'm not that concerned that identity itself is getting captured by a single player.And Teleport is not even playing in that space; we don't keep your identity. We integrate with everybody because, at the end of the day, we want to be the solution of choice for a company, regardless of which identity platform they're using. And some of them using several, like all of the developers might be authenticating via GitHub, but everyone else goes through Google Apps, for example.Corey: And the different product problem. Oh, my stars, I was at a relatively small startup going through an acquisition at one point in my career, and, “All right. Let's list all of the SaaS vendors that we use.” And the answer was something on an average of five per employee by the time you did the numbers out, and—there were hundreds of them—and most of them because it started off small, and great, everyone has their own individual account, we set it up there. I mean, my identity management system here for what most of what I do is LastPass.I have individual accounts there, two-factor auth enabled for anything that supports it, and that is it. Some vendors don't support that: we have to use shared accounts, which is just terrifying. We make sure that we don't use those for anything that's important. But it comes down to, from our perspective, that everyone has their own ridiculous series of approaches, and even if we were to, “All right, it's time to grow up and be a responsible business, and go for a single-sign-on approach.” Which is inevitable as companies scale, and there's nothing wrong with that—but there's still so many of these edge cases and corner case stories that don't integrate.So, it makes the problem smaller, but it's still there rather persistently. And that doesn't even get into the fact that for a lot of these tools, “Oh, you want SAML integration? Smells like enterprise to us.” And suddenly they wind up having an additional surcharge on top of that for accessing it via a federated source of identity, which means there are active incentives early on to not do that. So it's—Ev: It's absolutely insane. Yeah, you're right. You're right. It's almost like you get penalized for being small, like, in the early days. It's not that easy if you have a small project you're working on. Say it's a company of three people and they're just cranking in the garage, and it's just so easy to default to using shared credentials and storing them in LastPass or 1Password. And then the interesting way—like, the longer you wait, the harder it is to go back to use a proper SSO for everything. Yeah.Corey: I do want to call out that Teleport has a free and open-source community edition that supports GitHub SSO, and in order to support enterprise SSO, you have to go to your paid offering. I have no problem with this, to be clear, that you have to at least be our customer before we'll integrate with your SSO solution makes perfect sense, but you don't have a tiering system where, “Oh, you want to add that other SSO thing? And well, then it's going to go from X dollars per employee to Y dollars.” Which is the path that I don't like. I think it's very reasonable to say that their features flat-out you don't get as a free user. And even then you do offer SSO just not the one that some people will want to pick.Ev: Correct. So, the open-source version of Teleport supports SSO that smaller companies use, versus our enterprise offering, we shaped it to be more appealing for companies at certain scale.Corey: Yeah. And you've absolutely nailed it. There are a number of companies in the security space who enraged people about how they wind up doing their differentiation around things like SSO or, God forbid, two-factor auth, or once upon a time, SSL. This is not that problem. I just want to be explicitly clear on that, that is not what I'm talking about. But please, continue.Ev: Look, we see it the same way. We sometimes say that we do not charge for security, like, top-level security you get, is available even in the open-source. And look, it's a common problem for most startups who, when you have an open-source offering, where do you draw the line? And sometimes you can find answers in very unexpected places. For example, let's look into security space.One common reason that companies get compromised is, unfortunately, human factor. You could use the best tool in the world, but if you just by mistake, like, just put a comma in the wrong place and one of your config files just suddenly is out of shape, right, so—Corey: People make mistakes and you can't say, “Never make a mistake.” If you can get your entire company compromised by someone in your office clicking on the wrong link, the solution is not to teach people not to click on links; it's to mitigate the damage and blast radius of someone clicking on a link that they shouldn't. That is resilience that understand their human factors at play.Ev: Yep, exactly. And here's an enterprise feature that was basically given to us by customer requests. So, they would say we want to have FedRAMP compliance because we want to work with federal government, or maybe because we want to work with financial institutions who require us to have that level of compliance. And we tell them, “Yeah, sure. You can configure Teleport to be compliant. Look, here's all the different things that you need to tweak in the config file.”And the answer is, “Well, what if we make a mistake? It's just too costly. Can we have Teleport just automatically works in that mode?” In other words, if you feed it the config file with an error, it will just refuse to work. So basically, you take your product, and you chop off things that are not compliant, which means that it's impossible to feed an incorrect config file into it, and here you got an enterprise edition.It's a version that we call its FIPS mode. So, when it runs FIPS mode, it has different runtime inside, it basically doesn't even have a crypto that is not approved, which you can turn on by mistake. It will just not work.Corey: By the time we're talking about different levels of regulatory compliance, yeah, we are long past the point where I'm going to have any comments in the slightest is about differentiation of pricing tiers and the rest. Yeah, your free tier doesn't support FedRAMP is one of those ludicrous things that—who would say that [laugh] actually be sincere [insane 00:18:28]?Ev: [laugh].Corey: That's just mind-boggling to me.Ev: Hold on a second. I don't want anyone to be misinformed. You can be FedRAMP compliant with the free tier; you just need to configure it properly. Like the enterprise feature, in this case, we give you a thing that only works in this mode; it is impossible to misconfigure it.Corey: It's an attestation and it's a control that you need—Ev: Yep. Yep.Corey: —in order to demonstrate compliance because half the joy of regulatory compliance is not doing the thing, it's proving you do the thing. That is a joy, and those of you who've worked in regulated environments know exactly what I'm talking about. And those of you who have not, are happy but please—Ev: Frankly, I think anyone can do it using some other open-source tools. You can even take, like, OpenSSH, sshd, and then you can probably build a different makefile for just the build pipeline that changes the linking, that it doesn't even have the crypto that is not on the approved list. So, then if someone feeds a config file into it that has, like, a hashing function that is not approved, it will simply refuse to work. So, maybe you can even turn it into something that you could say here's a hardened version of sshd, or whatever. So, same thing.Corey: I see now you're talking about the four aspects of this, the connectivity, the authentication, the authorization, and the audit components of access. How does that map to a software product, if that makes sense? Because it sounds like a series of principles, great, it's good to understand and hold those in your head both, separately and distinct, but also combining to mean access both [technical 00:19:51] and the common parlance. How do you express that in Teleport?Ev: So, Teleport doesn't really add authorization, for example, to something that doesn't have it natively. The problem that we have is just the overall increasing complexity of computing environments. So, when you're deploying something into, let's say, AWS East region, so what is it that you have there? You have some virtual machines, then you have something like Kubernetes on top, then you have Docker registry, so you have these containers running inside, then you have maybe MongoDB, then you might have some web UI to manage MongoDB and Grafana dashboard. So, all of that is software; we're only consuming more and more of it so that our own code that we're deploying, it's icing on a really, really tall cake.And every layer in that layer cake is listening on a socket; it needs encryption; it has a login, so it has authentication; it has its own idea of role-based access control; it has its own config file. So, if you want to do cloud computing properly, so you got to have this expertise on your team, how to configure those four pillars of access for every layer in your stack. That is really the pain. And the Teleport value is that we're letting you do it in one place. We're saying, consolidate all of this four-axis pillars in one location.That's really what we do. It's not like we invented a better way to authorize, or authenticate; no, we natively integrate with the cake, with all of these different layers. But consolidation, that is the key value of Teleport because we simply remove so much pain associated with configuring all of these things. Like, think of someone like—I'm trying not to disclose any names or customers, but let's pick, uh, I don't know, something like Tesla. So, Tesla has compute all over the world.So, how can you implement authentication, authorization, audit log, and connectivity, too, for every vehicle that's on the road? Because all of these things need software updates, they're all components of a giant machine—Corey: They're all intermittent. You can't say, “Oh, at this time of the day, we should absolutely make sure everything in the world is connected to the internet and ready to grab the update.” It doesn't work that way; you've got to be… understand that connectivity is fickle.Ev: So, most—and because computers growing generally, you could expect most companies in the future to be more like Tesla, so companies like that will probably want to look into Teleport technology.Corey: This episode is sponsored in part by “you”—gabyte. Distributed technologies like Kubernetes are great, citation very much needed, because they make it easier to have resilient, scalable, systems. SQL databases haven't kept pace though, certainly not like no SQL databases have like Route 53, the world's greatest database. We're still, other than that, using legacy monolithic databases that require ever growing instances of compute. Sometimes we'll try and bolt them together to make them more resilient and scalable, but let's be honest it never works out well. Consider Yugabyte DB, its a distributed SQL database that solves basically all of this. It is 100% open source, and there's not asterisk next to the “open” on that one. And its designed to be resilient and scalable out of the box so you don't have to charge yourself to death. It's compatible with PostgreSQL, or “postgresqueal” as I insist on pronouncing it, so you can use it right away without having to learn a new language and refactor everything. And you can distribute it wherever your applications take you, from across availability zones to other regions or even other cloud providers should one of those happen to exist. Go to yugabyte.com, thats Y-U-G-A-B-Y-T-E dot com and try their free beta of Yugabyte Cloud, where they host and manage it for you. Or see what the open source project looks like—its effortless distributed SQL for global apps. My thanks to Yu—gabyte for sponsoring this episode.Corey: If we take a look at the four tenets that you've identified—connectivity, authentication, authorization, and audit—it makes perfect sense. It is something that goes back to the days when computers were basically glorified pocket calculators as opposed to my pocket calculator now being basically a supercomputer. Does that change as you hit cloud-scale where we have companies that are doing what seem to be relatively pedestrian things, but also having 100,000 EC2 instances hanging out in AWS? Does this add additional levels of complexity on top of those four things?Ev: Yes. So, there is one that I should have mentioned earlier. So, in addition to software, hardware, and people-ware—so those are three things that are exploding, more compute, more software, more engineers needing access—there is one more dimension that is kind of unique, now, at the scale that we're in today, and that's time. So, let's just say that you are a member of really privileged group like you're a DBA, or maybe you are a chief security officer, so you should have access to a certain privileged database. But do you really use that access 24/7, all the time? No, but you have it.So, your laptop has an ability, if you type certain things into it, to actually receive credentials, like, certificates to go and talk to this database all the time. It's an anti-pattern that is now getting noticed. So, the new approach to access is to make a tie to an intent. So, by default, no one in an organization has access to anything. So, if you want to access a database, or a server, or Kubernetes cluster, you need to issue what's called ‘access request.'It's similar to pull request if you're trying to commit code into Git. So, you send an access request—using Teleport for example; you could probably do it some other way—and it will go into something like Slack or PagerDuty, so your team members will see that, “Oh, Corey is trying to access that database, and he listed a ticket number, like, some issue he is trying to troubleshoot with that particular database instance. Yeah, we'll approve access for 30 minutes.” So, then you go and do that, and the access is revoked automatically after 30 minutes. So, that is this new trend that's happening in our space, and it makes you feel nice, too, it means that if someone hacks into your laptop at this very second, right after you finished authenticating and authorization, you're still okay because there is no access; access will be created for you if you request it based on the intent, so it dramatically reduces the attack surface, using time as additional dimension.Corey: The minimum viable permission to do a thing. In principle, least-access is important in these areas. It's like, “Oh, yeah, my user account, you mean root?” “Yeah, I guess that works in a developer environment,” looks like a Docker container that will be done as soon as you're finished, but for most use cases—and probably even that one—that's not the direction to go in. Having things scoped down and—Ev: Exactly.Corey: —not just by what the permission is, but by time.Ev: Exactly.Corey: Yeah.Ev: This system basically allows you to move away from root-type accounts completely, for everything. So, which means that there is no root to attack anymore.Corey: What really strikes me is how, I guess, different aspects of technology that this winds up getting to. And to illustrate that in the form of question, let me go back to my own history because, you know, let's make it about me here. I've mentioned it before on the show, but I started off my technical career as someone who specialized in large-scale email systems. That was a niche I found really interesting, and I got into it. So did you.I worked on running email servers, and you were the CEO and co-founder of Mailgun, which later you sold the Rackspace. You're a slightly bigger scale than I am, but it was clear to me that even then, in the 2006 era when I was doing this, that there was not going to be the same need going forward for an email admin at every company; the cloudification of email had begun, and I realized I could either dig my heels in and fight the tide, or I could find other things to specialize in. And I've told that part of the story, but what I haven't told is that it was challenging at first as I tried to do that because all the jobs I talked to looked at my resume and said, “Ah, you're the email admin. Great. We don't need one of those.”It was a matter of almost being pigeonholed or boxed into the idea of being the email person. I would argue that Teleport is not synonymous with email in any meaningful sense as far as how it is perceived in the industry; you are very clearly no longer the email guy. Does the idea being boxed in, I guess—Ev: [laugh].Corey: —[unintelligible 00:27:05] resonate at all with you? And if so, how did you get past it?Ev: Absolutely. The interesting thing is, before starting the Mailgun, I was not an email person. I would just say that I was just general-purpose technologist, and I always enjoyed building infrastructure frameworks. Basically, I always enjoyed building tools for other engineers. But then gotten into this email space, and even though Mailgun was a software product, which actually had surprisingly huge, kind of, scalability requirements early on because email is much heavier than HTTP traffic; people just send a lot of data via emails.So, we were solving interesting technical challenges, but when I would meet other engineers, I would experience the exact same thing you did. They would put me into this box of, “That's an email guy. He knows email technology, but seemingly doesn't know much about scaling web apps.” Which was totally not true. And it bothered me a little bit.Frankly, it was one of the reasons we decided to get acquired by Rackspace because they effectively said, “Why don't you come join us and we'll continue to operate as independent company, but you can join our cloud team and help us reinvent cloud computing.” It was really appealing. So, I actually moved to Texas after acquisition; I worked on the Rackspace cloud team for a while. So, that's how my transition from this being in the email box happened. So, I went from an email expert to just generally cloud computing expert. And cloud computing expert sounds awesome, and it allows me to work—Corey: I promise, it's not awesome—Ev: [laugh].Corey: —for people listening to this. Also, it's one of those, are you a cloud expert? Everyone says no to that because who in the world would claim that? It's so broad in so many different expressions of it. Because you know the follow-up question to anyone who says, “Yeah,” is going to be some esoteric thing about a system you've never heard of before because there's so many ridiculous services across totally different providers, of course, it's probably a thing. Maybe it's actually a Pokemon, we don't know. But it's hard to consider yourself an expert in this. It's like, “Well, I have some damage from [laugh] getting smacked around by clouds and, yeah, we'll call that expertise; why not?”Ev: Exactly. And also how frequently people mispronounce, like, cloud with clown. And it's like, “Oh, I'm clown computing expert.” [laugh].Corey: People mostly call me a loud computing expert. But that's a separate problem.Ev: But the point is that if you work on a product that's called cloud, so you definitely get to claim expertise of that. And the interesting thing that Mailgun being, effectively, an infrastructure-level product—so it's part of the platform—every company builds their own cloud platform and runs it, and so Teleport is part of that. So, that allowed us to get out of the box. So, if you working on, right now we're in the access space, so we're working closely with Kubernetes community, with Linux kernel community, with databases, so by extension, we have expertise in all of these different areas, and it actually feels much nicer. So, if you are computing security access company, people tend to look at you, it's like, “Yeah, you know, a little bit of everything.” So, that feels pretty nice.Corey: It's of those cross-functional things—Ev: Yeah, yeah.Corey: —whereas on some level, you just assume, well, email isn't either, but let's face it: email is the default API that everything, there's very little that you cannot configure to send email. The hard part is how to get them to stop emailing you. But it started off as far—from my world at least—the idea that all roads lead to email. In fact, we want to talk security, a long time ago the internet collectively decided one day that our email inbox was the entire cornerstone of our online identity. Give me access to your email, I, for all intents and purposes, can become you on the internet without some serious controls around this.So, those conversations, I feel like they were heading in that direction by the time I left email world, but it's very clear to me that what you're doing now at Teleport is a much clearer ability to cross boundaries into other areas where you have to touch an awful lot of different things because security touches everything, and I still maintain it has to be baked-in and an intentional thing, rather than, “Oh yeah, we're going to bolt security on after the fact.” It's, yeah, you hear about companies that do that, usually in headlines about data breaches, or worse. It's a hard problem.Ev: Actually, it's an interesting dilemma you're talking about. Is security built-in into everything or is it an add-on? And logically—talk to anyone, and most people say, “Yeah, it needs to be a core component of whatever it is you're building; making security as an add-on is not possible.” But then reality hits in, and the reality is that we're running on—we're standing on the shoulder of giants.There is so much legacy technologies that we built this cloud monster on top of… no, nothing was built in, so we actually need to be very crafty at adding security on top of what we already have, if we want to take advantage of all this pre-existing things that we've built for decades. So, that's really what's happening, I think, with security and access. So, if you ask me if Teleport is a bolt-on security, I say, “Yes, we are, but it works really well.” And it's extremely pragmatic and reasonable, and it gives you security compliance, but most of all, very, very good user experience out of the box.Corey: It's amazing to me how few security products focus on user experience out of the box, but they have to. You cannot launch or maintain a security product successfully—to my mind—without making it non-adversarial to the user. The [days of security is no 00:32:26] are gone.Ev: Because of that human element insecurity. If you make something complicated, if you make something that's hard to reason about, then it will never be secure.Corey: Yeah.Ev: Don't copy-paste IP table rules without understanding what they do. [laugh].Corey: Yeah, I think we all have been around long enough in data center universes remember those middle of the night drives to the data center for exactly that sort of thing. Yeah, it's one of those hindsight things of, set a cron job to reset the IP table rules for, you know, ten minutes from now in case you get this hilariously wrong. It's the sort of thing that you learn right after you really could have used that knowledge. Same story. But those are the easy, safe examples of I screwed up on a security thing. The worst ones can be company-ending.Ev: Exactly, yeah. So, in this sense, when it comes to security, and access specifically, so this old Python rule that there is only one way to do something, it's the most important thing you can do. So, when it comes to security and access, we basically—it's one of the things that Teleport is designed around, that for all protocols, for all different resources, from SSH to Kubernetes to web apps to databases; we never support passwords. It's not even in the codebase. No, you cannot configure Teleport to use passwords.We never support things like public keys, for example, because it's just another form of a password. It's just extremely long password. So, we have this approach that certificates, it's the best method because it supports both authentication and authorization, and then you have to do it for everything, just one way of doing everything. And then you apply this to connectivity: so there is a single proxy that speaks all protocols and everyone goes to that proxy. Then you apply the same principle to audit: there is one audit where everything goes into.So, that's how this consolidation, that's where the simplicity comes down to. So, one way of doing something; one way of configuring everything. So, that's where you get both ease of use and security at the same time.Corey: One last question that I want to ask you before we wind up calling this an episode is that I've been using Teleport as a reference for a while when I talk to companies, generally in the security space, as an example of what you can do to tell a story about a product that isn't built on fear, uncertainty, and doubt. And for those who are listening who don't know what I'm referring specifically, I'm talking about pick any random security company and pull up their website and see what it is that they talk about and how they talk about themselves. Very often, you'll see stories where, “Data breaches will cost you extraordinary piles of money,” or they'll play into the shame of what will happen to your career if you're named in the New York Times for being the CSO when the data gets breached, and whatnot. But everything that I've seen from Teleport to date has instead not even gone slightly in that direction; it talks again and again, in what I see on your site, about how quickly it is to access things, access that doesn't get in the way, easily implement security and compliance, visibility into access and behavior. It's all about user experience and smoothing the way and not explaining to people what the dire problems that they're going to face are if they don't care about security in general and buy your product specifically. It is such a refreshing way of viewing storytelling around a security product. How did you get there? And how do I make other people do it, too?Ev: I think it just happened organically. Teleport originally—the interesting story of Teleport, it was not built to be sold. Teleport was built as a side project that we started for another system that we were working on at the time. So, there was a autonomous Kubernetes platform called Grá—it doesn't really matter in this context, but we had this problem that we had a lot of remote sites with a lot of infrastructure on them, with extremely strict security and compliance requirements, and we needed to access those sites or build tools to access those sites. So, Teleport was built like, okay, it's way better than just stitching a bunch of open-source components together because it's faster and easier to use, so we're optimizing for that.And as a side effect of that simplification, consolidation, and better user experience is a security compliance. And then the interesting thing that happened is that people who we're trying to sell the big platform to, they started to notice about, “Oh, this access thing you have is actually pretty awesome. Can we just use that separately?” And that's how it turned into a product. So, we built an amazing secure access solution almost by accident because there was only one customer in mind, and that was us, in the early days. So yeah, that's how you do it, [laugh] basically. But it's surprisingly similar to Slack, right? Why is Slack awesome? Because the team behind it was a gaming company in the beginning.Corey: They were trying to build a game. Yeah.Ev: Yeah, they built for themselves. They—[laugh] I guess that's the trick: make yourself happy.Corey: I think the team founded Flickr before that, and they were trying to build a game. And like, the joke I heard is, like, “All right, the year is 2040. Stuart and his team have now raised $8 billion trying to build a game, and yet again it fails upward into another productivity tool company, or something else entirely that”—but it's a recurring pattern. Someday they'll get their game made; I have faith in them. But yeah, building a tool that scratches your own itch is either a great path or a terrible mistake, depending entirely upon whether you first check and see if there's an existing solution that solves the problem for you. The failure mode of this is, “Ah, we're going to build our own database engine,” in almost every case.Ev: Yeah. So just, kind of like, interesting story about the two, people will [unintelligible 00:38:07] surprised that Teleport is a single binary. It's basically a drop-in replacement that you put on a box, and it runs instead of sshd. But it wasn't initially this way. Initially, it was [unintelligible 00:38:16], like, few files in different parts of a file system. But because internally, I really wanted to run it on a bunch of Raspberry Pi's at home, and it would have been a lot easier if it was just a single file because then I just could quickly update them all. So, it just took a little bit of effort to compress it down to a single binary that can run in different modes depending on the key. And now look at that; it's a major benefit that a lot of people who deploy Teleport on hundreds of thousands of pieces of infrastructure, they definitely taking advantage of the fact that it's that simple.Corey: Simplicity is the only thing that scales. As soon as it gets complex, it's more things to break. Ev, thank you so much for taking the time to sit with me, yet again, to talk about Teleport and how you're approaching things. If people want to learn more about you, about the company, about the product in all likelihood, where can they go?Ev: The easiest place to go would be goteleport.com where you can find everything, but we're also on GitHub. If you search for Teleport in GitHub, you'll find this there. So, join our Slack channel, join our community mailing list and most importantly, download Teleport, put it on your Raspberry Pi, play with it and see how awesome it is to have the best industry, best security practice, that don't get in the way.Corey: I love the tagline. Thank you so much, once again. Ev Kontsevoy, co-founder and CEO of Teleport. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with a comment that goes into a deranged rant about how I'm completely wrong, and the only way to sell security products—specifically yours—is by threatening me with the New York Times data breach story.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

In this special episode of Tiffany & Yu, we're sharing a conversation that happened in the Diversability Leadership Collective (http://diversability.mn.co), Diversability's members-only community to accelerate disability leadership, influence, and advocacy. We were joined by voice and presence coach Elissa Weinzimmer and DLC member Alissa Lauzon to discuss the ways in which we can speak our truth about our disability and access needs at work. ---- Show notes & transcript: http://tiffanyyu.com/podcast/040 ---- Sign up for the free masterclass on September 15: https://www.voicebodyconnection.com/a/2147494525/d7M62uKP --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app --- Send in a voice message: https://anchor.fm/imtiffanyyu/message

This week's episode of Scrambling with Dylan Otto features Korn Ferry Tour Player Kevin (Chun An) Yu. Kevin talks about how his Dad, who was a professional golfer as well, got him into the game of golf at the age of 5 and what his journey to the United States to play college golf was like. Yu goes in depth on how his years at Arizona State University were and stories about playing in huge major championships as an amateur like the U.S. Open. Kevin graduated from ASU and went straight to the Korn Ferry Tour since he gained status through the PGA Tour University rankings and he talks about his experiences on tour along with some amazing advice for college golfers who are looking to turn professional. Enjoy the show! --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app

Hello Fellow Fools! This is the continuation of episode 24 after its corruption. We touch on some same topics, however we are more risqué in the morning apparently. Ivan gets weird with pills. We all talk about Yu-gi-oh! And recommend watching Team Four Stars Beastars S1 in 8 min video https://youtu.be/DIHy6J23FVk . Conspiracy theories are talked about. Ivan accuses Galo, of what? Listen to the episode and find out. We discuss Tony Revolori's Flash Thompson and fan cast a live action Incredibles. Ivan geeks out on Tech Deck dudes and tech cards. Ivan summarizes American History X, and ends the episode with love for Paddy “The Baddy” Pimblett, and the recent AEW All Out 2021 pay-per-view of CM punk vs. Darby Allin. Enjoy!

The Padres a 44.4% chance of getting that final wild card spot, so we're rolling with the fours for this podcast. Since we last talked, Blake has been DOMINANT, Yu got his 1st win in 11 starts, Mark the Shark Melancon gets his 37th, and El Cajon's finest Joe Musgrove has been Mr. Consistent. What hasn't been consistent is our batting order or our bats. Highlights include, Nando hitting his 37th, Manny & Frazier starting to warm up. We scored 8 runs in 18 innings and they all came in one frame. We have a one game lead in the Wild Card, so for all you Friar Faithful out there, stay #HungryForMore and #StayHungryForTheWildCard!

About FrancescaFrancessca is the leader of the AWS Technology Worldwide Commercial Operations organization. She is recognized as a thought leader of business technology cloud transformations and digital innovation, advising thousands of startups, small-midsize businesses, and enterprises. She is also the cofounder of AWS workforce transformation initiatives that inspire inclusion, diversity, and equity to foster more careers in science and technology.Links: Twitter: https://twitter.com/FrancesscaV/ LinkedIn: https://www.linkedin.com/in/francesscavasquez/ TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by “you”—gabyte. Distributed technologies like Kubernetes are great, citation very much needed, because they make it easier to have resilient, scalable, systems. SQL databases haven't kept pace though, certainly not like no SQL databases have like Route 53, the world's greatest database. We're still, other than that, using legacy monolithic databases that require ever growing instances of compute. Sometimes we'll try and bolt them together to make them more resilient and scalable, but let's be honest it never works out well. Consider Yugabyte DB, its a distributed SQL database that solves basically all of this. It is 100% open source, and there's not asterisk next to the “open” on that one. And its designed to be resilient and scalable out of the box so you don't have to charge yourself to death. It's compatible with PostgreSQL, or “postgresqueal” as I insist on pronouncing it, so you can use it right away without having to learn a new language and refactor everything. And you can distribute it wherever your applications take you, from across availability zones to other regions or even other cloud providers should one of those happen to exist. Go to yugabyte.com, thats Y-U-G-A-B-Y-T-E dot com and try their free beta of Yugabyte Cloud, where they host and manage it for you. Or see what the open source project looks like—its effortless distributed SQL for global apps. My thanks to Yu—gabyte for sponsoring this episode. Corey: And now for something completely different!Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. It's pretty common for me to sit here and make fun of large cloud companies, and there's no cloud company that I make fun of more than AWS, given that that's where my business generally revolves around. I'm joined today by VP of Technology, Francessca Vasquez, who is apparently going to sit and take my slings and arrows in person. Francessca, thank you for joining me.Francessca: Hi, Corey, and thanks for having me. I'm so excited to spend this time with you, snarking away. I'm thrilled.Corey: So, we've met before, and at the time you were the Head of Solutions Architecture and Customer Solutions Management because apparently someone gets paid by every word they wind up shoving into a job title and that's great. And I vaguely sort of understood what you did. But back in March of this year, you were promoted to Vice President of Technology, which is both impressive, and largely non-descriptive when one works for a technology company. What is it you'd say it is you do now? And congratulations, by the way.Francessca: Thank you, I appreciate it. By the way, as a part of that, I also relocated to our second headquarters, so I'm broadcasting with you out of HQ2, or Arlington, Virginia. But my team, essentially, we're a customer-facing organization, Corey. We work with thousands of customers all over the globe, from startups to enterprises, and we ultimately try to ensure that they're making the right technology architecture decisions on AWS. We help them in driving people and culture transformation when they decide to migrate onto the cloud.And the last thing that we try to do is ensure that we're giving them tools so that they can build cultures of innovation within the places that they work. And we do this for customers every day, 365 days a year. And that's what I do. And I've been doing this for over 20 years, so I'm having a blast.Corey: It's interesting because when I talk to customers who are looking at what their cloud story is going to be—not just where it is, but where they're going—there's a shared delusion that they all participate in—and I'm as guilty as anyone. I have this same, I guess, misapprehension as well—that after this next sprint concludes, I'm going to suddenly start making smart decisions; I'm going to pay off all of my technical debt; I'm going to stop doing this silly thing and start doing the smart thing, and so on and so forth. And of course, it's a myth. That technical debt is load-bearing; it's there for a reason. But foundationally, when talking to customers at different points along their paths, I often find that the conversation that I'm having with them is less around what they should be doing differently from a tactical and execution perspective and a lot more about changing the culture.As a consultant, I've never found a way to successfully do that, that sticks. If I could I'd be in a vastly different, vastly more lucrative consulting business. But it seems like culture is one of those things that, in my experience, has to be driven from within. Do you find that there's a different story when you are speaking as AWS where, “Yeah, we're outsiders, but at the same time, you're going to be running production on us, which means you're our partner whether you want to be or not because you can't treat someone who owns production as a vendor anymore.” Does that position you better to shift culture?Francessca: I don't know if it positions us better. But I do think that many organizations, you know, all of them are looking at different business drivers, whether that be they want to move to more digital, especially since we're going through COVID-19 and coming out of it. Many of them are looking at things like cost reduction, some organizations are going through mergers and acquisitions. Right now I can tell you new customer experiences driven by digital is pretty big, and I think what a lot of companies do, some of them want to be the north star; some of them aspire to be like other companies that they may see in or outside the industry. And I think that sometimes we often get a brand as having this culture of innovation, and so organizations very much want to understand what does that look like: what are the ingredients on being able to build cultures of innovation?And sometimes organizations take parts of what we've been able to do here at AWS and sometimes they look at pieces from other companies that they view as north star, and I see this across multiple industries. And I think the one that is the toughest when you're trying to drive big change—even with moving to the cloud—oftentimes it's not the services or the tech. [smile]. It's the culture. It's people. It's the governance. And how do you get rallied around that? So yeah, we do spend some time just trying to offer our perspective. And it doesn't always mean it's the right one, but it certainly has—it's worked for us.Corey: On some level, I've seen cloud adoptions stall, in some scenarios, by vendors being a little too honest with the customer, if that doesn't—Francessca: Mmm. Mm-hm.Corey: —sound ridiculous, where it's—so they take the customer will [unintelligible 00:05:24], reasonable request. “Here's what we built. Here's how we want to migrate to the cloud. How will this work in your environment?” And the overly honest answer from a certain provider—I don't feel the need to name at the moment—is, “Well, great. What you've written is actually really terrible, and if you were to write it better, with smarter engineers, it would run great in the cloud. So, do that then call us.”Surprisingly, that didn't win the deal, though it was, unfortunately, honest. There was a time where AWS offerings were very much aligned with that, and depending on how you wind up viewing what customers should be doing is going to depend on what year it was. In the early days, there was no persistent storage on EC2—Francessca: Mm-hm.Corey: So, if you had a use case that required there had to be a local disk that could survive a reboot, well, that wasn't really the place for you to run. In time, it has changed, and we're still seeing that evolution to the point where there are a bunch of services that come out on a consistent, ongoing basis that the cloud-native set will look at and say, “Oh, that hasn't been written in the last 18 months on the latest MacBook and targeting the developer version of Chrome. Then why would I ever care about that?” Yeah, there's a bigger world than San Francisco. I'm sorry but it's true.And there are solutions that are aimed at customer segments that don't look anything like a San Francisco startup. And it's easy to look at those and say, “Oh, well, why in the world would I wind up needing something like that?” And people point at the mainframe and say, “Because of that thing.” Which, “Well, what does that ancient piece of crap do?” “Oh, billions a year in revenue, so maybe show some respect.” ‘Legacy,' the condescending engineering term for ‘it makes money.'Francessca: [smile]. Yeah, well, first off, I think that our approach today is you have to be able to meet customers where they are. And there are some customers, I think, that are in a position where they've been able to build their business in a far more advanced state cloud-natively, whether that be through tools like serverless, or Lambda, et cetera. And then there are other organizations that it will take a little longer, and the reason for that is everyone has a different starting point. Some of their starting points might be multiple years of on-premise technology.To your point, you talked about tech debt earlier that they've got to look at and in hundreds of applications that oftentimes when you're starting these journeys, you really have to have a good baseline of your application portfolio. One of my favorite stories—hopefully, I can share this customer name, but one of my favorite stories has been our organization working with Nationwide, who sort of started their journey back in 2017 and they had a goal, a pretty aggressive one, but their goal is about 80% of their applications that they wanted to get migrated to the cloud in, like, three to four years. And this was, like, 319 different migrations that we started with them, 80 or so production cut-overs. And to your point, as a result of us doing this application portfolio review, we identified 63 new things that needed to be built. And those new things we were able to develop jointly with them that were more cloud-native. Mainframe is another one that's still around, and there's a lot of customers still working on the mainframe. We work with a very—Corey: There is no AWS/400 yet.Francessca: [smile]. There is no AWS [smile] AS/400. But we do have mainframe migration competency partners to help customers that do want to move into more–I don't really prefer the term modernize, but more of a cloud-native approach. And mostly because they want to deliver new capability, depending on what the industry is. And that normally happens through applications.So yeah, I think we have to meet customers where they are. And that's why we think about our customers in their stage of cloud adoption. Some that are business-to-consumer, more digital native-based, you know, startups, of course; enterprises that tend to be global in nature, multinational; ISVs, independent software vendors. We just think about our customers differently.Corey: Nationwide is such a great customer story. There was a whole press release bonanza late last year about how they selected AWS as their preferred cloud provider. Great. And I like seeing stories like that because it's easy on some level—easy—to wind up having those modernized startups that are pure web properties and nothing more than that—not to besmirch what customers do, but if you're a social media site, or you're a streaming video company, et cetera, it feels differently than it does—oh, yeah, you're a significantly advanced financial services and insurance company where you're part of the Fortune 100. And yeah, when it turns out that the computers that calculate out your amortization tables don't do what you think they're going to do, those are the kinds of mistakes that show. It's a vote of confidence in being able to have a customer testimonial from a quote-unquote, “More serious company.” I wouldn't say it's about modernization; I'd say it's about evolution more than anything else.Francessca: Yeah, I think you're spot on, and I also think we're starting to see more of this. We've done work at places like GE—in Latin America, Itaú is the bank that I was just referring to on their mainframe digital transformation. Capital One, of course, who many of the audience probably knows we've worked with for a long time. And, you know, I think we're going to see more of this it for a variety of reasons, Corey. I think that definitely, the pandemic has played some role in this digital acceleration.I mean, it just has; there's nothing I can say about that. And then there are some other things that we're also starting to see, like sustainability, quite frankly, is becoming of interest for a lot of our customers as well, and as I mentioned earlier, customer experience. So, we often tend to think of these migration cloud journeys as just moving to infrastructure, but in the first part of the pandemic, one of the interesting trends that we also saw was this push around contact centers wanting to differentiate their customer experience, which we saw a huge increase in Amazon Connect adoption as well. So, it's just another way to think about it.Corey: What else have you seen shift during the pandemic now that we're—I guess, you could call it post-pandemic because here in the US, at least at this time of this recording, things are definitely trending in the right direction. And then you take a step back and realize that globally we are nowhere near the end of this thing on a global stage. How have you seen what customers are doing and how customers are thinking about things shift?Francessca: Yeah, it's such a great question. And definitely, so much has changed. And it's bigger than just migrations. The pandemic, as you rightfully stated, we're certainly far more advanced in the US in terms of the vaccine rollout, but if you start looking at some of our other emerging markets in Asia Pacific, Japan, or even AMEA, it's a slower rollout. I'll tell you what we've seen.We've seen that organizations are definitely focused on the shift in their company culture. We've also seen that digital will play a permanent fixture; just, that will be what it is. And we definitely saw a lot of growth in education tech, and collaboration companies like Zoom here in the US. They ended up having to scale from 10 million daily users up to, like, 300. In Singapore, there is an all-in company called Grab; they do a lot of different things, but in their top three delivery offerings—what they call Grabfood, Grabmart, and GrabExpress—they saw, like, an increase of 30% user adoption during that time, too.So, I think we're going to continue to see that. We're also going to continue to see non-technical themes come into play like inclusion, diversity, and equity in talent as people are thinking about how to change and evolve their workforce. I love that term you used; it's about an evolution: workforce and skills is going to be pretty important. And then globally, the need around stronger data privacy and governance, again, is something else that we've started to see in a post-COVID kind of era. So, all industries; there's no one industry doing anything any different than the others, but these are just some observations from the last, you know, 18 months.Corey: In the early days of the pandemic, there was a great meme that was going around of who was the most responsible for your digital transformation: CIO, CTO, or COVID-19?Francessca: [smile].Corey: And, yeah, on some level, it's one of those ‘necessity breeds innovation' type of moments. And we're seeing a bunch of acceleration in the world of digital adoption. And I don't think you get to put the genie back in that particular bottle in a bunch of different respects. One area that we're seeing industry-wide is talent discovering that suddenly you can do a whole bunch of things that don't require you being in the same eight square miles of an earthquake zone in California. And the line that I heard once that really resonated with me was that talent is evenly distributed; opportunity is not. And it seems that when you see a bunch of companies opening up to working in new ways and new places, suddenly it taps a bunch of talent that previously was considered inaccessible.Francessca: That's right. And I think it's one of those things where—[smile] I love the meme—you'll have to send me that meme by the way—that just by necessity, this has been brought to the forefront. And if you just think about the number of countries that, sort of, account for almost half the global population, there's only, like, we'll say eight of them that at least represent close to 60-plus percent. I don't think that there's a company out there today that can really build a comprehensive strategy to drive business agility or to look at cost, or any of those things digitally without having an equally determined workforce strategy. And that workforce strategy, how that shows up with us is through having the right skills to be able to operate in the cloud, looking at the diversity of where your customer base is, and making sure that you're driving a workforce plan that looks at those markets.And then I think the other great thing—and honestly, Corey, maybe why I even got into this business—is looking at, also, untapped talent. You know, technology's so pervasive right now. A lot of it's being designed where it's prescriptive, easier to use, accessible. And so I also think we're tapping into a global workforce that we can reskill, retrain, in all sorts of different facets, which just opens up the labor market even more. And I get really excited about that because we can take what is perceived as, sort of, traditional talent, you know, computer science and we can skill a lot of people who have, again, non-traditional tech backgrounds. I think that's the opportunity.Corey: Early on in my career, I was very interested in opening the door for people who looked a lot like me, in terms of where their experience level was, what they'd done because I'd come from a quote-unquote, non-traditional background; I don't even have a high school diploma at this point. And opening doors for folks and teaching them to come up the way that I did made sense for a while. The problem that I ran into pretty quickly is that the world has moved on. It turns out that if you want to start working in cloud in 2021, the path I walked is closed. You don't get to go be an email systems administrator who's really good at Unix and later Linux as your starting point because those jobs don't exist the way that they once did.Before that, the help desk roles aren't really there the way that they once were either, and they've become much more systematized. You don't have nearly as much opportunity to break the mold because now there is a mold. It used to be that we were all these artisanally crafted, bespoke technologists. And now there are training curriculums for this. So, it leads to a recurring theme on the show of, where does the next generation really wind up coming from?Because trying to tell people to come up the way that I did is increasingly reminiscent of advice of our parents' generation, “Oh, go out and pound the bricks, and have a firm handshake, and hand your resume to the person at the front desk, and you'll get a job today.” Yeah, sure you will. How do you see it?Francessca: You know, I see it where we have an opportunity to drive this talent, long-term, in a variety of different places. First off, I think the personas around IT have shifted quite a bit where, back in the day, you had a storage admin, a sysadmin, maybe you had a Solaris, .NET, Linux developer. But pretty straightforward. I think now we've evolved these roles where the starting point can be in data, the starting point can be in architecture.The personas have shifted from my perspective, and I think you have more starting points. I also think our funnel has also changed. So, for people that are going down the education route—and I'm a big proponent of that—I think we're trying to introduce more programs like AWS Educate, which allows you to go and start helping students in universities really get a handle on cloud, the curriculum, all the components that make up the technology. That's one. I think there are a lot of people that have had career pivots, Corey, where maybe they've taken time out of the workforce.We disproportionately, by the way, see this from our female and women who identify, coming back to the workforce, maybe after caring for parents or having children. So, we've got—there are different programs that we try to leverage for returners. My family and I, we've grown up all around the military veterans as well, and so we also look at when people come out of, perhaps in the US, military status, how do we spend time reskilling those veterans who share some of the same principles around mission, team, the things that are important to us for customers. And then to your point, it's reskill, just, non-traditional backgrounds. I mean, a lot of these technologies, again, they're prescriptive; we're trying to find ways to make them certainly more accessible, right, equitable sort of distribution of how you can get access to them.But, anyone can start programming in things like Python now. So, reskill non-traditional backgrounds; I don't think it's just one funnel, I think you have to tap into all these funnels. And that's why, in addition to being here in AWS, I also try to spend time on supporting and volunteering at nonprofit companies that really drive a focus on underserved-based communities or non-traditional communities as different pathways to tech. So, I think it's all of the above. [smile].Corey: This episode is sponsored in part by CircleCI. CircleCI is the leading platform for software innovation at scale. With intelligent automation and delivery tools, more than 25,000 engineering organizations worldwide—including most of the ones that you've heard of—are using CircleCI to radically reduce the time from idea to execution to—if you were Google—deprecating the entire product. Check out CircleCI and stop trying to build these things yourself from scratch, when people are solving this problem better than you are internally. I promise. To learn more, visit circleci.com.Corey: Yeah, I have no patience left, what little I had at the beginning, for gatekeeping. And so much of technical interviewing seems to be built around that in ways that are the obvious ones that need not even be called out, but then the ones that are a little bit more subtle. For example, the software developer roles that have the algorithm questions on a whiteboard. Well, great. You take a look at the average work of software development style work, you don't see those things coming up in day-to-day. Usually.But, “Implement quicksort.” There's a library for that. Move on. So, it turns out that biases for folks who've recently had either a computer science formal education or computer science formal-like education, and that winds up in many ways, weeding people out have been in the workforce for a while. I take a look at some of the technical interviews I used to pass for grumpy Unix sysadmin jobs; I don't remember half of the terminology.I was looking through some my old question lists of what I used to ask candidates, and I don't remember how 90% of this stuff works. I'd have to sit there and freshen up on it if I were to go and take a job interview. But it doesn't work in the same way. It's more pernicious than that, though, because I look at what I do and how I approach it; the skills you use in a job interview are orthogonal, in many cases, to the skills you'll need in the workforce. How someone performs with their career on the line at a whiteboard in front of a few very judgy, judgy people is not representative of how they're going to perform in a collaborative technical environment, trying to solve an interesting problem, at least in my experience.Francessca: Yeah, it's interesting because in some of our programs, we have this conversation with a lot of the universities, as well, in their curriculums, and I think ultimately, whether you're a software developer, or you're an architect, or just in the field of tech and you're dealing with customers, I think you have to be very good at things like problem-solving, and being able to work in teams. I have a mental model that many of the tech details, you can teach. Those things are teachable.Corey: “Oh, you don't know what port some protocol listens on. Oh, it's a shame you never going to be able to learn that. You didn't know that in the interview off the top of your head and there's no possible way you could learn that. It's an intrinsic piece of knowledge you're born with.” No, it's not.Francessca: [smile]. Yeah, yeah, those are still things every now and then I have to go search for, or I've written myself some nice little Textract. Uh… [smile] [unintelligible 00:22:28] to go and search my handwritten notes for things. But yeah, so problem-solving, being able to effectively communicate. In our case, writing has been a muscle that I've really had to work at hard since joining here.I haven't done that in a while, so that is a skill that's come back. And I think the one that I see around software development is, really, teams. It's interesting because when you're going through some of the curriculums, a lot of the projects that are assigned to you are individual, and what happens when you get into the workplaces, the projects become very team-oriented, and they're more than one people. We're all looking at how we publish code together to create a process, and I think that's one of the biggest surprises making a transition [smile] into the workforce is, you will work in teams. [smile].Corey: Oh, dear Lord. The group project; the things that they do in schools is one of those, great, there's one person who's going to be diligent—which was let's be clear, never me—they're going to do 90% of the work on it and everyone shares credit equally. The real world very rarely works that way with that sense of one person carries the team, at least ideally. But on the other side of it, too, you don't wind up necessarily having to do these things alone, you don't have to wind up with dealing with those weird personal dynamics in small teams, for the most part, and setting people up with the expectation, as students, that this is how the real world works is radically different. One of the things that always surprised me growing up was hearing teachers in middle school and occasionally beyond, say things like, “When you're in the real world”—always ‘the real world' as if education is somehow not the real world—that, “Oh, your boss is never going to be okay with this, or that, or the other thing.”And in hindsight, looking back at that almost 30 years later, it's, “Yeah, how would you know? You've been in academia your entire life.” I'm sorry, but the workplace environment of a public middle school and the workplace environment of a corporate entity are very culturally different. And I feel confident in saying that because my first Unix admin job was at a university. It is a different universe entirely.Francessca: Yeah. It's an area where you have to be able to balance the academia component with practitioner. And by the way, we talk about this in our solutions architecture and our customer solutions team—that's a mouthful—in our organization, that how we like to differentiate our capabilities with customers is that we are users, we are practitioners of the services, we have gone out and obtained certifications. We don't always just speak about it, we'd like to say that we've been in the empty chair with the customer, and we've also done. So yeah, I think it's a huge balance, by the way, and I just hope that over the next several years, Corey, that again, we start really shifting the landscape by tapping into what I think is an incredible global workforce, and of users that we've just not inspired enough to go into these disciplines for STEM, so I hope we do more of that.And I think our customers will benefit better from it because you'll get more diversity in thought, you'll get different types of innovation for your solution set, and you'll maybe mirror the customer segments that you're responsible for serving. So, I'm pretty bullish on this topic. [smile].Corey: I think it's hard not to be because, sure, things are a lot more complex now, technically. It's a broader world, and what's a tech company? Well, every company, unless they are asleep at the wheel, is a tech company. And that that can be awfully discouraging on some level, but the other side of it has really been, as I look at it, is the sheer, I guess, brilliance of the talent that's coming up. I'm not talking the legend of industry that's been in the field for 30 years; I'm talking some of the folks I know who are barely out of high school. I'm talking very early career folks who just have such a drive, and such an appetite for being able to look at how these things can solve problems, the ability to start thinking in innovative ways that I've never considered when I was that age, I look at this. And I think that, yeah, we have massive challenges in front of us as people, as a society, et cetera, but the kids are all right, for lack of a better term.Francessca: [smile].Corey: And I want to be clear as well; when we talk about new to tech, I'm not just talking new grads; I'm talking about people who are career-changing, where they wound up working in healthcare or some other field for the first 10 years of their career—20 years—and they want to move into tech. Great. How do we throw those doors open, not say, “Well, have you considered going back and getting a degree, and then taking a very entry-level job?” No. A lateral move, find the niches between the skill you have and the skill you want to pick up and move into the field in half steps. It takes a little longer, sure, but it also means you're not starting over from square one; you're making a lateral transition which, because it's tech, generally comes with a sizable pay bump, too.Francessca: One of the biggest surprises that I've had since joining the organization, and—you know, we have a very diverse, large global field organization, and if you look at our architecture teams, our customer solution teams, even our product engineering teams, one of the things that might surprise many people is many of them have come from customers; they've not come from what I would consider a traditional, perhaps, sales and marketing background. And that's by design. They give us different perspective, they help us ensure that, again, what we're designing and building is applicable from an end-user perspective, or even an industry, to your point. We have lots of different services now, over a hundred and seventy-five plus. I mean, we've—close to two hundred, now.And there are some customers who want the freedom to be able to build in the various domains, and then we have some customers who need more help and want us to put it together as solutions. And so having that diversity in some of the folks that we've been able to hire from a customer or developer standpoint—or quite frankly, co-founder standpoint—has really been amazing for us. So.Corey: It's always interesting whenever I get the opportunity to talk to folks who don't look like me—and I mean that across every axis you can imagine: people who didn't come up, first off, drowning in the privilege that I did; people who wound up coming at this from different industries; coming at this from different points of education; different career trajectories. And when people say, “Oh, yeah. Well, look at our team page. Everyone looks different from one another.” Great. That is not the entirety what diversity is.Francessca: Right.Corey: “Yeah, but you all went to Stanford together and so let's be very realistic here.” This idea that excellence isn't somehow situational, the story we see about, “Oh, I get this from recruiters constantly,” or people wanting to talk about their companies where, yes, ‘founded by Google graduates' is one of my personal favorites. Google has 140,000 people and they founded a company that currently has five folks, so you're telling me that the things that work at Google somehow magically work at that very small scale? I don't buy that for a second because excellence is always situational. When you have tens of thousands of people building infrastructure for you to work on, back in the early days was always the story that, that empowered folks who worked at places like Google to do amazing things.What AWS built, fundamentally, was the power to have that infrastructure at the click of a button where the only bound—let's be realistic here—is your budget. Suddenly, that same global infrastructure and easy provisioning—‘easy,' quote-unquote—becomes something everyone can appreciate and get access to. But in the early days, that wasn't the thing at all. Watching our technology has evolved the state of the art and opened doors for folks to be just as awesome where they don't need to be in a place like Google to access that, that's the magic of cloud to me.Francessca: Yeah. Well, I'm a huge, just, technology evangelist. I think I just was born with tech. I like breaking things and putting stuff together. I'll tell you just maybe two other things because you talked about excellence and equity.There's two nonprofits that I participate in. One I got introduced through AWS, our current CEO, Andy Jassy, and our Head of Sales and Marketing, Matt Garman. But it's called Rainier Scholars, and it's a 12-year program. They offer a pathway to college graduation for low-income students of color. And really, ultimately, their mission is to answer the question of how do we build a much more equitable society?And for this particular nonprofit, education is that gateway, and so spent some time volunteering there. But then to your point on the opportunity side, there's another organization I just recently became a part of called Year Up. I don't know if you've heard of them or worked with them before—Corey: I was an instructor at Year Up, for their [unintelligible 00:31:19] course.Francessca: Ahh. [smile].Corey: Oh, big fan of those folks.Francessca: So, I just got introduced, and I'm going to be hopefully joining part of their board soon to offer up, again, some guidance and even figuring out how we can help. But so you know, right? They're then focused on serving a student population and decreasing, shrinking the opportunity divide. Again, focused on equitable access. And that is what tech should be about; democratizing technology such that everyone has access. And by the way, it doesn't mean that I don't have favorite services and things like that, but it does mean—[smile] providing [crosstalk 00:31:58]—Corey: They're like my children; I can't stand any of them.Francessca: [smile]. That's right. I do have favorite services, by the way.Corey: Oh, as do we all. It's just rude to name them because everyone else feels left out.Francessca: [smile] that's right. I'll tell you offline. Providing that equitable access, I just think is so key. And we'll be able to tap in, again, to more of this talent. For many of these companies who are trying to transform their business model, and some—like last year, we saw companies just surviving, we saw some companies that were thriving, right, with what was going on.So again, I think you can't really talk about a comprehensive tech strategy that will empower your business strategy without thinking about your workforce plan in the process. I think it would be very naive for many companies to do that.Corey: So, one question that I want to get to here has been that if I take a look at the AWS service landscape, it feels like Perl did back when that was the language that I basically knew the best, which is not saying much.Francessca: You know you're dating yourself now, Corey.Corey: Oh, who else would date me these days?Francessca: [smile].Corey: My God. But, “There's more than one way to do it,” was the language's motto. And I look at AWS environments, and I had a throwaway quip a few weeks back from the time of this recording of, “There are 17 ways to deploy containers on AWS.” And apparently, it turned into an internal meme at AWS, which is just—I love the fact that I can influence company cultures without working there, but I'll take what I can get. But it is a hard problem of, “Great, I want to wind up doing some of these things. What's the right path?” And the answer is always, “It depends.” What are you folks doing to simplify the onboarding journey for customers because, frankly, it is overwhelming and confusing to me, so I can only imagine what someone who is new to the space feels. And from customers, that's no small thing.Francessca: I am so glad that you asked this question. And I think we hear this question from many of our customers. Again, I've mentioned earlier in the show that we have to meet customers where they are, and some customers will be at a stage where they need, maybe, less prescriptive guidance: they just want us to point them to the building blocks, and other customers who need more prescriptive guidance. We have actually taken a combination of our programs and what we call our solutions and we've wrapped that into much stronger prescriptive guidance under our migration and again, our modernization initiative; we have a program around this. What we try to help them do first is assess just where they are on the adoption phase.That tends to drive then how we guide them. And that guidance sometimes could be as simple as a solution deployment where we just kind of give them the scripts, the APIs, a CloudFormation template, and off they go. Sometimes it comes in the form of people and advice, Corey. It really depends on what they want. But we've tried to wrap all of this under our migration acceleration program where we can help them do a fast, sort of, assessment on where they are inclusive of driving, you know, a quick business case; most companies aren't doing anything without that.We then put together a fairly fast mobilization plan. So, how do they get started? Does it mean—can they launch a control foundation, control tower solutions to set up things like accounts, identity and access management, governance. Like, how do you get them doing? And then we have some prescriptive guidance in our program that allows them to look at, again, different solution sets to solve, whether that be data, security. [smile].You mentioned containers. What's the right path? Do I go containers? Do I go serverless? Depending on where they are. Do I go EKS, ECS Anywhere, or Fargate? Yeah. So, we try to provide them, again, with some prescriptive guidance, again, based on where they are. We do that through our migration acceleration initiative. To simplify. So.Corey: Oh, yeah. Absolutely. And I give an awful lot of guidance in public about how X is terrible; B is the better path; never do C. And whenever I talk—for example, I'm famous for saying multi-cloud is the wrong direction. Don't do it.And then I talk to customers who are doing it and they expect me to harangue them, and my response is, “Yeah, you're probably right.” And they're taken aback by this. “Does this mean you're saying things you don't believe?” No, not at all. I'm speaking to the general case, where if, in the absence of external guidance, this is how I would approach things.You are not the general case by definition of having a one-on-one conversation with me. You have almost certainly weighed the trade-offs, looked at the context behind what you're doing and why, and have come to the right decision. I don't pretend to know your business, or your constraints, or your capabilities, so me sitting here with no outside expertise, looking at what you've done, and saying, “Oh, that's not the right way to do it,” is ignorant. Why would anyone do that? People are surprised by that because context matters an awful lot.Francessca: Context does matter, and the reason why we try not to just be overly prescribed, again, is all customers are different. We try to group pattern; so we do see themes with patterns. And then the other thing that we try to do is much of our scale happens through our partner ecosystem, Corey, so we try to make sure that we provide the same frameworks and guidance to our partners with enough flexibility where our partners and their IP can also support that for our customers. We have a pretty robust partner ecosystem and about 150-plus partners that are actually with our migration, you know, modernization competency. So yeah, it's ongoing, and we're going to continue to iterate on it based on customer feedback. And also, again, our portfolio of where customers are: a startup is going to look very different than 100-year-old enterprise, or an independent software vendor, who's moving to SaaS. [smile].Corey: Exactly. And my ridiculous build-out for my newsletter pipeline system leverages something like a dozen different AWS services. Is this the way that I would recommend it for most folks? No, but for what I do, it works for me; it provides a great technology testbed. And I think that people lose sight pretty quickly of the fact that there is in fact, an awful lot of variance out there between use cases' constraints. If I break my newsletter, I have to write it by hand one morning. Oh, heavens, not that. As opposed to, you know, if Capital One goes down and suddenly ATMs starts spitting out the wrong balance, well, there's a slightly different failure domain there.Francessca: [smile].Corey: I'm not saying which is worse, mind you, particularly from my perspective, however, I'm just saying it's different.Francessca: I was going to tell you, your newsletter is important to us, so we want to make sure there's reliability and resiliency baked into that.Corey: But there isn't any because of my code. It's terrible. This—if—like, forget a region outage. It's far more likely I'm going to make a bad push or discover some weird edge case and have to spend an hour or two late at night fixing something, as might have happened the night before this recording. Ahem.Francessca: [smile]. Well, by the way, I'm obligated, as your Chief Solution Architect, to have you look at some form of a prototype or proof of concept for Textract if you're having to handwrite out all the newsletters. You let me know when you'd like me to come in and walk you through how we might be able to streamline that. [smile].Corey: Oh, I want to talk about what I've done. I want to start a new sub-series on your site. You have the This is my Architecture. I want to have something, This is my Nonsense Architecture. In other words, one of these learning by counterexample stories.Francessca: [smile]. Yeah, Matt Yanchyshyn will love that. [smile].Corey: I'm sure he will. Francessca, thank you so much for taking the time to speak with me. If people want to learn more about who you are, what you believe, and what you're up to, where can they find you?Francessca: Well, they can certainly find me out on Twitter at @FrancesscaV. I'm also on LinkedIn. And I also want to thank you, Corey. It's been great just spending this time with you. Keep up the snark, keep giving us feedback, and keep doing the great things you're doing with customers, which is most important.Corey: Excellent. I look forward to hearing more about what you folks have in store. And we'll, of course, put links to that in the [show notes 00:40:01]. Thank you so much for taking the time to speak with me.Francessca: Thank you. Have a good one.Corey: Francessca Vasquez, VP of Technology at AWS. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with a comment telling me why there is in fact an AWS/400 mainframe; I just haven't seen it yet.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

BANG! @southernvangard #radio Ep302! Time to tighten up Vangardians, Doe & Meeks are back for another week of the usual shenanigans - although we have to say the talk break banter is on another level this week. As you might guess, heaps of new music and we have a mid-mix interview with the DMV's DJ 2-TONE JONES, who recently dropped the incredible “CONTRABAND FROM INDIA” concept album that's out everywhere now. For our Thursday interview session, we head to Orlando to build with MIDAZ THE BEAST, who just released physicals for his 2020 release “WHERE THE SIDEWALK ENDS” on CHONG WIZARD RECORDS, and also recently dropped EP with New York producer SHARP. You can check interview snippets at the end of the mix until the full drops on Thursday! Better believe it's that #SmithsonianGrade #TwiceAWeek #WeAreTheGard // southernvangard.com // @southernvangard on #applepodcasts #stitcherradio #soundcloud #mixcloud #youtube // #hiphop #rap #undergroundhiphop #boombap #DJ #mixshow #interview #podcast #ATL #WORLDWIDE #RIPCOMBATJACK Recorded live August 29, 2021 @ Dirty Blanket Studios, Marietta, GA southernvangard.com @southernvangard on #applepodcasts #soundcloud #youtube #spotifypodcast #googlepodcasts #stitcherradio #mixcloud #SmithsonianGrade #TwiceAWeek #WeAreTheGard twitter/IG: @southernvangard @jondoeatl @cappuccinomeeks Talk Break Inst. - "DeDeux" - DJ Jon Doe "Tony Dorsett" - MidaZ The Beast & Delle Digga "All Praises Due" - MidaZ The Beast & Delle Digga "Kyrie" - MidaZ The BEAST (prod. SHARP) "Peri Peri" - Westside Gunn ft. Rome Streetz (prod. Denny Laflare) "Chicharrones" - CJ Fly (prod. Inf) "S33N" - Brother Ali "Psalm" - 7xvethegenius (prod. Camoflauge Monk) Talk Break Inst. - "Giorgo" - DJ Jon Doe "The Process" (Presyce Remix) - Oxygen ft. Dr. Becket & Emskee "Momentous" - 1773 "Wife Of Odin" - Pitch 92 ft. Doctor Outer "Moore's Law" - MOOKNETO "Better Believe" - Neek The Exotic & Large Pro ft. Raw Wattage "Guess Who's Back" - Paula Perry x Castle Money Beats x Boogie Blind Talk Break Inst - "Who Gets Your Love" - DJ Jon Doe Mid-Mix Interview - DJ 2-Tone Jones Mid-Mix Interview Inst. - "The Curry Out" / "St. Karen" DJ 2-Tone Jones / Drew Dave / KO "Not Down" - DJ 2-Tone Jones ft. Prince Po, Asheru, Joe. D & yU (prod. Diamond D, cuts DJ RBI) "PAIN!" - Ayun Bassa & Jacob Rochester "Peak Lapel Tux" - DNTE (prod. DrkTheLegend) "The Lox!" - Grip ft. Tate228 (prod. DJ Khalil, Tedd Boyd & TU!) "Right Now" - Westside Gunn ft. Stove God Cooks & Jadakiss (prod. Denny Laflare) Talk Break Inst. - "Reassure Me" - DJ Jon Doe "Blessed Times" - Westside Gunn ft. AA Rashid (prod. Conductor Williams) Interview Snippets - MidaZ The Beast

During the month of Elul, hundreds of high school graduates flock to Israel for their gap year programs, yeshivot, and seminaries. This year offers experiences of high level learning, spiritual growth, increased maturity, new friendships, and fun. But many students experience confusion, particularly around their developing sexuality. The legendary “Night of Tears” refers to the night that some yeshiva boys and seminary girls are encouraged to end their boyfriend/girlfriend relationships for the greater good of full time Torah study. On the other hand, the phenomenon of clubbing, drinking, and hooking up is real. Are our educational institutions teaching agency and self-control, or fear and self-loathing? What are the consequences of negative messaging about sex? How can we educate religious kids to navigate intimate relationships with respect for boundaries, and with consent and safety, while simultaneously emphasizing halacha and Jewish values? Finally, in light of a recent incident of rape reported at YU, how do we keep our institutions safe? Join Talli Rosenbaum and Rabbi Scott Kahn for this difficult but necessary discussion. Become an Intimate Judaism Patreon subscriber to get additional episodes, merch, and more, including an upcoming Q and A. Just go to https://www.patreon.com/intimatejudaism.