37 Burst results for "Anton"
Cloud Security Podcast by Google
A highlight from EP141 Cloud Security Coast to Coast: From 2015 to 2023, What's Changed and What's the Same?
"Hi there, welcome to the Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here are myself, Timothy Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and Anne Hunchuvakian, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website, cloud .google .com slash podcast. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit that subscribe button in your podcasting app of choice. You can follow the show, argue with your hosts and the rest of our Cloud Security Podcast listeners on our LinkedIn page. Anton, this is a fun CISO episode that's full of growth lessons, leadership lessons, interesting stories of migrating to cloud and one of the strongest endorsements of cloud as both risk reduction and business velocity improvement I think we've gotten on the show to date. What did you think today? I think so too. I think that we should not lament that the episode did not cover how to improve configurations of your cloud armor or how to run SIEM or any of this. It's a really good episode with a guest who experienced some of the lessons that clients are learning today, but eight years ago. So it's really fascinating that it's like for many companies, his past is the future and that makes his lessons hugely valuable. Hugely valuable and his advice is applicable to both CISOs all the way down to people who want to get started and get promoted in our field. And so maybe with that, let's turn things over to today's guest. With that listeners, I'm delighted to introduce today's guest. Today we're joined by Jeremiah Kung at AppLovin. Jeremiah, thank you so much for joining us today. I'm excited to have you here because we have something in common. We've both had the East Coast to West Coast experience. I started my career in Washington, DC, and I swear to God, the people I worked with at the startup I worked at First Shape, to this day, if I get drinks with them, they rip on me for wearing a suit to my interview with them. So the East Coast to West Coast interview, the whole thing is very real. So what's your take on that distinction aside from costumes for interviews? Yeah, I totally get it. I'm not a big fan of wearing ties either. It feels like a weak pair of hands slowly strangling me all day long. Yeah, for me, it's more of a metaphorical one. I was born a West Coast surfer kind of guy for the longest time, but career wise, especially making the moves, working for bigger banks, which I saw them as East Coast, let's face it, the bigger banks are New York, North Carolina. It's very suit and tie, very more button down, very much more about the controls, the frameworks, the committees, and infosec has to give the go ahead further than it goes to production. West Coast being out here with places like Palo Alto, where innovation is rampant and it's wonderful, you got to move fast. So you live by the speed and the velocity of your releases. And if someone's slowing you down, they're going to keep you from getting to market faster than your competitors. So it's a very different approach to information security. I remember earlier when I started speaking about this about a year ago, you can tell all sorts of funny stories about being at an East Coast company. And you know, all the red tape you have to go through and everyone kind of sighs and kind of agrees with that. But you know, at the end of the day, the West Coast, you have other risks you need to be aware of too, as well. And it's about trying to find that balance and attending to what the risks are. So the fundamentals don't really change, but out here, you have to innovate faster? Innovate faster. And I think really what you need to understand to have is a clarity of the risk, right, to really understand what the risk is. Coming from a big bank, of course, losing data is a huge thing, operational risk, regulatory risk, and there's all of that layers that you need to go through. With the West Coast, you really need to kind of understand, okay, how's this company making money? Where's all our data sitting? And you know, what are all our attack surfaces? So I think this is a basic step for anybody information security is to really understand what the asset inventory is, including intellectual and data assets. But it's not just small company, large company, though, because it sounds like if you're in the West Coast startup, your risk of just dying, the risk of startup going kaput, deep in my heart, I think it's more important than cybersecurity risk. I'm joking about it. But ultimately, I understand if I am a startup guy, the startup going out of business is a higher risk than security issue. Of course, security issues can also drive you out of business. Yeah, I get that. But that's not just what you're talking about, right? There are other issues. Yeah, absolutely. Other issues on that, because operational risk is again, if your competitors beat you, and you lose market share, okay, yeah, regulators are going to come after me or something like that. But it doesn't really matter. I'm out of business. What's the big deal there. But at the same time, if you do get breached, that's going to make you lose market share as well. So you need to kind of figure out what that balance is. Okay, that makes sense. So let's shift gears. This was actually kind of a cool intro. And it introduced the whole concept in my mind. Now I kind of think, hi, are you East Coast CISO or West Coast CISO? Maybe my greeting for the foreseeable. One other thing we wanted to explore, and this may have something to do with this cost dimension is, initially, when cloud computing public cloud showed up, the default stance from any CISOs was kind of slightly negative and, or maybe strongly negative or get this cloud out. I'm not allowing it in my company. So this was probably like a good number of years ago. Now, certainly this changed, and we see a lot of CISOs embracing cloud. But here's the thing. We hypothesize that there are CISOs who are active cloud fans who kind of want cloud because it's better. And admittedly, we have a CISO here, Phil Danables, who is of that type, but he joins Google Cloud because of the belief, presumably. Now, are there other CISOs who think cloud is just superior for security and they're driving cloud adoption as opposed to resisting it? What is your take on this? Yeah, that's a great point. I've seen both sides of the coin. I've talked to people on both sides of the coin on this one, and I'm kind of obviously in the more cloud -centric side, but I'm a little bit more in the middle to the left of that, if that makes any sense. I'm very pro -cloud. I think it deals with, very efficiently, a lot of the old concerns that you would have about security, patching updates and Vone scans and Vone updates and all that other type of stuff, because you can spin these things up so quickly, the fixes and release it out there. It's not, back in the old days, some guy with a CD running around from every server trying to load and update patches and stuff like that. You know, that's such a funny thing to pause on, because maybe this is my youth speaking. I sometimes forget that people had to do that. And I think for a lot of our listeners, it's hard to appreciate that, yeah, really, that's how it used to work. If you had to patch something, it wasn't Terraform Apply, my new version. It was a dude with a CD in a server room somewhere. That's crazy. Oh, yeah. Yeah. And if you were in a freeze period to try to do patches, you had to go through all sorts of updates and things like that to try to get in, and it gets all sorts of approvals. I think the dude with a CD is the least of your problems, is the talking to all the layers for making a change, submitting requests in paper forms, you know, ideal bureaucrats. I think the dude with a CD would be like, dude comes in, sticks a CD, and does the patching. That's fast. No, no, no. But some of that still exists, right? You still need change windows, you still need approval. So maybe here's the question is, how does Cloud, for you as a CISO, change that part of the equation? What's the non -technical changes? Improved. Not changed. Take the pessimistic stuff out. How did Cloud improve this for you? Anton, I think that's known as leading the witness. Okay, fine. Yeah. I feel like you're trying to give me what the answer is there. But I mean, I'm already on that side. It's really the visibility. Because, you know, being at Apple, we're strong partners with Google Cloud and being all in Google Cloud, I can really see where our assets are, I could see trends over time, I could see the logging and the monitoring and all the alerts and the phones all in one spot, which is very nice. But I get it, not every company can be 100 % in the cloud. I would imagine that a bank, you're going to at best be some kind of hybrid approach to that, depending on the size of the bank. And I could see and outsource a lot of the running around changing. I just had this question the other day dealing with some audits. Hey, show me when's the last time you changed and rotated your keys and how often that is? Well, being in Google Cloud, they do that for you. And you guys do a random rotation of that. Whereas AWS does it to make sure the keys are rotated every 365 days, according to NIST and TIP standards. You guys do a random rotation, which it could be two weeks, it could be 365 days, but at some point, those keys will be rotated. So that's kind of the intelligence behind to keep it random, to keep it fresh, to keep it on top. I appreciate that from a security perspective. And I don't have to rely on a team to constantly run, again, running it out and changing keys and this and that, even at a cloud level where you have to, you know, you can just terminal in and do that. This is just handled for you. And as we moved more and more to Kubernetes, more and more to serverless environments, these ways old of needing to do security become less and less impactful. But then again, there's always a new attack surface that has yet to be discovered. New problems are going to come and show and raise their heads from a security perspective. We're just on the way of discovering what those are. Yeah, that makes a lot of sense. So I want to go back in time a little bit to maybe when cloud was newer for you. I understand you were part of some big migrations back in the day. What did you learn about doing those, quote unquote, right? It was really lucky to be with Capital One 2015, 2016, sometime when they were deciding to be the first big bank to move everything 100 % into the cloud. So famously cloud forward. Yeah, very cloud forward. Yeah. So how did that go? It was a lot of sleepless nights, a lot of work, but it was really interesting. It was great to be part of that team to really learn how cloud can mitigate, how to move quickly, how to combine the teams. I think one of the things that I found to be the right way of doing things was they took a very strong two in the box approach, really kind of a three in the box approach. And what they mean by that is for those teams to move forward, the development team would have one lead that was the business lead and say, hey, this is what the customers want. This is what the industry and market trends are looking at. And then there would be a tech lead say, okay, this is what the teams can develop and how long it's going to take. And then I kind of squeezed my way in there to become that three in the box, the security perspective to listen, okay, this is what the business wants. This is what tech can provide. And here's the risk and the risk we need to mitigate. And to have that conversation was invaluable because you got it from every angle. You didn't just hear what IT said that I can only do so much and why is the business wanting that? You got to hear it from the business exactly what they wanted, how they wanted to do things and why too, and why this was important for the business. That makes a ton of sense. So what were maybe some, for people in a similar boat in the future, how did you get effective at communicating the risk to people? How did you help business understand that? How did you help IT understand that? What was it? The saying that they say, fools talk, cowards stay silent, wise people listen. And that was really kind of key for me on that one was at first listening to the business, understanding their pains, understanding what they were challenged with. This really helped me to assess my risk and also come up with mitigation plans that would work for the business. Again, same approach with IT is understanding, okay, what are their pains? Where are they coming from? And this way I can come up with what the plans should look like with considerations for everybody across the board. Okay, so... Wait, wait, wait. Sorry, Tim. I am kind of curious about it, but I'm nervous that we are kind of reducing all this to effective communication only. Is this... Sorry, this doesn't sound very right. But the point is that effective communication clearly had a huge role, but there are other pillars for success because a huge migration of the first half of bank to the cloud had other tricky elements, right? Yes. So that was another one. What we had was a very strong partnership with our cloud partners at the time. They had been sitting and working with, especially since there were no frameworks, there was no really references. I remember even the regulators at the time were sitting, okay, that's great. You guys are doing that. Can we just sit and listen to see what you guys are doing so we can kind of spread this out with the rest of the banks and standards out there? I think the key partnerships with your vendor, your cloud vendor specifically, was invaluable, providing advice and having that back and forth feeds. I remember working with one particular tool. We said, hey, this encryption standard is not really up to snuff. Could you guys work on that and develop something? And sure enough, I think within two or three dev cycles, they had something that was what we needed. To this day, I find that to be an ideal approach, working with my cloud vendors or just any vendors that I have. I appreciate those who will sit down, listen to me and hear my complaints and do the whole listening and coming up with an approach. I think almost all my security vendors I'm using, as well as the cloud vendors with you guys, have that type of approach. Okay. That does sound like real magic for a lot of more technically minded leaders I've met. So this is solid. This advice is worth the price of podcast alone in my mind. So to sort of progress further, like you mentioned that you learned those lessons quite some time ago and many companies are still learning them even now. And for some of them, cloud is with the future, funny enough. So now that you've went through all this and other lessons, how are you approaching securing cloud given differently the lessons? Like what are you doing better in 2023 regarding securing cloud compared to the original lessons? For me personally, it's a little bit different. Talking to some of my peers who still haven't made that jump, they seem to have that lack of trust of having their data set somewhere not on a server that they're under control over at some point and at their own personalized data center that they have, their own physical security, own the HVAC systems and all other type of stuff. They want to have that data. Okay. That's an approach. It's going to be tough to scale over time. I think one of the things that I found to be very successful here that's helped is reading a lot, a lot of reading, a lot of talking to other peers in the industries and a lot of vendors going to these discussions to stay on top of what the recent threat is and what the other trends are and what the solutions are out there. I think that's key. We're a community and that has to be pushed forward if that makes any sense to continue to talk to folks. I think sitting in your own little silo is not going to work very well. Well, I don't think I know. Yeah. I forget who it was on the show, but they said that security is a team sport. Yeah, absolutely. So I guess on that thread, actually, I want to pull on this a little more. I often joke with CISOs on the show that what they need is not another piece of technology, but rather a family therapist to help their relationships with other teams. What advice would you give to other CISOs, security leaders on first building better relationships with other teams, and two, how to get out of the saying no mentality and into that real collaborative listening mode? Yeah, that saying no mentality. I've talked to some CISOs like that who said, yeah, I'm looking to hire and I need people to join my team because I need them to get out there and say no as much as humanly possible. No, people don't actually say that? Explicitly said that? Oh, wow. Yeah. I just remember I stopped and I looked at him and I said, how are you doing, man? Are you doing okay? Wow. I can imagine his life was pretty miserable. Maybe if you're working on a highly top secret government project where you got to hide the alien bodies, maybe. That's a good example. Yikes. Yeah. I think a family therapist is a great way to do that, to work with their teams, but I think really at the end of the day, it's not that hard. Everyone wants to do a good job when they come to work, hopefully, and everyone wants to get along with their work base. I think the thing is just the key is to be available for them if they have questions. Try to initiate those conversations and also learn when to back off. Everyone's busy. They have a lot of their own success metrics they have to shoot for, so if you can be part of that formula, great on a day -to -day basis, but if they're a little too busy for you to come back at a better time, pizza and beer is always a good way to go as well, but I think it's just trying to be as value -add as possible at all times and be understanding that everyone's trying to get their jobs done as well. I think that's key. That's good advice not just for security leaders, but for PMs as well. One of my favorite pieces of advice for PMs I ever heard was framed as bring the donuts, and I think security is kind of this way too. With PMs, nobody invited you, and they can get along just fine without you for the most part, so you've got to really understand where they're coming from and what value you're bringing to the equation if you want people to work with you constructively. Yeah, it's knowing your role. Security can be a value -add and can be positive for the business, but a majority of the time we're kind of a cost to that business, a necessary cost and maybe, hopefully, a helpful business benefiting cost, but at a cost, nonetheless, people aren't usually going to go to the company for how secure it is, especially on the West Coast. It's about how much money or how handy their product is first. Security is kind of a second thought, but we can definitely work together on that. I have heard some pretty inspiring stories on this show and in my professional life of how security helps teams move faster by taking, say, risk out of the equation or automating away some risk, and so I think maybe in cloud, due to its nature, there's unique opportunities for security teams to be helpful there. Oh, yeah, absolutely. Usually, if you're already moving into the cloud, you're kind of taking a fresh start, and that's where you can really do the security by design. I get it. If you're on mainframes and you've been around for 30 years and now you're the new security person, it's really to go back and difficult to do security by design from the start, right? You're kind of retroactively trying to find fits here or there. But starting fresh into the cloud, it's like, okay, we could do this by design. AppLovin's been great about kind of doing that with protecting their data by saying, hey, I don't need a lot of sensitive data. We're going to try to use our own attribution formats and other types of formulas to grow our customers' business without taking on a lot of that sensitive information. So that helps reduce the risk, again, secure by design. So this is good, especially excellent. Okay, Tim, you can make fun of me for saying excellent, but this is excellent. However, excellence hasn't spread uniformly, right? And you do see people who are still in the saying no mentality. And regarding architecture, we do see a lot of people still stuck essentially in the 90s regarding architecture. They want to lift and shift, or they're even debating whether this new cloud thing is for them. So given your experience, what's your best advice for the leaders of these organizations where either the CISO is blocking cloud or maybe even CIO doesn't want it? So basically, they are not getting any of the benefits. And when they start doing cloud, they do it in a very on -premise way, the lift and shift way. Yeah, that's a tough one, because you're really trying to tell somebody to change their entire point of view. Yes, that's exactly right. Yeah, you need to have that aha moment, travel to Damascus moment for them. And I don't think I could give them individual advice to have that aha moment other than travel the world, talk to folks and, you know, experience and see what else is out there. I know for AppLovin, when we jumped over 100 % into the cloud, our business just naturally spiked because of the efficiencies, how quickly automating compute usage was with that intelligence to go up and down for what our demands were. That's amazing. And, you know, again, that's a strong partnership with Google on that, having just an incredible team that really kind of jumped to everything that we needed, which was fantastic. Not easy to find in the industries all over the world. So that was really helpful. But I think they need to talk to people who have those success stories and just to see what it is. I think at the end of the day, if those folks would talk to the business more and to see what the business needs, they'll kind of start to see, yeah, that it makes sense. That's where we need to kind of move towards. But that has to be that personality of I got to get out of my silo. I got to talk to people out of my comfort zone, because you may not be a business person. You could be a genius infosec person. But if you don't get the business and have that background, it's going to be difficult to travel far. Yeah, that's for sure, Drew. It reminds me of that saying, if you want to go fast, go alone, if you want to go far, go together. You really can't go far in security unless you can bring other people on board. And that's one of the things we've talked about on another show, I think, a CISO episode, talking about the challenge of developing people who've excelled for their technical skills as they rise in their career to then excel on non -technical skills. What advice do you have for those people to make that leap from I'm great because I can understand X .509 to I'm great because I can convince the person down the hall that our interests actually are aligned? Yeah, that's a great point. So even on my own team right now, I have people who are very smart, very technically have done some great things, and they want to get to that next level. So for me, to that level, to try to help coach them along those lines, I recommend understanding all the different domains and then having a very strong relationship with the business and spend time with them. I think peer mentorships and things like that to do exchange programs within the company are also very important to understand how the business works and just spending time with them. I think that's, I guess, it's almost like what a social CISO type of thing. It's just very social, and it's really about getting outside of your shell and understanding everyone else's pains and what their goals are to win for their game. That's really kind of at the end of the day, yes, technical, that's good. You need that, absolutely. But it's all about people, processes, and tools. It's a three -legged chair, right? So people are so key, and I think I find a lot of the really, really smart infosec folks tend to focus on the tools, and everyone ignores processes, right? No one wants to document anything, but that's also very important too. So those are the kind of key aspects. But this sounds like hard work. It can be, but it's really depending on your personality types. But it's really not too hard. There's a lot of great classes out there to kind of coach yourself through, and just the ways of thinking about stuff, which is good. I read this great book called Superforecasting, which was, Phil Tetlock wrote this, and it was really about a way of how to think of things differently. You don't have to be highly educated. There's these experiments that are to use folks to become, quote, unquote, superforecasters. Some of the best performers, one of them was a housewife who just had a high school education, but because once she learned how to use the little levers and stuff to do the math on this, it became about how did she see things and how she thought about things. And it was about, okay, most people would see an event and automatically change their opinion about something broadly. For her, it was about, okay, that changes my opinion a little bit towards this direction. And then she would gather more and more data, and each time it would move the dial to the left or to the right. And eventually, she was able to call out, yeah, in six months, this is going to happen. And she was right. I think it was close to 87 % of the time. People like that had that kind of approach is really helpful. And I think, again, that kind of breaks down from what we were talking about today is about seeing the trends and kind of seeing the forest of the trees and then looking at every piece of information. And they'll just stick to one piece of information, which might be legitimate, but have that kind of shade your whole approach. You got to see all sorts of factors to kind of come in and see at the end of the day. And I think if you do that, you're going to see that cloud's going to be, for most cases, not all. Again, if you're hiding UFO bodies, okay, maybe not. We'll see that it's an advantage. Well, Jeremiah, I hate to do this on such a note, but I have to ask you our traditional closing questions. Sure. First, do you have a tip to help people improve their security when migrating to cloud? And two, aside from super forecasting, which sounds great, do you have recommended reading for our listeners? Yes. Super forecasting was a great one. I read another great one recently called American generalship. I'm just about finishing it up right now. It's pretty good. It's ideal of how to become a stronger leader and a stronger follower at the same time too. This kind of helps you coach of, okay, this is how I can mentor somebody. And this is also how to be a good mentee at the end of the day. It also has a lot of really great military stories in the background on that too. So fun stuff there if you're a fan of the military. And I'm sorry, what was the other question? One tip, one easy to follow tip for people. Yeah. I'd say try to make a new friend inside the business. At least once a month, have these one -on -ones and have a cup of coffee. I think it goes a long way. I remember getting on an airplane ride home from one of these other team events, talking to sat down two folks that I don't normally work with and got to spend five hours instead of watching a stupid movie, sitting there and talking about their business and what they're seeing, talks of AI and how they're using co -pilot and chat GPT and all that other type of stuff. It was really fascinating to hear their point of view of what they saw from a line of business that I didn't normally do a lot of work in. That's a fascinating answer and fits with the theme of the episode, which I think might be listeners, go make some new friends. So with that, Jeremiah, thank you so much for joining us today. Thanks guys. Really appreciate it. And now we are at time. Thank you very much for listening and of course for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify or wherever else you get your podcasts. Also, you can find us at our website cloud .withgoogle .com slash cloud security slash podcast. Please subscribe so that you don't miss episodes. You can follow us on Twitter, twitter .com slash cloud sec podcast. Your hosts are also on Twitter at Anton underscore Jovian and underscore Tim Pico. Tweet at us, email us, argue with us. And if you like or hate what we hear, we can invite you to the next episode. See you on the next cloud security podcast episode. Bye.
Simply Bitcoin
Fresh update on "anton" discussed on Simply Bitcoin
"Let's just hope we don't see another day or maybe you want another day. Maybe you haven't got to your stacking goals yet. But anyway, drop your meme review score on the other side of Nico over there and we will cover them live. My meme review score for today is some balloon bubble wrap, bubble wrap, bubble wrap, bubble wrap from my new microphone coming in here. All right. Anyways, Nico, what is your meme review score for today? A leveler, a leveler, leveler. It has and it has all these different. Can't even get a level, though, look at you. All right, Zia, meme review score for today, good sir. What? Sorry. You got a what? Wait, hold on. Do I have a what in here? Oh, no, I don't have a yellow what. A meme review score. What do you think about the memes? Oh, yeah. So I don't know. I don't follow a lot of memes, but I like the Lagarde one. Yeah. All right. So what? It's a great score. All right. So, yes, all right, everybody, before we get to the meme scores, guys, check out our Simply Bitcoin merch, support the show, support us, help us stay on the air, buy our merch or wine. We'll we'll get you the hat soon. We will get you women's sizes soon. Where? No, we're coming out with actual Simply Bitcoin. Sophie's taking care of it. Simply Bitcoin women merch. Right. So it's going to be awesome. But yeah, please support the show. Get yourself some Simply Bitcoin merch and you can scan the QR code or you can check in the video description and you can find it there. All right. Opti, is it time for the music? It is time for the music. Bitcoin for Canadians, I give the memes warm weather and a cold Canadian beer. McLovin, this is my last meme score until I reach my short term goal in Bitcoin. Opti says, when you're looking at those pics of praying Mantis Lagarde and your waifu is giving you that jealous look. Igor, I give the memes a slayed fake hero. Phil, Philip Ruzzo, what, what, what? Next one by Anton Los, score seed signer plus steel plate for backup. Get through the game. This one seems CG Nico, I don't know. Philip Ruzzo, meme Opti eating the bugs, La God. Phil, Phil C, I give the memes she mates and then she kills me. Yo, XX1 Elon as an alien clone. That means we're out of time, guys. Thank you so much for tuning in to Simply Bitcoin Live. We appreciate you guys tuning in. This week's going to be a little bit hectic just because Opti and I are traveling to California for Pacific Bitcoin this week. So we will try to make all of the shows, but we might miss one here and there just because of the setting up and setting up backstage and all the equipment and all that stuff. Tomorrow's I'm ninety nine point ninety nine percent sure I'll be back tomorrow with my Cobart or Rustin. So we should be able to do a show. And then on Wednesday, if everything works out, we should be able to do a show and then Thursday, Friday, we should be able to do a show from the floor of Pacific Bitcoin. Stay tuned. Also, spaces will probably be off all week until like the festival. I think we're streaming. Yeah, yeah. Yeah, we got some surprises in stock for spaces as well. So stay tuned for for Monday. We're going to change some things around. This should be a lot of fun. But anyways, I want to thank our very special guest, Zia. Thank you so much for tuning in. I appreciate it.Bitcoin is a worldwide phenomenon. And thank you so much for sharing your insights into the Bitcoin movement in Iran. Thanks for having me. Appreciate it, man. Thank you so much for joining us. All right, guys, if you enjoy the show, you know what to do. Smash that like button. Consider subscribing if you feel like we provided you value. But the number one thing you could do to push the peaceful Bitcoin revolution forward is share this content. In fact, share all Bitcoin content. Don't be exclusive. Be inclusive. Don't share your coin content. That's counterproductive. We love you all. I'll see you tomorrow from Los Angeles, California, for another episode of Simply Bitcoin Live. Peace out.
Book Club with Julia and Victoria
A highlight from 117 Beyond the Story by BTS & Kang Myeong-seok A Memoir or an Official Wiki?
"What is book what the heck is this book what is it the main thing i got from it was like this sense of feeling seen and validated well why does it have to be this way this book was placed in my hand for this moment insightful learned a lot wrote some quotes that i'm ready to like paint on my wall i love this book that we just kind of pull out some some of the big things that we see and talk about a few different ones i apologize if most my contribution has k -pop references alternative book title the feminine mystique part two you're really just gay welcome to book club with julia and victoria we are two friends who find making and presenting power points on their special interest via super fun way to spend two hours on a saturday night it was the best time i had such a great time with you yesterday and we'd like to be your book friends this is a podcast for the books we just can't shut up about and this one is truly for julia and i'm here as the bestest of friends along with two lovely guests we will introduce in just a moment this week we're talking about beyond the story a 10 -year record of bts written by kang myung suk along with bts's interviews and translated by anton herr claire the first official biography charting the inception and rise of the global sensation kpop boy group bts and this is very much an official biography sort of by and about the company as much as about the artist so we're here to kind of talk about what exactly is going on with this book and bring in some special guests very very quickly before we introduce them if you'd like to support the show you can rate review and subscribe on any and all podcast platforms. If you're in the market for buying some books, you can go down into the show notes. Any book links that are there will take you to our affiliate page on bookshop .org and we get a very small kickback from those. And if you'd like to join the club, you can go to buymeacoffee .com slash book club with JB, where we have all of our archived episodes, a bunch of bonus content, all kinds of fun stuff. And that's it. Our special guests, husbands Adam and RJ are here. They have been podcast hosts since 2015 and can currently be found on the Ampliverse channel, hosting and producing shows like Did You Read the Group Chat, Showgaze, a movie musical podcast, and their own Boys Love series, where they recap idol survival shows like Boys Planet and Queen Dumb Puzzle, dating shows like His Man and BL series like The 8th Sense, and they're currently recapping Cherry Magic. Victoria doesn't know what any of this is. It's okay. The word salad.
Cloud Security Podcast by Google
Fresh update on "anton" discussed on Cloud Security Podcast by Google
"Hi there, welcome to the Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here are myself, Timothy Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and Anne Hunchuvakian, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website, cloud.google.com slash podcast. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit that subscribe button in your podcasting app of choice. You can follow the show, argue with your hosts and the rest of our Cloud Security Podcast listeners on our LinkedIn page. Anton, this is a fun CISO episode that's full of growth lessons, leadership lessons, interesting stories of migrating to cloud and one of the strongest endorsements of cloud as both risk reduction and business velocity improvement I think we've gotten on the show to date. What did you think today? I think so too. I think that we should not lament that the episode did not cover how to improve configurations of your cloud armor or how to run SIEM or any of this. It's a really good episode with a guest who experienced some of the lessons that clients are learning today, but eight years ago. So it's really fascinating that it's like for many companies, his past is the future and that makes his lessons hugely valuable. Hugely valuable and his advice is applicable to both CISOs all the way down to people who want to get started and get promoted in our field. And so maybe with that, let's turn things over to today's guest. With that listeners, I'm delighted to introduce today's guest. Today we're joined by Jeremiah Kung at AppLovin. Jeremiah, thank you so much for joining us today. I'm excited to have you here because we have something in common. We've both had the East Coast to West Coast experience. I started my career in Washington, DC, and I swear to God, the people I worked with at the startup I worked at First Shape, to this day, if I get drinks with them, they rip on me for wearing a suit to my interview with them. So the East Coast to West Coast interview, the whole thing is very real. So what's your take on that distinction aside from costumes for interviews? Yeah, I totally get it. I'm not a big fan of wearing ties either. It feels like a weak pair of hands slowly strangling me all day long. Yeah, for me, it's more of a metaphorical one. I was born a West Coast surfer kind of guy for the longest time, but career wise, especially making the moves, working for bigger banks, which I saw them as East Coast, let's face it, the bigger banks are New York, North Carolina. It's very suit and tie, very more button down, very much more about the controls, the frameworks, the committees, and infosec has to give the go ahead further than it goes to production. West Coast being out here with places like Palo Alto, where innovation is rampant and it's wonderful, you got to move fast. So you live by the speed and the velocity of your releases. And if someone's slowing you down, they're going to keep you from getting to market faster than your competitors. So it's a very different approach to information security. I remember earlier when I started speaking about this about a year ago, you can tell all sorts of funny stories about being at an East Coast company. And you know, all the red tape you have to go through and everyone kind of sighs and kind of agrees with that. But you know, at the end of the day, the West Coast, you have other risks you need to be aware of too, as well. And it's about trying to find that balance and attending to what the risks are. So the fundamentals don't really change, but out here, you have to innovate faster? Innovate faster. And I think really what you need to understand to have is a clarity of the risk, right, to really understand what the risk is. Coming from a big bank, of course, losing data is a huge thing, operational risk, regulatory risk, and there's all of that layers that you need to go through. With the West Coast, you really need to kind of understand, okay, how's this company making money? Where's all our data sitting? And you know, what are all our attack surfaces? So I think this is a basic step for anybody information security is to really understand what the asset inventory is, including intellectual and data assets. But it's not just small company, large company, though, because it sounds like if you're in the West Coast startup, your risk of just dying, the risk of startup going kaput, deep in my heart, I think it's more important than cybersecurity risk. I'm joking about it. But ultimately, I understand if I am a startup guy, the startup going out of business is a higher risk than security issue. Of course, security issues can also drive you out of business. Yeah, I get that. But that's not just what you're talking about, right? There are other issues. Yeah, absolutely. Other issues on that, because operational risk is again, if your competitors beat you, and you lose market share, okay, yeah, regulators are going to come after me or something like that. But it doesn't really matter. I'm out of business. What's the big deal there. But at the same time, if you do get breached, that's going to make you lose market share as well. So you need to kind of figure out what that balance is. Okay, that makes sense. So let's shift gears. This was actually kind of a cool intro. And it introduced the whole concept in my mind. Now I kind of think, hi, are you East Coast CISO or West Coast CISO? Maybe my greeting for the foreseeable. One other thing we wanted to explore, and this may have something to do with this cost dimension is, initially, when cloud computing public cloud showed up, the default stance from any CISOs was kind of slightly negative and, or maybe strongly negative or get this cloud out. I'm not allowing it in my company. So this was probably like a good number of years ago. Now, certainly this changed, and we see a lot of CISOs embracing cloud. But here's the thing. We hypothesize that there are CISOs who are active cloud fans who kind of want cloud because it's better. And admittedly, we have a CISO here, Phil Danables, who is of that type, but he joins Google Cloud because of the belief, presumably. Now, are there other CISOs who think cloud is just superior for security and they're driving cloud adoption as opposed to resisting it? What is your take on this? Yeah, that's a great point. I've seen both sides of the coin. I've talked to people on both sides of the coin on this one, and I'm kind of obviously in the more cloud-centric side, but I'm a little bit more in the middle to the left of that, if that makes any sense. I'm very pro-cloud. I think it deals with, very efficiently, a lot of the old concerns that you would have about security, patching updates and Vone scans and Vone updates and all that other type of stuff, because you can spin these things up so quickly, the fixes and release it out there. It's not, back in the old days, some guy with a CD running around from every server trying to load and update patches and stuff like that. You know, that's such a funny thing to pause on, because maybe this is my youth speaking. I sometimes forget that people had to do that. And I think for a lot of our listeners, it's hard to appreciate that, yeah, really, that's how it used to work. If you had to patch something, it wasn't Terraform Apply, my new version. It was a dude with a CD in a server room somewhere. That's crazy. Oh, yeah. Yeah. And if you were in a freeze period to try to do patches, you had to go through all sorts of updates and things like that to try to get in, and it gets all sorts of approvals. I think the dude with a CD is the least of your problems, is the talking to all the layers for making a change, submitting requests in paper forms, you know, ideal bureaucrats. I think the dude with a CD would be like, dude comes in, sticks a CD, and does the patching. That's fast. No, no, no. But some of that still exists, right? You still need change windows, you still need approval. So maybe here's the question is, how does Cloud, for you as a CISO, change that part of the equation? What's the non-technical changes? Improved. Not changed. Take the pessimistic stuff out. How did Cloud improve this for you? Anton, I think that's known as leading the witness. Okay, fine. Yeah. I feel like you're trying to give me what the answer is there. But I mean, I'm already on that side. It's really the visibility. Because, you know, being at Apple, we're strong partners with Google Cloud and being all in Google Cloud, I can really see where our assets are, I could see trends over time, I could see the logging and the monitoring and all the alerts and the phones all in one spot, which is very nice. But I get it, not every company can be 100% in the cloud. I would imagine that a bank, you're going to at best be some kind of hybrid approach to that, depending on the size of the bank. And I could see and outsource a lot of the running around changing. I just had this question the other day dealing with some audits. Hey, show me when's the last time you changed and rotated your keys and how often that is? Well, being in Google Cloud, they do that for you. And you guys do a random rotation of that. Whereas AWS does it to make sure the keys are rotated every 365 days, according to NIST and TIP standards. You guys do a random rotation, which it could be two weeks, it could be 365 days, but at some point, those keys will be rotated. So that's kind of the intelligence behind to keep it random, to keep it fresh, to keep it on top. I appreciate that from a security perspective. And I don't have to rely on a team to constantly run, again, running it out and changing keys and this and that, even at a cloud level where you have to, you know, you can just terminal in and do that. This is just handled for you. And as we moved more and more to Kubernetes, more and more to serverless environments, these old ways of needing to do security become less and less impactful. But then again, there's always a new attack surface that has yet to be discovered. New problems are going to come and show and raise their heads from a security perspective. We're just on the way of discovering what those are. Yeah, that makes a lot of sense. So I want to go back in time a little bit to maybe when cloud was newer for you. I understand you were part of some big migrations back in the day. What did you learn about doing those, quote unquote, right? It was really lucky to be with Capital One 2015, 2016, sometime when they were deciding to be the first big bank to move everything 100% into the cloud. So famously cloud forward. Yeah, very cloud forward. Yeah. So how did that go? It was a lot of sleepless nights, a lot of work, but it was really interesting. It was great to be part of that team to really learn how cloud can mitigate, how to move quickly, how to combine the teams. I think one of the things that I found to be the right way of doing things was they took a very strong two in the box approach, really kind of a three in the box approach. And what they mean by that is for those teams to move forward, the development team would have one lead that was the business lead and say, hey, this is what the customers want. This is what the industry and market trends are looking at. And then there would be a tech lead say, okay, this is what the teams can develop and how long it's going to take. And then I kind of squeezed my way in there to become that three in the box, the security perspective to listen, okay, this is what the business wants. This is what tech can provide. And here's the risk and the risk we need to mitigate. And to have that conversation was invaluable because you got it from every angle. You didn't just hear what IT said that I can only do so much and why is the business wanting that? You got to hear it from the business exactly what they wanted, how they wanted to do things and why too, and why this was important for the business. That makes a ton of sense. So what were maybe some, for people in a similar boat in the future, how did you get effective at communicating the risk to people? How did you help business understand that? How did you help IT understand that? What was it? The saying that they say, fools talk, cowards stay silent, wise people listen. And that was really kind of key for me on that one was at first listening to the business, understanding their pains, understanding what they were challenged with. This really helped me to assess my risk and also come up with mitigation plans that would work for the business. Again, same approach with IT is understanding, okay, what are their pains? Where are they coming from? And this way I can come up with what the plans should look like with considerations for everybody across the board. Okay, so... Wait, wait, wait. Sorry, Tim. I am kind of curious about it, but I'm nervous that we are kind of reducing all this to effective communication only. Is this... Sorry, this doesn't sound very right. But the point is that effective communication clearly had a huge role, but there are other pillars for success because a huge migration of the first half of bank to the cloud had other tricky elements, right? Yes. So that was another one. What we had was a very strong partnership with our cloud partners at the time. They had been sitting and working with, especially since there were no frameworks, there was no really references. I remember even the regulators at the time were sitting, okay, that's great. You guys are doing that. Can we just sit and listen to see what you guys are doing so we can kind of spread this out with the rest of the banks and standards out there? I think the key partnerships with your vendor, your cloud vendor specifically, was invaluable, providing advice and having that back and forth feeds. I remember working with one particular tool. We said, hey, this encryption standard is not really up to snuff. Could you guys work on that and develop something? And sure enough, I think within two or three dev cycles, they had something that was what we needed. To this day, I find that to be an ideal approach, working with my cloud vendors or just any vendors that I have. I appreciate those who will sit down, listen to me and hear my complaints and do the whole listening and coming up with an approach. I think almost all my security vendors I'm using, as well as the cloud vendors with you guys, have that type of approach. Okay. That does sound like real magic for a lot of more technically minded leaders I've met. So this is solid. This advice is worth the price of podcast alone in my mind. So to sort of progress further, like you mentioned that you learned those lessons quite some time ago and many companies are still learning them even now. And for some of them, cloud is with the future, funny enough. So now that you've went through all this and other lessons, how are you approaching securing cloud differently given the lessons? Like what are you doing better in 2023 regarding securing cloud compared to the original lessons? For me personally, it's a little bit different. Talking to some of my peers who still haven't made that jump, they seem to have that lack of trust of having their data set somewhere not on a server that they're under control over at some point and at their own personalized data center that they have, their own physical security, own the HVAC systems and all other type of stuff. They want to have that data. Okay. That's an approach. It's going to be tough to scale over time. I think one of the things that I found to be very successful here that's helped is reading a lot, a lot of reading, a lot of talking to other peers in the industries and a lot of vendors going to these discussions to stay on top of what the recent threat is and what the other trends are and what the solutions are out there. I think that's key. We're a community and that has to be pushed forward if that makes any sense to continue to talk to folks. I think sitting in your own little silo is not going to work very well. Well, I don't think I know. Yeah. I forget who it was on the show, but they said that security is a team sport. Yeah, absolutely. So I guess on that thread, actually, I want to pull on this a little more. I often joke with CISOs on the show that what they need is not another piece of technology, but rather a family therapist to help their relationships with other teams. What advice would you give to other CISOs, security leaders on first building better relationships with other teams, and two, how to get out of the saying no mentality and into that real collaborative listening mode? Yeah, that saying no mentality. I've talked to some CISOs like that who said, yeah, I'm looking to hire and I need people to join my team because I need them to get out there and say no as much as humanly possible. No, people don't actually say that? Explicitly said that? Oh, wow. Yeah. I just remember I stopped and I looked at him and I said, how are you doing, man? Are you doing okay? Wow. I can imagine his life was pretty miserable. Maybe if you're working on a highly top secret government project where you got to hide the alien bodies, maybe. That's a good example. Yikes. Yeah. I think a family therapist is a great way to do that, to work with their teams, but I think really at the end of the day, it's not that hard. Everyone wants to do a good job when they come to work, hopefully, and everyone wants to get along with their work base. I think the thing is just the key is to be available for them if they have questions. Try to initiate those conversations and also learn when to back off. Everyone's busy. They have a lot of their own success metrics they have to shoot for, so if you can be part of that formula, great on a day-to-day basis, but if they're a little too busy for you to come back at a better time, pizza and beer is always a good way to go as well, but I think it's just trying to be as value-add as possible at all times and be understanding that everyone's trying to get their jobs done as well. I think that's key. That's good advice not just for security leaders, but for PMs as well. One of my favorite pieces of advice for PMs I ever heard was framed as bring the donuts, and I think security is kind of this way too. With PMs, nobody invited you, and they can get along just fine without you for the most part, so you've got to really understand where they're coming from and what value you're bringing to the equation if you want people to work with you constructively. Yeah, it's knowing your role. Security can be a value-add and can be positive for the business, but a majority of the time we're kind of a cost to that business, a necessary cost and maybe, hopefully, a helpful business benefiting cost, but at a cost, nonetheless, people aren't usually going to go to the company for how secure it is, especially on the West Coast. It's about how much money or how handy their product is first. Security is kind of a second thought, but we can definitely work together on that. I have heard some pretty inspiring stories on this show and in my professional life of how security helps teams move faster by taking, say, risk out of the equation or automating away some risk, and so I think maybe in cloud, due to its nature, there's unique opportunities for security teams to be helpful there. Oh, yeah, absolutely. Usually, if you're already moving into the cloud, you're kind of taking a fresh start, and that's where you can really do the security by design. I get it. If you're on mainframes and you've been around for 30 years and now you're the new security person, it's really to go back and difficult to do security by design from the start, right? You're kind of retroactively trying to find fits here or there. But starting fresh into the cloud, it's like, okay, we could do this by design. AppLovin's been great about kind of doing that with protecting their data by saying, hey, I don't need a lot of sensitive data. We're going to try to use our own attribution formats and other types of formulas to grow our customers' business without taking on a lot of that sensitive information. So that helps reduce the risk, again, secure by design. So this is good, especially excellent. Okay, Tim, you can make fun of me for saying excellent, but this is excellent. However, excellence hasn't spread uniformly, right? And you do see people who are still in the saying no mentality. And regarding architecture, we do see a lot of people still stuck essentially in the 90s regarding architecture. They want to lift and shift, or they're even debating whether this new cloud thing is for them. So given your experience, what's your best advice for the leaders of these organizations where either the CISO is blocking cloud or maybe even CIO doesn't want it? So basically, they are not getting any of the benefits. And when they start doing cloud, they do it in a very on-premise way, the lift and shift way. Yeah, that's a tough one, because you're really trying to tell somebody to change their entire point of view. Yes, that's exactly right. Yeah, you need to have that aha moment, travel to Damascus moment for them. And I don't think I could give them individual advice to have that aha moment other than travel the world, talk to folks and, you know, experience and see what else is out there. I know for AppLovin, when we jumped over 100% into the cloud, our business just naturally spiked because of the efficiencies, how quickly automating compute usage was with that intelligence to go up and down for what our demands were. That's amazing. And, you know, again, that's a strong partnership with Google on that, having just an incredible team that really kind of jumped to everything that we needed, which was fantastic. Not easy to find in the industries all over the world. So that was really helpful. But I think they need to talk to people who have those success stories and just to see what it is. I think at the end of the day, if those folks would talk to the business more and to see what the business needs, they'll kind of start to see, yeah, that it makes sense. That's where we need to kind of move towards. But that has to be that personality of I got to get out of my silo. I got to talk to people out of my comfort zone, because you may not be a business person. You could be a genius infosec person. But if you don't get the business and have that background, it's going to be difficult to travel far. Yeah, that's for sure, Drew. It reminds me of that saying, if you want to go fast, go alone, if you want to go far, go together. You really can't go far in security unless you can bring other people on board. And that's one of the things we've talked about on another show, I think, a CISO episode, talking about the challenge of developing people who've excelled for their technical skills as they rise in their career to then excel on non-technical skills. What advice do you have for those people to make that leap from I'm great because I can understand X.509 to I'm great because I can convince the person down the hall that our interests actually are aligned? Yeah, that's a great point. So even on my own team right now, I have people who are very smart, very technically have done some great things, and they want to get to that next level. So for me, to that level, to try to help coach them along those lines, I recommend understanding all the different domains and then having a very strong relationship with the business and spend time with them. I think peer mentorships and things like that to do exchange programs within the company are also very important to understand how the business works and just spending time with them. I think that's, I guess, it's almost like what a social CISO type of thing. It's just very social, and it's really about getting outside of your shell and understanding everyone else's pains and what their goals are to win for their game. That's really kind of at the end of the day, yes, technical, that's good. You need that, absolutely. But it's all about people, processes, and tools. It's a three-legged chair, right? So people are so key, and I think I find a lot of the really, really smart infosec folks tend to focus on the tools, and everyone ignores processes, right? No one wants to document anything, but that's also very important too. So those are the kind of key aspects. But this sounds like hard work. It can be, but it's really depending on your personality types. But it's really not too hard. There's a lot of great classes out there to kind of coach yourself through, and just the ways of thinking about stuff, which is good. I read this great book called Superforecasting, which was, Phil Tetlock wrote this, and it was really about a way of how to think of things differently. You don't have to be highly educated. There's these experiments that are to use folks to become, quote, unquote, superforecasters. Some of the best performers, one of them was a housewife who just had a high school education, but because once she learned how to use the little levers and stuff to do the math on this, it became about how did she see things and how she thought about things. And it was about, okay, most people would see an event and automatically change their opinion about something broadly. For her, it was about, okay, that changes my opinion a little bit towards this direction. And then she would gather more and more data, and each time it would move the dial to the left or to the right. And eventually, she was able to call out, yeah, in six months, this is going to happen. And she was right. I think it was close to 87% of the time. People like that had that kind of approach is really helpful. And I think, again, that kind of breaks down from what we were talking about today is about seeing the trends and kind of seeing the forest of the trees and then looking at every piece of information. And they'll just stick to one piece of information, which might be legitimate, but have that kind of shade your whole approach. You got to see all sorts of factors to kind of come in and see at the end of the day. And I think if you do that, you're going to see that cloud's going to be, for most cases, not all. Again, if you're hiding UFO bodies, okay, maybe not. We'll see that it's an advantage. Well, Jeremiah, I hate to do this on such a note, but I have to ask you our traditional closing questions. Sure. First, do you have a tip to help people improve their security when migrating to cloud? And two, aside from super forecasting, which sounds great, do you have recommended reading for our listeners? Yes. Super forecasting was a great one. I read another great one recently called American generalship. I'm just about finishing it up right now. It's pretty good. It's ideal of how to become a stronger leader and a stronger follower at the same time too. This kind of helps you coach of, okay, this is how I can mentor somebody. And this is also how to be a good mentee at the end of the day. It also has a lot of really great military stories in the background on that too. So fun stuff there if you're a fan of the military. And I'm sorry, what was the other question? One tip, one easy to follow tip for people. Yeah. I'd say try to make a new friend inside the business. At least once a month, have these one-on-ones and have a cup of coffee. I think it goes a long way. I remember getting on an airplane ride home from one of these other team events, talking to sat down two folks that I don't normally work with and got to spend five hours instead of watching a stupid movie, sitting there and talking about their business and what they're seeing, talks of AI and how they're using co-pilot and chat GPT and all that other type of stuff. It was really fascinating to hear their point of view of what they saw from a line of business that I didn't normally do a lot of work in. That's a fascinating answer and fits with the theme of the episode, which I think might be listeners, go make some new friends. So with that, Jeremiah, thank you so much for joining us today. Thanks guys. Really appreciate it. And now we are at time. Thank you very much for listening and of course for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify or wherever else you get your podcasts. Also, you can find us at our website cloud.withgoogle.com slash cloud security slash podcast. Please subscribe so that you don't miss episodes. You can follow us on Twitter, twitter.com slash cloud sec podcast. Your hosts are also on Twitter at Anton underscore Jovian and underscore Tim Pico. Tweet at us, email us, argue with us. And if you like or hate what we hear, we can invite you to the next episode. See you on the next cloud security podcast episode. Bye.
Cloud Security Podcast by Google
A highlight from EP140 System Hardening at Google Scale: New Challenges, New Solutions
"Hi there, welcome to Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here are myself, Timothy Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and Anton Chevakin, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website cloud .google .com slash podcasts. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit that subscribe button. You can follow the show, argue with us and the rest of the Cloud Security Podcast listeners on LinkedIn. Anton, we are talking about what I think is one of the greatest investments teams can make today, which is preventing issues in the first place. Talk about hardening, which is great. Yes, but it's also, some people would say that this is a take from 2002 and now everybody needs a system that has AI and like big data and scale and good UX and not hardening. And to me, this is a fight that would go on because I feel like you're right, yet this take has become unpopular over the years. And this is, I'm not, what do we do with it? Well, I mean, I've never been afraid of being unpopular. If I was afraid of that, I wouldn't get out of bed in the morning. I think what's interesting here maybe about our guest is he's been doing it for a very long time at Google scale and his metric, his first metric he cited for whether he knows his team is doing a good job or not, I bet our listeners will not guess what it is. And so with that tease of something that doesn't come until 15 minutes into the episode, let's turn things over to today's guest. I'm delighted to introduce today's guest. Today we are joined by Andrew Huang, senior security engineering manager at Google. Andrew, I'm really excited about talking about hardening today because I spend so much time doing threat detection. It's like I'm where hardening has fallen short and I really think most orgs are probably better served by hardening than trying to catch the bad guys after they're already in. So maybe I want to start with a bit of a step backwards in time and ask, you know, when we think about hardening systems at scale today, hardening cloud systems at scale, what's different and what should people who are leading programs hardening clouds keep in mind that's different today than what they know for say the past 20 years? Yeah, great. Thank you. So if we go back 20 years ago, the early 2000s, that was really the rise of the computer worms. You know, we saw first email worms. We had I love you, Melissa virus. Then we saw sort of direct machine to machine worms, Code Red, Nimda, and then we were really hit by SQL slammer and blaster and so on. But these worms had in common is that they were definitely operationally disruptive. They were occasionally mildly destructive, but they were not anywhere near sort of the capacity or the abilities of the viruses we see today. But what they really did was raise the awareness that, hey, we need to invest in basic hardening or our systems are going to get taken down time and again. We have to have good perimeter controls and protection. We have to invest in vulnerability management and patching. We have to do isolation between different workloads so that we don't see lateral movements. So this was really the starting point of sort of hardening industry. We invested in firewalls. We invested in intrusion detection systems, patch management, as I said, and that was really good groundwork. It was effective against these types of sort of broad worms and the things that we were seeing at the time. But year over year, there's been a steady increase in the sophistication of the attacks we have to defend against. And there's been an increase in the impact of those attacks as the attackers have gotten deeper access to our systems and the data that is really important to our businesses and all of the people who depend on us. And so we have to take that into account and continue to modernize our approach to security. Today the threat landscape is complex and the role of the security defender is critical for businesses of all sizes. At the same time, the amount of technology choice we have is ever expanding, and this is creating a number of new attack surfaces that we all have to understand and stay on top of. Cloud, of course, has brought a whole new dimension to this in terms of our understanding of identity and perimeter and the key areas that those are integrated into our business. So one of the ways that I think we all need to stay ahead is we really need to hold to our software vendors, our platform providers, and others, and across our technology supply chain to take a shared fate model with us, where we're really working together to build systems that are securable, but also secure, secure by default, secure in operation. And so that's sort of one of the key takeaways that I'd have is as a community of defenders, we need to work together to make our systems secure. What you just said, shared fate. That's clearly super different, right? There wasn't even cloud 20 years ago, really. So how does maybe, aside from the shared fate and the fact that there's this different relationship between say a cloud vendor versus a I sold you some servers and now you put them in your own rack, how does that change the picture for hardening as well? It starts from let's make sure that we're not having products that come out of the box and have default ways that an attacker could get into them, like having hardened systems that we rely on, whether that is from a software vendor or from a cloud provider is really key. The next is making sure that we are training our people on how to use the systems in a way that is secure. So when we have examples from vendors or examples from partners, that those examples take the security best practices into account and aren't asking people to do things that are short, that are a little easier, but take shortcuts that leave them vulnerable. And then last is where we have a shared platform investing in the security of that platform so it keeps all customers safe. And we don't have to, like there's never going to be as many security engineers as the industry needs that we need to really scale out our approach to security. I think the scale out part is I wanted to kind of drill into a little bit because I vaguely recall the time when kind of the previous era of people being obsessed about hardening of course, when there was a question about sure, you can give me a bunch of config advice and a bunch of things and I can apply it to a server. But once I have to apply them to 5000 servers, suddenly a lot of things change. Nowadays we're not talking about 5000 servers, we may be talking about the millions or if you talk about cloud instances, probably even larger numbers. So what is the magic in scaling the hardening? Because ultimately I still have this possibly misguided view that hardening is easy, scaling it is hard.
Cloud Security Podcast by Google
A highlight from EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations
"Hi there, welcome to the Cloud Security Podcast by Google. Thanks for joining us today. Your host here, actually recorded in person today, are myself, Tim Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and sitting next to me, unusually, Anton Juvakin, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website, cloud .google .com slash podcast. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit the subscribe button in your podcasting app of choice. You can follow the show and argue with us and the rest of the Cloud Security Podcast listeners on LinkedIn. Anton, this is a fun episode because we have a former manager of mine, the head of Chronicle, a great guy from New Jersey, and worst of all, a Mets fan, join us for a really interesting conversation about Sim and Chronicle and EDR somehow. What did you think? I thought this was great. It felt like we did briefly hover over a precipice of discussing XDR. We did. In fact, we started there. We leapt off into space to start the episode. Yes. So I think I felt like we had this moment when the whole conversation could have fallen into the chasm of, oh, no, XDR, no, no, no, not again. But ended up, we ended up in a very useful place. Moreover, I would say that Chris, oh, I did say the guest name, but again, that's fine. Yes. That's good. I extracted some of the useful lessons that led him to the XDR discussion. So it's kind of interesting that XDR was mentioned in a very positive context. Yes. I think the other maybe most interesting tidbit in this episode listeners to listen for is the conversation around process versus tooling and where Chris sees the role of vendors in that equation. And so maybe with that teaser on what I thought was a shockingly interesting insight from Chris, let's turn things over to today's guest. Today we're joined by Chris Cord, senior director here at Google Cloud. Chris, it's been a wild time for you and me working at Google together. I'm delighted to finally have you on the show after countless jibes about the show. It's fantastic. It's hard first to believe that you're here, but harder still to believe we haven't done a proper Chronicle episode yet. So here we are to do a Chronicle episode. I want to start off with an easy question. Chronicle's not XDR, right? So what is it? Right. Yeah. The great XDR debate. I mean, we started this when I first started and Anton has definitely been a good foe in the debate. You did say good, right? You did say good, right? But listen, he said foe, not foiled. There's degrees here. Exactly. Anton has never been on the same side that I've been on. Yeah. I mean, look, I've always stated that XDR to me is a use case. I don't believe that XDR is some magical category where it's going to redefine the way we're doing security operations or anything to that degree. But I do think it's reflective of people's desire to want to have their SIM platforms do more than just log collection. Sure. Right? So in my point of view, the industry evolved to be just a log collection platform. Everything else was do it yourself. You had to build all of these dashboards and your own rules on top of it. And I think the gravity that people have at least started with XDR, and it seems to have teared off now, kind of began with this notion of, can you just give me more value in this thing I'm spending so much money on? It should provide me with more actual security value, outcome -oriented value. Is that what Chronicle is then? That's what Chronicle does. Our primarily strategy is about delivering quality outcomes through detection and response, built into a scalable data platform. And I think to me XDR is a use case that Chronicle can deliver, but ultimately we're fighting against the SIM vendors on a regular basis. So it's a SIM that delivers security outcomes that produce value because it's smarter than the other SIMs. Absolutely. Okay. Easy. So that was an easy question, right? Yeah. And so I guess the second one is kind of in the same ballpark, rightly. Roughly Tim occasionally makes fun of me for only using faint praise, like, yeah, I guess it's pretty good. That's actually an okay idea. That's one of his favorite things to say. That's actually an okay idea. Yes. I've said this several times on air. But ultimately I loved Chronicle so much that I left the safety of Gartner and joined it in 2019, right? So in that sense, and I think I've posted a very like excited awesome plus blog about like, oh my God, my dream has come true. I'm at Chronicle. So, so this was 2019, this is 2023. So since you joined the team, what is your, oh my God, it's such a happy place. It's the proudest thing I've done. Like what are you the most proud of shipping? Yeah. I mean like putting aside the love fist, you're okay with it. I was going to say, aside from shipping me out of his org chart, what are you most proud of shipping me? Right. Right. But putting aside like the acquisition stuff, which we'll touch on, you know, maybe later in this conversation, I think from a pure Chronicle feature perspective, you know, I joined the team in 2021, like mid 2021. And, you know, I had this firm vision, like I talked about just now of like Sims needed to do more than just simple blog collection and aggregation and dashboarding. And so we shipped a curated detection feature in early 2022, I think Q2 2022, which basically provided out of the box detections out of the box analytics and things that were curated and managed by our own Google cloud threat Intel team. And like, I, to me, that was a seminal moment for the product. Like it moved it from really being this like data platform that was just doing log collection and doing it well because we were very scalable, but really kind of started to deliver on this vision of having an outcome oriented tool. And we've been able to build on it ever since like, and so I was super proud that we were able to get that out the door when we did. I think that was a great launch and I really liked the degree to which it made you more opinionated about the data you were ingesting. But to add to this, funny enough, and this was like a case where I think we've pretty virtually argued a little bit because when we started doing curated detections, at least on the market inside, the perception was, wait a second, everything had canned detections and every SIM going back to 1998 would say, here, customer, here's a rule, bye. They're not really curated. They're kind of canned rules and customers developed a bit of a disdainful attitude about canned rules. Do they work? Do they not work? But curated detections in our case, we stand behind them. We give them to a customer and we almost, I think of them in my mind and that's when I flipped the switch towards loving them is that they're sort of guaranteed. They're sort of like, we say, do these work? If they don't work slightly, here's how to make them work. So unlike other teams having canned detections that are kind of more like samples or like, here, you tried, but the results outcomes are in your hands. In our case, we shipped something that we stand behind. Curated means they're going to work. You hit the nail on the head. That's the magic. That is legit magic. Most other SIMs, they're delivering a set of safe searches basically that they're giving you as templates and then you have to operate over those templates and they're not actually managing the effectiveness of those detections over the course of their lifecycle. That's the big difference for us is the fact that these things are managed from an effectiveness perspective. Again, the analogy I always like to use is how the EDR market evolved and how it went from being this forensic platform where you had to do a bunch of stuff yourself and then you had to maybe grab a bunch of saved queries from the vendor to being in this place that had a lot of out -of -the -box value, like detection value, and they actually kept tuning that over time with additional cloud oversight and managed defense oversight and IR engagements and that just made those detections that much better. That's the kind of experience that we have in Chronicle, which is, I agree with you, very game -changing over traditional SIMs. What I love about that story there is, listeners, I was a political science major and the story of how it became a PM we'll talk about on the AMA episode, but what I love about that is it presents an asymmetry where Chronicle gets better at detecting bad guys across its whole pool of users and then every user benefits from that. It's unlike a traditional SIM because you keep learning and getting better. I want to shift gears and speaking about catching bad guys, you were part of Google's second largest acquisition in history. How does it feel, first of all, to be number two to an acquisition that I would bet, one pure bonus most listeners couldn't name, and then now that we're a year into it, what's been a happy surprise about all of it and what are you looking forward to still with it? What is the biggest one? There's Motorola. Oh, yeah. It was when we purchased Motorola. Got it. That was actually more than twice the size of what you purchased. I think Mandarin is the happiest story, though. It's already very clear. It's very clear at this point. I don't think there's anything wrong with the Motorola acquisition. I just think it might have been forgotten in the sands of time. Well, that's a good tidbit. I didn't even think of that one. Because you're 5X bigger than YouTube by purchase size. Exactly. Yeah, and for 5X more important, clearly. I think, to me, it shows a lot of commitment in the space. As a security practitioner joining Google, when I did, there was obviously a lot of momentum and a lot of desire to get more serious about security, but it was still a very nascent business in 2021 when I joined and, in some ways, still very nascent business now in terms of its profile in the industry. But the desire for our organization to get serious about it was real. I felt it at the time that I joined, and I think the opportunity when Mandarin came along as an acquisition opportunity, that the fact that we were able to jump on it and we had so much support going up through the leadership chain was pretty shocking to me. So I think it was a great signal that we're serious about security and that we'll continue to be serious about security and that we're willing to invest in it pretty aggressively. We also got some decent products with it as well. Apart from, obviously, the world -class IR services, we got some decent products. My personal opinion is the reputational bump that we got immediately out of the gate has been game -changing. There's been so many different opportunities that we're in now with Chronicle, maybe not even with Mandiant standalone products, but with Chronicle. But we're in those opportunities specifically because of the Mandiant acquisition. Because number one, people say, oh, Google's serious about this. Number two, they have a higher degree of trust that all those detection capabilities that we just talked about are going to be way higher fidelity because now you're pulling in all of that advanced Intel and IR engagements that Mandiant is doing, and you're feeding those into the product to create value. And then they just have great relationships with CISOs. And so I think when you combine all of those things, it's created a huge amount of momentum for us in the business. And I think the products themselves, while we're in the process of integrating a lot of those in different parts of the portfolio, they do give us a lot of interesting functionality that we wouldn't have had otherwise. In fact, even merging ASM into the SOC, into the detection response function, to me is kind of interesting because it makes SOC look kind of to the left from the incident. To me, this is kind of, I mean, from all the Mandiant products, I felt like ASM, bringing ASM into the SOC vision is kind of a strong argument that we are unique. I mean, we're not like pretty unique. We aren't that unique by doing it. I agree. I agree. I think like, you know, we're referring to that as the addition of contexts, right? And so the more context you can bring into a log event, the better off you are. And making decisions and being proactive in terms of how you determine risk and not only ASM, but also security validation with Mandiant helps bring in and introduce that context, which I agree is a very unique point of view. So to sort of briefly go on a short tangent here, of course you are a senior product leader, but some people would say that security operations success at a company connects to how mature their processes are and of course what products they use. So what's your take on kind of the balance of tools versus practices at the company if I'm building a DNR team or SOC. Or refactoring. Or refactoring one. That's right. Right. Right. That's a good point. How should I think about buying the absolute best products, but keeping the mature practices or boosting the practices, but maybe keeping the products? Like what's the best route here? Don't say both. Both is the right answer though. Well, don't tell him what the right answer is. Chris, what's your answer? You're right. I might be a little biased, but I think that the emphasis on people needing to solve problems themselves through practices is a manifestation of our inability of delivering the right level of value in SIEM in particular or security operations. Hang on. Say that again. Say what you just said. The overemphasis that we're placing on like, hey, improve your overall security processes, include your manual kind of playbooks for how you handle certain types of events or incidents. All those types of things that we overemphasize is only there because SIEM products have not delivered on the type of value that they should be creating. So they are covering holes in broken products by trying to polish practice. This is actually - It's a good answer. Kind of profound. It's better than your answer. It's not profound. It's actually kind of profound. See, that's the Slavic phrase right there. That's what we were talking about. But that's a great answer and way better than I thought. I like that a lot. And so my point of view is like, look, our promise as vendors needs to be to make the products better so that people are better at doing their job. And again, I think, not to keep using this analogy, but Endpoint did that super well. I don't think anyone would have said like, hey, once you had just data collection and Endpoint, job done because everything else is process oriented. But instead, the ball had to keep moving forward in terms of making sure that we're stopping bad guys consistently, making sure that we're doing that with higher degrees of fidelity and expertise and capability and accuracy and all those types of things kept moving that market forward. And to me, we're on the early stages of SIEM doing the same thing. So SIEM is going to go through the same transformation and reputation that we had of AV, dirty disgusting product to EDR, cool useful product. We'll have that for SIEM. I think even beyond just AB to EDR, but AB to EDR to like what I would refer to as the Endpoint protection suite or platform. Like that iteration is the way SIEM is moving, right? So I think it's going from this kind of like checkbox compliance thing to, okay, collecting a bunch of forensic data. And then now I think hopefully to this outcome oriented security focused platform. So to me that the logic is that you would want, it's not like you want to make SIEM look like AV, but you want to focus on kind of like outcomes that you get right after you deploy the product. Not deploy the product and then start your journey that takes you through 14 months of hard work to a value, but you want something that you deploy the product and you see the outcomes soon without doing any hard labor. That's the short version of that. You should be able to get value immediately. Like as soon as I start ingesting event data, especially event data from high fidelity sources, immediately I should start getting some understanding. Is there anything indicative of an active breach? Is there any behavior that's going on that I should be aware of or alerted of that might be, you know, attacker driven behavior like these kind of things should be out of the box value. And it shouldn't require hiring a team of ex NSA guys to make it work. Absolutely. It should be easy process, not crazy process. Because if it does require a team of people from the NSA, then like zero chance that most organizations are going to be able to do it. Right. The fortune five will win and everybody else will suffer. That's not a good outcome for anyone. But for a lot of SIEM products, they're still stuck in the old mentality where they give you the tool and they give you some sample content and ultimately people and then give you some good luck, you know, charms to succeed. And even large, highly visible SIEM competitors are doing that. So in essence, we are doing something different, but many of the customers seem to be stuck in the, Oh, SIEM, yeah, I got to write my own rules because canned rules are probably bad. There's a lot of work. I can't handle it. How are we changing the minds? Like if somebody is trained on certain logs or changing that wants to be a SIEM or some other products, how are we changing their minds? How are we making them actually, if you get Chronicle, you're going to get results and you wouldn't have to suffer for 12 months or for 14 months to get the results. So what is the secret to change in their minds, if it makes sense? It's probably a little too philosophical, but I think it's a good question. I wanted to ask you slightly differently, which is how do you convince people they don't need to port over and invest in porting over 18 years worth of rules written in another language? To be honest, like this is the hardest part. Like if you're going to look at tactically when we are in the middle of trying to switch out incumbent vendors, the hardest part is convincing them that maybe a one for one, like for like type comparison is not necessarily what they should be doing. And then after even we've convinced them to switch, trying not to just simply port over all the old stuff. You know, I used to work in a virtual firewall business and like there was a joke where like no one ever wanted to touch a firewall rule that was in there because it's like a game of Jenga and no one ever wanted to pull anything out because you're concerned that whole thing is going to topple over. That's kind of the way people feel like they're sim rules. They may have a thousand of them, 2000 of them. They have no idea if they're valuable, but they refuse to want to touch them because if they try to cut them down at all, they're concerned they'll miss something. And so it is extremely hard to get them to just say, let's use this opportunity to slim down the rule set. The whole vendor is trying to do analytics of that, funny enough. Like there's a whole little segment of a market when people deploy tech to kind of like go through sim rules and see if they're good, which is amazing, right? People will pay money for it to actually have the tool do that. Sounds like somebody's buying a dowsing rod to me. That doesn't sound easy. No, it's based on real quote unquote machine learning. Okay. Okay. So back to dowsing rods. This is one area where I actually think Mandiant helps a lot, right? So Mandiant has a product called security validation that can be run like in a managed version or can be run in a product driven version. But that product does help people go through breach and attack simulations with real world examples of like, look, these are 10 or 12 different attack vectors. These are different types of threat actors. These are campaigns and you can run those simulations against your environment. You can see in my tools catching them are my sim tools like alerting on me or detecting these kind of events. And so we're, the plan right now is for us to use a lot of that breach and attack simulation to showcase, okay, if you care about these parts of the MITRE ATT &CK matrix, then we'll be able to validate that the rules that we have in place with Chronicle are able to catch them. That's really cool. So that product effectively turns somebody's organization in its current state into a bit of a cyber test range for their own stuff. That's a fancy way of saying it, but like that was the old VeriDIN stack that Mandiant acquired. So I remember it from the Gartner days and it's kind of impressive in terms of what they would simulate and how deep they would integrate to the detection stack. So it's genuinely cool and it genuinely delivers that type of insight about are your detections any good or are you only pretending you're collecting and then pretending you're detecting. And then we want to keep using that over time. This goes into the context thing, like not only you want to do that at a point in time, but if we can continuously validate and then let's say we see that, okay, this portion of your environment is susceptible to ransomware or some other attack vector, we can adjust the alerting risk score associated with those events or we can highlight certain areas because the events should matter more because we know that you're susceptible to an attack. So that's kind of the context part, which Peter pointed out before, I think are things that only we're doing really versus any other event. That's really interesting. I want to switch gears one more time before we get to our traditional closing questions. We have a lot of people listening to the show who are interested in careers in security, interested in careers in security PM. You've been doing PM for security products for a long time, not to call you old. You've been called worse things by fancier people than me lately. What advice do you have for people who are thinking about security PM as a path? Well, yeah, I mean, I think security is one of those tough areas to break in from a product perspective, mostly because the domain knowledge is not super relevant to a lot of folks, meaning that it's, you know, you can put yourself in the shoes of a, of a user of a product that's very open and visible in many cases. I can imagine using the Uber app, like if you want to be, you know, a PM in maps or a PM in Gmail, it's like in that context, you're at least a user on a regular basis and it's much easier for to put your mind into it. I think security is harder, right? Because it's even a step removed from traditional it. And most people don't have that necessarily that depth of knowledge to be able to be a domain expert. Personally, I think a lot of people can get a ton of value at being tier one analysts right out of the gate. Right. And so there are so many organizations that I know that are looking for younger talent, people coming into organizations to act as tier one analysts and the amount of information that you can gather about the domain and about the problem is huge. You know, for people that are still in school, like there's a number of schools that are now focused on cybersecurity programs in school, like Carnegie Mellon has been kind of the forefront of having a cyber shop or a cyber program in school. Then absent of that, like sometimes people can just basically switch domains and just spend the time and focus and energy on learning some of the individuality of security, but just bring really good PM discipline to the, to the equation. Like I think one thing that security in general hasn't done well is we haven't been really good at actually building products with simplicity, right? And so like, under statement of the episode, other disciplines are good at that. And so if you can bring that kind of discipline into security, even as a relative novice in the domain, you might actually be better off. We might bring some beginners versus someone who's done it for years. Usually at the very end of the episode, we ask two questions. Any give the audience one tip in this case on improving security operations would assume and give us some recommended reading. And of course it's fine to say Chronicle website or whatever else. And it's not okay to say Anton's blog. And please don't say, but don't say anything about New York Mets because that's too depressing right now. Yeah. That's way too depressing. Yeah. I recommended reading. I mean like, you know, I think there's a number of SIM books out there, right? Like if you really wanted to go deeper into how SIMs operate, like I think there's one called the infosec playbook, right? Which kind of walks you through how you operate and manage a SIM or our SOC, sorry. And kind of build a security operations playbook. Yeah. There's a number of really good books about malware in general. Like I think I forget the root kid book, but it's like the root kid Bible or something like that that I read early on in my career, which is another good one. Listeners just so you know, nothing from Chris's early career is still technologically relevant. Exactly. Yeah. So that might be that. That might be that. Yeah. I think like any type of those kind of protect practitioner level books that you can read about, like how people operate in the SOC would be great starting points. And then one tip to improve security operations outcomes, maybe. In general, like as a user? Yeah. As somebody operationally responsible. Or as a director. Or as a CISO. Whatever. Yeah. I mean, whatever you're feeling. I think in most cases, people don't put enough emphasis on trying to build proactive controls in the right spots. And so like, this is an area where laziness is somewhat taken over to a certain degree. And we know that there's good best practices out there around zero trust around, you know, locking down policies and procedures more so than what we have done. And we've just been too lazy to deliver that. And so we default into a, you know, operational detection and response mode versus trying to be more proactive in terms of how we control things. And so I would say that lean in a little bit more into having the right protective controls in place from the ground up. Well, Chris, I think that's a surprisingly left -leaning answer for somebody who builds a SIM product. I really like that it was not a self -serving answer. So Chris, thank you so much for joining us today. It's my pleasure. Thank you both. And now we are at time. Thank you very much for listening, and of course for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify, or wherever else you get your podcasts. Also, you can find us at our website cloud .withgoogle .com slash cloud security slash podcast. Please subscribe so that you don't miss episodes. You can follow us on Twitter, twitter .com slash cloud sec podcast. Your hosts are also on Twitter at Anton underscore Chiwaki and N underscore Tim Pico. Tweet at us, email us, argue with us. And if you like or hate what we hear, we can invite you to the next episode. See you on the next cloud security podcast episode. Bye.
Cloud Security Podcast by Google
A highlight from EP138 Terraform for Security Teams: How to Use IaC to Secure the Cloud
"Hi there, welcome to the Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here are myself, Timothy Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and Anton Chuvakin, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website, cloud .google .com slash podcasts. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit that subscribe button in your podcasting app of choice. You can follow the show, argue with us, and the rest of the Cloud Security Podcast listeners all on our LinkedIn page. Anton, this is a fun one because not only is the video available on YouTube, I thought it was the perfect distillation of everything people wanted to know about Terraform but were afraid to ask. Yes, but it's also a really good episode from the point of view of interaction of IT automation and security automation because maybe it's my ex -Gartner fear is that when I used to write about things like SOAR and other type of security automation approaches, I kind of realized there was this whole other world of IT automation, but neither myself nor many of the clients actually cared at all about this. How could that be? Well, that's the thing because it's all very siloed at many companies. The security team wanted to automate, and they didn't even check what does Chef do, what does Puppet do, what does Terraform do, what does all this other stuff that IT built over the years that provides automation does. They said, we're going to buy a SOAR, and it's interesting what results it leads to. This sounds like another great example of one more tool syndrome versus sit down and talk to your neighbor's syndrome. Yes, I think so, too, and I think that it's our tool. We are the security people, and these other tools are not ours, so we don't care about them. I think it's also a silo mentality of sorts. Yeah, I wonder so much how I as a vendor can help people with that, but listeners, before Anton and I lament the common dysfunctions we see again and again in different themes like fractal dysfunction, let's turn things over to today's highly functional and not fractal guest. Everybody who's live with us today and everybody who's joining us later, welcome to the show. Thank you for joining us. Today, I'm delighted to introduce Rosemary Wong, developer advocate at HashiCorp. Rosemary, I'm delighted to have you here because this is a particularly, I think, cloudy episode on the Cloud Security Podcast, which sometimes we end up more security, sometimes more cloud. Today I think we will be a little more cloud. For our audience members who are new to cloud, could you give us the two -minute picture on actually what is Terraform and how does it plug into the security life cycle for cloud teams? Sure. So Terraform is an infrastructure as code tool, and it lets you build, change, and version infrastructure safely and efficiently. Infrastructure as code is overall a set of patterns and practices that borrow from software development space and allows you to apply it to your infrastructure. So some of the benefits that you get from doing infrastructure as code includes consolidating and standardizing all of the configuration of infrastructure. So from a security standpoint, it means that you can actually see what your infrastructure configuration is rather than guessing as to whatever has been deployed. It's a little bit easier to audit and secure any infrastructure changes that go into that configuration, and by extension it allows you to do static analysis of infrastructure configuration. So it means that you could possibly catch when someone's misconfigured a bucket or misconfigured a set of permissions somewhere before it makes it to your production environment. Overall though, I think the most important part of Terraform is that it's handling the provisioning as well as the configuration of cloud infrastructure. And it's not just cloud infrastructure. It can be any infrastructure API or API in general that you choose. So it doesn't have to be a cloud provider. It could also be a security tool. It could be a monitoring tool. It doesn't really matter as long as there's a plugin for it, you're able to configure it. So that's really cool. So let me ask you a strange question. So this is really good, and I think Tim got it really, and I got it and sort of knew it already. But how do you explain it to somebody who is used to like pre -cloud way of doing things? Because we discovered that in some cases, security teams are kind of still in the, okay, I keep saying in the nineties, but really in the pre -cloud era. So how would you explain Terraform to somebody who doesn't get the cloud native stuff? So I came from a network engineering space, so we're going to go with that. Thank you. Okay. That's for network engineers. Okay. So typically you would create a set of network commands and those would configure a network switch, for example. And so when you have all of these commands in place, well, you don't really know if the logic is correct or not. You copy and paste it and hope it's correct. And it does all of the changes in place on that network switch. What happens in the cloud, however, is that you have to be a little bit smarter about the order of operations in which things are configured. For example, if you wanted to create a server, you have to have a network first. And so what a lot of the logic behind Terraform is driving is what's the correct order of operations? How do we actually get a better sense of what's the current state of infrastructure and get to it? Rather than you as an operator or a systems administrator or security engineer trying to piecemeal and find the right logic to get to the end state that you want, you're allowing Terraform to help you get to the desired state, which means more predictable set of changes, a lot more stability in how you're making infrastructure changes as a whole. That makes a ton of sense. And plus the automation won't fat finger your config. So you take away a whole class of human driven errors here. Yes, exactly. So this isn't just like the change from using shovels to backhoes. This is the change from shovels to GPS guided millimeter precision backhoes. Very close. That's actually a pretty good analogy. Metahorse is so juicy today. We had a whole conversation a couple of weeks ago, listeners, about the difference between shovels and backhoes and gateways to hell. I don't think we're going to open gateways to hell here, right? That's not the goal? That's not the goal. But you could do it by accident, right? You know, no one's stopping you from doing it, you could Terraform apply and then open a gateway to hell. That's okay. Okay. So how would a security team or maybe our religious compliance team prevent somebody from opening gateways to hell? Are there ways to put like anti gateways to hell guardrails into Terraform? Like how does that work? So there are a couple of things within Terraform that can help you. But as a practices standpoint, you'll want to modularize your Terraform configuration, which means building in the best set of practices into some configuration that someone can self serve and use, right? So a lot of the Terraform you'll see out there and you'll end up using is something that's going to be captured in a module. And they'll have defaults. They'll have defaults for various purposes for function, but also for security. And it allows you to give someone the opportunity to build something securely out of the box. And so that's one way that you can make sure that your Terraform is secure and you're not accidentally doing some kind of misconfiguration. The other way that you can approach it is through a series of either preconditions, post conditions or testing security testing. This is where policy as code comes into play. But within Terraform, there's also these blocks called preconditions, post conditions. And what they'll do is they can test attributes before you plan to check some kind of configuration and after you apply a configuration as well. And so what that will do is it's a little mini test, right? That asserts whether or not this attribute is the way you expect it to be. And so some of these attributes may be, did you turn on encryption? Are you adding a security group rule that you shouldn't have added? Are these things the way that we expect it to be from a security standpoint? And then there's the policy as code side, which is a different kind of framework entirely, not within Terraform necessarily. Okay. So hang on, hang on. Let me make sure I understood this. There's a couple of things before we get to policy as code. There's like teams can modularize this. They can reuse modules that trusted developers then push down to distributed teams. That's one option. Two, you can do checks at like check -in time and three, you can build checks into the code itself. Exactly. Yep. Okay. So that's like normal software engineering best practices kind of applied to the world of engineering or infrastructure. What's the policy as code now? Cause that feels like we're bringing a whole nother can of worms. Even before we go to policy as code, let me ask another tangentially related question because I just realized that some of the tech like Terraform in this case, we sort of have two things using it securely and using it sort of for the benefits of deploying automating security. So it's kind of like, how do you not cause problems with Terraform, but also how do you add security? It sounds like some of it can be useful for security automation. I'm thinking like people build whole sort tools with UIs and stuff, but Terraform is already doing some of the automation at that level. So are there benefits and other use cases of Terraform to sort of automate security operation tasks, for example, or other security tasks? So there are a number of them. And I think the biggest use case that I hear with Terraform and I use it every day is actually around identity and access management. So let's say you wanted to grant someone additional access temporarily. Someone can open a pull request and say, I need this temporarily. It gets some kind of review. It gets approved, merged. They get added. And then someone has the audit trail to go back and maybe take away that access if they need to. So you have the ability to either add users, add service accounts, add some kind of policy that you want, additional permissions. And I think that's one of the more common use cases that we hear around Terraform. It makes it a lot easier for someone to decide they need that access and get the approvals that they need without adding additional friction. And so that's one way that you can think about it. There are other reasons why folks use Terraform from a security standpoint. Some of them use it to set up security tools themselves. When you have different dashboards that you need to reproduce, if you have different configuration settings that you need for ingesting logs or putting them somewhere, that's also a reason to use Terraform as well. As long as there is a Terraform provider, which is effectively the plug -in ecosystem, as long as there's a Terraform provider available to that tool, you are able to use Terraform to configure it. So it sounds like security teams that are trying to automate tasks using SOAR or using whatever other security specific tech should really learn this. That's my impression. At least I do recall back from my Gartner days when this came up quite a few times, people came up and said, why are you talking to us about this SOAR? We can use Terraform. And it's like, yes, you can, but a lot of your peers are buying SOAR without even knowing the Terraform exists. And so it sounds like there's a bit of a friction between security automation and like proper modern IT automation. Yeah. Is that pushing it too far or not? No, but I think it's more of an indicator of the fear of automation, right? With Terraform, it's opinionated. You have to do things a certain way. It's really hard to say, I'm going to type out a domain specific language and define my security configuration or infrastructure configuration. There's a bit of a fear cycle with automation in general.
Cloud Security Podcast by Google
A highlight from EP137 Next 2023 Special: Conference Recap - AI, Cloud, Security, Magical Hallway Conversations
"Hi there, welcome to the Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here are myself, Timothy Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and Anton Chevakin, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as on our website, cloud .google .com slash podcasts. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit that subscribe button. You can follow the show, argue with us, and the rest of our Cloud Security Podcast listeners all on LinkedIn. Anton, this is a fun episode today because we're talking and recording about stuff that's happening right now. Yes, we are doing it. I can't say we're doing it live from Google Cloud Next Conference because we're actually doing it from the Google Office. Four blocks away. Four blocks away, exactly. I wouldn't say next to next because it's going to be funny, but sorry for the four blocks thing. It was next to next, and this is airing next week. Yes, correct. It's airing next week, right after next. Got it. That's a mouthful. Listeners, this is fun though because Anton and I happen to be in the same room today, which we very rarely do. This is cool. Why did you see it next that you thought was interesting? As you know, I hate general broad questions. Hey, what are the trends? It's true, listeners. You told me this Monday, actually. Yeah. But I think that one thought that came to me, I was observing the expo floor in Moscone and watching the presentations, obviously, I got this intense RSA vibe, even though I realized that not every vendor is a security vendor in the next show floor. But it's interesting that I found our own booth for Google Cloud Security. So I thought, hey, we're finally a security vendor. And of course, that statement is probably like years overdue, but it sort of dawned on me when I was wandering the expo floor that we are now a bona fide real security vendor that delivers stuff to secures not just our cloud, but other clouds, other clients. Not just our browser, every browser. Yeah. We're a real security company. And this is like somehow dawned on me, and I guess maybe it's more of a personal observation rather than a fact or new launch, but I kind of felt it very intensely that we are a security vendor. We are the real thing. You know, it was funny, the RSA comparison you bring up because, listeners, the event happens in the same place as RSA happens every year. When you walk through show floor at RSA, everybody's a security vendor. At this event, there were vendors of all kinds of stuff. And it was kind of like, you know, I'm bi, so I hang out in both gay and straight spaces. It's kind of like when you're a gay bar, almost everybody's gay. But this time it was as if my usual gay bar was full of straight people. Not everybody was a security vendor. It was very strange. I didn't know what was going on. Felt so out of place. But it was nice to realize that, yeah, we're a real security vendor. We sell, we make, we secure a meaningful portion of the world now. It's really cool. So you have a presentation. I had a presentation. What other presentations did you think was cool, and then I want to talk about some of the stuff in my presentation. Yeah, I guess, yeah, it's the self -serving bit. It's a little self -serving. So rarely are we self -serving. We are very rarely self -serving, but I think that I kind of want to have a meta idea on this first before I go into the presentation I did. So one other thing that I observed, we observed when we were working in the vendor expo, is that a lot of security we see in the expo floor is sold to security people, obviously RSA, back to the traditional security show, security is meant to be sold to security teams, security leaders, but some cloud security is actually sold to cloud people, and it's used by cloud people, not security people. So my presentation is kind of about the encounter between these two worlds. It's a story about a more traditional security operation center, or SOC, that suddenly encounters cloud. So I'm taking the view that I'm talking to security people who met cloud for the first time, and maybe their encounters weren't very friendly in the beginning, but I'm also realizing that at this conference, it's more normal to have cloud people encounter security for the first time. So it gives me kind of a weird vibe in my brain. You know what's fun? My talk is about security people helping cloud people learn about security. So in my talk with two speakers from Uber, they describe how, as security professionals, they've integrated my product with the rest of Uber, and they use that to help the rest of Uber's cloud people understand security and respond to security, which is really great. You know, listeners, what you say in cloud, you really, because of the scale, because of the distributed responsibility, back to the Sunil Yu episode, security teams can't do it on their own. And we were talking about this earlier in the week, too, of how do we, as people move to the cloud, how do we abandon the traditional no -mindset and gatekeeper mindset of security, and instead have our security organizations become enablers of engineering and business teams to move quickly and safely? And I think there are other notable presentations, but I've noticed one by the team from Mandiant about cloud threats, which felt almost like a perfect prequel for my presentation, because I talk about how Salk, that just landed in the cloud, need to be aware of cloud threats, and there Prezo is a very solid view of what's real in the cloud, what's happening, and it's not just all crypto miners, there's actually fun stuff going on, not just crypto miners, crypto miners. Tim would say these are solved, these are solved, right? Well, I did talk about my million -dollar protection program against undetected crypto mining attacks, but did you see Kevin's slide during the keynote? No, I have not. Ah, so Kevin had a slide during the keynote, and I haven't actually seen it, I've just had it described to me, so this is third -hand description now, but in that slide, he talked about the number of critical vulnerabilities in public cloud providers that have been publicly disclosed over the past couple of years. Yeah, no, this was biased against us, meaning we don't have enough.
The Charlie Kirk Show
A highlight from The Central Contradiction of the Modern Left with Glenn Ellmers
"The U .S. dollar has lost 85 % of its value since the 70s, when the dollar decoupled from gold, and the government seems bent on continuing the tradition. Charlie Kirk here. From now until after the elections, the government can print as much money as they want. The last time they did that, inflation went up 9%. Gold is the only asset that has proven to withstand inflation. Invest in gold with Noble Gold Investments. You will get a 24 -carat, one -fourth of an ounce gold standard coin for free. Just use promo code kirk. Go to noblegoldinvestments .com. That's noblegoldinvestments .com, the only gold company I trust. Hey everybody, Glenn Elmers joins us for the full hour. Plato, Foucault, political philosophy and more. Great conversation. As always, you can email us freedom at charliekirk .com. Please give us a five -star review on the Apple podcast app. And I encourage all of you to get involved with Turning Point USA. That is tpusa .com. We have some very exciting campus tour stops coming up this fall. We have Amfest coming at amfest .com, America Fest in Phoenix, Arizona. Start a high school or college chapter to join our nationwide educational movement at tpusa .com. Turning Point USA is making hope happen on the front lines, tpusa .com. That is tpusa .com. Also consider becoming a member of our program. You could do that at charliekirk .com and follow the cues. It's affordable for all income levels. We are adding exclusive interviews, ad -free episodes and more. That is charliekirk .com and click on that member button and follow the cues. I love hearing from all of you, so email me freedom at charliekirk .com. That is freedom .com. at charliekirk Buckle up, everybody. Here we go. Charlie, what you've done is incredible here. Maybe Charlie Kirk is on the college campus. I want you to know we are lucky to have Charlie Kirk. Charlie Kirk's running the White House, folks. I want to thank Charlie. He's an incredible guy. His spirit, his love of this country. He's done an amazing job building one of the most powerful youth organizations ever created, Turning Point USA. We will not embrace the ideas that have destroyed countries, destroyed lives, and we are going to fight for freedom on campuses across the country. That's why we are here. Brought to you by the loan experts I trust, Andrew and Todd at Sierra Pacific Mortgage at andrewandtodd .com. Very important guest, someone that has taught me a lot the last, I think, six months. I'm taking several classes, enough to make your head spin, with the amazing Claremont Institute. They have these online evening courses that push you intellectually, and they're just amazing. And right now I'm doing with Michael Anton on Machiavelli, if you can get a word in edgewise. But the guest is the man behind all of that with a very, very important book called The Narrow Passage, Plato, Foucault, and the Possibility of Political Philosophy, by Glenn Elmers. Glenn, thank you for taking time. Welcome to the program. Thank you, Charlie. Great to be here. You're one of my favorite students. Well, thank you. I actually do the reading. And I have a lot to catch up for because I didn't go to college. Tell us about your book, Glenn. Excited to talk about this. Sure. The elevator pitch is I'm trying to understand some of the philosophical background behind what we could call the woke regime crisis. So the country's in bad shape. We're under a lot of stress. There's tremendous tension. We seem to be under the rule of a kind of strange deranged ideology. So I'm trying to make sense of both the left and the right, some contradictions and internal incoherence on the left. Why? Why does woke ideology seem so strange and bizarre and angry? And so I'm trying to think through some of the ideas, the deeper issues that brought us to where we are. So let's start with the first, Plato. You know, an elementary understanding of Plato, you know, you'd contrast with Aristotle kind of more into abstractions, more into the ideals. The famous, I think, was Raphael's School of Athens pointing to the sky, kind of talking about that in the clouds, Aristotle focusing more on what we can materially see or empirically see. So Plato, obviously being prolific, not something that I consider myself an expert in, nor any of our audience. How would Plato connect with the modern woke? What did he, the first ever philosopher, start the modern project of woke liberalism? He did sort of, and I don't want to make this sound too simplistic, and it would be too simplistic to say all this can be traced directly to Plato's feet, but in a way he is the original source both of our problems and I would say our solutions. Okay, what do I mean by that? The problem is in a way Plato, following his great teacher Socrates, introduced the idea of bringing reason into political life. And in a way that's perfectly sensible, right? We don't want to be governed by superstition and mindless barbaric traditions. We want to be able to make intelligent distinctions. We don't want to live according to deranged, disgusting, primitive religious idolatries, right? And so we want to think reasonably and rationally about how we should conduct ourselves and organize our politics. And Plato is in a way the first to do that, to think about bringing reason and rational thought into politics. But in a way that's also the source of our problems because in a way that's now become deranged, especially in the course of modern philosophy, introducing the idea that experts should rule us without our consent. That you can have people who are so wise, so smart, so well trained, that they can become philosopher kings and we no longer need the consent of government. We can get rid of limits on the government and the wise expert class will simply rule us for our own good. That's obviously a real problem. So Plato in a way is the source of the problems, but in a way I would also say points us to the solution, which is to get back to taking political philosophy seriously. So let's focus on the philosopher king aspect of this. There has been this repeated incantation in the media. Trust the experts, trust the experts, trust the experts. I can't help but think that this is in some ways an extension of the administrative state and I do want to get into that because I think that is what happens when you have this group of people that almost could be say they have the secret gnosis, the secret mind, the secret society, that they know better than us. So can you help build this out? There's a fair amount of pride or hubris, but also Plato said this is how politics should be formed, that you have people that know better because they've been trained and because they went to the right schools. And in some ways, Glenn, the problem with the American project as it is today, we're living under the tyranny of living in the clouds who call themselves philosopher kings. Right. Now it's important to remember when Plato wrote this famous book, The Republic, where he talks about the philosopher kings, he makes it so extreme, so radical, so outrageous and unreasonable that a lot of intelligent scholars say he was being ironic. He was trying to show you just how crazy it would be to live under this regime of philosopher kings in order to point to the limits of politics, precisely to show you the limits of trying to make all political life rational. And in a way then to show we have to be more moderate in our expectations from politics. We have to be sensible about what we can actually achieve in political life. And so it's a lesson in moderation if you understand the philosopher king as sort of an ironic, outrageous idea, which points to something then more sensible. But in modern philosophy, the idea of the philosopher king is taken seriously. And why that happens is an interesting story. It partly has to do with this idea of the end of history. You know, Charlie, Fukuyama and this German thinker Hegel. And the idea is history is unfolding in a process, right? There's an element of that that leads to Marx. And we now are much wiser than the people in the past. We figured things out. We have all the answers. And since we have all the answers and we figured everything out, let's just go ahead and implement all the all the solutions. And that's the presumption of the left, which is we figured everything out. We're so smart and wise and we don't need any limits. We don't need your consent. We're just going to go ahead and do what we think is best. Yeah. As Wilson said, we don't want to muddy up the business of government with politics, a .k .a. we don't want elections to get in the way because we figured it out. Hilariously, Glenn, as a side note, this has been a theme we've talked about is that we're told by our leaders they figured it all out. Yet we can't fight fires anymore. We can't manage our border. We can't do the very basic stuff. I think this would be a time for mass humility, not massive narcissistic pride. Right. No, that's an excellent point. The crisis of expertise is that the bigger their ambitions, the bigger their goals, the less competent they are in doing it. The ordinary things that were actually done. Like making your bed. Yeah, exactly. You know, people complain about the corrupt city machines of the 19th century, you know, Mayor Curly and the big city. But, you know, they built bridges and libraries and roads and things worked and they actually got a lot done during this so -called era of corruption. Oh, I mean, I'm a child of the Chicago suburbs. I've always said that I would rather have the corrupt politician than the ideological one. And our audience attacks me for saying that. I would rather have Mayor Daley who sells out for a buck with the unions. But there was low crime. The trains ran on time. It was a beautiful city. And yeah, he was obviously on the dole. He was obviously cutting deals, but he didn't have some sort of abstract revolution that he was trying to bring forth to Chicago. He just wanted to get paid. That's the idea, right? So this petty corruption in a way, you know, is the idea that if you can make politics perfect and get rid of all the corruption, you make matters worse. This utopian idea that we can achieve perfection, we can achieve heaven here on earth, it doesn't solve the problem of corruption because people are still self -interested. What it does, though, is introduce these vast unrealistic schemes that leave ordinary day -to -day function behind. And so we can't, our bridges and our roads and our schools don't work anymore while we're trying to achieve, you know, diversity and economic justice and all these ridiculous things. And basic infrastructure falls by the wayside. Yeah, I mean, our military, unfortunately, is falling apart. And basic infrastructure, basic things like getting your kids to read, having your young people not kill themselves at record rates, like really kind of basic indicators that your society is healthy. Almost every single one of those is going in the wrong direction. And yet the lecturing we receive is about viva la revolution. We will bring forth diversity and equity. There's this amazing clip, which is Hegel. It's Al Sharpton and Kamala Harris. And I don't know if you saw this, it was MSNBC. You have to have a trained ear to catch it. And Obama said something similar where they talk about this arc of justice, right? How history folds itself out. And meanwhile, you know, the observer that is walking around the cities, these people govern is like the people are defecating, they're doing drugs. The kids aren't in school, but they're like, hey, no, but the revolution is what matters. There's a lot there that I want to unpack. The book, I want you guys to read it, The Narrow Passage, Plato, Foucault, and the Possibility of Political Philosophy. And oh boy, we are going to get to Michel Foucault because that, he was a trickster. I'll tell you what.
Cloud Security Podcast by Google
A highlight from EP136 Next 2023 Special: Building AI-powered Security Tools - How We Do It?
"Hi there, welcome to the Cloud Security podcast by Google. Thanks for joining us today. Your hosts here as ever are myself Timothy Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and Anton Chevakin, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts as well as at our website cloud .google .com slash podcasts. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit that subscribe button. You can follow the show, argue with your hosts and all the other listeners of the Cloud Security podcast on our LinkedIn page. Anton, this is a special just in time for our next conference this week. And like many technology conferences this year, AI is a core theme. And today's guest, I'm really stoked about because he's been at the forefront of leading the engineering charge on building not just security for AI, but AI for security. Indeed, this is a very fun one. And I feel like today, some of the listeners may expect the deep secrets about how we really did it. And actually, yes, some of it will be revealed. But at the same time, it's a really good conversation about somebody who is in the middle of building AI for security. And of course, secure and AI as well, who is a senior leader in the organization. I thought what was really interesting on that deep secrets front was when he broke down the problem, it seemed so simple. Yes, and at the risk of spoiling, I would not say a word. I think that's exactly right. Yes. And I think maybe that's a mark of good leadership and good communication that you can take this hairy intractable thing, securing AI, AI for security, and make it sound like it's not rocket surgery at all. And so maybe with that, listeners, let's turn things over to today's guest. Today, we are joined by first, an expense approver in chief, and second, one of the best VPS of engineering I've had the pleasure of working with here in Google Cloud Security. Eric Durr, thank you so much for joining us today. This is a fun episode, because we get to talk about one of our favorite topics of skeptical eyebrow raised contention, AI. And now I understand this week at next, you're talking about AI. So tell me with my eyebrows cocked and ready to go. What are you talking about? So I'm going to talk a little bit about what we're doing with security use cases and AI. And one of the exciting things we announced at RSA is that not only are we taking Google's generative AI, and building that deeply into the different security products, but on top of that, we realize there's kind of a gap in the system everybody for out there who's trying to protect themselves, their infrastructure, build security applications, etc. So we're well on the way to that. And I'll give an update on everything we're learning and have some partners and customers come on stage with me and talk about it. It's really exciting. So a couple of parts of that, then how we're using AI, how we're building a platform for AI for security. Was there a third piece, two pieces, three pieces? I think there's two pieces, two pieces, we're using it everywhere. And we're building a platform. Okay.
The Dan Bongino Show
Michael Anton: The Left Doesn't Learn Unless There's Real Loss
"Know believe it was a good friend of the show Michael Anton who had said I could be wrong but I think I read it in his work where he said the left has no ability to learn from their mistakes unless you impose real material losses on them because they don't want to learn from their mistakes communists know putting people up against the wall and killing them and torturing them and imprisoning them you think they don't know that's wrong I mean they've probably read some book about some religion with like hey whacking people that's probably bad a idea it's only like in that ten commandments thing and like basically every other religion like you probably shouldn't whack dudes or ladies it's just not a good idea okay so they don't really care the only lessons they will learn are when real material losses are imposed upon them and those material losses I material is probably a bad word I think I think that was a word he used much of his Anton or someone else so I forgive me it has to be something of substance it matters to them that has to go way where its influence clout money could be material homes freedom the left learns nothing from any incident
Woz Happening!!!!
A highlight from Drive My Car (2021}, (Japanese) Movie Review
"What's happening everybody? We're back again and this time Ben and I are covering another 2001 film. This one is a Japanese one called Drive My Car. Ben? Again, this is a movie that was told to us by one of our listeners. It was suggested so we threw it into the mix. We have a lot of stuff that we have to review from you people for sending us your suggestions. So don't think we don't listen. We do go off on our own because we do have our own agenda also, but we do have your stuff ready and about to be done. You're giving us time. Yeah, we're only two people. We can only watch so many movies a week, but let's get into Drive My Car. We had just covered Celine Sakama's Petit Maman which was an hour and 12 minutes and this movie is three hours long. This movie is, I will say, mesmerizing in parts and very atmospheric, but I get a little tedious in parts. A lot of scenes of driving the car, which I understand it's in the name, but... Yes, I agree. Three hours, I felt that it did not need to be three hours long. I really did. The movie's good and there's a lot of things in it that make you think. There's a lot of metaphoric phrases in it that we'll get into, but the three hour part, I was sitting there going, okay, I got up and got coffee, came back, sat back down and I didn't felt I'd miss a beat of the movie. I just like to say that. I'm telling you, it is a good, good, good, good movie, but for me, three hours was just really long to sit through. I find three hour movies to be long as well. Just a sidebar, I did go see Oppenheimer in the theater. That movie is three hours long and I felt the same exact way. I was like, why am I seeing all these shots of people riding horses? I don't know. I think there's a time and a place for a long movie and if you're filling it with things that are meaningful, not saying that this movie had a lot of frivolous moments, but I do think that it could have been whittled down just a little bit. This movie is based on a short story, which also shocked me because it was three hours long, but I have not read the story. Have you been? No. No, I didn't know it was a short story until you just told me, so I'm like, oh really? I'm like, how? How? One thing that I think is very interesting in this movie and one thing that was a very conscious choice by the director was that they don't drop the title card until 40 minutes in and I was like, that's a power move. All this was just exposition. Yeah, it was really confusing for me because my is television broken right now and it tells you everything people are doing, so it actually instead of just coming up on the screen, I actually was like, and the director is, and I'm like, oh, what is going on here? That would drive me legitimately insane. I would be like, no, I can read. No, so the movie is very good. It follows a screenwriter and actor in living Tokyo or yeah, Tokyo, and he goes to Hiroshima sometimes to do panels and to put on a play. He is doing a play of Uncle Vanya written by Anton Chekhov, so I will say starting off, it is a Japanese movie and one of the main points of it is a Russian play, so it is bleak. There it is. It is a bleak film, so if you're looking for any hope in this movie, there's some at the end, but it is barely there. It follows this playwright or this actor and his screenwriter wife and they work together. She's a screenwriter. He's an actor and obviously in the beginning of the movie, she is alive. He's attached to his red car. It looks like they have a good relationship. They do this thing where they will have sex in after or during. She will tell him stories and she won't remember them at the end and she'll ask him about it and be like, oh, what did you think? What did you think? Then he tells them back to her. We'll get more into that later because that plays a bigger part later. One day, he leaves to go to Hiroshima, but his flight gets canceled, so he comes back home. When he comes back home, he sees her obviously having an affair, but he doesn't say anything and he leaves. Then he comes back from his trip and everything is fine. Then he has to go out for a meeting one day, but instead we find out that he just ends up driving around and she's like, hey, when you get back, we should talk. When he gets back, she has suffered a brain hemorrhage and has died. Then the movie picks up two years after that. The person she's having an affair with is the lead actor of her newest play. He plays into this movie a lot. You'll find out later on why. The part when she had the brain hemorrhage and died, I wasn't expecting that. I was not expecting that and I knew that she was going to die because you read it in the description. It's not a secret that she's dead. I thought it was going to happen in a car accident. I kept waiting and then the car accident happened when it was just him. You find out that he has glaucoma and is going to go blind if he doesn't use these eyedrops. This is devastating to him because he loves driving. Then we see some scenes where they're driving together and then of course after she dies, he does drive himself. Then he gets a two -month residency as directing this play in Hiroshima for a festival. What I thought was really cool about this play was that it was a multilingual play. It wasn't just in Japanese. They had it in Japanese, Korean. Some people spoke English. There was a Korean sign language or Filipino. I thought that that aspect of it was actually very cool. I liked how they had all the different languages on the screen behind them and showing how stories are universal even though language is not. We have all these language barriers but we can still tell the same stories and have it be important and matter. I thought that was really cool. I really, really appreciated that. As he's casting this play, the actor that was having an affair with his wife comes in and auditions. You can see he's kind of distraught by this but he also gives him the lead role of Uncle Vanya. The guy's confused. He's like, Uncle Vanya should be old. Why aren't you playing this? He's like, no, no, no, no. We'll age you up with old age makeup. You can do this. You can do this. I thought that was really interesting because you kind of get the idea that he has this sort of, not ill will, but he has some reservations about him. He has some aggression. You can see it during his audition. He kind of cuts the audition short even though he's doing a great job. I thought that that, and then you kind of see that dissipate as they start to understand a little bit about each other. I thought he cut the scene short because he was trying to kiss the girl. I thought it reflected on his wife, his memory of the moment. He was like, that's enough. I think that's what he wanted to say when he went in the house but he didn't. He just decided to leave. When he saw him doing that to that girl, he wanted to step in and be like, no, done. I thought that's why he did that. Yeah, agree. Then they're going through the play and as a stipulation of his, he has some requests. He likes to live an hour away so he can rehearse lines in the car. How he does that is it is through a tape. The tape has every part but Vanya's because he would read Vanya's lines. A stipulation of the festival is that talent cannot drive themselves because they had a car accident a while ago and they're like, we're trying to avoid that. To avoid that, he has a driver and she is a great driver.
Cloud Security Podcast by Google
A highlight from EP135 AI and Security: The Good, the Bad, and the Magical
"Hi there. Welcome to the Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here are myself, Timothy Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and Anton Juvakin, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as on our website, cloud .google .com slash podcasts. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit that subscribe button in your podcasting app of choice. You can follow the show, argue with us, and the rest of the Cloud Security Podcast listeners on our LinkedIn page. Anton, we have returning guest Phil Venables today talking about, well, I guess it's a returning topic as well, AI and security. Correct. But you would see as expected with this guest, you would have a lot of surprises. You have a lot of deep thoughts. You'd have practical things. It's just a really good episode because it's a really good guest. Is he your skip level? I think he might be. Can we avoid this topic for now and just proceed with the show? Yes. Listeners, why don't we get right to it? Let's turn things over to today's guest. And with that, listeners, I'm delighted to welcome back to the podcast, Phil Venables, CISO here at Google Cloud. Phil, thank you so much for joining us once again on the show. We are talking about, I think, a fun topic. We're talking about AI for security. And I want to start with, this seems like kind of a softball question, but why is AI such a game changer for security? And to question my own question, can we even have game changers in cyber at this point? Does what I'm saying make sense? Yeah. Well, so look, first of all, it's great to be back. I'm still an avid listener of the podcast, so I always feel it's still a privilege to come back on. You know, it's an interesting question because everybody talks about, is AI going to be a game changer for security? And I think most of us would look back and say, already has been a game changer for security. When you look at, perhaps not generative AI yet, but more traditional types of machine learning across everything we do on malware filtering, spam filtering, safe browsing. You know, you had Panos on a few episodes ago talking about safe browsing. That's powered by machine learning. Some of Tim, your own products have got a lot of machine learning under the hubs. Everything we've done with AI recommend has got machine learning under the hood. So it's already been transformational, and I think we've got to remember that. But I think certainly what has started to happen and what is coming with large language models and other transformer based generative AI is going to be significant in the future. I think we probably won't feel like it's game changing because certainly what we're starting to see already, whether it's use on software security, on configuration recommendation, on malware analysis, on suggesting detections based on threat information, it all feels kind of very incremental and it's great incremental steps. But I think it's happening so quickly and so incrementally that it won't feel like it's game changing in the moment, but we'll look back in 12 months, in 24 months, in 36 months and think like, holy cow, this really was game changing. So it is incremental, but it's going to be game changing over time, even though it doesn't feel like quantum leaps every day. It's just incremental, which is great. I think that makes sense. Like a rapid, quick step incremental in a year is game changing. That actually, that logic makes perfect sense to me as well. Let me ask you a bit of a strange sub question to this. We do see sometimes other vendors assume that generative AI would like generate stuff and they would just run the code. And when I hear this, I'm usually a little freaked out inside. So as far as use cases where this type of rapid incremental change leading to game changing may happen, what are you thinking? Detecting threats, reducing toil, where is your mind? Both. Yeah, I mean, it's a bunch of stuff. I mean, certainly I'm excited by generative AI in its ability to enhance the productivity by reducing the toil of everything from people doing security analysis roles, coming up with new operations, detections, many other things like that. I think what is going to be really interesting though is, and you kind of touched on this Anton, is the notion of how do we use this as part of secure software development or establishing secure configurations? And I think that's going to be pretty interesting. And while I wouldn't say any of this technology yet can generate software for all purposes that has no vulnerabilities in it, I think we're a ways away from that. But when you look at very specific use cases around generating code, framework boilerplate code, generating other types of code, I think it does radically transform developer productivity. And you can imagine the use case of it. Imagine if you're in an IDE with a generative AI coding assistant and it watches you code up some SQL query and then says, look, don't do that. I'm going to give you my automated framework for safe injection SQL proof queries to the database, or I see you typing up this web server call and I'm now going to give you the automatic boilerplate to make that a secure call with all of the cross -site scripting mitigations in and all of the cross -site requests for you. That calling up predefined boilerplate within the enterprise context is going to be transformational for security. I mean, that's clearly possible today with many IDEs, but doing it in a generative way that has a much deeper insight into the context of the code is going to be pretty significant. And then overlaying on top of that, the whole controls as code in infrastructure or cloud configuration to be able to generate. And we're doing this, as you both know, with our duet system, taking our AI and applying that to configuration generation. Imagine doing that. And so you're auto generating secure configuration as part of systems development will improve security as well as transforming productivity. That makes sense. And I think to me, much of the excitement is there. And I think that occasionally I do have a fear that the Gen AI would go kind of the opposite way, namely that it would give you something it learned from bad programmers somewhere and instead of secure framework, it would give you the very opposite. So I want to switch it briefly to fears from excitement. I mean, you are a CISO and the classic, almost like a mainstream press question to CISOs is, do you lose sleep at night? So is there any AI security issue where you kind of lose sleep at night? I think not in the way people might expect. So I think there's a lot of great work going on here at Google and in many organizations to take the risks you might expect with AI around training data, making sure that you're putting the right data in that will yield the right outputs, managing the tests, managing the security of the model weights and all the other parameters. So there's lots of challenges there, but there's also lots and lots of work going on, including our own secure AI framework that prescribes a bunch of controls for that. I think the things I worry about is when you think about coupling AI to critical systems that then actuate physical activity or cause transactions to occur or cause some type of activity to occur, and then thinking about whether organizations are building in the right input and output guards around those processes, if you like, circuit breakers to make sure the AI is doing the right thing. I think many organizations have the, if you like, the DNA of how to think about that problem of putting AI in the context of a surrounding set of controls or guards. I worry sometimes that there's some organizations that have not come up in almost that safety engineering culture that won't necessarily think to do that. And then the other thing I worry about is the unintended consequences of the use of AI because AI in many business processes is going to transform those in a way that may create unintended risks that have not been foreseen. And so again, it's definitely encouraging when organizations are deploying that AI they're not just involving their security team, they're thinking about the risk, the trust and safety, the compliance obligations. And that's definitely more than anything I've seen before, a whole of risk management approach to get this right, not just a whole of security team approach. That's really encouraging that you think this is going better than other things you've seen. On that sort of thread, I want to pick at that a little bit. Do you think AI is going to help the good guys more or the bad guys more? And if the good guys have security and privacy and risk and safety engineering all in the room, might the bad guys be able to move faster and do more bad stuff faster than we can do good stuff? What's the right way to think about this race? Well, I'll give a predictably non -committal answer and say it depends, you know, so it depends on the attacker, it depends on the defender. I'm actually optimistic that all things being equal, AI should give defenders an advantage because AI is good at amplifying capability based on the data and the configuration the organization has that the AI can apply to, which in the general case, attackers don't have as much visibility into that. Of course, attackers at certain stages will have visibility into that. But when you think about the possibilities for an organization to use AI to manage its own territory, that's inherently a defender's advantage. And again, when you think about the classic trope that I don't actually agree with, this trope of defenders have to be right all the time and only attackers once. I actually think I prefer the alternate framing of that, which is attackers have to evade detection all the time, but good defenders only have to spot and respond to the attacker making a misstep once. And I think AI, especially for that, tips in the favor of the defenders, but defenders have got to make a good use of it. I think the one mistake, this has been always my motto for hunting efforts, right? What you just said with attacker making one mistake and a good blue team detects them and the breach is discovered or prevented. So that to me makes sense. And I think that AI superpower for that is a really good idea. And I think it's almost like it's worth the price for the entire podcast is that line. Because to me, this actually makes sense. And it's also very rarely represented in other communication. People don't really focus there. That's a way where AI can give defenders superpower to turn this from the best teams can get it to many teams can get it. Yeah, I think that's right. And then you look where people are paying a lot of attention to how attackers may use AI, for example, in constructing new and more sophisticated phishing attacks and other types of social engineering attacks that will thwart authentication systems. My answer to that is people should probably be upgrading their authentication systems to phishing resistant cryptographic token based technology, such that we're putting in defenses against all forms of phishing, not some super powered AI phishing. So I think we don't necessarily need to think of how to use AI to counter an attacker's use of AI if there's a better control that takes the game to a different place anyway. That makes sense. I really like that answer. People get so wrapped up about AI versus AI instead of solving the problem, where AI is just the tool that's used to accomplish it. That's right. Yeah. And similarly, again, if you think about attackers using AI to probe your configuration, to look for weaknesses, to identify vulnerabilities, yeah, of course they could do that. But also as defenders, we can do that. And like we talked about before, the defenders are applying that to superpower their identification of the most critical vulnerabilities, to focus resources on resolving those vulnerabilities before the attacker sees them. It's part of the things we've talked about before, which is the goal of defenders is to have your OODA loop go a lot faster than the attackers. And I think, again, I'm optimistic on this, that AI powers that part of the defender more than it would power that part of the attacker. So let me probe very quickly at one argument, one part of the logical argument is that when we were presenting, preparing the question, I was nervous that attackers would have an inherent advantage in the adoption speed of because they are less constrained by the rules. So I almost feel like I have to ask you, do you have a good counter argument to that? Because the fear is that attackers would just go faster because they have less rules to follow them being the bad guys. Well, it's interesting. I mean, I think defenders in defending themselves don't have as many rules to follow as people might think. Now, there would be some significant constraints. So if a defender is putting in place an AI system, automatically finds attacks and then responds by crafting defenses, and then that automatically then adjust defenses, and the AI is in charge of your entire security, then if that's your goal, then you probably do want to move slowly and make sure that you're actually doing that in a safe way. And clearly the attackers don't have to be measured in how they do this, unless they really wanted to be careful about whether they're detected or not. But I think when look at all things being equal, if the attacker can move quickly because they're not constrained by rules, they are constrained by the absence of the data they might need about your environment or the environment that they're attacking, and they're constrained about being careful so that they're not detected in unexpected ways. Stealth means they're slow. Yeah, exactly. Then on the flip side, as a defender, you may have some constraints because you're operating on the side of safety and managing your change risk, but at the same time, you've got or you could have perfect knowledge of your environment, you've got access to all of your data, and you've got the ability to change your environment in the favor of the defender. I think there's another interesting asymmetry that gets highlighted by the AML model that Google recently released, where defenders can work together, but adversaries are constrained in their ability to work together. I think given that AI systems require data and large amounts of data for training, this is an area where if we can get good at cooperative data sharing without releasing our secrets to each other, I think we actually have a really interesting ecosystem opportunity to be asymmetrically advantaged in training ourselves since we're all on the same side at the end of the day, unlike adversaries who are competing to defraud companies for the same limited pool of dollars. Yeah, I think that's absolutely right. I think, as you know, adversaries do share data with each other, but it's usually in the context of a black market supply chain rather than the well -intentioned sharing of data for common defensive purposes. You're absolutely right. In a world where the AI is powered by broader and broader knowledge of what's going on, the more that we can share information in appropriate ways, the more we're going to be able to power that collective defense. Yeah. So I want to shift gears a little bit and talk about defending AI systems and securing our AI lifecycle maybe. Does that look like defending any other app lifecycle? Is it different? Is it just a big data problem? What does defending AI look like? Well, it's starting to interest me a lot because it's a combination of things. So on one level, it's like software security. So you have a whole bunch of elements of your AI system that you have to manage their provenance. You have to manage their secure build. You have to manage the lifecycle. You have to manage the testing and the regression testing. But on another level, it's like data security and data governance because you have to manage the training data, the test data, the weights and the parameters. You have to show that there's provenance of that data. You've got to worry about the intellectual property. You've got to worry about all sorts of aspects of the data that is then used by the software to implement the AI system. You've got to think about input and output management in terms of the prompts and the output. And then like we talked about before, you've got to think about the guards and the circuit breakers and the API gateways and all of the other things that surround the AI system that act as constraints on how it is used and how it can be prompted to not reveal sensitive information, to not do any outputs that you don't expect or not create actions in transaction and other systems that you may not want or expect. And that's a really interesting combination of controls and risks. And it's funny, the environment it always brings to mind for me is in financial services where you have security and risk management of algorithmic trading systems. If you think about these high -speed trading systems, they're models, in some case, machine learning -based models. They have input, outputs, testing software, data controls, and then they have a bunch of guards and circuit breakers around their behavior to make sure they're operating within pre -specified parameters. And so you've got to imagine, I was thinking this the other day, you've got to imagine that the security and risk teams in large banks, trading houses, or brokerages should get to grips with this set of risks in somewhat pretty intuitive ways, whereas other organizations may have to kind of come up the learning curve of how to arrange together the software security, the data governance and control, and the surrounding environmental guards for the end -to -end risk management of AI systems. That actually makes sense. But you also pointed out that some other similarities, I certainly seek similarities to early cloud years, where, for example, people didn't really get the whole shared responsibility. I mean, admittedly, I still see people out on the street who don't get shared responsibility for cloud even today. But for AI, it seems like we host the system, somebody else tunes the model, we give the foundational model. There are a lot of parties playing here, and it feels like So we, of course, pioneered the shared fate model at Google. So do you have any view or any kind of vision or anything on how shared fate would apply to AI? Yeah, I mean, I think it's somewhat similar to the cloud as we think about layering shared fate on shared responsibility in the sense that, as you pointed out, we provide a lot of the models, the model execution environment, many of the testing tools. And so we invest a lot in our foundation models that we provide as part of the vertex AI model garden environment. And then we also provide a bunch of end to end data governance tools, surrounding tools that control the environment. So we're investing a lot of our opinionated knowledge of how to run these models that we use in other parts of Google into those products. So very, very similar to what we do with many of the cloud products and layering in that opinionated guidance and taking responsibility for how we've done that is a similar moving up the stack that we've seen in other applications of the shared fate philosophy. And that means that we would have similar kind of mechanisms for helping clients with what's on their end of the shared dispensability model. So like pre -secured elements to assemble, landing zones, basically some of the ideas from how we manifest shared fate on the cloud would apply to AI systems. Yeah, exactly. And then how you think about taking the foundation models, helping customers develop their data governance practices to bring their training data inside their secured customer project, where the training data that develops the adapter weights that sit on top of the foundation model, don't make it back into the Google environment. So customers get to protect that, but they then get the apparatus within the vertex system to be able to manage that. Again, it's giving people the tools to run by default in a controlled way as they bring their data to then use the foundation models to deliver a specific use case for them. That makes a lot of sense. And it pains me as always to do this, Phil, but I am at the point where I have to ask our traditional closing questions. One, do you have recommended reading, maybe specifically in the area of AI security, and then two, a recommended tip for organizations to want to start pulling AI into how they defend themselves? Yeah, so like the reading is, you know, I'll be a little bit parochial, is that, you know, there's so much good Google content, either within Google research, and I'm sure you guys can add to the show notes the link to the research website, but then we've done a lot of secure AI framework that we published. And then we also published recently a Google -wide red team guide on how to think about red teaming. AI models, a big part of the testing of these models is not just to do the normal data -driven testing, but do adversarial testing against not just the security, but their overall behavior. And we produced a really good red team guide. That's worth looking at. The other thing I would say as well is, you know, in terms of, and I've kind of touched on this at a few points in the conversation, the important thing about AI security is security is not just the only risk attribute to pay attention to. There's many, many different risks here, whether it's everything from intellectual property to trust and safety and compliance and behavior, as well as all the operating risks of how an AI is plugged into your wider business or mission process. And I think one of the key success factors for many organizations is not just how good a job the security team does, but how good a job all of the teams that manage all of those risks partner together to deliver an integrated risk framework for that organization. And then also, I mean, we've talked a number of occasions about the role of the board of directors, the many major companies that's also involving the board, because I'm finding the board is also very, very conscious and highly thoughtful about how to think about the responsible deployment of AI. And that's something that we've partnered with many customers on as they build their whole risk framework. So again, not just the security aspects, but how the security team works with all of the risk functions to deliver safe and responsible use of AI while driving innovation forward as well. That's such an interesting answer. And I wish we'd had more time to actually talk about the board piece, because I think there's so much interesting stuff happening at that level too. It really, I don't know, sometimes I feel like security can be a bit of an afterthought for people. And this is one place where the intersection of AI and security and board governance are just, they're really coming together right now. Well, it's funny because like I said, you know, we've been spending a lot of time with boards and I find it really refreshing that this is a topic as security overall increasingly is, but it's a topic that boards are considering as they think about how their companies are going to innovate with AI. I've yet to come across a board that isn't also very, very focused on their trustworthiness, safety, responsible AI. And it's been particularly pleasing for all of us at Google where I think we more than pretty much anybody through the development of this technology have been very, very focused on that responsible and bold use, but really thinking about trust and safety and security and compliance and privacy and all of those risk mitigants as a core of what we build to have customers, boards, call that out and thank us for being focused on those topics because they are focused on it even amidst the pressure to innovate is actually a big positive for all the people at Google that work on these things. And listeners, Phil's not just saying that. I mean, you go use the restroom at Google and there are signs in the bathroom teaching you about AI ethics and compliance. It's really everywhere here, listeners. And I think it's easy to say, oh, Phil's just saying that, but really we really do care about these things. And so maybe on that note of Google really does care about this stuff and it's great to see everybody else caring about it. I want to thank you, Phil, for joining us once again. Yeah, always a pleasure. Thanks, guys. And now we are at time. Thank you very much for listening and, of course, for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify, or wherever else you get your podcasts. Also, you can find us at our website, cloud .withgoogle .com slash cloud security slash podcast. Please subscribe so that you don't miss episodes. You can follow us on Twitter, twitter .com slash cloudsecpodcast. Your hosts are also on YouTube. We can invite you to the next episode. See you on the next Cloud Security Podcast episode.
Bloomberg Radio New York - Recording Feed
Monitor Show 14:00 08-15-2023 14:00
"Ron, get over the mouse. Move on. It's not helping. We love the mouse. I hear the mouse can roar. I don't know about that. Let's see where we're going. But just remember this. On the 15th of August, Ron DeSantis asking Disney to drop the suit. Many thanks to Rick Davis and Jeannie Shanzano. A fascinating conversation every day here on Bloomberg Radio. We've got a lot more to cover with this fourth indictment now in the bag. Hour two of Sound On starts right now. Broadcasting 24 hours a day at Bloomberg .com and the Bloomberg Business Act, this is Bloomberg Radio. Now from our nation's capital, this is Bloomberg Sound On. Former President Trump has a protected constitutional right to make statements, even if the statements are knowingly false. Israel is a democracy. A third of the country has been protesting these judicial reforms. Bloomberg Sound On. Politics, policy and perspective from DC's top names. China may be less of a desirable investment target because of their own economic issues. I would hope that both the Senate and the House can get a plan in place and avoid any kind of a government shutdown. Bloomberg Sound On with Joe Matthew and Kaylee Lyons on Bloomberg Radio. 98 pages, 41 counts, 19 defendants. Welcome to hour two of Bloomberg Sound On as we seek answers to the fourth criminal indictment against Donald Trump, this time from Georgia, where the Fulton County D .A. goes far beyond special counsel Jack Smith in this indictment. Does it go too far? We'll get the latest from Bloomberg's Atlanta bureau chief, Brett Pulley, and we'll dive into the indictment with Jim Zirin, the former assistant U .S. attorney in the Southern districts of New York. Later, we take the temperature of Republicans in Georgia GOP strategist Julie Anton.
Cloud Security Podcast by Google
A highlight from EP134 How to Prioritize UX and Security in the Cloud: UX as a Security Capability
"Hi there, welcome to Cloud Security Podcast by Google. Thanks for joining us today. Your hosts here are myself, Timothy Peacock, the Senior Product Manager for Threat Detection here at Google Cloud, and Anton Chubakin, a reformed analyst and senior staff in Google Cloud's Office of the CISO. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website, cloud .google .com slash podcasts. If you enjoy our content and want it delivered to you piping hot every Monday, please do hit that subscribe button. You can follow the show, argue with your hosts and the rest of the Cloud Security Podcast listeners on LinkedIn. Anton, I am delighted about today's episode because it's one of those ones where we had high expectations, and then I think it really just kicked into a special gear throughout the course of the recording. It felt great. It did feel great, and I can tell you that my impression is that we'll have a solid episode, but we actually have a magically good episode as a result. So the result is just like that much better. And it's also a topic that kind of maybe not doesn't trigger people, but it's a topic that confuses and befuddles people in the industry, right? Cloud security, security. Yeah. And we have somebody who really knows how to make it come to life. And I think for maybe the more cynical listeners we have, you might look at the episode title and go, that doesn't exist in my industry. And this episode is maybe designed as balm for those people to talk about. No, it really should. And we're really trying, and this is how we're thinking about that problem. So perhaps with that intro listeners, let's turn things over to today's guest. I'm delighted to introduce today's guest today. We are joined by Steph Hay, director of UX for Google Cloud Security. Steph, first off, thank you so much for joining us today. I'm delighted to have you here because I work with your team all the time. And I think of the PMs in cloud security. I may be one of the more UX oriented ones. It's important to me, and I think it's important, but for a lot of people, UX and security kind of go together like peanut butter and pickles, and they just don't get it. So maybe, could you, could you tell us about the importance of UX in security? You bet. Pickles and peanut butter, is that what you said? Not a good combination. It's the opposite of peanut butter and chocolate. That's his metaphor of the day. No. Anyway, I mean, it was a big reason why I got into security in the first place, having been on the receiving end of working for a company that was doing its very best and experienced a data breach. And just sort of in, you know, a split second realizing that a usability challenge where like a thousand notifications went off at the same time and no human could parse through those thousand notifications. And by then the perpetrator had already been in and out. Well, that seemed like a usability challenge for sure. And so that was sort of one moment for me. But there are just countless moments of, you know, somebody really trying their best and having a hard time understanding something both presents a really good obstacle for a bad guy. But also, there are a lot of good guys who are trying to make security, make more secure outcomes for their organizations. They're having a hard time doing it without the right tooling design for them. So that's why I think UX and security are more like peanut butter and jelly, Tim. They should be where you can make security understandable and usable and still also have the right hurdles for the bad actors who are trying to exploit it. And that's the security challenge that I think we all face. So to sort of pick on the theme, I think that the whole uneasy relationship, I'm not going to go to the peanut butter and pickles, frankly. I don't know. This to me sounds a little as my four year old would say, yucky. But idea the is that there's an uneasy relationship. And sometimes it feels like bad or inferior or bad UX is almost like a security problem. Because in your scenario, when there are many alerts, they're produced and shown in such a way that a human cannot comprehend them. Ultimately, the UX designer is almost like a guilty party in the breach, almost like the almost a little far. Oh, I'm pushing the little far. But like, what's your take on this? How can we, like, if bad UX is problematic from security point of view, why aren't we in security don't pay more attention to it? Well, I think we are. I mean, there's a reason why I'm here for sure. But generally speaking, I think it's actually bigger than security. Generally, enterprise tooling has not gotten the same TLC from a user experience perspective as consumer facing products. And I think that's, you know, having seen this in multiple different contexts. One of the opportunities for user experience as an industry is to come into what are the operational tooling that practitioners need to do their jobs every single day. Security is one of them. But you can imagine, like, you know, workflow management for anything that is highly complex. When you think about doing something like that, where I might not actually be the end user every single day, versus something like another music sharing service, or, you know, whatever that I might actually use every single day, my job as a designer is actually much harder. So it's harder, I think, to attract and retain UX practitioners in spaces where they're not the everyday end user, and they're not actually practicing, in this case, security. So the opportunity, I think, which we're obviously exploring here in Google, is to bring the right UX thinking and do the right research with end users, in our case, what are the stock admins doing, what are the stock engineers doing to try to get their jobs done and to focus on their jobs to be done and to enable them through better tooling, is in the enterprise space, I think it's newer, sort of elevate user experience as a primary part of the development process. And certainly for UX practitioners to be working in that space, it's a little bit newer, at least in a critical mass where you've got UX design and research and writing and prototyping and like the same kind of full stack design team that you would have for a consumer facing app that's been doing it for 30 years. There's something in there. Consumers, I'm going to talk over Tim this time, I'm sorry, Tim, I insist, because you said something that I've been trying to have us use more, and us in this case means Google, because you pointed out that in some consumer facing app, we do amazing amount of that. And it really pays off. But in enterprise slash securities areas, we haven't until recently. So it's kind of a reason why our consumer, Google's consumer kind of focus originally is a strength, not a weakness. Because our UX is in fact superior and should withstand the testing by billions if it's a consumer facing app. Well, and that's why I also think like we see startups in the security space in particular who have been investing in their user experience right from the jump, because they can actually differentiate by taking a more consumer centric approach. Whereas maybe for, you know, others, us included in several areas, we focus more on the developer who might not actually even be using a UI, we might be looking for the person who's going to be integrating at the API level, not thinking about what the end user experience is going to be for the practitioner who's new, you know, two years down the road, and that got us up and running, but it's not good enough anymore to compete with those startups. I'm really interested in something else you said there, and I'll accept Anton talking over me, it's allowed to happen sometimes. You talked about motivating UX people, and the motivation here, but you also talked about your motivation of getting into this around being present when a data breach happened and the challenges there. How important is like mission orientation in the people that you're hiring and retaining and making successful in these roles? How do you get UX people who could work on an app that's used by billions versus work on apps that are used by thousands? Yeah, it's a great question, a daily challenge, and everybody's different. Okay, so our mission is to make security understandable, so we can deliver peace of mind to customers worldwide. And speaking, generally for like I shared my example, right, but for the way the world is moving to the cloud, everyone at the end of the day is going to benefit, and especially the UXers on our team, who are at the sort of forefront of designing these experiences, everyone is going to benefit from having more secure organizations in the cloud, everyone. And that's not a hard sell, when you are flying every day, your healthcare companies, your governments, like all of these organizations that have your data, want to protect your data. And our team, our collective cross -functional team, are at the forefront of designing the tooling to fortify that data and yet make it accessible to the right people, so that they can do a better job of fortifying it as the sort of cybersecurity landscape continues to face new challenges every day. So what is your story? Like, why did you come here? Everybody's is different, right? But at the end of the day, if you are not actually motivated to secure the world's data, and by saying that like your own, it's probably not a long -term gig for you. That actually makes sense. And I think to me, this is probably a good test, right? For people coming in, do they have that part of the story? But let me try to go into the devil advocate mode a little bit. And of course, sometimes here at Google Cloud, we have people who express the view that security should be invisible. And sometimes when that's naively heard, that means there's no UX, because there's no X, you don't interact, you don't have an experience, it's invisible, so you're magically secure. And of course, we can do this for like hard drive encryption, or some other areas where things are magically secure. And that's all there is to it. There's no UX. But how do you kind of harmonize the desire for invisible security with the desire for superior UX? So say mistakes don't happen. So what are the intersections here? Yeah, it's such a great question, Anton. Thank you. I wrote that question. I wrote that. Tim wrote this question. So that's very good. Thank you for catching. There's a sort of basic trust and need for control that's at the heart of that reaction, I think, right? I don't trust that anybody except me as a security engineer who's been doing this, let's say for 20 years, knows this environment as well as I do, I have to sort of verify everything. I don't want a system doing it on its own. No way. Right? So like the controls and the trust have to be, the affordance has to be obvious in the user experience. And so I do think we should be taking away some of the toil that keeps that person from focusing on the more specialized, complex tasks that they're really trained to do. And so when I think about invisible security, I think, how far can we move the toil? How much toil can we remove from the manual experience that the security practitioners are used to doing but still enable them to retain their control? And so we might say, hey, we think that you should, like let's take some of our Gen AI capabilities, right? We think that you should do this and this based on this. We're making it really transparent why we're making that recommendation. That's also to boost trust. Do you want this to happen? Yes or no? That little bit of a UX construct there, which we're all used to in life, is going to do two things. One, it's going to enable that end user to retain control. And two, it's going to teach us whether or not our recommendation was right and whether that person actually took that action, which would help us make better recommendations, by the way. So I think we have to get that lifecycle, that feedback loop really crisp, so that we can actually bake more security into controls into the the applications that folks are using every single day. So from my side, I'm happy that you're not just building chatbots. I think that I think that people who over over over -indulged on the chatbots a little bit, and I've met some of them and I think that, yeah, okay, you're smiling. So that's good. By the way, that past life though, like early conversational AI work in a regulated company, that was another thing that taught me about the importance of data privacy and how to go about ensuring that somebody's sessions are retained. But maybe, you know, in a case of a voice -based experience that you're not saying things out loud without getting particular sort of permissions from the end user, because in fact, that might be a data privacy issue. If a voice -based object is saying things like, I don't know, your cash balance or something like that, right, in a banking app, sort of in a scenario. But anyway, so I am a big fan of chatbots. So Anton, I'm like, I'm just saying that not all security should be done in there probably, that's for sure. I love that because, well, who hasn't made fun of Google for building yet another chat app and what PM and UX pair at Google has not aspired to do it themselves. I want to shift gears a little bit and talk, if we could, about your time at Google and maybe what you've seen happen here. You've been here two and a half years now, and I bet you've seen a lot of design reviews. Can you think of one, like the best single UX change you've seen that would improve security outcomes? I think it's easy for us in security to think about, oh, what will sell, what will do this, but actually changing security outcomes is hard. Have you seen a UX change that really moves that needle for you? Oh yeah, and this is a big hat tip to a former guest that you had, I think, Vandy, original UX researcher switched to PM. On my team now. Pickled to a peanut butter, I guess, I don't know. That's right. Yeah, our IAM recommender is one example where, in context, people don't want to be over -permissioned, but at the end of the day, if they're trying to unblock somebody, they have this really bad habit of giving somebody more permissions than they really deserve or need. And something like IAM recommender, which analyzes the last 30 days of your activity and suggests which things might be over -permissioned, actually drove about 43 % fewer over -grants. The average is 69 % of folks. So this is for folks in context of their experience going to IAM. There's lots of opportunities to integrate those IAM recommendations throughout the experience where folks might not be having to go to IAM to see that. And that's been a big change in the way that that team has been integrating that service throughout GCP so that we can actually get to more of a least privileged state by default. That's one example. Another one, though, I'm just going to throw on there, too, is reCAPTCHA Enterprise. The experience onboarding itself was a little onerous at first, and they just made some changes to that because people didn't even know that they hadn't fully installed reCAPTCHA and weren't getting the full benefits of that sort of broad capability on their site. So some changes to the onboarding experience combined with some simple email updates. No, this wasn't the grand change of an entire experience. There's a small micro -moments using some of the user data at our disposal and introducing great user experience in the context of what they're trying to get done, which improves their security outcomes. So we've seen a big jump in the number of people who've actually finished the full install and are now actually getting protected by reCAPTCHA Enterprise. How's that? Two? Those are great examples. I only asked for one. So extra credit and double extra credit for calling out Vandy, who's among my favorite colleagues on the SCC team. Yeah, okay, good. Nice. And I think that I love the reCAPTCHA recommender example because it's also felt like it does this kind of AI magic in a very kind of non -annoying, helpful manner. And that means that, I mean, obviously I'm very far from a UX designer, but I felt like a UX designer captured the essence of what they're trying to solve. Yeah. Because it's like helpful, but not annoying. Not like, yeah, I'm not going to give any examples from our project, but they're likely done elsewhere. No, it's such a good example because I was talking to a very secure user just last week, and they were describing this kind of like security paradise. You know, they've got this control, they've got this system, they've got this operating model. And then they described some particular challenge, and I'm like, well, why is that hard? Why can't you just not give them the permission to do that? And after describing this beautiful universe, they said, oh, well, every engineer in our org has a project owner. Wow. And I was like, how does that fit with the rest of your model? And they explained why it did, because velocity is very important to them. But it was so funny to see a user go from like A +, A +, A +, to, wait a minute, hang on? Yeah, not exactly zero trust, or maybe a culture of full trust. I don't know. But, I mean, this is really the crux, back to this question about invisible security, too, but this is the crux of user experience design, which is to understand the intent of what somebody is trying to achieve, their job to be done, and to infuse in context of that particular workflow the right thing at the right time, the thing that is contextually relevant to them, that tells them before they make the choice what's about to happen so they understand the implication of that choice, and they can make that choice more confidently, and quite frankly, I think, in the enterprise design space, there has been more of a focus on UI than user experience. As long as I have a dashboard, as long as I have a dropdown, as long as I have a button, I'm good. And that's not what we experience from the consumer applications, which are designed around workflows, and that's why I think our opportunity and what we've been doing more and more is designing for workflows, for these jobs to be done, end to end, instead of sort of point UIs. I hate to jump in and ask this question. Steph, what's the difference in UI and UX for the people following along at home? Because I think I know, but you just said they're different, and I would love to know how you see them as different. I know we don't have 30 minutes to cover that, just real quick. Don't worry about it. This is some of the nuance probably in the UX community, but user experience, you want to think about something like the services, the blueprint of the workflow that you go through when you're trying to get a job done. The UIs are the mechanisms. User interface are the mechanisms by which you might actually go through that workflow. And so user experience should think about, and user experience research as well, what are all of the touch points that may or may not actually require me to be in, let's say, a dashboard. Maybe it's in my email, maybe it's my alert, maybe there's actually no UI here, but that's part of the user experience. Oh, so, wait, wait, wait. Let's see. If I don't have UI because I access system over API, I still have UX. You do. Haha. So in that sense, that's the answer, right? Like, oh yeah, I'm going to use CLI, which means not UI, right? That's right. That's right. So the user experience, and it's not to say a UI engineer wouldn't do this too, but the roles can be interchangeable, as you said too. PMs can do this too, right? But generally, what are the front and back of house expectations of the touch points? We might call them a journey, we might call them a job to be done, that somebody should traverse through, which may include, for example, an API or CLI, not just a GUI. When we say UI, I think we generally think of GUI, though, graphical user. So I want to latch on, though, this actually makes sense, and I think it was helpful. So I guess, especially for the security audience, right? Because who may not know, you may assume it's the same, right? I want to clarify something for Steph and our listeners. I guess this was helpful. This was actually quite helpful. Thank you for sharing. Was it a compliment? Excellent. This is actually really helpful. That was a compliment. It's a translation thing. Yeah, the actual word always throws me off a little bit. I've worked with Anton a long time. Now I'm happy to be the Anton whisperer. Got it. Thank you. That was a compliment. So we are doing a little bit of Anton psychotherapy on the air, and I think that's not exactly the best use case podcast, for the but to latch on to something that Steph said, and it was the jobs to be done. So I guess I do work for Cesar, so I'm not involved with product as much. But once I was dragged into the product discussion and there was a lot of JTBD things there, and I had to kind of learn, teach myself what that is. And when I was learning this new approach for jobs to be done, I kind of kept thinking, well, it's kind of mostly about use cases, but can you explain jobs to be done as an approach and maybe explain how it helps? And Tim, who wrote this question as well, has a really good side question for this, which I will ask kind of on his behalf. It's like, if you use this approach, what gets better? Yeah. Like if we adopt JTBD, what gets better? Yeah. So I've had a lot of success using the jobs to be done approach after Anthony Olweck and a whole host of people published this in the first place as a framework. So I would just encourage everybody to check out. It's an industry framework with lots of smart people having contributed to it. But what I found is that, generally speaking, well, two things. One is, and I even said this earlier and kicked myself a little bit for doing it, but when we think about user experience, I have found in my career that people say, what's the end -to -end experience, which sort of suggests that there's a start and a stop. And I think, first of all, in user experience, that's a bit of a false construct. User experiences are largely endless, at least when we're talking about somebody moving throughout their day. So how do you design a system that can sort of pick up and drop off and pick up again and drop off versus this idea of start and stop finite? And that's where something like jobs to be done is very helpful, is because it considers that there's this ultimate motivation that somebody has to do and that certain technologies come out to support that motivation over time and that those technologies get better and better. And that people will not adopt you if you are actually not providing the service for them as they're going throughout their day that supports them best. So as an example, to take it way back, originally, the only way to get from point A to point B was with your feet, and then there were like horses, and then somebody invented the wheel. And this is sort of the advancement of technology, right, and then it got to be like cars and bikes and cars and airplanes. And generally speaking, all of these advancements help somebody get from point A to point B, and we have the same sort of construct where photography is another example. I used to need to, you know, put a drape over my head and have a tripod on like a giant thing and like hold a thing up and it would like create smoke and that was how I took pictures and you had to sit still for 20 minutes or something like that and now we just walk around with, you know, phones in our pocket and those have cameras on them. These are the kinds of things that are, the jobs to be done have not changed at all. I need to get from point A to point B or I want to capture this memory, but the technology has. And it can shift user expectations. I think we have the same thing with security and back to this idea of invisible security, right, like the job to be done for an on -prem environment to secure that versus a cloud environment, that I still want to, it hasn't changed, I want to secure my organization, but the technology has changed and it has shifted the context by which I'm now going to execute that job and that's going to continue to advance. So jobs to be done, that was a very long explanation that I hope you'll edit out a bunch of. Not at all. Is a framework that keeps that sort of intent that life just continues to move on and on and it's a start and stop and new technology will come out, but my job doesn't really change. And that's a little different than something when I think about like how we might normally do software development where we have, I think, sometimes an over -focus on the UI. Well, somebody needs to be able to filter that thing. It's like, great, you don't need an entire user research team to do that, but why are they trying to filter that thing anyway and like are they only trying to filter that thing because we put that thing in front of them in the first place? What are they actually trying to get done? That has to be done keeps bringing us back to that ultimate motivation that enables us to design better user experiences for real humans. Okay, actually that did answer my narrow sub -question of that, namely the difference between that and the use case. So to me it became very clear that it's not like the filter would have a use case. Filter in the UI would have a use case, but the fact that filter is there and people use it in furtherance of some goal is part of the job to be done and the job may be whatever that is. And that that goal is somewhat invariant with respect to technology or change over time. You got it. You got it. It's completely agnostic. My goal is completely agnostic of the technology and I'm going to hire whatever technology is best to help me achieve that goal. So we better be good at creating technology if we want to win over and over again. I really like that answer. Steph, I hate to do this, but we're at the point in the show where I have to ask our traditional closing questions. First, do you have one tip for our audience to help them improve their maybe security UX journey other than check out all those awesome jobs to be done resources we're going to put in the show notes? And two, again, accepting that, do you have recommended reading? Yeah, I do think that jobs to be done, I have kind of the same answer to both of those questions, but I do think jobs to be done is a foundational way to improve any experience but the security experience especially and, of course, hire GCP. Why wouldn't you hire GCP for your security journey? I love that. I think we've gotten about 140 episodes in, listeners, without anybody saying that so directly, but we'll take it. Okay, cool. I'm glad I could break the ice. Steph, thank you so much for joining us today. Thank you for having me. Appreciate it. And now we are at time. Thank you very much for listening and, of course, for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify, or wherever else you get your podcasts. Also, you can find us at our website, cloud .withgoogle .com slash cloudsecurity slash podcast. Please subscribe so that you don't miss episodes. You can follow us on Twitter, twitter .com slash cloudsecpodcast. Your hosts are also on Twitter at Anton underscore Chiwaki and N underscore Tim Pico. Tweet at us, email us, argue with us, and if you like or hate what we hear, we can invite you to the next episode. See you on the next Cloud Security Podcast episode.
Game of Crimes
A highlight from 110: Part 2: Ryan Steck is a Spy - The Real Book Spy
"Navy SEALs are so played out. The Delta boys are so played out. I'm looking for good reason. I'm not putting them down. I mean, come on. There's a reason why we all know about them. But I thought, you know, who's left? And the more research I was doing, the more people I talked to, like, who's the biggest bad that's -ass not a SEAL or a Delta boy? And it was like, finally, someone said to me, what do you know about the Marine Raiders? And I was like, you know, not much. So the more I looked into them, the more I thought, this is more Red's brew of coffee right here. Yeah. My character, Matthew Red, I just saw it instantly, man. It just clicked. And I kind of just ran with it. Yeah. Cause the Raiders, I mean, there's been some variations of stuff. So one of my friends came out of Naval Academy, FBI agent, but was a captain in the Marines. He was force recon. And there's this great picture of him. It used to be on his Twitter page. He's doing a halo jump in white. It's wintertime, but he's doing a halo jump in white. You know, and it's like, you know, that's some cool shit. But when I first started reading about Matthew Red, like you say, he almost, it reminded me of what you would get if you kind of put together like a Mitch Rapp and a Jack Reacher, you know, and a couple other folks, you know, somebody got some street smart as well as smart knows how to operate tactically. But I like the fact that you set it out in States that tend to be flyover countries. You know, I came from Kansas flyover country. Now I do have to ask one thing. Will Matthew Red ever work with the Dutton Ranch at Yellowstone to drive off the other people? Well, you know, it's interesting. When I first wrote about Montana, I kind of think a lot of people I was talking to was like, no one cares about Montana. Like, no one wants to read about that. And then like two years later, Yellowstone came out. And then 1823, 1883, then 1923. I think they care about Montana now, you know? And so, so that was, I won't lie to you. That was another reason why John Talbot was like, Hey, the timing's good. Let's get this thing out the door. Let's go shop it. You know, Yellowstone's huge. I don't think that hurt for sure. But you know, Red's got his own cattle ranch that he's worried about right now. And in book two, he's facing a very real threat of losing it. And I mean, that is just one of, put that farther down the list of problems he's got in book two. Well, we want to tie this back to our Game of Crimes theme, because it has to relate somehow to crime. So what happens is, he's kind of, kind of tell a little bit too, Matthew is set up in the beginning, team, something happens to his team, obviously, and then he's got the choice between getting court -martialed, you know, or taking a less than honorable discharge and getting out of the Marines, which kind of, that's the inciting incident. That's what sets him on the path coming back to Montana. So how did you come up with the, because you, like you said, you originally talked about human trafficking. How did you come up with the idea though, for Fields of Fire, in terms of the manipulation of the food supply? Yeah, I mean, I'll touch on it a little, I don't want to spoil it, but one day I was sitting around, I won't name names, but there was a billionaire who looks like a really nice dude, a friendly face, round glasses, just looked super nice, but was making headlines because he's buying up all this farmland. And I just was sitting there one day going, why? Is that Ted Turner? Why are they buying up all this, why are they buying up all this farmland? Well, that's the Chinese too. They've been doing a lot of that out there. Well, I couldn't let it go. And I just thought, okay, let's say that this nice looking billionaire is actually not, what might they be doing? And so in my fictional universe, there's a billionaire who comes from the tech world. His name is Anton Gage and he looks very nice.
Cloud Security Podcast by Google
A highlight from EP133 The Shared Problem of Alerting: More SRE Lessons for Security
"No, we're not joining a cult. So, unfortunately, we are just about at time. And so it is my lucky duty to ask our traditional closing questions. First to you, Steve, do you have one tip to help security professionals improve their outcomes? And two, do you have recommended reading? And that recommended reading could be anything except Anton's blog. So I would say a tip for kind of anyone to improve their outcomes. Just write down what it is that you want to do and have other people look at it and just kind of like start off kind of vague, get a little more detailed, get people to say like, yeah, good idea, right? Get some wind behind your back or get people to be like, no, dude, we already tried that. Look over here. If they don't have the thing written down, don't believe them. But like if someone can present to you with like, here's what we tried, here's what we wrote down, here's why it didn't work, then that makes a lot more sense. So basically, write more docs. That's my TLDR. Write more docs. I like that. For reading, I would say it's kind of a category of work, but there's kind of a new side of reliability. We've talked about postmortems in the past when it comes to like writing down the stuff that went bad and everything. There's this kind of new way of looking at it called learning from incidents. So if you, shorthand is just LFI, I think there's learning from incidents .io, maybe, dot something, we'll put it in the show notes. They've got a lot of stuff. And so these are folks who've been talking about like, airplane crashes and fires and like, people dying from like nuclear whatevers. And like, so it's like, real risk, you know, like in the real world, like atoms, not bits. So we can learn a lot of things from them and apply it to our stuff. So that's a whole, like, you can get a PhD in that. It's a whole big thing. And you know, I love that answer because one of the other people on the show who really changed my perspective was Tim, when he was talking about safety versus security and the relative success of safety people compared to security people. And the fact that we don't die in airplanes very often actually comes down to a lot of learning from the times that we did die in airplanes. So that I think is really great advice. So the critical thing to point out about that community is it's called learning from incidents, not learning about incidents. So we're not actually caring about the incident itself. We're using the incident as a lens into the system. Oh, that's interesting. That's, that's really interesting. That's really interesting. I mean, it's really interesting. Like, that's all I can say. It's kind of interesting. That bit alone is worth the price of this episode, I think. Yeah, I agree. Listeners, the best bit came at 34 minutes in, you better listen to the whole thing. Hard one to follow. I will say, though, my takeaways are, if there's anything that's subjective or fuzzy, that is definitely going to aggravate having bad alerting. So prioritizing by measuring everything, measuring everything, and that will entail talking to other stakeholders outside of security to understand impact. That'll entail talking to engineering, legal, finance, a lot of different stakeholders. And on that note, books I'd recommend one is how to measure anything in cybersecurity risk. It gives you an introduction to the And the other is Security Chaos Engineering by Kelly Shortridge with Aaron Reinhart. That one is epic. We'll have Kelly soon. Awesome. Oh, I can't wait to see that. Listeners, not to give away our guest list, but we are excited to have Kelly join us. We hope. Awesome. Awesome. Do not miss that. Awesome. Well, hey, great recommendations, great tips, and a lively, interesting discussion about SRE and security. Steve, Aaron, thank you so much for joining us today. You got it. Thanks for having me. Cheers. Pleasure. And now we are at time. Thank you very much for listening. And of course, for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify, or wherever else you get your podcasts. Also, you can find us at our website cloud .withgoogle .com slash cloud security slash podcast. Please subscribe so that you don't miss episodes. You can follow us on Twitter, twitter .com slash cloud sec podcast. Your hosts are also on Twitter at Anton underscore Chiwaki and N underscore Tim Pico. Tweet at us, email us, argue with us. And if you like, or hate what we hear, we can invite you to the next episode. See you on the next cloud security podcast episode.
The Charlie Kirk Show
"anton" Discussed on The Charlie Kirk Show
"So Mike, I'm going to read a text from somebody in the DeSantis orbit in a second, but I want to go through your tweets here. You say, not even I could save the DeSantis campaign. My earlier advice, first mocked then accepted a day late, would have given them momentum. It's hard to help people who don't have joy. MAGA influencers can be, let's just blur that out, but no one can deny. They look, they, they look to be having a good time. You've also said DeSantis can now drop out of the race with dignity. Say we must really get behind Trump given all the unlawful indictments. Trump says he'll make DeSantis attorney general. There's a way to save face here and not look your butt in the knee. This is the, this is the controversial tweet, Mike. Why should Trump bring DeSantis now into the orbit? Because we're winning or losing elections on 50,000 votes in three states, right? Trump won 2016 by 83,000 votes in four states. He lost, if you, you know, if you consider it a real loss in 2020 by 50,000 or 40,000 votes in three states, you can't, you can't really alienate anyone is the problem here. And one of the people I read and some people I've talked to have actually thought that the DeSantis campaign is designed to torpedo support for Trump in 2024, then Trump can lose. And then the regime comes back and says, Hey, we told you this MAGA thing was a bad idea. I think that's right. Yep. I think it's an, it's a long, slow motion, expensive, I told you so campaign. Right. Could be. I don't know that it is. I, I tend to think that psychologically DeSantis is an ambitious man. He's a calculated man. I think he did want the presidency. I know that I heard before this was a big story that Casey DeSantis really wanted him to run. I think some of the stuff people are saying about her is unfair. So I don't want to complain to that too much other than that. She really wanted him to run. I know that he's an ambitious man, Cassius, right? We go back to high school English, you know, you only have to go to college to reach your Shakespeare. So he's a, that kind of character. So I don't, I don't buy into that. He's necessarily trying to torpedo, but I understand why a lot of people think that because if you look at how they're trying to win, you would say, Vivick, again, people have their things. I'm not here to get into all that, but Vivick is playing to win. Now, whether he really thinks he can win the presidency or whether he's trying to win himself a profile, these are different conversations to be had, but he's playing to win, right? He's on the field like, all right, we're fired up, ready to go, right? I was thinking about that actually yesterday when I met somebody who was part of the Clinton campaign in 2016 and she said, when we doorknocked for Obama every morning, it was fired up, ready to go, fired up, ready to go. Like everybody was hyped. That's how they managed the campaign. And with Clinton, there was none of that. So if you're on the DeSantis campaign, do you imagine that it's a, because remember politics is a team sport. Do you imagine that it's, all right, what are we going to do today? Who's here? Boom. What are we going to do? What are we going to do? What's going on? Show your wins. Do you think that's really happening? Right? I mean, that's not a rhetorical question, Charlie. Do you, do you imagine that there's an atmosphere of enthusiasm and hype amongst the DeSantis campaign? No, I don't. In fact, I'll read this text message because this is, this is what the DeSantis people can refuse to get through their head. That at times we're actually giving honest advice. I know that they feel like, Oh no, it's like, no, actually we want people to get to their highest level of excellence. So I was texting somebody in the orbit, right? And I said this, I said, look, I'm not wanting to give advice, but this campaign is the worst I've ever seen. Totally misreading the room. It's tragic to watch. He's a great governor. And they said, okay, well, what's the street, by the way, this is a name that everyone would recognize in the audience. They said, what's the strategic advice here. I said, fire everyone and stop acting like a chamber candidate. He's ruining his legacy and any future chances went for the presidency. It's sad. Final thoughts, Mike Cernich. No, you're exactly right. He needs to go into the lion's den, not have your campaign people saying Jake tapers are honest. Let me come on, bro. I, the more I think about just the more angry I get, imagine calling Jake Tapper an honest person that actually came from the Santas campaign. Fire the comms team. That's for sure. Get on message, kick all the dorks out. They lost in 2015. They lost in 2016. They're not going to bring anything new in 2024. Reshape your messaging and get people who are excited to be in the room.
The Charlie Kirk Show
"anton" Discussed on The Charlie Kirk Show
"January 5th was the Georgia runoff. The day before, obviously all the events on January 6th. January 5th, you had Kelly Loeffler and David Perdue both fall short in the runoff to Raphael Warnock and John Ossoff, which ceded control of the United States Senate, a Senate that could have at least slowed down some of the Biden nominees, a Senate that could have locked down this Katangie Brown Jackson nut case that is now in the Supreme Court. So the Georgia reconfiguration was a master plan by Mark Elias and Stacey Abrams and Laurene Powell Jobs and George Soros and Arabella advisors and America votes. And I mean, of course, they had all the Fulton County, Cobb County slowing down, stopping to count ballots. But Donald Trump made a certain calculation. This helped, by the way, Donald Trump in states like Ohio. Going after the good old boys network in certain states helped Donald Trump. It hurt him significantly in Georgia. If you do not pander to the southern hospitality, not just southern hospitality, but it's just relationships are a big deal south of the Mason-Dixon line in politics. They just are. There's a lot of graft in both parties, by the way, but especially the Republican Party, a lot of graft, a lot of corruption, a lot of backslapping. Okay, now we have Michael Anton as I set that up on a separate topic, who I think is the most gifted and talented essayist and writer in the conservative movement. Michael, welcome to the program. I want to talk specifically about the idea of birthright citizenship, 14th Amendment. Where do people get this most wrong? Well, they interpret a clause in the middle, a parenthetical clause that reads subject to the jurisdiction of the United States in the 14th Amendment as requiring birthright citizenship, when that is not what the drafters of the 14th Amendment intended. Now, this gets very much into the weeds. I've written about it at length. So what the court said in Wong Kim Ark was that the child of legal permanent residence could be allowed back in. It only ruled on that question. It did not rule on the question of the legal status of the children of illegal immigrants, people who cross the border illegally, who overstayed a visa, who were vacationing or working temporarily in the United States, but without any kind of legal status to reside in the United States. That has never been decided on, not only by the Supreme Court, but by the court at any level. So what happened is, sometime in the middle of the 20th century, after World War II, and really in the 60s, the federal bureaucracy just started granting citizenship to anyone born. And remember, this is a complicated issue because there's a state question, right? There's still no such thing as a federal birth certificate. Any of us who live through the Obama birth certificate, brouhaha of 2008, 2012, remembers this, right? Birth certificates are issued by the states. And without being told by any higher authority, whether court or executive authority, the states would just say, you know, we can certify that you were born in the United States. And then the federal government started to say, well, if your state birth certificate says you were born in the United States, we're going to say that that amounts to citizenship. Now, again, this is just something that the bureaucracy, the government decided to do on its own without being told. Granted that many people in the Democratic Party and the Republican Party liked the outcome of the policy. So they declined to stop it. And now and for, I don't know, at least a generation, they have been pretending that this was intended by law and intended by the 14th Amendment all along. But in fact, that's not true. There's no law that says this. There's no court decision that says this. There's not even an executive order that says this. And so as a result, you get not only the normal abuse that we're used to, that is to say, you know, people crossing the border illegally, obviously coming for a better life. I understand why people come from south of the border or why many or if not most people come from south of the border into the United States, because they're coming from poorer countries, often much more violent and dangerous countries. And they know they're going to have a better life for themselves and their children. But it still breaks U.S. law. And there is no legal reason for their children to have citizenship simply on by virtue of being born here. So let me ask you, Michael. So this has not been in the last hundred years, what I understand challenged at the United States Supreme Court base. I mean, it's just this is not an executive order. This is just bureaucratic precedent that the administrative state decided upon. That's fascinating. The federal government for a long time has just decided if if you can produce a state birth state birth certificate that that affirms that you were born on U.S. soil, you're you're a U.S. citizen. They've never been told to do this by Congress, by the Constitution or by the courts or even by executive order. They just do it. This is one of the most important things for a civilization to basically get right. How rare is this in the Western world? I mean, France, Spain have gotten rid of, you know, get rid of citizenship. I wish I'd known you're going to ask that because I had the exact numbers for a piece that I wrote and I don't know. But it's about 80 percent of countries do not offer birthright citizenship and something about like 20 percent do. And those 20 percent are overwhelmingly in the Western hemisphere, although not exclusively. But pretty much nobody in Europe, Asia, the rest of the world offers this. And if you go not just by number of countries, but by population, you know, because some countries are bigger than others, it's something like almost 90 percent of the world's population live in a country that does not offer birthright citizenship. And one other important fact, countries have had it and then moved away from it, have gotten rid of it. But in the last 50, 60, 70 years, no country has moved in the direction of more birthright citizenship. They've only moved in the direction of restricting. So, Michael, is it time for a Supreme Court challenge, considering the Supreme Court is more sane than insane right now? Well, you know, I usually I'm wary of claiming things like that under my own name because I don't watch the court carefully. I know some people who really understand the court extremely well. I'll just name one name you're probably familiar with. That's Theo Walt, who's now the solicitor general of Idaho. He's a close friend and a lawyer and his wife is a lawyer. And, you know, he's tied in and he would have a much better sense of what the likely outcome of a challenge is. I think, though, that the way to approach this is to start small and go for the obvious abuses first. Now, obviously, with the Biden administration in power, you know, none of this is going to happen. But the most obvious abuse is so-called birth tourism, where, you know, people, not poor people, but by definition, rich or at least affluent people from Russia and China scheduled to have babies in the United States. Southern California is a big destination, as is southern Florida. So they fly in six weeks before the birth. There are whole hospitals and industries that are geared toward taking care of these people. They have the birth. They get their child a U.S. birth certificate. They make sure to go and get a passport as quickly as possible. And then they go home, you know, with the idea that, well, they need the option. They have the they can always come back on the essentially on the backs of their child status. That is an obvious abuse of the system that even if you believed the framers of the 14th Amendment intended birthright citizenship for the children of illegals, which I don't believe and I don't think the text supports. But even if you believe that, you'd have to admit that they certainly did not intend for birth tourism in the age of jumbo jetliners flying in rich people from, you know, hostile or adversarial countries to take advantage of U.S. citizenship. I don't want to say laws because these are not the laws, but a misguided citizenship practices. So I would start there with that obvious abuse where you're going to get 80 percent at least of the American people agreeing. This is terrible. This should not take place. These are people exploiting us. We have to we have to stop that and then work your way up toward the correction of the of the more widespread abuses. This is the big the buried lead. And it ties to your other story here. Michael, the deep state is gearing up to fight a second Trump presidency. You think about gay marriage, Obergefell, this issue. Congress is not participating in this Roe versus Wade. This is administrative state and courts and largely bureaucrats that are unelected, unaccountable and this fourth branch of government, this Leviathan that is calling shots. So, Michael, tell us about this article you wrote for The Telegraph. The deep state is gearing up to fight a second Trump presidency. Tell us about this. Well, look, I mean, I'm sort of on record saying that I don't expect a second Trump presidency to happen. And I hope I don't upset any of my Trump supporting friends by saying that. And I'm not saying that because, you know, out of any disdain for Trump or for the movement or for the things that he represents, I just think that the forces arrayed against him are incredibly strong. And I don't see the counter force arrayed against him as being nearly as strong to overcome what the deep state, plus not just the deep state, but what the tech companies and what the financial firms and what the foundations of the media and every sucker box that you name it can throw against them. Plus, all you have to do is read what these people say. And I unfortunately do maybe more of that than I should. But they're quite clear that they think Donald Trump is the biggest threat to America since, you know, 9-11 or even before that, bigger than Pearl Harbor. I've heard some people say it. And so they therefore think that they're justified in doing absolutely anything to stop him. And I take them seriously when they say that. And that means that they'll use any and all of their powers to make sure that another Trump presidency. And since they have a lot of powers, I unfortunately take seriously the fact that I think they can block it. And I think they will block it and intend to block it. And what I'm not yet seeing is enough countervailing force, you know, and not just force, but like the political savvy, the institutional savvy, the institutional infrastructure, legal challenges to all these voting changes that make things easier for Democrats and harder on Republicans and so on and so on and so forth. I'm not seeing enough organization money and serious effort to oppose that. And so right now it looks like a pretty lopsided fight. Yeah, no, I agree. And by the way, you want to talk about someone who understands Machiavelli very well. And I'm going to learn about a lot about Machiavelli next couple months. It's Michael Anton, who sees this super fairly looking at this with prudence and practical judgment and with wisdom and not hopium. Anything you want to plug? Books, articles? I'm working on a lot of stuff right now. I guess my next thing is, well, you can look at something on compact called The Pessimistic Case for the Future. It's a little bit of a downer, but I hope it stirs thought. It's also the first chapter in a brand new book published by the Claremont Institute, edited by my colleague Arthur Millick. I think 18 authors, all of which are going into different issues of why conservatism needs to change, called Up From Conservatism. And then one other thing is my next article, which I'm finishing now, which will be out in the Claremont Review of Books, so I guess in the next issue, let's say a month or so, is a review of Patrick Deneen's, I think, very important book called Regime Change. Oh yeah, it's a game changer. Michael, thank you for taking time. I look forward to the class and hope to have you on again soon. And everybody should read everything he has published. You will learn something. Michael, thanks so much. Thanks a lot.
The Charlie Kirk Show
"anton" Discussed on The Charlie Kirk Show
"There's some breaking news. We're not going to emphasize this, but in addition to the federal charges that we expect against Donald Trump, the extent of which we are not sure, Georgia looks like it is winding up, long windup to use a baseball pitcher analogy. Fulton County case against Trump might be the most serious yet. Fannie Willis is ready to go all in eyeing criminal solicitation charges and Trump inquiry of criminal conspiracy based on a phone call where he said, can you go find votes? Find votes. So that is getting really wound up. So you're going to have New York with Alvin Bragg. You're going to have Department of Justice, Florida documents, and then you're going to have Department of Justice, whether it be insurrection, seditious conspiracy, rebellion, January 6 related stuff remains to be seen. And then we have Georgia and in Georgia, the governor Brian Kemp, even though he's a Republican, he hates Trump and vice versa. He's not able to pardon Donald Trump. There is a pardon board of people that are all appointed by the governor and we've controlled that office for the last 20 years, but somehow the pardon board isn't one that would just shoot down a sham prosecution like this, especially how Donald Trump has gone scorched earth against the good old boys network in the state of Georgia. Georgia has actually more counties per capita than any state in the country. There's a lot of localized political power in Georgia, a lot of dog catchers, mosquito abatement district, school board members, mayors that you have to brown nose to be able to win in Georgia. And by the way, Donald Trump said, hey, can you go find me? He did not say go steal or fabricate or find me. And I believe the phone call was recorded by Brad Raffensperger. Georgia was the most Democrat state in the country for a century after the civil war. Georgia is a very unusual state. It has a lot of Hollywood influence because of the tax incentive structure to have films in the bucket area obviously has a significant black population and Atlanta, I'll be very honest, Atlanta is not my favorite place. I love Georgia. Georgia is a great state. I do not like Atlanta. Atlanta is like top three cities where I'm just not happy to be there. I'll be honest, not a great place. But I love Georgia. Georgia has some of the most beautiful places in the world. Savannah, Georgia, for example, is just an extraordinary city. Augusta is really nice. And so Georgia is a great place. Atlanta is not my favorite place, but Georgia has turned, it largely turned because of mass mail-in voting. In 2018, Georgia had 248,000 mail-in ballots. And now this last cycle, they had somewhere between 2.4 to 2.5 million. We can get the exact number, but it was about a tenfold increase. Mass mail-in voting. Stacey Abrams, who we used to mock, became this incredibly vicious community organizer. She threatened to sue Brian Kemp and not threatened, she actually was suing Brian Kemp and Raffensperger. They signed a consent decree, different than the RNC's consent decree from multiple decades ago, that basically Brian Kemp and Raffensperger relaxed the signature verification threshold. This happened coincidentally right before COVID was a thing. This was all in the spring of 2020. This is the secret, not the secret, but the kind of just not talked about way that we lost Georgia. So you have all these dynamics happening. And just remember the time and sequence events, all this is tied together. It's all harmonized, right? So Georgia is a state that we thought we were going to win automatically. But if you were reading all the kind of intelligentsia left-wing blogs, New York Times and all this, they were incredibly bullish on Georgia in August and September, October 2020. I personally dismissed it. I thought it was just kind of like, oh, we're going to win Texas type stuff. And they always like fall 8 to 15 points short. But they knew something was in. They knew the fix was in as far as the mass mail-in voting. The Trump campaign did not dedicate a lot of time, energy or resources. Remember, Obama nearly won Georgia in 2008. That's a little bit deceiving because it was Obama, McCain was an awful candidate, high black turnout, right? But remember, it wasn't just the presidency. That was very disappointing. But we should have had Senator David Perdue win without a runoff. So then we go to January 5th, not January 6th. People forget this. January 5th was the runoff.
The Charlie Kirk Show
"anton" Discussed on The Charlie Kirk Show
"The U.S. dollar has lost 85% of its value since the 70s, when the dollar decoupled from gold, and the government seems bent on continuing the tradition. Charlie Kirk here. From now until after the elections, the government can print as much money as they want. The last time they did that, inflation went up 9%. Gold is the only asset that has proven to withstand inflation. Invest in gold with Noble Gold Investments. You will get a 24-carat, one-fourth of an ounce gold standard coin for free. Just use promo code kirk. Go to noblegoldinvestments.com. That's noblegoldinvestments.com, the only gold company I trust. Hey, everybody. Today on The Charlie Kirk Show, Michael Anton joins us to talk about birthright citizenship. We talk about the 14th Amendment. And then we are joined by Mike Cernovich to talk about the tragedy of the DeSantis campaign. Email us, as always, freedom at charliekirk.com. Subscribe to our podcast. Open up your podcast app and type in charliekirkshow. Get involved with Turning Point USA at tpusa.com. That is tpusa.com. Start a high school or college chapter today at tpusa.com. Become a member, members.charliekirk.com, and listen to the end of this episode for a special giveaway opportunity. Buckle up, everybody. Here we go. Charlie, what you've done is incredible here. Maybe Charlie Kirk is on the college campus. I want you to know we are lucky to have Charlie Kirk. Charlie Kirk's running the White House, folks. I want to thank Charlie. He's an incredible guy. His spirit, his love of this country. He's ever created Turning Point USA. We will not embrace the ideas that have destroyed countries, destroyed lives, and we are going to fight for freedom on campuses across the country. That's why we are here.
The Charlie Kirk Show
A highlight from The Birthright Citizenship Scam + The DeSantis Tragedy with Michael Anton and Mike Cernovich
"The U .S. dollar has lost 85 % of its value since the 70s, when the dollar decoupled from gold, and the government seems bent on continuing the tradition. Charlie Kirk here. From now until after the elections, the government can print as much money as they want. The last time they did that, inflation went up 9%. Gold is the only asset that has proven to withstand inflation. Invest in gold with Noble Gold Investments. You will get a 24 -carat, one -fourth of an ounce gold standard coin for free. Just use promo code kirk. Go to noblegoldinvestments .com. That's noblegoldinvestments .com, the only gold company I trust. Hey, everybody. Today on The Charlie Kirk Show, Michael Anton joins us to talk about birthright citizenship. We talk about the 14th Amendment. And then we are joined by Mike Cernovich to talk about the tragedy of the DeSantis campaign. Email us, as always, freedom at charliekirk .com. Subscribe to our podcast. Open up your podcast app and type in charliekirkshow. Get involved with Turning Point USA at tpusa .com. That is tpusa .com. Start a high school or college chapter today at tpusa .com. Become a member, members .charliekirk .com, and listen to the end of this episode for a special giveaway opportunity. Buckle up, everybody. Here we go. Charlie, what you've done is incredible here. Maybe Charlie Kirk is on the college campus. I want you to know we are lucky to have Charlie Kirk. Charlie Kirk's running the White House, folks. I want to thank Charlie. He's an incredible guy. His spirit, his love of this country. He's ever created Turning Point USA. We will not embrace the ideas that have destroyed countries, destroyed lives, and we are going to fight for freedom on campuses across the country. That's why we are here.
AP News Radio
Panthers beat Maple Leafs 3-2, take 2-game lead in series
"The Panthers are up two games to none in their second round series following a three two victory over the Maple Leafs in Toronto. Sergei bobrovsky stopped 34 shots and was perfect after goals by Ryan O'Reilly and Alexander kerfoot gave Toronto an early two zero lead. Alexander barkov tied at 19 seconds into the second, and Gustav forsling made it three to about a minute later. But borowski did the rest in his third consecutive strong start. Anton lundell added a goal and an assist for the cats who host game three on Sunday. Ilya samsonov stopped 26 shots for Toronto. I'm Dave ferry.
AP News Radio
The latest in sports
"AP sports some Josh Valtteri, a busy night of playoff action Wednesday as we start on the hardwood where Memphis tied it serious with LA one O three 93 in a game two win. The grizz played without star John morant, who has a hand injury, but Xavier Tillman scored 22 in the win. Also out west Denver took a two O series lead topping Minnesota one 22 one 13. Jamal Murray scored 40. In the east, the box tied their series with Miami one 38 one 22 Milwaukee played without Giannis Anton Takuma, who missed with a back injury, but pat Connaughton had 22 points off the bench. On the ice, the Panthers dropped Boston 6 three to even their series at a game apiece. Carolina grabbed the four three win and a two zero series lead thanks to an OT goal by yes perforce. Out west, the stars tied their series at a game of peace, dropping the wild 7 three, the oilers edged LA four two to tie that series. And on the diamond, the mets topped the Dodgers 5 three behind 5 hits from Brandon nimmo. Max Scherzer though tossed from the game after three innings following multiple umpire investigations into a foreign substance on Scherzer's pitching hand. I'm Josh rowntree, AP sports.
Cloud Security Podcast by Google
"anton" Discussed on Cloud Security Podcast by Google
"Provider, your cloud environment, to make sure you have the best defenses possible. And in that way, you can really move forward very effectively. So I don't know how I feel about cloud providers and HOA. And I really mean that. In the physical world, and I don't want to make it into about real estate, but I tend to have a very negative view of HOAs. Now, in the cyber world, I kind of see where the metaphor works well. Because even the guardrails example that comes up a lot in the podcast, it is kind of an HOA example, right? Like you can't paint your house red because rules. And if you do paint your house red, in HOA, I guess you can still paint it, but then you'll be punished. So it's not a true guardrail where you it's impossible for you to do it. Well, so I live in a three unit building, where the three owners are the HOA. And I have to say, one of the other owners does a really nice job of keeping the backyard in beautiful shape. And she does a much better job than I would on my own. So if we were to think about the sort of things that Google provides as the cloud HOA, I can kind of see the metaphor for that. I think that's a unique metaphor. I have not heard this one before Charles. Well, I'm glad to read something new to the podcast. I'd hate to bring you stuff you've heard all the time. And I admit the metaphor may not be the perfect one, and I know a lot of folks have negative impacts with the HOAs that they've worked with. I think the apartment metaphor might be a better one that you're referencing there, too, where I think that there's advantages to having some of those gut rails in place or some collective controls in place. And enabling that sort of capability at a broader scale than just individually by the organization. But I wouldn't take Anton's criticism of the analogy to personally Charles Anton is allergic to any form of authority that doesn't come from a place of sensibility. He's got good reasons for that allergy. I just suspect that's what's influencing his view here. By the way, I never really criticized the HOA and metaphor I was still processing it. I just said that my initial take was that HOA is a bad thing. But the metaphor. And so I don't want to be a cloud provider who is like a boss's tenants around and the noise. But at the same time, I do get the guardrails and the house value and the I'm really mixing metaphors here. So I'm paving the roads and keeping the gate aft and all that.
Fading Memories: Alzheimer's Caregiver Support
"anton" Discussed on Fading Memories: Alzheimer's Caregiver Support
"You know, originally, my sister and I agree on zero things. We actually agreed that we were going to talk to our aunt about moving into mom's house because my aunt took care of my grandmother and they lived on my grandmother's social security. I am not sure exactly how my family, you know, which is not, you know, we do not have a lot of stupid people in my family, but somehow we made a really stupid decision. My aunt was gonna live on my grandmother's money, so my grandmother died. Guess what happened to my aunt? You know, my aunt has her own mental health issues. And so she's on welfare and subsidized housing. And so it was like, it seemed like a reasonable solution to move Anton with mom. She could take care of the household. We would hire a caregiver to be there 8 hours a day, little did I know how difficult that probably would have ended up being. And. That seemed like a good plan going forward. And then there's me, I have a tendency to go down the dark side and be negative. And I started thinking all about the what ifs. And I realized I wasn't comfortable with most of the what ifs. Like if any of those what ifs happened was going to be a really big problem? So and I knew because mom, like when mom and her dog were with me, I knew how fast my frustration level shot up. I also worked from home. I'm like, I'm gonna have to hire a caregiver to deal with her so I can work. This does not seem logical. It doesn't make sense, right? No. So thankfully, mom and dad's house was paid for. We rented it out and we had a great family that rented the home. That paid for most of mom's care home plus or social security plus money from the financial investments that they had that the financial and financial planner to guy he dealt with those. So like I said, we were very, very lucky. But I knew before my dad died that mom was nope. My dog was hated her dog. And I have golden retrievers. They don't hate anything. And they don't. They're too overly social. And I'm like, this is not gonna work. And it's like, I'm sorry, my daughter just moved out last month. I am not. And I assumed that my mom was going to live for like ten or 15 years. I'm like, I am not giving up an entire decade. That I've worked my butt for to have just me and the hubby and the dogs. Do stuff. So, you know, I immediately recognized that would have been a bad choice. A lot of people do not they don't admit to themselves that this is not for me. I love my mom. I want the best for her, but it ain't coming from me. You know, because I don't think, you know, I don't think our society really accepts that kind of quote attitude, you know, and it felt selfish to me, even though I had to manage the tenants in mom's house and deal with mom's house and deal with mom and the care home and blah. You know, it wasn't like mom was in a care home and I didn't have to worry about anything. That was that is not true. The biggest difference between them living with you and them being in a care home is you aren't responsible for them exactly 24/7. I mean, you are, but there's somebody there to help you. You're the backup for the help, basically, but you can go back to being the spouse or the child or whatever. And that is a huge thing. So what would you say? What would you say are some of the best things that you learned as being a caregiver? If there's someone who is maybe listening to your episode that is saying, oh, I have to get prepared for this, or maybe they're in the middle of it, or maybe they're getting towards the end of it. This is essentially turning into three questions, but just bear with me. What would you say are there some overall tips or strategies or viewpoints that you would say, you know, I really did this and this is one thing that really helped me. Or this thing I did at this stage, there's this thing I did at this stage. I'm sure there's a lot you can probably write a book. Well, the best thing I did for myself was actually start a podcast, so I had actually people to talk to. But it took me a while to actually accept some of what people were saying because I would go see my mom once a week because that is about all I could manage and still take care of my other responsibilities and trust me, I really tried to add a second day in. But there were the weeks that I could have added the second day in, Mondays wouldn't have been so hard that Tuesdays I was depressed. So I'm like, there's no way I'm going on Thursday. Like, I finally feel good on Wednesday. Go Thursday, be depressed. No, I can't do that to myself. So I very honest with what I could do. Now my sister did go on the weekends, my one uncle and the aunt did go, they didn't go weekly because they lived about 40 minutes away, but you know, there was plenty of socialization for my mom and while I wanted to do more and be able to do more that wasn't an option, but it took me a long time to accept way too long to accept that going and being with her for two or two and a half hours was too much. There was one time we were there for two hours. I finally went to the ladies room. I came back and she went, oh hi, what are you doing here and I thought, oh hell, she don't remember any of the last two hours. I got zero credit for this. And that makes me even harder to leave because I knew she didn't remember I'd been there all this time. It was like, why did I do this to myself? She didn't remember. So I started going and having shorter, much more productive visits, and that productive as in we accomplished a bunch of things, but they were just more enjoyable for both of us. And then she died about four months later. So like I said, I waited way too long on that one. I had to really learn how to advocate for myself, especially with her doctors. In the last year of her life, we're kind of dealing with this now and I know other caregivers deal with this, but like when you have like my husband's got the home health nurse coming in to deal with his foot wound, I may just assume that he's sitting around waiting for them to come. Like, oh, they're going to, they're going to call you this evening to let you know what time tomorrow they're coming, okay? Well, he's not how much on Tuesdays, even though he's not supposed to be driving. He won't tell anybody that he drives basically what the cruise control and two feet. But he has a meeting on Tuesday and he does things on Tuesdays and so, you know, when he tells them, you know, I'm not necessarily available all day and they act like that some sort of really bizarre attitude. What? What do you mean? It's like, I had a doctor call me and say, what was the doctor's staff? Well, because we were dealing with the staff kept thingy mom was having UTIs, and she wasn't, so they were trying to figure out what was going on. Fair enough. She went and saw the doctor. I took her to see the doctor, blah, blah, blah. They did some tests. And then there was one day I generally go outside. I did before we moved, go out cycling with friends Wednesdays and Fridays. This was a Friday. And I peeled off early because I'm like, I'm gonna go home. I got no recordings. No zoom nothings. I can shower, just I don't even have to put on makeup or dry my hair. I can just be like, whatever. And, you know, get some stuff done. You should not have said that, because karma came back to me. And the doctor's office called 1130 ish, and they said, the doctor would really like you to bring your mom back in today. Why?
Fading Memories: Alzheimer's Caregiver Support
"anton" Discussed on Fading Memories: Alzheimer's Caregiver Support
"You know, originally, my sister and I agree on zero things. We actually agreed that we were going to talk to our aunt about moving into mom's house because my aunt took care of my grandmother and they lived on my grandmother's social security. I am not sure exactly how my family, you know, which is not, you know, we do not have a lot of stupid people in my family, but somehow we made a really stupid decision. My aunt was gonna live on my grandmother's money, so my grandmother died. Guess what happened to my aunt? You know, my aunt has her own mental health issues. And so she's on welfare and subsidized housing. And so it was like, it seemed like a reasonable solution to move Anton with mom. She could take care of the household. We would hire a caregiver to be there 8 hours a day, little did I know how difficult that probably would have ended up being. And. That seemed like a good plan going forward. And then there's me, I have a tendency to go down the dark side and be negative. And I started thinking all about the what ifs. And I realized I wasn't comfortable with most of the what ifs. Like if any of those what ifs happened was going to be a really big problem? So and I knew because mom, like when mom and her dog were with me, I knew how fast my frustration level shot up. I also worked from home. I'm like, I'm gonna have to hire a caregiver to deal with her so I can work. This does not seem logical. It doesn't make sense, right? No. So thankfully, mom and dad's house was paid for. We rented it out and we had a great family that rented the home. That paid for most of mom's care home plus or social security plus money from the financial investments that they had that the financial and financial planner to guy he dealt with those. So like I said, we were very, very lucky. But I knew before my dad died that mom was nope. My dog was hated her dog. And I have golden retrievers. They don't hate anything. And they don't. They're too overly social. And I'm like, this is not gonna work. And it's like, I'm sorry, my daughter just moved out last month. I am not. And I assumed that my mom was going to live for like ten or 15 years. I'm like, I am not giving up an entire decade. That I've worked my butt for to have just me and the hubby and the dogs. Do stuff. So, you know, I immediately recognized that would have been a bad choice. A lot of people do not they don't admit to themselves that this is not for me. I love my mom. I want the best for her, but it ain't coming from me. You know, because I don't think, you know, I don't think our society really accepts that kind of quote attitude, you know, and it felt selfish to me, even though I had to manage the tenants in mom's house and deal with mom's house and deal with mom and the care home and blah. You know, it wasn't like mom was in a care home and I didn't have to worry about anything. That was that is not true. The biggest difference between them living with you and them being in a care home is you aren't responsible for them exactly 24/7. I mean, you are, but there's somebody there to help you. You're the backup for the help, basically, but you can go back to being the spouse or the child or whatever. And that is a huge thing. So what would you say? What would you say are some of the best things that you learned as being a caregiver? If there's someone who is maybe listening to your episode that is saying, oh, I have to get prepared for this, or maybe they're in the middle of it, or maybe they're getting towards the end of it. This is essentially turning into three questions, but just bear with me. What would you say are there some overall tips or strategies or viewpoints that you would say, you know, I really did this and this is one thing that really helped me. Or this thing I did at this stage, there's this thing I did at this stage. I'm sure there's a lot you can probably write a book. Well, the best thing I did for myself was actually start a podcast, so I had actually people to talk to. But it took me a while to actually accept some of what people were saying because I would go see my mom once a week because that is about all I could manage and still take care of my other responsibilities and trust me, I really tried to add a second day in. But there were the weeks that I could have added the second day in, Mondays wouldn't have been so hard that Tuesdays I was depressed. So I'm like, there's no way I'm going on Thursday. Like, I finally feel good on Wednesday. Go Thursday, be depressed. No, I can't do that to myself. So I very honest with what I could do. Now my sister did go on the weekends, my one uncle and the aunt did go, they didn't go weekly because they lived about 40 minutes away, but you know, there was plenty of socialization for my mom and while I wanted to do more and be able to do more that wasn't an option, but it took me a long time to accept way too long to accept that going and being with her for two or two and a half hours was too much. There was one time we were there for two hours. I finally went to the ladies room. I came back and she went, oh hi, what are you doing here and I thought, oh hell, she don't remember any of the last two hours. I got zero credit for this. And that makes me even harder to leave because I knew she didn't remember I'd been there all this time. It was like, why did I do this to myself? She didn't remember. So I started going and having shorter, much more productive visits, and that productive as in we accomplished a bunch of things, but they were just more enjoyable for both of us. And then she died about four months later. So like I said, I waited way too long on that one. I had to really learn how to advocate for myself, especially with her doctors. In the last year of her life, we're kind of dealing with this now and I know other caregivers deal with this, but like when you have like my husband's got the home health nurse coming in to deal with his foot wound, I may just assume that he's sitting around waiting for them to come. Like, oh, they're going to, they're going to call you this evening to let you know what time tomorrow they're coming, okay? Well, he's not how much on Tuesdays, even though he's not supposed to be driving. He won't tell anybody that he drives basically what the cruise control and two feet. But he has a meeting on Tuesday and he does things on Tuesdays and so, you know, when he tells them, you know, I'm not necessarily available all day and they act like that some sort of really bizarre attitude. What? What do you mean? It's like, I had a doctor call me and say, what was the doctor's staff? Well, because we were dealing with the staff kept thingy mom was having UTIs, and she wasn't, so they were trying to figure out what was going on. Fair enough. She went and saw the doctor. I took her to see the doctor, blah, blah, blah. They did some tests. And then there was one day I generally go outside. I did before we moved, go out cycling with friends Wednesdays and Fridays. This was a Friday. And I peeled off early because I'm like, I'm gonna go home. I got no recordings. No zoom nothings. I can shower, just I don't even have to put on makeup or dry my hair. I can just be like, whatever. And, you know, get some stuff done. You should not have said that, because karma came back to me. And the doctor's office called 1130 ish, and they said, the doctor would really like you to bring your mom back in today. Why?
Cloud Security Podcast by Google
"anton" Discussed on Cloud Security Podcast by Google
"Anton, we are doing an episode today where we get to learn from the past. And history does not repeat, but I think this is a case where it does clearly rhyme. What am I talking about? I'm talking about virtualization in that revolution. Correct, correct. We're going to take a time machine to say 2008. Oh boy. When virtualization was really cool.
Perspectives on Healthcare
"anton" Discussed on Perspectives on Healthcare
"The three questions question number one. about me. Question number two is. Will you help me in question. Number three is cannot. Trust you now when i say answer. Yes those three questions. I don't want you to answer. Yes to those three questions with your words. I want you to answer. Yes to those three questions with your actions. How you showing the care team that you care about them that you're willing to help them and that they can trust you. How you showing that parent that visitor. That child who is with a sick parent that you care about them that you willing to help them to get back to their lives and live out their god-given potential but more importantly that they can trust everything that you say. Dude is going to be focused on those first two questions. That's what every healthcare every medical professionals should be doing is through their actions answering yes to those three fundamental questions. That is a very powerful way to end this conversation anton gun. Thank you very much for being with me today. I appreciate your perspective on healthcare. Thanks for listening to perspectives on health care. Visit perspectives on healthcare dot com to learn more about rob oliver or to subscribe. So you never miss an episode. If this podcast was valuable we'd appreciate a review on itunes. Or if you tell a friend or coworker about the show that would be helpful to join us again next time for more perspectives on health care..
Perspectives on Healthcare
"anton" Discussed on Perspectives on Healthcare
"From the your keynote speaker studio in pittsburgh pennsylvania here is your host rob oliver. Hey and welcome my guest. Today is someone. I met through the national speakers association. His name is anton gun and let me just say his bio. I had to go through and it would take me about a half hour to read all of his accomplishment so i'm just going to highlight a couple of them okay. He is a former hospital executive and he was a senior advisor to president. Barack obama on the affordable care act. He has recently been named one of the ten most influential minority executives in healthcare by fierce healthcare. Currently he is the ceo of nine thirty seven strategy group which works on leadership workplace culture and diversity equity and inclusion he is from columbia south carolina a member of generation x. anton gun. Welcome to the show. Thank you so very much for having me excited about being here with you. Yeah so first question. Tell me a little bit about yourself and your role in healthcare. Yeah well so. It's definitely great to be with you in and you gave all of the formal stuff in the bio. So i won't bother to recount that but i will tell you first and foremost is that. I'm a son of a navy veteran and grandson of an army veteran and a great grandson of an army veteran..
Cloud Security Podcast by Google
"anton" Discussed on Cloud Security Podcast by Google
"And so sometimes there's this tension between product and marketing where my more technical stakeholders want to tell. The customer. Just as anton was saying earlier like the specs. Exactly how a feature or product works to drive that product or feature adoption. And i get where they're coming from because like this feature or their product. It's their baby. They have been working really hard on this thing and then marketing watts to tell story that shows the value and the benefits of particular feature or product to drive product adoption and so as a marketer a lot of times what i do is i'll just take my technical stakeholders on the customer journey and show them that. Hey i'm still talking about your feature or your product and we will get to the technical specs or but storytelling right is that gateway to talk about the product or the feature in a much more personal way an away that can resonate with our customer and get them to ultimately do what. We're trying to have them do so. This sounds like a some kind of a balancing act. I guess between the discussion about features inspects if customers want to but also about value and kind of a high level story to me. I don't lose the story ever because to me. You not sell to enough people if you lose the story. There's a story. There's no product exactly so let me touch on the other thing that's been interested in this market. Of course we all know that they're roughly you know. Eight hundred maybe. Two thousand security vendors and cloud security is such a space that's evolved in new then. There's a combination all the time. We had a couple on the podcast here. So there's a lot of noise. A lot of people are talking about clouds huge at this time and of course we have You know three cloud providers like ourselves and wealth to others who will remain nameless. How do you talk about products. So they stand out from the noise so that you don't sound like four hundred other than theirs..
WSB-AM
"anton" Discussed on WSB-AM
"S b Atlanta's news Anton Hi there. Good morning. It's 11 o'clock. I'm Sabrina Cubit live in the WSB 24 hour news center here in Atlanta. We're learning more this morning about how $5 million from the Governor's Emergency fund will help fight Atlanta's crime wave governor camp has had enough of Atlanta's crime been beyond frustrating, which is why he's tapping the emergency fund. The governor tells Atlanta's morning news. The money will not go directly to Atlanta police but instead will be used for state agencies, too. Support A PD. Unfortunate hears we're having to spend state resource is to help with crime in the city of Atlanta, says troopers and other state law enforcement will be on the front lines to help tackle the problem. Bill Cappuccio 95.5 WSB, And while we're talking about the governor, public colleges and universities here in Georgia cannot require students prove that they've been vaccine. Through 12 public education or any state government service. Now his executive order does not apply to private businesses. As we take a look at the WSB market Watch here at the 11 o'clock hour. The Dow is currently a 58 points at 34,370, NASDAQ and S and P also up your weather 81 degrees on Peachtree Street. Hot today, Would you have a smog alert in effect? Atlanta's most accurate And dependable forecast with Kirk Mellish is coming up Game two tonight between the Hawks and the next and that led astray. Young is in the middle of the action in more ways than one tray. Young left an early mark of this serious young We came a regulation that floater gave the Hawks of one of 71 Oh, five Game one win over.
Elevate: The Official Podcast of Elite Agent Magazine
"anton" Discussed on Elevate: The Official Podcast of Elite Agent Magazine
"On the show. Today i'm joined by a couple of innovators in the area of real estate automation. That's rex lab. Ceo anton babkov and rick crm. Hit of product. Tom mccarthy so welcome. Back to the show and tom and the show for the first time. Tom glad to be here. Yeah really really excited. Thanks for having a say well. It's it's great to have you back because we've had some great chats in the past. And thomas mentioned your first timer on elevates they can you describe exactly what it is j. x labs. Yeah so. I'm the head of product for rex. And my role is basically purely focused on the on the crm in coordinating without design and development team. Basically chart the cost for the product. So i spend a lot of time talking to customers getting product feedback and then taking that feedback to product team and working on building new features and solving new problems and moving the product ford and a bunch of ways. Amazing and radio. I think you'll buys have changed on the website. Because i was reading them before we walked in here. And they great. By the way and anton you describe yourself as doing all sorts of ceo things including hailing. Take news and jumping up and down with excitement. What's the in may jump up and down with excitement in the race in recent months. Oh god what i. It's an exciting time. It's such an exciting time to be alive. The roaring twenties of back. This is my big name. I think Covid has done some really interesting things in terms of people saving money and also suppressing some of those instincts that we have to travel abroad. And do all those things as we don't destroy we're gonna be stuck here for a little while so it's really interesting. Seeing how people are translating that into into creativity and Into some you proceeds and is really fascinating with the money. Money supply people are starting to spend some of those that was squirreling away. What's happening with the property market. What's happening around climate change. What's happening in technology and being at the cross section of that business. That that's definitely got me jumping up and down with excitement at the moment. It's extraordinary such an amazing time for the industry. Such extraordinary time for the industry to make hype all the signs but also kind of knowing that this really strong fundamentals that are driving some of the gross and some of the activity that we saying. It's a really big macro changes. It's just an exciting time. Who wouldn't be jumping up and down.
Music in Motion Columbus
"anton" Discussed on Music in Motion Columbus
"They and moon bronze. Where you're on podcast With our special guest. Peter desam feature ours Somebody of wanted to have on the show for a long time Anton newcomb from the band. And you probably know him. Better from the brian. Jonestown massacre but once again. I can't say enough. Good things about this album. Anton you guys you guys really. You hit a home run with it to use the the sports cliche. Well that's all fine and thank you. But what do you think about bob. Polar is right down the road. Yes you you tell them. I said hi when you're over at the dollar general store of course. Well actually. I've got a couple of friends of mine. That actually do see him from time to time. So i'll pass the word on mosley once or twice with them. We played once or twice them when the heads jokers. Fine with me. We were very good but Boy we drink his band so far under the table. They never seen anything like that. Well you know. I know i. I'm not. I'm not talking. Pbr's i used to be a serious drinker. I start with the leader. You know and move on into other. Keep going for months. I don't carry on one of those guys cowboy style. I just get anri. You know what. I mean like the english guys. They drink or viewpoints and then they're starting fights throwing up the street and all that stuff. I'm not like that. But i will get crazy or you know like if people 'cause people try that's why i never get these fights anymore because i'm never in bars right. It's so beautiful. But whenever trays yours you know i would you know if there was some to be had. I would keep drinking well when i spent a lot of time at all so people would say there's a guy from the movie or whatever to try it on. You know what. I mean that kind of stuff and i hate that so i'm so happy with my life now never house say i never saw the movie so good not even gonna worry about it at all. Good didn't get to one thing i wanted to ask you about but that's okay You know maybe we'll have to Down the road again one. We're just asked me a quick question. okay real quickly. How much was it When anthony bourdain came to berlin and and you guys did the show together. Can i tell you the truth. He seemed really two-dimensional. Like if you were sitting on the corner of house and you could see two of the walls and you kinda knew that there was more walls there but he was showing it whereas i am used to like three d. I look right through. People in concede their whole thing. So at first i was thinking. Is this just a face that he puts on for tv because people do that they just have the personality right right and the go. Hey we're back you understand what i'm saying. The picture right walks. Have everybody right. And i spent a couple of days with them so i couldn't figure that out i couldn't figure out if somebody stole a soul or what was going on or if you had a wall up against me or whatever and then he ended up dead right in a court. The i knew agent in there was so much weird his girlfriend so much weird crap with down. That was a real shocker. But it really enjoyed being with him in a really value friendship and support and all that stuff but there was something weird and i tried to talk to john laurie. Who's natura from down by law and all that stuff who is also just found out was just interviewed with him. He said everybody is like that. And i was he liked dismissed me so i quit talking to that guy. Because he he didn't really get what i was saying right. There was something deep and perplexing at that time that minute that he was with me that you can't see on the show that i picked up on in that i was just sitting there going. Wow here we are doing this. But this is real. And you're this real guy right but it but it wasn't tv land. It wasn't like my plastic face. So there's something there was something going on and i and i know a lot of stuff behind the scenes but it was like real quite deep. Do you know what i mean. Let let me let me polish this off. I want to be clear to listeners. That i've met i've met way more than ten thousand people and i look at them. You know what i mean. I'm not talking about just the people when we pay play twelve hundred people in the audience or something. I'm talking about people that say something to you. And i know people you know. I grew up very salt of the earth. People look at people like that. You tried to avoid problems you size people up and all that stuff right right immediately when you meet anyone you start making decisions right in to all that stuff but something was up there so i know i totally get it. I really i do understand what you're what you're saying there You know it's it's. I never my life. I've ever met anybody like that. And i used to date actresses i know everybody in the bed at least people the business. It wasn't that see what i'm saying. It wasn't like they were giving me the hollywood right moment to see what i'm saying. It is something that was just kind of often. The universe in that's where he was Is how is the occupied deeply. He was either preoccupied deeply that there was a whole inside him. That could never be filled. Do understand that that didn't exist like either he had no soul are something had his full. You see them saying yeah. Yeah use shell your which. It's a shame. it really is. Because he was on your regular acting we were interacting and having a good time at talking about things and and going. But i kept getting sense of a suspect boat. Something's going on you know. And of course i do. You know there's other stuff but it was very profound in my dad killed so it wasn't just like being tortured inside. Are having the depressant whatever they wanna say he ended up with or what you know what i'm saying right right was deep a lot cheaper than Than i hope. I ever get to be honest with. Yeah and that that killed me. I was on stage when i when i referred other thing with us it or not when i got into the situation with a in australia with a culture that was right when i heard i got a call on state at that concert that he was dead as people. Were yelling at me. And i just went off the tie that in. That's that's crazy You know. I would look to expand on on going. This really take a by all right for the for the shell eternal. thanks to anton.
Music in Motion Columbus
"anton" Discussed on Music in Motion Columbus
"You're listening to it right here Macaque la podcast july. These same jason. The queen died meaning and is.
Music in Motion Columbus
"anton" Discussed on Music in Motion Columbus
"You guest you know this Happened on me. Present don't know is cool risk wrong. Many earnings.
Music in Motion Columbus
"anton" Discussed on Music in Motion Columbus
"I say off jazz. I'm dr i.