
The State of Security in the Octoverse with Maya Kaczorowski

.NET Rocks!

50:53 min | 7 months ago

"Hey, Carl here with a very special offer for Music to Code By. You can now get the whole twenty track collection for nineteen ninety nine while electrons last. Go to my new store at pope dot e dash junkie dot com. That's p. wwlp. Dot e dash junkie dot com. And get it now before I change my mind. Welcome back to .NET Rocks. This is Carl Richard. Cavill been time. Isn't it, although we can't be sure twenty twenty one came without incident, because this is December twenty first of this recording and so so. I'm tom. shipping is complicated. Yeah, well, you know, if Nostradamus was right, we might not be here, right? You might not be listening to this. I'm just saying. I think the only thing that was right was boil your water before you drank it, that probably you can count on. Hey, I got something to share with you. My phone over. Better Know a Framework. So we're all the music our man when he got. I gave myself an early Christmas present. Richard did you. It's a Samsung forty nine inch curved gaming monitor and the thing is huge. Yes it's so mean question number one. Does it fit on your desk? 'Cause they're really that is very big. So here's what I have to do. I have my laptop, right, and that's on my desk, and I had to push this to the back of the desk, put a stool behind it, and then I have a John Besh My New Orleans book that's high enough to just match the height of the desk, so the back of the standard sitting on the front of the standard sitting on my desk. Wow. Yeah, it's totally. Just the hacky janke wide like you're scanning left or right, like you was can't take the whole screen in at once, the twenty by nine, right? Right. I haven't found anything square and big enough to put over both my desk and that book so I could raise the height of it, but I guess if I had a piece of wood I could do that right now.
It's like it perfect but my laptop is just a little bit too high to cut off the middle of what I can see. And your laptop can drive this thing at full bore? Let me tell you something. I plug this thing in and just hit Windows P and it came up no problem. And what is it, fifty six hundred fourteen forty? Like it's, yeah. You're not a gamer though, are you coding on this thing? I'm doing everything on it. I'm doing Adobe Premiere video projects, doing audio projects. I've got so. Let me just tell you that. The experience that I had, first of all, right now it's about a thousand bucks. Eleven hundred six. When I got it the first time, the first time it came broken ball. No. Yeah, and there was a little crack in the screen, and I had to send it back, so I bought another one in. Ask for a refund. Whatever setback so just immediately bought another one. And when I went to buy it, it was three hundred dollars less than it was. I ask okay. But it is a hundred twenty hertz, and they do offer a two hundred forty hertz version. I'm not sure my laptop will be able to our that. But I don't need two hundred now an attorney down anyway, right, like realistic. Yeah, yeah. Now I do love it. That's awesome. Right now I've got Zencastr on the left, I've got Adobe Audition on the right, I've got my main screen, which is my main browser, and then I've got the other things that we're looking at in the middle. Of the curves not too weird for coding or anything. I that's interesting. I love it. It's cool. It's just not say. Merry Christmas to you, man. What a great gadget. Yeah and write something. You'll use us almost every day so we spend money. I've already been a lot more productive just than having, you know, things off to the side. And I find myself saving certain work until I can get back to my big screen. Yep, like there's certain classes of work. It's more efficient to do it on the big screen. Definitely. Awesome. That's what I got. Who's talking to us?
Comment off of show sixteen twenty five, the one we did back in March of two thousand nineteen with Victoria Almazova when we were in London. We were talking about putting security in applications. We're going to talk about security today. And that was just a really fun conversation we had with her, and Derek Smith brought up his point again from two years ago. She said, since I'm in the middle of retrofitting an existing product or application, I find a lot of parallel with this discussion on security. My current work adding accessibility compliance to an existing application. These are both cross cutting concerns that tend to get overlooked in the initial build out for the same reason. It can slow down and complicate the develop processes idea of adding accessibility and security. After the fact are really hard but when you look at them in the beginning intimidated by them. And I appreciate the challenge of shifting left, so getting those things involved earlier and bringing the discussion back to product management and road mapping so we can plan for compliance rather than kick the can down the road for some future team to deal with. And you can tell Derek was the future team. It's like, why am I doing this? And he finally says, since you're in we're in London when you recorded this, do all the websites say because of GDPR this site uses biscuits rather than cookies? No, no they don't, but that's funny. And now that they're not in the EU anymore, they're going to stop complying with GDPR? Question I don't know the answer to. So I've been binge watching Gordon Ramsay in and of itself, but you do have to get used to a certain amount of personal insults, you know, coming out of his mouth to people who are doing things the right way, you know, and he likes to call people you donkey, right, the donkey comment. You don't another one. Another one says, chef, here's the basil. And he goes, dammit, it's basil, how many times do I have to tell you.
Donkey looking for a fight now is about trying to get good radio. I guess he's not like that. It's clearly the shows was they make money off his loud mouth. I liken it to being like a drill sergeant, like, you know, you put on that uniform, you're a drill sergeant. That's your job, is to freak people out and scare them into compliance. Someone's there's a message there for security as well. Maybe. I don't know, I just feel like taco. Thank you so much for your comment. A copy of Music to Code By is on its way to you, and if you'd like a copy of Music to Code By, write a comment on the website at dotnetrocks dot com or on the Facebook, because we publish every show there, and if you comment there and we read it on the show, we'll send you a copy of Music to Code By. And definitely follow us on Twitter. I'm at Carl Franklin. He's at Rich Campbell. Send us a tweet just because. Yeah, we just. It's a new year. Yeah, well, let's introduce our guest. Maya Kaczorowski is a product manager at GitHub in software supply chain security. She worries about the software you depend on that you didn't write yourself, the security of open source. Welcome, Maya. Thank you so much for having me, really excited to talk to you about. Everything's gone on. It's been a tough security year, twenty twenty, ending with this crazy hack, possibly by state actors. I think falls right in the area you focus on, protecting source code. Yeah, SolarWinds has certainly been quite the news item. No kidding. Me just thinking from the business perspective. Says it doesn't matter if you're a high security company, if you have a high security customer you're at risk. Exactly, and I think that the SolarWinds deputy looking at, you know, commercial third parties, so how you manage your vendors and your third parties that you rely on.
I think it's what I'm focused more on, what I'm interested in, as well as open source dependencies that you have. So you might also use a component of open source somewhere in your supply chain, in your environment, that you don't exactly know how it's maintained. That's what I worry my for myself about. Well, we always presume this idea that since it's open source you couldn't hide a piece of malware in there. I think that's really true, though you probably could. Not everyone studies every line of code before they check it in, right? I mean, the idea with open source is that with more eyes all bugs are shallow, right, that if you have people looking at it, more people looking at it, then find security issues. The reality is not necessarily a lot of people are actually doing those security audits or going in looking at what they're using. I think there is a benefit to being open in that, it's like you said, it's harder to hide something explicitly. Yeah, without a doubt, and stuff is verifiable too. I also appreciated that GitHub sends me security reports on a routine basis about out of date libraries and those kinds of things, like hair. Easy things you can do to improve security at any given time. I don't know if you're directly involved in that. Yeah, I believe you're referring to Dependabot, which is actually one of the products in my area. Okay. Dependabot will send you an email or web notification or known of notifications if you prefer, but lets you know when you have a dependency that you're relying on that has a known vulnerability, and we'll send you a request to update that dependency to a known good version for that. It's awesome. Please, please merge the PRs, that would make it. You actually have to accept them too. That's no fun. So every year GitHub does this State of the Octoverse document.
Which I think in the old days mostly look how many people are using data, but clearly it's expanded over on the run as side. I had a conversation with Nicole Forsgren not long ago talking about the view of DevOps from the context of GitHub. But I gotta think you have, as a security professional, an amazing view of software security with all these projects flowing through GitHub. May have some really good dan with Nicole's research. You know, some really good insights into what's going on. So what did you learn, what Cookie learned from this report? Quite a few things. If I look at some of the top findings, one of the ones that was most surprising to me is the rate at which people fix vulnerabilities is not necessarily depending on the severity of that ability interests. No out so you would think that if I have a dependency that has critical vulnerability, I'm going to fix it faster than independence a ability. And we're seeing is that, yeah, it's a little bit faster, but, you know, just a little bit faster, not much faster. So the severity of the vulnerability is not the major decider how quickly you can actually fix it, which was interesting to me. Do we know what the major decider then is in my head offices. My hypothesis is having good automation and good working principles, your team not being siloed, et cetera, the whole DevOps mentality, but we didn't explicitly look at that. We did find though that automation does accelerate your ability to actually fix issues in your environment, so that we just talked about, repositories that had Dependabot pull requests patch their software thirteen days sooner versus thirty three days. Plus thirteen banks one point times faster than those that didn't. Right, so using automation helps, helps you shift left, helps you deal with issues much faster in your environment. You've got an automated pipeline, you're less concerned about pushing those kinds of changes down. That's definitely true, right. If you have good.
Hopefully very, very few security changes should freak you out, because it should be relatively easy to make those changes in your environment. I say that relatively. I'm continuously shocked by the number of developers who choose to make changes to their environments when they have no testing in place. You're gonna test your disgusting in production. Yeah, that's, I mean, that's a very risky way of testing. Yeah, for sure. That's one way of testing. Yeah, well, yeah. I mean, I can't tell you how many times in advising development group with ago we really don't have a lot of test is like, I'm here, I'm here to tell you that's very normal but fixable, like you can get to work on that strip. It's, yeah, I can't believe how often the main thing I say as an old developer now is, don't worry, that's normal. Nobody has enough tests. Everybody needs more tests. You definitely need more tests. Well, that's an interesting thing, that criticality is not the real driver here, that the ease of deployment it seems would be the bigger one. Can you even make an assessment of how vulnerable most software is? Is that a metric? No, we can look at, like, for example, what percentage of software has known vulnerabilities. But then there's always unknown vulnerabilities, right. So some of the interesting data here that we came across, the first one was just how reliant everyone is on open source, which, you know, we all know. Seen a handful of reports have said this. But, you know, pulling the data from GitHub at that scale really brings a message home. So something from sixty five percent to ninety four percent of active public repos use open source software, which is huge. Variability is really based on ecosystems. So you seem Java ecosystem needs a little bit less and things java. He's a lot more. Which, if you're familiar with JavaScript, pulls in dependencies for everything. That shouldn't be a surprise.
When you're looking at that data from the context of someone participating in GitHub, does that sort of bias towards open source because get yes and you can help have a lot of commercial enterprises, commercial customers as well. We're not looking at. We're looking at active public repos. That's fair in the sense that if you're an enterprise you might have a lower use of open source, but what's public and open source and people's no small projects tends to reflect what developers are also doing at work. Okay, that's really interesting. And so there's always been a conversation on this show, especially is plenty of .NET developers that still aren't that comfortable with open source. And so we've sort of had this belief that there's lots of folks just aren't using open source at all, and then, you know, but it's time you're seeing this huge amount of open source being. I would think of it slightly differently. You know how used to say like ten years ago, it's like, oh, I don't use the cloud, we don't use the cloud, and it's like, well, if you're development credit card you're using the cloud. It's like has a command line. You're using source like what to tell me you. You use Dropbox, you're using the cloud, right? Just because you don't think of it as the cloud, not think of it as open source, doesn't mean it isn't either. Wonder how had projects that have opened source them that no one's really acknowledged that they do. I think people don't even really think about it, but it's there. Anything is like it shouldn't scary, right, like you should keep using open source and supporting open source and developing open source. It's just being aware what's in your environment and being aware of the security issues that those dependencies might have horrid. Other elements from the city report. Where is the security report living now? Can we see it? Yeah, it's on octoverse dot github dot com. Love the clean. I think the other interesting findings, you're talking about, you.
Know how secure is open source overall, right? If I look back at that. We said active reposted have that you don't endorse philippe to the active repos that received Dependabot alerts, so those are alerts that they have trouble dependency. On average, the expected chance of getting a security alert in one year is fifty nine percent. Wow. So expect it to happen. Not a normal thing. And then of course the question is response time, like what would you do about this? How long before you get in there and serve fixing stuff? Yeah. Uranium me to the kind of other major finding, which is the overall time to find, remediate these issues. So we also time to find. Because GitHub has a tool called CodeQL, which is sort of like a really powerful data analysis tool that lets you look for security vulnerabilities, right? You can say, hey, I'm looking for a vulnerability that takes type of input inputs at this kind of output, and let me query my code basically to find that thing. We were looking at open source code and looking at how long it took between when a vulnerability was introduced to when it was actually disclosed in that environment, right? And looking at that life cycle, not just looking at the time to patch at the end, the time to detect plus the time to patch. The to detect, we're talking more than four years to find a typical vulnerability to end being disclosed, and from there the community will fix the vulnerability in open source in just over four weeks, and then it takes ten weeks to let us know that there's vulnerability in his about one week from a user knowing fix. Wow. Wow, the four years one is the one that grabs me, like, right, holy man, that's a long time. So if I make a mistake in code, essentially introduce a vulnerability, we're not gonna take it for so long. I haven't cracked anything.
Like the life of the data, right, four years is probably, if I guess, like actually the lowball estimate because long tail hasn't isn't long enough yet for. Take there is if it takes so long to detect something, like yes, we can speed up the time to, we can speed up the time to alert, we'd speed time to apply a patch, et cetera. We really want to eliminate that thing altogether, right? So like if you scan your code before you add it to your environment, right. You have a lot of tools now, again shifting left, to do something in IDE, in pull request, that has a huge impact on what actually ends up in your environment. So question out of left field. I see that you also categorize the different languages that the repositories are using in his way out front. Does the language used have any impact on security? So it's a little bit, it's a little bit misleading kind of stewart. Some languages because we'll have more vulnerabilities that impact wider amount of packages. But that doesn't mean that the language is less secure as much as the language has a lot of dependencies in that language. So again looking at something like JavaScript, right, it doesn't mean that JavaScript is less or more secure than languages, but seventy three percent of active repos that were JavaScript would have received a security alert in the last year. Right. Exactly. And that's also related to the job because you have a handful of direct dependencies and you have like hundreds of indirect dependencies, and so one of those ability than chances are you have a vulnerability as well. Especially if, you know, they're linked via the cloud, right, instead of, you know, packages put actually into the repos. They're linked now. You have a special problem. In fact, was just a couple years ago.
There was an issue with one of the JavaScript methods that somebody was handling in some repo somewhere and everybody was linked the URL to it and all these apps went down or any pulled the library. Yeah, he pulled the library. This is a few years. Yeah, that's it. Yeah yeah left. The developer wasn't getting compensated for it. Had a, if I recall, this is before I worked on this topic, had a copyright debate with npm where there was a company that claim the name left-pad and said, okay, you have this name, you can have library left-pad, developer got upset and pulled. Sorry, I'm sorry, I'm completely messing up the story. They were disagreeing over. So I don't know if you've heard of Kik, K-I-K, which is a Canadian messaging service, right? And the owner of left-pad also had lab call cake kick got pulled given to Kik the Canadian messaging company. In protest, that dev pulled all of his libraries including left-pad, not realizing left-pad had such an impact on the industry. Wow. We all found out in a big old hurry. Chewed three hours. Later until the guy reverted. But it's also, it was also a good warning, you know, a good, what do we call it, a lesson learned not to by URL. Think so, but then we had like espn and a few other scenarios where it wasn't pulling a library and making it unavailable, but it was certainly like very noticeably having an impact on the ecosystem. Going back to that four year number, thinking when you check that code in, was it known vulnerabilities an unknown bala, like I'm thinking about the noticed that OpenSSH problem that had been in there for years and years but nobody had noticed it. Now it's a known vulnerability to get to work on it, but it was always there, was sort of unknown. I don't know that we actually build code with known vulnerabilities. For sure we do. I don't know if we could break that number out. There's very few.
So ideally someone's scanning vulnerabilities in their code before they committed they all find it said. I think today a lot of security works as a gate at the end of development. So you check in your code and then you have some tool that runs and tells you all the potential cross site scripting errors that you have, et cetera. That's known as SAST, static application security testing. The problem that a lot of the time that gives you the information after you've written the code, it's not when you're in IDE, it's not when you're checking in the code. You're getting it as a to-do list, you know, two weeks later. You have to go back into that, you know, that function that you haven't talked to attention to the long time and figure out what's going on and try to fix it, not that of stuff, and it just makes it really hard to security right. The other main issue that you have with that type of twelve day is that is a false positives. It's really frustrating for a developer to get told fix these ten items, two of them arreola native or not right gets spend the same amount of time tries to figure out. That's not real great. Exactly. There there arguing tools indac- Zastava i asked in etc More grimm's that are helpful. I think the general tendency though is to shift left, right? Make it in context for the user, 'cause he doesn't wanna fix it after the fact, and I think that's a very reasonable request. While the code is still in your head, to be able to get hints that there are more secure ways to do things, or at that same way that IntelliSense helps you write better code in other respects, could, totally Visual Studio bias here, couldn't we get those same kinds of hints around security issues which are spending. Like, how often have you attempted like autocomplete name of function and you like get have typo, but he tells you that you have typo, right, that in there. Well, the big thing is with the typo the code won't compile. Red squiggle. I get a lotta red squiggly.
The idea that I would get a security squiggle is really interesting to me, that that is much subtler concept frame to this is a secure thing to do. This is not a scary thing to do. But I mean going all the way back to the comment we opened the show with, Derek way. Or was he was retrofitting security and accessibility rather than bringing them in the beginning. That seems to be the norm. Unfortunately I just don't, I just don't know if are we there for a better way, like what are we gotta do to actually prove that. I'm not gonna put all of that debating in my own head, it's like we, we need to be better here forgetting here. And there's more and more tools in this category challenge. Just like we worry about DevOps in combining development and operations, and we always have this trend around the term DevOps, and security's in there too. Right, security actually not that special, right? Ideally all of the tools that you wanna have in your development pipeline should be continuously integrated into pipeline, right? Now it might be security by accessibility like you just said. Idea building the pipeline and every build goes through those tests to hits inaugurated for those things as well. You mentioned in the report, and we opening also with this around the SolarWinds attack, this is, are we getting to a more dangerous time, do you think, in software, that there's more intentional back doors and malware attacks into source code? So we did look at the type of vulnerabilities, whether they were on purpose or whether they were accidents, right, and we found that me. Seventeen percent vulnerabilities. October seventeen percent of all vulnerabilities that we looked at were explicitly malicious, but they impacted a very, very small percentage of the overall High with only only a Impacting zero point two percent of the alerts for vulnerable dependencies. Okay, so most of the issues.
Eighty three percent of the issues are just errors, are just developer errors, right? So most of the time should be thinking in terms of errors, but yeah, there other is such thing as intentional maliciousness here. Certainly it's all over the news at this particular moment, still recording this in December for publication in January, and we're in the middle of this. We still don't even fully understand the scope of the SolarWinds attack. You think there's a difference between, you know, someone trying to insert a back door or some additional functionality your processes into a tool versus someone just straight up publishing malware, right? A lot of the time we talk about supply chain attacks in the attack. Was I'm trying to typosquatting, which is taking a common package name and changing a letter or changing an underscore to a hyphen or that type of thing and publishing malware at the alternative location, right? That isn't attack pertain. It's way less sophisticated than someone joining your project, actively contributing to it, et cetera, right? Means similarly like it'd be kind of like someone SolarWinds distribute on a CD-ROM, right, in my time back to the day. Somebody in the mail sending you a wrong CD-ROM helping ear that you're going to plug it in. I actually going in and attacking SolarWinds, that's a much more sophisticated attack. Well, the apocryphal story of the Stuxnet attack against Iranian uranium enrichment was that they left USB keys in the parking lot. People stuck them in machines. Don't true in a apparently it worked. Clearly it did, but this is a much more modern thing and using the internet. It's the way that we deploy software now. It's taking advantage of the trust that SolarWinds customers had in SolarWinds, that that's a very deep concept, but you think, granted SolarWinds is not an open source project. What they're trying to imagine being able to check in malware through a pull request and not being detected.
I think it's possible. I've seen people accept pull requests with cursory looks at somebody's just not paying attention debts. Which account I'm looking at your security report here, and maybe you already said this, forgive me if you have. Seventeen percent of vulnerabilities are explicitly malicious but trigger just point two percent of alert, right? Yeah, people are paying attention. The upside there is, like we said, they can the very small amount, relatively limited impact of that hat, although when there is an impact, boy, it could be a walker. Insult someone interrupt. What moment for this very important message. There are tons of VPN providers out there. You've probably heard of a couple of them and some of you may even use a VPN before. But I like to do research on my sponsors, and I can only recommend brands to my listeners that I believe in, and I can say with full confidence that ExpressVPN is the best VPN on the market. Here's why. ExpressVPN doesn't log your data. Lots of really cheap free VPNs make money by selling your data to ad companies. VPN developed technology called TrustedServer that makes it impossible for their servers to log any of your info. Second is speed. I've tried lots of VPNs in the past, many slow your connection down or make your device sluggish. I've been using ExpressVPN for two years now and my internet speeds are blazing fast. Even when I connect to servers thousands of miles away, I can still stream HD quality videos, zero lag. The last thing that really sets ExpressVPN apart from others is how easy it is to use. Unlike other VPNs, you don't have to input or program anything, you just fire up the app and click one button to connect. It's so easy, even Mama Franklin can use it. And it's not just me saying this. Wired, The Verge, CNET and many other tech experts rate ExpressVPN the number one VPN in the world. So protect yourself with VPN that I use and trust. Use my link expressvpn dot com slash dot net.
That's expressvpn dot com slash dot net, and get an extra three months free on a one year package. Again, that's expressvpn dot com slash dot net. And we're back. It's .NET Rocks. I'm Richard Campbell. That's Carl Franklin, and we're talking to my now get your last name maya carrizo sqi catcher ski very close. Cats are ascii. I apologize. From GitHub, talking about this amazing State of the Octoverse security report, and I'm just grateful. You getting insight from all stay to help us be better, because you of course are getting examples of very successful secure software flow through GitHub as well, I presume. It's also just a beautiful example of communication with text and pictures and graphics, like the design of this report is beautiful. It's really well done. Nicole Forsgren, who led the research, did an awesome job app. She's good about thinking about talk to dev folks around these things at work courses focused on open source. Any of the quote unquote worst vulnerabilities you wanna talk about in twenty twenty? Things go down. We've talked. With open source we did a case study here which I was kind of interesting on, you know, what was one of the worst vulns, and wasn't necessarily because it was a particularly critical or were publicized vuln. Look at one of the most impactful vulns this year, it was CVE twenty twenty eighty two three, it was in Lodash, and it's single handedly responsible for affecting over five million repos on GitHub. Wow. Yeah, it's one of the most widely used npm packages your own ability and prototype pollution in that package, and we sent alerts to over five million repos to tell them the patch. Wow. Because of course it was detected, it was fixed, but then everybody has to get that new version of Lodash to really put that away, right? To what we were talking about earlier. Attempted to identify it.
And the time to develop a fix and the time to remediate is really just like how quickly can users go ahead and patches up. So did it take four years to pick up the prototype pollution? And just looking, listening, took eight years. So that vulnerability had been in code in the field in millions of projects for as much as eight years. Young. Yikes. This is alabama's nothing like Equifax, and people make fun of Equifax if they want to or whatnot, but like so many vulnerability, so many dependencies, it's really hard to keep them straight. Well, and who has enough resources to have folks constantly monitoring at these comes in critical. Is them decide how important they are relatives here app and then get them fixed as quickly as possible. And now that. I'm going to. I am not going to defend Equifax, but I look at it as a without go is like we're all walking through the same forest here. It could happen to anyone. Really, eight years. He's this is scary stuff. Of course it takes that long for that many people use the software, right? Like that's sort of the side of the reason it was so impactful, as it had been around long enough. It's almost inevitable, it seems, that a successful piece of software widely spread and existing for some time is going to turn up with a vulnerability at some. That's pretty resident. That scares me a little bit less, because if it's really successful then you hopefully have a lot of people looking at it, using it, right? Maybe they have a more established security team, et cetera. I'm a little bit more rate about the small to medium open source projects. So in these situations where they've identified malicious injections of malware in software, do the people that put those pull requests in, are they trackable? Has anybody ever been prosecuted for doing anything like this? I don't know about the legal side of it, but at least for some past incidents, Espn's, like we know what the name of the person was. Yeah about it.
Though whether or not the prosecutor something entirely like, but laws are funny. GitHub has their, GitHub has their credit card information because there or their bank account information. So it's possible, I suppose. No, not necessarily. I suppose you're right. Yeah, that's right, just because you're contributing to a repo doesn't mean you have a repo and you're paying for it. Ouch. Yeah, but you know the, the legal prosecution, that's ever going to stop anything. True. The, the, the idea that we can detect and repair in short, short amounts of time, while we get back to this ability to remediate quickly, and again with saw whole automation story. The, you know, there's a conversation about shifting left, and we said it a few times there. But I mean, what does that really mean? That is just folks getting together earlier in a project, like. There's no nothing to do with an existing piece of software except refit. Yeah, it's not about a particular tool or, or anything like that. It's even a specific process. Say just the idea of rather than doing something later in your development process, later in your domain pipeline, just to do earlier. Like if you're gonna run. We talked earlier about scanning. If you're gonna run a scan for deployment anyways, why not run it before build, right? Were when before. Pull request in anything that you might wanna do, right? If you think about like the checklist of things we need to do before you actually pushing the into production, just doing some of those sooner, any move to the left is kind of shifting. There's no, there's no definition of what specifically as, you know, if you go from only scanning things in production to doing something at deployment time, that's already shifting left. She brought limited time to build time, you've shifted more. You know, if you go to PR, if he would id some companies. You have these, these design reviews, things like that. We actually talk about what you're gonna go build before you build it in that, in that situation.
Part of shifting left might be like bringing the team as part of that discussion to help challenge some of the assumptions you're making. And when do we include the scanning tools in the pipeline? I certainly seen it where it's only when we were close to going to v one then started inserting those tools into the pipeline and start doing those tests, rather than from the first builds on. So yeah. That's certainly a shift left thing, including your security people in the conversation early, and you and your accessibility people for that matter is a good idea too, or at least putting that on the agenda, because sometimes not a separate person. It's just, have we thought about what is, what is the security plan? What is the accessibility plan? I see as well, right. Well, I mean, part of that. I have to wonder with everything that's happened in here are show twenty twenty one, like when did these laws get expanded, is it feels like there's a weight of, you know, beyond the GDPR in the EU, to more of the world wanting to take privacy and security more seriously. What's a, what's a bug door? Yeah, a bug, a bug door is. I'm not sure how we define in the Octoverse report. Off the top of my head, a bug door is when someone finds a bug and leaves it there with the intent of exploiting later. Oh, so it's not necessarily maliciously planted like a backdoor would be, but a bug, but it's just a, it's a passive aggressive backdoor. I guess that's what you're, you know, if you're thinking about commercial software when someone's selling you, if I'm a national agency or dealer, whatever, whoever these people are. If I'm selling you a zero day, which is a vulnerability that it doesn't have a patch on, on day one, so it's known on, on day zero, is a. It's a bug door. It's something that is exploitable, that is useful for me to, to, to know about, but that is not currently patched in that environment. Not sanitizing inputs, right? Buffer overflow protection. You don't necessarily have a specific exploit to poke at.
It's like a bug discovered, and you can't tell if it was an accident or intentional. So like a backdoor might be someone purposefully put it there, but a bug door might also be like, I know somebody put it here on purpose or not. It's hard to trace back. Who put their tufted for to be provable. In any as a data seems to show is relatively few people intentionally building vulnerability in the software. It's unintentional vulnerabilities, but in apathy in cleaning them up too. Yeah. I mean, all of this data has the giant caveat that like you must be, you know. Here's the percentage of things that are vulnerable for the vulnerabilities that we know about, right? And here's a percentage of those willing to believe that malicious for the ones that we know are malicious, right? Like, it's, it's really. It's really hard to categorize what someone was trying to do, and if there were trying to evade detection factor. The criticality of the vulnerability doesn't seem to motivate. Begs the question, why do we categorize? We also changed the scheme, right? CVSS has changed what, five years ago, and change the severity of a lot of bugs. On which I think arguably has a lot of confusion, at least for, for the security researchers and developers that I know, who would like are like, really low, or is it a medium, or is it. Yeah, yeah, it. Does that really mean anything one way or the other? Right. I'd certainly when it comes down to you, you fix what you can fix. That doesn't seem to hazardous alot had the critical bubble up to the CTO in there. Now pounding on your door's well. I don't know the answer to that. I think they're not that I'm suggesting or not. Still score them, just the scoring doesn't seem to really matter a whole lot. Of the really interesting one for me from this is a lot of companies will have a policy around time to fix, right? So the mean time to resolve must be, you know, less than thirty days for critical, less than ninety days for high, less than a hundred and eighty days, etc, etc. In.
It's like you look at the data and like it doesn't matter than like this. All kind of stupid works mustard rating these crazy policies that don't do anything legit. Because this is actually a more complicated matrix in this, because it's also difficulty to fix. Right, yeah, this is a low criticality but it's a trivial repair. Just put it in, like. Why would I wait one hundred eighty days to do that? Shouldn't. Yeah, but I mean, I think it's not the saying don't fix this for a hundred eighty days, but it's like you're trying to prioritize and so you bump other stuff. The real question is how often does a vulnerability bump a feature in sprint, and that is a tough night is a survey problems, like have you done this? How often does it happen? Is I think it's relatively rare are hard to happen. It's just another item. But when I think of what. The biggest sort of impact on software, like going all the way back to Windows XP SP2, right, when Bill Gates put out the word about we need to make Windows more secure and took a non-trivial chunk of the Windows team and had that mostly senior folks to, to focus on reengineering security Windows, and it's a couple of years and impaired the development of Windows. Like it's one of the things that leads to the Vista debacle is SP2, because it was such a huge fix. It worked, for better or worse. Well, how often do a mid size teams know amid ban project mate that sorta come it to. We got a burn down the set of vulnerabilities. I really, that's a tough question to answer. But folks listening have been there and sort of said, no, we prioritize that. Like if I was a project lead looking at the vulnerability stream coming in and figuring out what I want to any given sprint. And when do I hit. Let the big red button. Stop everything you're doing. We gotta fix this.
You'd be anything that's along. These policies come out of a world where you were patching servers, right, where you actually have to take them offline and then do something with it and apply the patch, and why in that does require time. Schedule down time, Sunday at 2 AM, whatever happens to be. Today that's not the reality, that's not. You don't need that kind of time to fix a vulnerability, so and in the process is complete different, right? You fix it in your, the next version of whatever you're playing and then deployed. You already have this sort of continuous deployment scheme going, where new versions coming out, you, even daily are, are more often than that. So it's just, yeah, you don't have to make that big commit, but I think it's the flow of features versus the flow of fixes, to be able to prioritize those things, because in the end you didn't work on something else to work on repairing this vulnerability, saw some features delayed because we, we fix the things. I don't have a problem with the prioritization. Like that should go on, you would hope, but to what degree, you know. We're never bug free. I think we're never vulnerability free either. You're, you are gonna have to triage some point. Yeah, great. It was very interesting to look at the package ecosystem data here to just see that. Is this the compared Composer to Maven to npm to NuGet to PyPI to RubyGems. The, the, the, the vulnerabilities has do with age of the different package systems. That older ones just naturally have more projects at more risk to, to, to the vulnerabilities. It could be something we at that. My hypothesis is primarily based on the number of dependencies, right, where it's normal to pull in a lot more dependencies in one environment than another. So something like, think JavaScript for example, you might have only ten direct dependencies, but you have six hundred eighty-three indirect dependencies or transitive dependencies. Just huge, right?
Which likely now, but like it's still seeing that number is absolutely flabbergasting. And something like, I don't know, Python, six direct and nineteen indirect. NuGet's numbers crazy low. But, but I think that might just be the nature of the way NuGet packages are built. They don't have as many dependencies. Exactly. NuGet, six direct, and we're not sure of the indirect, cause the transitive, it's only measured files, so we don't have the data for NuGet there. Yeah, so that might also data hall to. Okay, that's fair. I don't, you don't want to advocate for you should be using NuGet because its numbers are so low. That's not what this says. Now you should be using whatever language you're familiar with so that you introduced fewer dependencies, and as long as frequently updating, I really don't care us. Yeah, well, regarded what language news, frequent updates, keeping up to date is important. High justice vulnerable on any of these given language. The language, the end, the platform stack is not what's going to save you, right? Here, your diligence in the, your willingness to put your time into this stuff, I guess, is the thing it's gonna save you here. What a great report, and terrifying at the same time. It is awesome. It's terrifying, but it's awesome. Seeking to make one of these every year? My i'll get one every year, I believe in the last five ish years, is number five on. This is the first time we put so much detail. The security, we had a couple of security metrics last year with Nicole. Here now mom. I suspect this is going to be an ongoing thing. I'm very excited about this. Your help our. What a great way to help the industry understand itself. I'm grateful. This is cool. Yeah, thanks Maya. It's been enlightening, terrifying and enlightening, and often all at the same time. One of the three reports, two others to read as well, to know. So thank you, thank you. Thank you so much for having me. Thanks so much. All right, we'll see you next time. I'm dot net rocks dot.
Net rocks is brought to you by. Franklin's net and produced by plop studios full-service audio video and post production facility located physically in new london connecticut. And of course in the cloud online at p. wwlp dot com visit. Our website is dot net ks dot com for ss feeds downloads. Mobile apps comments and access to the full archives. Going back to show number one reported in september two thousand to make sure you check out our sponsors they keep us in business. Now go write code. Cnx time asking.

Visual Studio Feedback with Mads Kristensen

.NET Rocks!

56:45 min | 4 months ago

Visual Studio Feedback with Mads Kristensen

"Welcome back to dot net rocks this carl franklin and is the richer campbell in here. We are again. Yeah we do anything with the stuff. Yeah beautiful day in the neighborhood. What can i tell you what's up with you man. What's what's new with the dog in you know. You're you're the bears. And give me a story from vancouver. I don't know the bears hibernated. This year we had a pretty mild winter so a have gotten a few bear clips through the winter which is weird. that happens. Bears only hibernate when the camp find food and as long as people put garbage they could find food right but The old dog I didn't know if he was gonna make it to the winner. He really faded this year. Tough but We've been having seizures and we got new meds for form the beginning of the year right at the beginning of january and now it's been two months so it's a long stretch since he started since he's outta seizure but he's he's fading he's a doddering old man. Now he gets lost in the house. I found every so often find him in a corner just like not able to get out of the corner. How old is in human years. Well he's sixteen in doggy years. Which old for dog. But yeah they the that was saying. He's like an eighty five year. Old man who you know is pretty good shape but the stuff starting to break so Do you do you guys to. You probably can't do. Maple sugaring there because if you hang a bucket on a tree for sap the bears probably come along and take that dante. Well that in in in sugar. Maples don't grow here they don't we have we. We have maple trees but not that kind of maple tree really. Yeah east coast thing. Yeah i had no idea. I mean Okay learn something new every day. Yeah we do. We do alder syrups. So if you're if you really like maple syrup and you wanna version that tastes terrible alder syrup. It's awful. just don't bother auto syrup in berkshire to both terrible but you could make it. It's the same. You know this same kind of sappy would that. 
Just don't come up with the same kind of flavor okay. I'll remember that next time. I'm in vancouver. Yeah alder serb. You can put it on your shelf and never touch it again. Is it not sweet or just tastes horrible. It's not sweet. Yeah but I mean i find maple syrup generally to suites milder syrup but they're quite strong. Flavors is just the nature you know with all these great for salmon. That's what you do very go. Yeah awesome well It's time for better know a framework before we bring mads on so roll the crazy music awesome. Oh man i was enjoying that. You probably know because you're my friend. But i've had sleep apnea for a while. Yes yes. I have slept in a room with you on your machine for that right. Oh yeah it's lots of fun. Well anyway it turns out. There's an application out there that you can use to analyze the data from your cpap machine cool and most c. pap machine of the razz met ones. Anyway that are very popular. They have a little less teacart in them. And they write down all the telemetry from your sleep. Nice and You're supposed to bring that into your doctor. Every once in a while and they look at it and they see any problems blah blah blah. Some of them even automatically transmit the data. They have little modems in. And they transmit the data to your doctor's office but somebody hacked the data format and figured out how to show it in graphs and they made an open source. Project called sleepyhead cool and so yeah. So this being Seventeen thirty to seventeen thirty. Two dot plop dot me. You'll actually not come to sleepyhead. but there's a link to it there. But it's the rise. And fall of sleepyhead. how community-backed c-pap hacking got jeopardized. It's actually a story of intrigue and backstabbing and hostile takeovers. And stuff and it got so bad that the guy. Who wrote sleepyhead. Basically if you go to the sleepyhead page which is sleepyhead. 
Djeddai mark dot net sleepyhead project has shut down after repeated hostile takeover attempt undermining be trail torrents of abuse. I have no desire to continue subjecting myself to working under those conditions. No free and open source software. Developer should have to endure that. And so you can still get it and you can still download it. You can download it for windows for mac for ubuntu and he's even got the the get hub repo up there but he's done done that's really it's an open source project so like anybody could copy what they want with it anyway right. I don't understand how he feels so attacked. How do you get it stolen. When you're giving it away you gotta read the story so yeah but on february twenty nineteen he shut it down and said i have. No working stopped working there. Yeah exactly exactly so there. You go however i have used it and it is very very helpful. I found doubt that. I had some events in the middle of the night where i was still What happens is your airway gets Clogged at which you it gets closed so your your muscles relax in your airway gets close to the machine. Blows air down your throat. You're down your safa guests to keep it open. Your sophist bronchial tube does go down near safa gets and you wake up with horrendous burps but but so what i did was. I set up my phone on a camera timer to like every five minutes. Take a picture in that. Correlated that with the events in the in the the c-pap data and blood sugar data. To which i find is been very strange ending. Yeah so for any kind of self hacker you can. Still go get sleepyhead. but but i read the story. 'cause it's priceless. Yeah yeah it's very odd to to to be. I get that open source maintainers take abuse to as arriva but when you publish all your source code the idea that someone else take that source go to do something with it should not be offensive. It's true because you published all the source code dude like that's the point right. 
Well anyway there it is enjoy it awesome learning love and have a good read and if you've apnea good luck. It's it's good stuff. There's there's the over arche story which is like yeah. Your medical professionals should have access to data because of your medical professional. But i really think there needs to be laws in place to say. Hey you know who else should have access to your medical data you you. Yeah exactly that. How i should have a copy of all of your data and you have a right to all of the. I totally agree. That's you know. Welcome to america. Welcome to the united states of america. Yeah i don't. I don't know that those laws are clearly outlined everywhere else in the world. either. I don't know if people have a right to their medical information all right. Let me read a comment here. Seen thirty nine one we did with mads christiansen the last time we talked to him which was june of twenty nineteen that we turned into a geek out of all things about home automation being has. That's where the conversation went and we had a great time doing it and There's some great comments off the show. This is remarkable fatten. Getting a couple of years ago now. He says another great show guys when considering home automation or any new technology and one's busy life. The challenge is not to make the customer alter their habits and lifestyle to make the technology work but rather to have the technology work for them and their current life habits and crawl was correct when he stated now you're imposing rules on lifestyle to appease the technology. That's i think. This is the crux of what most mortals face when considering technology of course they thinking why should i have to change this to take advantage of something. New is the primary challenge for him. Automation specifically and technology in general and so when implementing ideas. How do we accommodate users. Existing lifestyle patterns and habits there. There's also a social aspect of home. 
Automation in tech. Carl's mission to the song, using song Free Bird as a weapon, is a prime example. We will but i'll fire that day. We'll play Free Bird, but it will cost you ten thousand dollars in crash up front. And moreover, the only way we can make autumn automation in tech with less friction is trial and error. In other, in other, in other words. This topic, this is something that you have to consider, because the customer, being the other folks in your house, is both complex and not easy to navigate, right? I got admit to manage to like. I got bitten by the Home Assistant bug. He talk about open source and home automation. And it now means you're tinkering with your house all the time. That being said, she who must be obeyed has enjoyed many of the features his issue. But it is. It's one of those things where you put it out there, you explain what it is, and then you see how they use it, and then you adapt to how actually gets used. So Mark, thank you so much your comment. A copy of Music to Code By is on its way to you. And if you'd like a copy of Music to Code By, write a comment on the website at dotnetrocks dot com or on the Facebook, because we publish every show there, and if you comment there in everything on the show we'll copy Music to Code By. And definitely follow us on Twitter. He's at rich campbell. I'm at carl franklin. Send us a tweet before the bears get to it. I watch offered him bears for bears embarrassed. And that brings us to our guest today. Mads Kristensen is a program manager on the Visual Studio team at Microsoft with the privilege to work with the extension community and ecosystem. He's an avid extension writer himself, with over one hundred published extensions to the Visual Studio Marketplace, and before joining Microsoft he spent a decade as a web developer working at both startups and enterprise companies. His wife and two young sons all enjoy and support his adventures in the world of home automation. Welcome back, Mads. Thank you very much. Thanks for having me back. Home.
Assistant trop yet are matt's no you know. I don't think i will ever go down that path simply because that i think it will be all consuming my time will it would be a time sink and you know what i really want. I want plug and play a one or to just work. I wanted to be managed by someone not me. You know someone. That's it automatically updating everything. And i just wanna to be the kind of the consumer that sets up the rules for automation but not necessarily right everything and maintaining everything down to the minute detail. The mac of home automation. Well i want the well. I want the visual studio head. That's much more of a swiss army knife right like that's a lot of. It's a lot of things. The thing i would say in favor of home assistant is because it is an open source project and his hit that threshold now with his people being paid to maintain. It looks really sustainable. It's not bound to any vendor stack so in you know as mation aficionados is like you got to kind of pick amazon or ring or or amazon with ring or google with nests like because those two. Don't get along right. Are you putting a lack in the house. You putting who ask because nobody's putting cortana. Now's so a and once you go down one of those tax. You really can't cross tax. What the home assistant guys have done. A decent job of is abstracting that so that you can make those things out there that there are several hub effect manufacturers or whatever that that navigated that pretty pretty well Home assistant is one right I think home series another one mention of course Sam smart things which is the biggest one and then habitat which is sort of the newcomer. That's kind of interesting. That sits may between smart things and the rumors that the smart things is in trouble at samsung. Gonna walk away. We don't know well. Since since amazon. Started putting into alaska a zubi hub. The whole smart things hub things like. Why would you do this. You already own one. No no no. 
So that's what i do. I actually started with i like. how are you saying. Leka i learned that from the youtubers is like trigger things you have in this show. We liked to trigger them. Won't do it. I promise trying to be good citizens. I won't say alexa. Delete all my files. I won't do it. Just say add but for but for but she's very limited in what you can do. I mean you can't really do any complex. It's really it's not useful for anything really really except for turning lights off with your voice which is like why would you do that. The simplest thing of all in the least interesting yeah. It's at least interesting but it's also not very useful. It's just it's just a switch that you use with your word and and that's not home automation home. Automation did lie should come on automatically when they're needed f- yeah and so the more you go down the more you look at the that it from that perspective like you want has things has to be automated the least dependent. You are a voice assistant our or the on the only time i see the voice assistant popular in my house is in the scenario. Where you're you're hands are busy so being able to close the garage as you carry groceries in. That's a good one. That's a good one being able to turn on the news in the kitchen while you're cooking. Yeah that's a good we're asking for metric to imperial conversions. Yes you know. I have to do that. Yes i do that to live. Yeah those are the those are the ones that seem that that i see her us. That's to me. i'll use anything. I'm goof right. I'm gonna try all things right down doing the programming to be able to shelter like turning on the fireplaces up picking up the remote pain the astor program but boy that i you know those. It's interesting to see which one she actually wants to. And those are the ones but they you know she. She be appreciated the other day. It's like hey you know what outdoor lights and the blonde go down. Turn on the lines. Go down at sunset. 
Yeah right with no work by you and the other one. She noticed that. I slipped in and didn't tell her about. Was they getting a drink. Water light so the rule is if you trigger motion sensor in the great room and it's after midnight and there are no lights on then turn on these two lights very dimly for the next five minutes so enough time for you to go in getting lots of water go back out and they shut themselves off and that's impossible to do if you only have a lack or or go home. You can't do a rule like that with multiple each statements and so you need something like home assistant or samsung or habitat and you get into that. That's the level of sketchy. Okay now i have ten. Am i the only one that has problems in every automated bathroom. Go into like the you know you put your hand under the sink and a spurt of water and then it just nothing and you have to take your hands out like this and then put him back under and then yet another fifteen seconds squared away. It's the sink prayer ritual right. He put it in. Put it out. Awaited the hokey pokey. Shh that's just the gods advantage irony after you. Carl just say oh and then here's another one you you go to a stall. You're the only one in their right and you're you know you're read through your phone all of a sudden go off. What how we need to have. Have you seen those new methane detector smart faucets that are out there where you can like you wave your hand over over the faucet like in your kitchen and then water comes out there the most annoying things ever. You never know when it comes on. Because they're still the manual. Shut off so if you left shut off on the handle then you can't like wave your hand over it to let water because it's manually shut off right edge like the opposite of good design when it comes to my smart home things like so frustrated the same thing with the bad lights which is right flashy. Flip the switch off then. The automation doesn't work anymore. That's yes never do that. 
People all right. Let's talk visual studio man. Yeah yeah you have a real job sorting so yeah as it feels like some days. It doesn't will you used to be are extensions guy like we count on you to talk about extensions. That's what you've always done right. Have you shifted roles now. yeah. I'm actually officially not on the extensive ability team anymore. Even though from the outside in might be hard to believe because i still have a youtube show where right extensions every friday. I'm still very much engaged. I can't not yeah right extensions and so it's still the same platform team sort of the core of this room studio that team but now it's more concentrated on customer feedback so one of the things. I've always been really interested in is making sure that visual studio actually meets the needs of the customers. And that whenever people find that their workflows change and they want visual suited to change with it to make them as productive as possible. And so on that. Visual studio will actually allow them to do that and Hopefully we'll have the prog ready to those changes before you need the and of course that's really hard because with millions and millions of users. Everyone is moving in their own unique direction. So that's almost by definition impossible to do. But i think there are some some trends we wanna follow and we want a ba- listening to what Our customers are saying our users how the used the product and so how do you translate like patterns of usage through telemetry and all that sorts of with whatever they say when they reach out to us on developer community or twitter or staggered will flow. a river. Might be for all that together. All those data points all that signal and then figure out. Okay i think we need to invest in an area over here. We need to invest more in debugging certain types of application on arm sixty four or whatever right now. 
Isn't it great instrumentation in studio for you to sort of if we opt in to see what you how you were using studio. Yeah absolutely that doesn't tell you about how you want to use it in the future. What you can't do it right and so you have to. You have to have multiple data sources to get fuller more accurate picture. You need to have a you know when you close visual studio you need to have. A little clipper thing that says. Hey i see your closing visual studio. Did you have a good experience or a bad experience. I know that right. It's like every time you go to the store you get an email afterwards asking you how your experience was right. I bought a battery stupid mess. If arrive but you know you never going back. It'd be good to find a way to figure out how you know. People got so far with their app and then just closed it in. Why you know of course can't do that without a stupid survey but that'd be good information to have i think everyone hey surveys and we. We used them quite a bit. Yeah so. I hope that people will continue to give us their. You know their answer got it. Hey visual studio is not free. if you'd like to continue to use it answer this survey. Otherwise you're going to have to pay pay pay a harley. You'd be program manager on the visuals. You just gotta be a little evil. Matt's i think you're too nice. Maybe he will come out. I don't i don't know if users things that were popping up all of those notifications. Hey what do you think of this. What do you think that So we actually looking into like limiting the amount of notifications that we give us. It's an it's actually very fun and interesting challenge to figure out how to do. How do you like the idea of by. You can find me in a workflow right like if i'm cooking along. Don't interrupt me but if you can also tell when someone's lost like if they're trying to find something and you just sort of stumbling like if is using the mouse and highlighting stuff on the toolbar and stuff. 
That's where to pop a probably help like you know i'm trying to find something. Can i help you as opposed to. I'm using the all keys man. I know where i'm going. Don't interrupt me yeah. We know like when you're idle and we can say okay. How long have you been idle and stuff like that. We have all this already to to do something like that at another good idea for visual studio music to code by play button. How about that. That's an extension. I just like that in their boom start. That wouldn't be. That would be pretty easy. Just put a play button on the toolbar right next to a do button or something like that. Yeah and you think you're going to run your application but now here comes some elevator music for you. Well i think as soon as a code of window opens the music absolutely right now. Talking about automation. That's good proud. Hey mike code has the theme song. A driver in the empire march starts di di di okay. I've written echoed marketplace. And see what they're people have done some pretty hilarious things. there's also there's all sorts of sound extensions and other things. No sad trombone comes up a lot. When i know we actually do have like call to your point like when when people will uninstall abuse which you probably. You've probably never done before and you would know this fails before uninstall studio i only upgrade. Yeah i have never uninstalled studio unless it was a preview version right so we actually do have a uninstall survey so we do understand a little bit about why. What are the situations that make people on his celebration with students instance to your point earlier right to understand what why were. They not successful at one of the one of the problems. And how can we help improve right and so again. It's just multiple data sources to to do this. And i think that's a really interesting thing because in my over ten your around ten years now of writing extensions. 
There's a very direct feedback loop from writing extensions giving them out to users have an amusement and then work with them on github with issues and back and forth on twitter like iterating on it to make it the perfect feature right. Yeah as natural inside visual studio as possible. Make it seem like a good part of your workflow and so on solving a problem and so how do you take something like that. That is very that doesn't have a great scale like an a single person like me with a with a bunch of people out there how do you how do you translate that into something that works on the whole scale of visual studio itself and not just a single little workflow or something that i'm personally interested in and so i think there are some there are some great learnings from from that and then we just need to figure out how to scale that up and so that's part of what i'm working on and and it's absolutely fantastic. There's nothing. I love more than being leg hanging out with the with users and and figure out how we can make visual studio better together. It sounds super cliche. But it's the truth. Yeah all right. I get that and certainly my experience working with you. You're totally into that. Absolutely it's not cliche. you mean it. It's it's it's what makes me get up in the morning. It's it's very rewarding but also it's weird. Because i'm i think i'm an introvert but i'm like when it comes to like talking to people about visual studio. I'm definitely not yeah. They certain things right. You've got have a sense then of the diversity of people that you studio to yes. It's actually very interesting. People people have we get a bunch of feedback of course to like three thousand pieces of feedback to the developer community every month while so that's people either requesting a feature or opening up a problem report and they always have like this typically when we close something down or whatever and they complain like why did you close this down. 
Everybody wants this or no one wants this other thing that you prioritized over what i want it and i think it's hard people seems like that. At least some people seem to believe that there is a generic visual studio user. Yeah there's one way to use studio. Yeah there's just not and we can see when we do like these lap user lab studies when we have people sitting in a lab and we actually look at what they do where they look on the screen where they click. You know we give them some tasks and we'll see how they do it. We are surprised again and again and again at how people do the same things. I'll give you a super simple example. These are people that have used visual studio for like over three years. I think and we had them in in one of the things we want them to do with like build a simple console application on dot net core. Something like that. And i forget exactly what it was. We wanted them to do but one of the things that they showed us was. How do you guys let me. Just ask you to when you want to build your project. Let's say you have a console and you want to build it. How do you do. How do you build like what literally do you. What do you click on or do you keep shortcuts. What do you do as a right. Click on the project. The solution and say build or rebuild depending on how dirty i think it is. Yeah or f. five. Yeah yeah right. I personally use control. Shift be that's my keeper. Show here okay. Well that's not my personal visual studio. Has that shortcut for building. Has that shortcut. Where's it from. Like f five is literally out of original visual basic. But that's just for building yet out for building. Yeah so but there's a whole lot of people that takes their mouse. Cursor goes up to the top level menu under the bill menu and go down a quick built build right and not in a million years. I have guessed that that is as normal as it is Yeah we didn't. We didn't study how people build. We just started how they're using visual studio. 
And you get to learn stuff like this. Yeah and people don't control shift be right. Yeah right so everyone does it differently. You think you know what the right workflow is. And everyone's crazy for not doing it the same way i do. So it's it's just. It's very clear that even though we can say their categories of users like there's dot net users there plus plus there's web developers there are certain categories maybe That is not very accurate. That is not very accurate. Way to say that It's almost like we have to on a per individual basis We used to have personas hanging on the wall. Remember when that was a big ten fifteen years for awhile this and einstein and how to insult your entire customer base in one easy lesson. Yeah i remember that. And so we still operate with some of that sometimes depending on the team or whatnot but Just became pretty clear that it's almost impossible to put anyone into one of those personas. You're a combination of multiple or or none. You fit into any of them. And so it's very very bizarre and just because this studio so feature rich and complex and let you do so many different types of app development. That is just almost impossible to say the typical user. We can't say that the typical us. Yeah where. I think a lot of other apps. Maybe the whatever you know the audience where they work on you know you might have a typical user or a typical bucket of the to three different types of users or something like that But i don't think we can say that for visual studio. We can categorize in many different ways but when it comes to user patterns and not with product that's this old the tad that has users. They have literally used it for twenty years right. They are going to have their own sorts of things. There's plus also the nature of the app like vs code not that old but trying categorize vs code user. Same problem yup. They're all over the map. Yeah absolutely and I guess we should interrupt for one moment for this. 
Very important message. This portion of dot net rocks is brought to you by our friends at express. Vpn so how did you choose which internet service provider to use. The sad thing is most of us have very little choice. Because isp's operate like monopolies in the regions they serve then they use this monopoly power to take advantage of customers data caps streaming throttles. The list goes on but worst of all many. Isp's log your internet activity and sell that data onto other big tech companies are advertisers to prevent. Isp's from seeing my internet activity. I protect all of my devices with express. Vpn so what is expressed vpn simple app for your computer or smartphone than encrypts all your network data and tunnels it through a secure virtual private network server so that your isp can't see any of your activity. So i recommend express. Vpn as the best way to hide your online from your isp. You just download the app tap one button on your device and you're protected and express. Vpn does all this without slowing your connection. That's why it's rated the number one. Vpn service by senate and wired so stop handing over your personal data to isp's and tech giants who mine your activity and sell off your information. Protect yourself with a vpn. Trust to keep me private online visit express. Vpn dot com slash dot net. That's e. x. p. r. e. s. s. vpn dot com slash dot net to get three extra months free go to express vpn dot com slash dot net. Right now to learn more and we're back done iraq's emory campbell. That's carl franklin. Hey and here's our friend. Mads christianson who is caring about the feedback mechanisms hair right so i always think about user voice for visual studio like if that's the place you go and make requests for features. Is that still true. That the way we used to use a us voice initials dot com. If you go there now. 
I think it says it no longer exists but we transferred all that to something called developer community so developer community dot visual studio dot com. Okay so if you are in visual studio and you go up to the help menu and you can say send feedback and that will take developer community and so that's actually a so that's our own website for tracking feature requests and bug reports and it integrates directly into our own azure devops system for bug tracking. So if you open a bug on something on the let's say the editor intellisense is not working the way you think it should work right that ticket you open up on developer community actually ends up on the editor team's azure devops along the side of any other bug that they have nice so it's a very deep integration of that and it's it's pretty proved to be pretty effective. While it's it's not a it's not a separation it's just a direct view in your actual issue maintenance system. Yeah taiba almost almost. There's there's some there's some automation processes that of synchronizes the two but but that's basically what it is and so it's pretty fantastic. A lot of people. They think you know because we didn't fix their bug or whatever that you know that we don't listen or anything like that but it turns out we actually fix up to seven hundred bugs per update to visual studio coming from the user orderly no yeah quarterly. Ever too much okay. Well so what is that then. Bi monthly. alright. Yeah i just went to the developer community for visual studio and it says one hundred thirty two thousand items yes theft cessna nearly three thousand new ones right per per month so okay. How do the math. that's up. But that's only visual studio so developer community also tracks all the feedback. Four for mac and azure about so it's different products percent of their. Oh yeah okay. That's a challenge because just as visual studio well actually. I'm looking visual studio. 
Visual studio for mac as a different entry and only nine thousand items only own right now. We're dealing with a lot of stuff. And so i think it's really interesting. How can how can the extensibility and and and the developer community. How can they help each other out. And so i was playing around with an idea of like what if some of those ideas that people have some of the feature requests that are kind of small in nature. Some of the ones that are maybe not the highest priority how can we make that happen anyway. So why did we. Somehow marry up the extension authors out there the community of extension authors to start picking up picking off the list of of. Let's say low hanging fruit or or things that are like lower priority from the develops so that we can have those features available so that everybody wins you. If you want the feature you install the extension and and and off you go right. You're happy so that's the thing that i'm playing around with and i have this new extension news like six months old is called tweaks and it's it's kind of an attempt to say okay. What if we take all the tiny things tiny feature requests people have like twenty. They're just basically. Can you tweak this a little bit to beat relevant better but they might be too small to be like an extension of its own that would go to the marketplace to download. So what but what if you take a bunch of these and put them together in a single extension and so that's exactly what tweaks does it gives you a bunch of of tweaks to visual studio. That are all feature requests from the community and i it's something as simple as you know. When you debug deep toolbar. That comes up automatically. Well you should have toggle button for enabling or disabling just my code right so it adds that button right there or in the upper window. 
Wouldn't it be nice if you can set the built verbosity level from minimum to quiet to like from the output window instead of having to go into tools options and find out where that is. Yeah so a bunch of those sort of small little things that would just That makes a big difference. Well some people think in general. The tools options kind of settings metaphor is just hard. I mean i never ever go in there except to You know things where i know what to do. There's no discover ability and thing like that. Nobody's gonna sit and look through all of those things from having them in the place where they're used and where they make sense and wearing the process you're using them makes all the sense in the world. Absolutely that's i think that's actually one of the other. The other features of tweaks is that when you're in the any text editor of your shar or and you right click. Though there's a settings dot dot menu item bottoms. That takes you straight to the settings for right right now. You have discover ability problem if somebody knows the setting they wanna change is no longer in one place where they have to you know. They're still angry because they have to look through. Find the right setting way too many. Don't have to figure out how to get to the context to get to the senate. Yeah that's right and so. I think there's a whole lot we can do there. And we know from us data as well. that people are not changing settings. no it's very few. It's nobody knows the man and they also don't know which setting does what a little bit when they also an only way to find if the sitting did anything to back out of all those dialogues and you just not convinced you're going to be able to get back there again. I'm going to change l. Never see it again and it's going to break everything it's like. I accidentally switched this to bulgarian. And now i can't get through the menus to turn on now no means yes and yes means no. 
What's so it's something that we've talked about for years to update to make smarter And two separate so each setting as its own you know apps like unit like atomic unit so imagine you go to the search box and you search for what could it could it. Be like turning off Signature help right on the text editor. Whatever some setting so if you search for signature help he'll be nice if you can talk that on and off right from the search results instead of having to be sent into the and once. They're like that once their atomic like that they can be used from that search but they can be used for like much more contextual place. Like i'm doing something in the editor. Could there be a a little gear. Icon somewhere that. Give me a little shortcut menu somewhere. That can tackle some. Yeah but also. I mean it's been my experience. The generally speaking when you go searching for help or anything like that in whatever product we're talking about if when you click on it it pops a browser year about to be disappointed. Yes you're not. I am that is just a signal that says you're about to not find what you're looking here. Yeah right. it's not in the app anymore and because often those links have now been changed like you're literally dumped in the wrong place entirely and but i also think throwing them on. The app is an admission of failure. It's like and then we punted welcome to the web. Maybe it can help you and settings. I think is really interesting. Because you know settings for some things are good where you have a lot of people that want different values of those settings right so take something like How you want format c. Sharp or java script or something well that is what style guard are you using like. That's very different. So having one setting for everybody wouldn't work. In that case you want people to change certain settings right to optimize their productivity whereas the another category of settings like. 
Well how should we should of behave on on certain things and and i feel like over time A lot of settings have been added that she probably shouldn't have been added. And i always kind of think back to you guys remember those the windows mobile good old days two thousand and three something like that you know we had pocket. Pc lamb pilot windows mobile back. Was that a thing. Yeah come back. Yeah absolutely and you know if you remember if you ever had windows mobile you had more settings than you had feature now if you ever. If you ever got into the settings would it would be so overwhelming and it was like why can i buy. Do i have to make so many decisions. Yeah and then. Apple apple came out right with the iphone or the ipod. Or whatever at around the same time. And it's like oh it turns out if we just make the right decisions. I and we're confident in what we're doing and we you know we supported by evidence and uses dadis whatnot. There's no need for those settings we just decided right. Yeah it works this way and if you don't agree you're wrong well or use use a different product right. Yeah that's another product for you. Opinionated products one of my favorite ads on tv. In the ninety s. and i know old but Was this had for so. I guess maybe it was late. Eighties early nineties. But it was essentially dads on a computer he goes. Hey billy onc- some dinah source. Yeah dan he's like Okay hey copy. Con honor dinosaurs dead. Yeah yeah hang on one second can fig bumper blind says. Dan can see some dinosaurs now. Yeah yeah hang on one second. Let's see a bios. And then he goes dad. I'm gonna tommy's house. They have a mack. It's like ooh and of course you know i've never been a mac. I've always been a pc guy. Twiddling those bits is always been the most fun thing for me but you know that that hit home because you they really did a good job of Just taking all the decisions away from people and and making a product that you drive like a car. Well they did. 
And i like now. They're back to having a bunch of segregating spending all the app all have a bunch of settings and now finding a setting on an iowa right. Yeah so i think from studio once you have settings and people like make their decision change them. You can't just remove that setting that easily because you're gonna see you moving the cheese for some people they're not gonna like it and so it's really hard once you have the setting there to take it away again and i think like we've been a little bit guilty in the past especially in like instead of being confident and being like this is the way it works. We've basically set now. We don't want to make that decision. You decide user decide. He checking like the fact that you're keeping the tools options for the people who know how to use it and now you're just sort of surfacing those settings in the right place at the right time i think that's the way to go man. That's awesome. yeah. I don't i mean we're it's a slow process right because it's one thing at a time one area at the time and and usually we're probably not going to do any of that sort of stuff unless we have to do some work in that area anyway. Yeah but but again there's low hanging fruits everywhere and so i'm trying to identify that this also that you have to do the research to figure out what is the right setting. The punt is easy. Because it's like. Hey we let's not decide. We'll just give them the choice and that which means actually the default is to choice because the vast majority of people never adjust it. And you know that it's just an out when you complain. It's like well you can adjust that. Well maybe you can adjust that but none of us leaving nowhere to go. You know. I kind of like the idea that you know you have to. You know sensible defaults by default was do. Does almost everything correct for your workflow right wherever you are. Whatever you're doing that's what that's to strive for. I think obviously. 
But i also like the idea that if you want something else that you then have the option to that to go digging on but you go to tools options right and you can change it or there's some way that you can change the default. I like that too. But but i kind of don't but you don't have to and you don't need to most likely like if we can get to that stage. That would be perfect right to be. The default should be always right. Yeah well that's where machine learning comes in right so that's something we've been thinking about. How do we you know. I used to have this thing for many years called. It's something that's been like in the back of my head. It's like the thinking i d like. I've used that it's kind of a mantra. Like how do we. How can we be one step ahead of you to offer you what you probably gonna need without being in your face or noisy about it right or doing it automatically unless we know that we should do it automatically I think that's very interesting because that can also include settings of force but it can. It's more like Just being one step ahead to. Oh you did this and you did that. That means you know with a high level of probability that you're gonna wanna do x. y. Right a list of advice to go to when you need it when you want to. You know is a good idea. I like the. I've never liked sorta the tips dialogue. Because they're never relevant to what i wanna do. But if something's watching what. I do like for example going to the debug menu and building every single time Something should come up and say you know if you see that habit like more than ten times or whatever some you should say. Did you know about control shift be. Yeah exactly yeah you learn shortcut keys. So i wrote an extension for that of course. Of course he did. it's called learn the shortcuts. what an obscure name. I'm not sure what it's basically what it does. Is that whenever you execute a command command. Visual studio is basically any button. Click or any keyboard shortcut. 
You execute right if you if you execute a command like built but you do from negative. Carl does it from a context menu right then at the bottom of the like in the status bar. It will tell you you should use controls so it's in your face or anything. It's just like kind of discreet like yourself. More efficient just glance down and then it keeps a log so that creates a new pain in the output window So keeps a log of of the recommendation. So you can just go back to having scott hanson. Look over your shoulder as you're writing code. Yeah yes but this one knows all talk and you can trade their little scott you do know you can customize the shortcuts right and you can assign your own shortcut keys to whatever you want right which seems like an incredibly bad on you know. I think it's good. It depends because sometimes you have software that installs itself. Here's one many cam. I'm using many cam right now. Takes over all the shortcut. Keys that i use in all of my applications like the simple ones like control one you know like for zoom it. Can't you zoom it. Have gotten many cam installed control m. for build a not build but mixed down in wwl dish right. That's many cam takes out onto a little bad. Yeah that bad but you can imagine like you can change the whole keyboard scheme to be that of You know and tell the j. or of the code or sublime text or whatever like people. There's there's some built in but there's also like download whole keyboards on the marketplace as an extension. What true scott hasn't been might not be true for whatever installation yuka with reports so but learned the shortcut. Extension will honor your keyboard scheme. That's is so. Where do we go and get your extensions again. Marketplace dot visual studio dot com and You can always search for mass. I do that. Sometimes when i forget like been grabbing the extensions like the learn to code. Learn the shortcut as we've been talking and that's exactly what it search on you know. 
Management learned the shortcuts. Boom there was. You're the only matt. Is that what you're trying to say. Torgersen he might have words with you. he's not he hasn't been a visual studio. Extension added that where he does under alias. Language that you use to write the extension subtle difference s different thing totally different. I think have over. I have over one hundred and forty minutes so cool awesome. That's it's getting like the the show. I have on fridays and i think every other friday. I ended up publishing a new extension. Because we've been building it together life coating right so come on your show and do a music to code by extension with you. Can i do that. Yeah she'll be doing. That would be a ton of fun. I would watch that. I yeah right and use it to 'cause you know i have these. Mp three file somewhere on my desk and you know have to load them up and player and repeat no man. I just wanna push the red button not the green button and go blue. The blue button. That's you know. I'll i'll i'll make a note of that and i'll put that on the colorado it. It's be extremely easy extension to right. Mike would take no time. What would take long was to figure out how to do the plano. Yeah the playlist and you know. I'm thinking download the file. It's not already local and if it is local just run it. Just read it from local and you get less from. Rss so it could be. It could be that you have a file in your user profile that list. You're lt me and so it goes in and download the morning time and just plays them. Well you get that from an rss feed or you know an api call or something but that means you can only listen to your music. Whoever controls the rss feed controls. What the extension user listens to. Now i'm thinking a url that hasn't the rss so they'd go get the meta data on the list of files from a website and then that would have and then you get into the whole game of like. Here's my playlist when code vs your plans. 
When i code because some people code swedish thrash true. I don't know why but they do. I thought everyone does. Isn't it norwegian. so don't okay scandal who've mental. I don't know it's called in. Your name has behind the idea that would we now on real quick. That's a fun idea guys. i love it. Cool what else. So we'll we'll have to be smart about it because you know you probably wanna poss music when certain events app pens nowadays the test runner explore visual studio actually hooks into the window. Sounds so you can have windows play a beep or whatever whatever sound you want like mp3 even Whenever a test run complete successfully. Or whenever i can think of a few good ones for the failure. It's all half the sounds coming out of studio now. Sad trumps. Yeah that's the hanging fruit. Do that was thinking something. More extreme. no there's the hallelujah chorus is the other side you no it would be. It would be super easy to ride and extension based on certain events like build or something like would play play a song. We can add like bunch of of new events to that so it's not just the test runner but it's build and break point hits and what whatever you were only there was a short version of brahms requiem. You could play when when it fails but unfortunately that's a kind of a extend. We tie this back to home automation now. Because i used to have an abbas tag that whose ears went down when the bill breath you know. I remember that was given on conferences. I i remember seeing it. I finally purged it as e waste some time ago. he wastes. yeah sort of reality. But we're going to me. It's definitely the lights. Should go off like the whole house. Should go on starring celebrate. And you know you know. I thought about doing that and it would be. It would be relatively easy to hit a euro like from and i know all these system home assistance. 
Or if you have sam's if you have the smart things and you use something like web core to do all your automation rules that then you can also posted your l. straight to web core to hold. It's like dad. Wrote the bill again. So cool man. What's what's next. what's new for you. what's coming up. Oh man you know right now. i'm looking into notifications. Oh 'cause we don't have enough of those. We talked about that a little bit. Well that's the part of the so you're not saying you're thinking about adding more user clearing them out. I'm i'm looking at like how we how we can make the more you'll how we can make them more relevant i and the keyword. Here's relevant right. Because a lot of people get get notifications and they don't really care. I don't think it's the notification themselves they get a little toast down in the right corner. Well that's that's not problematic. The problem is that it's irrelevant to them wars. Not it doesn't clearly say why it's important or something like that. And here's the thing is the more irrelevant notifications. You get the less likely you are to even care about them right to florida isn't important one you'd ever seen seat you're too busy clicking okay like ads and web blows so you should be able to configure their might say. Hey no you know that that happened. North gatien is low priority. So don't show it in the notification window that's fine but don't give me like a toy or yellow bar in my face. Literally interrupt my typing. Yes that's the worst yup like a modal dialog that takes focus right take is literally while your worst what i thought that was worse ones or the modal dialogs. That have an input box than they set. Focus to it so like you're typing and then you hit enter and all of a sudden you've ordered five hundred tonnes of bricks to be shipped to richard campbell's house told alexa do yesterday. So there you go agate after he deleted all my superfund hanging out geeking out with you and mads. Thanks so much. 
You're you're just like a font of extensions and information. And i'm glad that you're a hard at work on making visual studio better for us. Oh yeah this was fun anytime if come back on and giving up date on the latest and greatest. Let me know please do. And let's definitely get in touch about your show the court and we'll see you next time on dot net rocks took dot. Net rocks is brought to you by. Franklin's net and produced by top studios a full service audio video and post production facility located physically in new london connecticut and of course in the cloud online at p. wwlp dot com visit. Our website is dot aro ks dot com for rss feeds downloads. Mobile apps comments and access to the full archives. Going back show number one reported in september. Two thousand two and make sure you check out our sponsors. They keep us business now. Go write some code. Cnx time not.

Building Multi-Tenant Cloud Apps with Tom Kerkhove

.NET Rocks!

51:33 min | 1 year ago

"The Microsoft azure marketplace is the premier destination for developers software needs certified and optimized to run on Azure here technologies provides an a prize grade SLA backed location suite consisting of maps and location data for all Azure apps you can access them via surplus functions deployable solution Welcome back to dot net rocks is that it could have helped me avoid the dumbness yeah but so I'm pointing the finger at my galaxy s get started that's T. dot h. e. r. dot is slash here Asher the problem your mobile data button is off nice there's a mobile data button sure that you can turn on eight-plus in there you go that's it that's that's my better no framework for today is a confession of dumbness and I've connected to some Wi fi then still nothing and you know browsers don't work facebook doesn't work I have phone messages thing I'm in line and my phone doesn't work there's no service and I don't know what's going on I turn off Wi fi just in case and conspiracy of dumbness I I don't know if you need to know learn or love that at all no just be amused I suppose when he was off and I deliberately went to a website it just said off line right didn't say your mobile days off yeah there there wasn't anything hey I mm story it's all right it's dumbness but also the phone didn't help me at all it's okay here's the story I'm out and about I'm shopping or Carl Franklin and this is Richard Gamble Hey Richard you know what what I hate my phone there there goes all the guys listening in the car with their kids right you know why I hate my being phone roll the crazy music for better no framework and I'll tell you so I know like I don't have a problem there and I just Kinda put it off Oh yeah I gotta go to the store and the at and T. 
Store and let but then it becomes really annoying and like you know at Dammit I got a few minutes I'm just GonNa stop into the ATT Store Guy Pulls up the phone he goes here's tell me your story so at first I thought the story of dumb was me that was dumb and you know there's a little part of my being dumb in the story think you're trying to reach a website and your mobile data is turned off would you like it to turn on would you like me to never ask you again you know there's so many ways on and off now so that's where I felt really dumb because oh the fat finger it or something but the thing that makes me Really Mad Richard is that shing topic dear to my heart I spent many years working on these exact problems I've built a software package for connecting a thousand recycled parts dealers using MVP performance is far better with only a few sequels databases and cashing is much more efficient. Yeah as for the code I found plug INS worked pretty well for customizing things per customer extinct to build one database per customer right is wrong don't do don't do that in a rewrite a few years ago I decided to do a combination approach databases back in August of two thousand sixteen talking about multi tenant applications right this whole idea of how do you support multiple customers off of a common code based up in the cloud right yes go by and definitely follow us on twitter I met Carl Franklin he's rich Campbell send us a tweet and if it doesn't go out check your mobile data button there are trade-offs as always maintenance is now much easier but restoring backup data is harder yeah you spread the data across multiple different places getting to compensate is tricky awesome buddy figure it out for me I just put it off put it off because life is pretty much everywhere in my life right yeah he's he's living on Wifi yeah so it's not a huge priority designed to house many dealers date single database the system can also be installed on site with one dealer or more 
replication since shared data between each installed database always a safe bet that you've screwed up yourself yeah but in and I'll tell you how embarrassed I was when I found the solution to said of course the databases convenience you for that as well on an all in all was probably no easy answer and the usual correct answer is it depends always it's just a little rage rage all right who's talking to us today grab show thirteen thirty two when we did with Paul stovall I'd say that I can't say what phone yes I can because I have the power of the bleed if Ding Ding king sucking bone is your architect is a member of the as Zog crew as e. g. and has been a Microsoft azure MVP azure advisors since two thousand fourteen having me again yeah how about that comment from three years ago that was an interesting approach to solving a problem he turns coffee into scalable and secure cloud systems and writes about his adventures on blog dot COM Kurkova Be Welcome back Tom Thank you very much zeon sequel server part of the package includes alive meshing system or a single message can be viewed by many dealers or just one in a direct mode and some of the data shared in much of it is not you can see tom around on get hub maintaining premature in Azure deprecation or contributing to projects like Canada Kate. 
Eda and Arcus all the good old cloud native stuff clearly need for three year old show it we had a lot of comments on it it resonated a lot of folks comes from Wayne Hiller who says this was yeah it's very circumstantial and non trivial but it's great tips sort of Bang through the different ideas faces ways and approaches to and now that they're talking about data I think that's most one of the most hardest things Luke legally certainly with it depends yeah a I think it always depends on the application in Tennessee are broken is almost zero that's probably right there's a half dozen antennas they're tightly interwoven their fragile as all get out you drop your phone I started out using a single database for each dealer which quickly became a nightmare to maintain the middle show was three years ago by one of the big themes and we were talking about multi tenancy was you haven't he just didn't work right after a couple of times and he just didn't work right after that okay hey let's bring Tom Tom Kurkova works for Kodak as an if you're sharing a database then it becomes more tricky right of course sequel has like this so you could roll levels he didn't smashed or anything but sometime later you realize just at work right now it is often it's like one of your in tennis is now broken yeah I had a nephew like that it question I think in terms of providers like actress who helped you build better systems certainly has all but I think soon acquired that you have isolated thank afoot customer because they need to have access to their data and if you're sharing who suffered with the same challenges on everybody has its own opinion out to do things we chair databases that we'd not share the even direct acid database you've got problems like that seen as like a mistake I would much ladder rather give them an API level view then give them direct access to tables yep so we have talked about Montana's in a couple of years I hope things have evolved is it gotten easier harder 
that's think about shortly so basically spreading your data across Barnard more databases and the older you should that you you're going multi tenancy you've got customers spread around the world yes or no take partially shared databases and restricted us to only the pieces they want although I would argue the real issue is giving you're trying to run a SASS product for someone building it and what the needs are the common don on one database for customers and interesting example because some so the reason why shopping is interesting is that we don't want to have one day Abass Shaping But I know that approaches to scale out so if you use a lot of small databases ask me how I know oh I already told you know pretty sure you know how you know the one thing about phones that people don't realize they have so many antennas in them that the chances that none of your it's way to you and if you'd like a copy of Mexico by Red Comment on the website at Don Iraq's dot com or on social media as we publish every show to facebook and if you comment there and I read it on the show we'll send you a copy Cardi B. S. 
in general I'm only using azure sequel moments but the the beauty is typically pay for one database basis wants to give them access the today that will be given access so I think it helped to a certain degree and we are reaching a point speaking just had a couple of more charge newer re-balance hope the sharks and we have more but it's still not easy to yeah I appreciate it is never going to be easy but maybe there's some tools that make our life a little simpler next every database has a specific skew sign so that means that if you have one hundred databases you they one hundred times the pricing at the and only give them access to that but Yeah again it depends how far do you WanNa go yes that sounds very tricky he's got a thousand US parts dealers to say they're all in one city you you could still see a case for using COSMO's DP just to have multiple end points the main that you're working with so I mean we love Cosmos DB but the that we're talking about charting it's really about Gio district in the same geography yep that's really interesting I thought about Cosmos DB that way well of course cosmos nothing it doesn't matter on- only in for what's inside the vote so instead of under utilizing our databases we just created the ship bull every database takes what he needs from that so you basically have a better way of governing the resources across all your the deal this and yeah you know starting with this sort of admission that one database for customer not not GonNa work out for you're GONNA be sad yeah so wayne thank you so much for your comment a copy musical buyers action you're always have to define what distribution cable so Nathan spink aheads how you will want to scale the data and I personally still find that one of the hardest starts and also requires understanding there there are a couple of shopping patterns which who needs to choose from how you will distribute your data but also if you're going to you're paying by the pool and how really it's 
more utilization exactly however there's also a tricky part because if you have a very one deal to have failure right so in the case of our our our listener Wayne distributed you need a unique identifying with what's that unique identify goals critics harmful if you create a nuclear so let's say we have one hundred units you could say that every database can only use five units them on if they want they want to use Moore one you're one of those multiple applications because when you say milky people always database resources to keep up their performance but the the big customers going to struggle with performance not everybody else yes exactly defense because you just signed the deal with a very big company like let's say Microsoft which has a lot of employees house you create a computer pool for sequel databases where we say Okay I want to provision one thousand units the elastic foolish also allow you to define the maximum on the maximum amount of compute at one specific database can use it's pretty cool I like that they've they properly cloud defied sequel server here for multi tenant it's really neat Yep and even if scale is scaled up database up and at some point there will not be a big ask the people what using it so you do have the ability to do some Geo options to keep databases close too close to your customers yeah you could still have database per customer and we can debate how smarter dumb that is but you're not paying for the database per customer that you're using even if you're only five percents imagine you have something cool which is called asleep as the pulse and basically the data you know this is this is my question Tom that I opened with like heads things gotten better this sounds better accidentally does yeah and a lot more confused and the limitation on the date of his level is a loaf highest so if you're suffering from issues nobody they more it's really cool he even nowadays have an elastic life where they basically do the partition 
mapping for us that's fair there's other storage mechanisms how do they work melting tendency things like the the blobs in the table store and stuff like that they did it's an understanding of how operate how to support SAS inside of something like Azure like they clearly are making products to make our lives better I'm excited about that let's say you're Providing and you have multiple pricing what we've seen is that you could basically reflect the in your elastic you might bring down the other one's inside right so needs to keep in mind that this is a certain risk now the good part is that the only the store I think right sick royalists Philip Alad auction put this because what you're sequels specifically or just you know have multi tenancy features as well I've not used them in these scenarios but as far as I know I don't think they have that out of the box needs of data storage when it comes to all the tendency I think you can already get pretty car now that it sounds like a great mix right if you prefer relations computers to distribute them across so it can be and the chill distribution but it can also be just in we'll give you more and it's all owned by I don't have to build yourself nice built in this is just you just to find different pool so so you answered right you're so between elastic pulls for Azure sequel and causes DB you feel covered as far as the which is now Colts Vinci views and in that bull at all my databases so if I have one hundred or two hundred eight the now I think in terms of Sean Dang also depends on how complex you want to go because if you have one database cuts so let's say we have bronze silver and gold weak create the full custody and if you're the Gulf customer with basics orange but if you're really a high scale service with a lot of cost the national mourning ethnics you need to have let's say now but you know in our industry we always say I I can also right it's you know I right so then I know that it's good right fine you 
know one of the things I always liked about cosmos DB ways that I could just point a Mongo DB endpoint at it and it worked Nikki down that path it's not much to do oh you're just define how many shots you have and shot his and the live at eighty it Thurmond's with the shot this located for you okay and but at the same time you are the notified by that and you've got this big new customer new expand the pools of they have enough argument for for database per customer but it does you are taking on some management problems or do you feel like the tooling is good enough now that you could make that work I think it's a good start then I shall keyholes can be shot mouth as well right what we've been doing for some customers is okay we want to connect used charting throughout the G. Ones but they did not do geo distribution that's about as I remember of all the data stored them because one day abates is a single point of failure but it's not scale well because the only approach medi yeah which I the nobody's built cheaper multi tenancy or cheaper multicolored solution than Cosmos does she realistic and well now lasted pool seems like a pretty good way to go. Yeah what about identity in the context of multi Tennessee like you mentioned using key vall to figure out what Um so again they're coming right it all depends on what you need to do yeah and and I appreciate it there's the occasional the FBI which automates all of this audio you need to have a shot at G. 
across multiple databases uh-huh because API management allowed to get context for a given Use It yeah so what I typically prefer is if we already know it from that it's global scale application you just the liven it does not take into account you just at let's say the charts while you're the petition key and they just who I'm out of luck I'm sure but but let me three years ago we show with I think visuals talking about it Nappi Management I get an eight the I for example if I if I do requests with that he api management knows that right so if if you would want to use the azure storage Khambatta Milk Ethan and that's one way of building her own shot method Echo Michio level it's really nice for example what we have was we would onboard you just building. API So in terms of API suits we find it very simple to add the management that fronts nate granular. You're not just your honor your off not you that's that's Yeah I love that just like your customer and we have API to get the state this officer process I'm basically they were constantly hitting hits right and I can't abuses anymore exactly and is it sort of an all nothing thing if you throw them just shuts them off or limited them like one call every five minutes like what actually actually time management it's very powerful they give a lot of analytics both on the API level but also on the US level operation Pi Management and What I liked about it was also just you know when one particular customers abusing your API can cut them off without impacting else? 
Yeah I think it's pretty powerful I need to use compulsory fortius that as a shot for example but if you're going into the whole as should the world's than we would very easily able to determine who was calling and for all the time and then we just decide hey unique back all over the call it system get cool so he could write a policy that's -At's HDTV headed for example phoned just it's interesting to think in terms of he's not even a multi tenant APP per se it's just one context but people are effectively calling but that's a real insight for me Tom this idea that I would put api management on stuff. I'm calling yep well it's not that your call scholarships I mean it's it's not cheap but I was GonNa say if you want to have that the Chiel scaled down I think it's cheaper so that we can determine which it is so an example is it five developing four composer and create an a is subscribe through improper so you know he does want to put a limit on that yeah and I think we're building a multi tenant service or just public services yeah that's really that's really interesting to just think in those terms made little out of context molly tendency but but in the context of how do I keep my system up and not get it if I'm not mistaken I think troy hunslet using this for how they've been phones right yeah because lots of people are redeeming have I mm for web APP back ends and real time data streams now accessible within the azure marketplace simply go to T. dot h. e. r. 
dot is slash here Azure but he was actually going to you know you may think you can do it but by the time you get to the end of it Iran still has to serve the database for and also just to get the secret with the name sequel bearish also and that's from actions during that charred databases but what about the accounts as a whole is there is there a good strategy for dealing with that and that they are doing going to tackle you then we add trickling and that literally the one minutes Maitha Management Fall Asleep little knob right click there the multi tenancy side but it's interesting that that's the limit of the identity you need to deal with it's just like what Ki- you have to get access to the API is yeah what granularity to have on that throttle high would make the check but I think you on certain how how much they they are been troubles his API when they're checking their stuff so to limit that is smart Yup just went if you take them you're good to go carried yup without just pay spending more more and more which I mean that's something troy certainly talked about is you just keep turning the Knob but have I been phone doesn't directly generate revenue in but let's say that you're using web polk's what I'm seeing law that people start spinning up functions and logic outs etcetera to handle those but the behave we're only gonna let you talk every five minutes how about that you can do it on on different levels and it's really nice in general that having an API gateway is always decision a if it's not thirty accustomed it's forty commission yeah batch tenants and full of oats upstream may be I saw a dead your syrup is not okay for all the credits on the data level chance by the US coast most get yourself lots cheaper solutions that have the same features not that I'm aware of at least does somebody comes by accidentally elites the function the web book will be broken because even if you recreate the same function issue with those is that they have generated name 
and the O. L. So if you start integrating function everything's grape today meant the moral the moment this very important message hey what are you doing Monday November fourth how about Monday November twenty fifth or Monday December sixteen allowed this to provide context information when we were subscribe to updates that's actually very good concept because configuration and maybe our management's but even if you're calling your own services internally coach without knowing hey tom how do you describe a Web Hook what is a Web Hook Aleppo that's tricky lights we would receive updates Fiat arrests and we were walking them through API management's now so the authentication mechanism to basically if we wanted to integrate we have to expose a publicly available and points even if they think calling me doesn't know how to pass credentials listening to that because that service provided that's not nice to have so I know getting what's unwise certainly so at the beginning it was it's well I'll be teaching an online service side Blazer workshop on all three of these days in one day we'll deep dive into blazer in on our API was fully secured with mutual except for one points so that was kind of security flaw I web hook calls into an API makes now one of the tricky part is that this service provided that not support file uploads and signal are for collaboration between clients all of this using the free version of Visual Studio Twenty nineteen community edition and no if you're received flights how do you know how it integrates with your application meaning Howdy annot which customer is third party tools only open source tools and what comes with dot net core free go to blazer dot V. 
necks dot com for details links in fact it's or wants to know about that information so basically we were able to at the order number in the registration and when they build an application with e F core three reusable blazer components API controllers ask peanut core identity user and roll management it bogged service and they basically say pay for describes we want to get up and then for every so basically we limit the exposure through the gate by which was done security check this aps. Yeah that's all trick is I still want to secure it even if the the web they will basically including those so we could map independence and the order go I'm gonNA interrupt and if it's fabulous reformer it's the upstream FBI which was then fully secured and even the Westbrook and points labeling effect like being able to make an APP look the way for the customer the way they want to do you dig into that sort of thing changing code based on it doesn't have a bunch of API surface area. Am I wrong there tom like that's kind of normal right yeah I fully agree what about the whole white uh given customer account do you mean providing I'm customer specific large I think what features you reveal about multi tenancy and I think we've got down a little bit of a rabbit hole on the API side but I think there's no SASS OUT APP out there worth WanNa make custom versions of the software anymore you WANNA make separate databases I'm we did that there were certain degree would we show yes so that's also a lot better where feature nobles is becoming more and more of managed by another team basically decoupling those services from the other team has the breaking changes the commit the Infield so we decided to just about follow-up upstream managements and have some check in to see if it's valid approach where because the name was basically a block campaign which refers to the correct a putting the customers logo into the APP they those kinds of things from the APP looks the way the customer wants 
without a lot of work for you right it's you don't turned off so you know will turn but you could pay for them we'll turn it back on when lucky customer gets to test your APP today Nice it's really nice and it integrates with adult coach as well if I'm not mistaken yeah you get you get to the they saw it as a competitive advantage but it does take a certain kind of customer yes you need to be open to embrace issues basically goats as far as like feature switches and things I mean that doesn't sound particularly difficult I probably do that in a vault as well right it's what features they're paying for have access to I should certainly now that you have things like cloudy and Van Thing Cipro with web-post I'm loaded voting machines to the other two workshops are listed there see online and we're back Donna rocks I'm Richard Campbell Carl Franklin I'm here Tom Kirk off Oh go there a company name it's Chitra which was indeed exposed by API but we did not providing fully customized this is there is now tooling for this but you still have to write code to utilize stuff properly like yes that's correct and it sometimes used yeah well we keep one code base but stuff was turned on or turned off and so the nice thing was when it went wrong you just switch it off you didn't have to do a reinstalled lovely yeah that's a good example of how deployment drinks can help you because if you have a baked set of customers anything like that so it was quick to revert but I I don't know how people feel about this but we soon as we tried to run multiple versions of code life got horrible and they're willing to take some risks and so they were leery pool that said these are the guys are willing to try the new stuff and they've got close monitoring and so we would push the new bits of them I small feature snack in the configuration but again it also depends on how far they want to go do you want to have a general switch for all the custom Hugh I and what we basically did was we thought 
all the informational national love storage and then be used a convention falls which will just tell let's say knobs defend things on but now new on the issue was that if you want to change something you ada testing new features only some customers are on one server things like that but the idea in a multi tenancy APP of you know you've only paid for the teachers the other ones are going to be accepted an easiest and now I should actually that he has it built in so in the fos- we have configuration multi tenancy and they fed off If you need the Mike Nature data what do you do if those go southward how easily people but nowadays there's also a service called patch apt configuration which is basically feature flags as a service returned on now I think I answered that ups his also great example of how customers scan open foot features not unhappy they can just doing it back I mean this does bring up a whole other conversation point about updating multi tenant software you do not want to deploy to all of them and I think that's also what you did but you can create rings video I deploy new version though very small subset I have to before the reasoning or have to change things manually right and that's basis he was shot the date for solid them now over there it's already here because sometimes stuff breaks and in this case when we've tried was strange we were breaking their websites they had words with us when that happened and then the third model is you have multiple stance off the application which are using shifts from eighth Leeann as well coach they want to have a switch folks on the clerk customer basis or they want to go percentage based and I've always thinking feature flies away nate on the database what you could do is basically proficient any web database I am but they individually updates on this damn veg down basis so again Ben's on how we know that that's also some misconception multi tenancy because there's different models for not so yeah it'll be a 
customer's than you promote the bigger brew and then to the late the blast radius of the bad version gets out some kind of shovel and what we've seen is that GonNa fix this very important let's let's the simplest approach this full isolation if ghosts Abe rakes be as impact it's because Eddie could just have the deployment brings that I mentioned another approach was what we already discussed was that we just have one API multiple David like you don't know what you're struggling version there on the set of problems aren't like all your documentation tech support and stuff gets harder there's only one copy of the code and you just dealing with what features ear so you want those multiple instances it's just a question of how many versions are up and live at the same time everybody yeah it it's tough you especially if it only got one customer with the problem right or you got to customers go with it the easiest on you could have full isolation

Visual Studio 2022 with Simon, Anthony and Andy

.NET Rocks!

56:18 min | 2 months ago

"Hey carl here you know. There's something new from our friends at text control. Tx techs control supports the integration of legally binding electronic documents signatures into your s peanut core web applications simply use microsoft word documents. Prepare them using the texts control online editor and requests signatures from signers. It works just like well known. E signed services but runs on premises in your infrastructure without sending storing documents. Somewhere else to showcase typical workflows and the text control electronic signature technology. They published a fully functional demo. That can be used to create and request signatures signed documents and to validate executed. Pdf files see the demo at e sign dot text control dot com. That's esi dot text. Control dot com. Welcome back to dot net rocks this carl. Franklin and richard campbell. And where. Wow this is going to be a very special episode of Dot net rocks. We're talking to some microsoft peeps about visual studio twenty twenty two visual studio pm in the room today. That really is. The room is very virtual. Because we're all in our respective homes. Yeah but it's good. It's going to be really good. I guarantee you're gonna learn something before the hours out starting with better. No framework awesome. Roll the music. What do you got all the time this comes out. This will be a couple of weeks old. But you know. Richard we used to have dot net rocks podcast apps in the app stores back in the day because we were before podcast was a word so we ended up having to invent a lot of things. Yeah exactly well. They're not there anymore. Obviously they're even looking and they're not there so i decided what i would do is on my youtube. Show the dot net show people how to create a podcast consumer app using zaman forms. And at the end of it. 
We're actually going to come out with the, we're going to, we're going to end up with dot net rocks custom app. So interesting. Including publishing it to the app store, so we will have a dot net rocks app. And if you're interested in those videos, go to the dot net show dot com and start with episode two, because that's sort of an introduction to Xamarin Forms and all the different ways that you can debug and use emulators, whatever, and connect your phone devices, and then we just start rolling with series basically a building out the iraq app. That's right. That's cool. And you know, I heard a lot of complaints from people in the Blazor community saying that there's a lot of demos encounter in whatever but there really aren't a whole lot of real world applications, you know, that we can see being built race at a time. So that's why I'm doing. Good idea. Like the dot net show dot com not learn it, love it. Nice. Who's talking to us? My friend grabbed commodores. Show up sixty three. Which is what we did with one. Kendra Havens may be heard her talk about Visual Studio twenty nineteen productivity. I published back in November two thousand nineteen and picked it from this show because all my alternative choice is the only one of the guests has been on the show before he's Anthony, but that was back in two thousand and eight four five and that's just like a little bit too long ago. I was a teenager back then. That's a long time ago. So but I mean. VS twenty nine project. He's clearly koenders bali. What to right now. Is she deeply into that. Space and Wayne Hiller has this comment from about a year ago: so excellent show is always. I love listening you Kendra. The timing of the show was great because the just the next week I decided to enable code analyzers seizing FxCop as well as the null reference types in my solution with two hundred eighteen projects in it. I was amazed number warnings could actually go that high.
I love the ability changed severity and suppress errors from the it. I do have one core. Three ot project mrs back in two thousand nineteen that causes the id to throw an exception when changing the severity from the ide all at all. I love it though. Applying all suggestions can only make me a better developed. In the long run so thank you kendra for being passionate about the tools they use every day. You and the team or make my life better with police. you know. that's a really good tip on how to get rid of bugs in your application just suppress the errors. That's it turned off down at. The air doesn't get raised. It doesn't really doesn't really count. Yeah that's the important part as actually So waiting thank you so much for comment of copied music buys on. Its way to you. And if you'd like a copy of mr co by read a comment on the website at dot net rocks dot com or on the social media as we publish every show to facebook. And if you come in there and we read on the show we'll send you a copy music. Oh and definitely. Follow us on twitter at carl. Franklin he's at rich campbell. Send us a tweet and use the dash s. for suppress the errors a lot of tweets. There yeah all the time. I'm always getting errors. Because i don't learn the syntax. Tell us four. I don't need i. Just keep typing dealers squiggle. Go away exactly. I right now. Let us introduce our guests anthony. Cangelosi is a principal group. Em visual studio core at microsoft and a dot net rocks former guest. Simon calvert is director program management and developer division at microsoft and considers himself lucky to have some great teams that work across the visual studio platform visual studio dot com and subscriptions and specifically developer services. Andy sterling has also here. He's a dev tools product person currently working on the debugger and diagnostic tools. In visual studio microsoft. The perfect group of people to tell us all about visual studio twenty. Twenty to welcome everybody. 
Remarkably quiet bunch short show. you know. it's probably my fault it's my fault because host. You should never say welcome everybody because then not everybody knows when to respond so one at a time. Welcome andy straight to be a welcome anthony. Thanks for having again welcome. Simon hits be hit excellent. We're all here. Welcome richard friend. Yeah i appreciate. Anthony is a long time ago that you realize the show episode five and this is what seventeen thirty nine so you know thirteen hundred shows but you were with rico mariani. At the time the two of you came on to talk about visual studio extensive. Are you gonna tell and eight timeframe. But and i think it's rico's no longer with the company. Actually he's moved on all. The weight works for facebook. now. I don't even know what to say about that. He has moved on. Yeah i do remember. That was an interesting time because it was a great person to work with. I've learned a lot from him. I just want to say up front that we're not doing sixty four bit to spike rico. When i saw the blog post about sixty four. But it's like didn't we ask rico mary-anne about that like a million years ago and he was pretty adamant that it wasn't gonna vise anything. I i think that was the show that had me really realized that we mythology sixty four bit that some of you make something sixty four bit thing will be good and in reality he reading. Nothing changes right. You just have access to more which may or may not help anything. There's certain things get better and their problems that that you have to introduce and deal with. Enrico certainly realize that early. I and you know he had some really interesting points. That certainly drove our perspective for for a long time at a great deal of value in terms of moving more of our operations out of process Which which gave us more freedom to paralyze but You know there's only so much you can. 
Do you have to really three up visuals city solve to give it more room in memory and i don't know i need you know you've really been driving a lot of charts today in perspective if anything i down a little too biased by rico in the past you know what you think about our changes. Yeah i mean. I think the first point is back when you by that. That was two thousand eight. We're a long way from that now. And so the same things on necessarily true in terms of in if you funk about i mean now memory is so much more available like you said. It's not a magic bullet like it's not going to solve everything in the question to like. Hey it's gonna make. Vs faster the answer is it depends. It really does depend on what customers doing. But it certainly allows customers with you take advantage of that hardware and it is twenty twenty one now and there's a lot of workloads that in benefits from having that extra capacity to use extra memory to use. It doesn't mean you should not use dispose and you shouldn't worry about memory leaks. I mean granted the conversation around dispose and all that stuff went silent after sixty four bit. I remember that exclusively. But that doesn't mean that you still to allow memory leaks just because your assistant can now absorb them probably easier. It doesn't mean. I'm making sixty four bed apps either right still clearly. There are my experience especially in the web app world. Things like that like you. Just no reason to compile sixty four bit ballots thirty to bet. Unless you need that memory. Yeah we're not changing anything about how customers can build apps type of apps that can build like visuals always supported building app type. Snap your bit nick. For example swamp is a target platform. You can about tiger balm and things like that. It's no reflection on what your capable of visual studio as you mentioned. Each app is kind of has to make his own decision. What is best for it and it's hot to say like there's no wool as a k sixty four. 
Basil was for the win. It's not going to be it. Depends upon what you're doing. All we know for sure is compile any mistake. Don't go that far but women it is it. Why is it might mistake. Yeah my experience compile. Any was was great as long as you were always running thirty two bit machines because as soon as you tried to run on a sixty four machine. It crashed the chances that you had your sixty four bit set correctly. Actually the at properly. I don't think. I don't think that problem exists anymore but but i don't think we tend to do that anymore either i mean hopefully attesting happened sixty four bit and sixty four bit systems that make any two bit. Windows client is anymore right. I guess another aspect of this is just like a lot of stuff. Sixty four bit offers a sixty four bit. So why wouldn't we be cuss. Everybody needs a fifty megabyte. Gigabyte were duck. Everybody we got embed all that power points in there are four k images and videos. Oh yeah got to put that thirty to good use. Yeah that's right. How did you guys know this is simon's job is really being the mole videos. The bada who. I think running lots and lots of thirty two bit. Applications in sixty four bit windows is really the way that most people work right. There aren't a whole lot of cases in the software that i run except for. Maybe you know the adobe suite premier and you know stuff that works with big files where i need all that sixty four bit stuff so why does visual studio. What is visual studio. Gain going sixty four bit. Do we really need to load two thousand projects at the same time. Is that the reason or is that just the side effects and you do. If you've got two thousand projects. I suppose you're gonna be your choice to be fed. So i think the advantages again. It really goes back to the russell sets of customers do benefit from this because it's not just the lodge files that use over time like he. Is you open for days. 
You'll grow memory like it's inevitable Just because you're doing stuff like this. As you mentioned like photoshop. People live in those tools to and they have the same sort of challenges whereas other apps us don't have the same challenges that people are living in them constantly essentially days on end and into doing heavy workload since really Perpetuity it's ma'am will be the right choice for everybody else. It's kind of up to your app so currently in visual studio two thousand nineteen. I can compile to forbid application right. Absolutely all right so if that application while i'm developing it needs to have access to more than what is it four gigs of ram. Right then a what happens in development lake it as like the visual studio components at design time like the editing tools and a runtime of bugging tools independent of the business of the app that. You're you're building so like the you can kinda joke del. You can build an app. This targeting a phone or an device or another thing and they're independent from what your needs. Are things like that so most most of the tools implemented a setup to be able to talk it across business. The what i mean is that you're building a sixty four bit at that will target sixty four bit and let's say you're building the next. You know premier video editor. You wanna test this out. You only have a thirty two bit infrastructure with which to work right in visual studio or do you have to compile it and then test it with lots and lots of big files or whatever whatever it needs to load in memory in order to test the limits of what it can hold it depends on the tools using testing that many tests from processes that units sort of things And so again running inside visual studio in the may devon presses visual studio. You have four gigs ram velvet and that's it in the main devin process but Today is not just one processes anti mentioned many things. I can pilots for example Process and they can do whatever they want. 
They choose the business. It's appropriate for the task at hand So many of the tools work that way today. It's really just some of the core devon your experiences the changing to be sixty four so i just wanna be clear on this if i write a new sixty four bit targeted console apple. Let's say and i load up a five gigabyte file in visual studio two thousand nine hundred thirty two gig and i loaded up and i want it. All in memory isn't gonna break in. Visual studio will not allow me to load that in. Because i do have sixty four bit types in visual studio but what happens in there i mean i know if i compiled it in iran it if the sixty four bit it would have the memory allocation that i need but what has inviduals you if i try to do that today. And in this case vichy was trying to open that five gig file. Yeah so unfortunately depends. So i think quite a few language is other things. They run out of process and they converge wise. It's contact like visualize the actual that the file reading essentially because presumably going to fiddle five gig in the screen at the same time unless it's magic magic dense file So you can read subsections of its so but it depends on what language service it is. What file type it is. The reader is 'cause you know she has the nba the too so. I wouldn't be surprised if you try to open a five images you do that. Fold over That's what i thought. Yeah i think it's going to go but you've got excuse you could shoot yourself in the foot. That's always a possibility right. Yeah but i will make you really long time. I didn't say it was a good idea. Just what's going to happen so so the developer experience when dealing with large files is going to be easier in a sixty four bit visual studio clearly. Yeah and i. I don't if the mutation we've ever really encountered single file. Viewing there's five gigs. Each file out that nano. No of course not. Yeah yeah it sounds like a refactoring opportunity to gas could function. This function do stuff. 
It has one parameter which is XML file but it also makes the question like what's going sixty four bit then. I mean already Visual Studio is abundance of software eighties. A bunch of processes. So is it devenv.exe, like, that's what's gonna be sixty four bit? Yup, some of which actually has already gone to sixty four bit, you know. Some of our debugger components had had switched over to sixty four bit. Was it in business. The two thousand seventeen and we introduced a sixty four bit version of our debugger which allowed us to attach to huge processes in those releases. And so we've been really on this journey for for a while, long before it's really kind of the last stage of that journey is bringing devenv.exe, the the process that's running the shell of Visual Studio, that's loading all of the extensions into Visual Studio, all the language services and project system, and when you take those components combine them with huge solutions in a bigger solution to solutions that are getting bigger and bigger that we were really starting to hit the upper limits of of of what four gigabyte address space could could really do for us. And there's always so much we move out process before we really had to kind of expand the the break the glass ceiling Visual Studio. So I suspect it for the past few years you've been okay, let's pull out a process, pull that out of process, and some points like I've run out of things to pull out a process, I just need more. What's going to break extensions is the. That's what I was thinking. It's like I have a bunch of stuff that I installed the Visual Studio that kinda, it's not my Visual Studio till it's there. I think Mads is going to be a little mad. You mean Mads Kristensen him off. His ledge got forty thousand extensions to be recompiled. He's already trying or time.
Yeah they had a show just recently on this topic of Moving extension sixty Good on the bright side though are extenders have been super excited about this as much as we're bringing them you know you've never seen a group so excited to be broken As as partners in men and we certainly very deliberate about that but in this particular case you know this is as this all boats a little higher right like that are are extensions that low actually loaded to the business process most of the time and so that increased address base that we're making available now visual studio not only gives you are face to our own processing. We were running but when you have extensions installed though not more space as well so sometimes some of that Upper limit that we were hitting that would be out of memory. Exceptions was as a result of you know running student with a large solution and a number of or on top of it. Whether it's the sequel ring moser's number of different third party extensions all that value now. You can continue to use those tools. You're less likely to hit those on memory. Such that's great. i'm just thinking about what. What does it actually take for the extension builders to move to sixty four bit is is just recompiling the code to make a sixty four bit version or is it going to be more complicated than that. It's a bit more complicated. If unfortunate cases of recompiling some guys that have had to break the studios has a very wide broad set of public api is and some of those guys were redesigned for thirty. Two bit welt. And you're the in sixty four bit. They were using the today would result in. You know frankly weird behavior because things will get truncated like Point get asked to us in just thirty. Two bits looks could be missing range and so but then changes a mechanical biolog- like okay don't use u. indoor. I didn't use pointer or type change like that and this quite a few especially. 
When it comes to components they interact with the native sides of Are unsafe mode. Yikes that ought to be fun. I guess we're also thinking about sixty four bit calm to write like studio is got many layers to it over the years and i i know you guys have been sort of digging some of those old layers out as well. Awful lot of cop but there's a lot of common studio so to get de deb over to sixty four bit means that a lot of all of that needs to be addressed as already been addressed. I need to translate com okay. So all of the millennials listening this is an ancient technology was introduced in windows ninety five that really everything on for developers provided new can see it go by by dawn. Box said com is left. He needed to sell it because it needed to be sold. Yeah it worked that out and it was all of course it was. I just remember the engineers. The company where i worked looking at calm and saying it's just these long binary strings of stuff all pointing to each other in this big cross section list called the registry. It's binary crap and who knows what's going on in their secretaries are supposed to be able to understand this stuff like the nineties early nineties. Yeah when it was object linking and embedding gap. That's many i we. We need to come back to twenty twenty two or twenty twenty one now for that but it sounds like you've been doing the work under the hood for a while so it's not like he decided. Hey you know it'd be fun. Sixty four bit. Twenty twenty two like clearly. There's has been building up to this moment absolutely. yeah we actually had some incubation. Did over the last couple of years that allowed us to move large sections of visual studio over to sixty four bit and it was through. Those experiments showed that yes. We could make that. 
Make that leap with the platform and as we were able to do that with the core platform we started to look at the opportunities when the right time was at at make that available for customers so with visiting a twenty two coming out. This was a really great opportunity to bring a whole new set of value to customers that that we knew would get customers. Really excited about what we have simon. You've been quiet for the first twenty four minutes of this conversation. Do you have anything to to throw in there. I'm just kinda lurking. Okay yeah i mean. He's kind of into the queen guy that through this time we have been making these hermits united nations and so the sweeping moving through some of welcome. We felt we had a good position on with with these doing as well as we at the component. Trie everything that constitutes she will sue being able to actually make coach toward sixty was a really good opportunity. Do you anticipate that. The developer experience will be improved. Whether that's load times or compile times or less time we have to wait for windows to shuffle memory around or or or bugs can talk to that off. I think the It depends there are certainly some star is that hopefully will benefit from this more than others. For example you mentioned shuffling memo around like a challenge with any sort of managed application is garbage collection. Just have to be collected. That's typically results in the freezing threads your customers manifest as like posed unattractive no response of very very intensive memory weren't have the would have as much pressure on the dc to collect stuff because as more memory available so we talked about. It's not a magic bullet. It's not going to make everything fast. Some operations in some conditions will certainly be faster and it's not the end. Every address is bigger now like there's an overhead to running sixty four bit too. It's not it's not free. 
There's a cost like you get extra edges on the obviously but like you said the is you larger like everything's bigger physically mean bigger space. Yeah but i got an i nine with one hundred and twenty gigs of ram. I'm not really worried about that. It's mostly laying around smoking cigarettes and wait for stuff anyway right so you might as well put it to work. I would also point out one of the things that happened. Moving from thirty two bit windows to sixty four bit windows was they went to the purely signed driver bottle like after we got over the hump of actually having good drivers generally windows got much stabler. I wonder if switching to sixty four bit for studio is also an opportunity like that sort of shake off. Some croft of the old systems and increase reliability stability. Yeah i mean said he potted a big pot of this instability like the biggest thing that is impacted by route. Sixty four his vision. When i was memory as much won't crash stars starts at a memories of reliability is huge and moving to sixty four bit. Yeah we have to bring along other things and some of those. Things will be opportunities to move Breeze or different approaches to doing things. I'm so there. Is that opportunity as well. Each team hopefully will evaluate take is needed Clearly targeted for the the dot net six timeframe. so we're deduct continues to evolve alongside studio as well this this. I think it's worth also out that. Even though the move to sixty four gives us more reliability. There is so much more happening in just a twenty that relates to performance and reliability beyond that. And you know what this seems like a good time to take a break. So we'll pause here for this. Very important announcement will see on the side. Are you under increasing pressure to ship code faster than ever before. Then it's time to work smarter with ray guns. Modern approach to error in performance monitoring. Raygun gives you instant visibility into the health of your software. 
And what makes it so unique is that it not only tells you when something's gone wrong, it shows you exactly where it's gone wrong and how to fix it, right down to the line of code. Made by developers for developers, Raygun has built a suite of monitoring tools that are used and loved by thousands of software teams every day. Monitor every corner of your tech stack with widespread language support and native integrations with GitHub, Jira, Slack, Bitbucket, Octopus Deploy and more. For even greater visibility visit raygun dot com to resolve issues faster and to deliver flawless digital experiences for your users. That's raygun dot com to get started on your free fourteen day trial with plans starting from as little as four dollars per month. And we're back. It's .NET Rocks. This is Carl Franklin. And that's my friend Richard Campbell. We're talking Anthony, Simon and Andy from Microsoft about Visual Studio twenty twenty two. We spent the first half talking about sixty four bit so we can spend the second half talking about something else. Because I you've done some other things. I do think the sixty four bit thing is overwhelming the massive. And there's so much more to talk about. I presume this looking down the list but you guys go. Would you wanna talk about it. So I need working on inside the studio. I think science to describe it. Because I think he's being a little modest in terms of his role in bringing us to the point where it was Simon's vision. Dr laid out the direction for for Visual Studio twenty two include among it are sixty four bit journey. So what else is happening. In just mean that was a highly collaborative highly collaborative Highlight hasta voca. Just saying this so much twenty two and to bring also beyond this full after knees team working on Git tooling, lots of innovation happening with further extending what we've done with like IntelliCode done line shares extending.
Obviously you've seen some commentary on the manda wrote where we looking all enhancements in dot net seat as you truly would doing cosmetic stuff as well look at trion really. Simplify that that went. We don may. Congress seems a lot more looking. So we're gonna do best to go and bring that back even viggo. We're going to extend the size of the phone sanitizer in garad size Yes so it's exciting. It's there's a lot of stuff coming through exciting. Yeah i like new icons. I liked any font. The new fonts has a is kind of an needed update. I think refresh eighty code ligature support. Nice yeah yeah. A and i got hooked on cascadia code working in windows terminal. Right is that you could set it up for their any he get used to it real quick. It'd be nice to have that in studio definitely welcome to the show. There's been so much push for studio with his deeper and deeper integration into get hub right ear your own people you studio extensively against good hub. But there's a big chunk of enterprise out there that are still very much dedicated t.f. S like how does that get you. Talk about the interplay there about the different source code strategies that the field is using for visual studio for sure. we would through visuals. Client taw wanna make sure that we got a great experience for all the remote hosts and so whether you're kodo students get hub as devops or even bit bucket. Want to make sure that you get a great experience using your tooling as well as with latino with ti the agile devops specific advertising full system. Image you mentioned tiff aso now as your devops on from server that server also works inside of two thousand nineteen will continue working because this new twenty two so from from an end user to the hobart tool over it. 
We want to make sure that we can bring every developer into the into the family and so with that we need to make sure we're working with all of those tools you definitely see a lot of interesting innovation in how been were kind of finding the right place where we can add value. Jose get up in the right places to enable it in devops but if you look at for example the new get experience that we been introducing through the last Started in a sixty eight release of studio nineteen may continue to add through that. And we've been really deliberate about making sure that we're maintaining the right experience between devops up so that all the customers today are using digital uses experience and be successful so we test both of those And and we get continuously back from the both of those customers about where they need us to focus on parties. And we've been using that as backlog on if there's an opportunity for a plug you know. Our developer community portal is really really strong indicator that we look at internal to look at where our community is asking us to focus our attention. We recently had mad on talking about the feedback mechanism. Just how iraq. That actually is that when you when you post stuff about something you'd like in studio developer community. The deaf team reads it like they may not be able to talk to you directly about it but it does get seen. Madge is a really strong advocate for the community. I mean he really kind of tries to embody the voice of our developers entirely. And so he you know. Make sure that if there is feedback coming from the community through bugs or suggestions that team hearing that and acting on it and really kind of giving detention deserves absolutely Other things you're working on for visual studio twenty twenty two. I was just an add on as he was saying. 
The is very interesting so actually watched the progression of teams that in considering things like gets ruling envious they really tried to focus in on really the the user experience say in how the tooling is set up in a way that you have to get to activities very quickly activities that you might be doing often commits or something like that. And then Ultra is in all all that so that you still have adult wells co that you can work with it that same time when you need to move on to something that's more has Ui Intensive oil something that requires much face. Now i feel dissing coup something like that. They look to the the capabilities have bring that. It's a much more seamless system within the tool as well so the work to do that is done through loss of customer research. That again how it ties in with things like the deaf community suggestions the the actual Packers law so we have lost kind of cows that feed into the system. Those andy and anthony here Whichli on the end of some of the shells often looking at suggestions as putting these roll out into the what it so. It is a tickly informed channel for us to connect to get feedback directly and immediately to the prophet. It does seem like a tighter cycle these days. Plus you have the quarter releases. So i i hear these stories over and over again have out. Something rises quickly and they community feedback area and it shows up a quarter later in a bill but it. I think that's that's kinda hit people hard that it's that responsive once upon a time there was only new visual studio every year year and a half to two years faster than that actually at the preview channel the preview channels a pretty rapid sheila title of constant innovation that goes in there fritzy testing but we also have kind of a preview mechanism in the g. h. Also tools options. You'll find capabilities that are pushed that in order to drive some of his feedback. In fact she's gonna get tooling options right unsafe experiment. Turn on. 
try something out if you like it. If not often you can you. Can you know. Keep using the tool. So it's a great place to kind of see what innovation is coming I'm particularly excited about some of the new May have in to laying. That is coming out so we you know one of the things. We've been getting a lot of aspirin customers around the ability kind of understanding. Visualize your whole tree of changes and this is something that today you ha- you've had to go to other tools outside of the unit and a lot of operas really want that context in the idea. Isn't you know it's the integrated they're looking for. And so we've been looking really hard time in michi kind of the workflow for users. Exactly kind of wearing users need that context able to do things like understanding their get branches. See all of that history. One plays compare that to the co changes to their make gains and reducing that context. Which if they today need to do between different tolls that just adds hive for. Can you guys talk about the the changes or the updates that you're making in real time. Collaboration the live share feature. I'm just for full disclosure. I haven't used it yet. Typically on my teams when we want to collaborate we have a like a zoom meeting or in slack or teams or something like that and one person shares their screen and another person just writes the code. So what's first of all what's the benefit of using live share and secondly what's new. What's coming. Yeah so i'll take action start with So live scher. I honestly forget. I can twenty nineteen when we saw introducing live show On the premise share is really kind of your real time collaboration with a colleague with more holly programming paradigms as a jet powered lines as we used to call in. So the you know. Hey can you come and look at this with me as on web on something. Deepak was kinds of a workflow is Its value is particularly strong. Of course now. With the fact that you can live share or create sessions. 
That go cross. Tools is is on the small just as israel studios visual studio. Vs who are i on even to a client the a student wet swell so the mechanism of the ability to share his pretty strong in twenty two. If memory says right in twenty three twenty two yet. We're looking to introduce little bit more capability here so in zero s with having integrated chat channel as well so rather than you had how to some other chat client is teams or whatever and go through that context. Which would wear anticipating. Is you having a chat system that allows you to clearly be looking at yuko. Talking about what's going on and immediately the jumping into the livestream session all within the session talking amongst yourselves as well so their audio component to it is already an audio component in chair this election. Hey the topped in along with the solutions whereas there elitist section as he can no at least had calls to your senior. Yeah that's good. I mean i mean. I get it that you don't wanna have to involve another tool with other accounts and all that stuff. It's great if he can just do it inside visual studio but like i used it so So i have a couple of questions first of all when you're doing a live share if i'm sharing my screen or whatever visual studio with my team can i pass control to one person at a time or can anybody just jump in lakewood. Woody's oua like this for mob. Programming is this the kind of thing where everybody can just jump in and write stuff and different places or or or is it. What is it you have more control. In fact eaten in twenty twenty to one of the ideas is to increase cooper control so sessions saw the only remains read. Only those will be some of the capabilities that we're looking at Yet question originally yes you as a host can control the actions. The guests can have as little so whether they are entering. 
And how read only will they follow you and it kind of mechanism to out tool or you allow them to take more control and you follow them. So as the thermal control to use host newscaster allow they have the tonight. But i have seen the demos where two people typing the same time in the same code window right if you allow and this is not. The problem of you need a pilot. There's only one award everybody's got a keyboard. They're on their respective they. I you and i have done this in google. Docs out writing simultaneously pieces of things. Yes yeah yeah. This isn't the screen sharing mechanism walk pass and has the The engine sign. It is kind of the jewel mechanism you typing in cyber sides. You can use her comments for your cheap version of chatting with someone you know the the key here to take away. You're not interacting with video here interacting with your visual studio and everybody's interacting with their visual studio so you're not seeing a video download stream that you now have to interact with and deal with all the latency and all that now. I really like this. It's also all of your personalizations are there as well. Yeah precisely that all your personalizations decent these he makes inside so as wonder yeah The time of the anthony has to you know ugly flav visual studio. He can remain in the the play visual while abusing the aussie music interesting. So yeah the way i have. My setup is not impacted when an election. What about tools. That are installed. Like what if one person who's driving has has You know Refactoring the refactoring tools installed from JetBrains. And somebody else doesn't. That's an interesting problem. They remain independent person. Cool so the only thing being shared is that code window. Everybody get inject keystroke though. But your tooling is separate. So if i've got ReSharper i can use ReSharper to do boom. 
And if i'm just watching wow stuff magically appeared good on you not only that you can also do it across visual studio code as well so think about the front end of doing a quick code review on some back and services flabbergasting on. That's a place where you might have a developer this working the as most of the time and your party with someone who might be working in digital some apps services. There's an opportunity for them to work together and you live share from their troubles with their extensions as they are but share that context in code window the window. That's being like it's the context the pointing to coach the text itself. And so you have the freedom to navigate individually or you can kinda snap users to the same place to bring focus. You have a variety of all a lot of the same concepts as you think about google. Dr cooper's man. You know all of a sudden i feel like richard. I've been slicing sushi with a spatula. We just did a humanitarian toolbox code a thon and One of the contributors to the two weeks ready product is David Paquette. Who's one of the ASP.NET Monsters along with Simon Timms and james chambers and during the livestream all of the as beat up. Mary's all three of them through live. Share worked on the same code base literally on the same chunk of code simultaneously during the same of wildly productive. Yeah i think we're they were struggling not to step on each other to subject better I just feel like it is. I've seen this happen. Where focus get good at this. You know you. And i writing copy for for dot net rocks promotion think simultaneously. We've had a lot of problems. Go really quickly today. But i i imagine a team of folks working routinely in live share would just get really smooth at it but it it does take a prop under the hood is a SignalR anyone web sockets somethin- sounds like a perfect SignalR ya cool. 
There's nothing flash mob so one of the things which at one of the things you should try to get the chance is live shannon code debugging sessions last videon press. Yeah yeah so. There's some new debugging features in improvements right. Yeah between twenty two. This year will be so. I think the twitter to again like obviously one of the big things is making sure we support all the platforms as you mentioned the dot net runs normal places these days and so he wants to make sure you can about your app way of it's running. If you're running in dhaka for example just a lot of people believe don't wraps around lakes us. We will improve the poll and valve like cross platform. Applications that semi blazes. How geting or other things. And so on the i wanted to make sure we support the rich ecosystem and on the other side i think eventually quality of life improvements who wanted to make the dugout helping customers get sauce from a variety different places. pre ov visualizes inside visual studio as well as some of the in general at one of the challenges. We have with other especially is. There's a lot of tools in that. There's a lot of stuff in the valley. That's really utilize a lot. It's kind of hard to know when to use which tool by even sing that initial brain so one of the things already focusing on his trying to figure out how we can make the help. Customers have developed. Find the right tool for the right time. Clicky mcallister clipping is back. Maybe that's the solution or some sort of machine about doing for you. I know about to press f nine head just simple stuff rearranging menus. Making stuff more lena. So it's not like it. A context may disclose the two days and not creepy. Hopefully bigly z. Idea that the fact that it's such it's so mean mable people relate to it out. I think it's it's now it's funny like you probably like to see it. That's very strange that it keeps coming around. Anyway it sounds great. 
And i mean to say that the debugging experience for Blazor WebAssembly will be improved episode so like the resembling runs a you know the across platform and so we kind of have say like to to bug is coal ones Classic like windows applications. That's been around since while the everyone is a platform which we show. VS Code and other places and so we generally try to add more features because the old windows one as a wide range of has been around for very long time. And so we've been improving at cross platform which really helps star as i mentioned the knicks places shoreham. Even if it's silly stuff like adding next statement until athens like that less calm. More love is old is new again. that's right. Yeah so what can we say about arm. I mean it's coming up that it's not supported. Yes still there are gonna be arm window devices at some point have been in the past arm window devices. I have are like these little tablet thing. Is that if you're going to run visual studio on them you're crazy. I was thinking about running visual studio's making. That's why i wanted to talk about ARM in general making arm so absence of running studio completely supported like for some time. Now you've been up to you visit to build apps that target ARM by z z. Full you know for for those tiny devices would also the newest devices the spike larger Still probably another place to run studio on jesse if you keep on screen keyboard or or the computer. Yeah jenner retouched. Keyboards had someone who did fire up. Studio and like emotion computing tablet back in the day. Yeah yeah pen programming. Not a thing so ninety nine percent complete for thirty minutes but is it if you start because you do have the the with the now rebrand veto branded as visual studio for mac which is literally a different code base. I think that of Xamarin acquisition like you are opening the door bit by bit to. How do you unify all. 
I just can't imagine the tasks that you guys have in front of you with dot net six and MAUI and bringing Xamarin Forms forward into MAUI and all these devices and you have to make one IDE to rule them all. I mean and got bags under his eyes man. He slashed man going to happen on these four hours of the week. One of the nice things that we are sharing more across over those Platforms because one of the things that we've been on his agenda moving out of process and process that full systems or pc's communication mechanism is independent of wes and so positive by they run in all those things today and more we once upon a time there was. I m mike when intel was trying to do sixty four bit zone. This is cool. This is not only a look into the future but it's a history lesson. yes that's true. That's what happens when four guys get together and try to talk about windows five different some cases trump with basic. You definitely don't need sixty four bits. Stick with three malbak right well. What's what's next after this release were. What are you guys. Do you go into cancun. Chill out for a while. You got a lot of hard work to do what. It's co two. What's what's next after twenty twenty two. I the first thing i to me is get sean. There's a good one. yeah i would. I highly recommended. Do you have things today. I mean it is second quarter of twenty twenty one. We're talking about studio twenty twenty two. You're always doing this. Triage like are there things going into the v. Next been past twenty twenty two. You're already triage out. That won't go to twenty two yet. Thank you mind talking about the dreams drawer of dreams. Yeah okay well. We'll we'll saw king flying. We would sink. Outflow whatever's is next. That will be sometime. That will how about that are much more into the twenty twenty two cycles. We show melissa. 
Great yeah i mean you know so much happens within within this tree to the wave the twenty twenty news sing pao vice news as it was in clearly if there's huge investments and so on those will be things that we have to think about when and at my leisure these out things that comes to mind right now well and i look at the sixty four bit as this huge advancement that you've been making over a long period of time it's gonna come to fruition this time around so i'm sure there's a couple of other big ones out there and i'm not picking one hundred twenty eight thing and stop that andy anthony. Simon thank you very much for this hour with us and sharing your your thoughts about visual studio. Two thousand twenty two. I know that our listeners can't wait thank you thank you. Thank you all right. And we'll see you next time on. Dot net rocks dot. Net rocks is brought to you by. Franklin's net and produced by plop studios a service audio video and post production facility located physically in new london connecticut and of course in the cloud online at peak wwlp dot com visit our website at dot net rotc ks dot com for feeds downloads. Mobile apps comments and access to the full archives. Going back to show number one reported in september two thousand and to make sure you check out our sponsors. They keep us in business now. Go write some code. Cnx time de.

Fighting Hackers using HoneyTokens with Dana Epp

.NET Rocks!

1:06:26 hr | 1 d ago


"Welcome back to dot net rocks this. Carl franklin richard campbell. And we're recording this on your birthday as we did the lest yay birthday to me birthday. You there's actually. I have a bunch of friends in the area that all have birthdays roughly a week of each other so so we tend to have the collective party awesome birthday week. It's like one of those birthday week. Things is actually wearing party next weekend. But i got eighteen pounds of corned. Beef brining in the fridge. Right now on a mug. I'm going to turn about a half of into pastrami. That's great and we'll see what happens. And i'll be right over. It's like you've got a plan. Three weeks in advance for stuff like this brian. Her wives actually thinking. I can pull a piece of that corned beef this weekend and test. It make sure things went. Well you know that order pizza and it'd be terrible than yeah trashing trying to do some Some dry smoking of the me when a us the points. The fatty bits for the presumption that want to do a little more rendering on it. You know not to talk about food too much on iraq's but i found a really good way to cook pork belly. Oh really yeah. First of all. I went to costco and i got a big pork belly. Like the full thing without the rib bones and everything and they also take the skin off normally. I liked the skin but in this particular situation it was note. I liked it without the skin and i cut it up into what you can only describe as one pound slabs think of when you get bacon a pound a time you know and it's it's all one block but they're sliced. That's the size. And i put them. I cook them. Sous lied under vacuum in large cooler. That i've created a coleman cooler with a inova precision cooker in it a drill the hole. Big enough for that. So i could cook all of these the same time in all i have on emma salt and pepper to the seed. Preparation is one hundred and thirty four degrees for two days so medium rare for two days pretty much and basically after two days. 
It's soft gable. And then i slice it into steaks. Probably about half an inch thick and sear the snot out of them. And so that is quite crispy delicious and tender. There you go. That's awesome yum yum yum yum. our angry. Yeah let's let's get to better know framework roll. The music did. What do you got well. It's very significant. Dana Epp is here for his maiden voyage on dot net rocks. He's been on RunAs Radio several times. Maybe ten times and and and we're talking security so i this is a good enough time as any because this is coming out on the twenty ninth of july and by then we should be in full swing with a new podcast with yours truly and Patrick Hynes and Duane LaFlotte. Okay nice group. Yeah and it's called security this week so it's not necessarily a news show but the security conversations are application security topics through the lens of current events. Okay so whatever happened that week. Spawns the conversation that we have with deep dive into security including Patrick and Duane's experiences with customers. They worked with the fbi. They've worked with lots of high profile customers to figure out security issues and do pen testing and all that stuff so they've got a lot of stories from the field and a lot of experience and i'm the everyman as you know that's what i do the i asked the dumb questions and it's not really for developers. It's for anybody who wants to keep the money that they make in their business and not lose it to security attacks. Simple as that you know. It's also for people who just use computers and who want to be up on the attacks and how to prevent them from happening to you so it's tough man yes security. No doubt security's on everybody's mind seems these days you can't get a day by with another huge ransomware attack. It really is a problem so anyway. That's security this week dot com. Hopefully it's up if it's not at least be a boilerplate. Stay tuned page there but anyway. That's what i got. Who soccer to us today. 
Richard by grabbed seventeen forty two while we did with Paula talking about ransomware which was like an online event with Techorama. That was good. Fun ain't if she had an article recently in forbes magazine and forbes poland being she built a hell of a company CQURE is a lot of people that are doing there. They helped governments deal with attacks. But he's very busy. Yeah so Yeah have to say. We knew her when We did you know back in the day. That's one of the things we talked about was one of the company. She was working with paid a ransom and the decryptor didn't work correctly. It only decrypted many files but not all of them and ultimately was her team. Debugged the decryptor to be finish recovering data for the company. Wow you know that's a weird moment fauria right. And that's why we call the show debugging ransomware so ugly. Has his comedy goes. I was waiting for the bugger part. We would you meant that. I thought you were going to go through code. Level details of buggy ransomware. If you could fix it that would be interesting. it's like. I don't think i really wanna go through ransomware wearing detail. I like big decoders at different thing. Yeah on a radio show look at line. One hundred fifty seven goes on. You mentioned encrypting. Backups i had one of my customers. Go through that. The whole company was wiped Recover it a few months and one thing. They did immediately by was tape backup because he can't encrypt that. I hope think right. Actually if you use your tapes to back up encrypted files then your tape backups are encrypted. Some of this ransomware with command controls subsists sophisticated that. That's what they do. They they learn how your backup systems work and then they wait and make sure that all your backups are good too before they trigger the ransomware so there there is evil if they're pretty damn evil man. They're clever about what they do and they are trying to take out your backups. If they can get away with it. So cold backups. 
Backups at are disconnected from the rest of the system. So somebody remote can't get to them are one strategy but in a big part of this is do you understand restore times. What how long will it take to recover. I'm sure dana can speak to this. But you know there's no faster coverage from rents. Were you know in terms of real business out if you can get operation a week. You've done well whether you pay that ransom or not like it's tough these very difficulties to clean up and people. Just underestimate the damage done. Right so i think the takeaway here is do everything you can to prevent your people from falling victim to ransomware. Yeah but you know that it's hard so cavalier. Thank you so much for your comment copies to is on. Its way to you if you'd like a copy to by write a comment on the website at dot net rocks dot com or on facebook as we publish every show there. And have you comment there. We're reading on the show. We'll copy music. Oh and definitely follow us on twitter. He's at rich campbell. I'm at carl. Franklin and dana eps security passwords are as follows. Yada yada yada hamas abbas. Did you really think i was going to give you. Dana apps password code good luck. Good luck with that. And and the the laughing guy you heard right. There is dana app. He is a serial entrepreneur who founded several security based software companies that have gone public or sold through. Acquisition and dana has spent the last twenty five years focusing on software security and has been awarded the recognition and designation by microsoft as an enterprise security. Mvp for the past fourteen or so years in these past few years he was also awarded for his azure experience in cloud and data center management and was appointed as a microsoft regional director. Congratulations stain on all those accomplishments and welcomed dot net rocks for the first time will thank you very much. I got up the vial. That's like four years old. 
You know it's one of those things you know what i thank you very much. I've been on RunAs for god. I don't know how many times richard but it's always so much fun. Thought i oh yes sub sandwich anyway but if fitted finish i'll vote a mug. I would love to see one of those running. You're on the same buddy city and we never see each other. Yeah so what i. Oh this is fun only sixteen shows. I just counted them six. You're on episode three. Wow security's always around right. It's one of those things and especially always had stuff to say. Everybody question. But i don't think i don't think you've missed a year like you've been at least once a year embargoed for almost one year where i was. It was hard to hear the catch me just the right arm. Yeah you know. I remember ping you saying hey can we. And you're like no. I really can't yes in the midst of an acquisition to something. I cannot speak publicly right now. Yeah it's one of those things so And you know it's security hits everywhere right. RunAs is awesome for IT pros wanting to learn how to better lock down and manage. You know you're talking about things. Like backups when recovery and mean time to recovery that stuff and you guys were talking about like prevent people from getting ransomware. That's just not the reality. People are gonna click on dancing pigs. The real thing is to assume breach and find a way to recover as quickly as possible. And while it's you know it's optima say that you know. Even the largest companies can take months to recover if the IT strategies are in place the right way and they're more concerned about keeping a business afloat than looking at Analysis Mean time to recovery doesn't have to be that long if the right strategies are in place that comes down to just you know knowing and managing the recovery and so like they come back they can take out your backups. But if you have point-in-time backups. 
Hourly weekly monthly and those are stored in places that you can't reach there are ways to regenerate that stuff and redeploy but people don't do that because automation is scary because ryan cases automations upcoming a bigger problem But then think about that from the other side you know. Dot net rocks is all about you know the developer's experience and all that and sometimes i wonder if we as developers Aren't doing enough to help our ops people to be able to know when attacks are happening even before they happen. And it's an interesting scenario. I know richard. We've talked about this before. Just how do you as we shift left from developer's perspective get into more DevOps or DevSecOps how can developers and IT work closer together to get that high fidelity signal to know that things are safe that things are secure and that at the end of the day the information which is what all of our code is is meant to manage and manipulate. It can be done so in a safe manner. And i think i have a question and you know. Because i'm the i'm the new guy to security here if i had if my company is using GitHub for our repos. And they're checking in changes all the time. And we're we're we don't have any on prem hardware you know. Nobody's pulling up a browser on the web server to install anything. It's all like azure or amazon or whatever Are we still at risk. Because we have backups. Essentially in in GitHub. Any you know we can just pull changes How how are we still at risk. Well think about it like this. Especially for developers. The crown jewel of the organization as far as the developer's concerned is their source code. And so there's lots of different aspects of source control. That can be at risk right. And it's not just direct risks. Such as list listen things like the SolarWinds attack where they actually attacked in to the CI/CD pipeline to be able to sign a malware that allowed them to distribute it to customers through their update mechanisms. 
Right off that is extremely difficult to be able to defend against. If you're just saying. I'm allowing people to you know hey passwords on GitHub. While is that enough right. Like there is stronger authentication mechanisms. That allow you to to help. Protect the communications to the service. But what happens if someone gets in if you take a look at a majority of the security research. That's out there. You know every year like verizon releases its data breach report and the number one way people get in they find credentials of authorized users and use them in an unauthorized manner. So yes. it's still possible. Even if you have a locked-down repository. That's private that if someone was able to access a developer's machine and they have. Let's say their keys stored there so they because they don't wanna enter creds all the time. That means that someone else would have the mechanism to push up a change. Now that doesn't mean that actually always happens because you can put process in any matured CI/CD pipeline where you can have guardrails where things like merging into major branches need peer review. And you have the capabilities of of having know and other components that you could do static code analysis to look for a certain types of behaviors but that's directly on the code and that's that comes to security maturity Of of code on there lot of times. It's not direct it's indirect. It's the third party modules that you're just expecting to consume through NuGet or npm or whatever package manager. You have on there where if those and get infiltrated you then become infiltrated and you have this inherent trust into a package that you rely on. That may not have the same security Validation as you you may be exposing that the next time you do a build and you don't even know but aren't you always able to roll back to the previous build that didn't have this version that was susceptible and then start over from them from that version. Well it's potential right first off. 
You're saying after the fact so after you've been breached and now taken over all your machines doesn't matter that point ladies the other side is you. Can you can lock in versions. But most people don't so if you take a look at more modern let's say front-end development frameworks and anything from React Angular. I'm using those aren't new but they they've been out for a long time but if you take a look at how. VS Code or Visual Studio Sets up the scaffolding for a lot of this stuff when people add these they just go and say. Give me the latest version of X. So the problem is is that that means that they're highly at risk that they're going to consume new code. That could be vulnerable but the opposite is just as bad. They lock it into a version and then a fix comes out and they're not aware of it and this is where it starts coming down that you have a responsibility. I looking at third party libraries and monitoring and managing as part of your sprints. You should be looking and seeing what changes have occurred and things. I'm taking dependency on. So that i have the ability to then verify and say are those important to me. Do i need to make changes right. And because you just now don't always know and you're not you don't have direct visibility. There are tools and technologies out there that can help with that and bubble that up for you to tell you. Hey this package has had security updates. You should probably look at it and GitHub's doing awesome on some of this stuff. Because i do like doing a lot to tell you. Hey this has vulnerable packages. You really should look at it. The only problem with that is that it's after the fact is usually a little too late down so Adversaries that are trying to target major applications. They may have a window of exposure. That could be anything from days to weeks. 
Sometimes months years it all depends on just the exposure just because things are are sometimes available openly say open source doesn't mean they're actually getting that Auditing all the time. So so GitHub. Has you know some mechanisms. You were just mentioning to look into identify malicious code so this is another reason to only use packages because you can have NuGet packages. That aren't GitHub. New people create without a repository. But if they're on GitHub. That's one more level of confidence that you can have right so it's a good reason to use packages that are already vetted and that you've actually vetted to certain releases you only want. You know in many cases unless you you know. You're very brave. You shouldn't be taking on a you know the daily builds and trying to consume them. But sometimes you get frustrated. 'cause you just trying to get a job done you know a package. Works has some fixes. You take a dependency on that and then all the sudden you don't get it back into mainstream later and that's that's just comes down to the the maturity of having a process in place right like you should have engineering change orders for. I want to add this new package in. There should be people reviewing that and saying. Why do we need this package. Is it absolutely necessary. And if it is are we willing to take on that risk and a lot of developers especially when they're new to the world these days. Oh just consume this. Do you know a pip install and requirements. And bring them in. And you're like but do you know what those are and it's you know there's attacks that that i've seen there where they've been able to get in and contribute and update things like a requirements.txt in a python package to automatically install a malicious package and leaving it dormant for like six months. And then they take advantage of it. You've done everything you've done. 
Your code auditing review and everything looks fine but that dormant sub package ends up becoming the the risk. That's on there so you need to know who the packages are and you need to take a confidence in taking a trust in and once you do that you need to lock it down. Don't always say stuck in the latest version yet. You should know about the latest versions and you should be able to to to to be able to look and review them regularly but you want stability so you want to know what you're taking a dependency on and then you know. Check it from time to time but that requires a process also thinking a little further ahead in a lot of times. You don't because you take a trust on a package. That package has taken a trust and other packages. How deep do you go. Well i i think. Part of that process needs to be some developer. Who understands code can go. Let's say you're three changes three versions back and go to the diff of each of those versions walk through the code. See what was added or modified and determine whether or not it was malicious right. So if you're going to count on some you know GitHub or another repository to do that for you, that's fine but there has to be some proof that they have done that work and they have declared it as safe so it's just like you're saying it state it depends you have to be careful. Do your due diligence and you have to also understand the the dev cycles of the people involved right like if you look at. Some of microsoft's azure. There is a ton of packages that they make available for all the different languages to make life easier to consume their APIs but some of them are open source like the packages are open source but some of the components behind the scenes aren't so you have to also have a level of trust with that team To to make sure that when they're taking dependencies and bringing stuff in that. You're willing to accept that. 
I'm which i think is reasonable and i think that's all a balance of securities about risk mitigation not risk avoidance and. That's not just in the IT world that's in the code world as well if you take a dependency on a package you need to it at least to a degree or you need to look at and try to determine what is a damage potential in what it's able to do for you and there is the conservative mindset airbag back. Don't be the first to take that update people spend some time on it. You know they. That rarely serves you poorly be i on that. The power of the package makes life so much easier because you can start playing lego. You don't need to be an expert on something to consume it but my my push back on that is if you don't understand the code that you're bringing into it. You probably shouldn't be using like it's it's one of those things that I get trying to speed up and getting things released with. That's when mistakes happen and sometimes you need to question. You don't need to reinvent the wheel. There's something out there that millions of people have taken a dependency on and it works and it does his job. Okay take a look at it and try to understand understand what it does and make sure you're a you as a team. It shouldn't be just a single developer. Saying i'm gonna take this package on. There really should be in every company. I've always worked with. We always create An advisory board where they view on packagers in engineering change. That goes in. And there's a review of it. It's not like we're going to spend forever looking at it but we have we have certain milestones and goals that we're looking at. How old is this package band. How long has it been. How many security advisories. How many updates do they have. You know who is maintaining. It is backing of a commercial entity. Especially if it's an open source package and and it goes on and on go look at the issues on its GitHub. 
Can we take a look and see what kind of defects are currently being reported, or issues? How quickly are they being fixed? When was the last time they've been updated? All these things matter. And then once you start looking at that, you can make an approval to say we wish to take that risk on. Now, is that a blocker before they can even tinker with the library, or can they take it into their branch, but before it's allowed to be merged it goes through the advisory board? It depends. It really depends on who you are, I guess, in the organization. We actually have, you can take spikes, where it's like, "Hey, I want to learn, I want to add this new capability in there." Then take a spike on, we'll actually use this research time that is going into a branch that will never be merged without full review. In those scenarios it may very well be that that gets even more scrutiny. It's not your standard two-person peer review approval process. There may be more involved, especially if it's something that might be critical, like an auth package or something where, you know, maybe security needs to be involved in the, sure. Yeah, you want to spend some time with it. It seems to me, guys, that there's room for an organization, and maybe a foundation or something, to be in the business of validating, a third party to validate new versions of packages that are put out there, where, you know, they don't have the benefit of GitHub's, like, you know. Hey, it too would be nice in a GitHub repository to see what companies are taking dependencies on these things, at what versions. Like, hey, if Microsoft is using this library internally, I have pretty high confidence that it's not full of malware, right? But also a stamp of approval, you know, that's saying somebody here has gone through all these changes and approved it as being safe. The tricky part you get into when you start talking about those types of reviews is what is the mandate and what is, like, who.
What's the ultimate goal of what people are trying to do? There's no standards body for that stuff. There are commercial companies that do some stuff, right? Like, there's, I never know how to pronounce it, but it's like Snyk.io, I think it is, S-N-Y-K I think it is. They have an open source package scanner, and it's literally looking at all the packages, and it's got a vulnerability database, and it tells you everything it sees and finds. And you can subscribe to that service, and there's tons of other services that you can put in your pipeline, right? So it's like, hey, before this merges there's a guardrail that's going to check this stuff and say: is this a package that has vulnerabilities? Or is this a package that has had a certain amount of vulnerabilities over the past period of time? Or is this a package that is, you know, old and antiquated? I don't use that particular solution, but I know that exists and I know there's others like it, and it's, I think, worth looking at from a package management point of view, just to be able to rely on trusting a third party that's doing that kind of stuff for you. And they're doing that because they wanna make money, right? Like, they provide a service that you can pay for. Yeah, and it's a product, and so you know what their motivation clearly is. It's hard. A lot of times you can take a dependency, I know lots of great packages that I've taken dependencies on where a Microsoft employee is working on it, but then they stopped working, and it's like, it wasn't a Microsoft package, right? Yeah, like I take a look at things like the stuff for JavaScript and Angular. For years microsoft and have an official package with Microsoft employees working on it. That didn't give me enough trust on it. But then when Microsoft released an MSAL package for that, that's the Microsoft Authentication Library, I was able to look at that a little more in detail.
Problem is they're very slow and often always behind by, like, almost a year from where everyone else is trying to consume services. So then you start looking and saying, do I take trust in other people's work because it's actually more modern for the modern stuff, or do I wait? And the reason you want to wait usually is because, well, it's been audited and reviewed and Microsoft's putting their stamp on it. It's a trade of risk. Is that new feature that important that you're to take on new risk, or can you wait and reduce your risk? Although we've got this reality that we're in such an agile world now that by the time you're willing to take on risk, that package has already moved so far ahead, right? Like, so that we're now seeing some APIs, they're going to be online and offline in a matter of a window of three years, and that gets scary if you're taking a dependency on something. Maybe if it's just an MVP or something and you're just trying to get it out the door, you don't care, but when you're trying to build production code that has to last some time, you want to know that there's some maturity management that's going on at some of that stuff. So, you know, what I've talked about in DevOps talks and things like that: bringing devs into a firefight as an IT person. Like, it's the weekend, the site's gone down, and you hit a certain point where the checklist hasn't brought it back up. We have to diagnose the problem, and having a senior dev get involved, probably remotely, and one rule, number one, is: don't write any code. This is about your insight into code helping diagnose the problem. And the byproduct of that process has consistently been the dev says, "Wow, we need to write more things to let you see what's going on in the app." Absolutely, there's a blindness there. They only really see that when they see how blind it is during one of those firefights. And I saw your honey tokens talk and thought this is the same thing.
This is, one of our applications was used, it was exploited, and only post facto have we combed through the logs. They worked at it for months, and if we had some mechanisms to sort of raise a flag, say there's some weird stuff going on here, then we would have had a chance to shut that door long before they took advantage of it. Yeah, well, you know, it's one of those benefits I get, you know, because I sit on both blue teams and red teams. So a lot of times I'm thinking about, how would I, in the offensive tradecraft, how do I go about attacking applications? And you look at it and say, okay, as a defender, how would I stop that? And the reality is most developers aren't security professionals. They don't know how hackers are going to breach, especially web applications. But what ends up happening is, there is so much we could be doing to help get signals to the ops guys so that they can be forearmed and forewarned. And it's interesting, because when we start thinking like that we start putting the edge back on the defender, which is not easy, because we always hear, right: the attacker needs to find one way in. Defenders have to find out of defending, and that's so hard. And I almost feel like you jumped over something there, Dana, which is how long does it take us to know we're being attacked? You know, it's interesting, because most times most people find out after the fact, where they may have the greatest security devices that are able to look at network intrusions and stuff, and that's way too late. By that time they've already pivoted and got in deep into the system. But it is possible through honey tokens to be able to get early warning detection by creating deceptive mechanisms that will troll attackers. Because if you look at something like the MITRE ATT&CK chain, which is a really good way of defining and describing how threat actors will infiltrate systems,
There's always some recon mechanisms and some post exploitation techniques that are used that are helpful as signals. So let me give you a super simple example. Before we dive into this honey tokens, let's break for this very important message.
And we're back. It's .NET Rocks! I'm Richard Campbell, that's Carl Franklin. Hey, yes it is my birthday, and this is my friend Dana Epp, who usually hangs out with me on the RunAs side of things. But this whole conversation about honey tokens, such an interesting idea for devs to support ops in detecting threats early on, when, you know, that whole idea of what it's like, you put up watchtowers but didn't put anybody in them. Right, goes wall, but if nobody's looking to see if there's somebody picking away at the wall to see if there's an opening there, like, you only find out when it all falls down. If you've been looking that way, a lot of times by the time they get past the wall you think everything's okay, and they're getting deeper and deeper into the app. So, yeah, so where honey tokens really come in is you can get as complicated or as simple as you want. The thing to say is, if you're ever thinking of doing honey tokens, remember that things like security engineering should be done. You should be doing all of the things that they tell you to do, from sanitizing input and all the relations of threat modeling stuff. But outside of security engineering,
are there things that developers can do to help assist ops in understanding what's going on? So let's talk about how a hacker would recon an application. One of the first things they're gonna do once they find a target, so there's a whole bunch of recon they're gonna do to define the target itself, but once they know they have a target, one of the first things they're going to do, they're going to take a look at the application, try to understand how it works: what's the tech stack, what's running. And they're going to do things like look at your robots.txt, because they know if they go and put in certain disallow directives that say do not go in and index these things. It's not a security component, but it's there to help reduce the strain of spiders going through your application and looking at things. So if you go in and say, "Hey, I want to disallow slash admin portal," they know that, you know, the spiders know not to go and try to index that. But as an attacker, I'm looking at it saying, "Okay, they have an admin portal over there," right? And there are legitimate reasons why those need to be there and they should be looked at. So if you want an example, this is a great example. Could've azure dot shop dot com. And you go take a look at their /robots.txt. There's a whole bunch of things that they're telling you, look at it, and right at the bottom is the disallow API. Did you know as you're my trump dot com slash api there a set of api. Probably not. As a hacker, damn, I wanna know about that. Yeah, sure. So let's turn that around. Let's use that as a deceptive technique to start getting early warning knowledge. So put something in your robots.txt that isn't normal. And what I mean by normal is, hackers have these word lists, and you can go into, like, GitHub. There's the SecLists, which has all of them,
common directory brute forcing. So if you use something like DirBuster, Gobuster or Burp Suite to actually enumerate and look for directories, you don't want to have something in your robots.txt that's on there, because obviously it can start flagging, you know, the script kiddies that are just trying to rattle your cages. But if you actually put something in there like a GUID, right, like, people: "Wait, wait a minute. Why the hell is there a GUID in there? What's over at that resource?" And then they go to that resource, you start questioning: "Wait, wait, wait a minute. Why are you going there? You're not supposed to be going there. You're not a process that should be looking at this stuff." And it becomes your first entry point to say something's going on. It's not enough to say an attack is occurring, but it's enough to say this might be interesting. But now combine it with other deceptive strategies at the same time, like maybe inserting into JavaScript a routine that could never, ever be executed under normal operations, right? Have a parameter that, hey, the parameter is admin, or, you know, valid equals one, and it will trigger down into this JavaScript code, and that code block goes to an empty endpoint that just returns an empty array as an example, and by the way logs their information. So you, exactly. That's exactly the point, right? So what happens is, when they go and reconstruct that API request to see what's there, you now have the ability to collect their browser information, their IP information, anything related to what they're doing, and it starts creating a fingerprint. Now, let's be honest: attackers aren't stupid. They're not going to be running this from their home. Hopefully they're going to be doing this through some ephemeral resource that they've spun up in some cloud service to scan you, but that's okay, or coming through Tor nodes.
What you're looking at is fingerprinting the rest of their system and start correlating that activity together. So we all of a sudden see, hey, they hit the robots.txt, went to an endpoint we know they're not supposed to, then decompiled my JavaScript that's been modified and started trying to call into those API endpoints. Their intent, it's a high fidelity signal that someone is spending time trying to understand how your app functions, right? And that starts being something ops people care about, because when they have to correlate millions of records, when you're doing something like a brute force against a server, you're getting so many 404s, right? If you've got hundreds or thousands, like, some of these brute force directory lists have like fifty thousand, eight hundred thousand one. That's almost a quarter million records. If you have two hundred fifty thousand 404 messages on your system, it makes a lot of mess from a log perspective to see what's going on, what's real versus what's something scripted. When you start correlating all this activity together, you start being able to attribute that it's a real attack, and the people can really appreciate that. You can go deeper than that. As an example, you can use deceptive parameter pollution in a way so that you might have parameters like admin equals true or dev equals false that have no real meaning to that route, but you could simply track for that and say, okay, do I see that someone's trying to change that parameter, which means they're trying to manipulate how the session interacts. You can even have more fun: build it out so that it responds with a fake stack trace when someone's manipulating that stuff, so they spend time, wasting time trying to figure out what they've manipulated even though it has no business impact to the real application.
Now you gotta be careful with this kind of stuff, because you need to treat this just like any of your production code. If you're going to do something like this, it needs to be resilient. You need to know you're not going to cause fragility in your, I would never say, like, use deceptive cookies with your session data. It's just, there's a high risk, that's not something you wanna use together, right? But it doesn't mean you couldn't add extra cookies, though. Nothing says you couldn't create a cookie that said API SID that had a certain value in it, maybe base64 encoded, so it looks like you've actually made some effort to hide some information. And then if that's got some data in there, like an endpoint that they go to, you know that they're looking at cookies, trying to manipulate and change them. And in those scenarios that is a high fidelity signal of people up to no good, and these are the things to start linking together. And this is how developers can help the team, because we can now filter out through millions and millions of records to get down to a transaction chain to say, okay, we can see they're doing this and this and this. The only way this would be in the log file is that they've done all this work, right, to run that particular API that's only there to log that it got run, right? And so we start being able to work our way backwards and provide signals. Now here's a reality: no matter how much technology you put in there and how good your security engineering is, at some point someone may still get in. There are still things you can do from a deceptive perspective that would allow you to know about it. As an example, it is possible to create honey tokens right in your databases, so that you can have things, what I call trapped tables. Basically it could be a view like admin creds, which is linking from your users table and pulls out some other information, but what you do is you can use, in most databases, an ability to create triggers based on activities. So as an example,
if someone wants to select that view, you could trigger a function, and that function could be posting to your application so you could consume it in your security logs to get it to your ops people. What that means is, if someone's hitting that view, that means they're in your database. Maybe they found a SQL injection vulnerability, or they've actually got a foothold in there, actually on the SQL server itself. But now you actually have some evidence that they're doing things they're not supposed to be. Gotta be like that, because it might put up an internal attacker too. Exactly. But you've got to be careful, because you need to make sure you work with ops to understand how they do things, because nothing would suck more than getting a call at two in the morning to have to go in because your database has been breached, only to find out it's the weekly backup running. Because remember, some of these maintenance routines are going to look at these tables and grab them and back them up, so you have to account for this type of behaviors. But it is possible to put in honey tokens in a way so that they trip the attackers, because a lot of attackers these days are going to use tools that can help them. So things like sqlmap exist so that they can enumerate, exploit, exfiltrate data. So you can basically run this command, and if it finds a SQL injection on a form, as an example, it will then go in and suck out all the data for it. But they don't know that that view may exist that should never, ever be called, right? And if you have things like a mature ORM system, or you have some sort of a data manager in between the database and your application, you could do things like poisoned records, create columns that are dedicated to being fake data or special data. I look at it as like a data loss protection guardrail, right? It has the ability to say, I can have a, maybe I'd say, permissions column on a users table that's never used.
And if you know you only ever call that table in a certain way, if you ever see the permissions column brought back, you know something is out of norm: they found some way to execute or modify queries to get through your data layer and get to the database. Now, you've got to be careful, because that first junior developer comes in and says, "I'm going to select star on users." It's gonna trigger. That would, I imagine, either. Yeah, because now you're educating them on learning this kind of stuff. So the trick here is using deception for good, and what you're doing is you're just trying to arm the IT people with signals that seem to have more viability. An IT person probably isn't gonna know what tables in your database are meaning in your application, right? But if you start exposing to them and saying, here's what we wanna do: if you ever see this data coming back, it's bad. We want to create this function to trigger on these types of behaviors. You start being able to leverage the IT infrastructure in a way that it can help signal not just the IT people but you as well. If it's going back through your application, you can start correlating things and seeing what areas of my app are weaker. Do I see signals that maybe I wanna put more depth in to be able to provide it? As an example, let's say you support usernames and passwords for logging in. You really wanna know if someone's creds have ever been leaked, because we all know people reuse passwords across different applications and services. So the next time it's in Have I Been Pwned, you know that Troy's got your password. You know, again, you want to know about it. So one thing could be as simple as using deceptive techniques together to give you maximum impact. So as an example, maybe having in the robots.txt a slash admin portal,
or something that you know is not real, but you create a form on there with a username and password field so it looks like a legit admin portal. And now they start hammering you with creds, and they're using something like Hydra or some sort of password spraying technique to try to hammer on it. Well, you don't really care that much that they're hammering on it, because you know it's not a legit endpoint, but now you're collecting the usernames and maybe even the passwords, where your ops team can have. Because now they can start looking and saying: do they have real user accounts? Do they have, they found that stuff out? Are they trying to use them? Are they using creds that might be legit? And now all of a sudden you can start going back to the users and say, "Hey, you know what, Bob, your password there is being used in a fake admin login there. A, we wanna change your creds, and B, we need to find out why the heck they're going after you." That becomes valuable, and that's where the developers can add more context through the applications. Sounds like a great conversation of dev and IT over pizza one afternoon, just doing that. Like, I hope, but you would hope, but it's also just a talking point. It's like, can we slip something into the sprint that'll help you identify attempts? Yeah, I love this idea of adding to the robots a folder to not scan that isn't real anyway. Like, it exists, but exists purely as that honeypot, as that trap, that the only reason you would ever go here is because you read my robots file. And so, as soon as you start getting down that chain of thinking of, we'll add just enough code to log as much information as possible and actually leave breadcrumbs for bad actors. You would only be here if you had, if you had malware untapped, right? And if you start getting deeper and deeper in there, the more complex the attack pattern is, the more high fidelity signal that they're really trying to get in there. So things like modifying a parameter that you have in your,
let's say, a hidden form field, or, you know, it's just a param that's being passed in, and you know it always should say, you know, admin equals false. The first time it says admin equals true, you know somebody's trying to manipulate that. That's a red flag, right? That's way before they've succeeded. You've now got that information collected. Well, you can even get deeper and more fun with this. There are ways of using deceptive documents to your benefit as well. An example that I gave in that talk on honey tokens was inside Word documents. Even if you have macros enabled, one of the capabilities that you have the ability of doing is embedding images that can be pulled from external sources. And you can hide the image in the footer of the document and have it call to an endpoint on your app, which would say this document has been opened, and I know it because I now have a request to an image on my server that I know should never, ever be requested. Right. An example might be adminguide.docx that you've placed into the root of your application folder. It should never, ever be accessed. If someone has access to that file, then you know they've got onto your system through some sort of local file injection or finding somewhere brief file access. That's right. And now they've got it, and as soon as they open it, guess what happens. Most attackers, when they strap the loops, whatever, they're going to take a document out of the system. They have the ability, they'll take it back, they're not gonna use it on the same tunnel, so it won't be that VPN. They're probably gonna open it later, or they're going to open it on their machine, and when that beacons back to your application, there's a good chance that the IP information you will strap from that request will be more zoned into where they're attributing to, where they actually are. Because they're not paying attention. They might be using their Kali box.
They have to pull up that doc and put it in their actual Windows partition to open it up, and then, boom, now you've actually got an IP. Now you can correlate that. I can see that they came in through this robots.txt to this form, they went into this form and did all this other stuff, and then the next thing I see, there's access to this document. Whoops, vulnerability somewhere. But now I'm able to correlate that information together, and I have an ability to better attribute that's on there. And there's lots of ways you can do that. When we're attacking .NET applications, one of our methodologies is to try to get access to the files. We know where the bins are going to be, right? They're always going to be in the bin directory, and a DLL, we're gonna extract that so we can run it through Reflector and decompile the code, so we can then look at how the application functions. This is one of the first things we're going to try to do to attack the application. Well, if you start doing things like embedding URLs in the resource bundle of the DLL, and someone starts going to that URL to try to figure out what the hell's going on, you know that someone has breached the server, downloaded the DLL, decompiled it, and are now trying to get access. That should never, ever, ever happen. So if that ever gets beaconed, you know you have a problem. And these types of things: "Oh, no one's ever gonna do that." Well, hopefully you're right. No one will ever do that means they never got there. But what happens the day it does? You now have a signal that something has happened. It's a great signal, too, when this gets back to the original question, which is like, how long does it take you to know that someone's at your walls banging away, or after the walls, right? If they get to your code, they've got to your database, you're already breached. Now the question is where we trying to find what's going on. Every moment,
every log is helpful to the ops team at that point, and anything that the devs can do to help with that, that's a useful component. Great thinking. I think when we think developers, you know, a lot of times unless you're in security engineering, you're focused on it. You're not thinking like the attacker, nor sharing many ways. It's hard to do that. But if you start thinking about signals of areas, in ways that people should be able to access things, you can use deceptive credentials. You could put in a web.config fake credentials to a database. If you ever see someone logging in with that, you know they've got into your web.config, right? Like, that to me would be an interesting thing to be looking at. Like, you know, or if someone's trying to inject, like maybe they've attacked into a server and you've got a honey user account that's on there, like an admin account that has been set up to never be authorized to log in, and if they all of a sudden are trying to log in and you see, let's say, Azure Active Directory and a login attempt to an account that you know full well should never, ever have been used, you have evidence that they're trying to pivot in deeper into the infrastructure. These are all things that aren't expensive. And talking to my friends Pat Hynds and Duane Laflotte, their attack was to take the default admin account, it was on bare metal, and change the name of it to, like, you know, Bob or something like that, and then create another account called admin. That's your honeypot. And, exactly, so the name of the account is the first signal to an attacker: that's what I wanna hack. Yep. And what's interesting is that you can already look at Active Directory. You can go in and set up an administrator account that looks and shows all the principles of being an administrator, but set it up with no logon time, right? So they have no rights to log in, ever. So even if they were able to get a way to log in,
AD would never authenticate or authorize it. But now there's an actual audit record that the account was used. So they're using something like Evil-WinRM, or they're using PowerSploit or some sort of tool where they're trying to pivot off those accounts. You're immediately being triggered. You know that that account is being used in a way it's not supposed to. But if you're a hacker and you log in as admin and you get no credential prompt or whatever, aren't you a little suspicious? Well, it depends how they get in. First off, a lot of times attackers aren't trying to log in. They're gonna do some sort of exploitation that's gonna give them a shell. In many ways that shell will give them enough access on there. So as an example, maybe they're able to breach your IIS web server. They get in as the network service or into the IIS app pool. They're in the IIS app pool. Now they wanna pivot off, right? They want to do is call the process, and so they're looking to say, can I do something like run something like Mimikatz in memory to be able to extract hashes, so I can go crack those or use them in a pass-the-hash attack or some other mechanism. There's lots of security mechanisms to leverage a little bit of a foothold and pivot into more perms. But that is the deceptive part of it: if all of a sudden they see a hash on a machine for an administrator account, and they go crack it, and then they go try to use it to pivot off to another machine. One of the deceptive, I don't usually talk about this stuff, but there's an unattend.xml that is in every single Windows server ever auto deployed, and you're supposed to remove it. Most people don't. I love putting it there for a different reason. I put in a fake administrator credential on there so that if someone tries logging in with that credential, I know damn well that they're enumerating the server and trying to get a foothold with an administrative credential. I know that that is someone doing,
It's up to no good, and that's an immediate flag response. That's a red signal and that is immediately reviewed, because no one should be ever looking at an unattend.xml file, no one should be using that credential, and those type of scenarios is how we start as defenders creating mechanisms, because as attackers, it's in our methodology. If you get a foothold, look for the unattend.xml, 'cause you're gonna use those credentials if there, you're gonna go in there. And there's technologies out there that exist that can help with that. But I sometimes wonder about fragility when you add more technology on there. You're just causing more risk, because now there's more endpoint software running on your service which you may not want. But techniques for things like robbing the hashes and late night on some of the servers I have, I put on a purposely which is Sysinternals tools. But they're not Sysinternals tools. They actually look like internal tools. But when you run them, they're collecting all the information of the connection and they're providing all the information we need, and as soon as you've tried to do something like PsExec, something that's trying to pivot off, you've actually sent me all the logs, the data of your connections and everything that's in your session. Now I've got enough details to work backwards. And these are things that, these type of honey tokens and honey files are there to help tell the story, once they've breached, of who the attacker is. But this is IT ops related. You want from a specific you need to do this in the app itself, 'cause that's an earlier warning signal. The role for dev is you can help the earliest signals in with the initial sets of logs of data for infosec guys to take it on or even get help. I mean, the idea of, hey, we're a small organization. We don't have a full-time ops guy or full-time security person, but we put enough instrumentation places when we feel like we now have a sense we're being attacked. 
We can get some help yet. Absolutely, and one of the other things I would suggest is that if you have a security team or an ops team, sit down with them and ask them: how do you correlate all your logs today? Because what you want to understand is what do they use, so that they can ingest your data into their systems. So as an example, I'm a big fan of Azure Sentinel and I have that SIEM for everything I have on there. So there is a certain way that I structure my logs and everything I have, so that it can be easily consumed in Sentinel, because then it could allow them, when doing attribution, to cross reference not just the applications I'm responsible for but any of the other infrastructure and other components inside of Azure, so that links it back up to a single path. They can start attributing more together because all that information works together. So if they're using, you know, if it's not Sentinel, maybe they've got Splunk, they've got AlienVault, latest tons of different solutions out there. Find out what they're using and make sure that you make your systems easily consumable. If it's not directly because you've got a lincoln to it, have it be exportable in a reasonable way that doesn't impact your business continuity on your application but allows them to be able to get those signals out assistant earlier. Yeah, yes, this just starts as a lunch and learn, where IT SecOps comes in to talk to devs about how we monitor for exploits and attacks, and then leads into a conversation of how can we, with a little bit of code or features, add to our apps to help you give earlier signals and more information, right? It's different like what we see with SRE, right, like site reliability engineers. They're doing the same thing. They're sitting down with devs to say, how do we get the telemetry autograph gatien's to know if an application is performing proper. 
Now we're just looking at this from a security lens rated slater how you provide those mechanisms in there so that we know about it. And of course as you're building the sand and trying to do it, just make sure that it has no critical business impact. Last thing you want to do is have the product managers hate you for implementing stuff that is making your systems more frail. Sure, but a lot of things we're talking about here have no direct impact. Adding a route that simply returns a null array should go through the same practices and testing as everything else, but it does so little. It's not impacting anything else that's on there at all, but it's raising a flag when a flag needs to be raised, right? And one of the things I like doing is things like, if you have a description endpoint. So maybe you've got something like, you know, you have a MEX or you have Swagger or some kind of endpoint that is publishing what your API is supposed to do. And then he says you can't add deceptive endpoints in the Swagger documentation. So that it's almost trying to posted that you know that they're actually trying to go. I've used this before to be able to identify threats where people were trying to elevate privileges using a fake endpoint, because it was described in a way that allowed them to do it, and ultimately that transcended into a customer account. We were able to see where one of their competitors was trying to log in as them using this type of technique. Magic's going like, we need to notify them a happening being. Here's who's doing it, and see if there's something that needs to be looked at there. And I think these things all combined together gives you a huge inability to have high fidelity signals of real attacks. Not children hacking at it, right? Not script kiddies. The nice thing when it's driven this way is if it's noisy you can turn it off or improve it, like it's just code, right? So done right, you should never hear it unless something important. And I think. 
That's the challenge is due to trivial limitation ear. You could have something noisy and then people start ignoring it. And that's dangerous. And I think when I roll something like this out, there should be an incident response plan, a mechanism to say: we're only doing this right now in monitoring mode, we are not to take action on it. Let's see what happens over the next few months and see what is doing goats match the big red button. The first on this goes off lead suspicious for a while and understand what it's doing, right? Because like if you have red teams or pen testing firms that you're engaging with, talk about this kind of stuff, because you want to see if they're gonna trigger that kind of stuff. And this is where the blue team gets together with the red team today. This is why I love purple team. It's like the developers and the security people should be working together to try to understand what is a real signal versus just someone playing. And if you get in too much noise, simply because, let's use an example. I would never do something like put an admin endpoint in a disallow in robots, because that is a common endpoint that's in every single wordlist out there. I guarantee you it will be noisier. It's too noisy. Kiddie sweepers looking for that. You're right, and that's not good enough right lane. But if you put something in there like admin slash it, where they're looking like, oh wait a minute, that's not normal. Yeah, then you want that sense of intentionality, that they looked at it, thought about it, acted on it. Right, right. And just remember though that not all spiders are going to honor robots tnc may very well just get a spider that going in sees it. That doesn't in itself make that an attack, but it's when you combine it with other things, because guess what, a spider's not going to manipulate parameters and ios or luke kuhn to modify it in a way to try to change some behavior. These are things they don't do. 
So if I could get one piece of every developer out there, I highly recommend you find cycles to go to something like some of the hacker universities that are out there for bug bounty things like HackerOne and Bugcrowd. They published like the Hacker101 and the Bugcrowd University, where they're teaching hackers how to look for bugs in your applications. And the reason I want you to do that is to learn their methodologies. How do they go and recon your app? How do they look for these type of vulnerabilities? And then start looking and saying, okay, well, sometimes they're gonna find real vulnerabilities, that could be, but any type of methodologies that they have to use, can I understand what is someone trying to hack my app versus a drive-by where someone's just trying to see if yours is locked or not, right? You know, at some point you've got to say, where is intent? And when I see things like people reverse JavaScript, call an endpoint that I know full well should never get called, that is a high signal of intent. Then I want to know everything that person's do. I wanna say one conversation to have with the ops guys, because they may not be aware, it's not that hard for us to write something like that. Yeah, added that thing in. But how should I raise it to you? What data should I gather? Like, wait a few minutes. Conversation have fairly small piece of code that could just give us a few weeks head start on an unintentional attack. Again, I feel like we could go on, talk about this forever. But what's next for you? What's in your inbox, my friend? I'm continuing to work on a lot of security research that's on the offensive side. So I've been getting asked about a lot of people to help with how to attack Azure and understand that. So I've been doing a bunch of research and work with Microsoft on some of that stuff. 
But I'm actually hoping to start providing some more content on that, either through my YouTube channel or I might even be helping a security agency that's gonna be leasing it as a course, just because I think this is where development. It's need to merge in the middle, and that's understanding how to offensively look at code and Azure. That's my answer guy. Right, sorry. And I love the red team. I love the exploitation side. It's something that I've always enjoyed. I spent so much time on the blue team that doing the red team is always a lot of fun. I like the idea of putting some paranoia into the attacker, right? That's just defenders paranoid for a while. You hacker would trip something that gives them away. I love everything about that. Yeah, well, it's putting it back on the defenders, you know, when blue team now has an edge, starts being useful. And if we start looking at that, there is so much more in honey tokens that can be done. And I've been exploring like that, like how would you look at something like, how would you know someone's trying to enumerate your Cosmos DB, right? How would you know if someone's in your storage account, trying to extract stuff? And that's some of the stuff I've got now. I've got a ton of Python code that's actually attacking stuff left, right and center, and it's not triggering anything at Microsoft, and it's like, good, now gotta go deeper. How do we keep digging, getting in here and then working backwards? And how do we defend against it? How do we do this? Because shared responsibility model in the cloud. And I think there's a problem where we as developers, just when we start using the cloud, we're like abdicating responsibility and saying, Microsoft takes care of that. They've got the SOC for this, they've got the security operations for this. And it's like, no, no, no. It doesn't work that way. Your app is your app and your need is your data and you're responsible for it. 
So how do we start creating mechanisms to be able to know about that? So we go right back to the beginning of the show and we're talking about things like package management, right? Like Azure DevOps in of and GitHub, they all have mechanisms to look for these type of packages. But what if we have the ability to inject these packages and these things like containers in a malicious way that can be manipulated? There's a lot we can start doing, because everything's getting automated now for deployment, and if we have infrastructure as code that can be manipulated, things like ARM and Bicep and all these mechanisms in Azure, there's a ton of risk. And I wanna make sure that we're exposing developers to what that risk looks like and how to look for it, so that hopefully they'll get it fixed before it becomes production. Jane, thank you so much. This has been very enlightening for me especially. I know you guys talk about this stuff all the time, but thanks for sharing your knowledge with us today. No problem. I'm here anytime you guys wanna talk security. Sounds good. And we'll see you next time. .NET Rocks! .NET Rocks is brought to you by Franklins.Net and produced by PWOP Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course in the cloud online at pwop.com. Visit our website at dotnetrocks.com for RSS feeds, downloads, mobile apps, comments, and access to the full archives going back to show number one, recorded in September 2002. Make sure you check out our sponsors. They keep us in business. Now go write some code. Next time off.

Azure APIs with Jeff Richter

.NET Rocks!

58:06 min | 3 weeks ago


"Welcome back to dot net rocks. This is carl franklin. And this is richard campbell and we're here with jeff richter it's been a long time he'll come on in just a few minutes but i just want to say. Hey mr campbell. How you doing. I am all right. How are you i'm good. I'm good almost recovered. From whatever happened in the back of my throat and my chest that i picked up in florida but least not coverted. Yeah well considering you already had it and been vaccinated seems likely and i'm about to come out of Out of quarantine from from the Too so i finally get set loose. No family for you know dot marketing all right. Well let's get started with a thing. We call better no framework awesome when he got says. You know. i've been doing this blazer. Train series for a long time and in dot net six preview four which came out in may They added really good support for hot reload. Yeah the blazers story is nothing short of brilliant Blazer server blazer web assembly doesn't matter the thing is that you have to use the dot net watch tool command line tonight in so it's weird because you're not debugging when you use this it pulls up a browser and you see it you make changes to either the markup or the code in visual studio and when you save it poom it just loads up in the browser so you can literally do it. You used to do with html javascript which is just pull it. Protects editor hit save. Refresh the browser. And everything you know you get it out. But it isn't debugging so the with the debugging hot reload. The thing you can't quite to yet in blazer is the markup but the code like if you have any classes that are rare code code bind glasses or whatever you make a change to those as you're debugging you press that fire button the hot reload button in visual studio which has to be the latest preview version of visual studio twenty nine thousand nine hundred or higher and then then it reload and it works. But you can't do the same thing with blazer markup yet. 
At least i couldn't yet and i didn't see anybody doing any data makes sense. They've been they've been working on the dot. Net side. i enforce markups are different area. So i get that. That's it is cool. And i did a blazer train about it and this is episode seventeen forty seven so if you go to seventeen forty seven up plop dot me. You'll see that blazer train episode and get this. It's only ten minutes long like it's not. It's easy it's fast. It's quick and it's awesome. It's awesome so who's talking to us today. Mr campbell grabbed a comment. I figured going back to two thousand eight for comment probably not appropriate two thousand eight probably not just say So i grabbed a comment show sixteen eighty eight. Which is the one we did back in. May of twenty twenty as the sort of nbc. Porto that didn't happen so everybody was remote. It was all online right and we did that. Panel discussion about api specifically right. I know we're talking. Api's today and this comet seemed particularly relevant because this comic comes from neck and his from about a year ago where he said arena was beating. The rest is so bad drum for the entire episode at. I love it and i would point out. There are other comments. Votes rest is It's not really that bad but teams continue to keep falling into traps of bad design. Don't know until it's too late because rest doesn't have a forceful opinion. It's too easy to make bad decisions. The rising trend in this industry is seems to be going towards heavily. Opinionated av is so the people quit making those kinds of dumb decision. And i think we've seen that in a lot of code in a lot of places frameworks and libraries and so forth. Api's too opinionated make sense. It stopped being all things to all people say. This is the way we do stuff. You don't like it use a different. Api right it makes a lot more sensitive. Any use did not get into those nasty traps so nick. Thank you so much for your comment. 
A copy music obe buys on its way to yun if you'd like a copies to co by write a comment on the website at dot net rocks dot com or on the facebooks republic every show there and become it there and everything on the show. I'll send you a copy music. Khobar and definitely follow us on twitter. I'm at carl franklin. He's at rich campbell. Send us a tweet and make sure it's highly opinionated and sorry man that brings us to our guests. I think you said two thousand eight was the last time. Thousand asia was on hold episode. Three hundred sixty one. Wow so a near. Fourteen hundred episodes ago well in his bio has changed. Let me read it to you jeff. Richter is an azure software architect and has authored several bestselling windows dot net programming books as well as many msn magazine feature articles and columns. He's also co-founder of winter lacked a software consulting and training company where he's authored many videos available on intellect. Now welcome back after geez. I don't even know how many years old bunch. Yes well thank you for having me. It's good to be back so to lao. We reconnected was just some community. People were having sort of an after hours chat. And jeff got invited. And i got invited and you're not just totally started geeking out about old things that i remember you on dot net rocks telling us about. You're a contractor at microsoft at that time but you were working on windows the windows base and how you'd have these like switch statements for the application running is let's say adobe after facts or whatever it was i don't know what it was. Then you know do this. And if the application is whatever and i just thought that was just tickled my take on my funny bone but you rightly said that you know we we. It's good that we have those things in there because it means we're taking care of our customers. Yes microsoft bend over backwards. 
You know, every time they want to add features to the operating system, some of those features might break compatibility, so they run a bunch of the old apps on the new system, and if they see something is not working right then they'll put like switch case statements in, like you said, they call them quirks in the operating system, to make sure that the apps keep running so that there's no hindrance to customers adopting the new OS. It's really odd thing. I won't take this thing because my Adobe app doesn't work anymore or something. So it's a win-win for everybody, right? Yeah, and I think he had matched ops. I mean, anything that would stop a sale of the new Windows, they're gonna fix. Well, sure, we want to keep the customers happy, keep Adobe happy, and of course Microsoft wants to keep itself happy too. So I can't imagine a scenario in which I would do that for my customers. Like, if my user is blah blah blah, do that. But however, if it meant, you know, keeping that customer happy and not screwing up everyone else, then I definitely would. It's different when you're an operating system. I think definitely us. Yeah, so we're here talking about APIs, Azure, and this is actually spawned from one of these conversations we were having a month ago or so, and what is your exact position? What do you exactly do? The APIs, Azure. Okay. So I wear many hats in Azure. So one of the hats is I'm on the HTTP REST API review board, or stewardship board we call it now. So we are a stewardship board, we understand very well. We create the guidelines for the entire Azure organization as to how any Azure service should be exposing its API, so we make sure the things are important, for example, they support optimistic concurrency, all those HTTP goodness things that go on there, urging up breaking changes for customers, compatibility, stuff like that. So whenever a service team is introducing new. 
Api's their bring those api's to our board and we review them to make sure it's consistent with a niger policies because we want to look like a holistic platform to customer right not like this service was created by this company and this service created by this other company. We want to look like one company and there's some consistency across the board. So that's a big part of what we do and coming up with guidelines that make these teams be successful another thing. We focus very heavily on there is sustainability. We want the service to be sustainable for the service team but also for customers so the service should be able to evolve over time without breaking customers and without the service team. Having to do weird incantations in the code like those corks things. We're talking about a windows really. Yeah we'd like to have a really good growth past that can live for big. Potentially decades azure storage. A team i was on for a few years joy microsoft full-time that team in vet that's been around for more than fifteen years now or so so we expected to live for many more years to come. So that's a big part of what i do so another thing i do is i'm on. The azure breaking change review. So we do want these teams to evolve and sometimes they want to make things better but making it better might also break existing customers so whatever team wants to make a breaking change they have to present it to the board. We review the change. We see how many people it would be would be affected. Customers would be adversely affected by this. Change we kinda judge. How important is this change. Is there another way to accomplish the same task without breaking the customers. If we do break the customers can we just break them in a minimal way right. Not some dramatic way. Br break the fewest customers. Make us you know the smallest possible. 
Jj again, we're the least number of places in their code, right? So maybe change the method that creates a resource but all the methods that return the resource for exactly the same one that. So it's a long analysis that depends on many factors. Is the API in private preview? Is it in public preview? Is it a GA service? How long has it been in service? How many customers does it have? A lot of things we have to analyze. We also do retirements too. Sometimes the service team can't support it anymore, for whatever reason. We have to retire certain things, right? So I helped create the policies around all of this, and I'm on the board to review these changes, and then we talk it over with the team. We try to arrive at the best place possible for the customers. So this affected us in a very specific way, which was, you know, we have this admin application for our podcasts, and it's great because it puts all the advertisers' stuff and all the documents, the description, the title, photos from the guests and sponsors, and also it's a place where we can collect files from everybody. So when we're done with this Zencastr interview, I'll take the MP3 files that each of you generated, I'll upload them to this admin tool, and what it does is it puts them out into Azure Blob Storage. And so sometimes these files, especially WAV files, right, can be three hundred, four hundred megabytes apiece. You know, the MP3 files are smaller, obviously, but let's say three hundred fifty megabytes, and so you need to do sort of a chunked deal. You need to upload it in chunks so that you can update a progress bar, so the user isn't sitting there while it says, you know, uploading to Azure for ten minutes, and you don't know what it's doing. And in version 11.2.3 of Microsoft.Azure.Storage.Blob we were able to do that, but in the current version. 
Twelve, there doesn't seem to be any mechanism for that. And I wouldn't necessarily call it a breaking change, but it's sort of the removal of a feature, or at least the rewriting of how you do that. So I remember talking to you about this, but you had to be really good answer for it. Yeah, well, we would consider that a breaking change, definitely. Certainly removing features is a breaking change, money even if you have to modify your code to use the existing feature. That's also considered a breaking change. Okay. But before I answer your question or talk about this progress reporting, I feel like I should say one other part of my job is that I'm on the SDK team, where I helped design the way these client libraries work. This Azure SDK team is about two and a half years old now, and Scott Guthrie caused the team to be formed, and we decided that we were going to re-architect all SDKs for all the Azure services so that they were consistent across the board, and we knew that that was going to force breaking changes to come into play. Okay, and Scott agreed that we'll do this, and then we hope that this new architecture will be sustainable for years and years to come. So I'm largely the architect, with some other people of course, on the design of these new SDKs. For progress reporting, the design that we have for doing that progress reporting, when you're talking about uploading blobs into blob storage, or files, you pass the upload API a stream and it's gonna read from the stream as it does the upload. So the right thing to do, we believe, is that you wrap that stream with a progress reporting stream, and it's always been our goal to have a progress reporting stream class in the SDK. But I don't think we've created it. Again, it depends on what language SDK you're looking at, but it would be fairly trivial for someone like yourself to go and create a progress reporting stream. It's maybe ten, fifteen lines of code, right? 
So, and then just use the decorator pattern, common in object oriented languages, to decorate your upload stream with the progress reporting stream, and then as our API is reading those bytes from the stream, your progress reporting stream will get callbacks in it, and then you could update progress reporting. Yeah, yeah, so that's really good. But I didn't see that in the docs as far as how to do that. But, you know, I know I could. It's in the docs. But I could figure it out, but I appreciate it. I mean, I appreciate the fact that you guys are thinking ahead of uniformity, and that's the new way to do things. Well, it's consistent. And I think if we were talking about .NET specifically, which I do not focus solely on .NET and C# anymore in my life, I have much scope, but if we're talking about that specifically, this progress reporting stream should probably be in the .NET standard library. Yeah, so that we don't actually have to create it, and then we would assume the .NET programmer knows it's there, just like you would know FileStream is there, NetworkStream is there, right? Right, or CryptoStream or whatever, compression stream, and then you just it with that and then you use. I mean, there is a question here of should that service to push up to Azure be part of .NET, or is it just an Azure API, like any language, any platform should be able to call? Well, yes, that's true, but at the wire is HTTP. You're using some kind of HTTP stack, right? In .NET you're using HttpClient. In other languages you're using whatever they have, right? And each one of those may have its own unique way. Some don't do streaming, for example. Right, right. So you have to give it a pointer to a buffer and a buffer size. 
And that's when it's going to upload. If it does that, then there's no way to do progress reporting, right, on that individual block, right? Because it does it without your involvement in any way. But if it would support streaming, then we would recommend, or what we want to implement ultimately, is a streaming wrapper decorator, and then you get callbacks. Yeah, very cool. And use the same thing for downloading? Everything, download, anything that requires progress to be reported. Yeah, I like it. Yet it's interesting just to think about long-term maintainability, where if you have pieces living in .NET and pieces that are API, like what changes where. I guess is where your whole board comes into play, to make sure that stuff stays in saint definite. Well, yes, for the .NET part of the ecosystem, yeah, sure, right. But we do other languages too, which Microsoft doesn't own, like Go or Rust for example, and so we just have to track those communities, and when they do certain things that might affect us then we figure out how long it should take us before we embrace those things, right, and the right way to do those things. I do like the idea that if I understand some area of Azure APIs, I'll be comfortable with most of them, that they should all be of similar style, similar authentication strategies, similar structures to their APIs. Is that the goal, or is that true? So there's a consistency across the services. Like they all the same way, they all do Lemesurier distributed tracing the same way, or they all do optimistic concurrency or idempotency the same way. Then in the client libraries we want to have consistency there across languages. We have a certain set of features that we want available, like cancellation, distributed tracing, telemetry, retry support and so on, authentication. We want, we know. 
This is a core feature set, and we know we want those implemented in every language for client libraries. Then we have an architecture that allows us to implement them in a consistent way. So for example, we have this thing which we call the HTTP pipeline, and each one of those things I just said is a policy that plugs into the pipeline, right? So there's a retry policy, distributed tracing policy, authentication or credential policy, unique request ID policy, and customers can actually create their own policies and plug them in. So customers could do things like a client-side caching policy or a fault injection policy if they wanted to. We don't have those. Someday we might, but today we don't have them and we don't give them. And you just now. Depending on the language, maybe you create a structure, maybe create a callback method, or maybe derive off a base class to create your own implementation of that policy. And out of the box, again, we provide all the ones I said initially, and then you just create this array of these policies, is what a pipeline actually is, and when the HTTP request is being constructed, or right after it's constructed, then it walks its way down through the pipeline, so it goes through all of those policies. The last policy is the transport policy, which sends it out over the wire. And I'm very proud to say that Polly was one of those first sets of policies that you guys implemented, the retry policies in Polly. The policy architecture's really, really nice. It has been really nice, because we've had other teams come to us and ask us to do things, like our architecture, this allows us to plug this extra policy right in and now we have the support for this additional. Great. It also allows us to say, well, we have a couple requests for this but not a lot, so maybe we'll let customers do it, make them plug it in, and then over time we can decide if we want to add it to what. 
We call azure core as our core infrastructure piece that we have a version of for every language it's sort of aspect oriented isn't it. I mean the code the code that the programmer does to you know make request and execute. It doesn't change really. I mean everything is happening down below yes. yeah sure. it's really nice. I'm trying to figure out how you guys don't end up being a bottleneck like that. There's so much happening at the same time. Inside of azure like. How do you look at all these. Api so you mean as part of the stewardship board you mean is probably sdk team. Which where where are we being. Potential bottleneck is. I just think there's so much. Surface area in azure. So many things happening at the same time like it's really interesting to try maintain How do you do that. Yeah that's a great question. Actually so very firm of august time. There were actually a handful of us on the board and it was being very challenging for us to keep up with all the workload that was coming in but just recently we've got a lot more headcount and we have hired a bunch of people on the team two and a half years ago just to give you a point of reference. The team was started. With me. And peter marco who was just two of us. We're now over one hundred fifty people in now so so the team has really grown quite substantially and we're still continuing to grow so we have a lot more people on the stewardship board. Now that's cooled that allows us. I mean the other problem is when i go on vacation which i just came back last week in a lot of stuff came to a standstill. Now yeah and the the breaking change board in particular. It's actually just me and one other person and they always seem to be a fire that needs to be put out so right. Usually when i'm on vacation. I still have to take the phone call or do email here and there. I can't deal with fire. But yeah i guess what. What's the conversation about breaking change. The is a really outcome is. 
Hey we're not gonna make this change. Yeah yeah there. There was a big one yesterday. I probably shouldn't say the team or what they were proposing. Yeah that's fair. But I shot it down completely and I said you just can't do this. There was another team when I was on vacation where there was a legal issue. That was coming up. Somebody thought that we were using something that we didn't have the rights to use rather than fully fighting it. We decided we were just gonna stop using that thing and but they were going to charge us money for every day. We continue to use it as like a fine so we had so we're gonna break customers on that immediately right. That's very very rare. In fact the only time that I'm aware I've been doing. This is the only time we made a decision that we're going to break you immediately just so customers feel comfortable. This is on a service. It's not used by most people and we kind of have a work around where it's not exactly what it has mostly worked exactly what you right. We're just getting rid of this extra piece that we don't want to. We may not have the rights to use anyway. But also I'll say so. Our normal breaking change policy is that if a team wants to break customers for whatever reason then typically. They're allowed to do that. But we give customers three years notice and three years of time for them to upgrade their code. That's our office lot. So that's like the full long long license version for .NET of duration. Now guess several if it's a secure security or compliance related thing then it's only one year's notice okay don't want customers to be exposed to some chew security breach for three years even years. Some people debate. That's too long too but we want to give people some time. The alternative is breaking their software. And that's not accept right so those are formal policies. This legal thing happened to be like a one day thing but we never come up before. I don't know he ever come up again. 
Hopefully not willie ease is an interesting aspect of of developing offered. The scale is like the origins of code libraries being used so forth like that. So that's a big challenge. We talked about this with rocky. Wrong about using. Open source and enterprise software justice. Do you know where your code game from. Do you know where that open source. Who made that open source library. Where that code come from like those things matter but i'm abundantly aware that microsoft is very diligent about any codes they introduce in and checking sources very much so there's always legal that gets involved to read over the licensing agreements For any other parties third party stuff that we consume and now we enter into agreements with companies that they have to adhere to our breaking change policies to bribe so i know the azure data factory. People they have a lot of third party plug in components and they'll have agreements with the people who make those third party plug ins that they have to agree to our raking change policies of three years or one year so that we can ensure that to the customers of azure data factory. Absolutely in germany would interrupt for one moment for this very important message. Hey carl here you know. There's something new from our friends at tax control. Tx texts control supports the integration of legally binding electronic documents signatures into your espn at core web. Applications simply use microsoft word documents. Prepare them using the texts control online editor and requests signatures from signers. It works just like well known e sign services but runs on premises in your infrastructure without sending in storing documents somewhere else to showcase typical workflows and the texts control electronic signature technology. They published a fully functional demo. That can be used to create and request signatures signed documents and to validate executed. Pdf files see the demo at e sign dot text control dot com that's n. 
dot text control dot com. This portion of dot net rocks is brought to you by elastic. Elastic enables the world's leading organizations to put their data to work using the power of search whether it's connecting people in teams with content that matters keeping applications and infrastructure online or protecting entire digital ecosystems elastic search platform is able to surface relevant results with speed and at scale learn how you can get started with elastic search platform for free at elastic dot. Co slash dot net rocks. That's elastic dot co slash dot. Net rotc ks and. We're back dot rocks. I'm richard campbell. That's carl franklin. Hey we're talking to jeff richter about this role extraordinary role that you're in to help Sort of unify. Api's and to try and advocate for us out in the field here did not get surprised when jj's app. Yeah i mean i love what i do. It has enormous reach. I think it's very impactful and sure make makes it makes a huge difference without a doubt and it's one of those subtleties. I don't think a lot of people think about you know you're working in your malaria evanger as a developer of course those things consistent but just this idea that that that consistency spreads across a lot more. Api service than you realize. Oh yes the work is. I don't know several thousand engineers alright in code every day all going in different directions so you know that whole e are you thinking about the impacts of your changes. You can't just change stuff casually. I thought i've ever thought they really did. They were always pretty careful. But it's it's just leaving larger scale now see how some yes. Some no. A of teams since azure microsoft growing. We get a lot of students in fresh out of school. Who don't have as much programming experience. Their coaches univ- reviewed by somebody more senior yet. But they don't always have the discipline or the fourth on of. How do i make cone sustainable in the long term another thing. 
It's i think common at microsoft and maybe a lot of companies to but probably less would like apple is that microsoft's i've noticed in all my years. There have tend to out a lot of features at a proactively. We think a customer will like this. So let's go implemented right. What a lot of people don't understand is that the cost of implementing a feature is cheap compared to documenting it testing it support. Ivorian post for the list goes on and on right videos. That are created presentations at conferences. That get reported the people watch later. But then you've changed how the api works now. It doesn't match anymore sample code so the actual implementation is like one percent and ninety. Nine percents is other. I think there must be institutionally implemented response for every program manager at microsoft when confronted with an idea for a feature or change. The answer is and. Why would you ever want to do that. I swear to god. Every time. I talked to somebody you know. They need is this. The first thing they want to hear is the use case. Yeah well certainly. That's true so we're trying to change the culture a bit to say let's ship the minimal viable products get feedback on it and then let slowly iterating over time my slowly. No some of these services update once a month so it's not like those things where it was once every three years right. It's no. I think that's a very cool aspects. Certainly watching dot net in gift hub. Where folks talk about an issue or any moments deals sale and within a month or two. It's running in a preview bill. Yeah like the number of times. I see that message like i can't believe i'm already playing with this. We just talked about it a few weeks ago but you know the teams are really responsive and speaking of windows. I hear windows. Levin's gonna run android apps. What and why would you ever want to do now. I mean that's you know hearkens back to the days where if you remember. Os two when os to was trying to you know. 
Ibm was trying to re redo that and it was in the time that windows ninety five without. I can't remember when it was but but there they were bragging about being able to run windows three. Oh apps oh that's right. Windows three one was out and boom. They they had just implemented. You know windows three. Oh absence so everybody was like yawning magic back in the day. It's a long time. Yeah only man wow android on windows. Yeah nineteen eighty s. That's but yeah. I mean if she to see how much lennox kernel code is running in windows now in the end. Androids running on lenox. So they're really emulating that they're running some lennox colonel inside of windows again. One i'm guessing. It's on top of the window subsystem. Wwl's whatever it's yeah it's it is a fascinating time you know. Some of their. That idea came around again. It's like what if the colonel was. Just lennox what if windows was actually the gooey. That lennox always wanted. Yeah yes well that. I don't foresee that ever happening. It seems unlikely. I kind of thought that was going to happen with windows phone. You know that they were going to adopt android as the base platform and keep that wonderful user interface that that we enjoyed for a few years because i still to this day. Think that that's the best mobile you i've ever used and i wish i had it now but the tiles. Yeah the tiles contract. Centric stuff windows eleven. All the tiles are going. You weren't appreciated by most people only ucar. Yeah i guess i didn't see. I haven't seen the preview of windows eleven yet. I just saw cursory article on my phone until somebody interrupted me on. I had to put it down. They messed with the u. I again you know. it's it's interesting to see. I mean i'll certainly take it out. It's been the all wheel but It is interesting to see what the impact a veto. But they're doing there. Didn't they tell us that win. Ten was like the last windows. Hi do seem to remember that but not true. 
Apparently apparently not you know are the learn share with no. They don't care what the number is now. They started out with putting out major quarterly revisions of Windows. Leave me on the. IT side baghad old fast but most IT shops are not set up for that. Many updates to Windows davis dropped behind. Like I love that. You're making all this stuff we're just not gonna use it. Thanks well not exactly Windows. Memory management anymore. That's gotta I got a question for you. Jeff and I think I may have asked you this one way back in two thousand eight also but you know a particular challenge. That was a little bit surreal. You know because you obviously have these scenarios that come up they get dropped in your lap fix this. And here's why and you know something that left you scratching your head. Maybe oh you're asking me. What has yeah. I'm asking you to recall. Oh let's see. I mean there's been many challenges certainly I faced in my life. Technical non technical of course mean one that is kind of fresh for me is other was a in. SDKs Azure SDKs we're recommending the customers use managed identity for doing authentication to the Azure services. Managed identity gives you back a token refresh token and the refresh token requires that you refresh it periodically so we you might have a client like a blob client objects and you might have hundred threads that are using that blob client object simultaneously. And if they're all using at the same time and it comes time to refresh the token then. What should we do so should we take a lock. And one of the threads that owns the lock then goes and refreshes the token and all the other ninety nine threads. They just stopped running. That doesn't feel good. Tammy right plus. You don't generally wanna hold a lock over an I/O operation which is refreshing of the token because maybe the earth never replies so now all one hundred threads are blocked indefinitely. 
So that right you'll good. Do we want all one hundred threads to try to refresh the same token that seems wasteful time consuming so we tried to look at a high scalable way that we could write an algorithm to do this. And when I say we this was actually be so the royal thought about it for a couple of days and then one night. I'm laying in bed trying to go to sleep and all of a sudden. Wait I think. I have an idea. And I put my surface profile. Love it and I do a bonus room and I sit down and in three hours. I come up with this solution using condition variables so that. There's a time window so let's say three minutes before the token expires when one thread detects that it will go and make the request. The other threads will continue to use the current token which hasn't expired yet waited. Hopefully the I read will get the new token back. We'll just update it atomically and everything just keeps running. So one thread gets a little hiccup the other nine keep running at full speed and then if it's updated then everybody keeps running. If for some reason the token does completely expire then the other ones do stop. Because we don't wanna make fail network requests with a token we know expired right so anyway I worked on this algorithm for a while and were now. We've encoded that up in all the different languages and now our SDK uses that algorithm. That is so cool. Who'll I accept clean initial variables and see so was on there. I've done that many times. Been laying in bed you know or or just like the inner dream came to me in the middle of the night and for some reason my brain just kept locking on that solution and in the morning and just like it's so cool shower also seems to be good. Yeah somehow seem to get good ideas there too yeah. I'm a big believer in leading stuff burning evacuate rain for a while. It's like I ramming my way straight on. This is not happy. I'm just gonna let it cook and. And sure enough yet. 
Another pot of coffee isn't always the right solution. The number times I was like this is not working tonight. I'm going to bed and hit the bed and had the wife roll over and go. You are vibrating. I don't know what the hell's going on in your head but go deal with it and just laying down from. It was enough to go. Oh yeah of course enough you go now. Yeah it's funny. How we how. We solve problems like that. Yes sometimes away from the problem for a while. Go on vacation or something. Yeah our leaves see a movie do something and then it come back to our. You're at a place where you like. Maintaining templates for APIs that are being built in the organization around stuff like the authentication logging and so forth. So it's like here's table stakes. You have to have all these things go do them. I will definitely we have. If all public the Azure SDK team has all these guidelines we have a guideline for each language. But there's a core set of guidelines that all languages must follow up. Yeah and those are the things you must support cancellation. You must have were distributed. Tracing they have to have bravery have retry support so we've coded those all up and then in different languages we code up for a specific language. Here's how we're going to expose this functionality. So like in C#. There will be a blob client class. Constructor will take the URL to the endpoint. It will take the credentials and it will take some other configuration options like how many retries. How much time between retries. That's the most common one. There's some by logging is also in there too. And then in .NET every method has to have a cancellation token as the last parameter right in Go. Every function has to have a context as the first parameter which using Go to cancellation. So what is the type. And which parameter is may vary but the concept is there in all these languages right in .NET. You have inheritance in Go. 
You don't have inheritance so that changes things on language have interfaces some. Don't some have enums. Some do not have enums so we have guidelines or specific for each language are see. I'm on I'm on. GitHub looking at the Azure SDK entries and yeah you could design guidelines for a host of languages some of which come from Microsoft which down. But it's also think agnostically like. How do I approach these services that the clients are being built over so that it doesn't matter whether they have inheritance or doubts know that they're going to work for everyone. It's I think it's very easy when you're language centric to build. APIs that really only worked for that language. It's hard to use them in any other way. Yes so our team has an architecture board of which. I'm a member and we have members who specialize in different languages so I'm specifically the architect for C. Which is mostly from embedded devices C++ which is wildly different than C. And then Go. We have other architects who do Python JavaScript C# Java those are other our core main languages right. We also have iOS and Android support as well so we have a. We have an architecture. Board meeting set up on the calendar four days a week from two to four. We don't do it on Friday today and then in those architect meetings we all the architect board members show up from all representing all the languages and then we review. API so the storage team might come to us and say we've added this new API for blobs and here's what it looks like in C# and then we'll say okay. Well then that's what it should look the equivalent in Java or the equivalent in Python or the equivalent in whatever and bribes. We debate them and say well. This has actually following guidelines. You should change. The order of these parameters were this structure should be a class or this should be an interim as or in debate those different things yet. 
I appreciate you have architects from each of those languages of their advocating for. Is this going to be reasonable for a programmer in this language. Exactly right so that allows us to have consistency then we produce those guidelines and then sometimes new thing up how should like we didn't do distributed tracing initially and then people came to us and said it would be really nice if we had distributed tracing support in the client libraries so then we had a few architecture board meetings where we weren't doing. API reviews that we were discussing. Okay doing what to do distributed tracing or not it we do what aspect of it do we want to do. And what things do we want to support. How should we plug it into the cisco which ultimately ended up being a policy that goes in the pipeline as where things end up going so though we have those kinds of conversations and then once we come to agreement on those and it might take a few arch board meetings to do it. Then we if its core functionality then our teams also responsible for creating an Azure core component for each of the languages and if it's a core functionality we will put it in there all the client libraries depend on the Azure core for that same language and so ends up so we distributed tracing Azure core all client libraries in that language now have distributed tracing support and it works the exact same way. It has the same options the same parameters the exact same thing across all the different services within that language. And it's it's been a great way to work. I think. I think it's really been a great thing for customers. I think it's really been great for the teams at Microsoft because they take a dependency on Azure core and we do most of the heavy lifting for them. They do the service specific things we do. Infrastructure stuttle right when new infrastructure gets added. We'd put it in and then everybody gets it for free. They don't have anything to do. 
Just shows up magically so it's a really nice way to work and it's it's funny how it's maybe thirteen fifteen years for microsoft to arrive at this model but it's working particularly well and we think it works really well for customers. Yeah well. I think it's one of those things that a lot of folks just don't know about the amount of effort goes into to make sure your language runs well against everything in ayrshire. Yes another thing they were guilty of in the past is our library. We will get feedback. The python librarian looks a lot like it was created by a c. Sharp developer and it was happened yes so a with our team we are team is divided up by language and the engineers who work in that language are experts in that language right right whereas when the service teams did their own client libraries almost all the services regency shar right and so when they would make they make c. Sharp client library. I of course and then when customer said why us job or i use python then we would have to grab a c. sharp developer. Because that's all we had and say here you go go make the place on version of this figure. Yeah we don't work that way anymore now. We have dedicated teams with experts in that language. Where almost so the python thing really looks like it's written by a place on developer for python bill. Hey jeff i notice nobody else can see this because this is an audio podcast. But you've got a very colorful stratocaster hanging up behind you. Fender strat guitar. And some interesting pictures. And i can barely make out some celebrities in those pictures can you. Do you mind telling us about this collection. Sure happy to guitar. I go on a progressive rock crews almost every year and it's called cruise to the edge out. Are you probably progressive rock or are you just. I'm just a fan. They have the famous bands on the ship. Okay so it was so it's called cruise to the edge and it's the headliner has been. Yes based on their close to the edge out right here. 
If i found a recommended referred a friend to go on the cruise then the members of yes would sign a guitar and they would give it to the person who did the referral now so that with this guitar signed by the members of yes so i never play. I don't touch it. Because i don't wanna ruin the other pictures on. My wall is me and famous semi famous ish us editions famous as prog rock musicians. Mant some of them are the most famous of all aren't they. I mean the appeared in russian. Neil won't take a picture and of course he's late. he's passed away now. So but i do have one with getty leeann alex license russia revere corner vow and emerson lake and palmer and chick corea who died recently and members of us in members of yes. The bottom row is me. I'm bill gates and the bomber. And i have impending teller awesome. He missed the sacha photo sagan. The you're missing the sacha photo. If you've got bill. Steve you kinda need sach it around. Yeah i've never met him in person so it hasn't wow yes. He is an interesting character to is about. Yeah i have a lot of respect for him. Now he's changed. The culture of the company alive really has truly more in line with my personal values of like one microsoft. Everybody helping each other in fact here all all share you. A story from years gone by where two teams at microsoft wouldn't talk to each other. So i was doing stuff for i was consulting in negative and i was doing work for the spy. Plus plus program that ships with studio in fact if you opened the about box for that my name is still listed in the about box for that is contributing to like mike. Ahmanson one of the developers of that as well i by spy Not not vice by this is spike lost. Plus okay the window messages. That are coming into a win. Okay i'm sorry practically no one uses it today but way back when it was pretty popular too okay and a lot of used it. So there's a thing in windows called a registered window message where you register a strain and you get back. 
His senator and this injure the comes through the window message and the spy plus plus team. We wanted to be able to find these registered window messages and we wanted to display the strength in the user interface. Not a number to make it easier for people to see this in work with while there was no documented function in windows. That where you could pass it the number and it would give you back the string equivalent and so the spike plus plus team at microsoft. Didn't know how to make this war. Because i had done so much work with windows. I knew a lot of people on the windows team. So i went to the people at microsoft and i said if you pay me ten thousand dollars. I will go and i will figure out how to do this. And so we wrote up a contract. And i signed the contract and then i went to a friend of mine windows and i said any idea how to do. Not but if you call get clipboard. Ormat name and you pass in that number. We'll give you back the strength. His ten grand. You ever made a week before i have coordinated the result right. Don't wanna be too fast. Boy says a tough week but here you go out along prime ago awesome catcher. Microsoft wouldn't be like that today today. We're encouraged all work together as one microsoft and people talk but back then that was my comical example of the teams competing with each other and not feeling comfortable working together. I was thinking about this. Richard that if there's one person without whose work the current state of microsoft would still be windows centric who that be oh one one person who made critical contributions to the current state of microsoft. There's so many people. Yeah but there's one in particular and all that i'm thinking miguel de causa. We'll you know it's hard to argue with that because especially when you think about sort of the dark days ryan at you know. I remember when when anders was moving onto what would ultimately become type script very worried about what was that. Mean for c. 
sharp at at the same time that you're wondering about that in the galloway's mickey c. Sharp that ran for ios androids. I think on the show even said i think make yell the cas now. The current like soul of well. Yeah i mean if you think about mmono on which all of this stuff was basis amarin and then you know the open source and cross platform versions of dot net And in inviting. Sacha you know who to. He could now execute his vision. I think that without that mono certainly mono spoke to doing cross platform dot net but dot net. Core has no ma. I know that now but yeah all right so anyway. He's my microsoft superstar even though he's only lately true but he brought all his stuff with him but he you know he liked the language before it was shipping right. He read the equa specifications in two thousand he announced mono in two thousand one. I remember having him as a guest on dot net rocks and it was being co Served the podcast was being co served the files. Mp three files on msn and suspiciously. That episode was missing. They didn't like him. Oddly not yeah well. It certainly part of the book the conversations i had with him. There was a period there where the microsoft guys are all suspicious of him because he was sky and the limits guys are all suspicious because you says yeah. It was hard to be hard to be miguel. That might be a book title by jeff. What's in your inbox. What's next for you. Oh well i'm. I'm spending the bulk of the day reviewing the returning heb guidelines into an actual document. I already had slides and videos on that. I'll send you some links that you can post for people to stuff that i have videos on. People can watch so doing that. later today we meet with the embedded seem to talk about how. Sdk's being used by customers in getting feedback. They are any enhancements. They would like us to make to the core functionality of that we just shift our c. Plus plus sdk and we're going to be shipping. 
The ghost off in gi very soon so these are things were fine tuning some of the api designs on in the guidelines for those things annoys reviewing breaking changes right and reviewing new services. That are coming out. But i can't speak to share in. We announced them ignite and build typically so usually right before then like a month or two before. Then there's a mad rush to review the api's make changes before we put it in customers. Hands sounds good. Well we'll we'll keep in touch with you a little more frequently from now on thirteen years between shows along long. You think you'll be doing us another thirteen years from now. Who knows when we're in our late six. Who knows awesome. Okay from then. Yeah all right. Thanks gary thank thank you jeff. Thank you listener for listening today. And we'll see you next time on dot net rocks dot. Net rocks is brought to you. By franklin's net and produced by plop studios a full service audio video and post production facility located physically in new london connecticut and of course the cloud online at p. w. o. p. dot com visit our website at dot net rotc ks dot com for rss feeds downloads mobile apps comments and access to the full archives. Going back to show number one reported in september two thousand two and make sure you check out our sponsors keep us in business now. Go write some code. See next time.

Debugging Ransomware and Other Stories with Paula Januszkiewicz

.NET Rocks!

58:14 min | 2 months ago

"Hey carl here. Let's talk growing pains. You hit the market with a cool new technology. Everyone's excited you're changing the game. Then you get that first. Big customer and another and another in your tech infrastructure starts to shake under the weight. There's a better way. Oracle for startups is enterprise cloud at seventy percent off for two years. So you can build for the future right from the start and with decades. Supporting the industry's most intensive workloads. It's not gonna break as you scale. Check it out at oracle dot com slash goto slash net rocks only. Hey welcome back to dot. Net rocks carl franklin and this is richard campbell. Polly initiative is here. And we're going to talk to her in just a minute. But i just wanna tell everybody you know. Hey look at this. I know they can't do this on radio vaccine badge. I got my second vaccine hours ago. And there's no side effects. Of course you had it in like february of last year. Yeah march april something like that. Yeah and then you know. I was really concerned that when you get your first dose like you'd have a strong reaction did you. Nothing i ask no no reaction but they told me to expect a little lethargy and maybe even flu like symptoms this time. Unfortunately we're doing a ban video tomorrow night. So i might just have to see how you are right but yeah you can go and listen back to some of the dot net rock shows that we did while i you know had covid pretty bad. Yeah all right. That's cool man. I'm is now my second one. But it's imminent. It feels great. You have to paula's. Well i had only one. I'm awaiting the second in like two weeks. Good good it's still enough for you to walk around smugly. So that's the best part that's important. I'm waiting for somebody say. Put your mask on. I'm kidding wear masks kids. it's good idea All right richard. Let's get things started with a little thing. We call better no framework awesome. 
I found something that which is becoming my source of all cool things like finding a cool repos is becoming a thing. Well GitHub really is like the new framework place right like there. Yeah so this is github dot com slash microsoft slash coyote. Oh my goodness c o y o t e. Fearless coding for reliable asynchronous software. I love that. Here's a of repo. That's going to take away my fear being stupid okay. Let me read you. The explanation as a set of libraries and tools for building reliable asynchronous software it ensures design and code remain in sync dramatically simplifying. The addition of new features coyote comes with a systematic testing engine that allows finding and deterministically reproducing hard to find safety and liveness bugs so as you know you know you do concurrent software you writing code. That has a possibility that there could be race conditions behaviors. But unless you know the theory and you know how to lock things and all of that stuff you can't test it because things might fail once in a million times and even particular conditions. That's right yeah i remember. I told the story on the show years ago about having deadlocks happening in a database but only at peak load like. Yeah five o'clock in the afternoon right kind of thing. And so then. I put the the the monitoring tools on it to actually look at the load of would see what the deadlock had. And then that altered the timing database enough that it stopped deadlocking very cool and so the deb's answer was we'll just leave it on. It produces a gig of log a minute. No gonna leave it on. But that's the reality right. Timing is everything it's cool and it's interesting that this is under the microsoft account. So i wonder if this was. I don't know who it's an ms project. Originally it's P#. Yeah right. it's this actor model is a you know acing curtis deb model. That's now evolved a new name. I'm not sure why they call the coyote though. That's interesting i'm not either. 
But what's cool about is that it'll probably show up in the framework in some at some point. Maybe maybe not. Maybe not 'cause it's fearless that's right fearless coding we. We're afraid. The one of the neighbor's cats just disappeared and we were afraid it was a coyote ticket. Coyotes are common around here and the not popular also kill raccoons so paula will be happy about that. Yeah yeah. And we're beginning to get bob cats and stuff down in the suburbs of connecticut. Here we live a budding swirls and those guys need to be tamp down a little bit rats with good. Pr man like they would be taken if he ever get angry at squirrels. And you want to take out your aggression without actually harming them just go scour youtube for twirler squirrel squirrel squirrel kebob category backyard. Snatching a squirrel off of a tree. Branch twelve feet in the air. Those cats could jump off. Is this yeah. you just don't want him to jump on you. Know they don't like people they shy away. It wasn't for the wildlife camera you wouldn't even know they were there but one day. I'm sitting on the back in this orange thing sales through the years the score of the french and it's like well that was awesome. Whatever that was was. I looked at the camera later like holy counts. That was a podcast. Thank you mrs bob. Cat was awesome. Some all right dude. That's a great find. Yeah wildlife these are the consequences. So that's better know a framework richard. Who's talking to us today. Hey grab comment of show. Sixteen ninety nine which is back in august of twenty twenty when we talked to Christos Matskas and John Patrick Dandison. We were talking security stuff and fit specifically around identity and the Azure AD B2C libraries. Which identity is hard to as about it but this story are reposited when this john comment for a few months ago this episode inspired me to try out Azure AD B2C 
because all the crimes are gonna In the end it seems like a great alternative to rolling my own authentication and authorization in each and every little web. I want to build but don't intend to leave fully public and let's be clear john. You should never roll your own authentication. Now letters asian dacian a problem solved be inevitably. There's going to be issues. You're gonna create vulnerabilities and you know the stuff is going to get deployed some at some point. You're going to get bitten by that. He goes on to say. I don't even have to attempt to become a security subject matter expert. Every time i build her updated site and adding a reference to an existing AD B2C service is incredibly easy and web apps a couple of lines in your startup.cs. And a block of configured the appsettings json and i in the end because the documentation is not the best. And there's only a few months ago so all this effort at the docks at microsoft still having this well-worked. I'm i want to inject something here. In that you're trying to do AD B2C authentication with blazor projects go to blazor train dot com and search for it because i did a show joe human. We actually did this in a project that we writing for a customer just finished it by the way and with the docs problematic like yeah. There are some things that we couldn't figure out. We had to do by trial and error so good show and we walk you through all the steps in how to do it. It's awesome and it's basically. John says it says because there's so many use cases supported and so many kinds of applications. You could build. There are a ton of entry points in these tutorials and some of them still referencing. Now deprecated azure ad specific nuget packages and not that are not consolidated in the microsoft identity dot web packages which are now available which they know there is a sin. You're not pulling down videos reference stuff. You don't want people to use anymore. 
You gotta get out of there. We really get people confused. And frustrated spend any dissent peeves about the internet and documentation. Don't take relevant documents out right. But and i'm not worried about the rest of the internet. I'm worried about docs dot microsoft. Yeah those folks should be curious not out of this for the most part. They are I have seen things that say this documents deprecated and with a link to the current thing. Yeah that's what you want and you want it everywhere and certainly the video content like if it's referencing out of packages take it down. Oh sure the search engines find it but if it gets there and goes this information is out of date you know go somewhere else. Yeah at least. You're not misleading people. You're just frustrating them with the internet. If you're not frustrated you're not trying hard enough. One problem with youtube is you. Can't just replace a youtube video. So youtube video becomes irrelevant. The only thing you can do is either. Put something like a banner in the youtube video or you can modify the the description so the forty read something. Read the abstract before you watch mario john. Thank you so much for your comment at copies. Dako- by on its way to you and if you'd like a copy music oh by comment on the website at dot net rocks dot com or on the social media as we publish every show to facebook and have you comment there and i read it on the show. We'll send you a copy music. Oh by and definitely follow us on twitter. I'm at carl franklin. He's at rich campbell. Send us a tweet. You can use your phone. You can use your browser or you can use a squirrel tribute. You can't use a quarrel. Don't i'm like to note to the squirrel and essent applied to you. All i wanna do is make the sound of a squirrel on a chevy taking ready the sound they make you know zach zach. The dogs get pretty old right. Like he can't see too much can't hear too much his bear chasing days or over and the squirrels clearly. 
No this because they're hanging out in the yard turning. This came nowhere near us by the the other day. I'm out of the keep an eye on the old dog and there's a squirrel on the deck. The dog is out. it's like what is yours can can't do stairs so he's he goes up. His rant gets on the deck and squirrel does sort of dips down behind. The back. Side of the deck hides out and zach could smell them. He's sniffen it gets to the right in the middle of jack. He lets out one big bark like our kids and then he went inside for nap. Because these old da. And that does it. For this. Week's rendition of dog stories with richard campbell. That brings us to our guest. Of course paula has been waiting patiently in the wings. But let me just give her a formal introduction. I'm not gonna read your entire bio paula because it's long stuff qualifications and stuff but Paula Januszkiewicz is the auditor and penetration tester enterprise security MVP and trainer MCT and microsoft security trusted adviser. She is also a top speaker. At many well known conferences including tech north america tech europe tech ed middle east RSA tech days cybercrime and of course tech aroma and is also often rated as number one speaker. I can't imagine why. Welcome back to dot net rocks paula. Thank you so much for the great introduction So yeah absolutely absolutely are happy to see you. Finally online go right. And i love the conversation about otis Stories and all the animals. Because it's always really funny to hear. Sorry yeah thanks pleasure and to be clear. This is paula's first visit to dot net rocks. kidding we've known her for years and years castle she's been on run as seven or eight times. Yeah this is her first DNR and really a mistake on our part because her her scary vices untouchable over on the run as side. Like i need to talk to her every year. Carry keep pace with the state. I know why. 
I thought that because you have told the story and you know what i mean by the story of the job interview that paula was on and she was waiting in the lobby and said excuse me can i connect to your wifi. I check my email and they sit your wifi password. And by the time she got into the interview and they said okay. What are your credentials. They said never mind my credentials. Here's all your data. There is said once or twice. Don't let that lady anywhere near your computer. That sounds why. I have no idea why. Can't imagine and i've seen you do it. Odd stage rubber ducky clicked into the usb port a laptop. I the twenty seconds later. Took it back out. You mentioned actually here is actually to the end. The next kind of version does this is digital. So it allows you to program the full usb functionality. Not just like a keyboard for rubber ducky. But this could be anything you want. So it's by. I'm gonna kitsch can program it cincinnati because it's that easy pretty. Do teach kids how to how to bring down big companies and stuff fun. It depends who you consider a kid all at security him. I thing we're going to do mama. I cannot look no. I don't actually quite fun but no no It actually rarely happens when kids at their young age beside they wanna do the cyber security they they more wanted to be it. I so it's kind of like this direction. But i do also trainings to and must be in high demand because there is a huge shortage especially now of cyber security experts at like the i heard on the news. The estimated need or demand is something like four hundred thousand new experts. That are going to be needed this year. Just to handle all of the the demand for for them to those like we've never had so many projects like right now during the pandemic Cincinnati every week. We've got a couple of incidents happening where customers are hacked and Our job is to react pretty stressful time from like from the cybersecurity perspective. It's about amount of work. 
It's crazy you are totally working two shifts and that's normal already that's becoming a new normal and and because the customers are all around the world you work across many time zones so whether it's day or night who would care there's always somewhere right so first thing you have to do is learn to sleep. Just drink some coffee or coffee. Your good friend. This latest northeast pipeline affected my life directly gas prices went. People were hoarding gas putting it in their cars and plastic bags and exploding. It was crazy. And so i guess the question is is the antidote to getting not the antidote but is the the prophylaxis for getting ransomware to just not open emails from people. You don't trust or click on links in emails like is that does is it that easy. Actually good that you mentioned that because phishing being like right now during the pandemic number one means of transportation for malware thank but it's easy to also prevent that because there are attack surface reduction rules that you can implement in windows so companies can fix it easily for free but the problem is as well in other places for example the customer that i've been visiting Don't time ago In germany they had a problem with a point of entry off a contractors account. So what happens. Is that a contractor. Were using the privileged account in their organization and something happened apparently and they are infrastructure or we don't really know what happened. But then they actually brought ransomware to the Fuck all around the world organization and encrypted almost one hundred percent of their data. So our we've been actually traveling to germany with older restrictions of being canceled from the different like government units in germany. Because he couldn't travel there on. 
That was that time but apart you can when there's a high state of emergency for various businesses and we actually help discuss tomorrow to stand up so on so it occurs to me that a lot of the ransomware what it does is it. Activates the operating systems own encryption features to encrypt the your entire disc with the password. So isn't the solution just to take that feature out of windows notice. My tongue firmly pointing like here. I mean that it's a it's a feature right. You know even be good if they use that feature. Didn't i was just reading about the colonial attack. The one that affected you carl. Yeah hey i mean. It went on for a week right and they paid. They paid like five million dollars and the decryption keys didn't work properly. They didn't recover all. I also heard that the guy they caught the guys that did it and they're like oh sorry. We didn't know that it was going to be that bad. The same story of that customer by the way page a couple of hundred thousand euros and the hackers sent them the decryptor that work only for like eighty five percent of the. Wow so the advice from the FBI was don't pay because it doesn't doesn't work like you're not going to get everything back in our case yeah totally bought. Sit on if you don't have a proper backup and so on then maybe you should risk it out on saying that. That's a good thing to do but sometimes company saito and have choice. Is there something that you can do in just talking windows. Because that's what i use them. Not a macaroni guy. Is there something that you can do windows to Anytime that an elevation of privilege happens and windows a little box pops up and says do you want to allow this. Yes you know. If you have administrative privilege you can allow it. Is there any way. That is kip. Bypassed in this rant these ransomware attacks yeah absolutely. So there are ways to bypass UAC and close afford ransomware. You can only user because you just need to have access. Today ct up. 
So that's it so basically like if someone is the case of one hundred customer managing the documents follows over overall for traders in a financial organization. That was actually a person who had an email. Hey someone left you voice message on dropbox and that person open it. Go the way how people communicate. And eventually eventually that the gods are two two over an encrypted old documents for two traders so they had a couple of hours of stopping operation and imagine that in a trading company. Or you got. This was millions. It's something that microsoft could fix. I mean it's obviously vulnerability in windows right holder are outside on the platform is allowing you to not to implement everything at. I bought So it's not like a completely closed box but of course there are built-in solutions. That are even free. Like attack surface reduction rules where you are able to configure it at for example if you get a phishing email. You've got an attachment excel spreadsheet. Let's say with macro so of course it creates a child process end like normally. That's not doesn't that's anomaly so This will be blocked and a couple of other behaviors also You've got application control so someone came into you gotta choice. You don't have to use the microsoft product you can they and use something else. Because in someone's opinion that could provide better management so the end the solutions are there. It's that companies. Maybe no or whatever. The reason is state on us when we can dig into some of those. More smarter tools but theory. These guys had backups. Like why didn't the backups. Work at first right. So so for that company. That german company That was mentioning sold. They actually got her information from their papers. From a nineteen sixty five and from net they put everything into the sequel database to like allow them to work with some statistics. So that database. Wasn't that top. Because as i said some specific Whatever's some specifics. 
It's hard really to get the answer but okay. We don't worry about that. We just try to fix it. Try to recover but if you got like such a huge important critical asset in a company why does not manage. And i've seen different situations. But i think it's easy to conclude on that even for the best this week points happen right. Yeah inevitably i mean expels so speak to this idea of. Why did they have all those right. Privileges like it's not actually necessary especially talking about data like why isn't that read. Only you should never modify that and so long right what if what if you just turn off encryption. Because you can do that. I i mean like to blow completely the access to api like do. Let's say you're not encrypting any of your unit using BitLocker and you're not encrypting any of your file folders on your computer turn it off right because if it's off nobody can exploit it right But you could use your own algorithm so then you will not use the windows. Api ford inc and then It's even better because it's it's it's not a s and coding or whatever way that it's hard to reverse the bottom line is you allow executing code to run on a machine at privilege. It can do whatever it wants. It can determine well it also deleted files like there's all kinds of havoc that can be re the real issue here. This gets very much in the. It conversation of this people don't need that level of privilege but it's the default so often we're running on these default privileges which is what the black hats count on that. We have at lockdown machines properly. Yup plus they are allowed to run software that they don't know quite often social at at first moment they can run various PowerShell scripts because ransomware right now. Use appears in PowerShell and That's also pretty cool. Why not to raanan opens than than curb our data. That's why it's so hard to block it. 
But on the other hand you can have that constrained language PowerShell and salons there for every problem there is an ultra actually so we live in ridiculed times for implementing good say of security just companies are like starting at that trip in his car pointed out earlier. There's not enough skilled people who yeah definitely. I'm struggling with this everyday. 'cause when we tried to expand him i won't hire people were example in my team so hard. Oh gosh Like every single time we do some recruitment process and so on. It's really hard because it's also. There's no standard. I would say right so if is it. Would you feel comfortable training. Somebody who is you know comfortable in. It and comfortable with development understands systems training them in what they need to know to become a cybersecurity expert so they could cash in on these government contracts. That apparently headed our way. Is that all the background. Somebody needs to understand what's going on today. Very good question. And i prefer to do it this way by the way and i. Actually we do it this way. So we hire someone of a good approach and the background to me. There are two requirements on would be good. IT skills but these could. This can always get better yet because technology changes so you spend more time when you educate yourself. it's fine. what's the most important thing is that you need to be hyperactive. Meaning unique to want to know more every single day and do you need to be not afraid to say that you don't know because saint cybersecurity it's to not do know things yeah right. Coasting is going downhill. So don't just think all right. I set up my firewall. i'm good. it's just a firewall you're fine. Yeah and folks. I'm going interrupt one moment for this very important message. Hey carl here. 
So have you ever browsed in incognito mode think about this incognito mode like the chrome browser itself is a google product and google has made a fortune by tracking your movements online. There's even a five billion dollar class action lawsuit against a company in california. Were they accused of secretly collecting user. Data and goose defenses. Incognito does not mean invisible. So how do you actually make yourself is invisible as possible online express. Vpn turns out that even in incognito mode your online activity still gets tracked and data brokers still get to buy and sell your data one of these data points your ip address which data harvesters used to uniquely identify. You and your location but with express vpn connection gets rerouted through an encrypted server and your ip address is masked that makes it really hard for third parties to identify you. Your data. Best of all expressed vpn is super easy to use no matter what device. You're using phone laptops smart tv. All you have to do is tap one button for instant protection so if you really want to go incognito and protect your privacy secure yourself with the number one rated. Vpn visit express vpn dot com slash dot net and get three extra months for free that's x. p. r. e. s. s. vpn dot com slash dot net express vpn dot com slash dot net. And we're back. It's dot net rocks. I'm richard campbell. That's carl franklin. We're talking to our friend paula. J who we first met in like barcelona. Oh it was a speaker idle. Yes exactly. yeah but that was a quiz. That was richard washed doing. Yeah we remove the tour speaker. Lytle we did that. Remember used to do the game show quiz. We're we're giving away swag. Yeah and she was a contestant on the game show. And i asked her a question about dos from before he was born was created or something. Like that for three eighty. But you also did. You also did speaker speak right. I remember that. Is that how you broke into tech ed yet pretty much. 
That was in los angeles right. That was the first time. Remember that recharge that was vic. The famous thing about politics is she never want speaker auto. Yeah came in second more. She came in second in europe. I barcelona and speaking and then although ultimate she did and then competed in us which was completely the only rules. You hadn't spoken a tech. Ed you hadn't and came in second again and that was that one we did in. La where we were in. They didn't do the that was like two thousand eight where they didn't do the attendee party so we were part of the attendee party and rescinded which was one of the one of the judges. The judges yeah. I got back up a little bit and just tell people with speaker. I live because i think they do it anymore tech ed. They used to hire richard in me to do to run the show. Like pop idol in the uk or american idol in the us. You get five minutes to do a presentation and you have judges and so they've they're judging you on obviously your your approach your mannerisms how how much they're paying attention. Your presentation style your content. You know how many ums per second use hey that kind of stuff and they were recording it so that the people who were picking speakers for tech ed would review this stuff and say. Hey that person's pretty good or we ought to get that person as a speaker and even if you didn't win as testament with pala The they saw her and said we have to. We have to have. I remember very clearly at the end of that speak in l. a. the head of check in europe. Who knew me knew us. You know came to me and said who is that young woman. She needs to be speaking of the show right. I know but was fun. I was so much fish bring. That was a long time ago. Your congress kids. It's it's an issue thing. Well you know we sort of the rules like listen. I got pretty good tasted speakers right. I got it all the content selection and and fairly consistently. If you may speak arado you were going to get a slot. 
Tackett sooner or later. So the winner guaranteed one but some other people other people who came through speaker idle jeff. Fritz david gerard Who else am i thinking. Missing here pete colleague. Was there a peach peach from australia. Which calvert yuppie calvert bark desmet well as the thing is that top four. It's be grotto. They're all astonishingly good speakers and a five minute talk is one of the hardest things you can do like an hour is easy in comparison to you know. It's very tough to put together a crisp five minutes. The communicates effectively. It's really quite tough to smet was in barcelona and he was a wild card in other words he just came up while we were doing it and said i can do presentation and it was all code and it was console reviving its app. He just type for five minutes and he nailed it and he ended up winning. Yeah well it's also that's sort of a flying close to the sun kind of thing like it works. you'll be fine and if it does you know you are going to crash and burn you know the other one i was thinking of was rhonda layfield. Oh yeah around queen of deployment and she also she one tech it in the us. Yeah and then applied to tech europe. saying hey i've just won t i'm gonna speaking tech and got declined. Yeah and so then reached out to me and said. Hey i'm going i couldn't pay your way to tackett right like i. I didn't have any. We didn't have any budget for that. You had to go to check it anyway. And this is one of the things. I found in common with all of the successful cadets on on speaker auto was they were so dedicated to the craft that even when they didn't get a speaking slot and essentially a ride detect they would fall in tier and pay their own way and be there anyway and like pala. Rhonda did the same thing and then came on speaker idle and I was killing at kasese. Amazed and the organizers in europe came at me and said listen. She's a ringer like you shouldn't have in speaker idle. This is wrong. And i'm like she's never. 
She followed falls the qualifications. Anyway it gets escalated. I'm sitting in the room with the head of tech ed europe and these folks and the and the you know the track chairs complaining like this person they shouldn't be in the contest and the and the over honest as well if she's that good why is to be exactly and then she wants speaker idol of europe as well all right. Let's maybe we should get back to work. Yeah well we've we've done a half a dozen shows on on run as about this as well. The last one is called. How black hats profit from From this whole thing and it clearly. This seems to be true right back. People are paying these ransoms even if they bought. It's this is a profitable enterprise. How what are we going to do to stop that part. Oh you know it's it's really hard because it starts with the attack eventually and run. These are on the increase on dan. Basically people in general will pay so what would be important. I think to stop it if we look at it from the bigger picture perspective would gate people more anti over security so they don't become victims of that so that they don't have to pay in order to recover day or day and On average by the way within stutz hacker for a successful ransomware campaign earns like ninety thousand dollars nine zero thousand dollars monthly. So it's a pretty good salary to have for months for many people. That's quite to if you're listening to this and you're an evil person. Don't say that don't give ideas. I mean in the case of this colonial attack. Clearly the fbi's on them they didn't call their payment systems enrolled Their worlds ending. How like things are going to get much harder for him. And i did another show with our friend Sami Laiho, paula. Talking about the Vastaamo attack which is one of the most horrible things. 
I've ever heard that ransomware folks went after a mental health care facility tried to ransom the facility and when they wouldn't pay then ransomed the individual patients with a threat to release their private therapy tomah god and apparently that was too far for the black hats do because ultimately they've turned that guy in like there's a line even in these the scumbag category but there was also the case with the hospital in los angeles right so that was one of them. I bake you were on some more cases were they were requesting like three million dollars or something and then eventually hospital negoti. That's down a demo of money to pay pay. So that was that was one of the first ones that people to own their wetter. Like it's going to affect people people's lives because okay someone later while we can live with this hospital. It's a limit too much well especially during the pandemic like what kind of scumbag hospitals. When they're at their absolute limits trying to keep people alive right. It's pretty horrible stuff like yo. What is your mother. Say about this exactly. My daughter has a word for its douchebaggery. Good one yeah. It's fairly the same ones who don't believe that covid exists and all that stuff right long term but you know this is the place that we're at right is that we've now got a category of hacking. What's the time this was sort of like college. Kids on a lark create a worm that gets out of control and that's a little embarrassing and we clean it up and so forth right now. It's turned into an industry and by the way also state actors like once upon a time we danced around where this was coming from. But you got the Hafnium exploit from earlier this year that they simply stated is a chinese acting group and this colonial attack which point blankets russia. So we're not even hiding the fact that there are states out there that are funding folks to attack different entities policy. 
Do you have any resources that people can go to to learn how to protect themselves from ransomware. Actually i have a pretty good resource on the incident response. So how to collect data to help ourselves when that problem happens and so on and actually GitHub resource and that's a search for two top end awesome incident response. There is actually the resource from Meir Wahnon. And then eventually you can see like really good books tools. And so on it's a good repository all scattered in place. Is it mostly concentrated on what to do after it happens not to prevent it before. Yeah that's that's actually more focusing on that digital forensics. Yes and so after what to do and so on but i'll do prevents well depends really kind of possibly disregard because we might be working and a small medium size company and not to be able to implement for example AppLocker and all that stuff but in general idea. It's quite simple Anything whitelisting anything on preventing running into code that we don't know attack surface reduction rules as i was mentioning exploit guard being in windows ten so user place where we can learn about all those things that you just mentioned. I know it's your business to to consult with people about totally. I'm happy to share. Well of course. We sent our blog which is cqure academy dot com slash blog where we actually post videos how to perform not only hacking but also securing for various various things but in general. The solutions that i mentioned are are built in the platform so in a windows docs. I think we'll be the best reference over here where you've got a perfect step-by-step Implementation of application control and so on and It's it's a resource on this one. Great that's and it's thing is. It's not like there isn't tools. It's the people aren't putting people know about them like some of these things that you have even heard of before and i'd like to. I'd like to go through a checklist and make sure that. 
I'm not doing anything stupid here. I mean, for example, attack surface reduction rules is just one PowerShell command line to implement. Yeah, implementation is so easy, and then you just add some more rules to that, and by saying rules, you just give an identifier of a rule that is already built into Windows. So there's nothing you have to implement. You just need to run that command across workstations since there were, so it's easy. It's just that, I don't know, it's just not there. But why is it on by default is the question. I'm a fan of that. By the way, our bank should be a like, for example, the possibility to use NetBIOS should also be turned off by default. Yeah, getting to the point, which is when you run those tools, you are removing privileges. You're cutting back on the default set of rights. And you can and will run into issues where stuff won't run anymore, where you're going to bump into a place where you're going to need to be able to raise privilege on that particular. I'm hoping nobody's counting on NetBIOS anymore, please. But if you run that script and shut down NetBIOS and you've got some software that's still counting on NetBIOS, it's gonna break. Yeah, that's true. Paula, any other tools you think we should be looking at? For sure. There is a repository. Many organizations, like for example DoD, are publishing recommendations on how to secure a server slash workstation for a certain purpose, so overall Department of Defense, the US saitoti, and basically there is also the Aaron Margosis set of scripts for AaronLocker, for like up or boost and so on. So there are plenty of good tools that are at the end performing one, limiting the amount of things that you can run and how you can run them. Right. Are Azure VMs as vulnerable as your regular desktop on Windows? They will be, because eventually
It's the same operating system, and if we make it available to be accessible from the inside of our infrastructure, then it doesn't really matter whether it's in the cloud or on prem. So just because you have a VM in the cloud doesn't mean it's any more secure than just a regular desktop in your network that has a login. Although I would say when you look at stuff like Azure Security Center, again, if you do some of the settings, which are very much check boxes, they're good at picking up things like, hey, you see this VM that normally writes to one file a day? Well, it's writing to every file in this file store every few seconds, so I'm just going to shut that off for now and ask you about that. That's pretty good. I wish error messages were like, you could like recite them, and I would just hear your voice. It'd be so soothing. Hey, you know what, I see this thing to write aramis. Hey gots news list. I don't think he's happen. We're not quite sure how this is going to work. So I'll tell you what, go make yourself a cup of tea, comes up maybe three buttons here, abort, retry, continue. Probably know. We're going to work, but you should try. If everything blows up and goes away, but at least you have a cup of, we can start over, and if none of that works, sewri exploded. Abruptly don't worry. I've waving because I miss this. Is your retirement project right air for the rest of everything about this. Yes, just to, you know, the near as good intrusion software, right, like the. We're starting to learn to watch network behaviors. It is very anomalous for a workstation to suddenly start writing in the file areas it's never written before. And so, you know, when IT folks deploy these tools, and by the way, far from free and not even cheap, but they can really stop things. Like, I mean, are we going to learn anything if we just put Filemon in a monitor up on, you know, and just watch it, and if it starts going crazy then we might want to take a look? I mean, do
Does anybody do that? Paula, you do that? Well, I do. Sysmon on our f- tells you pretty, pretty lot and actually allows you to monitor plans if we use Azure Sentinel, within subscribe to mog and then have that somewhere out there. So it's like she. None of that idea bought too good to watch for sure. And certainly all the list of links from the show are things you can take a look, right? There are many, many options to do better. Yeah, it's a scary world out there, no question. But there is a part of this thinking from the developer side. You know, basically we've really had an IT-centric conversation here. In a lot of respects, don't roll your own authentication strategies, like beyond phishing. She's like what's breach to make it easier for the bad guys or artem. So the whole concept of implementing and rolling out things quickly, that's from the security perspective. It's a brilliant, brilliant quote unquote, of course, because there has been so many situations over at where it appeared to, but for example we've been testing a mobile application for others, actually quite juicy, so from that bank, very modern bonds one, and they wanted to roll out a new app, and it was like even by the communication in the emails, they were like super hurry. So we're like, come on. There is a project date coming. We need three more days. Three more days, that three months. So you could feel the rush from their side. And we're like roy. Yes, yes, it's gonna be an interesting project. So when the app finally got rolled out, one of the first vulnerabilities was that we were able to actually log into someone's potential customer account, and we were able to make the money transfers in a way so that we were like, there were like, we could transfer to ourselves virtually, so we could eventually increase our amount of money on the account to whatever millions. So there were like many logical problems with this app. And then we ended up with having quite a bit of money that was virtual.
It was cheat. What it rules of course appentice that potentially hacker slash customers could do. So this is what I was wondering about: could you use some magical feature in your bank app to triple your income or something, just make money? So this was actually possible, and I was like. Yeah, but, you know, we tend to think of security as an afterthought to the application at the end. Is that unavoidable? Do you get pulled into projects with like, okay, now we have to secure this at better, what can we do? Yeah, so when there's like a rollout, then, depends really on the approach, right? But sometimes the app we'd like tested regularly within the project, for example modules, and or the final release. And then they only fixed things that were found out within the final release. And we don't really see what's in the code, 'cause we don't the code; we look at the stuff from the outside. So there might be a bigger mess, because depend does there is always a limited time that you got, and that's always what actually makes me think, because how much time will hackers be able to spend on these apps, on banking apps? Probably a lot. I know that they have to eat and survive, but why not spending an hour, two hours per day for the next six months to try to grab problem? So all these tests are about minimizing the risks, not about fixing the problem. Right. Yeah, and not actually addressing the issue. But we've mostly talked about attacks that were against specific entities for the entity, like going after banking, 'cause that's the old Dillinger line, that's where the money is. Or going after hospitals during the pandemic because they're under crisis and are likely to pay. I think some folks listening go, well, what I'm working on is just not that important, nobody's going to target me. That's not true. Everybody's got some dollars to share. So up look ransomware could everybody end if someone.
Maybe I shouldn't do inside, but eventually if someone, like for someone five hundred dollars for survival, it's enough. Yet been if you target hundred thousand people, regular people that work at home or whatever, then basically it will be enough for that person. It doesn't have to be ninety thousand dollars. It could be five hundred. And that might be you. It's very possible. The other part I realized with the backups is sometimes ransomware guys are smart enough that they encrypt the backups too. Like, you've got to make sure you've got an air gap between your backups and your primary. Yes, yeah, so backup management system, absolutely important. That's actually not the trivial case. There are first party solutions that are actually allowing you to store backups in the way that is like almost storing the certificates of the root organization, so that you have to access it only by two out of five people and that kind of stuff. So longer process, but eventually backup by one manage all can be managed breeding. I in way while they still get into doing the math, it says, how long does it take to recover from backup, and how much are we gonna lose? Tha say suddenly the ransom is reasonable, if it avoids having to do all of that work. Yes, yes. Interesting balancing act between those things, to what makes sense economically. How is grandma Franklin ever going to protect herself from ransomware? Grandma Franklin needs to visit only websites that she trusts. Boy, there's the problem right there. You can implement some controls, I think, like AppLocker and so on, so that she can run the stuff that she doesn't know even blind, not knowing that she's doing this, similar actually to the enterprise at the end. And Microsoft keeps threatening to make a secure version of Windows, like the Windows accent so forth, that defaults to the whitelist model, not allowing foreign software to run automatically. They never seem to ship it.
I think it's just people everything always to the customer doesn't want it. It's an interesting truth, and at the same time they go and say, hey, I'll get a Pixelbook, right, or a Chrome machine. I don't have those problems because it doesn't run anything, right? And same for iPad back in the day. I don't think it's true for iPad anymore; there are now attackers going after iPads as an attack vector too, right, because it's popular. Right, but as long as it's the popular infrastructure, you're gonna run into the popular, you're going to be attacked, right? Absolutely. So today it doesn't matter. Of course there are some more stats indicating that it's Windows, of course, because it's more used within enterprises and so on, but absolutely any operating system nowadays is a target. Do any of Windows' historical APIs that they keep around for backward compatibility pose a threat or pose an attack vector now that people may not be aware of? I wonder out be to so much. I mean, the NetBIOS thing. NetBIOS thing, certainly. SMB1 for sure. You know, because there's a reason SMB1 is still on to this day: you can still go to a Best Buy and buy a piece of network gear that depends on SMB1. And if you have SMB1 turned off, which is a brutally ill protocol, incredibly vulnerable, literally insecurable, but that device won't work unless it's on, and it's on by default unless you run the lockdown script, which will turn it off. A defending part about that is that you've got also auditions that are currently allowed in the infrastructure that are with that problem, so it doesn't have to be from the past. You've got NTLM version 2, which is an authentication protocol that's in line with Kerberos. It's a big deal because it's possible to relay it. Kerberos as well: you can do a Kerberoasting attack, where you request the ticket and then you try to crack it, so it's completely not dependent on time.
You can crack it for the next couple of weeks and then you come back, you perform the attack. So I like that. It's quote end. You've got Tabular Data Stream, a communication protocol in SQL Server that runs in clear text, and nobody really turns on encryption on the database servers. So think of things like this. Nowadays you don't even have to look into the past. You just connect to the infrastructure and you see the problem immediately. This lockdown PowerShell script, check to see if there are any applications that are using these services and tell you, hey, you have some dependencies on the services, you sure you want to disable them? Outside configuration slash vulnerability management assessment systems, something, I bet. But the thing is that these misconfigurations that we're mentioning here, this is not really considered a vulnerability. It's more of like a thing that's running out there. Like we really said, it is a problem, but again it's a misconfiguration rather than. Eventually, and will the system tell you like, hey, you're using NetBIOS, may want to use NetBIOS? So like the same for version two: you have to use it, actually, when you're authenticating using local accounts across the editor like machine. So there's no other choice, you have to use it, so therefore it cannot be considered a vulnerability. So sometimes it's hard to spot these configurations, 'cause they're very dependent on things. So it's like when you connect the dots, this is when it becomes a problem, but when it's like working as a single thing, it doesn't. So NTLM version 2 could be helped a little bit with that: SMB being signed. If SMB will be signed, we're not able to relay attack that easily and one. Yeah, yeah, yeah. I mean, there's pushes to fix all these things. Ned Pyle has been maintaining the SMB1 clearinghouse for forever, where he's essentially shaming vendors, saying these guys still depend on SMB1, and bit by bit some of them are actually starting to retire it.
But, you know, the vendors also push back: so my customer doesn't care. It's like, you're gonna care if they get exploited, and then it's too late. And it's literally a recompile, kids, like just run the SMB3 library. It ain't rocket science. Wow, so much to think about. Well, Paula, it's been great to have you on the show. Thanks. It's a lot to think about. I'm going to take a look at those resources that you mentioned. We're gonna have those in the show notes, lots of links in the show notes, and that'll be at dot net rocks dot com on the third of June, show seventeen forty two, Debugging Ransomware and Other Stories with Paula Januszkiewicz. Did I say that right? Yes. Yeah. Okay. Thanks, and we'll see you again next time. .NET Rocks! .NET Rocks is brought to you by Franklins.Net and produced by PWOP Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course in the cloud, online at p. w. o. p. dot com. Visit our website at d. o. t. n. e. t. r. o. c. k. s. dot com for RSS feeds, downloads, mobile apps, comments and access to the full archives, going back to show number one, recorded in September two thousand two. Make sure you check out our sponsors. They keep us in business. Now go write some code. See you next time.

Open Source Home Assistants with Sarah Withee

.NET Rocks!

00:00 sec | 2 years ago

Open Source Home Assistants with Sarah Withee

"Hey, Richard yet body. You're ready to go to Portugal. Yeah. In DC is coming to Porto February twenty six to March. I will be there. Checking out the sights and recording some dot net. Rocks episodes, so come and hang with us by registering at NBC, Porto dot com and get this is also coming to Copenhagen March twenty seven through twenty nineth at DIGI ibn. It's two days of workshops in a one day conference. Go to NBC mini dot com. To learn more and NBC is coming back to America back at the Saint Paul river center in Minneapolis may six to ninth that's the one and they're offering early bird pricing. If you register before February fifteenth so go to NBC Minnesota dot com to register today. Welcome back to dot net. Rocks. This Carl frankly, and this richer Campbell from an echo cave somewhere in the Queen Elizabeth center in London we bid it here before it's a good spot. I guess we could try and hang blinds or something. But he don't get crazy. I think our listeners are they realized the body is usually higher every so often a fire truck or something goes by or just makes it excite. It's real life. That's what it is. And Big Ben is in a big old rapper has going to say, it's like a big condom big big Bank condom Big Ben con, I didn't say that. I was gonna say wouldn't say, and I wouldn't say that say shit. No anyway. Sarah with the is here with us. But we're going to be talking to here in a minute. But first we have a few things starting with better. No framework. Awesome. Aren't doing my found something really cool. I actually saw this in my Facebook feed. And every once in a while, I just I'm bored, and I scroll through that thing. And I realized that I could feel my brain cells dying when you that I still a lot of internet like that. I still do it. Anyway, once in a while, but I saw this. It's a Bose build your own speaker, a build it yourself bluetooth speaker for kids. It's a cube costs one hundred bucks. Okay. Goes. So it's overprice. Yeah. 
It's completely overpriced. But it's still one hundred dollars for a little speaker. But you can personalize it with blinky lights, and then there's an app for Apple devices, of course, not for Android. It's gotta be an Apple, because you're not even talking about Windows Phone. That's crazy talk. Well, no. I mean, we are talking Bose here. Yes. Apple and Bose together. Anyway. So it's intended for children eight and older. And it looks like a fun project to do with kids. You had a crafty kid, like electric, this is electric project. They might actually use a little Bluetooth speaker when they'd right, and the customer reviews and ratings are off the charts, five stars. Wow. They like it. Interesting. I do get real hate on for Bose stuff too. Yeah. I own their head, their canceling headphones, because I think they're the best. Yeah. And they're expensive. But I don't know that I'd own their stereo equipment. Yeah. Well. So just from an audio perspective, Bose got really famous for making things that sound bassy that are small form factor. Right, right, in the way that crazy clock radio, right? And the way they do that is, you can, if you have one big speaker, you're going to get bass frequencies, but if you have four smaller speakers, you have even more bass frequencies. The way that it works out is the speaker configuration, because they're like a foot apart, it makes it sound like a big woofer go. Yeah. Clever, that's clever. All right. That's what I got. Who's talking to us? Grabbed a comment off of show fifteen twenty four, the one we did with Ms. Heather Downing back in March of twenty eighteen, talking a little bit about voice programming. I know we're going down the home assistant side of things today, need to use voice stuff. So I thought this was somewhat relevant, and Peter sits has this comment from about a year ago. He says: hey, guys, great show as always. After listening to the show, I started thinking about all the voice activated devices.
I own and why none of them worked for me until I got an Echo. Yeah. I'm the same way. Voice command in the car: awful. Yeah. It's not that you can't have good voice command in the car. It's the car manufacturers cannot make good voice commands, right? As if traffic wasn't enough to fuel my road rage. I think these companies should give up trying to build consumer devices entirely. Yeah. Android Auto and Apple CarPlay. Just, you support it, stop what you're doing. You're failing at it. One of my favorites is Alexa. I'm sorry. No problem. Cortana on the Xbox: only works if device is on. Yes, it will turn on the device, but who has time to wait for that? Yeah. Because every time I turn on my Xbox, it needs to act. Siri on the laptop: never used it. Maybe it's just me. But I don't know why I'd wanna talk to my laptop. It already has a screen and a keyboard too. Alexa: this was the one I've had a few weeks, and it works because it's always on, no waiting, no authentication being, just go. And that's why I keep, you know, getting stuff ordered for you by accident, because it's just ongoing. This is the single biggest reason why this device works. And I don't feel like I need to talk to it like it's a Google search engine, you know. Right. So I do think voice activated devices are about the frictionless interaction. And if the user needs to wait or has to look at a screen or physically interact with something else, it's failed. I also think that these products that throw voice support in just because they can, without really thinking about the users, are going to fail. Also, I have a read a blog post, and I can't remember where it is, so I can't provide a link, but some guy basically wanted to get back at his ex or brother-in-law, son. So he went over to the house, and they had an Alexa, and they had a dog that was kind of high strung, you know, and anytime you knocked on the door or the window the dog would bark bardo birth.
So basically, he trained the dog to bark every time the word Alexa was said. So basically, it's like Alexa. Alexa. Eventually the dog would just anybody. Intellectually has no idea what the person's. You've destroyed that entire system. I mean, this is the social engineering dogs people thinking about. I don't know if Peter ever tried a Google Home device, because I think they work pretty well as well. So Peter, thank you so much for your comment. A copy of Music to Code By is on its way to you. And if you'd like a copy of Music to Code By, write a comment on the website at dot net rocks dot com or Facebook, we publish every show there. And if we read that comment on the show, we'll send you a copy of Music to Code By, and definitely follow us on Twitter. I'm at Carl Franklin. He's at rich Campbell, send us a tweet. No barking, please, no barking. Okay. Let me introduce Sarah Withee. She is a polyglot software engineer, public speaker, teacher and mentor, and hardware and robot tinkerer located in Pittsburgh, Pennsylvania. She has a passion for technology and has ever since she wrote her first computer programs in elementary school. She captivates audiences with both popular and powerful technical and anecdotal talks, gives workshops to teach programming and hardware building to women in tech, as well as to students of all ages. She's mentored middle and high school robotics teams to world championships. Yes. She's even helped organize six conferences, been in a Google Year in Search video, and started the viral hashtag, speaker confessions. Ooh. That oughta be good. Sarah. It was kind of interesting. Hello, I specifically chose that Bose box because it's something that, you know, reading your bio sort of reminded me of all the cool fun electronics projects and programming projects I did with my kids when they were younger. Yeah. Like, really cool. I haven't heard of a build your own speaker system. But I imagine it would be pretty fun if I were a kid and my parents got that for me.
I love this coaching kids in robotics championships. What are the competitions like? What are they trying to achieve? For the middle school ones, they were building LEGO robots, right away. So the goal, the first LEGO challenge, like committee over the country, they would develop a big field, and they would have little LEGO doodads on them. I don't know them. But they change every year. So technical term, doodad, yet officially. And they would have to build a robot that would be within a certain size frame, I think like eighteen, eighteen, eighteen inches, and they would have to hit a button, and it would have to autonomously go collect a thing, turn a knob, flip a switch, whatever, and then come back. Every time they could do one of these successfully they would get points. And obviously the goal would be the more of these you can do at the same time, the better. This is not far from the DARPA challenge, where they had the robot that had to go in the vehicle and open a door and turn a wheel. And those guys failed miserably. I've seen some very spectacular LEGO fails. There was LEGO everywhere, man. It was awesome. Always impressed. And some of the amazing things I can see these middle schoolers do with like. You know, I think as an adult who one has played with Legos as a kid, but to know. You know? I have an engineering background. I have two levels of college science. But it's gotta fill your heart with hope when you see them that sharp and pulling these things off and not exciting things. I don't even think, sir. They come up with solutions, and you're just gobsmacked, like, wow, that's the way. And we try to let them do as much of it as possible, can help know some problems all being in some kind of fine tuning into really their ideas. And one of the teams made it to the world championship. Really? Must've been super ho. What was their project, what was their robot? She remember those years ago. They also could take off parts and put on new parts. Right.
They had like four really reliable parts and like three minutes to do this end. But a part, hit go, went over, click, click, like four or five different things, come back, put it off, put on a new part, send it back out. Brilliant. They were just on top of it every step of the way. The bit about working with kids is that you literally are a magician when you show them technology that they don't understand. You know, I can't remember what I was showing, one kid in the back of the room stood up and said, that's not real. Love seeing that light bulb effect, imagined, the imaginary lightbulb other hadn't, it just turns on, and I just love seeing. Great. He's going my home. My drawer of broken dreams is filled with home automation projects of various types. We have this great coffeemaker that didn't have a timer on it. But it did have a start button. So I was like, okay, we'll just get a remote button pusher, you know, as you do. Right. So that was a remote button. Push your store. I found this button pusher. It was just something that you remotely connected. A little projectile comes out, you stick it on where the button is. And it worked once. And then it just sort of peeled off. And there wasn't enough pressure sticking, and oh God, that's going in the drawer. Broke, right. Works for me. Close up. So my wife is like, Carl, you got some stupid button pusher from Amazon, what are you doing? Now, you're doing a session on Mycroft. So you don't just have to buy commercial devices. You can cook it up yourself. Yeah. And what's really cool about this is it's totally open source. Everything is on GitHub. You can build it yourself or buy their device. So they have a device, it's like one hundred fifty bucks, preinstalled, ready to go, just plug it in. It's cold to the do have writ. Good to go products. You don't have to pull out a Raspberry Pi. Built mine: took out a Raspberry Pi, threw the software on it. I bought a little omnidirectional microphone and speaker for it.
It actually works pretty well. I was kind of skeptical at first. I'm like, I hope I'm not dumping money into to determine the nothing. It's actually fairly reliable. So it's cool. It seems to be just getting better as they go on. And so besides just load this offer on a program Billy model in there. He can do tensions is there. The whole thing's written in Python? Okay. Make really simple additions in Python. I think I have a demo. I think it's like four or five lines to just do a basic say something, get a response back, right? Sort of a hello world of the online speaking. So. So does Mycroft sort of. I'm not sure how this is, its own thing, or does it connect to Alexa, Google Now, Siri, Cortana? It is completely its own product. So there's an organization that works with it. They have a service, you connect to their service. Basically, all they do is just going to centralize your account, to say like you're located in whatever city. Okay. They do store settings kind of in the cloud. But they don't share this with anybody else. Do they do the speech to text in the cloud as well, or is that on the device? It can do it on the device. They're starting to offer a Mozilla backed, I think it's called DeepSpeech. And so if you want to opt into that, you can actually send your stuff up to the cloud, Mozilla processes it, sends results back, and the process does the actual skill. Yeah. I was using for the longest time the speech recognition stuff in the dot net framework on Windows, but there it sits, you know, in Windows, and it also didn't work as well as I thought it was going to, where some of the other stuff that I saw, like Google's speech API, is fantastic, Amazon's, of course. But how is the speech recognition accuracy? Some of it depends on your microphone. If you have a crappy microphone, it's not gonna pick up as well all the time. But in general, I've had decent success with it.
If mere skill set up to understand the right words, and if it's not something that can be easily mumbled through. Hey, my. That works. Sometimes TV shows that have set it off. But for the most part, it's been actually really accurate, and of course, obviously, the further away I get from it, it's harder to. But one of the upsides of building your own, especially for someone like Carl who knows a lot about microphones: there's some great microphones. We'll spend a little money on it. You should be able to get outstanding results. At least that's not the barrier. I got a cheap four dollar one, because I'm like, I didn't want to invest much into this thing. If so a lot of money, because I think on the average small device, it's a two dollar microphone, but it, well, it's a little conference call doodad. Pretty well for a forty dollars by off Amazon. Oh. ESP? Yeah. So I mean, that's the interesting part, is being able to piece different things together. Guess it's to be some homebrew kits, folks saying like, I like one of these and one of those, and I got these kinds of results from install it. It has some, I guess, some optimum settings for some microphones. But also says like, use the default, and can just kinda run from there. Since it's based on Linux, you can configure the system however we want this. Well, that's pretty cool. I'm poking around the site. One of the first things I saw was talking about like doing grocery shopping and things with, that's an Amazon Echo thing. Presuming you're tied to an Amazon Prime account, like, what's the back end options here? So there's not much tied to Google or Amazon or the big cloudy store. Things went something like that. You'd probably have to go by the commercial property yourself or by the commercial product. There's no specific back end to it at all. Runs locally. Right. So the skills are also on a GitHub repo, and you just pull them down. And it's just always checking for updates.
So if they build a new skill, you can actually pull it down from okposo automatically. But are there skills to service providers that might be like a grocery provider? There's some. I haven't seen any grocery provider skills. Seen some like build a to do list kind of ones. You could build up grocery lists that way. Well, I realize one of the challenges that we talk about these is like, they are a front end to a host of services. So what are the services that we care about then? Yeah. And I mean, if you really, really love shopping on the EMS on Amazon devices, perfect. If right love shopping, Amazon, you know, they're not easy for you to shop any. But the device, the Echo device, also just does a whole bunch of things that have nothing to do with shopping. I even use it. I don't use it for shopping. I just use it for your reading the jets as those sad. Well, yeah. Fine. No tears have been shed. But use it in the kitchen for measurements and conversions from grams to cups or whatever. And it's great for that. And there's a Wolfram Alpha tie into it. Oh, really? So I've had some fun tame my, what's the integral to X square to the third power. I want to hang out with you. I see what kind of fun you like. Let's talk integrals. Let's get a computer, do it for us. I've taken calculus in college. Wolfram Alpha did it. I was just like, wait, does Mycroft do that too? Sure enough, like a couple of seconds later. It's like, I set up a second computer in the kitchen. I have the Amazon Echo, and I have this other computer that I wanted to run it on. Of course, it runs Windows. Now, there is an Echo, or what do they call it, yet, an Alexa for Windows, but you cannot drive it with the keyword. You can't wake it up with a word. You actually have to press the button. Right. So guess what I got. It's letting push. Well, no, there is. Good. A key, the separate device. The button noise versus the secretary, Alexa, push the button on the micro. It's worse than that.
There's a global keyboard hook. So it's like control all teeth as when I don't know what it is something obvious, something obvious. So basically, I wrote a little app using the Microsoft dot net speech recognition to do the wake-up keyword, and then send the global key handler to Alexa. So. This is. That I do bring a clock in the morning can't sleep. What's Carl doing? I I've ended up using Google homes because I am using nest cameras. Right. Right. And that's the. British Columbia says wild animals everywhere. So we're always wanting pictures while. That's what I do with. These camels gotta have content to send your relatives comes to your front door. Would you like to see video clips of the front door? They don't read the doorbell. But I did I've realized I came to predate his I started going down. This path is like there are somewhat isolated ecosystems like the Google nest system is quite insulated from the Alexa, ring environment. So it's like we did wanted a new doorbell and I had to go with the next. Hello because I committed to the cameras and. What's what's useful about? I don't have you ever played with this things. They recognize they've facial recognition on which is a little creepy. But it does mean I when Beth comes through the door the thing sets that's at the door. Right. So you know, or some otherwise it's a somebody's at the door. And I don't actually know the name of the guy who delivers the water, but the but the device says water guys at the door. This guy was water. The guy with the water is at the door weird. Cool. So all of these things are things that we could do with Microsoft. Yeah. Ultimately, if it has convey PI of some sort you can write a plug in in python can contact the service, do whatever it needs to do and get a result back. So I want to hear some of the cool things that you've done with it. I'm still playing around with it a little bit later on in up to can make a talk with it. 
But I've been working on tying it to Wunderlist, which is my to do list program, your they have one I think it's for remember the milk that somebody made. I was hesitant to get into these. Because I find talking to a computer talking in a room alone. Just kind of weird. That's why I have a dog. Brawl. That's a little weird. You know? So I'm just kinda like, well, I didn't like the idea of spying device. Sending in my home. If I'm never gonna use it either. I never just got the echo, or whatever I kind of liked it. You have the open source one where you know, where the data's going. Like, you have a lot more control of the things. I really liked Twas. You can look at the log files see in real time. What is what is it actually doing? I love it. Also, see, you know, when it triggers the rake words when you know, all that. And it's not sending data up anywhere. Yeah. That's that's a plus because nobody there's lots of folks. And we every time we talk about these control systems. Like, there's always a few comments bills. Like, I really don't want to bring us by device into my house. Right. I could respect that. Right. But the fact that here is a device it has these capabilities, and you know, what it's doing with the data. You have some control over it. Why wouldn't you experiment? I was I was more afraid at first. And then I realized that you know, it's not everything that you say, it's not constantly streaming and audio stream. Of your tax, whatever that everything you say to the cloud. It's not doing that. It's only after the wakeup word. So after you when you when you're talking to whatever it is a lexin, my case, everything that you say that that is sent up obviously. Now, I fall more on the camp of hey, I have a smartphone. And that's Mark phones been spying on me constantly anyway. So what's one more device? Yeah. It is running gag with a buddy of mine who's got a phone that. I don't know what he figured as. But literally I get in his car. 
I mentioned something that we've never talked about before. And he will have ads on Facebook while it by lunchtime. Yeah. So, but hey, it's remarkably difficult to think of completely original idea every single time you get into somebody's car. But he he was getting ads for radial arm saws because that's what came to me. Dude. I just replaced a blade on my radial arm saw. And he looked at me said at a very naughty word to. But by lunchtime. Did he have ads for radio arts us coming out of Facebook while yes, yes, he did? That's funny. Kind of amazing and terrible safety as a technologist. I'm amazed. And the tin foil hat guy is like they are listening to just, you know, just keep coming back to man, the pranking that you can do with this technology is just beyond belief because we assume a lot about humanity when we make these types of technologies that they're going to be right. You're right. I should be talking about sex toys more often when I get new. That's the ads. This is what I'm saying. I'm not thinking creatively enough. That's what you tell it. Yes. Have you seen the videos where the two Google homes next to each other? And they program to basically argue with each other. And so they're trying to purse out what each one saying they like know response to it. And of course, I think they wrote some sort of like Markov bought by. See just went on for hours. How about how about you have a little portable tape recorder in record yourself ordering really expensive crap off Amazon. Well, let's leave it. You know when somebody goes. This way. You don't do that test with Amazon devices because ultimately it falls into her. Cursive order batteries until you're literally already Powell's about it. You don't want that to you? Gotta be careful like that's a lot of double as dude. Would it be done? Think about going to the store buy some w no, no, no here. Have to worry. I've got battery forever. How had an accident with my Alexa. 
There's a family guy episode monkey waving inflatable arm planning to Ben how he had over by them is trying to get the correct over by of those one. I think he's been seizures bad things are terrified. Okay. I'm pretty sure we have a show in here somewhere. We're talking about something. It's all just python. Yeah. Yeah. Well, you know, I have nothing bad to say about python. It's a remarkably fun language to work in any avid tinkering with it for some home automation stuff oddly enough. So it is just like if you're not a program you can handle python. You start getting into. Lightbulbs and stuff with too because I I don't have any of that. Right. Right. But that would give me a good excuse to maybe the reason to own all those things, absolutely. And let's stop for this very important message. Hey, Carl here. So we're at one show per week until further notice, I'm sure that's a relief for some of you. But for others. That's just not enough. Well, the only way we can get back to two shows a week is if we significantly increase our patriotic pledges. That's just the way it goes. So think about becoming dot net. Rocks patron like Jonathan Hickey. Thanks jonathan. Make a pledge today at patriotic dot dot net. Rocks dot com and thanks Amer back. It's richer Campbell with Carl Franklin we're here in DC London in London in London west actually, we're in London London England, actually faintly hear the chimes. I believe of Westminster Abbey just across the way. And we're here with Sarah with the and talking a little about Microsoft, and this idea of building open-source, pharmacists and sue you kind of got control of what's going on which I approve I agree. So how? How repository for for a lot of these projects? There's the core system. It's I think it's Microsoft is slash Microsoft. Dash corps has all the audio the Texas speech, we all good stuff. And then there's day, I slash Microsoft skills. 
And that has each individual look at the weather look at Wolfram alpha look up to his different things like that. So directory is a sub module that points to somebody else's skill. He can make a skill on your own repoed Lincoln in this module. Do a PR Samaria everybody has it may have versions for the phone. So you can just just like any of the other products. You just run it on your phone working on an Android package. I think it's not done yet. But they're getting close. So the question is will they be able to have a wake-up where it on the phone or in theory. I think they should. I mean the Alexa win on the Android phone. Anyway, there's no up where to either I wonder why they do that. There are a lot of skills. Somebody's been busy. Yeah. That's funny. Don't publish as fast because they don't have millions of dollars. Backing they don't have most of people most of the Alexis skills. It feels like it's a new kind of gold rush lifted the iphone rush, we have an Alexa fart that must be. For the rule, isn't it? Yeah. But eight Spotify we've been using that on Google home. Like, that's a that's a popular feature just being able to call you Spotify account and have it play out of the out of the microphone. There's another one where a home built version of a of a home assistant with a better microphone and a better. Speakers better audio you could really tied into your whole audio system can result from that. So that you're not just playing Spotify out of a dinky little speaker. So cool thing about their bay pie. Is you know, there's a headphone Jack on the side. Yeah. Just plug it into to the to system. Yeah. I because again, you get in this tribe, and I'm in the Amazon tribe. I went I got rid of my Spotify account, and I got an Amazon Universal Music right now. And it's the same thing. I mean, basically, you just held to play any song and minute just plays it, and you just signed up Damas on prime for that. Yeah. You're you're committed to your x dollars per year. 
And it's a ten dollar a month. Additional. I think. The unlimited. Door plug in for my cross. All right now, I have to have one of these because somebody did his or plug in Zork plugging you can actually play your on your Microsoft. I could do that twisty little set of passages. All like, I do that all day, especially it is yards. Beaten by grew on a long drive just playing the game playing the game, let alone because you know, how to win you play. So it's like trying to come up with the fewest. Now, you had some where you just make a recording of a winning strategy for Zorka. You play it to your Microsoft is that where I went to purpose kinda kinda does. So what else is cool about this stuff? It has a really cool debugging interface. So you can pull up the field. I of it, and you can either SSH into it or hook it up to TV and you can type in commands to it. It will show you the responses to suggest in case, it's not recognizing words correctly. You can always do it straight into the interface. Is there a way to play back the audio that had just heard? I mean because number times, I've wondered am I having problems with the microphone like why is it having such a hard time understanding? We'll tell you in the there's a frame that shows all the logs that are scrolling up happen. Happen, and it will show you the words that detected as well as when it thinks heard the way cord, I heard the wake word pay Microsoft, or you can change your way cords to. So we'll tell you what it think it heard and then the skillets trying to use to parse it out. And then any like sub logging things that particular sky absolutely wished that the commercial devices show that stuff the fact that this one does excites me like, yeah. Okay. I would love to see how Alexa, Google home and all those work like could I plug them into TV or SSH in New Jersey? He been give me the lot. The stream of the logs won't. Yeah. I'm sure they won't. They got no incentive to do such a thing. 
So to get back to the reality of this. These devices all have a kind of digital exhaust coming from them that people and those companies value that exhaustion collected up. So there is a joke skill. So, you know, that's your favorite thing in Atlanta. Yeah. Tell me Joe I like the twenty questions thing to know. No, I programmed one of these for my car a couple of years ago, and I had my music library ended. And I had all these games. I had allies of the road Jerian psychotherapist. So that my kids love that you know, answers a question with a question, and and I had the twenty questions game which was a fun game too. Right. Basic betraying algorithm. It was fun. And they have this on all these devices now so again driving in the car board. Don't wanna listen to the radio. Don't want to listen anything else. You can actually play stupid games you build a day to step out over time like over the course of the drive eventually Knowsley a few hundred a few dozen dozen more than when I started. Yeah. Yeah. How long before become scented under-funding base built like big twenty questions database that would things well as no twenty questions in this catalogue of microbe day is so we've found something to add? I mean, my talks not until Friday. It's only python. What does that nine lines of python? Yeah. It can I write this inundate and half. I don't. I don't. Yeah. But it's a lot of loaf. It's interesting. How when it's just the low friction solution to stuff like convert this measurement for me. What's the weather like tomorrow? The things the context stuff is the one that always gets me is like with today's weather. How about tomorrow's weather? I gotta ask it all over again. Right. And they interesting I've never elected Alexa, skills or Google or how they're developed a pretty good system of you. 
Give it words that are required and words that are optionals like weather could be required word, but whether tomorrow tomorrow could be optional very, but it would still take these words, you can parse out which ones you want or need and can go look up weather from there. So the natural language stuff is built in. But you still trying to trying to build that chat bought part of what are the words that matter to tell it how to parse out things, but it's really good at taking a sentence. You said correctly determining. What skill to us with run saying, white fears? The message for the rest of it have you seen Louis L U, I S on Microsoft cognitive services. This is a it's a way that you can parse out the different nouns verbs from a sentence. And turn them into meaningful queries. Yeah. Yeah. It's a natural language processing service. Really? But you get to set it up. It's kind of cool a lot of work though. I mean, I just like the fact that. When you when you build a skill. You know, you have some core question, and you have might might have some sub questions, and you just pick out the things you pick out the nouns verbs yourself. I mean, how do you deal with that on this platform? So when you write function e build class reach skill you can have different functions within it. These functions can take a message in have to return some sort of response that could be just see this thing. But it could also be asking the question and then get another response. There is a way to set up like, you know, what's the weather eager to response back. But you could also say there's like a guest the number game. It's mature low number what your high number. Okay. Let's play and just going to keep going back and forth until you get to the number picked, right? That's a good example of kind of a back and forth. That's still the same skill. But you have to say exactly the. Right question to get the skill right? I'm you can add in derivatives too. 
So you could say, you know, what's the weather? Tell me the weather or different with box for doing stuff like booking a hotel room or flight where you start off with. I'm looking for. I'm looking for a room in Los Angeles. Are what days do you want? What features do the room? Do you want? Can I get you something like this? Would you be okay with that? It's those chains where things get really interesting down. All those details, but from a programming perspective, you're still sort of demanding the order of execution, right? That they made the initial requests. And if it doesn't include cities or dates or anything like that you ask each one of those. It's just it's still a pretty much just it's almost in a synchronous population of an array to collect sufficient data. It's like, okay, I think I have enough. Now, let me go search for you see what I can find. So that's an extra just an interesting levels of what information do we really need to put in their matching over time. This is going to get better people your work with house my coffin around a couple years. Okay. I get it. So I'm grateful that this exists. Even though I've already committed to Google spying on me that it's like, you know, we don't have to be like this. We could do this in open source. Wade the just so all my Ness cams on Craigslist. I guess when we're going to do. Well, I I'm interested in checking it out just to see how the recognition compares to the stuff that I have and that works. Well, sure. Yeah. Especially when you think about a pie is able to do the recognition part now. And if you get one of the older pies responses are a little slower because there's sorry process. But. Three b pluses, which is the latest ones. Don't take too long and what forty dollars? Yeah. Yeah. Thirty five forty dollars. So I mean, that's the liquor. We are in compute, right? 
It's like the thing that couldn't do just a few years ago reliably right now doing a forty dollar machine with some open source software third on my laptop. And that's what I'm going to use for my presentation even faster than. By the kidding done. Tons of horsepower. Is there anything on your wishlist for my cross that you wish it did either at all or better than it? Currently does. I mean, I would love to see more skills in general. Okay. A lot of it's been simple can calm response sort of scales. I would love to see more interactions with you know, like things not space or sending texts to people or different things. Like that. I did see one that would read your emails whenever a new Email came in. It would send the message. I didn't quite see how that worked here. I'm oh, I think you ask it three during and it will go check out. I give you Email, right? They read my on weight. That's different thing. You can call arrests service. Obviously. Right. So if you had a little twi-, Leo service, you could certainly call that to send Senate tax. So what's next for you? What's in your inbox? What's the next thing? You're going to be doing working on. Then things are getting ready to do with obstructions conference, which I'm the director programming. So we're getting ready to opener C A P for that. So people can apply to speak there. So that's opened up in a few days. Probably by the timeless releases will probably be argue open. Go nets Pittsburgh. Yes. That's cool. Yeah. Andy about two thousand people, and I think our motto is kind of. What do you not expect it as opera conference? Okay. Let's do that. I didn't make it to the really. I'm really see some pretty. Sounds like a really diverse. Great. Well, share with you. It's been awesome. Talking to you. Thanks for stopping by. And we'll see you next time on dot net. Rocks. Dot net. Rocks is brought to you by Franklin's net and produced by plop studios. 
A full service audio video and post production facility, located physically in new London Connecticut, and of course, in the cloud online at P W O P dot com. Visit our website at DOT NET ROTC, ks dot com for RSS feeds downloads mobile, apps, comments and access to the full archives. Going back to show number one reported in September two thousand two and make sure you check out our sponsors. They keep us in business. Now, go write some code CNN time.

Coding in Q# with John Azariah

.NET Rocks!

1:00:35 hr | 3 years ago

"Welcome back dot net rocks. This is Carl Franklin, amateur Campbell. We're here Sydney and Sydney to the exact devote cruise last night, and that was awesome. They took us out on a boat which is like a floating restaurant. Yeah, glass walls. It was a bit noisy, actually, all glass all the way around you. People aquarium really took us out by the Sydney Opera House and they just slowly twirl the boat around. So we could just there while because it's not very far to go and the bridge too, and the bridge. She's awesome. It was awesome. And this is going to be a great show because we're here with John as Araya and we're gonna be talking q. sharp in a little bit. But first we have this little thing called better know framework roll. The crazy music. This is crazy, but this is an article in the verge windows ninety five remember that. Yeah. Now, teen years ago, it's now an app that you can download and install on MAC OS windows in lenox written electron. I swear to God. I'm not making this up the guy behind slack Felix rise Burke. Did this? Okay. Yeah. So now you can run windows ninety five as an electron app. This is electron Runamuck. That's what. Is not a good idea. It's crazy look, look. There. It is. That's funny. You can't see it, but just go there. This is actually show fifteen eighty seven. So if you got to fifteen eighty seven up, walk dot me, that will link you right to it. That's awesome. Dude. I love it. What else they say? You got it. This is standing there every once in a while you need a little minesweeper. Minesweeper somewhat smaller way to run minesweeper. I'm just guessing rather than emulating tire offerings deployed, probably okay. That's what I do. I love it. Who's talking to my friend? We haven't done a lot of shows around quantum computing. We did do that a geek out that was that was twenty fifteen. So this is a comment from show eleven ninety. Six was the quantum computing geek out and I'm laughing at the abstract. 
I wrote again three years ago where I said the state of quantity competing today, three years ago, like the state of classical computing in the nineteen fifties before the advent of the transistor. 'cause we're still feeling around for the fundamentals of cubit should look like there's competing strategies cube it. Nice, never mind. That's another show. Yeah. Not as funny as it used to be now, apparently which too bad this comment comes. And while that show is recorded three years ago, yeah, this is only nine months old. This from Tom Atwood said, hi, Carlin, Richard. I just saw Microsoft's release of q sharpen the quantum computing Vellon kit and thought, hey, Carl Richaud did a show on quantum he'd he'd just a few months back. I should religion, and then I went searching for the show and it was two and a half years ago. I guess time flies when we're having fun. Is there any chance that you could find someone who can do show them cue sharpen the quantum development kit? Thanks so much for the great podcast that can't do no can't do that. We refused to dock you saw the whole thing really gauche actually, really. All right, actually, that is the show and Tom, thank you so much for your comment. A copy of music o- buys on its way to you. And if you'd like a copies dako- by write a comment on the website at dot net rocks dot com or via any of our social media, because we publish every show to Facebook and Google plus. And if he comment there, we read it on the show. We'll send you a copy music. Oh, by and definitely follow us on Twitter. He's at rich Campbell. I'm at Carl Franklin. Send us a tweet, we try to observe them, but they keep slipping away. You can observe them, but then you'll know where they are. Sorry had could we all quantum humor? That's it. You're done. That's all there is. No, I can't promise. All right. Well, Jonah's Araya's here, and we're going to talk to him q. sharply. Formerly introduced. 
John is a frequent speaker at conferences on various topics of expertise, including functional programming, cloud computing, computer science and software engineering, Scott over twenty five years of experience writing all kinds of software from packaged applications, like oracle forms, Microsoft excel, Microsoft Project tools like bright sore designer, websites, web and cloud applications like Maya. Obe- account. Right. How do you say that. OBI business, Amway, OB. Yeah, thank you account, right? Microsoft Azure batch also be currently works from exile, researching the effort for the new quantum computing language, Microsoft, q., sharp, welcome John. Thank you. That's quite a pet of you might know your way around huger. I'm might a little. Do you still relate to that comment about? We're still feeling around for the real transistor of the next generation computer? Well, yes. I mean, to be honest, we haven't got to give it yet. Right? And the people doing my way way way. We have to just sort of back up and find some terms here for one and completely lost when it comes to quantum computer, even after talking so cube, it humid quantum bit. Okay. Now we used to von Neumann architecture in the standard computer where memories stored in ram and this can all of that. Yeah, in binary format. So it is a key that anyway. So in classical computing, we have memory which is stored in ram and on this event. Right. And then you have these processes that are basically also transistors memory store in transition. The process also said of transistors that build. Up to from flip flops and then at adas and you make it make an gate, you make an or gate me Savar gate, like all these fundamental stuff. And then you bring the memory in and then you put it on it and then you write them back and you do that can thing, right? Yeah, quantum McCain's is limit funny so little. Yeah. 
When you want to operate on something quantum mechanically nature doesn't let you observe all of the innards of the condom, mechanical state. Right? So you'll end up with a system that both holds the state in a way that you can't actually see it and also operates on it. Right. So Cuban is the processing unit and the memory that stores the state in the. And so when you want to build up a bigger system, what you do is you take multiple keyboards together and you kind of fuse them together, and I'm being super deco entangle them tensor them really. Okay. And some of the the fusing is entitlements. Just denser product of the Cuban states. Okay. And then you land up with a state that is actually going to become twice the size everytime yet give it, and because the amount of information that stored in Cuba it systems actually very lots of its what is technically known in terms of very high dimensional linear space. Okay. The, it's Victor in this may damage little space. You can't actually ask for the victim to in order to do something with it. You take system is, hey, please rotate this Mechta this way or whatever it is. And so the system of q, it's is both the state storage and also the thing that actually operates on the state for you to do something the accumulators it's yes, the question my mind is we have to have a quantum computer before we can have q. sharp. Absolutely not because the way in which we think about quantum computing is it's actually levels of abstraction, right? So what do you say earlier about classical computing before transistor people still have the idea that there was such a concept of computer -bility. I mean, eight a loveless basically outlined what would von Neumann on the machine. That's right in the eighteen hundreds. That's right. And in nineteen twenty and the nineteen early early, early nineteen thirties, there's a formal theory of compute ability, right? Without untangling and all of that. 
Yeah, that actually talked about not just, hey, what are the nuts and bolts that you need to do the competing with? But what does computing actually look like? What kind of problems can we solve with computing, right? They did all of this stuff before they had the fullest so program computer. Also the talk about what tearing of doing they were hard wiring computational the the baba was sprite, exactly to hardwired computer in the didn't require the transistor. As I understand it. There are different kinds of cubits. There's several approaches to Cuba I'm thinking about div WAVE's quantum annealing and we're of fair. Me on based. Right cubit. Right. These are all software models right hardware, but I'm just curious as to where you're at. All right. So let me just back up one second, though. If you think about what computing was like before the plans state was basically the mathematical model of computation. Right? Was important thing, and then you basically build systems and even talk about algorithms just based on the mathematical models. So Mukundan computing would it turns out that the mathematical model of quantum computing is a generalization of classical computing. Okay. And the generalizations, actually linear has not anything else. So if you had linen is above it, certain restraints on over, you can actually build up a viable consistent computer model for quantum computing. And then you can embed that into an emulator which is kind of what everybody does these days and like an emulator just not as fast as the real thing I've not. It's. Autism magnitude slower enormously limited in terms of how much the Android emulator. So if I can just kind of wrap my brain around this. So you have software models that emulate what the hardware will do when we have a quantum computer that we can run it against. But in the meantime, we can develop architectures in programming models it in languages like. 
That that we can do so that when the the hardware comes around, we, we've got software to around on it. Yes, exactly. The hardware will take some time coming. Sure. People have been working on different types of hardware for a long time. And as you mentioned earlier, there are many ways to skin this cat you can create, and that is actually a corner joke. References since he does. Thinking. Alive or dead. Many ways to actually Bill cubits. What physical Cuba three looks like is really a quantum mechanical system that has properties. And there are many wanna because systems that out there in the world that kind of have some of these properties and did the trick is to get them to actually be used in computational manner. Right? And so we have the front runners in the field who have these things called trans, Mont cubits. People like IBM company called Righetti and Google just announced seventy two Cuban device people basically talking about a hundred and forty four given do as coming out soon. Right? And so on so forth. These cubits have interesting, they're real. They have the quantum mechanical properties. They're severely limited with the kind of characteristics and they have. So for example, these are devices that show all the quantum mechanical properties that you need fought about a millions of second. Okay. And so now you have to basically sequence it instructions to interact with the quantum mechanic. Estate of the thing, and you don't really have much time to do it now in order to make things a little bit more tractable what you'll end up doing is introducing Etta connection again, a mathematical model for it, and that effectively allows you to have between hundreds and tens of thousands of these little physical cubits that you can now simulate a logical, but that has a lifetime. That is tractable, right? All you could numbers are so large. His wasn't a magic number for quote, real Cubans. 
Once you get to thirty, you're going to be good in terms of complex computation. Well, no, that's a different study. And there's quite a contentious issue to be discussed that that point, because there's this really weird phrase called Quantum's equipments, hear people talk about right, which is notionally the kind of thing where what is a problem that I cannot solve classically that I can now have solution fall and Konta mechanical assist. Them to say that this going to mechanical system is actually better than the the state of the art loss. Aren't there certain sort of classical equations like this is essentially unsolvable with traditional hardware, it'll take the duration of the universe to dissolve it, but quantum able to knock it out and it's going to be one of your proofs and there's an enormous amount of visa in trying to find the smallest solution that requires the fewest quantum resources. Right. That's still proved that the quantum mechanical approach is superior to the classical approach. Okay. And duty still out on which problem is going to exhibit this behavior, and can I ask about the d wave guys? 'cause their system seems different. It is and somewhat contentious as well with that. This is another company making another kind of quantum computer, but they're advertising a thousand cubits. Well, I think they've said some two thousand Cubans to mortals of mathematically describing quantum computing. One is called the gate model, which is actively. Time Shen of condensate using metrics vacation. Okay. Okay. And another one is what Dave does, which is to try and find the lowest energy of a given system that represents a problem. And by finding the lowest energy, you kind of get the simulated annealing kind of approach to finding an optimal solution for something. Okay. Okay. What's contentious about this is that this approach is not conscious specific. It is a coordinating has been around since the nineteen fifties. Sure. 
And it turns out that you can actually use the quantum mechanical approach they've taken and optimize your classical algorithm to come up with the same solution with far less resources from the classical side, and there's an ominous in some sense going on. Somebody comes, hey, this is a quantum system and it solves this problem fast. And then someone does quantum-inspired optimization in the classical sense, and then beats the classical problem on the head a bit. Right? And then you'll end up with a classical solution that actually outperforms the quantum one. And this has actually happened more than once. For example, the quantum optimization that D-Wave achieved was actually replicated by an Azure cluster, so orders of magnitude cheaper, right? Two million dollars to two thousand on his right. And then after a little while somebody worked on it for a graduate project or something like that, and eventually got the same result on a laptop. All right. So this is one of the conversations that I saw going on around these things, that you weren't demonstrating the benefits that we expected from quantum in this approach. It was still just reasonably solvable problems. Right? But that's the annealing model that D-Wave uses. Right, which isn't the gate model that all the others are actually working on. Okay. And the gate model allows you to actually employ certain interesting algorithms. So in the nineteen seventies there was a relent at MIT, Peter Shor, who came up with the algorithm for factoring numbers, right? And factoring numbers is hard, and should be. I mean, that's why we have credit cards that we can rely on. Right, right. This is the basis of most encryption, number factoring. The entire world's economy, right? If you wanna be less minute Matic about it. That's the left. Okay. So basically, if you want to destabilize the world's economy, you want to learn how to factor numbers quickly. Factoring large primes is a great way to wreck the economy.
Exactly. Okay. So Peter Shor basically used number theory and a whole bunch of basic mathematics stuff to come up with a mechanism to reduce the factorization problem to the problem of period finding, as in: I give you a function that spits out a bunch of numbers, tell me if this function's periodic, right? And that turns out to be a hard problem, right? Classically as well, to think about it. But it turns out that the tour related finding is now basically actualization the twenty. And so the brilliant bit came to using quantum mechanical techniques to achieve speedups on the period-finding piece, and it turns out that takes exponential time classically, right? And linear time quantumly. Okay. Right. As you increase the complexity of that expression, the performance on classical computers can drop like a rock. It's gonna go terribly slowly and the quantum should be unaffected. What we can take away from this: once we have quantum computers, the whole world financial instability is. Oh. Collapse, right. You wouldn't wanna be dramatic or no. And you wouldn't wanna be naked either. So what anyone who off in shorts, bitcoin saying this thing's gone to Hansel. Let me hasten to point out that not only is post-quantum crypto a real thing, but we already have solutions that are resistant to crypto quantum attacks. Okay. I want you to hold that thought right there, best you can for me anyway, while we take this moment for a very important message. Hi, this is Richard. The DevIntersection fall show this year will be December third to sixth in Las Vegas at the MGM Grand Hotel. The lineup is awesome. Scott Guthrie, Scott Hanselman, Scott Hunter, yes, all the Scotts, but also a ton of great industry speakers for some insight on what's coming up in the world of .NET. You know, Core 3's bringing client technology like WinForms and WPF into play. Could it be time to migrate your existing desktop apps to this new technology? Learn more at DevIntersection, December third to sixth, in Las Vegas, the MGM Grand.
Go to devintersection dot com to register and use the code dot net rocks to get a discount. And we're back, it's dot net rocks. I'm Carl Franklin. This is Richard Campbell. This is John Azariah. We're talking quantum computing. Well, they're talking quantum computing. Just sort of bewildered. One of the things that I'm reminded of here, with this taking of these quantum ideas and applying them to classical computing, is the same thing we saw with functional computing with F#, where functional programming practices could be applied in C# and made some nice code. You could write very functional C#, but it was only apparent when we started having functional hanging around with us all the time, right? You started seeing practices. I'm intrigued. There's a similar comparison, that this way that we think about quantum computing is influencing classical computing. Indeed, be Finn. I mean, let's put the crypto thing on hold, come and address the specific thing. Right? And do we finish classically? We've been taught algorithms in a particular way, and they have usually been taught in a very pragmatic, you know, set-theoretic, maybe, approach, whatever it is. But usually you don't go all the way down to linear algebra and matrix operations and that kind of thing. All the way down to the nitty-gritty, what you're really doing is manipulating vectors in Hilbert spaces. But it turns out that that's actually how quantum mechanics works. And as a special case, that's actually how classical computing works. It's something that we don't start with the association early. So it's not surprising that you get insights from working with quantum computing in this deeply mathematical approach, and it suddenly dawns on you that classical computing is a special case of this deep mathematical insight that received right now. You can apply that to classical things, and all of a sudden you have a bit of understanding of what the classical behavior is like or how to improve.
Is it providing an insight? It is, because you're exploring this special case in more detail than you could, and it's a different way of looking at it, because you can't look at quantum mechanical systems intuitively. There's nothing India, the corner. ACA system, two dachshunds line. If you feel like you're understanding quantum, you're further away than ever before, hey. This. So, in terms of quantum crypto though. Post-quantum crypto is a real thing. We already have solutions for it, even at Microsoft, unveiled willing stuff out, starting to think in terms of, given this ability to factor large primes quickly with quantum computing will disrupt this style of encryption, we have styles of encryption that can resist that. Indeed. Okay. And the size of encryption that's much more difficult to crack even if you do have a quantum computer, right? Right. Are we just going up to larger primes, or a completely different strategy? Usually things like lattice-based encryption, in which those are a lot of theoretical pieces we just haven't cared about because the large prime strategies worked so well and they're inexpensive to compute. Yes. And basically it was a matter of nobody bothered to try and figure out whether they needed a better mousetrap because Muslims already called it PGP, pretty good privacy, for a reason. Right. Pretty good is pretty, then now it's, now we have a threat that it may not be. Well, we are some way away from it being a threat. And to underscore the second point I wanna make, which is while encryption is actually the big-ticket item that you think about as being the this metal thing to quantum will solve, there are several trillion-dollar problems that will be solved when you have a fraction of the number of qubits that you need to solve encryption instinct. There are more valuable things for less cost. Indeed, which we will meet as canaries in the coal mine long before you get to the point where you break encryption and destabilize the economy, right?
You might actually do things like solve world hunger or solve carbon capture, right. Then you need money. So they, I mean, I would think solve plasma instability in fusion reactors so that we can actually get those things off the dime. Well, so that particular application isn't something I'm familiar with, but I will tell you I'm very familiar with the problem of solving hunger. Okay. And I can give you a two-minute introduction to what that looks like. Yeah, I'm really curious as to how quantum computing would affect that, right. Let me take you back to nineteen eleven. Okay. Okay. Before that we didn't have industrialized farming, so you were dependent on natural ways of fertilizing. Count back wanna, right? But Ghana's one of them. None of interestingly solving that problem is to grow beans, right? Nitrogen fixation, nitrogen fixation by plants. You take the plants and then you till them into the ground and you've got fertilizers, that you just have to grow beans in the field. Okay. Growing wheat, you now grow beans, and the difference in the plant actually driving back into the soil, you can now harvest the beans. Okay. And then plough it down and then grow corn again, right. No problem, right. The way that works is like this: in the root of the bean plant there are parasitic nodules. These have nothing to do with beans. They just happen to live on the plant, and inside those nodules you have bacteria that live in the cell membranes in an anaerobic environment, that know how to capture nitrogen from the atmosphere and hydrogen from water, put them together and form ammonia. Okay, that is a profound, complex chemical action. In nineteen eleven we figured out as humans the first way to actually make ammonia from atmosphere and water, and that's the Haber-Bosch process, right. And that looks like nothing like what the bean plant is doing, right? It looks like taking nitrogen.
Heating it to five thousand degrees, putting fifty atmospheres of pressure, sticking a whole bunch of catalysts in there and ultimately getting ammonia. We haven't changed much since nineteen eleven. Worked pretty well. Makes great gunpowder too. We spend four percent of the global energy output on just making ammonia. It's the most important industrial chemical on the planet. Right? Because it makes fertilizers. The reason we feed people, because this is literally how we've eaten anything that we've ever eaten. I anti lives and explosives we. We talked about this in the agriculture Geek Out, right, that the green revolution in the sixties, where we went from a billion people in the early nineteen hundreds to three billion people, where we should have tipped over as a civilization. It was this process and that technology that allowed us to triple our population and not everyone starve. Yes, yeah. Now, why do we not do what the bean plant does industrially? The reason we can't is because we don't understand how nitrogenase, which is the enzyme that's used by nitrogen-fixing bacteria, the magnesium, and we don't understand how nitrogenase works from a chemical perspective, like chemistry. We can't sit down and say, hey, this is actually the equation, the set of equations that you'd need to solve to figure out how nitrogenase works. And when I was in this, this is how it catalyzes this fixation issue. We can't do it in the lab in vitro because everything's an anaerobic environment inside the nodule, right? And we can't analytically understand the chemistry. Is it a protein folding problem? This is not a protein folding problem. This is typical chemistry, because of transition metals, in fact, in nitrogenase, and molybdenum. You have to solve the problem of what happens to one hundred seventy electrons in order to get the understanding of why nitrogenase has these properties. It's almost like a nanoscale catalytic behavior. It is. It is nanoscale catalytic.
This really cool, very hard problem to solve, so much so that if you tried to sit down and classically write out the state of an electron on all the permutations, yes, in water for example, that has two hydrogen atoms. Yep. So two electrons from the hydrogen atoms and two from the Couva biz on oxygen. So four electrons. You can sit down and solve the water problem analytically. It'd take you a couple of weeks, but as a grad student you'd probably sit and workout decreases and Say, Bory will have these properties, right? Right. At one hundred seventy electrons, each electron's waveform takes at least two complex numbers to store. To store one hundred seventy electrons' characteristic waveforms, you need two hundred seventy complex numbers. That's a big number. How big? That it only the hundred and fifty atoms on this planet. So if you made every atom on the planet. Of the equation lamb sell, you would need a million Earths just to store the problem's definition. Nice, right. So quickly we can't solve this problem. Should wait for that phone forty. Yeah, I think you're a little pessimistic here. Right? We can't solve. The problem is we don't have enough atoms. Well, the I order Amazon. Nice, Richard. Yeah, buddy. Guess what time it is now? Must be that happy time again. Yeah, that's right. It's time to decouple the Heisenberg compensators, split the freemen blazer ater into its component parts and dispatched the corker Dirk. So someone around here can get a stronger coffee. Last week. That joke was funny last week. That's when you nailed it. It was. It's actually time to give away a two hundred dollar Amazon gift card, compliments of Progress Telerik, to one lucky member of the dot net rocks fan club. But first, let me tell you about the most comprehensive developer tool kit for building modern apps on the market today. Telerik DevCraft, with more than eleven hundred Telerik .NET and Kendo UI JavaScript components and controls.
You can easily build modern high-performance web, mobile and desktop apps as well as chat bots. The tool set also includes reporting solutions, automated testing and productivity tools, and comes with a range of support options. New this year is a free online training program for all license holders. So with this, alongside thousands of demos with source code, comprehensive docs and full sort of Visual Studio templates, you'll be up and running with the Progress Telerik and Kendo UI tools in no time. Download a free thirty-day trial today at telerik dot com slash download. All right, buddy. Who's our winner? Today's winner, Richard, is book Hicks, Glock. Clapper here and buck just won a two hundred dollar Amazon gift card, compliments of Progress Telerik, just for being a member of the dot net rocks fan club. And if you'd like to be a member, go to dot net rocks dot com. Click on the big get free stuff button, answer a few questions, join the fan club. We have thousands of members all over the world, and every show we like to give away stuff from our sponsors, and every December we give away a five thousand dollar technology shopping spree to one lucky member of the dot net rocks fan club, but you gotta sign up to win them. By the way, if you wanna support dot net rocks and the fan club, go to patreon dot dot net rocks dot com and make a pledge. We also like to ask our guests, John: if you had five thousand dollars to spend on technology today, what would you buy? Not a quantum computer. I'd like to know. That's a good question. Because back in the day, when I was a little kid growing up in India, there was a lot less light pollution. Spent a favorite time looking up at the stars. Haven't done that in a long time. Would love to get a good telescope and a decent camera and try and five grand. Get you a nice auto tracker, so you literally plug in what you want to look at, and it'll go to the right location and track for you as the planet rotates. Like, shiny. So that's probably what I would do.
My own little observatory going. That's a great idea. I took my first photo of while I thought this week the Southern Cross, right? Because we're down here. When you see the Southern Cross for the first time. Yup. You understand now why you came this way. That's a lyric sills in that I took my first star picture. Okay. With a DSLR fasting with ADD and it was great. So I don't know, the telescopes they have now you can connect to a DSLR camera, so not only take pictures, but they can actually have some detail. Yeah, really good stuff. I'd love to jump back into this, because I now have a picture of what John thinks is an intractable problem. Once you're using all the atoms on the planet, many times over, that's what we call hard if had. So knowing the quantum computing models, this is the kind of problem they'd take on. It's actually a very, very small problem. Understanding an enzymatic behavior in a plant is beyond our current computational abilities, that these machines could take that on? Well, it's actually interesting, because if you think, this is actually Feynman's idea. Feynman basically came up with the profound insight that said, hey, the math about this, the mathematics, is hard, right? But nobody told the bean plant this, right? And it's solving the problem without, you know. There's a solution. The solution? Yeah. All you have to do is figure out how to get that to do the computation for you. Right. And in some sense, that's exactly what quantum computing is. You take the quantum mechanical natural phenomenon that's present and happening already, and you leverage that by making your problem expressed in terms of the quantum mechanical behavior, and you get nature to solve it for you. But my boss told me that I didn't know beans. He was actually, we correct. I don't feel so bad. I want to get back to the idea of the currency problem, because it seems to me that when you have technology that can undo a system, you also have a technology that can redo that system with more robust results.
So before we get to the point where encryption fails, maybe we could get to the point where we could encrypt with quantum computing and create a stronger thing so that a quantum algorithm couldn't untangle it. We have. That's exactly what we have, and you're absolutely right. In fact, I'll go stronger than that and say that the encryption doesn't need to, the encryption that will be resistant to quantum attack can be done classically. Right. Okay. Sort of thing, because we've been exploring the quantum problem, we suddenly see that vulnerability in classical computing and strategies that resist all did. We already have. The lions dismissed in one of these days. I'm gonna go to Europe, going to try to use my American credit card, and it will say, oh, sorry, you don't have the quantum chip. Nice. We really haven't talked a whole lot about Q#. Wondering if you know game we had. Now we have this opportunity to start writing these expressions, even if we can't necessarily compute them. Could we get to a place where we can code a model around trying to understand these nitrogen fixation strategies? And yeah, we're not able to run it, or you can run it, but it's never gonna finish until we have the machine that can actually do it. Oh, indeed. So, because we're really talking about modeling computation, what is quantum computing like? It's actually very much like programming against a GPU. Sure. GPU kind of thing, as in it knows how to do certain types of operations much better than the classical computer can. So you ship the quantum piece of the deep off the new in the case of quantum mechanical system. Zip, the quantum computing on computer, right? Right. And so now comes the interesting bit. Now, if people have done CUDA, I realized that the host language is in whatever it is you write.
The graphics piece is in the same language, and you distribute across, and somehow there's some link that happens, and the bit that's supposed to run on the GPU runs on the GPU and the bit that runs locally runs locally, and you may have done this faster. For the listener, CUDA was programming specifically for GPUs. It's been around for a number of years, but it was good at these tensor array type problems, because you've got the GPUs as really small scalar processors, lots and lots of them, and you know, the same way that you wanna create a shadow on an object in three-D space. It's great for math problems. Same kind of problem, with many values applied simultaneously across a large number of numbers. More so than that. When you have an adjunct co-processor like the quantum computer, it turns out that that computer can't actually live on your card inside your own box, because one of the quantum properties that you need to sort of exploit is the fact that if you want to hold onto the state inside the qubit, you have to isolate it as much as possible from the environment. And so you typically do that by chilling everything down. Right. And so your typical quantum machine, at least the approaches that we've taken so far, tend to work in the neighborhood of fifteen millikelvin. So it's living in a bath of liquid helium. Well, no, liquid helium is far too long. Think really miss four kelvin. This, we are talking about fifteen millikelvin, which is about fifteen thousandths of a degree above absolute zero. Awfully chilly, right? So in fact, the engineering title that'll get your tongue on it. No, the engineering challenge of sticking a wire with one end in four kelvin and the other one in fifteen millikelvin is actually significant. Yeah. So anyway, the long and short is the quantum machine is likely to live in such an exotic programming environment, or such an exotic environment, that you're unlikely to keep one in your basement. It's like a product you'll take from the public cloud. Indeed. Trying to imagine the syntax of Q#,
and I'm having a real hard time. So does it look like a traditional programming language in the sense that you're using numbers and values? And that's an interesting question. Just hold for a moment, because I didn't come back and tell you why you need a language in the first place ragged, right? So then, people who've actually built qubits, companies that have qubits that allow you to actually interact with them over the cloud. This is already a thing, right? Right. So there's IBM and get, you know, of these places where you can go and sign up for an account and schedule a job that says, when my turn comes around on this thing on the five, Cuban city garden is on. This is actually a thing you can do today. Okay. But the way they do this is by writing the program in Python and calling a library function, which then gets an implementation for doing something on the device. Okay, right, there is a function you call from Python that will run on the quantum computer, and do some kind of inspection inside of that function. Well, no. I mean, the function is literally the thing that you want to do. So you'll end up retaliating against a simulator, running it on the hardware, whatever it is. Having just a plain old library plus host language is a very naive way of doing it. It turns out that we at Microsoft are quite good at building languages. No done it for few title. Couple of peers here and there, and one of the things we noticed was, look, in order to make it so that the program that you write that's supposed to run on the quantum computer is something that we can reason about, optimize and actually prove correct. So being able to have a strong type system, having a sensible way of actually composing pieces together from libraries that somebody's written with code that you want. Right. And so on and so forth, being able to share this information out so that we have, you know, distributable algorithms and things, right? It's useful to actually model that as a programming problem in its own right.
And when you do that, it turns out that it's far simpler to model a domain-specific language that expresses the quantum-ness in a quantum context. Okay. And run it in the context of a host program. Just like a CUDA program would be: you have a host program and then you say, oh, and this piece is the quantum bit. You know, in the old world, when I did CUDA programming, you'd start that with the comment that says, this is the hard bit. Done the stuff in CUDA, right? What you're doing here is saying, this stuff is in quantum, so I'm not even gonna try and run this classically, right? This piece is going to be a different language with its own type system, its own mechanism of function composition, all of this other stuff, and a compiler that runs that can now optimize it against the actual device that I'm going to run on, because I don't know what instructions are going to be primitive going forward. And so the levels of abstraction basically give us specifically the answer to the question that you asked earlier: can we do this without a quantum machine? The answer to this is emphatically yes, you can. And in fact, not only can we do this, but we can do it in such a way that when a quantum machine becomes available that is different from another quantum machine that's already there, you won't even know the difference. Abstraction for us. So is this very much following the model of, Q# is an abstracted language, it's on top of a kind of IL, then goes through a runtime that will be specific to a given machine? Yes. And specifically that will be an exotic computing environment, read: it is non-von Neumann in nature. So even the instructions that we put as an abstraction over the quantum device are going to have to be something quite significantly different from anything that we've seen so far. But we've done this once, and we have a few ideas to do much time for research. I've done you think about how many times they've implemented.
IL to compilers, when you think about thirty versus sixty-four bit, instead of Intel-style architectures, but also the ARM implementation, the item implementation, right. They did this many times, and some that we never saw publicly, processors that were being played with, and Microsoft did development to make sure that dot delve is able to corral against them. They never shipped it. And this is another example of. Indeed. And someday we'll be able to run Windows ninety-five as an Electron app on the quantum computer. Who would do that? Maybe, maybe. 'Cause I really wanna play Minesweeper, but I remember nineteen ninety-five was pretty slow. Click that thing, and then it would think for a millisecond, would explode. Yeah. So that's kind of the approach, and having the language allows us to now distribute a library written in the language that is completely agnostic award, kind of wave in as far as we know now. I mean, the hardware could get really weird hardware. Counting on it? Yeah, but the algorithms that you are going to use, we know how to add registers together from a quantum perspective; that's not going to change. What will change is what are the primitives that this new hardware gives us, and how do we leverage that without you having to rewrite everything. Right? And that will actually come clean the moment we start moving. If you describe, now getting back to the language and the syntax, if you describe it, will anybody have any idea what you're talking about? I'm certainly. Okay. So strangely enough, I mean, this is one of the languages that has been influenced by many of the languages out there in the world today. So we borrow ideas from F#, ideas from C#. We borrowed syntax from Shaab, we borrowed, oh, a couple of interesting ideas from Python. We've created a new concept from a type-theoretical perspective just from experimentation. So we have the ability to.
Actually draw on language design and candidate the type theory and all of the foundations from other language design spaces. And that's kind of how we came up with Q#. So if you look at Q#, it looks suspiciously familiar. It's stateless, because if you think about it, it is precisely because you can't represent the state classically. Yeah, that you need to have in the first place. What types locally, so types are tuple-based. Okay. And we have types that basically have arbitrary-arity tuples. Okay. And a function is always a single tuple to a single tuple. Okay. But the arity can change. We have partial application on the types, on functions, that allows us to provide more than one before argument. So it's non-currying based. If you want to think of it from a functional perspective, when you curry or you partially apply, you can only do one argument, right? You can have it where you provide the first, seven, eighteen and all following arguments and leave holes for the rest of it, and it'll return you a function that takes only those and plugs it in. So it's a non-curry-based partial application approach, right? Generics is supported. So we have a generic system that allows us to countless. We have, as part of the quantum context, the need to be able to apply functions on what would have normally been simply does in the category-theoretical sense, and we actually generally funk this for certain types of as big operations. So for example, when you want to calculate the adjoint of a sequence of operations, which is a mathematical thing, you don't have to write that out where you would have done if you just used library calls, and given you would have to manage what the followed operation was and what the operation was. We can deduce the list from the forward, because we have a compiler. We can generate that for you. So from a category-theoretical sense, there's a lot of additional work that's been put in to make it robust, sound, reasonable, so that when we look at a piece of code, we.
Can reason over it. The whole-program analysis, and say, when I call this function in the context of another function, it generates this sequence, and I can reduce that sequence down mathematically, which is something I could not have done if I just knew this piece, because this might have been written by somebody in the library that I don't have the source code for, and they don't know what context I'm gonna call this library function in. So how do you actually optimize the two pieces together without knowing. Separated by time and space. Really? Right. Somebody will componentization strategies in the first place, where encapsulation was supposed to create, as isolated, or all of the interfaces matter. Just not going to work the same way, and nice not because here you actually care about the optimization of the sequence, right? So this thing is out in alternate sequence. This is the putting the two of them together. And now in a special case, these two sequences actually can become mind in somebody away. You won't have any clue of how to do that unless you can run an optimizing compiler on the compiled version of the thing. Yeah. And that is actually what is up is accident at his uniquely quantum problem in that's really cool. Having a hard time understanding. You say it's a stateless language, so aren't variables state? So if you have types, you have variables, isn't that a state? We know. So the quantum state of the thing is actually an opaque type, because you don't know anything about the state of the system. If you did, if you were able to represent the state of the quantum system, you wouldn't need the coin of those mates. You can write variables, but if you read them, they change. Well, debugging certainly doesn't work the way that you expect. Eight point that quantum state we get to decide exactly what happens. So obvious is actually quite an issue. I mean, we can observe in a simulated environment and say, okay, look at the state vector, stuff like that. Yeah.
But in the real classical quantum computing inclines away, you can't possibly do debugging the way print debugging mobile gaming. Right. So you not nothing would what could be expected to work, right. When you say variables, we don't actually have variables. We have bindings that are constant, immutable, and really what you're passing in are arguments that you can then curry away. So the arguments are what you start with. You just put them in, then there's no reading them. They just, the things happen. The things happen. So if what you're saying is, if I want to start with the qubit in the zero state, but just what happens when you allocate a qubit, even at the silicon level or whatever it is, it'll tell you, okay, I'm now giving you a qubit. All you know about the qubit from the program is, my ID is twelve. Right? Right. You don't know anything about what state qubit ID twelve is in, because if you did, you wouldn't need the qubit, right? Right. And so what you do is you then say, hey qubit twelve, please rotate this way and that way, or this sequence of operations on that, and you can define which sequence of operations, by using some variables that make sense, or you can iterate over things in order to generate the sequence of operations that runs on the thing, but you're always talking about what you're going to do to the qubit rather than what the value of the qubit was after you did something to it. So the state of the qubit is always Pinkus consensus. This language. So let's say we have a quantum computer and we have Q#. Am I able to basically send a stream of information anywhere in the universe by quantum entanglement? Entanglement doesn't work like that. Entanglement is, strictly speaking, a mathematical operation that takes more than one qubit and makes them non-independent of each other. So it correlates them somehow. Right, right. Now, what you can do with the correlated qubits is actually kind of interesting and kind of spooky, right? They said. Right?
But it doesn't beat any known physical laws yet we can so far having broken speed of communication, for example. And I think there's a proof that you can't. So if anyone comes does that you can, I think that you would new science to do that by definition we say you experiment is wrong? Yes, right at that. We or the universe is wrong. That is him being as quantum algorithms. Another misconception it's quite common is that we run in complete problems differently. I think the accepted reasoning of this point is if you have an algorithm that seems to prove peak was MP for example, then it's almost certainly that you have problem the right. That's not to say that we're blind enough to say that will never be able to know whether NPR not because that's still an open question right. But I don't think while there are several really disruptive and really profoundly different non intuitive things that quantum mechanics gives us. I don't think fundamental laws actually on the threat yet. We don't actually know. Right. So anything out of the question. No, I don't think so. Sorry, you're gonna go that any sense when we're going to start having these machines to work again. Oh, beautiful. We have some. We have the noisy Cubans that out there already. In fact, they're out in such numbers that people have started new brands, computing called Nick, noisy, intimate scale, quantum computing. You have, you know, hundreds of Cubans that don't last long. Can you do something useful to them? Right. And that's a lot of error correction involved, their discarding incorrect values. Maybe we, maybe we say that the only things that you can actually do are just wanted to rations. But combined with the large number of cubits, we can do something that we couldn't do. Classically the people thinking about that Microsoft is not actually thinking about in and ask you woman. We're still trying to get off. I even. 
And that sounds like we're behind the eight volleyball and it's perfectly reasonable to feel. Separate, but the physics behind the kind of the big wing falls actually has higher promise than the other approaches. So ideally speaking, when top logical cubit comes forth when it does, it should actually have characteristics that make it immune to certain types of interference and seven types of deco heads. So the first give the rebuild or the first real cute. Topless rebuild will actually have lifespans that our is magnitude larger than the existing ones and become much more competition than become much more competition element. So the idea is that someday possibly in my lifetime will put a thousand million of them. One of one is one way for Chile thing to fifteen and do something interesting reading, right? But more pragmatically, the stated goal is had we should get the I could give it by the end of the year. We're still on track. We haven't announced anything to country yet, right? That said, you know, their shows. Coming out after night. Who knows you guys might be saying there. Igniting night is interesting. Actually, I'm not speaking. I think it was going to. I'm going to go to labs in Copenhagen next week voiced ignite. He's going on to actually meet with some of the physicists because my next piece of work that I'm working on is actually a piece of software based off to that should make their lives a little easier that in order to in order to get to keep it going. So that's kind of where we're all gunning for the first Cuban in video, very tangible, very straightforward, like this is literally what I do residual citing. Yeah, very excited while we're still running here. Is anybody have any questions. Smarter dumber. Yeah, I know how I feel. I feel. So one of the running jokes that I created accusa accidentally, you see, I'm a function program. I was very active in their shop community. 
I happen to be two hundred yards away from the mic, visit steam in another building, working on batch when the tweet it about F# just repeated. I saying that there's an extra job then looked at it and said they want something to do with language is language and code generation. I've done some of this stuff. Maybe I'll go have lunch with the guy, and so I went and land up getting the job. Do this, then landed a building the language. And when I was done with building the language, I can honestly assure you that I was one of possibly the only person on the planet that had actually built a language designed. The compiler design, the syntax built the compiler diverted and was not qualified to write a program in the land. Yep, I get that. That's probably a I. I had to have somebody coming into the foot discus to see if the line is actually doing that. I think so. I'm definitely let's say virtually everybody else on the team has at least one row. So it's a great story. Everybody else. Got a question. Yeah. Is it gonna take Christian, the being problem. That's a brilliant question. You will need about five thousand qubits to write down the problem for RSA two thousand forty eight. Okay to to do the cracking of encryption, right? Those thousand forty eight bit encryption. If you want to connect, you need five thousand qubits, just to write the problem. You need roughly two hundred qubits to solve nitrogenase. That's the point. It point you made earlier in the show was exactly that. Yeah, this is actually a simpler problem but profoundly important. Exactly. And so we don't understand. But if we could, we would get carbon capture. Right. Few hundreds of qubits all these problems, five thousand qubits plus to break encryption. We already have a solution. We have post. So as much as it's great fodder in the press irrelevant, it is actually not a big deal. Right. And long before you get to that point, you will actually see the positive impact. Yes. Oh, something very profound.
Because if you think about this changes, everything, right. The changes, the cost of food is tied to how much energy you can actually spend on your laser. Yeah, if you've removed that, how does it change the world? Yeah, I can only say profoundly because I can't even imagine what that would look on. As a sub Saharan Africa, all of a sudden you don't need to put in four percent of energy output, degenerate fertilizer, you can actually feed people without any of that. Animals. Round, right? Yeah. You you, you see what I'm saying? So you can't even think about profound in fact of what this is and you need autism magnitude fewer cubes to get that kind of impact. Yeah. Yeah, that's fair. Yes. His thing for us. So. Are there any quantum computer solutions for using quantum computers to make one of computers? Right? Floral. Office. India the words, once we get quantum computing is going to be indeed crosses one of the one of the key pieces that we need to worry about. Then you want to build quantum machines understanding superconductivity, right? And superconductors only exist below the key point of of any giddy, right? So you'd have to typically till things down before they become superconductors. If we understood material science and we somehow able to understand how to get rooms emphasis if we're gonna high temperatures and up this and we were able to solve that problem that might actually have a profound impact on many, many things not just on being able to run quantum computers better, but even politician, power transmission. Enormous amount of energy is lost just by the ice quit losses, sending things on Luna, McCullough, whatever it is. And now if you have a mechanism that could be superconductor and cheap superconductor that you somehow created because you understood the corner mechanics of it. Now, a lot of computational opportunities in that space in that space of elektron behavior, any. My personal conviction is that and this is shared by several people. 
So it's formed after having some people are way more than I do stuff and the strong commission that the first and most important and most visible problems that we will solve. Using quantum mechanical phenomena to simulate natural phenomena somewhere, somewhat, and try to get a bit on sending of that first before we sold out of problems, factoring numbers. And I think that's kind of that goes to the point the jonoski normally Bill, is there scope for that kind of improvement, but it's likely that we will talk probably we didn't know we have because of this picture. John. Thank you very much. It's beginning to soak in. I think for a lot of our listeners, probably the same. Thanks for being with you. Thank you. Survey that. And we'll see you next time on dot net Ross. Dot net rocks is brought to you by Franklin's net and produced by plop studios a full service audio video post production facility located physically in new London, Connecticut. And of course in the cloud online at p. w. o. p. dot com. Visit our website at DOT NET aro c. k. s. dot com for RSS feeds, downloads, mobile apps, comments and access to the full archives. Going back to show number one reported in September, two thousand two and make sure you check out our sponsors. They keep us in business. Now go write some code CNN time. And.

Event Sourcing with Jeremy Miller

.NET Rocks!

56:35 min | Last month


"Welcome back to dot net rocks this carl franklin and this is richard campbell very very much looking forward to being in orlando next month. Yeah does month. Yeah this show comes out while we're in orlando so maybe does our this is coming out on kelly's birthday. Oh my goodness okay. that's lazy happy birthday. Yeah you know what i'm doing right now. What's that probably drinking in a bar. Dun dun dun. That's very likely very likely pretty probable pretty exciting to be in person. Oh my god yeah. I can't wait and of course you know we're recording this in May. i just got my COVID shot the second one and Yeah good things are good. What can i say. we'll report back after. We have something to report about from intersection. But for now let's get things started with Better Know a Framework didn't last week on polish. Oh my Better Know a Framework was Coyote. Hey which keeps you from shooting yourself in the foot when you're doing kind of asynchronous programming well easier now because you've got async and await. Which just completely revolutionized the the a availability of asynchronous programming when it came out in C# but You know sometimes you need to lock stuff and there's still the lock word in C# and sometimes it works for things and not other things and sometimes you get the dreaded requirement. Lock this in this particular type of making a call like an api call or something. We can't lock that right. Some some some situations you need to go one step further like maybe a semaphore well. The full Semaphore class uses windows kernel semaphores and so they can be not only local to your application but system-wide so there's a version of the semaphore called SemaphoreSlim in the in the dot net framework. And it's been there for you know before dot net core. But i hadn't used before. So it's a lightweight alternative to semaphore that is local only and it's also got a WaitAsync on it.
So essentially what happens is you initialize it with the current, the initial number of threads going to allow and optionally the maximum number of threads that you can allow so if you just basically initialized it with one comma one you're allowing one thread and that's it and so what you do is you just create that and then when you want to implement it you do your SemaphoreSlim object dot Wait or WaitAsync now with the await and then all the code that goes under that is locked basically until you do a SemaphoreSlim object dot Release so it's really easy. It's really easy to use. And it works in more places than just the lock which requires a separate object to lock right. And i found it really useful when doing the Remember i told you about making an api back end that writes to a data manager that writes to azure blob like JSON files in a blob storage container very fast. You know the criteria for that if you're gonna do it not a lot of data because you got to write the whole thing got. I told JSON file so make sense to split it up as you have different tables like that kind of thing but you have to write the whole thing every time you want to save and you also have to allow for multiple people to use it so this turned out to be a really good thing to use on the service side when we're saving data or accessing data so that's it SemaphoreSlim. No learning love it. It's i'm just surprised that i had never seen it before. And framer about part of the framework. Work right yeah very cool and it works like charm so levin who's talking to us richard grabbing common talk show fifteen fifty four about anti fragility Software parachute repair rile and You know roughly approximate stuff. We're talking about today. Lots of great comments on this show but there was a derivative comment about a talking point in that show. We were talking about the undersea data center that microsoft hills. Your should that time was still underwater. Today's on surface.
And i've been trying to get a show with team to talk about. What did you find after being underwater. For three years what's happened. Yeah the only piece of data that come out so far is that the failure rate of the equipment was substantially lower on the surface or in in the water while it was submerged was actually a running data center. Small a little cylinder relatively speaking. It's got certain racks in it because the environment is so fixed right. We don't point with this. Other data centers the cooling related said the water doing the cooling You get to put it close to cities where you're low latency really matters in landis efforts free it's at the bottom of the sea near the city or wherever you i do it so there. There's reasons why they develop a good idea. Yeah it's interesting. And this was the biggest task one out in the arguing islands and yeah the the reliability really relied. Their argument was because people. Don't mess with it when it's under water you can't get it's you leave stuff. Alone is reliable. but mark. hodgkin's comment is a few years ago says that underwater day center narc must be close to a flow at. Yes yes it is must be closed. Location of the remains of german high seas fleet. So that was world war two with war. Ones Lind where a lot of german ships lost their their down there That data centre might make some interesting additional scuba diving. And i've heard that low background steel salvaged from a breeder nuclear testing shifts including these world. War battleships In any said citation needed unlike is some citation. Because they really do do that. 
that since nuclear testings happened you have a sort of background level of radio-activity most ores and so if you're in an environment light spacecraft he referenced voyager one where you want to be sure that the radiation you're measuring is in the environment not materials we using you actually have to go and steal that was protected from that testing and steel in the bottom of the ocean is one of the ways to do it. It's why did they bring it to the surface. The why did they bring the undersea data. Senator surface half. They were finished testing and they wanted to evaluate the these are all despair. Oh virtual product our okay accents will be. Someday it's getting ice. I wonder if they're they're now like this was such a good field test that i suspect they're they're they're gonna they're gonna put out a bunch of realize with cloud servers essentially they turned over every three four or five years anyway. Yeah so the whole point is the cylinder down the wired up and so forth run it four five years take it up and you have refurbished rather than building a bespoke buildings and things like just dropping heavy cylinders. Just come and go from the local waterways around us a pretty good way to solve the problem. Data delayed had lobster pots around him. Yeah what it always nagged on. And of course. The ocean is unstoppable as lots of lots of gunk on that that data center deserves. Somare thank you so much for your comedy to copy these biko by is on. Its way to you if you let copies to go by right. A comment on the website dot iraq's dot com or on the facebook if you publish every show there and if you comment there and i read show i'll send you a copy music and and definitely follow us on twitter. He's at rich campbell at carl. Franklin send us a tweet. There's a semaphore slim chance we might even respond and nettie kind of like pepperoni states slim. Jim got close. Yeah there's nothing slim about my semaphore okay. 
Well anyway hats where we ended up monday morning when afternoon. Let's bring back to the show. Jeremy miller he is the senior director of architecture for media analytics. That's emmy analytics. Jeremy began his software career writing shadow IT applications to automate his tedious engineering documentation then wandered into software development. Because it looked like more fun. Jeremy has been heavily. Involved in open source .NET development is the author of StructureMap, Storyteller and is the lead developer of Marten. And jeremy occasionally manages to write about various software topics at jeremydmiller.com. Welcome back jeremy. Hey guys with me today. Thanks for being here back yet. Yeah how is Marten doing. we are very close to a gigantic V4 release Kind of gone over turnover. Almost everything Made a ton of improvements. But we're closing in on duke nukem forever territory. So we're going to record this. So i have a hard deadline to get V4 out. Goes right you're gonna kick ass jew bubblegum. You're all at a gun. But you know that's why you look for in a version rat like forgoing diversion for. Is you rethink the problem. Space from all the experience you've had and literally come up with a new strategy that writes in version of the product. Well so the good and the bad of actually having a significant amount of users they find problems they find problems or even more than that you learn a lot about how how the system wants to be used. What are your real use. What are the problems. And then a of it is just trying to stretch Marten so we can go into bigger and bigger systems to to scale up as much as possible so that more folks can use. It does speak like fundamental architecture. Changes you end up doing That's that's not a dot one change Okay we need to rethink this aisle and that's absolutely true and then also with us trying to play with semantic versioning rules. When you're doing a full point release it's okay.
This is our chance to correct usability problems with the api. This is you know this is our one chance to sneak in break potentially breaking changes. Why because people are expecting it. Hey by moving. From three to four things could break like an you could mark got out. It's like if you do things this way martin you. You're gonna have some issues in the new church. Emily still try to minimize it but there are. Some problems need to be addressed. The word is minima not trying to torment. People making the product better and sometimes that runs into edge cases that are problematic by the crow crow. Facts suffered element is backwards. Compatibility impedes process our progress It is hard to maintain perfect backwards compatibility and continue to improve your toilet on some. Something's gonna get any change for keeping customers right. I mean that's the trade that susie do a set of breaking changes where people have to rethink. Anyway they can rethink from your product furniture furniture so we wanna talk about events sourcing today and i remember my first events sourcing project. It was funnily enough. The accounting section of a bigger project where the requirement was. There can never be a single source of truth. There has to be only modifications to the numbers. We can't just look at one value in one table and say oh that's the number will because we don't know how we got there and so i remember specifically that moment when i was like. Oh yeah that does make sense. Makes it a little harder for the developer. But not really i so. I didn't know i finally take harder. But it's very different than the traditional architecture. You know the traditional idea. Or what. I grew up with you more or less design the database i and it was. It was a relational database. Pretty always going to be a relational database. And that was your single source of in. You may not realize how many times you are mapping data incoming data to your database. How many times. 
You're mapping your domain model. How many times. You're mapping away from your database to whatever it is. Your UI needs when way maybe to soften up up event sourcing because it is so different. Is you do about same kind of the same amount of work. it's just. You're doing things at a different time. Yeah well is so naturally asynchronous so not necessarily taking taking Marten. Traditional yes so traditionally for maybe listeners. At are having done a lot of this. You're capturing all changes in state explicitly as some kind of event you know we're talking about an ordering system. It's order received I worked on a previous company. We worked on a call center application kind of a call center telehealth so we had things like call started call ended call dropped. His things went wrong. So we purposely modeled any cat anything. That was really a change in state. You model it as as an explicit event and you really ended up just Serializing JSON and stuff in the database traditionally with event sourcing That's nice. You have all these events but you still need to current state system at some point so you probably have some of asynchronous processes in the background. That is taking all these events and building up what the current state is seeking. Look at any time. The events are the true source of truth. But you have a kind of a reflected projected view. Are you a fan of not not a fan of putting the current state. In an event in other words you have all your events but let let's say it's a an accounting system to take my experience in accounting system. You know where you have to the total right. Is that total going to be recalculated. Every time you go to query it or is the total also going to be saved somewhere like in the last event. Gotcha so it depends You'll have that one now so an accounting system so Marten. No you know. Some people will do like a snapshot and event snapshot to reset reset while reset state that.
That's getting pretty advanced usage as i think traditionally probably just You'd probably just recording the changes in state. But why do you can do Marten. We got a little bit of flexibility. In what you can do so. These projected view of what is the current state of the account You can either do what we call an inline projection. So in the same transaction where you're you're capturing the event we can go ahead and update the projected view of that account right there in the same transaction so you're ACID, have a strong consistency model. You may instead safe. You got a case where. I'm working on a system similar to this day where you have Very few are you have a lot of reads and very few writes so in that case it made a lot of sense to do things in line just immediately update the read side model as you can so just completely built up Brennan places you may have lots of writes but very few reads so in that case. You probably don't want the extra overhead of constantly updating. Thanks so Marten. Has the idea of a live aggregation. Recod- say i think what you're describing. I want to see the current state account. And it'll just compile it from the raw events on the fly or you know. show me what. It was at five o'clock yesterday in third model. That's probably more more. Traditional event sourcing is the asynchronous model. This is your eventual consistency. Now you have some kind of background process. That's constantly trying to grab the latest events and update the projected views. You've got just a little bit of lag. Between capturing the updates to an account and the compile account being visible in the database. I think the whole world was taught eventual consistency by facebook ads. You'd put up your facebook post. Wouldn't appear right away so you're like oh i must advertising posted again and individual would show you to. You'll learn wait a minute. I have a sneaking suspicion. We haven't talked too much about eventual consistency on dot net rocks.
Maybe we ought to tell everybody what we're talking about. What we're talking about is kind of is kind of self explanatory but but really what it means. Is that at some point in the future. A synchronous -ly we will have a a a source of truth or a state of if you know the consistency of the the truth. The data as it was at a particular time. Like it isn't immediate isn't something you can synchronise quarter talk about the context of face facebook. Show that the everybody right. There was a lag between you putting up a post and z. Your feet yeah and yeah and automatically humans do the wrong thing right. They are all i suppose. Why don't i see. I say also pretty quickly facebook figured out. Hey if they posted again does it again right so made it a fall off on that. So the good and the bad for for developers trying to wrestle using consistency. Potentially it's a. It's a huge advantage for scale ability By in response system by taking a lot of the potentially expensive at dates of this you know more expensive retied model like say all these account changes account coming in if you can capture the raw events pretty fast So that you are a very responsive to external api users but then have a background process off to the side. That's not in line with your api calls it's just trying to catch up right and make the full updates so it's great it's potentially great for scale ability. The obvious downside. You talked about facebook. People submitting things twice I just got done helping helping a project that suffers from eventual consistency that this case are using elastic search for fuzzy searching and there's a process in their ui where they make an update to website and takes them to a new tab and they try to query on against the last search on the data that just barely got updated so it doesn't look like it's coming through and then they questioned that i really type it out. I forget to do this to which would you hit that. 
I mean that's something developers got it now when you can and cannot get away with eventual consistency reno. Or you just building your tax practice where you answer the phone with your breath refresh and don't answer on the first ring like answering the third reich because by that time it'll have actually been populated now. It's like okay good. Just make sure you don't have some kind of devops culture where the developers are actually responsible for production support before you do that. But i need to know the phone will get answered right away. The problem is as long as they wait for long enough. It'll rio it. The data will appear right. I mean it is various considered that particular issue in exchange for all of those strengths. That it with a big thing. I realized that database perspective is no updates only inserts rate all of those blocks that would normally her 'cause you're wrestling over at particular location their database but doesn't exist in these models their journaling. They just add new route. They are Which would get into. Maybe a little bit later. We'll talk about how we're going to make that scalable It is and where you are. Maybe updating updating the count information if you're doing that off to the side and they sing in a synchronous process you can do that That a secret process won't have anywhere near the kind of contention that your normal intake will right while it more and you're not making the customer wage right. I mean you're essentially setting the customer on his way having collected the data and all of that synchronisation is happening while the customers removed up. Exactly yes yes. i think. it's just an interesting philosophy. All around this idea that we force the user to wait while we get to a state where we say. Okay like you got the data. Good enough sia. Let him go on at now. You do your thing on the back end. just yet. The journal entry into simple was saved the blob. It a right. They do the exert. 
That's the only thing you keep them around for. And the rest is up to you as aggressively acer originally meaning. Milliseconds later typical. Yes but then there's also just a little bit of challenges as a developer to make sure in is going to be consistent that you record those events the now you really do have to have something else that is guaranteed to process those or you know you got leaky pipe. You've just you're just losing data. And i guess therein lies the question which is in these patterns. What is the risk of loss. Data versus unprocessed data elegance. There but is not in the day well up so ask me in a year after martin before our new executive supports. been in place No it's it's a significant amount of challenge on the air handling for that that kind of a synchronous process you know if the users pushing a button and blows up just sit there and retry it or they can tell you something's wrong but if it's something goes wrong today. Synchronised process often side How are you gonna watch you know. Do you have young have really solid retry capabilities. You know can you. Discern what type of exception is you know network connectivity problems so i can just retry again and just a second or is this some kind of just drawing on my recent client work. Is this some catastrophic event because the downstream system is just totally offline. You know. In which case i need to slam a circuit breaker shut. I need to stop all processing what things build up in the so nothing gets lost. Yeah that's always it's a resiliency mindset is one of the reasons. I mentioned that anti fragile shows that we're not presuming. Everything works all the time but it would sings bray. They break gracefully. Like there were covetable. Data is not lost and is in you holy on on cable like a full stop. If there's a risk of yeah for for folks listening in the show. I'm nodding vigorously Here yes there is violence agreement. 
But i think it's an in the you talk about the the philosophical difference. Any part of their resiliency part that tolerate your software having a bad day. Connectivity being radic drives going down the stuff happens and dizzy software failed catastrophically or graceful Restore baggies he go. I'll at an absolutely so you know. Make sure i'm tooting our own horn We have built a lot of that resiliency or were attempting to into our a synchronised processing martin and it does also have configuring air handling so you can teach about what exceptions mean so if it's specific exceptions to your application you can do things like say. No i need you to stop the line or this is going to be what we call poisoned pill event. There's something that's so messed up about this. That it can never be processed so skip it and go on or do a circuit breaker. Just totally stopped the line. Right invent language. We we have a bad letters file right like there's a. There's a a a message that has reached the q the deal. Kennedy's that adds a you you. You don't throw it out. would you. Don't let it chew up cycles on servers. Like i don't know what to do about this. I'm gonna put it in the bad letter. Q you deal with it later. I didn't continue on. Yes yeah and set have a separate process that choose through the dl queue or the bad letter. Q whatever you call it and you know. Looks to resolve those things some challenges. I hit in the last several years in client. Work is dealing with resiliency. In a way where you can keep things from landing in the dead letter queue to select the sooner or later some kind of if a support person has your phone number or email address. Sooner or later they're gonna make your life miserable and drag you into that ensured out. The the deadlight accused a work around. Like you don't want the normally ends up there but it's better than shooting everything else up and it typically the now you can have another asynchronous processes going through the deadline. 
Human going is this worth retry right now. Is it recover like you could put automation or or some geologists to you know. This looks like it's a bad email address or whatever maybe we could bring it up to the user and say is this accurate information that or possibly just a little bit tilling. Make sure your support folks who devops whoever that they have a really fast way to retry this. Throw it away but at at least have mentioned mutation alerting to date so they know when these things are landing in and dead letter queues. Yeah so here's an interesting real world world problem. That even dead letter queues. Probably can't solve. Which is that My mother you know talk about gramma. Franklin every once in a while and her computer woes she needed a new washing machine or something so she called someplace because she thinks that you know going online to do stuff is she wants to talk to somebody so she gave them her email address and instead of an f. they send it to an you know an email address asks because obviously those two are very familiar signing me. Being the domain admin. I get all the emails from people to the wrong email address. And i'm forwarding them to her but if i wasn't doing that they would have just gone into the void and know she would have completely missed these things that she had to do. So sometimes it might just be that. Hey you know. We haven't had a response from this person. Which has nothing to do with. What's in the dead letter queue except that we sent this email for example and didn't never got a response back and now it's time for the appointment and there's no response. What do you do about that. That requires some sort of human interaction. And this is a usability thing but for any kind of a synchronous communication where you're setting up appointments for real people you happen. This is something also stepped on a recent project. You have to close the loop. There always has to be some kind of acknowledgement back to them of. 
We received your message right. You don't leave them hanging Wondering what what goes what's going to happen next. Yeah right although email because of spammers bouncing back with that that's not a valid email address also has negative consequences as a way to identify email addresses. They ended up walkies. There's visited a black hole policy for a lotta stuff to set. You know we're fighting two different issues here. I don't know our regular messages. aren't necessarily in the same boat as email Ajami i need interrupt for one. Very important message. Hey carl here you know. There's something new from our friends tax control. Txz texts control supports the integration of legally binding electronic documents signatures into your espn core web applications simply use microsoft word documents. Prepare them using the texts control online editor and requests signatures from signers. It works just like well known. E signed services but runs on premises in your infrastructure without sending in storing documents somewhere else to showcase typical workflows and the texts control electronic signature technology. They published a fully functional demo. That can be used to create and request signatures signed documents and to validate executed. Pdf files see the at e sign dot text control dot com that's n. dot text control dot com. Are you under increasing pressure to ship code faster than ever before. Then it's time to work smarter with ray guns. Modern approach to error in performance monitoring. Raygun gives you instant visibility into the health of your software. And what makes it so unique. Is that it not only tells you when something's gone wrong it shows you exactly where it's gone wrong and how to fix it right down to the line of code made by developers developers. 
Reagan is built a suite of monitoring tools that are used in loved by of software teams every day monitor every corner of your tech stack with widespread language support in native integrations with git hub. Jira slack bit bucket octopus deploy and more for even greater visibility. Visit reagan dot com to resolve issues faster and to deliver flawless digital experiences for your users. That's reagan dot com to get started on your free fourteen day trial with plan starting from his little as four dollars per month. And we're back on iraq. I'm richard cantu. Let's frankly oh. Hey we're talking to jeremy miller Sourcing and i got sort of address the fundamentals with the hard bit here. Well it's thinking about things differently I think we talked about eventual consistency. i would say it's exactly that unless you have great tooling like i hope people will consider martin to be in. It's how do we manage that a synchronous process if we have to have that that can ingest all these quickly incoming events and make sure that they are getting built into the read side. And then you know doing a reliably but also main shirts fast enough that it can keep up with the traffic so why not just use a message fever. This why aid storing events in martin. Well so you need a permanent store for the events. So part of the thing is the ability at any time to go back and see. Why did why did it become the way it was. They think the chronology of what happened. Would you go so martin's as synchronous process exodus projections for right now. happens to do it by polling against the the post crest database sunday so but some of the other techniques for doing this or just like to immediately kick it out into cues and have used that to feed whatever your projection engine is sonali. Got a couple couple of new challenges. So we talked about the consistency. 
You never lose information so on the inside when data's coming in say this is a typical CQRS architecture so somebody issues a command that into your system and out of that command. Maybe you make some updates to some other database tables you maybe you register records events and then you also want to kick the kick those events publish them out to a queue and all of those things have to succeed or fail together needs to be a logical transaction right so the old days We might have tried to use something like hero. richard. I want to see your face. Say this you might have used something like MTS to do a two-phase commit he. Yeah let the record memories right. Nobody wants to do that. Microsoft transaction coordinator because sometimes your transactions are not coordinated. Yeah for the young folks. It's just an automatic way to create memory leaks in your application. Yeah exactly it was enough pain today. Me give you a two for more pain. It was early. Chrome magnetic windows. Nt technology will leave it at that. You wonder why all the guys are so grumpy. This is one of the other one g calm but let's not talk about then. MTS used COM of course is stacking unstable technology would otherwise digs. Technology is a path to success so. CQRS is basically separate your system that handles reads from that which handles writes yes. Pretty much yes but back to our consistency issue where i was driving at so one of your challenges on the on the incoming side is. We don't want to do two-phase commits I don't even know how you go about doing that anymore. To be honest new. It's not a thing anymore real now so you're going to use a design pattern called the outbox pattern Into over by that you're going to. You're going to persist the messages. That are you're about to publish in this case.
Just the events you're gonna you're gonna record those process those to the same transactional database that you're recording the events or your database anyway so once one native beat of database transaction with. What's that succeeds then a background process is gonna kick that out and to make sure that all these messages that are persisted as outgoing messages in the database are picked up from the database and pushed successfully pushed out outgoing queue. So right there. Unfortunately the world. There's gonna be a lot of tooling already has this Just plug another open source project of mine called Jasper. I have an outbox based around Marten. Anita rabbit impure as service bus. But if you pick up a tool if you're doing your asynchronous messaging with NServiceBus or MassTransit or the well. The commonly used messaging frameworks in .NET. They're gonna have a strong implementation of the outbox pattern It's not something you necessarily want to run around and try to build yourself. You can pick off off the shelf secure. Why bother yeah. So that's one challenge on the receiving side of things you know through the queue. Things inevitably go wrong. You're gonna accidentally republish the same event a few times over Receiver side you're going to need to be careful about disregarding duplicate events right and then there's a sequencing a potential sequencing problem of hey i got you know i. I got event number five in the stream but one through four. So am i gonna try to wait. And and do the messaging sequencing your. How's that going to work. So that's another issue where you probably want to use off the shelf technology wherever awful. If you're using the Azure stuff you know for for a messaging message queue and Event Grid.
there's more of them Some of those have built in you know insurance of Accurate sequencing and some don't so you don't have you do have to be sure about what you're what you're using and make sure that You know make sure you know what you're using. The power works and just like the old gi joe cartoons. You know the first first thing to know is just know that these potential issues you know knowing is half the battle i think. Part of this is diagnosing. Problems is hard like you need a different set of tools. Different approach to debugging peek into queues the chronology bill. Organiz information What happened test. I asked him think we forget. Because we a lot of tooling for free that we re working these patterns the tooling may or may not be there. He do you look at like i know are the for. Jasper is their goods rotation in jasper z. Hansie was on and so there is But it could be a lot better. So that's a good segue And i apologize if y'all have already covered this in previous episodes but so there's a newer standard called OpenTelemetry that is a new standard for distributed tracing between services and applications. Jasper doesn't yet support it at. That's pretty big weakness. But what. I think we've probably all wanna do is probably take pretty good investment in this OpenTelemetry idea and this is giving us a causation. Correlation tracking across a distributed application. From you know an incoming HTTP request being able to trace. How did this spawn messages. That went through used other services that might have ricocheted to second third services down line. Awesome this Respect being because it is a spec Lot of are off the shelf monitoring tools. The the things like Splunk or Logz.io the probably train that They have OpenTelemetry visualization.
Can see kind of a tree view in house effective this incoming message spawned this event that maybe at aired out over here but you can start in these complicated environments where you have systems throw messages to other systems you can start see some tracing and cause-effect of how things flowed in your support. People can use that as a way to figure out. Where did things go wrong. Yeah where are those messages would happen to the open. Calamity talks about being Cloud native software. Is that mean it has to be in the cloud or this more of an architectural statement. Your run it wherever you can run it wherever you want this trouble for oversimplifying but in a lot of ways. It's a logging stack. How do you receive in sin correlation information right and i respect the idea of cloud native being the cloud has this in architectural sort of demand for immutability in certain locations immutability in others. Like the. you know. It's an approach to architecture. That works well on prem to. Yes yes but anywhere where you have more than one process talking to each other as cigarettes. Hp you're you're gonna have those problems where you're going to have to trace problems around around the systems. It's not going to be isolated to one system so yeah the open telemetry with some kind of good viewer skinny. Give me a chance to be able to solve problems that that cross service boundaries is at for martin or is more jasper. Yes yes to both. So i thanks for bringing. That is a version five in the works. I love it well. There's a sample application. I need to build whether it's with jasper. Maybe it's with jimmy bogarde. I know a lot of work with open telemetry and in service boss whether it's in service. Mass transit are what So we did. Add a lot to martin for part of the forbes. 
Lotta people wanted this as a little bit of configura ble meta data now so that when you're either capturing events or even just doing updates to martin stock documents where you can start to capture correlation. Id's causation id's so they just it. Just updating a mark martin document as a result of a web service. Your core web service If they are you could capture. Whatever correlation identifier you using for the request. Id you could tell martin about that when you when you build the martin session just say this is for this request. Id or this correlation and that's now kind of extensible metadata that's gonna be part of the martin storage itself nice same with events so with the goal being. We need to push through a sample app. Before i can say. I can say with a straight face but so that martin is a full participant in your open telemetry tracing from web services writing martin two messages getting out to completely services you can see what is the impact of a given web requests. You can say you get to the point where we extend martin's link us for just a tiny bit but you can do a sequel now or you can say oh well. This is the impact. These events were captured. These documents were updated win this. Hp request was handled nice. Yeah there are. Libraries roman total imagery host grass. I just don't know how much martin's interaction with post grass would show telomere out crudely. This is just adding this is just adding extra columns for correlation. Id as asian it right and then just make sure we have easy ways. You can pipe that from incoming requests for like mass transit service. Bus message to data. That was persisted in martin. It's pretty crude but it doesn't. It doesn't take a lot to be seen to show up in that chain inside of calories it can trace from step to staff at any given transaction effectively. Your message being yes exactly. Yeah cool man. Are we missing things. We really think about on the event sources. 
I think there's a philosophical part of this just thinking that a cigarettes way does seem to me that message queues and martin kind of go hand in hand that one of the destinations for messages would be into a mark davis. Yeah and the left to more and more we go Some other options. We haven't built yet but we definitely want to doing event streaming from martindale kafka pulsar as Of something we all want to do it. Just didn't make the cut for before If you're going to be serious about event sourcing think about what kind of applications that don't set right. I wouldn't touch. I wouldn't use events horsing if you're building a credit application it's just unnecessary high volume web based stuff. There's that i think i would add that Applications with a lot of workflow right. This has to happen before this can happen before that. Yes applications where you may want some kind of temporal querying or running metrics right the options get us events or sync with not with martin but was a Tell health system so there's a lot of metrics there probably gonna do later about how pal fasted go from somebody registering for a online dr sousa to being nervous Yeah we don't know what metrics there we don't know exactly what metrics there they're gonna want in the future but because they had this this raw venturing they can recreate those metrics on the fly right or you start doing things. Like what did the world would like at five pm yesterday. Yeah right right. I mean it's an intrinsic aspect of this journal. Approach data that you can. You can literally say give me the total of two this date and essentially recreate the state of the database at any particular interval which is not true of any updating database. Where you writing over data that. Data's lost by being written up. Or you know you have logs. 
Good luck with that team So i don't have any direct experience with this but there is an add on for postgraduates called timescale db That will let you look at point time of the pus cross database. So we'll more. Bruce brute force approach events are seeing that that's also possibility. Yeah i mean. I do appreciate when you use this event source approach that is an intrinsic ability to take to ask for pointing is correct. Now another is some challenge. If you're going to try to. You're saying the sounds fun. And i want to go build my own. Events horsing toll completely from scratch and some things that martin needs. Get a little better at now. You get into things like do any record occasional snapshots do i try to rebuild the entire state or dry. Say you know once a day. Am i going to keep the snap. Snap snapshot in in history. What are you gonna do. So there's there's a lot more so it's very simple to build a simple events that store you can build it on your own. There's great young wrote a paper about it. You can just follow and copy that like everyone else did but getting these advanced things and trying to make. It'd be really scalable. That that's a different ballgame back in the old days. When we wrote gated down on ledger paper. You took balanced forward right there. Every account started with an injury that was we start here now. You don't have to look previous to this to let all but it is an interesting point. You always composing existence from the beginning of time is resource intensive. It takes awhile so we say okay. This is a known state the beginning of the year. Here are your hold on goal balance forwards. Now you won't you don't look further back than that. Aleve the nose day so that that is a that that exact kind of feature you're talking about just in the last couple of days Because again into duke nukem forever territory purposely. Push that to martin. Four point one is okay. 
Yeah 'cause he's a exhibit feature do shipping getting feedback writing documentation. Yeah yeah and and getting through reliable visa software and you've got time before people get insulted trouble enough like you know. We really great. Can i get a ballots for invite anonymity lucky how aaron is four point one Needs so this is something i tell people that want to wanna be an open source author is. There are some potential downsides to having a modicum of success. You'll have user. That will need stuff that you haven't thought about before it's a great way to learn about software development understand what people are doing but it's a never ending race well and the entitlement of them that you haven't already written it in you know i haven't paid you a. Why aren't you doing everything. I want as hell throat stake in the ground that i think my experience has been so much more positive in the last. Maybe maybe four five years than ten before that. But i have had plenty of those conversations. Exactly what you're describing the. I i'm with you. The culture has evolved. Yes and right now. I can't i can't play. I think we'd probably all saw the the What the identity server folks went through a couple of weeks ago. But i haven't had to face much of that myself for a while. What what happened to everybody knows that we're talking about. Should you might have more context than than idea. We did this show. You're talking to you talking about dominic and bra and any server and this sort of reality that in the end their customers came to them and say we want to pay for a product from. Yeah right. I don't care if it's open source or not but we want a product like a year the you were dealing with this evolving economy around software. 
Yeah open sources useful but so is sort of guarantees that financial liability bring to it so when you're product is actually being inherited successes customers can't adopted unless you represent a different business model like there's an interesting problem and brock Trying to do the right thing by everybody. Like i don't envy those guys you think about a folk stanley know this but like the number of conversations. We had with them before we did that. Show they were figuring out how they wanted to talk about a to you. That was sort of the reality. they're in. We're at the edge of history here. We're evolving a new way. That software needs to exist at that is appropriate. And jeremy. you've been in this business long enough. You've done a bunch of these different models than you do in right now with martin. It's not simple and I i don't. I appreciate those guys efforts while resume did that show is to help have that conversation about what is right for any given piece of software is longevity and supportive as customers. It's a hard problem is that there's no one right answer and we'd all be doing it. There was it is just all say that. I'm completely supportive of what what identity server team did her inst- doing Yeah i'm with you. Yeah and to be honest. The martin the martin fourteen. We have talked I think we're gonna have to grow a little bit in terms of user numbers but at some point we are probably going to try to find a way to bring in some revenue to keep this going at some point. It's going to get two big otherwise but well and like domine brock. Sooner or later you're going to encounter a customer. Who says hey. I need i want to pay you for this because i want certain guarantees. Now i want certain things and like the money is not the issue here. How do we do this. 
And that's exactly what they were up against but it was big companies identity solution like make no mistake and you could easily get into the same place you talking about the crown jewels of the average company. It's data and how it store sooner or later. Someone's gonna pick a bad on martin larger than you consider and And they're gonna have certain needs and you're gonna call a diversion of success like if nobody was using your product. You'd have no problems like you said it. It sounds like a good problem to have someday. Yeah it's it doesn't but it doesn't mean it isn't a problem either. I am grateful to folks. Like dom and brock is gone before us that we're gonna have their examples toward as the as these occurred more organizations. Yes jeremy what's next for you. What's what's in your inbox. so better. better be finishing before so by time this airs. I'll i'll be starting a new position so maybe meeting. New co workers coming up to speed as fast as possible with the existing architecture. I think mostly you're on the open source front. I think it's mostly martin and we'll see from there. I have some smaller projects. They're still going strong. They don't they don't require a lot of attention. Martin very good martin all the time. Yeah very good. Well thanks for spending this hour with us. It's always good to talk to jeremy. Thanks for all the great work. Do thanks guys. thanks for having me on. Thanks for letting us come on and talk about martin. Yeah and we'll speak to you next time here. Listener on dot net rocks dot. Net rocks is brought to you by. Franklin's net and produced by pop studios a full service audio video and post production facility located physically in new london connecticut and of course in the cloud online at p. w. o. p. dot com visit. Our website is dot rotc ks dot com for rss feeds downloads. 
Mobile apps comments and access to the full archives going back to show number one reported in september two thousand two and make sure you check out our sponsors they keep us business now. Go write some code cnx time.

Build 2021 Announcements with Scott Hunter

.NET Rocks!

56:59 min | 2 months ago

"Welcome back to dot net rocks. This is carl franklin. And this is richard gamble and it's currently just after six pm here so that's officially one o'clock there you go. I'm still drinking tea. It's only three here. That's pandemic time hayes pandemic time. Yeah i'm going to have an excuse pretty soon. Be side of the muscle. It used to be scotch time at that. Got a really expensive. Yeah oh yeah well scott hunters here. We're talking about bill. Twenty twenty one and all sorts of good stuff coming down the pike. But before that let's get started with little thing we call better know a framework harmon. What do you got. you know. i've been watching Top chef reruns right. Tom kalicki when he's at the judges table. He always seems like he needs to do this. Little philosophizing chefs. Life is funny so that's become like the thing that we can pick you know chefs anyway so you know some times. You have an application where you're on the back end doing way more reads than you are rights and i'm talking about frequency. You might be updating your data once a week once a day and usually it's one person maybe two persons. There are a lot of things like that. And you know one. Application comes to mind. Richard which podcasts. No okay right because we have podcasts. Right we have podcast data. We go into our little adleman and we add things to it and that goes off to a sequel server. And then there's a lot of reads off of that sequel server. Yeah many's very inefficient. Especially if you don't do caching cashing okay. Well and it's also not changing right if you read the same thing over and over again. That's right it will put on a show week right. So basically. What i've come up with is a blazer train episode that is coming out. Well it's already come now. But i'll give you the link if you go to seventeen. Forty one dot pope dot me. That'll take you to a youtube episode of blazer train in which i talk about a back end manager for me. 
Pi that writes and reads to and from A blob storage as storage right and so the key is that we we only write once in a while. If there is a possibility that you and i might actually be writing the same file at the same time however remote. What i use is a SemaphoreSlim. All right so this is a .NET Thing and this could now officially be called a better know a framework because of the framework. Yeah a SemaphoreSlim is an asynchronous way that you can allow in a singleton object only one Client to call that at a time. So you do like an await SemaphoreSlim dot WaitAsync. And then you have your block of code and you release it by doing SemaphoreSlim dot Release. So it's a really easy way to wrap all the save code that we do in You know in a in a protective barrier so that one user can access it at a time so with that and the fact that you know Blob storage is so damned cheap. Yeah and i can essentially put a a one hour or even a five minute or a five hour ten hour whatever. It is sort of wait time in there in so anytime somebody goes to read. I'll check the last access time. And if it's time to load up. Then i go read it so just with a combination of that sort of caching and the fact that you're using blob storage. It's perfect for podcast. So this yeah so. This episode sorta talks through the mechanism from everything from the back. End the api the manager the controllers and then on the client An api and it's all based on their pattern an api repository all uses generics. So you can create your own managers for different things and in. It's pretty good. This is going to become an open source project now and including the podcast administrator. It's all going open source. And it's all Blazor all Blazor all the time that's what i say nice so i think it's good. It's not the ideal architecture for everything obviously depends on the volatility of the data. Yeah how often does it change. How often does but you.
You tried the prototype and you would you say it was stinky. Fast steve yes. I think i may have used a somewhat more firm word than that right. Yeah and that means there's going to be a new dot net rocks a dot com website. That is all going to use these static files in. Yeah we're looking forward to it so it's any future plan to share it all and get a nice though. Yeah that's it. That's what i got. Who's talking to us today. Richard grab commented show seventeen nineteen from december twenty twenty where we talked to one scott hunter about dr number five. You know back. When that was the thing i was thinking we talk about dot net too but no gonna talk about dot net sex but once we talked about dot net five. We've been talking too much anyway. It stevo has this comment. It's only a few months old because there's only from december is his great show as always. Thanks carlin richard. I have a question for scott. I'm trying to convince my boss to use blazer instead of react for our next project. Why would i don't know what the i don't know what he's saying. I think blazer is a perfect candidate for this project which is a rich client for schools students but my boss thinks blazers to new and not ready in two experimental and it would be harder to find new employees. Yeah that dot hard hiring just hiring blazer people right clearly steve. Getting ready to be fired or quit. I don't know the i. I was wondering if you have some sort of materials or list of customers which would help me convince my boss. I've tried but i'm not quite ready to give up the battle yet. I know you're super busy. But i'd really appreciate it. Helps thanks indiana stakes staff. So babies not stevo but his name is steve. Oh but we'll let against them. But you've done a bunch of projects carl and i'm sure staffing a ton of them. I've just a we've just shipped or just by. 
Now we have just shipped our first In production for a customer blazer server application blazes server turned out to be the right solution for them because they only have a few thousand Customers and it was easy to scale and develop. Yeah the you're not worried about having to deal with millions of users where the load of back end would be a big deal now and even if we were. There are solutions to that. Sure so yeah. I can't. I can't say enough. Good things about blazer and here okay so here is a really good testimonial for blazer mark. Randall was doing talk Online and i went and sat in on it and at the end of it. He said you know blazer. Here's the thing. I was never on the blazer bandwagon because it was so new and all that stuff and it sounded quite frankly too good to be true. And now that i've played with it. I think it's absolutely fantastic. It's solid it's awesome and a guy like mark randall. Who is highly ca critical of just about everything quite doesn't right himself. You know for guy like him. Says this is good stuff in and i would use it. Then that's that's a good testimony ill. That's pretty cool. Will areo stevo. Thank you so much for your comment at a copy of music. O- buys on its way to you and if you'd like a copy to go by right a comment on the website at dot net rocks dot com on the facebook. Do publish every. Show there if you should come it there and every day on the show. Will you copy music. Oh by and definitely follow on twitter. I'm at carl. Franklin he's at rich campbell. Send us a tweet. Twitter two point. Oh not one point one point now. We like to better all right. That's a it's a private joke before we start scott said what are we talking about dot net too so scott. Hunter he's here. He's the director of program management on the dot net team at microsoft his team builds dot net framework dot net core asp net and framework and the manage languages web and dot net tooling to us. He's scott to you. He's mr dot net scott hunter. 
It's going great. I was well. This is coming out during Build. Yes, crazy, we could build acceding Build, lots of software, lots of new software and that. Yeah, there's more .NET, always more pitcher .NET every November. True. And it's an interesting point you bring up, which is this: if you ship to schedule, you're kinda slip features. You're going to stick to the schedule. So which also makes it very challenging to do really big features. Like, I'm impressed with what you've pulled off with MAUI so far, but that's a lot, like getting it done by November. Like, I'm holding out hope, but boy. We don't really even see features like the MAUI stuff is stuff that we actually don't. We started the MAUI stuff last year, right. So secret that you didn't build it in a year. It's been going on for a while now, I think, for a while. So there's many things at leveling features that we do take, you know, more than a year as well. We did announce in .NET 6 that we now ship a C# every year, so C# has now joined the same schedule that .NET has, and so C# 10 will be part of the release in November. But I can tell you that there's lots of C# features that I would love to go have already in. The team just tells me they need more time. So right, it takes time. Like, you can't use all the new language features in LINQ today that we've added over the years, and that's because the tree tech inside of .NET needs to be updated for those new features. And that's something we'll do. Seven is unable all the new language things, all the LINQ stuff. And of course we're not committed to that. And I decided on air so give itself to that. But that said, Scott, LINQ is pretty darn powerful right now. I mean, you do have to. There's a crazy LINQ thing. I'll tell you a story about LINQ that will shock both of you. Okay, so if I ask you a question in .NET data access: ADO.NET's stack. The change has their lightweight framework called Dapper, and EF Core.
Which of those is the fastest tech? ADO.NET being so the smallest, oldest, stinky fast, and then after that Dapper or EF Core. EF Core doesn't sound fast, right, because it's so high level, but I'm gonna go out on a limb, Mr. Hunter, and say that EF Core is faster than both of those things, right? So he of course gonna come in so obviously that's the lowest level things. Richard said that it's going to be the fastest, you're bare metal. You don't even have to make objects if you don't want to. You can just pass a budget texter app. But with EF in .NET 6 on, it will basically match the performance of Dapper. Wow. Wow, I'm shawn. And so that is, it's literally seventy percent faster between .NET 5 and .NET 6. That is amazing. Thirty one percent faster query performance and forty three percent reducing reallocations. Wow. Now, is this re-engineering by the Entity Framework team? What is the responsibility to the speed increase? Just operations. So the team has worked on making existing features better. We got to a point where they were able to go and do a bunch of crazy optimizations on right of cour- the same way that's in various other parts of the stack over the years, but EF Core is super fast. And well, imagine an upgrade to an existing application that gets a performance boost just by recompiling on the new stack. That's one of the crazy things that we started seeing this last year: we've been seeing a lot of customers who said they would only do LTS releases jump onto .NET 5. Interesting. There's enough of these types of improvements that they can see, and it pulls them forward to the next version of the framework faster than they expected. And they're like, I was on the phone with some big banks selanne there. You would think bank of anybody being somebody that's like, well, I'm gonna stay on entre LTS at a minimum. Like, hey, 4.8 works for me. Heck voted by talking about 4.1 works for me. They're very conservative. The reason I use
EF is that it's just so easy to use as a developer, and that I don't have to write all that goo and that yano code that used to. So that's a cool and sixteen that you probably wouldn't expect. Yeah, we're talking about the Upgrade Assistant on donald trump's. So I believe so. So I think that's a great part of the story too, is, you know, as we think of, you know, .NET Core and then .NET 5 and .NET 6 after it, you know, a lot of questions come to be with, like, you know, if you have an older application and you want to move it forward. And we think now's the time, you know, if you're actually working on applications, you're thinking about moving it forward to the new bits. We've obviously a team inside of Microsoft that helps a lot of large customers move, including internal customers outrun. Interesting in pictures inside measured stuff like that better sticking around on the sort of standard version of dot. They're still sitting at 4.8? Okay. They're not. They're moving. And, you know, of course Arcane helps some of these internal teams move and some of the external customers move. They kinda built their own tool over the years as they've done this, which is available to everybody, and it's pretty slick. It's a command line tool. You can run it on a solution. It supports multiple projects. It does a bunch of stuff. It'll upgrade project files to the right format. It'll go look at references that you have and make sure that you're referencing the right thing for, you know, .NET 5 plus. It'll fix NuGet references as well. And then it also has the ability to go in and do a bunch of code fixes, as porting some of these applications you do the same thing over and over and over again, and those are built into the tool. It will go fix those things for you as well. So I want to be very clear. This is not a tool you're gonna run and you have a guaranteed run .NET
5 project additives. But it will take a lot of the tedium out of stuff. That's everything up so it's easy to revert back. But it's something people try. And it's the minimum .NET version that it will support? I think it goes all the way back to beginning of time. So any .NET application, Microsoft .NET, .NET Core, whatever, it will upgrade to .NET 5. It will try to help you migrate to .NET 5, so try convert it. The one thing that it doesn't really have good support for today, there isn't great support for What form. Yeah. That is something that we are looking at trying to do in the future as well, adding more support for that. But it's pretty good for doing MVC, whether if he is desktop applications, when four awful applications, class libraries. And it'll take a lot of the tedium. We had a command line tool called try-convert. This is to allow users tracking the project files that we did for project files last year, and this takes it to the next step where it could do more than just one project file, do a whole solution. And so, you know, if you're out there and you've not tried .NET 5 and you wanna try one of your applications, it's at aka.ms/dotnet-upgrade-assistant. Nice. That will take you to the page. It's in beta, and we plan to RTM it with .NET 6 in November. So I could take a WinForms app from, like, Visual Studio 2010 and take it over to the new form of WinForms. But you and I talked about this ages ago, about you couldn't do pixel perfect conversion from the old style forms to the new forms. It was able to tolerate high DPI screens and so forth. But this is not doing a conversion, this is a migration, so you gotta go do checking, right? Like, things are going to be different. And we've taken a much of a laugh. We took handsome. Maybe smash apple when it takes you. You run this tool. It takes about three, four minutes to fix whatever's left.
You said to write us comments about two miles. We have a cool that we show at Build called, is called boy. It's, and it's a, we're showing one of my favorite features, Hot Reload, and it's a graphical program that draws, it's like the Game of Life-esque, and it was like a six, seven year old .NET project that is converted completely. Wow. And it's one of the demos that we used. But try to help everybody, and that's why those tools. You're also doing a try-convert for Xamarin Forms to MAUI conversion for .NET 6? I know it's a little premature to talk about that, but you must know a little bit more about that since the last time we talked to some Microsoft about it. This is the tool that we'll put that support into. So we'll have the Xamarin team put some of the support into the Upgrade Assistant tool, so you can make up on this thing Xamarin Forms project, which obviously is gonna use the old project files and stuff like that, and this will try to clean up as much stuff as we can. Obviously in this case, because we changed namespaces, the big thing you want this tool to do is to go through all your files and fix all your namespaces. On he the easiest to migrate your stuff. Plus all those custom converters and things that you guys are leaving behind in Xamarin Forms, those need to be totally rewritten, right? So I can imagine, like, somebody who's got third party tools or a community based Xamarin Forms tool wants to convert their stuff to be a MAUI tool, we component, and they've got shavers and stuff like this. All that's gotta, that's a tall order, man. Yeah, you know, I'm thinking, I'm putting my enterprise architect hat on, right, where I've got a group of .NET devs that may have had over the past twenty years. I have this body of internal applications. The idea that I could take a couple of keeners, terrified at the prospect of trying to maintain those old applications, go get Upgrade Assistant and start doing a survey. Just take won't yield.
Let's give an order to the most important apps that we think would really benefit from being upgraded. Work our way down the list and see the low-hanging fruit. What just comes across, and what needs hours' worth of work, and what goes, oh wait a second, you're going to have to think about this one, right? Maybe we'll that over Power Platform guys. But no, but what if, you know, I've worked with organizations where literally thousand old apps, you know, in various states of disrepair. To have a couple of folks spend a week working down that list and see how many just come across to the new platform, and all those security risks go away, all of that maintainability stuff goes away, like, that could be a huge win. Well they wanted. It's not tied to .NET on the machine anymore, which means no longer are you taking a risk of a Patch Tuesday. You're up to me. That's always been one of the premises of .NET Core, .NET 5 plus afterwards, was disconnecting you from the operating system, so you, right, control your own destiny. And so then you go to your bosses and say, hey, I want to use all the newest features, and guess what, we want to put anything on the machines to do that. Yeah, doesn't work anything. And whatever doesn't come over you rewrite in React because it's stable. Power Platform pipe was funnier, but okay. That's a call back to the comment, my friends. Yes, twenty four minutes of comedy at the did. Yeah, that's a really powerful thing to think in terms of, is just like, you know, you're in an organization who's not interested in running the latest and greatest because they don't see the benefit to reduce the cost. I mean, there's a new reason to think about it as well, which is, it's kind of my favorite feature. I have two favorite features. One is the unification of the platform in 6, but the other one, at the end of .NET 5 we were asking ourselves.
Well, what are we good at? And we're good at perf. We're good at cross platform. Yep. Where do we, what do we really not do well against our competitors? And, you know, in many cases, as Carl's said a few times, things like React, JavaScript style, is kind of one of our competitors. You know, what's the day in the life of building a React app versus building a .NET app? And the big thing that comes to mind to me, especially if you're talking about Blazor, Carl does a lot of Blazor work, you know, make a change in your Blazor app and see how long it takes to refresh your screen to see that happen in your application. It takes way, way too long. I was doing a demo before Build. It was in the .NET 6 Preview 3 bits, where I literally can show that you make a change in the Blazor app and it takes five to six seconds to see the actual refreshing screen. With the tech doing .NET 6, it takes one tenth of a second. That's great basin. And so it's instantaneous, and it's kind of evolution that can continue. Yeah. But it goes even further. It's also using some of the hot reload that the Xamarin folks built into some of their tech, and it uses kind of a mix of all that stuff. And we got it dialed in before Build to such a point you don't need to save your code anymore. You can basically push the button and we can apply the change to your running application before you even save the file. Now I will caveat, you know, obviously you can't change everything. If you do something that ripples through the entire application, this is not going to happen. But I know in the case of, I'm looking at Carl here, even though nobody else can see him, and, you know, you're just trying to adjust the UI. I'm world. We pixel changes from colors, removing some styles or stuff like that, removing a typo, like all of these little things that I don't want to recompile for, and they're instantaneous. And on it's excited to me. It closes the biggest gap we have.
We call this at Microsoft, all this, the process of writing code, running it, looking at the result, changing it again, we call that the inner loop: how to do that inner loop circle. And the goal in .NET 6 is to get that inner loop circle below one second. I can tell you the tech that I've seen so far is well below one second. Goofing is works everywhere. It works on ASP.NET. It works on WinForms, works on WPF, works on Xamarin, which is now .NET MAUI. No matter what type of app you've got, this tech's gonna work. And, you know, imagine you're the customer on .NET Framework 4.8 and you're maintaining your application and it takes you six seconds every time you make a change. .NET 6 will take less than one second. Change in while number six seconds you do day and see what you're gonna save. It used to be an excuse to go refresh my coffee. Yeah, it's getting one a time getting faster and faster and faster. One question out of the blue for you. Are you guys thinking about SEO with Blazor? I mean, it's very hard with any kind of dynamically generated UI to get the attention of the Googles and the Bings, but is there anything that is happening on that front? I don't think we have anything that I'm aware of. We're doing it in 6.0 for that. That is an area we've talked about in the past, and there are techniques for doing that. Yeah, there are. We just haven't got to that in Blazor for 6. If you run through some of the big Blazor things done in .NET 6, they are pretty dang cool. And you'll appreciate this, Carl, for sure, is now we have support of ahead-of-time compile for Blazor for funding. Know that Blazor, for the most part, there is a .NET interpreter. It's running in the browser under WebAssembly and is interpreting the IL for the the simply the john s and running it. Now you can decide and tell us what parts of the app you want to make native. Stuff you're doing, you
Don't math or some kind of fast transition in the web browser you wanna do, you can mark those parts of code as areas that we want AOT, ahead-of-time compile, for you. We don't do the whole thing because that makes the app bigger, so we don't do that. Another thing in Blazor in 6 is small downloads. So if you're doing the WebAssembly tech, you'll see smaller sizes. board Very significant. I can't tell you why we're doing it, but it's still cool. You know, there's a bunch of tech at Microsoft called Fluent, Fluent UI. That's one of the web frameworks, or one of the UI frameworks, a lot of the Microsoft products are built with. And we're gonna make sure that you have access to the Fluent UI tech from Blazor, so if you wanna make a Fluent looking application, you build that inside of Blazor. That's more than just fonts, and it's actually cons. If the end of the day is being some controls were there as well. Yeah, yeah, I grabbed the link to it for the show notes here, and right away it's like, hey, web, Windows, iOS, Android, macOS. Like, this is not just a Windows tool either. So that's a cool thing that kinda came in from a side project we're doing. But to me the coolest feature that we've done in .NET 6 for Blazor is going to be desktop support, meaning that you can basically build a Blazor desktop application. So, you know, we're all aware of Electron: VS Code, if you run Spotify, Dropbox, I mean, you know, Slack, who knows how many other Electron apps out there. These are web apps that appear to be desktop apps. We want to give that feature for Blazor, and so you can now take your Blazor app, wrap it up as a Mac app or a Windows app. And you know, you might ask why. Well, if you're a web app, you only have access to whatever the web sandbox gives you access to. If you're a desktop app, you have access to everything on the machine. That's both pros and cons.
If you're building internal apps act that probably is fine. So it gives you the ability to build web apps that work well across multiple devices. They have full access to the platform. And so one of the Build is we added Blazor desktop application, and it showed up with a tray icon on a Windows machine. If you right click on this icon, you've got the right click menu in the taskbar, and it had the ability to send notifications to the notification center in Windows 10. And so not only can you build these web apps, you can give them platform lineup. And it's pretty crazy because we built a MAUI version of it as well. Yeah, if I showed you both the apps side by side, you couldn't tell the difference. Wow. This is the Blazor WebView thing that came out in three, right? A MAUI app, and the MAUI app then hosts a new control, the Blazor control. So we add a Blazor WebView to the XAML, and so you basically build a MAUI app with just a Blazor WebView inside it, and from there, your Blazor, you can put native controls as well. You want to, if you want native controls on top, below. Okay. So it's not an embedded browser, which is the approach that we've taken with Windows Forms, VB before that, taking like a portion and plunking it in there. It's not that, right? We give you the APIs if you wanted to do something like that, and you could. So we give you the hosting API if you want to go build a native host or super slim host and bring the MAUI runtime with it. You could do that as well. So we put the hooks into that. But we're primarily focusing on those Electron scenarios. Yeah, with Windows and Mac to start with, right? There's no reason we can't bring it to Android and iOS as well. I'm trying to figure out if you're running WebAssembly in there or you don't need to. You're just running .NET framework. No, don't need to. No reason to run WebAssembly.
Because of the Blazor desktop server, the Blazor server is in process with the app, and so it's actually a Blazor Server app with the actual back end of the app in process, so it's blazing, and it has full access to whatever you wanna give it access to. So if you watch the demo you'll see apps that do all this native. You've really followed the Silverlight path, right? You find now it's Silverlight out of the browser. This is just Blazor out of browser. But the difference is it's awesome law. That is the difference. Gentlemen, I need to interrupt for one moment for this very important message.
And we're back. It's .NET Rocks. I'm Richard Campbell. That's Carl Franklin. Hey, hey. We're talking to our friend Scott Hunter about .NET 2, actually. It is in some way. I wave .NET and this is his had 5 in some ways was the new one, really the unification, and everybody gathered this one .NET. Although he was feature complete, like, there are certain folks in certain places in 4.8 where it was going to be tough to move to 5. It seems to me that 6 is going to be even easier. It is, but we're not bringing the back no anymore. Maybe five is what's going to make it. Web Forms not coming, WCF not coming. That's reality. There is an open source WCF that is out there. You know, people at Microsoft work on it and maintain it. Once again, I can't tell you where we used at. We use that thing inside of Microsoft for some big services that run behind are interesting. So I have one more question, and that is the Blazor WebView. Is that different from the tech that will allow us to build native MAUI apps with the Blazor syntax rather than using XAML for UI, which I guess is like the upgraded version of the Blazor mobile bindings? Right. So the second, Blazor desktop, is still XAML based tech. You're talking about where you can actually build a UI in C#. Yeah, there's a project James Clancey on my team works on called Comet, and that's where you can go find some of that syntax. That's something that we would love to bring into MAUI in the future. Yeah. I don't mean that. I mean using the HTML and the Blazor UI. Yeah, yeah, model. So we don't know what to do with that right now. Like, there's Comet, which lets you do all your UI in C#. Yeah. Then there's the mobile bindings, which lets you do all your contents in HTML in Blazor syntax, right.
And it's gonna end up being people voting with their feet on where we go with that. I don't know which one. What I don't want to do is say, hey, we have Blazor, or we have MAUI and you can do it in web and see if you can do an example. We know that every time we offer too many choices. And so, okay, you know, I have to offer XAML for compatibility with the past, right. But I have to decide, we as a team have to decide, which of the other ones is the right one to bring forward. We know at this point a part of the team loves the point. Part of the team loves the Web when. I don't know we make them as, you know, never actually in the box supported packages that, you know, the light of a different experience. Go get some. I at least have one more Blazor Train to make comparing all those things when .NET 6 comes out. So go ahead. Any other announcements from Build? Yeah, so we've talked about the inner loop. We've talked about Blazor desktop lacking. We talk about MAUI. You 'cause to me it's the end of the unification journey that we started a long time ago. You know, we've more damage, I think, in 2016, if I'm correct, and so we're five years into that story, and we've always wanted to make the Xamarin tech, you know, feel like a really first class citizen in .NET. And so now is basically the next evolution of Xamarin Forms. It uses the same project system that we have for all of the other .NET 5, 6 projects. It now uses the same BCL. So in .NET 5 we made Blazor WebAssembly use the Core BCL, and with wave the that MAUI will use the same BCL. And so it is really unified products just some issues in the same BCL. It's evolution of Xamarin Forms to act out very happy about it. You know, we're trying to do some other things there as well.
Anybody who builds a Xamarin project today knows you end up with a solution with a whole bunch of csprojs inside of it, one to the platforms. We're trying to collapse all that into a single project, so you're right, with just one app in one self-contained space for all platforms. You're gonna see in the Build timeframe we haven't got all the way there. We've got most, we have everything when you i into that mode, and our hope is before we actually get to November anarchy and we can actually collapse all the way down. And that's something we should also talk about. This is something new about .NET now. Xamarin really only was supported on iOS and Android. MAUI is supported on iOS, Android, Mac and Windows, on all the platforms, which is a nice thing, and I think it's a big part of the platform really influence, and it runs everywhere and it uses whatever is the best tech on the platforms that you're running on. On Windows, it's actually going to be a WinUI app using the Windows team's newest fiber extinct. It's using what's called Project Reunion. I know they have a new name for that, but I don't think they've announced it yet, so I'm not gonna go there. And Project Reunion is a way to build a Windows app that uses all the new APIs, works on downloadable versions of Windows 10, and so they'll us let me use Bluetooth stack. You can use it on her when she was only back to the. And so that's a die now is a big piece of the announcements. And the final big windows announcement is something we've been calling ASP.NET minimal APIs. And you know, you've have been around for a long time, and, you know, kind of our journey, you know, we built this amazing controller based way of building APIs in .NET, matured over many, many years. I think we should the first version data around 2012, so it's eight, nine years old now. But when you start looking in our checking, you compare it to Express on Node.
We looked way more complicated, right, more ceremony. We want to make sure that there is a path for simple APIs and a path to upgrade those to the full controller based APIs. So we've actually put a whole bunch of features in C# to make it awesome. So there's, you know, what's the first thing you see in a project? You see the, you know, the Program class and you see a Main method. Well, C# 9, we got rid of those with top-level programs. You don't have to have those anymore. But then the next thing you see is a wall of usings. A new feature in C# 10 called global usings, you get rid of that. Like _Imports.razor in Blazor, a place to put all your using statements. True, for the same reason. And so you literally can build a Couture whetted the i in three months ago. Now, Build: one of the demos I did at Build was I took a weather API that we built a long time ago, and we had a Node Express version of it, we had controller based, and we had been the version of it. And the our features to get revenge of casting and stuff like that to make beautiful, small APIs in .NET, very performant. And once again you can always add all the tech back. Building to is inap- you probably want to use this tech. If you're building a thousand APIs, you probably use the controller app, that technology. That's another piece of Build as well, is the continuing simplification of C#, our .NET programs, with new language features to get regular code, less ceremony. But minimal APIs is a big thing. Blazor desktop, .NET MAUI, inner loop, those are the big staples of the release. Hey Scott, our friend Steve Smith has an open source project, I think we talked about on the show last year, about sort of minimal web API endpoints. Is this adjacent to that or somehow involved in that? I don't know. I'm, he was his project, or is he using endpoint routing, which is something that we did show in .NET 5 is we did she. Maybe we a routing.
Yeah, it's just interesting to see the name was so coincidental. It's like, we do this because it is. We are looking at, often these libraries, when they were initially built, there is many options that didn't really get used. And so I like this sort of movement towards a minimal stripping of ceremony, making all that stuff lighter. It's a big thing we see. It's like, I hate it when the microphone compares .NET to Express and they go, well, break, you just look so complicated. And I'm like, no, we just give you, we game the other way round. He came from mega. It didn't think about, how do you write small apps? And now reality show both sides of this, show that you can be very successful writing small .NET apps, and you can be very exiting. Huge adapts goal part of the platforms. We support, you know, the entire spectrum back and forth. When ASP.NET Web API came along, like, it was touted as, this is the lightweight choice compared to WCF, all of these other strategies. Now we're located going, wow, that's a lot of ceremony. Circles that we go in in computer science is funny. How we, because we all. You're right, I remember. We had a whole team called the simplicity team back then. We thought we really simplified everything down with ASP.NET Web API. It was so much cleaner and easier to write than WCF, and you look at this and you're like, wow, you simplified it again. Turns out it could be simpler. But there's, going to be clear, this is not a replacement for ASP.NET Core Web API. That is still a super important piece of technology and it has its place, and it depends what you're building. The ability to do not very complicated, this great tech. Yielding a single the i rate tack. And it is a ton of other, you know, crazy things inside of .NET 6 as well. Some of the, you know, we have support for the, we have full support for Arm across the board in Windows, so you can build WinForms,
WPF apps in Arm, full Arm64 support in Windows. We've added Arm support for the Macs as well, so you can do the M1 chip on Mac. Other crazy small things: we have single exes. This something I saw one is in .NET 5, but it's the last minute, was where we basically take your apps and all parts of any use and make them into a single executable saito size. Her reasonably will even more reasonable on 6, because we now compress the executable, which means you can get a WinForms app in, like, twenty five. Yeah. So in the earliest days of .NET, I remember, you know, having to tell our customers to go out and download the .NET Framework or whatever, and figuring out how to bootstrap it, and then it would download and stuff, and it just seemed like a good idea to just put the .NET Framework right in the installation of Windows. And why didn't you guys do that? And then I sort of learned how Microsoft works on the inside, and the Windows team and the .NET team not necessarily having lunch together all the time. So it's really nice to be able to just package everything up. I'm talking about the old days, right? It's a new Microsoft now. There's pros and cons each way. I mean, it was, you know, Windows itself depends on the .NET Framework, and so the framework became a part of Windows, because, you know, lot of the tax us inside Windows of using manager there. Many of those tools are all built on .NET. So it makes sense that we didn't put it in the operating system by the end. There's a cost for having .NET in an operating system that's on billions of machines. No, yeah, sure, sure. Yeah, which we remember. I mean, was two thousand, it was two hundred six. We did a show about Salamander. Yeah, that's right, right. And not only it was an obfuscator, back when we cared about that, that was one of the so had this compilers compile you noon emc, but because you took the whole framework with you. The app was small is huge and facts.
And that's our goal is our long term goal is to get to a point where you know every every version are we have a link folks the If you drill into public settings on any any app dot net you can actually get to a place where you can click and say term out the parts of dot net that you don't use in every release that gets a little better. It's on by default isn't it. it's not no. I don't i don't think it's not my fault. Okay but every release we make that tech better and better ways of now annotating dot net to tell it when something is lincoln. Friendlier not liquor friendly As dot net core has gotten way more lincoln friendly over the last couple of releases and so that is a long term goal to let you build release small single execute ables for dot net as well. But it's a journey and we know it will take you know you know versions inversions to get their week each time right but i do like this idea that you can make new versions without adding a lot of new features. Just make stuff go faster to write. Optimization is a worthwhile benefit and time get folks onto the new bits and the current security models and the very compelling argument to say hey your existing apps will be fast tennyson. We see big customers. Seen this in picking up new versions faster and faster. i mean. you've really aware that people stayed on older has done it framework forever and forever and i'm glad that we're adding enough value. People see a reason to move and we also want to make it easier and easier to move that was one of the other tenths of dinant. Six we don't really talk about lot was you should not take you more than ten minutes to move dot net five thousand six up. We still want to have the ability to break things we need to but we are trying hard to make it as easy as possible to migrate from version. Diversion because we went all our pastors to be on the latest release. That helps us and helps. The platform in healthy helps the customers. 
You guys are doing some work also to move towards supporting HTTP/3 right so HTTP/3 support will likely be in dot net six. But i need to be very clear about that. HTTP/3 is not ratified spec. Moving target with moving targets. But but the reason we're actually been experimenting with it having it available as as a preview on is because we want to show our customers that we are looking at the latest standards making sure the dot net if you're if you're using dot net you don't have to wait two years to be on h. Two three three ships and it ratifies. They're very fast. Yep well to be fair to HTTP/2 like the second version of anything is really really hard to hate. There was a lot of battle. Yeah it's not that you guys were slow to adopt. And he wasn't ready for adoption either. The there were problems but three going one to two is harder than going to three To you know they're still asher the dump support full HTTP/2 at this point and so there's no challenges there in obviously gRPC, which is built into dot net five and six and so on it depends on HTTP/2. It's the right late uses for some of this stuff and so that makes that makes you. We're actually testing in working. On all the crazy features HTTP/2 to make will empower part of. That was the internet selfish. Changed the nature computers and browsers like the the attitude of only maintain two additional connections to a website to bring down resources was silly metric at that point. I mean it made it made sense in the nineties. When the HTTP/1 spec was written we were on dial up connections but in the era of gigabit broadband like this is silly. And wonder you know other things in HTTP/3 are gonna come up like that it's like this is an architecture based on things that are different now. Yeah i was gonna say mobile changed a bunch of that and you faster changed much of that you know. 
Obviously you know there's a there's a cost making connections and so you know being able to do more with a single connection is a powerful powerful teacher. Yeah yeah hey i pulled up the attack empower benchmarks in its there's You know dot net core in the running not number one but it's up there. Yeah we want what we say is go. Find me the first well-known java framework. Go find me the first well-known like java services. We like to think that we're the full stack. Were probably the only full stack. It's in the top said most of those marks in your eggert We'll go up on on the database parker fortunate mark in denison down and so we still think we own full stack aspect of this. If you're if you're you know other things you see in tech in power or people who built crazy frameworks to to you know. Get to the top of the list but you the two guys you know what use it. It's awesome almighty fuss boston. Mina yeah there you go around your you talk of the number ones in the ads a lot. E plus that stays. Is that an efficient way to work. I don't know you go on there too. So i mean those are. Those are great frameworks. But yeah they're just being in the top trump at every time And making our you know by the way it is a competition and all those frameworks. You're fighting version to version of power to get faster and faster and faster which is great for all our estimates visit means all the troops are getting better over time right it does make you is a way to keep performance tuning on the work list so that some of every release addresses that yet it up the like the core team runs the data benchmark in their lab work. We have the same hardware. The tech empower themselves us. We all those folks up and say what are you have. We both thrown lab on until we actually concede. Today we make a change hurts us and we ask. Why did it hurt us. 
We care visit visa providing more value than its cost right like we found some We're working in jason benchmark down at five and we tuned yourselves to go faster but with her other things at the energy writing general purpose. Thing that you're not over optimized for one eight when tests most of your customers aren't focused on the power benchmarks. That's not how they make decisions. Zappa breaking their code. 'cause you did stuff to bit up real benchmark. That's not funny at all now. But he's going to be happy about that or slowing down their their tax. They're apt to make one of these benchmarks. Faster is also not a good choice. Yeah that's not. Take care of the customer first. Benchmarks can wait. Well dude. yeah you know. Few months since dot net five to have all this to talk about in the bill timeframe. and we'll just have to get back together in november and talked about done at seven right. No kidding well we've got we've got Vegas in the beginning of december there will be able to talk about the release of six of being out in the world and what comes next is. Apparently you're gonna keep making these things we're gonna keep making these thank goodness better. I think we were on something here. This quite catch on. Make up to say man scott. Thanks very much. Is there anything else that we forgot to talk about that. We can drop in here at the last minute. There's so much. I think i think we've hit the big points i okay. I don't think drop anything else in so all right. I'll make sure there's links to the bill videos as they come up so you can make it there for for bill along version in a short version. Bill is actually a thirty minute session but we get an hour and a half as well so if you want to see all the new c. Sharp features you want to see some of the emerald dot net runs on arm awesome awesome. Well thank you scott. Thanks it's been great and we'll see you soon. I'm sure and we'll see you next time. Dot net rocks and dot. 
Net rocks is brought to you by. Franklin's net and produced by plop studios a full service audio video and post production facility located physically in new london connecticut and of course in the cloud online at p. w. o. p. dot com visit our website at dot net ks dot com for rss feeds downloads. Mobile apps comments and access to the full archives going back to show number one reported in september two thousand to make sure you check out our sponsors. They keep us in business now. Go write some code see next time.

Elasticsearch for .NET with Steve Gordon

.NET Rocks!

56:57 min | 5 months ago


"Welcome back to dot net rocks. This is your old fran. Carl franklin avenue for richard campbell. Well not that new. I think you're older than me. Are invite a week or two. Yeah a couple of weeks right. July versus august but otherwise. How's it going up there in vancouver. Canada got a little destiny snow last night. Which is pretty rare like just been lots of rain so the mountains are full of snow which is worse no should stay but yeah it's knocked down in the city today and it's one of those things where you know. We don't get snow in the city very often. So we're not. We don't respond particularly quickly to it. So it's one of those mornings where it's like. You should stay indoors. Yeah the roads are not pretty. I just spilled my first bag of rock salt out in the driveway. Hey go state pummeled yesterday. And last week. I was talking about snow. Yep morris now marsh now well. I figured i wasn't getting any snow this year because i got a a snowblower for christmas. And that's the rule right. If you get equipped i know you. Don't get any snow. But and you know the rule of snowblowers. What's that the snow that falls is always deeper and icier than your little snow blower can handle through right now. I think we're still at the. There's not enough snow to pull out the blower stage but it's enough snow to make massive everybody who didn't put snow tires on and i'm looking at the weather forecast for this week because this is the eighth of february nowhere publishing at the beginning of march so shifting. Yeah yeah. I'm i'm looking at the weather forecast for this week and four days of snow area. I don't know how much but yeah we have a lot of snow. Hey there was a farmer's market on the weekend. I loaded up we the fridge and freezer weakened hunker down here for a month that we have got to. I got plenty of the freezer. You know. I saw this meme on facebook. I think it was where somebody built a snowman around a mailbox. now. 
I don't mean like a snowman i kinda mean like you remember like grimace from the from mcdonalds characters. He was just sort of like a pyramid. Right shape it. It was a pear shaped snowman with the mouth was the mailbox opening and it was open and the is were like angry looking dhabi. That's scary is a great photo. But you know. It's very snowball bali snow. It's very dense. So i was actually going turning my mailbox into grimace are excellent pictures please. All right well. I don't wanna waste any more time. Steve gordon's here. It's going be a great show but let's start it off right with a little thing. We call betty new a framework awesome. Been an. it's all right man. What are you got you know. Microsoft azure cognitive services continues to blow my mind and it just keeps evolving right like it's it's so much stuff. We could almost do a series on what's going on in their right. I mean when when they first came out with azure and stuff. The only person you know how to use it was cephas. Yes because he had done that kind of stuff before and we were all like I don't know anything about modeling. And whatever and then they started building. These api is that used their models and they're built in things and make it drop dead simple for you to do stuff in a and the anomaly detector is a really good example of that. Oh the anomaly detector. Api enables you to monitor and detect abnormalities in your time series data without having to know machine learning algorithms adapt by automatically identifying and applying the best fitting models to your data regardless of industry scenario or data volume using your time series data the determines boundaries for anomaly detection expected values in which data points are anomalies. I can think of so many things to use this floor about not clip detection in audio but you know like pops sometimes sure yeah those little although spike show up on the way for him. 
Yeah and that's right and you could just run your way file data through this and it would find those things. theoretically. I haven't tried it and yeah take him out or at least identify them for you. You you see this in like sending an intern looking through log-files like just like you're naive to the data but you look at the consistent patterns and find the inconsistencies. Right right the i. I remember specifically when brother jay and i were recording the lifeboat. Nowhere album and i think it was even the first one that we would sit and listen and listen and listen and listen shake jere that that'd be no what because there's a little click click and the bass track. I heard it go back. Give back wait a minute. Here is right here. We isolated down and isolated down and zoom in and zoom in zoom. In on the way form. And there'd be this little thing right unbelievable. And i didn't even hear it at first. I mean i heard some that jaded brother. Jay is a cognitive service after cognitive survey yeah all right well. That's what i got. That's cool man. Nice find learn it. Love the anomaly detector. Who's talking to us today. Richard i figure we all around this subject material like the cognitive services. The searched up and so forth and i found A great comment from show thirteen eighty. That's when we did with anthony. Brown talking about building azure search engine. And that's that was with sharp like a completely other approach right to doing tolerant parsing in an indexing and so forth and elastic search. Which i know we're going to get into today's another approach to all of that and and that's what mark rousey is talking about. Democracy wrote this comment admittedly for years ago because thirteen eighty is from odds november of two thousand sixteen right And he says this show. Is greg read intro to what goes into building a search engine. I'd love to hear more in depth. Look and what goes into building. 
Domain specific search engines possibly based on the popular elastic search and solar engines and topics could include effectively. Lots of documents make search relevant provided great user experience that makes users wanna use your search engine to just so much exploring. This field is difficult to figure out what the best practices are. And we'd what's cool is like that was a great question in two thousand sixteen. Yeah twenty twenty the answers. That are totally different again. And it's because of things like the novelty factor in all the cognitive search tools are getting now that. We've been building a layer of distraction. That i think in a lot of respects is making search. More more trivial. We people are expecting great things from it. Like i didn't g mail caused that but the but we due disrespect search to work. I think we're headed towards getting better tooling do that. We're we'll have that conversation. Yep yep so mark thank you so much for your comment. A copy music obe is on. Its way to you. And if you'd like a copy it needs to go by write a comment on the website dot iraq's dot com or on facebook. We publish every show there and if you comment there. Every show was copy musica indefinitely. Follow us on twitter. I'm at carl. Franklin he's at rich campbell. Send us a tweet. And don't worry we'll take out the families. Yeah you're that. Click here that. I heard it. Reverse it Defy the Let's bring back our our old friend steve gordon. He is a plural site. Author and microsoft. Mvp dot net software engineer. He works for elastic. Maintaining their dot. Net client libraries stephen joyce sharing his knowledge with the community through his blog on his youtube channel and by presenting talks user groups and conferences from his living room around the world. You can find steve online at his blog. Steve gordon dot co dot. Uk and on twitter. At steve jay. Gordon and i just want to clarify when i said in his living room. 
I added that because we are still in the age of covid for those anthropologists listening hundreds of years from. Now that's why. I said that did not age. Well it's walk down was pretty serious in the uk. To how are things in your part of the world there steve. Yeah it still is really Was still locked down So to suffering the effects. I think if a bit bitchy light on the side of the government to react to it but i think coming on a slightly improved think crossed. We'll see see the other side of it on on the positive side vaccine programs going quick. So that's that's yeah. I don't know that we'll ever gonna contain this with lockdowns ultimately just gonna get needles in enough arms that email need to contain it anymore. Yeah kaya now we know you as a dot net guy what got you into elastic assay. I i started with listrik my previous role so when i was working for jax For the last three to four years we were working on a new product at the time which was an analytics engine atlantic's metric system for customers. See as we base that at the time on top of elastic such because you hear the words elastic. Such immediately think i searched full-text that may be left. Except he's also really really good for cut a metric ingestion aggregation at the kind of what that we won't variety it so that's got to wear a i got into it now. Been sort of interacting little bit and there with the team. Elastic civilize will years before joining the be november. Will the question what is elastic. Search is his valley. Because i've heard people talk about it as a database like use it as a database. You don't even need like Persistence just let search figured out. Is that still a thing or was it ever thing can't degree i mean off. Success is is really just a document database at its heart so it's it's highly optimized was the full text search scenarios. 
It's built on top of Apache Lucene so that provides the kind of the low level full text search part of it and then more Elasticsearch on top of that is is kind of the set of features that take full text search a make it highly available make it suitable to scale manages. All of the coordination provides a query sort of domain specific. Language is at the top of Can get back at it. It's going to whole pace over the top of it. Really and i heard of Elasticsearch through the lens of amazon. Aws that's where. I first heard about it but it isn't is it or is it not an amazon thing It's it's not it's It's its own thing created originally Trying to remember the date now now. On on some recent training crazy coffee is ago at its cut evolved. I've italianate coming from an open source background. It has been focused and have a veteran of it as well. They run Asked asked office kind of the original pace if you will okay so Lucene's been around a long time right. But it's kind of a very Java-centric low level library and it was in like twenty or twenty eleven that we saw Elasticsearch built on top of it to me. It seemed like one of the original examples of here's sort of the commercialization of open source like his loosens all opened completely open-source. Like do what you want. There's the the search engine like there's there's sort of that apache approach to stuff. And then alaska archie more kinder like it was sitting on top of that with his easier use worth. Oh you wanna retail-version we gotta retail version like that mix of for free and you can. You can do pay as well. Yeah exactly. I think i think we've seen itself is is extremely powerful but it doesn't kind of get yourself to well. What do i do. If i want to have a distribution system across multiple nodes of coordinating together to handle search at scale. Yeah anything about that. 
Era that era of the twenty arts was really that's the huge version had do like all of this dispersing compute load across multiple machines sort of Map reduce approach of spread. It out computer bunch roll up but make that easy because that's hard. Yeah definitely and the way it makes it eases. It puts a arrest a basically in front everything. So your interaction. Glossy she's just through. Api coz arrest points and there's a couple of tools also like Elasticsearch.Net and NEST. I guess for the two official dot net clients exactly. Yep that's that's the era of that. I'm so focused on. We have these data to clients that work together so the Elasticsearch.Net NuGet packages kind of a low level library. That stating things like. HTTP transport layer type stuff however map. The api exist in the server back down to Coda is pretty much the on opinionated dependency freelancer and then NEST sits as kind of a high level client over the top of that. And that gives you a strongly typed requests responses. So if you've if you've types that you want to map to and from an store into elastic imagery back it can handle that mapping for We could accomplish kind of different. That not used to do that though. I'm sure we can talk about. But that's that's the level that most people probably want to bring in bringing the NEST client You can kinda get going very easily from that. And should we really be thinking about this as a database or as a search tool or both i mean obviously if you have a database you want to search tool but but it really is a data structure database right. You can use it as a so day to store. And that's what we were doing on on the product that i was on previously it was the sole data store all of the metrics and we restoring about eighteen million metrics day into the system holy crap. It wasn't insignificant. We had i think thirty to thirty five nodes running at tuck. Handle the load. 
It can scan at that level can scale much beyond that to be honest and when you say nodes you're talking like virtual machines or gabar hardware stock with for the case. It was set Machines so we were not snarled. We re not going to self-managed mode. We've got the the license sort of the fashion that we needed subordinated and we all maintaining our virtue machines in the cloud and installing it an officer which works reasonably well. But you know you end up as we found today simultaneous stuff. You don't really want to be handling businesses One of the things that we have at elastic. that's getting more popular is all cloud offering which is elastic cloud. And that makes all of the management plane out with your hands and you just say i need to stall in this many gigabytes of data and you just essentially select slider will deploy a number of instances of elastic search to handle that across a different availability zones as well as loud yet. They don't want to run the stuff themselves. Like hey the cloud stuff the api knock yourself out. Yeah i think more and more people are moving moving to these kind of philly managed. Deletions where you just kind of scared off and damaging need. I've been using it in my day to day. Work just to spin up testers than you can run run. A few indexing commands Things work and then spin it down when you're done and that's that's extremely convenient. Wow and it's i'm looking at the pricing. It's his lowest sixteen dollars a month. Yup that's a far cry from my sequel server. Bills on azure. Definitely one of the things i like about the price that we have for is. It's gonna reasonable space so you can use elastic search for search but a lot of people use it for metrics monitoring and logging systems outlets per agent. So if you've hundred servers that you want to collect logs from you're paying a hundred times. Whatever the cost is whereas that's not usually equivalent touchy necessarily. How much data is those things and producing. 
And so we just charge for the detroit she stored. And this is it's more or less than slide bar to say. Okay but i wanna. I wanna store but also google spit up some more notes for you under under the hood and under the hood. What is the storage mechanism. Can i think my thinking in terms of stuff like acid compliance support thirds of data store tightly. I think he's actually compliant. That's a really good question probably night but the i mean this stuff is so descended into. The point is written down one of the things. You're dating waves In relational wealth. So we all storing dino malaya's structures of data right and so this why you may or may not run it in combination with a traditional relational database by the side for certain of a needs where relation is a better fit. But this kind of story where we're talking about like search am again beyond just like such on a website. Is this kinds of set. Talk of our customers either for example. So when you when you're looking for a ride on uber. Elastic is the engine behind the matching you to nearby echo and that's gop search really and sort of yet distance analysis is not kind of stuff and so you go to these kind of cases where you might want to do that woman's system you might want to relational store for some of the more transaction type data that you have in your system and yeah you can use elastic as you're kind of sight system. Fill the the full text date. So that you might want to analyze the data that you might wanna set across the i've seen architectures where we have those transactional databases and llc searches the search facilitator but is also effectively. A cache of that sort of recognizing that when someone searches they're likely to search again in short order and so you sort of build up a bunch of cash. Data's their searches get more and more efficient. They're done and then odds are that stuff can be. Let go and any repopulate for different. Yeah i mean a lot of stuff stunning memory. 
So it's it's it's very quick The index is loaded into memory. And that's kind of part of the reason you need to scan it out over sleep because the lodger your your active index is a growing No need with memory running You can handle that by doing what we shutting out as well so a conceptual as you gotta cluster. That's made up with one or more nodes within those. Now you're gonna have a indexes. Which i kind of you'll unit of storage that you want to as you probably have logging in this That kind of thing and then those split out into we shots. Those are the things that we can kind of place across legs different nights to give you both kind of in indexing time and search time optimizations as well as kind of resiliency as well. Well it's amazing stuff. I mean i had like. I said i had heard of it but i never really Never really looked into it. What else can you tell us. What are some of the other feature. I'm 'cause i'm looking at the feature less than it's huge a lot of these things. I didn't even understand. So maybe we could dive into some of them yet. There's there's also soco's stuff that you can do with it. What are the kind of keeping things. I was using it for an ro job. Society's kind of metrics state to that you want to you know not any such across. But then you won't to kind of aggregate on various different dimensions that bring together. That's that's where it's extremely powerful. Which is why it's really popular. Fill us with logging an item collection of data. Which is probably one of the big use cases for many people today. We have a if devs out that we have an atm agent. You can plug it into your. Don't applications and you can stop firing tracing a metric data straighten to elastic search as it stands today. What the of tools from the wider elastic stack could cabana. Which is kind of all a window into your data. So it's the ui visualization lab. And you can use that. To bills he'd reporting dashboards built on monitoring you say yet. 
I set up some things in arrogance sutton. Mona says that you want to trigger in trigger activity based on that kind of stuff. And that's an extremely powerful way to kind of take what as we could be millions or billions of documents and kind of consolidate than down into something that you can actually work with understand. It almost sounds like a stream engine in that sense right that i can have an expression that as its processing data can pick up on in that stream of that event and then exactly. I'm on of the things that we've got on a list of the moment. Is we want to really improve ingest story as well so at the moment we have you have mechanisms free. The existing is to kind of do a book Indexing of data one things. We want to make that read. Easy from don't applications with Ingest price that you basically pump data into what might be channels which we talked about in the performance. Show at did with you. Previously we got this concept of a channel which is really just kinda concurrent q. Data you can write. Dates are into into that channel and of forget about it and later in ingest library to going to read from the channel deal with kind of forming that into sensible size requests shipping it up to the server that kind of thing and that will integrate with something we call elastic common scheme which is really just a specification that we've built that defines common fields. The might come across when doing kind of event Loading metrics so rather than everyone having their own word for name or service that kind of thing we can have this common scheme at a. You can apply to all of your ingestion of lacson metrics from assistance. That means that you can read easily than such across lake systems. Full kind of anything. That kind of likes to one another Yeah the the great glossary battles of data warehousing come to mind and i get shivers right. 
Her i'm trying to give that overall view of an of an organization in everybody's got a different definition for customer. Much less what you said. You're steve which is name. Van the fights. I've had over the word name name. That's right now has to go into the name stable and if you wanna customer you get a customer record. There looks at the names table. Exact people having to figure that stuff out so the schemer is kind of our our. Why of trying to say well. Here's a bunch of things. We see people needing to log often his the recommended practices. And that's not only how you actually name those things but also like how you might want to map them down to elastic search so elastic search is schema less in that. You confirm any of jason. Basically as your document you ought to soar. We'll store that document to get the full power of it. What you want to do is apply mapping. And that's how you really say. Well this field the comes into you if you say i want you to treat in this. Why won't index it down. And i won't to be able to full text search over and i want you to analyze that text in a certain way so we have to break down that big chunk of text maybe side a blog post and try and find all of the the actual cool words that really matter for searching and ranking perspective so we can kind of process that for Inside those mapping how you control that We will infer bunch of stuff but the you can provide much better guidance to us based on either using the common schema or your own. Cutting mapping information. You talked about ingesting data. And that's usually the first thing that you do when you have existing daddy wanna move into elastic What is cabana in. How is that use that. Ui layer basically say will connect to coban instance over to your elastic search cluster. And from that point you can stop really refining down. 
What you're looking at so you can do role queries against the Kind of exploiting datasets But more often what you're gonna be doing is starting to build up your dashboard. So if you've got as we did Data coming in from sort of lots of notes different servers in terms of lock data. We could look for higher currencies of exceptional django era logging. Coming up in systems perhaps setup Kind of monitoring against latte so that people can be more proactive in responding to as opposed to the typical things. You go to the locks when you've had a problem in unscreened what you want to be able to do as kind of see that stuff as it's happening fix it and then before the post even rings you up you say know that solved understand that was a blip over here and we collided that down to these looks over there and go from fixed. And that's where the the visualization really gives some power. Is it only logs. That people are using this stuff for. Looks like you know when you're ingesting You're you're you basically can pick logs or metrics or security data you know. What about other data yeah. They are extremely common cases for cut of congestion. But you you could be storing anything you want him to this. So you know if you imagine an amazon mike all that information so that they could easily query over what's happening in there and understands yet which products in most popular given time of day you. You could put documents into sort of a set of indexes and start to explore that data as well. Maybe you want to in run a sale and then see in real time. I'll people responding to a sale that we sent out to them so yet think logan logan comes to mind for most people. Because it's something they have to deal with right sure full-text such real But you can get kind of creative with the stuff that you build on. Top of this is. The site of a use case is really cool. nasa used to analyze the miles river dikes for example. You mentioned the. 
He's kind of data sets that you're putting in from from those kind of systems that you can install to explore in Can you Use the nest client or the low level last. Search dot net Client tools to do ingestion absolutely. Yeah so what we have today. You probably most likely use the nest. Klein cut a day to day and is basically a full full set of like strongly tight libraries that Responsible if the api's are available kind of on the rest points and we give you cut taxes that you might want to say we have what we call the objects initials tax way. You'll basically newland off a request asteroid talk requests Properties then you far it. All the more popular one is off limits in tax which a lot of people kinda like. I think because it is simpler and it also kind of mirrors a little more closely. What you see in the in the jason two main specific language. We have querying. And so you can build up your of the data that you wanna post infer that offer more specifically for searching you build up all of your cut if conditions inquiries in a different mattress that you want to do on the data inside that next. Climb nice folks. i'm going gonna interrupt for one moment for this very important message. Have you ever wondered. If you could be offering a faster less buggy application experience for your customers with reagan application performance monitoring. You've got all the information you need right at your fingertips to find and fix errors and performance problems across your tech stack down to the line of code. Reagan makes it easy to monitor the impact of your performance. Improvements quickly identify and resolve issues. And see how your code performs in the hands of your customers saving you time money and sanity visit reagan dot com and join thousands of customer centric software teams who use raygun every day to deliver flawless experiences for their customers. That's reagan dot com to get started on your free fourteen day trial and we're back. It's dot iraq's. 
I'm richard campbell that's franklin. Hey man are steve gordon. Backers second show moved over to elastic which you know what a cool place to work and which is kinda dig into all the goodness in he back to elastic really was the other open source stuff. That wasn't all that dot net friendly. Go back five or six years ago is one of the things that ms open. Tech focused on was trying to get added a good library for you. Know keep up with dot net being able to access it. It's nice to see that elastic cells supports. Its own set of dot net libraries. How long has that been going on. That has been going on for a number of years. I think it's something trying to raise awareness of out there. People are kind of using. Don't met at a day to day. Yeah we've got a. I'm part of what's called the client statement. We have now eight. Different languages really On different languages that way supporting clients for now with a few to kinda tried to make these well distinct for their own languages and frameworks reasonably comfortable. Start transitioning between them as well. So that things on two different you may dive to the client for example and we've sorted casually spoke at the beginning about setting up nodes rank yourself a push to the cloud and so forth but after just a few years ago. That wouldn't be easy thing to pull. Off from vm perspective. I can't imagine you run the elastic services in windows. It sounds like a job for lennox containers yet. They typically run analytics. I mean you can spend this stuff windows but yet when we were running up why would you exactly why why license when when you really need the also just the size and shape like this is a very specific type of vm. That's really kind. do one thing. Actually i think almost make more sense for containers across the board but yeah this is not what windows servers were meant for next now you you want his little head from the as well really you just own memory map box to be available for elastic. 
Search to run squaring off the top off. I mean you talk about one of really good example of you can't spin off in dhaka. We have Docker images and i'll use them. Typically full sort of development time prototyping so he kinda got two options. You guys to the cloud. If you want to spin up a temporary cluster on the cloud or just some sort of really quick testing than i was have of daca paul sitting nearby that i can spin up by for a single node of elastic search. Plus the cabana. Ui up top of it and that site simple today now with with the daca technology spin it up. Use it for sure Damage done a really nice way to kind of get developing the this with with had completely free to to kind of run elastic search with the kabasic license on that kofi. Just perfect for dev work in architecturally fundamental years when you go to production You've got different implements on the back end. I say it's really just a mattress guide at that stage. And how much resilience you want to build in across yasser cluster citing mind blown. Now there is a free tier to elastic search. Right i can just go. It started with us. I don't have to pay a thing. Why do i want to pay it. All co Freak preteen yeah that will get you going in a lot of areas to be honest and what you get when you start moving up. The levels is one you get support which is as you start to scale a stop putting and get re large clusters Getting on it be quite crucial to many businesses just to make sure that some kind of continuity of service for what they're offering did you. Did you get their magnetic stories. Like oh cabin hacking away this now. I need to talk. Somebody scaled this before. Exactly yeah we. We had support fairly early on in terms of all journey with them emmy yet found it quite useful just because you run into these points where you're kind of all connecting something you've kind of made it work can you like. I'm not totally happy. You know that's a scale way. 
More than food i would and you can cut a gun shop to their support engineers. You a fantastic. You know really noticeable people. Now that will give you some instances about what you can change. Maybe what you can do to get things going especially as well if you have like. We occasionally had a. We had a system where we were able to kill notes quite easily at one point in our application feeling because we just too much query load at it in one guy and so we got some advice for them to basically implement while they could nineteen knows which is essentially notes the holding data but a responsible for taking a query Dispersing that tool. If you have a notes that contain relevant data. thanks bye go off and collected spent back to the coordinating night and that bain assembles the final results. Then take some pressure. United is in and that kind of information you can get that by reading the ducks just having someone on hand to ask a question. Oh sorry important. Yeah and so that right Set you on the right path. 'cause you per a lot of energy into an architecture and it is not working you can't decide. Have i take it the wrong way or just making implementation mistake is and some of these things really need. Kind of surface was in production at super scale. 
So it's really nice to to kind of lawsuit stuff out and get some feedback on pure support the other stuff that you get by kind of moving up to the the kind of pay levels we have what we go x pac which is all kind of set of extensions that provide some additional monitoring reporting at machine learning and many other capabilities that some people might need out of the box had Chuck into the free version and expect people are going to be using it in every application but for those that really need to do something a little bit more advanced machine learning side of it which i've got to get my head around at some stage looks typical And you know that's that's in there kind of pay packages where you can kind of get some of these additional features if they apply to your business what you'll building as well right now. With x pac originally a closed source product that became up with socially. Where would it. Where did this come from that. Originally some years back. I think kind of it was hidden away. It was kind of in a repo. No one else could look at an to create a very keen on kind of being open and free where they can and so this whole of that was opened up so the kind of say how it contribute to it if they wanted to and put in feature requests which is kind of mice important aspects of when this stuff is open as we seem with. Don't mat you get everyone from the community can kinda say. Why would not like to do this. And it's really good kind of feature pipeline coming into your product with not stuff's open to people to kind of see how it works and see what they need so that is now. I've been a carnegie. Look at it and you can draw. I think thirty days as well if you've got a new Custody eastbound up you. Can you can on for free and safe. It gives you anything that you can use. But it's interesting. 
I think it's kind of an artifact of learning to make a business around open source fighting that could At one time it's like i have an open source product in a close source product. And you can decide when you want to move between them that kind of thing and now that we're kind of figuring out that hey you know close source close sources. Never good idea. There's other ways to make money. Yeah i think the. I think the industry is pretty in the last few years i would say my. My experiences is starting to come around to this. How to open source libraries make himself sustainable going forward and i think plastic is an example of the company. That's done really well Found quite nice balance between his code. His waltz free on his the Votes on stuff that allows us to kind of grow in scale and continue investing in in the product sustain. a business as well as Ah giving services that people wanna pay for exactly. Yeah without without without the cripple. Wear fact right where it's like. Oh yeah you made it work for free but you only going to get so far that you gotta call us. Yeah that's that's just extreme. Vetting people isn't that what you've got something that works for twenty percent of the time and you try and scant how i mean. It's it's no longer going to work for you. Yeah it's like. I'm sorry we're 'gate-keeping on that right and it's that's your relationship with companies shouldn't be damaged. You got me. Yeah is there any kind of Monitoring and alerting mechanism built into elastic. Search say i wanna know when certain things happen or certain records have particular values and just alert myself. You know alert my code. At least maybe a web head that you can set up in the cabana side of things i would. I would probably have to answering that. Until i've played around a little bit more and to see how it would hurricane okay. It's it's definitely something you can set up coban. It'd be nice if we could yet provide a mechanism to have a hook. 
The incomes back in. I know this the stuff that's being worked on around that we have a bunch of or we have a couple of things in the stack the kind of support just enabling this Really easily so we have looks tax. Which is something that you can still run to basically ship any kind look file into elastic. Search which is quite convenient site. That handles things like again. How would i like to go to random. Csv fall that's produced by some service. How do i interpret that data. Decide which pieces. I want to take again how to transform those maybe Ip to two geolocation cups that kind of stuff and then alongside that we have beats which is all data shipper offering well so you can still on service in a number of applications to collect data about them as ever running and pushed that in. And then that kind of stuff that you can then hook copy in bonn to get your your dashboards than your monitoring for the top off. You're getting to that place where it's like. There's enough different pieces here. The people sort of What do i need it right. So i think that's always the challenges too much choice s but i think about this stack is you can kind of you can start with. I was elastic search which was in the coming previously wet for we were initially just using full searching across kind of data on the website approach with a job board platforms offers and service as keeping people wanna do against his such job spy title by different price categories of what salary they're gonna get That was kind of where jenny started and then very quickly realized. How can we can. We could easily such will logs using. So we started pumping looks in Look stash going when we got what in we can search over them. But wouldn't it be nice if we could have dashboards. We cabana look. We can sit alongside this and start building up so. I think that you can take the slow on boarding ramp if you want to or you can kind of. Just stop drinking from the Of tech if he buys requirements ago. 
One of the things. I've seen folks talk about in the context of alaska searches. There was a lot easier to build this cashing searching tool across multiple data stores. What to try. And build the low level you know. Mother of all data stores right at the data warehouse approach where we consolidate a data from all these different places. And then you've got to get to go search and so you had that you created this huge mountain. You needed to climb and lasser bypass at all said. Hey we we're not gonna hold all your data just figure out what you want to search on no matter where it is and then you are on it. that's it. yeah. I think. I think we kind of as we towards mark services and the manger does on that kind of stuff. I think people are getting used to the fact that you'll use data stores for different things that are best suited for and you necessarily stole the same shape of data you're just Applicable to out go to blog. I walked to full-text such So i have the title in the body and a few categories i stored in the search engine side and then maybe for the other parts of the database you will maintain anymore relation to why you keep that over some routes and you have another service that manages the that are nicely the fact that you have multiple parts of your company running each of their own databases is not a sin at. That's okay. They all made their things their way. For their reason the fact that we can aggregated independently of them and not. You know forced them down. Some particular past life is easier. We've got enough compute. Maybe that's the change. We have lots of storage a lots of compute. We could afford to keep things in different locations and consolidate the gags brought it up before richard G mail who who expected g mail to become the largest database that i manage messages. I don't know about you. But i my inbox. I never delete anything. I'm afraid i won't be a box of dum. I'm afraid. I won't be able to access something that happened. 
You know years ago. When i need to know what that was. Yeah that is people's reflex. We're we're definitely that point. I think in the industry is so much information everywhere. You put it in slack you at an email. You've got it in wicky. An is going to be real challenges while we have a elastic. We have a product called enterprise. Search kinda geared towards exactly that problem where you pointed at your sources all of these things like salesforce and whatever else using Install ingesting that information and then give you kind of a a centralized search point in your company over with that data. The maintain A pathway taking with that kind of data explosion problem that. I think we're having now the stuff everywhere. This information across all of the things i used i really wanted. And it's not gonna come from anyone big vendor because that big vendors always gonna preferential is there data sources. It needs to come from a search specialists that that it is agnostic to the source. Exactly yeah i think. That's i think the advantage that we have is trying to sell the things that create the data. We're just trying to make such a really powerful and fun experience. So i think people you know we want you to be able to plug in into your applications to power those such but it's kinda make such across your enterprises easier in a from that. I'm thinking that context of as the someone who's who's Architect for enterprise had yeah. We know we're gonna we're gonna rely on search engines. That are agnostic sourcing. Because just because. I'm not saying that anybody's doing anything wrong. It's like that way. They're sorta kinda equal opportunity. Then we should be able to take data from anywhere and index and. We don't need to do in advance right all of that old data ingestion you know. Transformation tooling comes from a time when we had limited amount of storage and we're trying to make its Quickly i think we have that problem anymore. You you just scale out your. 
Yeah the whole reason. I think we've kind of salted realized that relational databases on the one and only salaciously need just because it reduces your normalized data structure. Jeez size on disk which still has its places but a lot of the time you've got you're dealing with documents said a more realistic level code already and so now you can just index. I straighten Posit the object represents whatever you want to index and we'll policy Yeah i'd wherever that source may be right a again. You don't have to ram the square peg of your data into a round hole. Just look at it as a square peg link. You've got some documents you've got some blogs those that's fine index at all Do you find like we're the hard parts in elastic search. What is his struggle for indexing certain kinds of data. They're harder things to analyze that others. I think the two areas. I see people struggle with the most about the heads around his is getting a getting the head around the dsl fu. How you query is a bit of a challenge because you've got so many options about how you act y'all gonna acquire this data particularly starts get into full tech's she needs to start thinking about what kind of language analysis might be happening all night. Which kinda stop words. You don't care about what kind of normalization of that data. You want k sense to do you now and then you start to build up the quite complex queries say well safest in here but ranked higher because it's title if not safe. It's in the ball. Deba give it a slightly lower ranking And then if you think your typical website said she'll you'll have a keyword search then mice shops now will have office Styles on the left. That say cabinet in red. I wanted to be in no more than two hundred dollars. 
All of that kind of information needs to kind of get filtered into the search you before we say mapping that into the can be a challenge at first and two kinda gross kind of what that looks like I see people without Occ people struggle to translate that into the dot net sort of fluent syntax. We have in our society. We tried to keep it pretty close so that you know if you spent a bit look fairly similar. But you're no jason anymore. You're in cut dot net tight code and that's totally not in chase that any more. Geez louis sorry but it does sound like over time. You're going to build up a body of knowledge about your data. That elastic search depends on gets better at querying around. I think that's the thing i think over time. You you understand the data that you have. I think the key thing is really nice to this time. You wanna still the day to now. Just chuck it into something Stole that data and then stopped understand. How can that be used to power the business mother. That's a typical search or machine learning that you can do over the top of it as you start to ingest stuff overtime a not so stuff that you kind of figure out lights are on elastic. Search site has this concept of how you map the Timing been fields on that data looked like but you can always like time. But in a new mapping against the new index and then re at content that you've already collected into seasonable form for a new search experience. Oh new aggregation experience that you want to provide a new filter. You didn't have before right. Like i think about later. 
Talk about your initial contracts where you're searching across multiple data stores and so you've got to figure out the relationship of the customer the name though sort of classic glossary terms and i like your description of like the then you've got filter criteria only the red ones like that kind of thing but then you add in something subtle like sentiment analysis should an interesting tool right and once you have them analysis but the fact that it would just appear as a filter Just be a new filter. That would would operate within the system and that's kind of fun for the folks that are trying to find opportunities in the in. The company's data is like one day a new filter appeared. It was amazing. What happens if you want to use last six search. Maybe people are doing this. Maybe they're not but starting with you. I've got some relational data in a sequel server in. So the first thing i need to do is turn that into blobs documents and you can do that with the right queries and all that stuff Are people doing that. Ingesting data that starts off relational and turning that into you know taking the first step of making it duck documents centric right and then the second step of ingesting it in expecting to have the same sort of fidelity of search and retrieval that they're used to being very specific about what they want in a sequel search for example. I don hey a specific but sure it's going. i mean i know again in my previous role. We had a historical system where all of that searching. Philip jobs was done in secret time. Msa quill and then we realized actually that we're having to beef up the who serve as to handle the semi still not really getting the results the really matter and at that time it was just an exercise of cable. We'll have a a scraping utility don't scraping utility that squaring out of sequence transforming it into an object and then index oak index back into elastic. Search that stage we were able to them play around with that tightrope. 
Bit more and sack. Well now what does a full text search over this return arc. These results archie far more relevant to what the us miserably looking for. Because it's it's doing that as a side kind of text analysis and tokenism kind of words that you probably more interested in from the body of the text that you're searching. Yeah yeah it is a challenge and you know is. Is it appropriate. I guess is what the question is. Is the air the people that are doing that. Just because the cost savings or the You know the the they want the cloud infrastructure that they might not have. Maybe you've got an on prem thing i mean do you. Do you deal with customers. That have those problems. I'm sure our consulting business do yeah. I think it's a very common thing that people trying to decide if what they've got today is the right thing and if it isn't the right thing what is the right thing that they should be moving to An elastic in my be of other. Document dykes basis that. A gateways other things. That might be columbine. Cassandra that kind of stuff. But i think that keeping is is kind of doing initial analysis of not necessarily what the doctors but what are your actual requirements from that date. We'll do you need to get out of it right. And then you want to fool me and structure in store where applicable. It's a constant challenge. It's the world we live in. Yeah any sort of that reality of you've got some people with sequel skills here so they keep trying to ram the tech search and in document exploration through sequels contacts. And you get some results but never quite where you wanna go like. Are you doing this. The hard way to sound like sign pops out of the machine is like you're on the bat. He you know you got something working you trying to get more working got imagine it's quite a breath of fresh air when you get your head around alaska search at some of that hard stuff just becomes trivial. Yeah i think it was something that was. 
That was one of the once we understood how to get it in an how to query it actually results coming out from day one. We're better than what we had to cheat. In any way we just use the analysis and the auto configuration of most things and it was just giving us better results off that you can start saying okay. Well maybe this. This particular field if matched Should be boosted up. It should be ranked higher in search results and that can be as simple as someone's paid for a premium listing on a job. Board should results in bubble up high. Because they're not premium is kind of flags can easily be enabled as well in results. Which you could do. A sequel purchase a lot of code to writing that boost algorithm. Yeah why right if it already exists in this other tool. I think i remember having a chat to the timing. I think these kind of databases e. scanty be as a bit because it's like taking stuff out of your secret database. But that they were very kind of guy. We'll give me the quirino running. A query analyzer. And figure out how to make it foster and you can do that but do you want to be doing that or would you rather just store and something that now. He's how full-text such works at Is designed for that job and could just do it out of the box. Click about that does seem like that's the entry drug is we need to do full text search. Here's a here's a set of tour and then you then the other stuff emerges with with value and before you know it is migrating to elastic cloud s. That's the way that's the way forward. That's the way that's right Steve what's next for you. What's on your radar. So i've got a little bit more end with Preparing for the seven eleven release of elastic search which should be an style. Two years we were quotes. I paid for that And then for my side of things of started livestreaming which is kinda crazy. 
Scary experience of coding in front of people So i'm having a gun doing streaming around what we're building act in the client prototyping performance optimizations kind of stuff. So that'd be my twitch channel. I'm just stay over there. And then that will syndicate over to my youtube channel. Which is code with steve up on youtube content. How kind of elastic search. How you get stalled if that kind of thing good will keep us informed if anything happens. That's that our listeners. Wanna know about let us know. We'll have you back on all right. Thanks again stephen. Thank you for listening. And we'll see you next time on. Dot net rocks dot. Net rocks is brought to you by. Franklin's net and produced by plop studios a full service audio video post production facility located physically in new london connecticut and of course the cloud online at p. wwlp dot com visit our website at dot any t. r. o. c. k. s. dot com for rss feeds downloads mobile apps comments and access to the full archives. Going back to show number one reported in september two thousand two and make sure you check out our sponsors. They keep us in business now. Go write some code. Cnx time lab.

OWASP Purpleteam with Kim Carter

.NET Rocks!

50:15 min | 4 months ago

"This episode of dot net rocks is brought to you by our friends at texts control. They're not only the creator of the full featured document editor library for dot net and angular applications but their libraries also support powerful. Pdf functionality instead of programming pdf documents. You can simply use microsoft word templates and merged with data to create pixel perfect pdf and pdf slash. A documents also fill lable form elements like formed text boxes check box fields and dropped down elements can easily be added to pdf files. Txz texts control provides developers the complete solution to handle pdf documents in business processes. Check them out at text. Control dot com. Welcome back to dot net rocks this carl franklin and is richard campbell. And wow it's going to be a good show carter's here and i'm one of my doing what are you doing. I'm working on blazer sliders on of course you know with cheese and cheese and onions. This is the it's been four shows since i talked about it. Yeah but it's still only second of march as we record this 'cause we included blocks but i'm loving i mean basically got something working and now i've just completely made it better. You're always way code man. that's i am. Most people watch you know net flicks. I write code now. I'm not that guy either. I'm happy reading scientific paper making good notes and finding something. You can't tell anybody a my wife just instant iro. You did what with wear how all right. Well i got something even more blazer for better no framework. Sorolla crazy music him. What more blazer. Well i'm going to talk about blazer virtualization so this is something that dan ross talked about when we talked about dot net. Five right and blazer now has the ability to show large sets of data in the u i only grabbing from you by calling a method right that you have to implement when it needs data and how much it needs some kind of a lazy load thing. Well lazy loading is. 
I don't want to confound that with another feature of dot net five blazer which is lazy loading but that's lazy lazy loading entire al component right. But this is yeah. It's of like lazy loading when you talk about data access. It's on demand. And so i did a blazer train episode about this. And what i'm linking to in you know. Seventeen thirty four pope dot me is actually the documentation from microsoft. But if you go to blazer. Train dot com look virtualization. You can see and download my code. The demo that i did first of all generates five thousand person records right and saves those two jason foul turns out. It's ten megabytes on file perfect k. A saturday night at my place. Yeah okay right so it begs the question. Why are you trying to load five thousand records in browser at the same time then. Don't do that but you know we have customers and customers want what they want right. Even when it's dumb now my brother used to do this access and it worked great. You know so. We want so you can actually do this. You can be efficient when you're displaying. These large sets of data now. Of course you have to download them all but don't necessarily so. Here's the thing if you make an api and point then has a range of records to get to induce some paging. Yeah you think of it like that. Like i want starting at ide- one and going to id twenty and that'll get me the first twenty records right and then as you know you you go on every time you get this call you can go back to the api and just get the records you want and so the experience to the end user is wow i'm i'm scrolling through five thousand records here. Yeah it looks like it whether you are not the other question entirely. It just looks like it but that's enough. I mean that's what they're doing that you can't tell them otherwise but the thing is just with virtual is if you do that scroll to the top page and you get records you scroll the bottom page. 
Twenty records. Now scroll to the top page again and you get those twenty records again, so the next step would be to put them in a cache, a local cache, and now every time that we go in we wanna get some new items. We go through each item, and if it's in the cache that gets returned, but if it's not in the cache, go get it. And instead of getting them one at a time, which is crazy, I actually put them in a list of IDs and then just go get a one shot to the API to get all the IDs, all the records that aren't in the cache. So it turns out to be really uber efficient when you have a lot of data. And get this, Richard Campbell: I'm going to use this on our next, the next version of dot net rocks dot com, which is gonna be minimalist and all Blazor and virtual states. As long as it's SEO friendly. That's what I care about, is being able to find us. It's going to be SEO friendly, absolutely. So that's what my Better Know a Framework is today. Learn it, love it. Good. Who's talking to us? Grabbed a comment off of show sixteen twenty five, which is the one we did with Victoria Almazova from NDC London in two thousand nineteen, back in mid the before times, when we were talking about security and applications, and we talked about OWASP in there. And I know we're talking OWASP today, so I thought it'd join very nicely. And Victoria dove specifically into: listen, these are the things you should be doing in your applications to sort of get security in there up front. And JD has commented. Middle is two years ago now. His twenty one. He says: I think the change of mindset is not "don't trust input" but rather "assume malice". So I think JD's a little on the foil hat. Absolutely. Developers are optimists. True. We tend to test software while working. We develop blind spots because we use our own software correctly. Bugs, exploits, don't get exercised because they require us to use the software, quote, wrong. We need to stop using our software. 
Right, we need to assume that an evil genius knows the code as well as we do, wants it to fail. If we can't make our code break, then we have not thought hard enough about its threat surface. Yeah, all right, fair enough. I mean it's a little on the paranoid side. But just because you're not paranoid doesn't mean they are not to get you. It's actually not bad. I mean you do have to at some point assume, all right, how do threat assessment and figure out how would somebody get in here. Yeah, what would a bad actor do, right. I even went into internal employees. Know over on the RunAs side we're having these conversations like, listen, employees breaks off for all the time they utilize exploited. Like this stuff happens. You've got a plan for. JD, thank you so much. Your comment very relevant to our conversation today, and a copy of Music to Code By is on its way to you. If you'd like a copy of Music to Code By, write a comment on the website dotnetrocks.com or on the facebooks. We publish every show there as well. And if you comment there and read on the show, also copy Music to Code By, and definitely follow us on Twitter at rich campbell. I'm at carl franklin. Send us a tweet and don't worry about scalability, we'll handle that from here. Email scales pretty well. Yeah, so with that let's introduce back to the show for the second time Kim Carter. Kim is a technologist slash engineer, information security professional, entrepreneur, founder of BinaryMist Ltd, founder of Purple Team Labs, OWASP New Zealand chapter leader, Certified Scrum Master, facilitator, mentor and motivator of cross functional self managing teams. Holy crap. I'm just a musician writes code. How are you doing man. V back next goes yeah, how's New Zealand these days. Not an as much lockdown as much bluish. The wheel of saying yeah. Didn't you just have on their wilkins. Auckland's, Auckland's gone back into them. The lockdown malleable fair. Believe in when to which is pretty mild.
Men's we can still get out and just go to the social distancing thing with masks and stuff on it. Yeah yeah yeah here. there's been. I'm the mosque shootings and stuff like that has been dry. You guys have had the full meal deal in the past decade. No two ways about it. But yeah. That's the i've i've always kept notes. 'cause i'm proud of the ghee coutts around how cities die. You know just this idea of like. When does the city end. His has happened in the past. It hasn't happened recently. And the christ church earthquake like there's whole neighborhoods that got red zone that got shot down and and people bought out even against their will like it's just fascinating to me. This idea of the. I felt the government did it responsibly. Although opinions vary of course in the sense of getting people out of off of ground that they used to have homes on. That is no longer safe. Yeah yeah original place. was That was in the weeds on but it was it was it's it's it's pretty much ruined now it's livable but it's not insurable right. Yeah because who knows what happens if another earthquake shows. It's just it's to me. it's very fascinating admittedly. I'm on the other side of the world man. It's an academic exercise. This is your home. That's hard you know the place that you built and that's important to you and your family was that so i mean i hope you're well know getting through that it's only ten years. It's not that long. Some of the teenagers at the time Did a pretty hard luck boys Twenty even twenty four and did it pretty hard. yeah. I have friends that That that went to auckland and then it because it took she took years to get that resolution done in an ultimately they were red zone. But in the meantime they were kind of in limbo is like why are we waiting ear. And they went back up north and And they've never gone back with just started rebuilding. The city seemed to cathedral. It takes way longer than you think. 
Well thank you takes a long long time to deal with these things and who knew the ground is different. Like things have changed. It's hard to think in terms of what that looks like. So can you remind us, Kim, what OWASP is and the OWASP Foundation? OWASP is the Open Web Application Security Project, so as a worldwide organization his a whole lot of resources that has like this chat dozen cities in the world in polish chapters responsibilities to run meetups, run conference. Vince in other talk vince. Nice little thing in his project so out of which which is individuals. Decide that when a credit the software project in Ask i was with. I want to adopt it. So now in is all sorts of learning materials, of learning materials for people that want to get better at the security. It's pretty much what targeted at software engineers and developers, so it's a combination of learning materials and suggestions are best practices told code examples tools, all of that. So it isn't like something that you just install in .NET. Oh I got us squirted all over the computer. Good at a top ten list in my prep here and lay that SQL injection still number one builder services ad. Oh uh sp- yes so it just injection now but used to jeff is now just because there's so many times right. Bottom line is this is just. It's kind of nice though, diversifying, because it also speaks to just SQL getting exploiting it. Is, you know, vulnerabilities in operating systems. It is held up like there's other things that are vulnerable that allow a hacker to inject instructions into the server and changes behavior. You mean the last time interviewed medium. It was my book series and our kevin moist delays in book series. Yeah, and they're all things we could be doing. So BinaryMist is your blog right now? So BinaryMist is my business. It also seems to be my online handle in most places.
Just because it was before the business haven i say and then purple team is what so apparently teams i security immigration tasting says for we're progressions in idealize and it's just sort of. It's my put it on top of the pit team labs nine so that next to build talks in the future weekend taming lactose all right and it looks like year It just went alpha. Yeah yeah yeah more about. Yeah so it's actually being about three years in the in the workings so i so did a perfect compensate Must been four four and a half years ago and basically it to make. Ups and conferences owen wilderness. Just two minute to elicit develop a feedback in workout with a develops could get use out of end in building. Something like this would be. It would be a viable product developers in teams to catch not security defects as being introduced as county and a genetic walls side by dived into end. Spain's sort of To have the years. Tighten the proof of concept alpha release and staying on top of a day job. I'm most of the time So so i'm a consultant side so dante wig. I'm doing I think most people know the concept of like the red team being attackers and the blue team being defenders. What's a purple. So he has a few different types on. This is that it's just development team that understands both the understands that it is under a tank. It's code is under attack and that also nice headed a defend itself council and it's basically a cli and a back end that you you basically go looking for defects and then give you some advice on how to fix them. While the effects means security vulnerabilities. Yes yes so. People teams The project is is it. So what. Scott scott scott three ts in the baking now to actually implemented a stopgap the application distal which was the mind tister which gives people the biggest bang for buck. At the moment is is the mind. consumes any messiri county. It's consuming zip. I was present. 
Which is nice tip into into saving proxy which actually does most of the work looking for evicts in requests the proxy Using selenium and the scanner itself which is the taste is responsible nafta how the misery and in the orchestrator which is a front of which takes its requests from sale. I actually orchestrates the whole baking nice. It looks really cool. It looks complicated. But it seems like it's easy to use once he set it up here this up involved in it so so that's why i decided to create two environments so there's a local environment in a cloud environment local environment. I've put into. I wasp so i was some environment. And basically means that type people can see it up the whole environment in the saline on on systems. Now the cloud environment this assigned but over beckoning to sit up for you. I typed away a lot of work. And that's that costs because we have to look after the infrastructure right so it strikes me taking adding his two digesting apps like adding tests soon existing project like. It's just going to be a bunch of work to do well so Instead of actually writing tastes longer need to go at them so audio with the perfect concept and in with a what a lot of people are doing with the pipe is actually writing tests tigers. Api pipe in the reputation. So that the hidden in the Checking in in the sale. Oh i basically onate. Today's blood the ceiling. Until you build and run pipkin taste in all of this taken care of for you right the banking smart enough to know. I'm have to gobble up testing in in. What sort of things to taste for you need to do is build user. Which is the developer. I'm inserting the pupil team sale. I n t bill pipeline is some this decried a small jason fall which which describes you routes Some of the fields. In europe's some will think the kitchen aside it so the top team noise had a log into your application in So this teast being retinal so in so the idea is that it's it's much easier to get them. 
Set up and going and you don't need to tastes. What are the most common security flaws that you fi- enemy if you have you're looking at your customer data or not, but some of the most common things, the threats that we find in everyday software? It still the top ten. Basically injection, injection, injection. But I appreciate the number two being broken authentication. I have seen a ton of that. Recently twitched abundant designs of authentication. The past few years and feel like there's a lot of demetris of bad authentication out yet. Well the thing is the keeps getting hotter as well sign lot. We keep getting these bells and whistles to. I'm so that we can see within the guy on a distributed idealize and stuff like that and it's getting hab side moments nights happen, right. Yeah, you're more likely to do it wrong. But that doesn't excuse the likes of a SQL injection. What will i would i now. We all understand what it is. That sake she not. It shouldn't be that easy. To mitigate i saw that difficult to mitigate. No, yeah, no. I'm stunned. I keep waiting for injection to fall off the top of the list. Only good news I can see here is at least they're talking about other forms of injections besides exploiting SQL. Yeah it is also lock less probably about teen of the memo broken up in different ways you can go on exploiting in mitigating. Is it, is it just that apps are getting so complicated that we aren't able to keep up here? He saw. I believe it is a lot of the. Also believe that. It's a lot of chin out. Developers say a lot of developers are juniors, intermediates, in just seems like a lot. We've still got a lot of young developers another thing. That's really ever gonna go what I guess. The field attracts now. Young people young shot. There are worse things in this world. Right, you'd hope they get better at two we don't is it just. Is this leadership not prioritizing security? That we just don't seem to be getting on top of this.
Yes so this sort of another discussion. So i'm one of those For getting some ladyship into the development team and getting security experts not leaving tame stein in the development things ceylon. You've actually got some security experts within team late. I'm here so they like to kolyma A security champions right. Yeah which by sleigh just helps waste the team to upscale on security concepts and you watch a lot like a scrum master to the and it's really with the i to try to integrate security in as you go or that you make sure you putting cycles into retrofitting security on application So you're the yes you don't wanna retrofit Because it's sort of like getting towards what the guy develop the location now. We seem to penetration testers in. It's just light in developed lots. Tear it apart. It's too costly With security Tripping over the top team. When i should be looking for a more obscure issues right otherwise i was top. Teams shouldn't even exist by the time. It had the team penetration dishes. That should have been waited out during development. Is that ever actually happened. Kim that somebody passes the top ten right off the bat. Not really a top two if you had reasonable indication that no obvious objection tax. I'd throw a party then yet. Vows get Some organizations doing really well in some an engineering teams. Doing really well in those the ones that actually understand that this is a thing it's important to to wage security defects out during development in. Tow lop get some good security static analysis and analysis tolls for good toast. The problem in in china couch. You coaches gotta be one way thinking about security. A journey spoons right. And i got imagine after some practice like this is just part of the workflow at security's layered into the whole time. Just got to get over that initial thing is it doesn't take any time either once you once you just sorta the adding you told up. It's all salak. 
It becomes part of the bill And then as fix papa than have not a bill running so triple team a fits into like a naughty bill. Really well in the developed was common in the morning then realize on i Laughter vulnerability watching card lifted the vulnerability in the end of negative report. Shows me Vulnerability is gives me a pretty good idea where it is and gives me a gun. You have had affects. It's actually pretty trivial defects at that point in time. Yeah i just put in the cycles. Then yeah you mean the gist tonight. Ron but that's the question is do you remember. I was exactly where i was going to go like. I've tried to get a test. Labs down to fifteen minutes that would you push you push code. That have it. Gone through a turnaround tests in fifteen minutes. Was i figured that's about as much time as it takes me to go get a coffee and come back yet right. Yep yep so you can get some security tools. Like faust running security total static analysis on mainly in in insecure libraries Until bill part one other. Good felicio about for Thing that's generally with lakhs of paper team will put right dynamic nominations Because it takes a little bit longer normally. Yeah also appreciate it. That's the first thing you see in the morning is the security report from the work the day before. You're likely to pick that up at work on it. Like the first efforts of the days clean up the security problems introduced yesterday. Then then you can go onto the next things. You'll the good thing about team also is that it's got some. It's got to control on their Wind development teams pick up a brownfields projects in good existing defects. So you can go out. David count To county is in want to live right side yes off. 
You've got existing bugs in the you can still get a clean bill of health until you decide to take some of those existing dates writer so the at least you're aware carrying reducing new security issues before you before you managed to burn down all the old security issues that's pretty smart but it's a sort of a recognition of yeah. Somebody's going to go in and spend time in that module burning down the security concerns we have but new code still needs to be written at least give the rest of the world. Some you know. It's hard to prioritize security features. They don't look like anything when they when they're finished. That's right yeah unless it slow we introduced. Mfa and annoyed everybody. He's like regulations. We're more secure. We've added if they go get your phone. Let me teach you about authenticator. Yeah you need to balance a usability as well. Yeah i was. I ended up in a conversation about flipping password. Managers again the other day and And one of the points. I brought up to someone that really resonated with them like now. They wanted to go look not securing passwords but actually having a list of all the places you have accounts and the fact that you have not logged into that account for years like maybe you should go delete that account like most people just not aware of the effluent of accounts. They've left behind incites. They never went back to again in potentially still using the same passwords using now they only use the same passwords decrepit and been exploited. Now that pass result in the while you. And i'm going to interrupt for one moment for this very important message. Have you ever wondered. If you could be offering a faster less buggy application experience for your customers with raygun application performance monitoring. You've got all the information you need right at your fingertips to find and fix errors in performance problems across your tech stack down to the line of code. 
Reagan makes it easy to monitor the impact of your performance. Improvements quickly identify and resolve issues. And see how your code performs in the hands of your customers saving you time and sanity visit reagan dot com and join thousands of customer centric software teams who use raygun every day to deliver flawless experiences for their customers. That's reagan dot com to get started on your free fourteen day trial. And we're back it's donna iraq's i'm richard campbell. That's karl frankly. Hey hey here's our friend. Kim carter lay down in christchurch new zealand the side of the world the end of the internet so to speak if you look at the undersea cable maps. Boy you really are in a corner down there. So being an internet security what a fun combination of things have the new architectures new approach to building software like pushing pushing web apps in the cloud. Does that help us with security to any degree like. Is this a good so i think it just changes. It not really helps youngest. So there's pros and cons do so basically just means that you've got to switch to focus to To the clap of oughta out. I doing the job properly. If using addiction. So i cloud provided. Generally the answer's yes in its fram. I'm disdains tolling options knobs laser available that spicy. What's chinese too. Because i exist. You just need tonight. We're lay on what they haven't had a use them showing. Yeah and and often. We don't do the minimum to get up and running and then we're busy doing the work and not actually looking at it over on the on the run as side done some shows with a guy named dana. Who's siri serious about security. And we talked about the fact that the defaults in stuff like azure are not necessarily about the most secure features but about the ones that create the fewest number of tech support requests. Yeah it's actually a lot of asian is like the The emissions tonight. Wac man. 
You guys through the documentation in general Tell you to do is bisi leaving everything open to start with saying get it running. In the back down lighter the lighter actually come into role and herein lies same-store. I build the apple. Add security later like he's not what they just describing to now. I mean that being said it is a valid point of while. You're trying to get things working. You are gonna bump security problems which are likely to turn off if they aren't already off until you can get to a working state. It's just a question of when do you turn it back on you. So have done. Some with was sitting up Sauve lift things. I've been until i understand what's hidden in guys to lock it down a lock everything down and then just watch the years and by she just through the logs in an open everything that i need to open up this spicy however. Take right yeah. It's still a question of like i have. I locked down. And now i get. I do get to a point where it's like. I wanna lock lockdown enough. That i can actually see that i'm breaking something that these changes your permissions actually have impacted something or education window pops or something. Give me a sense that. I'm actually twiddling a knob. That's attached to anything. I've talked. i've changed. Settings run it no differences. Like do those settings do anything. Yeah i don't know the answer to that and it's also a big push on and certainly in the it space. But i'm sure this is true. Developers is like you're typically running on account that has way more privileges than the normal user. And so you are never having a normal user experience. Yes i'm using. I'm using tearful with a with a cloud infrastructure which helps a lot but so basically say i'm at the end of the dioxin t of the whole thing down suck up with paypal team. Got five the Stat coach sits up stuff by neva. Ta damn permissions and stuff like that and Quick which needs to be run after the steady just sits up the network. That also. 
I pretty much i static. It's got some taylor. Tickets and other things as well in the kitchen in container orchestration in the actual ipo Votes the Gene need to be set up an order and the titan From the previous ribs puts the good thing is genuine. You guys thrown your cli- though he's worked a few permissions on what you say years straightaway. Mike right mike sitting up. You mentioned some quite. I wouldn't say easy but the direction Place and you can put a twig Permissions in ways. Liaising while i appreciate that. Those tariff form roots are declarative. So you can see them running step by step and they generate an error the point of execution rather sometimes later like so many times we said about security permissions and then you gotta run some other piece of software and have it fail to be aware of what those permissions redoing. Yes yes you ought so. Generally by sea wants once you have applied overlays here from words. You don't generally have many other problems and tim's of permissions right Narrowing down the scope and And hopefully eliminating some dumbness from your life. He you know. I'm a big believer in these sort of declarative infrastructure is code models. Just for exactly that. We know exactly what you're asking for in and then lets you know as you do it whether it's working or not What it won't do is detect when you forgot something when you've left something off just when you go to a ploy that splice doesn't work any something else. The pins on that thing that you've left. Yeah the the one script you don't know works for sure is the last one you're in. The previous was probably right because the later ones ram but the last one. I don't really know use of the last one. Fasces the ip in its year which is which is good because it means they should just not smoke this. Yeah now you run your typical tested fire. 
All the api's and see if they work in that that'll give you pretty clearly if that last gripped right now and it's good to have that harness piece on it should we dig into some of the other areas that purple team pokes like. Where would you find. What is it good at finding so it's going to depend on what taste as applaud done. It's it's gotta plug a block teach. You saw the moment. I'm as i mentioned. Just the Plugged in the gotta serve scanner in tailless. Not chicken out of of the stubbed Once i commented on the new beginning results for you Ciphers and via civil scanner huber getting results for us it configuration Quite different from education at yet is mentioned. The main reason why the application was done. I was because it was it by hit. It finds the biggest abang about deficts than you're not cowed couch running application Ipo is around in bisoli yet. Fonzie in the top team plus a lot of the stuff. So i saw him and says his mind. Go in and out of the coating. He's got in yet working tirelessly on all the time and so the Associate community now. The communities always adding an extra plug ins and stuff like that is well to find additional fix now wonderf- zaps at a place now where nobody could pass everything. That zap has built into over fifty two distinct proxies. Some bibs wait now but that sort of the same level new is very clean and device in to clean up to use the zap in lease clotted. But then also feel zips a bit of digging into some of the more finicky sort of issues and it just seems like it's got more knobs and controls on it and this is another free to use the tool or they have a free level pay level nine not so free step so free but it's being consumed by nasa mouth organizations as well. I'm inserted into different products. Paid for products right. 'cause i've i've talked about burg on the run as side as the sort of something. You run on a routine basis inside of your network to sort of find new vulnerabilities. It's it's sweet spot. 
I think is also Ipo is it's it's it's it's targeting the same sort of by says right as A by that yet you do these kinds of scans or poke at these apps this consideration for it's an internal only app inside the firewall versus in italy facing out at the moment. Not really. we've got to go to a beck lago item to At eight auditing that it's it's that's not done yet. So the cloud does it can actually also zip. A pupil team can hurt anything. That's it can save on the internet and the local instance actually can have anything in the cloud and anything that can say within unit. Okay and i guess. Con- context matters that case. You've got an internal only app in. It might mean running different privilege levels and and Way way that it's going to get exploited is different cowardly Used the local environment. Which is i want to know. That would be the be. Speak for your internal stuff right and should turn it up you. Are you supposed to always question. Of how security. I need to make attornal apps to now. It's just as secure extent of because at least fifty percent of a take. Come from with a come from within organizations right. Yeah whether whether they it's a somebody carrying an infected usb key the organization or a disgruntled worker like there's a bunch of exactly so it could be ultimately coming foam external about the i've got a foothold within unit with Or lightning now exploit these other apps or could lead the disgruntled employee. Yeah i seen both scenarios that any comments on the whole solar winds thing. Cas i feel like the security folks are looking at this going. Holy man is a whole other set of ways that thing. Yeah mom staying out of. Yeah yeah very very high level state actor kind of this is what moderns cyber warfare looks like today guys carry on on it. Yeah it's very different from just in terms of thinking about bad actor gets into your network a modifies your source code distribute to your customers that allows them to be exploited. 
That's a different set of security concerns. He is smiling is very clever. Very clever what. They came up with no two ways about it. And i don't know how we defend against this ultimately how you have a trusted vendor. You've used many versions of software. What happens when one of their versions has been exploited. Do you even pick that up here. So you can only hope for the beast really applaud. The hyde for the yep. Well it was. It was a security vendor that founded in the first place because it was doing unusual communications it was straight up point port monitoring that found this piece of software which is never talked this way before is now talking this weird way to an external server which to russian of this thing so i'm so often with the take will the good ones when they're on. The traffic will look like any other normal. Aphids point of of succeeding is a is an attacker to might. You look like normal driven so that it's not Yeah that's that's that's tricky and it's definitely a different level of thinking around what you do to secure your app versus what you do when you're under attack exactly since response when you're undertake which channels always look again at the oas thing it's like. Typically people aren't picking up that they've been attacked for months and months yet hundreds of days hundreds of days before detect the act that you've been exploited and a new solar winds was no different than that. I don't know how you improve that. Like what is it. were probably logging. Everything just looking at the logs he is. Nothing is just It's it's defeat some deep. Now there's a lot of things that you can do. You've got to improve everything right. Yeah just keep everything. Keeps plenty of information out there on what we should be doing Do we have budget to do. How do we not have budgets this budget to be the source of an exploit we put we take the time to put locks on doors even though they are inconvenient. These slow the access to the building. 
So what's coming up next year and alpha now. What is a beta look like for purple team. We'll just how on on the issues back twelve full of Issues too so For people using gone. Hey what about this. What about that. It the muslims coming from us. The developers right little with them realizing that with messed something else. Something doesn't quite what we thought it. Should we really came to get them. Additional hanes on to Get community feedback and that sort of thing so that we can still keep on mike On the great fit for engineers and it teams. So we got a Go to pick up a backlog. Autumn in the at the moment to build a doc so upping spend the last two weeks working on the documentation cleaning up making the flow of beta was a bit disjointed. It's it's it's getting bitter cause you to navigate between the show. I weighed in the repositories Plus documentation and yet it was sort of bouncing around a little bit at the moment Brothers because his quite a few components stood if you wanna see all up I luckily yourself right if you go with the cloud environment than high. Cecile i in it. So it's a lot easier and is not much time involved in the poked around the get hub repository for purple team and noticed that depending on the component you've got some mit license and some a gpl three licenses. You wanna talk about that Chain the purple team. Now repulsed. which is the sale. I type and so in on him being the whole free in arkansas. I'm louise in some of those components more restrictive if they're going to be used with another told like at what i've built on. I want the suicide code to be available. You want people contributing back like the this is the classic copy left like you're going to use this. Make sure you're contributing back. I team the cli up. You can do whatever you want with. That have really restrictions on that. The parents in the backing their logo different saif yang too type dies in modify them and monetize them. 
What right the arkansas in nyc That's very intentional. Licensing cam like. I appreciate that that you didn't pick any of these things accidentally. It's like no. That's where that lives you know. Make sure you're contributing to. He is very cool is a bit of time. Spent on the licensing. I've been thinking about the licensing for years but really applaud them. Comic floodlights licenses out this year. Right here very good. Cool man very interesting stuff. You take on a big project. It looks like it's still early. Days is still really really nice. Just hoping to get as many hands on it as possible. Right offer shirl. Hopefully we'll you know. We'll see some results from our listeners. Has they're interested in this kind of stuff. Yeah for sure. He'll get it all right. Thanks very much kissel. Plenty of avenues. miceli fade back. And tell us what you need. What you want right here near discussion. Glasses even on gab. Got there thanks. Go discussion discussion. We have private safety stock of discussion. We're i lost slept on as well. You look twice excellent. probably that happens. Thanks again kim. It's been a really cool things that all right we'll see you next. Time on. dot net rocks dot net rocks is brought to you by franklin's net and produced by studios a full service audio video and post production facility located physically in new london connecticut. And of course in the cloud online at w. o. p. dot com visit our website at dot any t c ks dot com for rss feeds downloads mobile apps comments and access to the full archives. Going back to show number one record in september two thousand and two and make sure you check out our sponsors. They keep us business now. Go write some code. See next time then.

MongoDB in the Cloud with James Kovacs and Rachelle Palmer

.NET Rocks!

1:01:46 hr | 4 months ago

"This portion of dot net rocks is brought to you by couchbase a modern multi cloud edge sequel friendly jason document database for building applications with jill dougherty performance and scale if you're new to couchbase and would like to learn more the couchbase developer portal is the best place to start. It's loaded with tutorials videos documentation as well as best practice tips. Quick start guides and community resources including couchbase developer community forum to get started developing on couchbase. Visit couchbase dot com slash dot net. Rocks that's couchbase. Dot com slash. Dot any t. r. o. c. k. s. Welcome back to dot net rocks. This is carl franklin. And this is richard cable and boy. It's been a while since we recorded a show. It's been a few weeks you gonna give you time off. We do a bunch of shows all at once and you get a couple of weeks off. They do a bunch more. I like it. it's march first right now. I mean right now as you're listening to this but as we recording it's march first than night saw. The crocus is coming up poking on today. Saying he here i am here i am. Don't worry life is coming back. life is coming back. Yeah it is pretty pretty rough winter. No two ways about it is pretty cool. This is going to be a great show but before we get the guests and stuff and before better no framework. I have a little announcement to make. I have put out. What i think is going to be a very popular. Get repo. it's called blazer sliders and there's a new package for it as well. It's just what you think but sliders is sort of you think like a slider that goes back and forth. But i'm talking about. I think about a hamburger. But that's especially blazer sliders right. I mean something. I want to order at chili's or burger king sunday but anyway yeah so so. It's multiple panels horizontal and vertical split panels. 
Right so you have a splitter in the middle and you can grab the splitter and move it left and right to the panels and the whole thing resizes when you resize the browser. You can make it take up the whole screen. It's Blazor, it's good. You can nest; right now you can only nest a horizontal inside a vertical. But I'm working on multiple nesting. I basically got it working. And now I put it out there. Good. Yeah, now I'm refactoring it and making it actually more efficient and less verbose and all. Now you get the me notes from people of course our whole product around your library and it's your fault there's and it's only been a couple of days and thirty download. Some not all the eric about it. Give them a couple more weeks to really get the hate on for you, right. So here's my advice. If you're using one point zero point one, that's gonna change. So, but the good news is that properties are being taken away, not added, so you won't need to do so much manual setup. It'll automatically discover who the children are and who the parents are, and it'll automatically figure out how to size itself. Right now I do, I have, I would require a little bit of setup in the parameters, but that's going away. So anyway, enjoy Blazor Sliders. Works on s- a server and Blazor WASM and... Yeah, but that's not my Better Know a Framework. Oh okay, well you better play the music then. Yeah, you better go now. You know you do it. No you fine. You got all right. Well, this is actually pretty cool. One of the guys in Avonex slack room, Scott rowdy, found this. So Microsoft uses this thing called CodeQL. It's a semantic code analysis engine that's part of GitHub, right. Okay. They open sourced it, so the idea is that you can use CodeQL to make queries to hunt for Solorigate activity. So essentially what you can do is you can have this thing. Where your code base and find the malicious bits. Oh, interesting. Yeah, yeah. It's pretty cool.
So I don't understand a whole lot of it, but it is mind blowing that, you know, you can just imagine just checking your code in and then, you know, GitHub says, hey, this is... or notifies, you know, malicious code. So it's really cool. Yeah, very interesting. And it's becoming a normal part of the pipeline these days. It seems for at softwares also looking for, like, accidental uses of somebody else's code, right, like you don't know right pace things like don't necessarily know where sources come from, so you can trace analysis across the board, just like where is this code from, that whole dependency chain. Yeah, yeah, for sure. It's good. But I thought James would like that, and now over to you, Richard. Who's talking to us today? Well considering alassio James twenty thirteen. It's very unfair to read, like, comments from eight, nine years ago. We should anyway. Not that I wouldn't do that. But actually I found a really relevant comment for this show from adult compatriot of James's from Jerry Miller's from show sixteen fifty five. Just show we. Jeremy met back in October twenty nineteen talking about the dot net core ecosystem, so that whole the what the open source community looked like there, and so we talked about a lot of different things in that space. One of which was talking about non relational databases and crossed crafts comment about a year and a half old now where he says: Hey, it's always interesting to hear from rockstars like Miller, but as a show was concentrated towards NoSQL noise right. Some of the statements were converts. Wrote not will put me off a bit. Like when Richard said why would it make the customer to decompose objects. Just store the object, right. Of course. I think a little. Alex fair Alex's I followed that with the customer store the object and then break it out into a relational database asynchronously, right.
After the customers already moved on the goes on to say though i understand that adding all the caveats the statements would make the show boring as a dvd worshiper inactive. No sequel developer for years. Here's my outcry. There is a serious cost associated with developing and supporting no sequel database for relational databases to Consider at least document type databases which most people mean when they say no sequel the aggregates designed for the most often operation reading data so persisting aggravates is not meant to be quick sensitive volt dated duplication maintaining reference out of the boundaries and so forth and about performance. Hey sequel is performed to the question is what are you trying to do. There are places where no sequel shines and they're also places where databases do just fine. I do like no sequel in much higher level of usage in the enterprise but modern hazy understanding of those equal obstructs adoption of the technology. You the pragmatic way as just another tool in your tool belt team. No sequel as the default option would remove the perception of it being an untouchable shrine. And get more people using it. Yeah he does reference a couple of blog posts including seven reasons not to use no sequel and the book no sequel to still by martin fowler. Which is a little stale. but it's martin fowler. You should read it. Yeah anyway. I thought it was interesting. You know our apps. We weren't firm enough on this whole in. I think the two things work together really. Well there are places where people may sense appraises where people may sense and most places where both will help you zoom time. Yup so alex. Thank you so much for your comment. A copy musical buys on its way to eun. If you'd like a copy of these go by write a comment on the website at dot net rocks dot com or on facebook were published every show and if you sit there and read on the show. I'll send you a copy music. Oh by and definitely follow us on twitter. 
I met carl franklin. He's at rich campbell. Send us a tweet and you know. Hurry up because times. Wasting not yeah. It's springtime get out there and play in the crocuses all right. So i'd like to introduce reintroduced james kovacs and introduced for the first time rachelle palmer so a long time ago in a galaxy far far away. James kovacs was a frequent guest on dot net rocks. He spoke at conferences wrote magazine articles and had an active twitter account. Then a career change landed him at mongo. Db where he has spent the last five years in self inflicted obscurity. I liked that. Self inflicted obscurity during that time he has worked on the technical support team assisting customers with a core database product and more recently on the driver's team building the language idiomatic drivers that allow developers to connect mongo db his current focus is implementing new features in the mongo db dot net c. Sharp driver which is used by millions of developers worldwide and for the first time on dot net rocks rochelle palmar is currently a senior product manager focused on developer experience at mongo db which includes drivers and integrations with all of manga. Db's officially supported programming languages. Which are c. Sharp dot net python corsi sharp slash dot net python ruby. Php no go swift and java. She's been with mommy. Db's since two thousand thirteen. i mean. Welcome you individually. Welcome james thank you. Welcome back good to be back and welcome thanks mongo. Db james I'll never forget that. I Show that you did with us. Low those many years ago In the absolute perfect description of ifc. And why you it and It just You know it was a great explanation. I consider it the best explanation of those things since before. Or since i appreciate that a lot of my goal of technology is to understand things at a fundamental level and then share it with others. And i'm hoping to bring some of that. Knowledge of non relational databases and mongo. 
Db two emeals the dot net community. And i think i heard about maga d be in the context of raven db which is i thing and i guess he he wanted to do something similar to mongo but i never really really got into it into raven but i did like the way he was talking about. How index is created on the fly. And all of that stuff and i imagine. It's very much the same in mongo. I end is a smart guy. And he was trying to build a native and non relational engine on windows for the dot net framework and like a lot of the ideas. He took from mongo. Db we are competitive product. Why will fully admit up but with mongo. Db you've got a much larger organization behind cut a lot more features and it's amazing all the things that de mortgage is used. That's been around for well over a decade shall do you remember when we were founded two thousand seven might have been two thousand nine somewhere somewhere around there so we've been around for a while and we've gone through. There's been a lot of different technologies steps along the way an improvement. So that's remember very angie ireland with that canadian. Who's been quiet. so far we were on the Scott net rocks was at scott net rocks. It was the england. Ireland and scotland tour that we did yes and so we were in dublin. And we're heading out to go meet a friend you know for some traditional music and right next door to the hotel was manga devi. But it was just really. It was really like a a soviet kind of experience. There was just the word mongo. Db in a very small font on the door. You remember this. Richard was like. Isn't that kind of unassuming right for this huge as a company to just have this little door with his little logo. We're not yeah. Yeah yeah no. What i'm saying is it was probably a big office but just under understand it at the front door little door. A little sign on a perfectly normal size ashley right. So what's new in mongo. Db are we talking about atlas. Yeah we can talk atlas. We can talk driver right. 
We can talk core. Server product shown anything dot the dot net itchy has not been the usual constituency for mongo. Right is normally think of mongo in the context of the lamps. No right the lyrics world austin's often we the the actual core server can run on a variety of operating systems including windows including including a variety of other ones mac. Os things like that. A lot of times. People will build applications in whatever their development languages. And that's something that we've seen a real uptake in is that people were developing on windows dot net applications but we're seeing more and more desire to move dot net applications over I'm for the simple reason. Cheaper to run run faster Full stop mythic end of conversation. Yeah yeah a lot of companies are interested in doing this So that's one and the other thing is sometimes people will question. How much is mugabe committed to the microsoft ecosystem. We have a law of customers. Running the microsoft stack that are connecting among d. b. r. c. Sharp driver team is one of our larger grabber teams. We've got five fulltime members on the team right now that are actively developing features The dot net driver itself has been around for over eight years and we are supporting more and more currently going through a rewrite of our link provider to provide better links support. And that's gonna be coming in a future version so we're very much invested in the dot net ecosystem and in microsoft developers. He had the link side of Curing mongo with link is very interesting is better or worse like is very relational oriented so sort of get this. You know there used to be an odbc driver for excel to. It didn't make it a good idea. My the hyun kidneys. Cram that the link query style into through a among database. There's kind of performance again gonna get from it Quite good actually because from a technical standpoint C. sharp with link is just an abstract syntax tree. It's ast and we take that tree. 
And then we translate it into the equivalent. Mql were mongo db query language. And so it is actually quite efficient and we can get very good performance Is one of my favorite ways of actually accessing mongo db in performing complex queries often doing aggregations group by operations really crunching. Data is a lot easier to link quiry than often hand Handcrafting the queries yourself. 'cause you still have relations. It's just they're just not you know so diabolically specked out. I mean you just figure them out. On the fly build indexes he the the friendly way to say that his structure he added that in air quote. I like diabolic. Better more accurate. Well one of the. That's one thing that allows good to perform really well compared to a relational database. Is that if you think about your typical sequel database. A lot of your relations are parent child relations. Right where one object fully owns another one. But because sequel a sequel and everything structured tables in you got foreign keys you have to break everything apart. So you're spending a lot of Computation resources breaking things apart and then putting them back together whereas with mongo. Db you've got an order which has a shipping address and a bunch of order line items and a discount. You just jam that all into one document and that can be queried as a whole mugabe also has a very advanced query language so that you can say give me all customers who received a twenty five percent discount right. Even though that percent discount is buried inside order document. But if you think about it you don't want that order documenta ever change because that was the order. That is the truth. This was the point i made on. Jerry miller show all that time ago right is like you know the actual reference to the truth is all the things at that moment. Store those things then. Decompose them later for analysis. And i've done sequel applications. That are like that. 
They need to know the state of what was the address of that particular time. And you have to put in a whole bunch of machinery and always ensure that new addresses are always inserted in your version in them and all of that becomes very complicated and with mongo db. You just store the current address. Here's a really good example. The dot net rocks database is it is a sequel database and we have a guest table and we have a shows table and you know the guests have a photo and description and whatever and a bio right in anytime that That bio changes it changes everywhere that its reference so you go back to show in back from two thousand to. It's got a bio you know. It doesn't have the original by when picture it's all been updated and so you're listening to reading bio and it's the old bio well. Let's look at it this way. James's i show on two thousand eight and his bio on that show now says he works for mongo dooby before. That's right exactly. I know people are going back. What rachel what's your role at mongo. So i moved. Over to products in twenty twenty and i currently own all of our drivers and ap is and then in addition Framework integration so for php. That's larry will You know for ruby. That's rails and arm rails odiham which is mongoloid so a whole lot of stuff is summary. Boss here yeah. It's it's pretty exciting. I mean i joined manga in two thousand thirteen and it was a really different company. Actually not the tom. We didn't make any money wise. And i actually was when i first joined. I was on the cloud team and it was a much different product. Then this was pre atlas and so i actually have the spreadsheet of win. We first started making money. And i basically backed out our own personal credit cards. And we discovered that someone who didn't work at mongo. Db had paid us and we have a little party. So that's how long it's been now. It's been pretty crazy every day since i haven't been to. 
The story are of becoming a real company and that's without being acquired without going public like just growing up and that's a rarity to simply grow up in via company. I really recommend it if you can. You can handle a stress much preferred to work in at a big enterprise company. Where you're a cog for. Which is what i did. Prior to mongo. Db big big machines. So we've obliquely referenced times. I guess we better tell that story. So when mongo db atlas so among it'd be atlas is our database as a service platform you can use manga deby atlas with any cloud provider. So that's azure. That's gcp that's aws and essentially you. You know create an account. We have a free tier and it's free forever and you create your own little manga database. And you're up and running and you get your connection string and you're off to the races. It's huge at this point I was also obviously. They are when it was first created wing and a prayer. Hell mary type of style. And now you know we have c. Sharp actually is really big on atlas. We have over ten thousand active projects. Which active is somebody has logged in in the last thirty days and done something. So that's it's it's pretty. It's pretty big enough specifically c. Sharp projects right. Yeah overall project is much much. Larger projects is over over a million. At this point i would. I would presume. C. sharp is still very much a minority player in the in the mongo ecosystem. Yeah yeah you'd be surprised You'd be surprised at chuck. It's fun fascinating to me. You know when. I took over this position. I have to say like i was a little nervous about see sharp because it's one of the languages i've never worked with. I didn't know anything about him. Like microsoft yeah links. I never windows never But actually it's been super fun and it's one of my favorite teams to work with the community is just so great like really great And out of the top. You know i think. Out of the top. 
Ten gaming companies eight of them use mongo db and a lot of them use atlas actually which is pretty exciting so yes that's an area of focus and then of course like a bunch of Enterprise and financial firms uc sharp. Because it's a serious language. Meant for serious work. It's not an obvious thing. In the way that some other languages are well if you look at our commercials support offering which is where we make a good portion of our money. We're companies pay us to assist them and troubleshoot their applications most of these as you can imagine enterprises and therefore they use enterprise languages. Top top tier is java turnout surprising java c. Sharp is actually really close. Second for me. Let's face it. Essentially have similar origins. Right oh exactly statically. Typed object oriented management memory language in development environments like pretty pretty similar they are brothers yep and then pass that is that no j. us and the rest of our languages fall into down below that but yeah the top. Three languages are java. Java sharp and j. us enterprise side jaw job as he sharp and you sort of classic open web dev at davos. It's going to be no apps. A lot of developers whether java warsi sharp liked to play around with no j. on side. So that's what i've seen in enterprises is that they'll be a microsoft shop and sharper their javale shop so that all be java but then they got a bunch of nausea applications and both teams do exactly that they'll play with no gs his. Everybody has to write a little javascript. It's kind of unavoidable. I'm looping back a bit to them on the to atlas here. So if i'm on azure i can i can by this as a service and is also running on azure so you guys are actually operating on the three major cloud providers yet and actually if if you're worried about it or if you're one of the unfortunate souls who survived one of the aws outages in the past few years. 
You can actually have one of your each of your manga to be nodes on a different cloud so you can run across cloud which i like that well. Any par par somewhat multi cloud mythology to. It's almost like a checklist. But it's i appreciate that. Yeah you've done that. And so i could sink across these infrastructures if i wanted to migrate or or to have a fail over to another cloud i just have it as a guy who builds a lot of fail over solutions over the past decades. This is disturbing. I haven't seen a lot of fielded multi clouds like we can fail from from. Aws azure or. Did you see like that's just doesn't seem to be much of that. Actually lots of people talking about it. A lot of people talk about it but not a lot of people either. Do it or actually need to do it. Yeah we're i think. Multi multi cloud really plays strong. Especially the cto's is the lack of lock in if you're running on azure and microsoft decides to drastically increase as prices. Yeah you can just port your entire solution over to gdp or it'll be just not going to be free like there's gonna be effort involved with at least doable but it's doable. You do not all of a sudden reconsidering rewrite. My entire data layer in order to achieve these things. Yeah so what you're really describing then is prozac for right. That's actually is. It's like. Keep the cto com gonna be fine. We drop a couple of these in his coffee. You'll be all right. I guess it also depends on how far you depends on how far you go right so you can have everything in another cloud ready to go just laying dormant just images right and then turn it on if something goes wrong rather than invest a whole lot of time and effort and money into automatic fail over stuff you know then then it just comes down to up. Somebody gets a phone call or an alarm and they have to do it really quickly. I still think it would be days like it's just not that trivial wanted to shift that stuff across and and hopefully you're using the m.'s. 
And containers and things that are relatively portable. You could go across deeply. Invested in any of the different vendors. Service technologies should've their distinctive analogy. There's going to be hard to move. Yeah, that's true. Well, and that's something that when you're building a cloud based application you have to consider. Cloud vendors do provide a wide variety of very convenient services, but they lock you into their platform. So how locked in are you willing to be? How much risk are you willing to tolerate being locked into AWS or another platform? And how much do you want the flexibility to move services around? I like Azure's Kubernetes service because you can use your own Docker containers and everything, so as long as you have your containers some place ready to go, you could do your own Kubernetes in GCP or in Amazon if you need to. But while you're on Azure you can enjoy all the wonderful high level stuff of AKS as a sort of separate thing. I think one of the other benefits of Atlas is that it's secure by default. You get TLS, SSL automatically by default. You don't have to set up anything, which is really nice because, you know, that's hard. You've also got a variety of security solutions around, like you can log in with a username password which is properly hashed, salted over the net. Like, you don't wanna pass anything cleartext. You can use LDAP, you can use API keys. There's a variety of ways of actually authenticating with the Atlas service, as well as private networks, so that you can isolate your... look, if you have an Azure deployed infrastructure, you can make sure that it goes through private links so you're only going across Azure controlled interfaces, you're not ever going out onto the public. Bob that reminds me. I want you to tell people about FLE while we're here. Before we dive into that, let's take a break for this very important message. If you've had automating your ASP.NET deployments
on your to do list, now's a great time to give Octopus Deploy a try. The starter edition lets you install Octopus on your own infrastructure and deploy IIS web servers, Azure websites and pretty much anything from Node to Kubernetes, and they just made it free for small teams. Give your team a single place to release, deploy and operate software with Octopus Deploy. Find out more at octopus dot com. This episode of dot net rocks is brought to you by EveryPlate, America's best value meal kit delivery service. Not only is the food fresh and amazing but each meal costs about as much as a cup of coffee. Recipes come together in about thirty minutes, definitely faster than a trip to the grocery store and starting a meal from scratch. EveryPlate gives you easy to follow recipe cards and pre portioned ingredients so you can spend less time prepping and cooking and more time enjoying good food with family or loved ones. I wanted to see if EveryPlate was as good as it was cost effective, and after subscribing and cooking a few awesome meals, I'm convinced that you can get the same deliciousness at a much lower price. So experience fuller plates and fat wallet. Try EveryPlate for just one ninety nine per meal plus an additional twenty percent off your next two boxes by going to every plate dot com and entering code dot net one ninety nine. That's right, with EveryPlate for just one ninety nine per meal plus an additional twenty percent off your next two boxes. That's a one hundred dollar value. Go to every plate dot com now and enter code dot net one ninety nine. That's dot net one ninety nine. And we're back. It's dot net rocks. I'm Richard Campbell. That's my friend Carl Franklin, and we're talking to James Kovacs and Rachelle Palmer and talk a little MongoDB, all the cool offerings going on there. And James, I just interrupted you talking about LFE, a... client-side field level encryption. Yes, FLE. So what that is.
It's a recent feature that was added to MongoDB and it allows you to do your encryption on the client side, so you actually acquire encryption keys from an encryption key provider, either on Azure, we now support Azure and AWS. I think we ought as well recently. So any of the major cloud providers, they provide key containers so you can request keys, and those are only ever seen on the client side. So any data that you read has been encrypted with your key, so the server, the mongod, can't read it. It's just an opaque blob of bits. Once it gets to the client, it can be automatically decrypted so it looks like clear text. So if you're storing hassle you shouldn't be showing say passwords sleep that topic out up. PII, right, personally identifiable information, which sometimes people want to store. So if you're storing credit card details, once again, need you really need to. But things like social security numbers, which often you do need to have stored in your database, but you don't want your cloud provider necessarily to have access to them. You use client-side field encryption to actually encrypt these fields and ensure that, and if you read them it just looks like encrypted bits, but if you have the decryption key then all of a sudden it's readable and usable. And is your ability to share those keys between devices so that multiple devices could decrypt it even though the store cannot? Yes. So you actually communicate with the key store, a KMS, and if your client is, typically you do it on a server, but if that server has been allowed access to a KMS, what y'all control take KMS infrastructure, then that client would be able to decrypt and encrypt data to and from, that is coming from MongoDB. But if it didn't have those encryption keys, for instance if it was a reporting app that could only report on high level patient information but none of the particulars, then you wouldn't grant it access and it would not be able to read those fields. But you can go very granular.
You can go, okay, I want these three fields encrypted, but I don't want these other twelve encrypted at all. So it's not like you have to encrypt the entire object. You can if you want to. But typically field by field. What sensitive rights. He could protecting specific data. But we battled this problem with encryption on SQL Server too, where it was easy to encrypt the whole thing, but then, you know, you just crippled any kind of querying because you had to decrypt everything to figure out any of that, right. Not just a just encrypting sensitive information, just the salary information, just the identifiable, but the index stuff, important stuff, was still legible. Well, one of the other interesting things that we play with is, when you're designing your encryption scheme, what you can do is you can say, let's say you're encrypting the salary information. You can encrypt it all with the same key, so they always encrypt to the same value. You don't know what that value is but it's always the same value, right, and that allows you to still query it. You can't do range based queries, but you can do give me everybody who earns fifty thousand dollars stink because you can encrypt that fifty thousand dollars to a known value and then query the database saying everybody with this known value. I not know what that value is. But I know it's the same across these records. Exactly, exactly. So there's a lot of fun things you can do with that from an application design standpoint and security standpoint. Yeah, if you think hard about it. But this whole encrypted before it leaves the device is pretty compelling for a lot of folks, right. I'm not transmitting it counting on some kind of encryption during transmission and then encrypting it again as it goes to rest in the central store. I encrypted it before I left. That's right y'all got for that and that's the client side encryption.
Then we also do a lot of, when you're on Azure, the bits that actually get out to the actual volumes are encrypted as well, so we do on-disk encryption as well, right, to ensure that is secure. Well, you guys, Mongo went through the security ride. I did a RunAs back in twenty seventeen about the Mongo exploit, which is like they. Hey, you know what, be careful with defaults. Defaults are hard. Yes, that it's not. I think it's also, you know, your product's important when it makes, but it becomes a part of an exploit like that, and now you have to think about your product differently too. And that was an interesting growing pain, going from focusing on startups to an enterprise company, because as a startup we want people to just be able to spin up a mongod on your laptop, not have to worry about authenticating anything. You just connect to a certain port and you're off to the races. So we made it really easy for developers to get MongoDB set up and running. Yeah, well, that was the problem. And we had all of our documents, at the time I was working with technical support, and we had all the documentation in how secure it a. Nobody bothered insist. The that's the reality, because the default was unsecured guy. You kind of have to force them to do the right thing, even though it impairs their ability to get started. Yet by the other the Atlas is another solution of that, is like, hey, you developed locally, you're ready to go into production, why don't you use our secure one in the cloud and not worry about scaling and all those other things. Like, life will be easier this way, and you're far more likely to stay safe. Exactly, because even when you spin up an M0 cluster, which is our lowest free tier, always free, that is secured not less. It has password protection automatically turned on. Everything is secure by default in Atlas, as you can try out.
I actually spent last week building applications with my team just like let's build a senior application and see what it's like from a user perspective and we just spun up. An atlas database put some data in there and were able to securely connect and started reading a phone app actually right on the device and connecting to atlas so that was a lot of fun but yeah it was secure by default of the box and as you start to scale. That's the other nice thing about atlas is you're going you say okay. Now i need more horsepower behind it this. I've developed the v. next plants versus zombies game. Let's start scaling this now we can. It's literally a click of the button in the u. Is like okay. I need an m. thirty. Which is our dedicated tier. Okay i need something with even bigger up to fifty and one hundred and what we are doing on the back end is basically scaling up the vm's at the running and providing more resources to the back end. She something somebody could do. Your ops team could be scaling mongo themselves. But did they want to do they wanna learn how they this thing and there are definitely people who do that. We do have an in prescription where you can. You can also just do it on community if you want right a lot of your own tooling you can download community for free and start building at your own mogadishu infrastructure. But is that what you want specialized right. Do you get a lot of customer requests asking you to move their relational databases to mongo some some. Yeah i mean that. Is that a common thing. And that's a that's an area that it's an area that i know. Our consulting team does log working obsessive. One of the nice things about maggie is. There's a support team. There's a conservative team. There's an engineer that we got all these different teams can focus on different things. There is a desire to move relational workloads over tomago db depending on the application. 
Sometimes that can be a good thing and sometimes it is more work than is really warranted. Yeah i don't find that lift and shift is super popular. I think what tends to happen. Is that they sort of sidecar the to databases for a while. And then they'll move workload over but it tends to be that they re architect in the process. Which is why. It's usually a very big projects like let's download all the data and then just put it in mongo. It's it's more like a even considering lifting and shifting. Because you have relational data that now has to be documented. Alexa therefore does need to be reacted absolutely but do. Do you think that if you were going to make the case somebody who's got a hefty sequel azure bill every month. Because they're you know because it's expensive. Let's face it and you know. Maybe it turns out that the shape of their data with lend itself really well to a document database. What's the case. Is it a money in performance. Both make the case there. I think it's both one of the solutions that is is pretty recent. I can't remember what year we debuted our data lake project but it's basically You know you can query your data in s. three bucket and then the results of the query you can put into a manga debbie database. So that's how some companies shift there content or their their data basically to mongo to be atlas which is a pretty nice way to do it because then it's like i'm only moving the data that i need just kind of nice i worked in consulting four gb. I think that you know it's one of those projects that we would love to bid on as a consultancy firm because it will take multiple years. No cost you millions of dollars and then you may not actually get any your net. Your net money gained loss. Might not really be what you were sold. I think well you look at the price of an enterprise license of sequel server today Like it's it's far more than the hardware. The hardware price keeps going down. The the licensed price keeps going up. 
Right what a sixteen thousand core right now for enterprise sequel server like. It's no fooling like the you could buy a lotta sequel azure for that and i suspect you buy awful lot of atlas for two. Oh that's true totally. I mean that's one of the reasons to move atlas also it's a consumption based model so if you are gonna run on thirties then you which is a sort of a smaller instance is like and then you scale up when you need to or during specific periods of the year. Like if you're a retailer for black friday you'll skill up and then you'll skill back down around valentine's day and it's fine. Yeah i've tried doing that with hardware. It's really tough to take those rams don't do it's not a good idea just leave. Leave those michelle. You don't have hot swap. Richard you pull hard enough everyday talks. That's why yeah. But if you know to that point. This alaska this sort of op ex capital choices like instead of investing in that hardware. And i'm saying this on the it side. These contracts are expiring these hardware. This harbors coming out of warranty. You're looking at in some cases to common numbers worth of equipment in licenses and so forth and you can get an awful lot of variable cost resources for that money. Like i just put that in the bank pay it out monthly and get pretty comparable results and ultimately if i careful and do some tuning and like you said dial down dial up. Those times are can spend less now. Nothing's for free like there's effort involved but by there's nothing easy about buying and setting up new gear either like instead pilot or the other thing that's true and like i'm sure that my our sales team would literally murder me if they hear this podcast but you can also in efforts to developer friendly. We don't have long term contracts for support so if you're using atlas you can purchase a poor because you have a problem or you want a question answered and then you can. Of course cancel your support. 
So you don't get locked in to this sort of multi year Thousands and thousands of dollars type of deal which is really cool. Yeah and it depends on your organization as to how that works. I also know companies where it's like you don't spend this money you lose it from your budget so you know i've been on the vendor side of that where somebody's calling me saying. Listen i got to this month. What can you sell me once you guys. Give me some kind of contract that shows. I'll get value from you over the next year. I just need this money out of the my account. This you are my friends. I will make something special. i guarantee you. Yeah well and actually the reason we first started doing that is because what would happen. Customers would have some kind of incident or some kind of problem and they would want. I want to support. I don't care how much it cost. i'll pay it right now and we're like no well we'll have to send you to procurement and then you have to sign some papers and they're like can i. Just give you a critical. No you need to start talking now however much money you want to on my problems and also take my money. Yeah yes well again. This is back to the prozac statement. It's like i've been that contract where it's like you pay a retainer to me so that i say there it'll be okay and then go make it okay. Well hearkening back to an earlier comment was. There's a lot of place that the cloud really excels is elastic. Compute resources where you can scale up and scale down. There's a quite a number of business. Not all businesses. But there's a lot of businesses that are very cyclical in nature either seasonal Where black friday. Rush or a i worked with a particular customer who shall remain nameless. Wonderful folks to work with But they they're peaks were around sporting events and every time there was a super bowl or an mc w aa tournament or some big sporting event have a huge spike in traffic. And then it would die down to almost nothing and so with. 
They were actually on atlas in what they do. Is they scale. Up to very large instances a or two before the big event. Host the big event and yeah. They'd be spending a lot of money for those few days but they've also got a lot of income coming in because of those events and then once those events are done they would scale back down to minimal instances to keep the background traffic going. And there's a number of businesses gaming companies. Do this where they have like. Blizzard has a big launch. And all of a sudden. You're gonna have a lot of traffic hammered. Now we can scale up and then once interest dies down then you scale back down and that flexibility that you're not locked into physical hardware and having to pay too because we're basically with physical hardware you paying for your peak. Now you have to the po provision the pizza and then you've got that peak provision hardware for the other three hundred and sixty four days that you don't need yeah that's absolutely true and certainly this is the new era right. The utility computers that we can buy what we need when we need it and in reasonably short amount of time i mean. How long does it take to move to a higher instance and On atlas minutes. Yeah there's a lot of a we do a lot of Interesting things in the back end. Most of the cloud providers will allow you to tweak their hardware once every six hours right so if you just need a like a very comic database we live and die by aiops guy ops. So if you want to bump up from like a thousand to ten thousand aiops that'll take a few minutes. Yeah i still think if. I might be doing ops coming into black friday. It's like on wednesday. I turn up the nah right and then sort of poke things like everybody. Happy with the big instance and we all good. We don't want to wait until noon on friday for another thing that we were experimenting with Experiment because it's actually in production is auto scale you can turn on auto scaling on your allison. 
Is that if you see a certain peak load for an extended period of time it will auto scale up to the next instant size. What's the thing you're measuring is like number of transactions are is it i opposite you're measuring ago. This view. Bombardier instance right now. A cpu guys. We're are pinned. Yeah you're processor is pin. Pretty hard bottleneck for mound. Go like i think disk latency zero bottleneck remember. I think you can also do it on. Aiops sedans on your workload if you're doing a very heavy workload. Obviously disguise ops is going to be your primary driving factor if you are doing heavy duty. Educations of where you're doing grouping expressions that's where you can run into. Cbs resource end. Seaview run. We almost never see network run. Hot is typically depending on your workload. It can query heavy and using complex queries like if you're just searching by essentially primary key are underscore field than that takes. Virtually no seaview resort sources resources. But if you're doing a lot of sorting in aggregation in server memory than that can take up cebu you can actually have atlas auto scale so that it will bump up to the next tier up to a maximum the you set and then if it remains if you are below a certain value for typical previously days. I think we're we're getting a bit more aggressive. It can be on the order of ours if you see like your views really running low. You're not using law guy. Oh then you'll drop down your tears again down to a certain minimum set point as it were very much experimenting with this for customers to optimize their costs on atlas. If you could get into daily with is like if you're a retail outlet that's streaming data from transactions but like ten hour window where every store is close like being able to turn that knob all the way down for what is better more than a third of the day or add up over share. Yeah for sure. What about the long term storage side of things is archived. Like i find that. 
That's an excellent. Sequel azure and these kinds of products as datasets. Get big. they actually get really expensive. And you kinda wanna carve off old data and put it away right so where how. What is the cheapest storage out there in the world today. Blob block store. Yeah whether it be s. Three or azure block store. That is by far the cheapest per gigabyte that you can get so one of the things that we enable is atlas data lake where you can actually pull off your old archive data into an s. Three blob store or a azra blob store and the nice thing about that is although your performance isn't great it's to query -able right so it's still there you know. Is it going to be slower. Because we don't have the full indexes we actually have you can issue mongo db queries against this blob store. Which is quite cool. Yeah but it's it's still there and available for reporting purposes but you're not in incurring the cost of having it hot an available immediately. I should mention the azure sequel does make backups. And so if you screw something up you can just go online into the portal. Find the last backup and restore that to another sequel database. And you're off to the races. That is a very nice feature. But you know you you pay for it. Yep we have automatic backups as well an in atlas so you can actually you can establish a backup schedule a. The backups are snap shotted into asimov's door or orange s three and then you can pick a snapshot and then restore it either to your own. Cluster to cluster. So you have similar functionality. So that you can because you live in companies live and die by the data. Yep and you talk about keeping. Cto's com lose weight like that's bad that'd be cto's get upset win. But so having visibility into data that's old is great but releasing the cost of storing all. Data's because the traditional solution is just delete data. Right or i built archive systems. 
Auto remote stores is archive it onto tapes yet but having it all built into the platform and we are investing in this as well so to make it easier to right now last. I looked You could either query the data that's in atlas or the the data and data lake. We're one of our goals is to provide a holistic view of it so it will look like the same collection but data that is past a certain year at certain point old will actually exist in s. three and be queried for automate that shuffling i can run into toads Over do do a batch. Once a week this sorta hunts down the oldest stuff in pushes over that street. But i'd rather more me than it's your fault. The other real selling point. I think is that there is automatic upgrades of your manga debbie server version. Which you don't have to do that anymore. Right break right but yeah it's nice that it's you know upgrading. Gnarly takes effort. But you always doing it wrong. At least if if the the vendor is doing it they're probably doing it right and if they're doing around they're upset rags up people at once and hopefully no breaking changes of version to version. Yeah we have a process where you know for the entire platform like said there is over a million active projects so we don't roll it out to all one million at the same time we we basically roll it out to a randomized ten percent and wait and then another twenty percent and wait and then another twenty percent and wait and then the remainder so if we have to. We can rollback of version upgrade. If we see that there are any problems with the i. Ten percent and related to that is not only mogadishu upgrades but os upgrades. You have to run your server software out on us and it's always a hassle. There's a new windows version. There's a new lennox patch comes out and going through the rigmarole of having to upgrade all of your servers. That once again taken care of. Portia not you guys mentioned if free skew atlas what are you get. Oh i don't know we saw. 
James will have to look up the stats. It seems like a lot. There are a lot of people using it and not just for a tinkering and not for learning mongo db but there are actually people who are running production level apps in our free tier which is kind of fascinating. We did a survey we sort of assume that most people who were Running applications on our free tier sort of learners or students or beginners with mongo. Db but that didn't turn out to be true based on the responses to the survey so yes so you can start out at five hundred twelve megabytes storage for free. And i think there's also a limit on connections and a limit on aiops. But i don't recall what they are sure. So if you have your your stuff out there your clusters or your your shared. Cluster and In turns out lo and behold everybody wants to be on it you know and it becomes popular. You can sort of migrate that up. I suppose that's great. It's also i mean. I use the free tier buy-sell for you know some one of the things i did. This year was analyzing stack overflow developer survey data. So i just put it in mongo. Db and then did some charts so that could look like a cross sections of developer communities. That was cool for that. And then last year i did a health little app which was mobile in a web app and they used our free tier for that and then used it for a talk me world so it's nice to get something up quick quick and running. I think when it comes to my health. I'd want to impact other than but it's also especially with demos it's like i don't like it in the bill at the end of the month because i forgot to turn the flipping off not that. That's this is all good stuff guys very very good. What's next what's next for you james offer me. We're working so. I've been working on the sharp driver and we of new features coming one of the features as coming in the next few days is were introducing. Better lennox support. 
So if you've got a dot net core apps running on lenox We're going to be adding the ability to feel bubble encryption. Cfl and the fear that i implemented was actually kurosawa. Nice so we're actually talking to the gp shared library on lenox and doing all the funding perot's ticketing stuff and that was believe me. I understood. for bruce before because i knew tickets i new server tickets a new Your ticket to all that actually. Having to implement the bits on the wire is a total total level of understanding. How you can see sharpe seven. These days We actually recently upgraded to c sharp nine po. And we can we do this. Hey we can if if we use a c. Sharp nine feature that requires compiler Libraries sport than we get under myler so we can use all of the new cool features like record types and others that come with c. Sharp nine and eight at did. I did mean to say nine seven. Oh okay moving in the past. But ultimately i know there's a lot of lot of really nice language features that allow you run much clearer code in c sharp and just some of the things that we're used to from functional languages are definitely coming over to see sharp you were. So what's what's in your sharp team I really you know. I've mentioned the gaming before. I started digging in on that and so have asked some of our developer advocates and developer relations teams to do Unity tutorials for c. Sharp from from beginning for beginners so build off entire game in ninety minutes so they've started doing youtube Live streaming of building a game in. It's sort of paired programming exercise. I think it's going to be really cool And then the other thing that. I'm gonna probably ask the team to do is I keep an eye on whenever we have sort of a little swell of users asking for certain things or complaining about thing and so probably going to ask the team to do serialisation improvements ca notice. There's a few tickets that come in faster and make it better. Yes the there's always going to be those. 
Yeah never fast enough those thing but it gets you know you're the pm role you could see the this hit a critical mass where it's like. Better look at this as something narrada to prove well in the serialisation movements are interesting because we actually have unlike some of the other drivers in one of the I was interested in joining the c. Sharp team is that our serialisation infrastructure includes complete. Odium object document map. So it's you don't just have to work with documents you could actually say. I've got a customer i've gotten order. Are you actual pocos then automatically get translated into the equivalent document structures by the drive itself. So you can get your business layer abstraction level and what the driver worry. That is really cool james. Glad you're working on. That's very cool. Well james kovacs and shell palmer for spending this hour so much for having us anytime pleasure seeing you too. And we'll talk to you next time. Dot net rocks dot. Net rocks is brought to you by. Franklin's net and produced by plop studios a full service audio video and post production facility located physically in new london connecticut and of course the cloud online at p. w. o. p. dot com visit our website at dot n. t. c. k. Ks dot com for rss feeds downloads. Mobile apps comments and access to the full archives. Going back to show number one reported in september two thousand to make sure you check out our sponsors. They keep us in business. Now go write some code. Cnx time law.

The Environmental Impact of AI and Machine Learning with Amber McKenzie

.NET Rocks!

54:03 min | 4 months ago


"Welcome back to dot net rocks. This is carl franklin. And this is richard campbell. And i'm in connecticut and he's in vancouver in this how we've been doing the show even before covid right man yeah we. We stayed home before it was cool. I should not true. I mean we spent a lot of time on the road right and it shows in person as well but Definitely geared up and working from home this past year and now we you know we've been using all sorts of technology to record and stuff and we're happy to report that zan casters now really really good. We tried it before. And that's zen castro without an e. so e. nca sdr dot com. We try to before when it was in its early stages and we lost shows. We lost ada so we were like. I can't trust that you know. The for better worse is least with skype. When skype went wrong you knew it. While you're recording you compensate right real sin is to finish. Show be delighted with it and then find out. You don't have the recording right like. That's what makes people sad. Yes exactly with skype. We were listening to what we were recording. This then caster records locally on your computer everybody records locally on their computer but it also shares audio. So but if there's an i o problem locally we won't know about that. Yeah although it's gotten better and better detecting. I found on the run s avenues. Caster if someone can't pass the zen caster connection requirements to that green light. That says okay. You weren't going to get a good recording with them anyway. True and i think it does quite a bit of good reporting if there's a problem. Yeah doing analysis. But it's fun to modernize isn't it in august is talk to me about podcast. Like i think the biggest challenge carlin. I have is shaking off the craft of doing this for so long right that we have a lot of practices that are no longer relevant. That's true and the the other cool thing about zen caster schooling. It's not recently updated. 
Yes and the big features video so not only is it. Recording your audio locally. But it's recording. Your webcam are your camera locally to an emo v file and after everything is done and we stop i because i started it. I can download all of the mp three files and the movie files and we could send that off to an editor and put it together. In adobe premiere her final cut or whatever and turn into you go but that's the upside of the new zen kassar. The downside is the kind of screwed up some things with device. Allow you know. I don't envy anyone trying to update software like that but now yeah we've had to work around a few issues but most most of it's been good but anyway it means you can't sit down record right. You have to take a little time in advance. Make sure stuff is working. Yep well amber mackenzie workloads will ember. Mackenzie is here. And we're going to have a really talk with her and just a few minutes but first we have this little matter of new framework ruled in easy what he got. Well haven't talked about the stuff that i've done on blazer train in a while but one recent episode was just really cool in terms of the research. Got to do what. I ended up with so this was the episode on. Pwa's now this is dot net rocks episode seventeen thirty three. So if you go to seventeen thirty. Three plop dot m. e. That's the pattern for frameworks right on. Show number pope me. That'll take you to the youtube video. And of course if you want all the other stuff it's at blazer train dot com but the pwa video. I mean i've seen demos appea- w as before and the whole idea with progressive web applications. Is you take standard. Html static website or whatever. 
And you make it a pwa by adding some you know a couple of javascript files and a manifest in all that stuff and then the browser in whatever platform all the major browsers now will ask you if you want to pin this to your home screen and when you do that it on windows anyway or a desktop it becomes an icon and you can just click and run it and you don't have any of the craft on an on a phone. You get a you know a home screen icon you double check that and it comes up and it looks just like an well. It's the thing is people. Don't know the difference. They don't care as long as it's on their device they're happening right so the really cool part about pwa's cashing because the deal is that you know your home screen will render whether or not you have a Internet connection or not so. The canonical example is to turn off the internet and the browser tools. Turn give it no connection and then see if it renders but what if on on load you're going out to an api and getting some data right that you're going to now render okay so in that case. You're kind of out of luck. If you're off line you have to cash that data yourself so turns out. It's not too hard to do that with local browser storage. So that's not a big deal. You use browser storage. You get your initial data in. Save it when you get it. But here's the deal. There are certain types of data that In certain ways that you get data that you might wanna cash in the local cash which is separate from the pwa thing okay right. so it turns out the browser caches. Really cool it's not local storage. It's a browser cash. 
So the service worker in the basic stuff that comes in accesses this cache it names it according to the manifest like it comes up with a name on the fly so when i do i wanna use that same cash i have cashing code that deliberately and specifically used to look see some things in the cash and not right and i make sure that it's the same name and i know i'm going a long way around but the whole idea is i wanted to be able to play audio and i wanted to look in the local cash when i played it to see if it was there and if it wasn't i would go get it and if it was a pull it out of the cash and i'm talking about mp three files so it isn't really enough for you to just say to add mp. Three as the to the extensions. That i wanna cash because i'm literally setting in javascript. The source of an audio element to a u. r. l. Okay and. Because i'm doing that. It's not it's sort of bypasses all the regular cashing stuff. So i actually showed how to do that. How to use the same cash that the service workers using for all the other. Pwa stuff and at the same time. I can cash up. Mp3 files download and turn it off line in the ones that are cached. Come up and then the ones that aren't cashed. You get a message that says you must be online to to listen to this. So it's really cool. I mean walks through the real world scenario of cashing steph in a pwa so that it actually works so going laser. No less right yeah. Pwa's are not just for for straight up web pages at at all you can you can do. It will ever language you want right. There is one issue however that you gotta know about. If you're about doing something like a a podcasts consumer or whatever as a pwa on android no problem on ios you have a pwa that plays audio. It won't go in the background. He won't play in the background right and this is because of ios. Oh yeah no. Apple has very specific ideas of how apps are going to work whether you like it or not now so it was a native app. It would play audio in the background. 
But because it's a pwa behavior pwa apps on ios whether the icon is on the homepage or on a different page in ios see. I didn't know that it's on the homepage. You get more things enabled or whatever. The cash cash has more durability it's on a secondary page cache gets deleted. I chalk this all up to apple being hostile towards. Pwa's i disagree. They want stephanie. I want people to do native in the app store. Only way long winded better no framework. But that's what. I learned love it. Who's talking to us. Mr campbell grabbed talk. Show sixteen seventy eight from march of twenty twenty which i think we actually recorded it. Nbc lund back. When that was a possibility. Oh yeah on the ethics of ai. Of what we're talking about not a show that amer was involved in but probably should have been just there. And and joshua hiller said this about a year ago now that bit about mainstream ai. Applications and industry being stuck in the nineteen nineties. And i'm pretty sure that was Evellina that was talking about that. Yeah in terms of fundamental research made me chuckle as bread and butter. Mainstream software development is still struggling to get out of the seventies in terms of fundamental computer science research. And i gave me a laugh. I dunno it's as long as you're not wrong in the sense joshua that in the seven object orientation the fundamentals came around in the seventies. But i think most people have figured out that inheritance just isn't plague like it'll lead you down the path of doom and an even a polymorphism is a good way to confuse people. So what are we really doing for orientation modern development. These days muslim just encapsulated. Yeah that that compose ability and you're kinda good and any even. Ai prospected around. When asked about this when we we were chatting with that yeah you know. I think the breakthroughs in in modern day i came in in twenty eleven. You know the new vision research and the the Adversarial networks we. 
This is definitely technology and play but joshua thanks to your comment. A copy of mexico buys on. Its way to you. If you'd like a copy needs to go by a comment on the website dot net rocks dot com or on the facebooks. We are publish every show there. And if he comment there and every show. I'll say gee copies to go by and definitely fall on twitter. I'm at carl franklin. He's at rich campbell. Send us a tweet. Make sure your online true. You can't cash. That can't cash sending tweets and that brings us to our guest today. Dr amber mckenzie's vice president of data science at bombonera with a master's degree in linguistics and a phd. In computer science. She has almost fifteen years of experience. And data science ai and natural language processing amherst lead a variety of projects in a number of different sectors including military applications healthcare marketing law enforcement accounting an ad tech during her time at the university of south carolina oak ridge national laboratory dialogue tech pw wc and in her current role at bombonera. Her professional interests include. Nlp machine learning predictive modeling and computer learning. When she does get a spare moment outside of work she enjoys reading. Boardgames indoor rock climbing and lifting weights. Welcome back thank you for having me. Thanks the oakridge. Like the oak ridge like the bomb was developed at oak ridge. Oh yeah that's when. I got there. They were just phasing out the little things that you wore to tell you whether you've been near too much radiation and areas off. You can't go in there yet. Dear mom my new job is the bomb. Old story for the manhattan project was the. Up you the topic civil for For plutonium is p. u. so. Upu nice get over that it would show up trail. I just means a whole bunch of things. You did at oakridge. We can't talk to you about that is to on sale. There's some things on some things. I cannot. That's the much they might have down. You know very so the new role. 
Yes that is. It is very news. has brought on to bumper About six weeks ago as vp of data. Science there They they are a abebe ad tech company And hey trade. A lot in the data stay so looking ad event data web traffic and matching that up with the content. That people are looking at to sort of he able to tell if somebody is Interested in buying goods and services and passing that information on But mainly business. We don't deal so much with his new consumers that they have a hard they do a good bit of nlp an an and science and they needed to sort of have step up and head and some new directions. That's where i come in to sort of help bring in some some more advanced than all a. a A machine learning capabilities to be able to of take us to the next level. So i'm newly in the role that excited to be there in Custom really good people and for me. That's that's keita any job. If you've got a good team could do a whole lot. Sure yeah absolutely and interesting to see them bringing those kinds of technologies into play. So what kind of issues are you facing in your new role that may have challenged you. Yeah so one of the big things that we're looking at is Most of the most of the work that's done on this space is is at a sort of rudimentary lp level. So can we just tell what key words people are looking at or you know some basic things like that but there's a fundamental difference if somebody you know from businesses looking at a news page out harz versus looking at a car dealership website. Right you you think about Helping people are looking at that content. They're looking for different reasons and right now in the face. A lot of that is just sort of lumped together and it's up to the sales people had organizations to go out on those leads and Interested in buying a car or were they just reading about the latest tech so that's one of the areas that i wanna take us israeli. 
Starting get to get up the semantic meaning right so what actually is going on In that particular web page to be able to say. Is somebody interested in car or are they just reading about it and that's as significant step up so that's where we're headed next amber. Are you trying to make advertising lesson. Knowing i mean generally i try not to give myself goals that are intractable ultimately. You know i guess we can put that job. Yeah i mean you actually need help. Having helped presented to us really useful. Yes and that when that presentation of help is interrupting not so use. it's true. yeah. Well i can't. I can't affect how people are presenting the ads. But i'm hoping that maybe we can find the people who would actually be use interested in those type of things as opposed to kind of probably giving it out to you know. There's a lot being done on the marketing side. If your company is is putting out marketing campaigns you want to target your dollars to places that are are actually interested There is to just kind of casting a wide net. So here's a lot was face on honestly. There's a lot that i'm still learning. I was telling him that. At every when i go someplace you know the fundamentals of data science. Nlp machine learning all all there you know. And that's not something. I have to come up on but every place. I've been has been a different domain. I'm you know legal or social work or military or ad tech accounting events. Always the place that i spend most of my time is just what are we trying to do what our customers want. What are we selling. And then being able to say these are technologies that are gonna get us closer. They are really solve. The business goals as opposed just salvin technology goals. And that's that's being indecisive. 
Holdouts i've gotta say as a consumer who's come up through the light the entire life of the popular internet You know in the early in the early nineties in the nineties all all through the nineties most ads were just like you know coming at you. Bom bom bom bom bom right and most of them were completely irrelevant. And i gotta say now you know using using social media platforms where they're actually looking at what you're interested in aside from the fact that i always get ads for things that i just bought which is stupid. I do appreciate seeing things that they think. I would be interested because i generally am. I mean it just in the last couple years. I've actually bought things that have come up in my facebook feed that i would normally not have seen had they not put them there so i do appreciate when i see an ad that i might be interested in rather than just like you know the the constant barrage of ads. You see like on youtube or something. Yeah will announce even more important right now like the cove is people aren't window shopping. You're not outright wandering. The mall and seeing the latest things are You know it's an interesting place that we're in right now without a doubt and people's attention more sensitive than ever before you started talking about this whole they're do just doing keyword checking because i think sentiment analysis an easy add. They're like just what did people's tones. What are their moods to the to the data that the texts that they're producing well so you know it's interesting doing it all from far right. So what information can you actually pull you know. Okay so you know they look at you. Know where where you traversing. And how long are you staying there. And maybe you know what what is the content of the website that like. I don't know if you looked at this website was like oh my gosh. That's the ugliest car i've ever seen might navy. You know but so far like now unless the government gives the access to their. 
You know cameras that got everyone's fans. I mean. i can't do that. i'm just kidding. I really don't think they have a put camera in your fan. All the people out there are freaking out now checking their fans. No nobody cares you. You just sort of said say you wink. When she said she was kidding so she honey. Because i do get questions. Had you know especially for people who are a little less technologically savvy that you're out there stealing data whatever was like. Do you understand that like people. Hide your data for her ever. You know like okay. Yes before they had paper ads that they were still checking. You know what you're buying and like this is not new and two. Nobody cares about like the government. Doesn't care about you right like you joe schmo in your house. No they didn't bug your house because seriously you don't hear these companies have to be careful though. I recently bought something online Equipment and i won't say who it was but at the end they said hey. Would you like a free hundred dollar gift card for taking this stupid survey so i'm like hundred bucks cool so i go through it and i go through it and i go through and i get to the end. I'm like well. This better be good and they say okay. Click here to claim your hundred dollar prize and i got to pick between. I got to pick free magazine. Subscriptions oh that's it. I mean there was no hundred dollar gift card like it was like pick four of these magazines and you'll get a free subscription for a year. Okay now read fricken magazines so that was pretty shady so but because they did that i'm considering not ordering from them again. Yeah they really have to be careful. What the way they present you know the way they gather data. I mean at least they weren't offering you you know a a a cd. Subscription earns right like cassette tapes like cd libraries. We're gonna send you out the newest top one hundred years supply of lemon squeezy. Congratulations oh my goodness. 
You had been doing some writing around environmental impacts of AI. He well some presentations. And i. i will caveat saying that this is you know i'm i'm evangelizing other people's research and this is not my own fight. I feel like it's an important topic that would be discussed. You know we've we've thought a lot about some of the other technologies that have come up. You know big simulations you know blockchain that uses the energy of a small cities things like that. Sure while the whole discussion around cryptocurrency all right like you can't buy video card right now and all they're doing is generating bits for the possibility of a fictional kind of currency which apparently is exchangeable for forty thousand dollars at the moment but now running out of time on that. Yeah we did the mining for a little while and it was just diminishing returns at that point so gave up but there are you know. We've got supercomputers that are you know have energy requirements the same as like medium sized cities. And we're headed towards exascale which requires a total output of the average size US coal plant. And then you know the same. The current expenditure for bitcoin alone is like the energy consumption of some nations like land czech republic. And you start to think about. You know what we're doing in that space that then not a lot is talked about in terms of like the research that we're doing behind he machine learning some of that sort of thing And that's what really got me interested. I was listening to a podcast episode of talk where he had He had a a researcher on. Who's who's doing research in this area. Her name is Emma Strubell and she started looking into. And so if you the current trends in NLP are these sort of monolithic laid sort of language generation models. BERT is sort of the big. That's what everybody is using these days to do you know named entity recognition and to do classification to do all sorts of things. Luke burt yes sir. 
Gosh don't have that top of my head. Bidirectional Encoder Representations from Transformers. Vegas guess out outlook warranty l. And they'll give you a random at your fingertips but you just call out like i just double check that you got it exactly right. I don't don't give me those crops. Do that at my fingertips. I'm also looking at a story in the guardian that says electricity needed to mine bitcoin is more than used by entire countries that's dummy thing so you look at things like BERT. And there's there's a good you know. I give this a presentation. There's a slide that shows it's got uh an exponential curve rate and BERT on some of its large because there's a small BERT and a large BERT. It's got you know something. Like a hundred million features maybe four hundred million feature something like that and then we've got other places that were headed like you know OpenAI GPT-2. NVIDIA's got one of these models on. Microsoft put out one last january that has seventeen billion features. Okay and so these models ago right. They are like exploding. They're getting huge. And you have to go back and start thinking about all of be training and research that is going into producing these models right lately. Don't just run it and suddenly and stare they do it over and over again while so. Msg will look at the sort of the carbon footprint of these models and she specifically looked at BERT that was one of the easiest and to train up from scratch one of these models that means you have all the features you put it into the machine to do the computation power to make all the weight of everything. In order to train that model it is the energy consumption of five cars in their lifetime. The same CO2. Yeah and so you think about. we've got. We've got that. BERT model which came out in october two thousand eighteen five cars just to train the base model. Now once it's trained, 
You can just use it or you can alter it for your purposes so not everybody's out there training these from scratch but the researchers are and then you look at the microsoft model seventeen billion features. I mean you do the math right like huge and there and these are typically rendered on GPUs as well like it's interesting. we're we're all computing GPUs here like the competition for these scalar compute units are important but the carbon emissions. You're talking about is. The carbon emissions of the electricity consumed to do the computation kept said he all really comes down to. How is the electricity that is true. Yeah so that's another thing that i've got that i that i sort of look at it in my presentation if you if you look at some of the you know who's using renewable. Who's using gas coal nuclear right. I'm you know. I've got a chart. That's got china. Germany and the united states and for renewable in the worst rate. So we're seventeen percent germany's forty percent renewable energy And and that has a big you know big factor in it. I think for me. It boils down a good bit to yes like. Where are you getting your your energy from. Honestly if you're having the you know. If you're making considerations between like the cloud providers or compute providers i mean they breakdown amazon versus google versus microsoft and the amount of renewable but they're using Google on top of that list and so that's a consideration but so like it's interesting right now as all of these big models are coming out. People are jumping on the bandwagon. And saying we need this model. Because it's you know it's what everyone's using and i would argue right probably manage. Yeah probably seventy five percent of the cases. They don't need like the latest greatest model to analyze their data. But you know that nobody's talking about it. Nobody's talking about the ramifications. Like if i'm gonna go and choose a model yeah probably just gonna choose the one. That's out there. 
That scott the best but maybe i should i should think about. Oh if i use this model it's using significantly more energy producing more carbon. Maybe i'll try some of these simpler algorithms first and see if as suffice for my needs. You probably won't though because you want to bang bang for your buck. There's no incentive free to do any. Hold that just a minute while we take a moment for this important message. If you've had automating your espn deployments on your to do list. Now's a great time to give octopus. Deploy try the starter edition. Lets you install octopus on your own infrastructure and deployed. I asked web. Servers azure websites in pretty much. Anything from no dacoven attis and they just made it free for small teams. Give your team a single place to release. Deploy and operate software with octopus. Deploy find out more at octopus dot com. All right. And we're back. It's dot net rocks. I'm carl franklin. That's my friend. Richie campbell. How to end. That's amber mackenzie and we're talking about all the environmental concerns and going back to the bitcoin thing for a minute. I just did a little cursory research. In terms of how long it takes to mind one bitcoin. You know if you have like a few good rig. And i don't mean like you know. The people have crazy rigs that take power. But i guess that you know bitcoin's a finite so it's kind of like an arms race to grab the next one and are pools of miners that have do you share the risk. Show the reward. But i also saw that. It can take months to mind. Just one bitcoin right now. It's gotten very scarce these days so the way the algorithm works there ahead of the intended coin release and so the algorithm actually gets harder as you try and push further along these things. So you're wasting more and more compute cycles right. so don't be thinking like hey. I'm a gamer. I got a rig. And you know when i go to sleep at night i can mind bitcoin. No that's not true. Two thousand nine. 
Yeah that is not true today. Yeah and so the guys that are doing. It are wasting big. Big big power is so just. The whole thing is set up to just exhaust the world of electricity resources. If that's where the arms race is going to go any any you know. It's a sin even are in death prom looking at just the mining of the bitcoin but bitcoin is blocked curve fact by blockchain technology and blockchain technology in general is is extremely happy tation intensive as well so it you know just setting up all of that. Yeah it's it's a problem. It's fairly interesting to think in terms of the resources consumed by your software essentially I i'm looking at the three. The three big cloud providers. I think are. They're all making sustainability. Moves are trying to get two hundred percent renewable. So it's like cloud will we. We'll give you your forgiveness for your for your energy. Consumption by by will will zero at audi. Even countries are further behind on. This is not car. Richard little speculation. i Cloud provider to create to use a nuclear power plant. Well they're already do we. Don't own a dedicated. They i don't know of any any data centers right now that have dedicated power. Plants have dedicated backup power. I mean i've done tours of the data centers in eastern washington that are completely hydroelectric power. Right which is considered a sustainable power so And they and they got rid of their generators because they got access to two different dams so that the point being we have backup power the form of a different day so we don't we're not dependent on power source. I it is interesting to think in terms of because you you realize. The cloud providers now are starting to lay their own data kale race right like that pass already on. So how much long before. They start requesting permits for their own power plants and we were talking on the geek out. It's about you know. 
The the small factor nuclear power plants that are actually much more manageable and maintainable and produce less waste and stuff like that. So i'm just wondering small of a modular reactor it'd be about sixty megawatts. That's just a big data center. Yeah very realistically that would be your power. For twenty years with a no carbon emission right but you got the challenges of nuclear granted the modular reactors a heck of a lot more safe and a better and more advanced than the typical power. Plant out there today but either way it's fascinating to consider the idea that these companies are big enough to buy power and the molten salt reactor you know at the same site to reprocess all the the waste then. The i don't think you do that. With modular okay. But that's certainly a line that they're going on but now they can sustain the comment. He made about sort of accountability. There're lots of companies. Who do things that put out. A lot of waste who are are generally held accountable right like they've got to offset their carbon emissions. You know. I haven't looked into a recently but as for a while ago. You know. Your your data computational needs i don't think is generally audited or or considered stuff like that right so you know that's another thing that eventually needs to be considered i think i'm looking at the websites from amazon and microsoft and google about sustainability in their cloud. And with these really re to me as is. Here's our efforts so you won't regulate right for doing it already. Don't let dealers. They're making happy noises. Look here we're on it. we're good on. There's an app for me. I think because there's so much less of a focus on our country about renewable resources. I think than there should be there. It's more of a marketing whole sometimes writes us to be like look where you know. We're more sustainable than the other guy less than a a requirement in more of just like a hey. This is a way for us to shed. 
Were we're better than the competitor right. We're the good guys. Yeah yeah while. It's one of those things where once one of them did it. All of them had the do it is. It is a competition yet. And it's just one more thing in any corporate governance in any company trying to decide what provided we're going to go with. It's like where are we on the green thing. that's it. And i think there has to be some incentive to go green as i was saying before and you know that the that typically falls in the in the realm of subsidies right you carbon credits and that kind of thing but you know that's the kind of stuff you have to do but it ultimately comes down to energy so how how do you incentivize companies and people to go green without to save gonna end up being the same reason that the the cloud providers are there's gonna be some companies who are doing a lot of data science who use it as a marketing poll. Right who said hey look. We're making sustainable machine learning and choices from an environmental standpoint. Once somebody abate you know a big company goes out there and uses that and then starts putting pressure and says well. We're doing this. Let's everybody else still you know. That's normally the way of it. It's a lot harder to handle. No i think make a movement. That's right we need it. Yeah well but i think there's another angle of this. Which is we're now at a point in our industry where we have more compute almost than we know what do with been very efficient with it i could. Moore's law has given us the byproduct of tremendous amounts of compute. Keep coming along and so we we find a way to use it during these zero incentive to efficiency when there's so much computer valuable although i really think twenty twenty one is going to be an inflection. Point 'cause we are gonna have a crisis in compute. The byproduct of the pandemic has been interruption in supply lines. And we're just coming into this. This shows a. I think it's on april first. 
So hey happy april fool's but the point being like with a shortage. Gp's is very real lbj. See when that impacts the club providers cloud providers are trying to rent as gpu time and his only so much to go around. So we're going to have some hardware constraints but generally speaking we haven't and we've been using things relatively inefficiently. Is there a success story or to where cloud providers have actually saved money by going more green. I mean i get the whole marketing thing. You know you can make it back that way But but is there a any as i said a success story where somebody went green and became more efficient. Save money yes. I don't know what it looks like in terms of energy costs these days fed until so my assumption is because everybody's not clamoring to go renewable that it's not as monetarily viable as you know they would like great if it was super cheap. They go that direction right. But i hope is how like just what you're talking about some of the crisis you know right now. The trend in machine learning has just been bigger and bigger right like the fact that they're just making models with more features right. Let's just throw more data at it in. That's going to be our solution for better. And he has to change at some point right like we can't just going in that direction. So there's gonna have to be at and this is actually been the case for deep learning for a little while like we're just gonna hit a wall you can't just throw more data says some point there's going to have to be a fundamental shift a break in research you know that kind of shifts sat around and i'm hoping that it moves us away from the computational intensive stuff we've start have been on top of lately. Didn't we see this envision as well where low resolution lower color plane images actually got recognition results than just cranking it up to eleven. 
He visited a good example right because it has so many data points like and it goes up exponentially as you get better resolution and whatnot and so they had to do something about that. Especially because if you're gonna analyze vision more real time. We just didn't have. Some people don't have the computational power doing that yeah we don't have the bandwidth right four k four twenty four bit color it real tie sixty frames per second image coming down. I don't care what pipe you got to the wall much. Let the computer understand. First step in doing any kind of image recognition is too pixelated because it down. Yeah it's easier to find shapes first and then maybe you know concentrate on areas where there might be detailed. But he's got that much detail and you're just trying to find basic shapes. Good luck a upon them right because they didn't just decided you that necessarily right like if they could have the bandwidth to analyze. You know super sharpen remaining. They would buy. That's not really tractable. So they scaled back and hoping that'll happen within as well. That's really interesting. Yeah so the constraints were not due to environmental considerations there to compute considerations actually came up with a few problem bigger than they could solve but in l. lp could benefit from that as well. But it's very interesting to think about what the equivalent of pixelated is for taxed. I there's every now. And then. I missed the research side in this light. Sort of being able to dive in one of those super complex problems. I i found it. There are lots of people about thrive on the research side for me. I really found it interesting but it can. it can get tedious rate and you can go down. The number of paths. don't lead anywhere But you know there's going to have to be well there's there has been since he was invented. The there's gotta be some. We have to come up with some innovations on the on the algorithm excited. 
And then we're going to have to have some of the linguistic you know further analysis that starts to tell us areas that we should be looking at it. It's always marrying of the two. I know where things are going to go right now. I'll be interested to see currently. It's all you know. Burt and these big algorithms that. We'll see where it goes. It's ottaway that they're thinking right now but somebody might they hate the. Let's give them a while to get there like with the research. Somebody's probably doing for sure. But any district for your career to. I also think you going into the field. And taking your ai nells and applying. It should be beneficial if you do go back into research. Say like this is what the other side is. Actually seeing this stuff like that gap. I'm thinking back to. The comet. joshua made like the gap between what researchers are exploring an adverse his what the industry is applying is pretty large and yet it's the landscape between research industries sort of interesting little bit political rate. Is this culture that is like research is sort of pure and you do it for research sake and there's a little bit more. There's a good bit more sort of collaboration going on between universities and private business. Who you know need. They need more. The research side in not necessarily don't have the resources to spend the cycles and generally like it's a little bit harder it's easier to go from academia industry. It's a little harder to go back simply because sort of this idea that you've you missed out on the fundamentals you've lost sort of a bit of a where things have had. Hey just contaminate yourself with industry thinking and rather than academic thinking that's generally the that's amazing. Yeah so it's like you get to go and industry but coming back to academic that's hard is hard. 
Yeah and sometimes like if you get our nfl long and you've made a name for yourself and you've been very successful than the bring you back and then it's like sort of honestly of marketing ploy. Look we've got this you know we've rockstar. Yeah this high. A person who's his comeback in has joined. You know our our department and stuff like that but it's an interesting world. Yeah a question Pressed against the politics of academia enough just to be aware it's like. Oh that's its own crazy. Everybody's every area has their own skeletons. The crazy politics of the c. Suite of most large corporations. And there's the crazy politics of the tenured professors in in research areas like crazy. It's really fascinating. I mean i love what you're working on. This is cool. stop. But i wonder if we can't if this is something we can't get from the cobra providers like give me the kilowatts involved in this run. You know the same. As part of the result said is the energy consumed. i'd love to know the kilowatt per transaction that somebody's want right like. Yeah somebody important not you or me like the like one of a big corporation. Who's using enough of their. You know cloud providers resources for it to matter. Needs to care enough to be like tell me about this. How do you up against somebody else. But we graduating bill us. Enough because we are granulated are billing these days right like to look into an azure bill for a company and be able to break it down by by department even even down to individual cases is interesting so if i know how much it costs i could probably find out. How much energy was consumed to cost. That pecan there the different. How much of renewable versus you know everything else. Yeah yep me and just even just knew the power consumed then you can. Then you could talk in terms of. Can i tune this to consume less power. Yeah you know So that was kind of what was interesting about. Emma's hey are you know. Is that she. 
She did have to break that down into like what went into training model and they you know. So there's GPUs and also there's TPUs that google uses, processing units. So that has its own energy consideration but She sort of dove into what went into training these models and how that gets translated into you know carbon usage and stuff. A guy was really interesting to kind of look at what she did there. but yeah. I think that's part of the reason that while. I'm not doing any actual work in the area or research in the area that i've been trying to kind of give talks about this on what i know about it. You know. I'm not an expert. But i largely would just like people to know that it's a thing that you should be thinking about at some point to be thinking about it but this is also going to impact your work year now thinking about this while you're doing natural language processing solutions for your company. You know for your employer so there you know there's a footprint there as well like what decisions are you gonna make different with that consideration in play and so that that's a an interesting thought that there's here areas that it's impactful in areas that it's not right so like if we are if we're just using ardent pre built models. Actually the energy consumption is is d settling negligible rate sigler. Incineration comes in when you start training your own. So when i was at PwC we we trained up a model with some specific data so that it was a little bit more targeted. So that's a case that like if we're going to start doing that regularly we need to you know we to take do. We need to be doing us. Oh isn't that a consideration for you in your current work to say i'm gonna tend to use existing models rather than think I should just make my own. Yes for sure. While if you know if you get to a point where you're thinking about training your own model you've got to figure out what are my business ramifications and and that's actually something. 
I've been working with my team. A lot on is coming like it's really easy to get in a data science group and just the focused on the technology. And what we're doing and and just using the best thing for whatever you know on solution are trying to go after really late getting a handle on what are the ramifications for what we're doing has fit into our broader business problem. If we're thinking about using this method it's gonna take way longer than ease maurice horses and whatever is it gonna give us an incremental benefit. Yeah that's actually worth the time in the money in and possibly the there's also a nimby aspect of this right is like we should always be making our own things like. Why would i use somebody else's up plus making your own things is cool like building. A model is kind of cool. Yeah well and i'm glad to see like transfer learning is very big right now Just helpful right so that so the ability to take a bottle and apply it to other scenario. Yeah exactly you know. I'm glad to see that that is a you know being used more widely. Because that's a place that could be helpful if you've already got models just tuning memo to fit your problem. A little better than than resource-efficient he using her model. You know those things are kind of in right now as well which is cool. Well it's fascinating for me. I've certainly going to take some notes here to keep an eye on this and a measurements guy. Like i'm big on. How could i instrument this. How could i know. All of the time What what's being consumed in how it speaking to the wonder if there's a factor of kilowatts two dollars at the that you would be relatively reliable for your average cloud provider. He i think if you know this or a bigger issue a good start up opportunity would be to sort of be a consulting company for energy consumption within large corporations like being able to audit energy Tell you where you can do better or where you might get dinged but right. 
Now you're not gonna get dinged so it's maybe not the right time for that. I think it's coming. I think there's a move towards dealing with these things. So i think you're very timely. Ever and also a thank you know the clean nuclear stuff that richard and i are following closely and that shows a lot of promise of course expensive at first but the ramifications are really really good. Yeah amber thank you. It's been a blast. Been a bitcoin mining complimenting. Get the bitcoin are. We were just absolutely. Yeah yeah sack all right. Thanks again. Embrose craig all right. We'll see you next time on dot net rocks. And dot net rocks is brought to you by franklin's net and produced by pwop studios, a service audio video post production facilities located physically in new london connecticut and of course in the cloud online at pwop dot com. Visit our website at dot net rocks dot com for rss feeds, downloads, mobile apps, comments and access to the full archives going back to show number one recorded in september two thousand and two. And make sure you check out our sponsors, they keep us in business. Now go write some code. Cnx time asking.

Hello World the Film with Shawn Wildermuth

.NET Rocks!

53:19 min | 8 months ago


"If you've had automating your ass peanut deployments on your to do list. Now's a great time to give octopus. Deploy a try the starter edition. Lets you install octopus on your own infrastructure and deployed. Is web servers azure websites in pretty much. Anything from no d cooper netease and they just made it free for small teams. Give your team a single place to release. Deploy and operate software with octopus. Deploy find out. More at octopus dot com. Welcome back to dot net rocks this carl franklin and this is richard campbell. And we're still here man. We're going to be here for a while. Still doing the thing with stuff digging deep digging in digging into the winter. Yeah it's come on hard hasn't it. Yeah of course. We're time shifting. According to the end of october for publication in november. So goodness knows what happened in the past month but it was very much a. I'm walking around in shorts boys. Nice out lino indian summer kind of thing to holy crap what happened. The joke of covid is everybody lives on zoom. And they're asking each other whether they're wearing pants right right and i'm not wearing pants right now. Like the joke right. Yeah i i mean i can say. I'm not wearing pants when i do blazer train. I'm wearing sweats. But i am covered. Yes unlike you know not hanging out. No why would you want to do a zoom meeting in a leather chair with no pants. That just doesn't make any sense to me. Put on closest. Nearly not that hard. They might get comfortable clothes like. I am very happy wearing my z. Slippers pajamas fuzzy slippers. Just you know. I don't wanna hear your size sticking to the leather chair when you get up to get a glass of water and the aaron chair so just accordion prince on legs. You don't want that either. Hey let's get started with a little thing called better. No framework roll music awesome. Where remember last week. I told you that the piano pop studios came to my house. Yeah it's it's in the house now right. 
Yup and i've been even composing some music actually arranging some stuff for the band on a tablet and You know we're. I'm just really having it in the house but i have some great memories of this piano and one memory. I'm going to share with you on youtube. It's from two thousand eight and this is sort of right. As the studio is being finalized you can see like the the insert. The inserts in the windows weren't even covered yet right and This is when the guards theater hosted a very famous jazz piano player. Cyrus and my brother and i got to talk to him afterwards. We went over to hannah. Fence had a beer. We were talking. Music ended up going up to the studio. And he was just sorta loving it. And i said hey. Come back next day. And i'll videotape. You may be dual interview or something. So i asked him to play You know something classic from his repertoire. And i'm going to share with you now. The video on youtube that he played By himself on the piano. It made it sound so good. So this is Swing low sweet chariot Yeah so good. The other thing about cyrus that really got me listening to him was his reinterpretation. Vince garage charlie christmas. That is a staple album in my house apps. Good stuff really good stuff so anyway. The of this time of year is coming up in. Just a makes me think of that when i look at the piano. That that's one of the moments that stands out anyway. That's what i got richard. Who's talking to us. Today i jumped into the way back machine Because i knew her today. Talking to sean. So i jump back to the show. We did with him in twenty fifteen episode eleven. Seventy four so six hundred and fifty episodes ago or so entitled back from the road. Which if you recall was when sean and his wife took off for an entire year traveling around the world in talks in different parts of the world exploring things and then he had a little accident and I think it was thailand. Managed to break his arm and so came on home and so our reaction to oh good. 
You broke her arm. Come on the show. Although we had a great conversation about the different cultures around software development and so forth and a to me feels like that show might have been the catalyst for a lot of things including the film. The podcast had already started one. The hundred episodes talking to developers This particular comment though comes from darren intimately five years ago where he said. I love this episode. Humans write code in the world is full of many different types of humans. The geek out about cultures travels toys and technologies important part about sharing ideas and recharging. Your batteries and sean really brings it home. When he says there's also the rest of your life and then we we ended up talking a lot about virtual reality which is hilarious. When you think about talking about virtuality twenty fifteen like just seem so long ago right compared to what's going on in vr right now And i think ultimately augmented reality being the more important candid conversation about we code in d you know what kind of interaction. So we're going to have like hottest his actually deliver something meaningful Which i think here we are five years on is still a big question more but to me this you know choosing to live and choosing to explore to do more stuff. He's one of the things i really enjoyed about. sean. I appreciate darren. Bring that up and So i wanted to read it. So darren thank you so much for your comment to copy music by. It's on its way to you. And if you'd like a copy to come by. Write a comment on the website at dot net rocks dot com or on the facebook because we publish every show there. And if you come in there and read on the show will send you a copy musical by and definitely follow us on twitter. I'm at carl franklin. He's a rich campbell senate. The tweet bumped him nothing. It's not right some days. I'm just not prepared to come to work some days. The work just comes to me right. well anyway. 
So shawn, it's been a while since you've been on the show so i'll read your bio again. Shawn Wildermuth has been tinkering with computers and software since he got a vic twenty back in the early eighties. As a microsoft mvp since two thousand three he's also involved with microsoft as an asp.net insider and clientdev insider. He's the author of over twenty pluralsight courses. He's written eight books, is an international conference speaker and one of the wilder minds. You can reach him at his blog, wildermuth dot com. He's also making his first feature length documentary about software developers today called hello world the film. You can see more about that at hello world film dot com. Welcome back shawn. Thank you. I appreciate you having me back. I figured after you've heard me tell every other story. I had that i didn't deserve to be back eventually. Down does that. We can go out and do and you adventures absolutely regulations. You're on the board the dot net foundation board. Now you're in trouble now. I'm in real trouble. I don't know i was getting myself into but it's it's been a interesting learning experience and then we've Family accomplish a couple of things early on but a lot of it is more long-term planning. I'm actually on the outreach committee To try to help you know not only bring more people to dot net But also one of the goals that the committee has to go out and find people in underserved communities that are doing great dot net stuff and sort of celebrate them more. I think that you know when you're in sub saharan africa or you're in southeast asia. Sometimes it gets overlooked. 
Because you're not in north america or western europe and into the we've taken that on as a as a of oil hope you'll pass some of them over to us if they got a great story i'd love to make a show absolutely absolutely Yeah we're working right now and putting together a plan and we've got some contacts in some parts of the world to try to see what they with what they need from the foundation and and how can celebrate them more and certainly share them with you guys. It's a great thought right that we keep thinking about in terms of the foundation growing up very much in the developed world part right you the west and yet dot net's used everywhere and a bit. They have very different needs in more developing nations. It it becomes a start to me because I'm out i'm a white north american dude like i. I know who i am. And the board is made up of Not that diverse group. And i am not just talking about women or people of color also talking about north america mike. I think six of the seven board members are in north america and the other one's in the uk like right whereas the rest of the world listen to and some people ran but they didn't win and that that also tells me that our membership base isn't diverse either because they don't know about you know all these great people doing great things across different countries south america central america in the other parts of the world. We've talked about that you know we're just doing what i think is amazing work and you can see that when you start to look at the open source community. That isn't a centralized. We tend to celebrate people who are closer to you know seattle or that are somewhere in silicon valley or new york or london. Some fortunate we can do better we can we. Can you know route to work other. I am fascinated by your hello world. Podcast because i know you told me long ago. Only do one hundred shows and you're still not at one hundred like year. hold off. i always happening. 
That's a good question me to michaela's an awesome interview. She's been on our show of several times. Like one. And i know you're going to be one hundred right like you get to be a pretty sure. I conducted that interview a few years ago. You came through and came by when i was in a. b. c. and And interviewed me for that episode. One hundred and i keep on thinking about how i can sort of make this happen. There's a. There's a list of of people that i really want on the show and they're still saying no in cuba dragging my feet like jessica find seven other people or do i wait until you know win the ones you want to win. Yeah that's tough man. Yeah you're there are hard gets like as i don't know who's on that seven but like if one of those bill gates like good luck dog. I would shove one of those seven out for bill concern. Yeah i'd make an exception for. Billy i thought okay now So now that the film is done. I'm going to be focusing. More on that before i because with code happening the next film. I'm working on That has been sorta delayed until we can actually meet with the interviewees then. How long have you thought the first one was great education on. You shouldn't make a film. Like i love you. Finish this thing. Not another one dude. It's how long has it been five years five years to make this move from the first Picking up a camera. And i did a couple of small local film projects to get my feet wet am and then you know so many interviews and luckily the editor. I got really helped me figure out what to do with all this great footage. You obviously a richard. You're in the film some great things to say And it's it's a really learning experience. Because what i thought the film was going to be initially isn't what it is it stroke when our free. I told me about the film i thought. Hey this is hello world. The podcast done in film version. Yeah which i thought was a fine idea. But that's not what you end up making. 
No what's interesting is that during the process of recording the film my nutritional vision and Because i changed the visual little did upset some of the backers Honestly but my original vision was love letter to software development that how it has enriched my life and i've been super lucky to have gotten Into it and it's in many ways it saved my life. I was born Pretty much in abject poverty on welfare in brooklyn new york and not many prospects and as someone who's dropped out of high school in college. That's not that doesn't make for a good resume right right In because i had this early access to software it opened up this whole world from me. And i wanted to celebrate that story and i think i do still in the film celebrate that story but in the middle of that i realized that I admit something like i. I was looking at some of the press at the time about lack of inclusion and diversity in software development and realize i never worked with an american women my entire career. And wasn't that that. I never worked with an american woman. I'd worked with east asian women a decent amount from india from china from vietnam even But never american woman and certainly not an american woman of color and what bothered me wasn't at that was the case. What had bothered me as he had never even occurred to me to notice right. Just didn't like what do you mean you didn't notice and That really shifted my mind about like this is. This is the more important story to tell like you know. I didn't want it to be this gotcha. Journalism and and software is evil. And all this other like he could very well fall into that well of of trying to be. You know a new special odd you know this weekend saw suffered of element we find out I wanted to really understand what the problem was. And actually richard. You're really kidnapped. Because you had talked about the history of software development that. I didn't really know what the time about that likes. 
The first eight developers were all women right and sort of what happened between that in the eighties when the numbers were abysmal whereas just ten years earlier They were huge. You know there. There's a great cosmopolitan article from the late sixties inviting. Cosmo girls to become computer. Girls like it wasn't not only welcome but it was almost expected that this was a great career choice for women and that are what happened. Yeah and the ads all targeted boys. Yeah for those early computers and there's also you know there are problems in the education system as well that that we explore in the movie and we talked to. The chancellor of uc davis. We talked to the president of harvey mudd college about how they're how they're improving that because when home computers came in and boys usually Gravitated to them because of video games video game right were so masculine at the time. That by time People came to college they They had some computer knowledge. Unless you were someone that didn't touch a computer before them and you know the idea that we are now that we created a college system assumed that you knew something about Something before you got interested in you know it's not like You know when you're going to georgia tech for civil engineering. There will tell me a little bit about how you built lego and how that relates to your major right absorption right. You never would ask that question. No but in computing. It's completely normal. You're expensive already done the work and in a lot of these things. I don't have an answer to exactly why all the stuff happened. But there's a lot of little pieces like that You know one of the stories we delve into in the in the film not to be to spoil. Hillary is at harvey. Mudd has had this great success. 
Going fifteen to fifty percent women in their programs and a big reason for that was actually changing the way they approached it and taught it in a an a big change was moving from java and c plus plus the python and Of number of things they did. But part of that was that the the ceremony around plus plus and java. You don't need in python and so as a first language python is so good because you can get people to see something happened before having to understand the thirty four little things that right right. Yeah and Also you know encouragement of people Both women and people of color because one of the things that occurred to me. While i was looking at the numbers and digging into it was that you know we spent a lot of time in the last five years lamenting that fifteen percent of suffered developers are women and we need to get that number up But the numbers for for african americans and Lat next people lease even lower two and a half and a half percent right and there have been a more than a handful of a people of color that contributed to the history of computer science in computing. You just don't you just don't hear the stories but if you go look for the meal following them yeah the the i don't have the names in my head because i never do have the names but the guy that invented the computer game cartridge is a major color The guy who helped find all the financing to create this little company called. Hp you may have heard of color right. He wasn't healed or packer. He was the third partner and hewlett packard And it just goes on and on and on you know the all three d Computer a three d. animation that we have in films was started by the the guy who wrote the the first render for for three d. animation. Like we don't we don't talk about these people but there's tons and tons of people and you know not you know when you look when you look back at men and women of color were just. Were just not doing it in what the problem. 
There's in the eighties because expectation of maybe having a computer at home a poverty came into the picture like. How do you expect someone to be interested if you expect them to have. And the percentage of people being get into college are low in those communities and then you add on top of that sort of this expectation of knowing software now. I don't want to pretend that. I'm not aware of the optics as well. I'm a really white guy. Like i'd look like if you've never seen me in person. I looked like the comic book guy right. I i know who i am. But because i came up in this because i feel that i'm really lucky in that i found software and i've found success with it. It's not like i didn't do hard work but a lot of it was luck an privilege if the people that live next to me in the projects in new york. Growing up probably. This wasn't even open to them because they didn't look the part right right. And i walk into a place even with a substandard resume off and they go. Oh that guy looks like a software developer. We should hire him right and that and that's a lot of what happened to for me to recognize it. Yup i'm really lucky but part that luck was that i look i honestly i look the part right. And that's that's troubling to me. Because you know i never thought that was the case until i looked at myself in the mirror and that's sort of the other thing that i hope the film does not only do i want to encourage in in and talk to people in different communities about this could be a great generational changing career for you like you can change the you know the the trajectory of you and your family with this sort of career but also that i want to look at the developers who think that you know i. Of course i don't. I'm not biased. And of course. I'm not i don't i've never hired anyone you know. I've never been prejudiced against anyone getting into this career. Are you sure. Because i didn't think. 
I have either right where you certainly you may not recognize but you certainly benefited from your privilege. Huge you don't have anybody to compare yourself to. That is not privileged because you hang out with other people and so that there's the blindness right there it does. It is yeah know the fact that you know. I certainly went to user groups and was like. Oh look there's a. there's a recruiter not a developer. Right i assume that the pretty girl in the corner was trying was working for agencies not a developer. Just like me. 'cause i you know that was. That was my bias. Even though i thought it was innocent at the time it wasn't it wasn't and i hope through the film. You know it's told sort of my story is the backbone of this That i hopefully am overcoming that bias. Like i'm never going to be rid of it. There's always gonna be that little reptilian part of my brain. That is gonna instinctually. Go there first but that we can overcome that and pretending that you don't have any bias. I think is is the real tragedy there. I don't know the overcome by other than you. Don't allow the bias to control your decisions. Every time you're in a context of making decision you think about at least twice and say you know. What am i missing. And you know the other problem which this episode of the podcast has the same problem. Is you know worth three. White guys talking about diversity. The title of today show guys knocking about diversity. And i don't. I don't want to pretend to be the white savior either like i don't. I'm not gonna hear this. I just want to I just wanted to take the lid off a little in. Ask people to look at themselves and You know in applauded. Bet that i think we are getting better. You know it's not. It's not that simple. I'm not going to say we're good but we're getting better for the reason. The the problem is more surface. And i just find it interesting that you pivoted this piece. 
You were making this this film era making as you watched what you had made. Yeah and a lot of that is attributed to you know. Interesting film is a little bit like software is if he tried to do it. All you're never going to be good at everything and i had to learn. Oh you know what. I need an editor. I can't learn how to edit and make this film good. I need to find people that can do the music. Even though you know i i'm a musician but i'm not a film score right. It's a it's a different skill set And on and on and on camera people you know it took a a team to really put together but it's also the difference in the mindset to like your editor somebody who you could learn to edit but heavy someone else at it because they're not you they are going to see your film differently absolutely absolutely in fact you know. We had an early cut of the film. And my editors wife Was was watching My editor sorta review some of the things. We're doing and she was. That's a lot of white guys. We're like yeah. We know not funny at the same time. Hey hold that thought guys for one minute. Show we pause for this very important message. Hey here with a very special offer for music to code by you can now get the whole twenty track collection for nineteen ninety nine while electrons last good my new store at pope dot e dash junkie dot com. That's pwlb dot. E dash junkie dot com. And get it now. Before i change my mind all right. And we're back it's dot net rocks carl. Franklin that's my buddy rich campbell and That's sean william youth and were talking about hello world the film and sort of our role as privileged white guys in at least recognizing what everybody else has been recognizing For maybe hundreds of years if not resurfacing in the last twenty years One thing that occurs to me in in all of this things that i've learned is that you know when you when you make a comment or you know you. 
You have a bias in doesn't really affect anybody's life because it affects you in the fact that you're just making yourself more blind but you're not just in in in having a thought it doesn't really impact anyone's life but what does is when you're in a position of power to hire somebody for a job or to appoint somebody to a position and you in those biases get in the way and you end up not taking the most qualified person for the job or you end up not even considering somebody because of your biases. That's when it really rears. Its ugly head and i recently Saw though of President trump standing with his interns and compared to a photo of president obama standing with all his interns and you can see the president. Trump's interns are entirely white and president obama's interns come from all walks of life and very in lies the issue. Right the you're in a position of power where you could give somebody an opportunity and your biases are going to get in the way and that's when you're doing real damage to society and in allowing your biases to contribute to real problems but i think it's important to think about it as not just the people in power certainly with abam in trump. That's the case but the way that we interview people in in tech is interesting because you sort of have the moss interviews them and then the team will often interview them and one of the things teams are often looking for is a culture and fit. Right yeah who are they going to fit in here. Well that becomes a point of biased. That you know someone can go. I don't think they're a good fit whereas they you know whether maybe english isn't their first language or they don't say the right words explain the things in the same way one of the things we explore in the film that i think is so crucial. Is that these These on diverse teams make were software right Like if you ignore social justice like pretend just for a minute that it isn't the right thing to do. 
Yeah we still have a benefit of increasing diversity because it results in better software. We're talking to you. Yeah we were talking to the chancellor of uc davis and he was sort of iterating a bunch of projects that were a problem. You know airbags weren't designed in. There were killing women initially because they'd only used male crash test dummies when they designed right. Who would have put a smaller women in front of an airbag. My favorite one of these is that when he goes to an airport and washes his hands he has to turn his hands over because he's a man of color in order for the water to come because it was never calibrated for his dark skin. A and that's like you know. How does that. How does that happen. Like how what yeah was ever you remember when the kinect came out and there were stories of it not recognizing people of color welling. Yeah all kinds of facial recognition systems not working with right colored skin. Yeah y- kodak. When we used to for those of you who are old enough we used to go to drugstores and have them print out our before. We could see when we took talk with yeah. Calibration of the systems was based on a blonde haired blue eyed woman right and so when you look at old photos of people of color they don't look right because the that calibration made their faces much harder to see, their skin color much darker and so you know most people have actually seen this effect than alike where people in the were people of color in the fifties darker. No it's our. It's our biased film. Like you know it's it's crazy and so having people of different backgrounds and ideas, it's just so key. I'm handsome and in the film talks about you know if you're making a medical software. Do you have people with medical issues on the team. If you're making software for the military do you have people who have been in the military and mike. It's not just about color and gender it's about all sorts of types of diversity. 
It's not it's not as simple as saying we have to raise women. Fifty percent of the workforce and raise you know. African americans have fifteen or twenty. Whatever the whatever like it isn't about those quotas about we wanna as at least from my view. I want to do a better job of writing software. And i can't do it from my one perspective. He challenging part. I see in this. Is that lots of folks. I've been brought in on on teams as a consultant. The teams are more concerned about peace like naught decision with each other than they are about managing conflict. Well yeah you know. And i bring up the idea of like nobody made steel with a little heat right. You just not too much heat. And so the. There's i think there's a fear of diversity because you're not going to agree. And that's the point. The the all of the assumptions that you're automatically making when you're the same when you're different. A lot of those assumptions options. Don't happen that way they actually. And that's the where you get better software from it absolutely absolutely. There's a there's a famous book that i'm trying to remember the name of it About abraham lincoln's presidency. Where he he brought in people from all sorts of different Views to disagree with him. And that's how you get the right decisions. Made when i was working on teams i. We said we heard you're talking about yes. The t revivals the team Arrivals yeah great book. I don't mind if my opinion is wrong. Or i want everyone on the team to be heard even if they don't win the argument and i think we get into the space of wanting to win the argument so much And it's interesting that sorta alpha You know Super coder idea. We have is such a male view of how the job is done. The lattice person in the room wins right. Well it's of zero sum game before. In order for me to be successful you have to be unsuccessful. 
and also because that becomes The culture in some places you get people with great ideas that aren't Extroverts that you know that don't have those personalities that that are afraid to talk in the situations and many times. Those are the voices you need. You don't need the same three people on the team leading it in every case because then all voices aren't heard you know and that that feeds into that whole you know hiring fit more than skill. Right I don't think we think about it in that sense. You know there's been a lot of discussion about how many superstars you should hire on a team. And i'm like well maybe not in you know. It's not sustainable. Yes right and and and be. Yeah they squabble. Anyway i had. I really talk about constructive conflict. I is destructive conflict. Absolutely we wish we do show a year ago. With lily dart that i titled maybe incorrectly empathy versus sympathy But it ended up in his conversation about diverse teams. And you know we. We didn't do service at the top near as well at the time. But it certainly hit me that it's not enough. Just to include domain experts folks that that are reflective of your users but to actually have the diversity right in the team writing the code because it will make for better code pretty consistently. Yeah i certainly think we're in a better place now than we were when i started. Which is where you would talk to the users you would write these gigantic documents and then you had spent four years writing the system and then you get the user involved right This iterative process helps that but it can only be it. Or if i think we can improve our iterations by having you know this diversity on on teams and that's you know that's not a code word for you know for getting rid of white guys in hiring black women right. It's not that simple. It's not that simple. You know When when everybody comes from the suburbs you get the same You get the same ideas in the room and we want new and different ideas. 
We at least i do. I get bored. Which is why. I'm in this Job bright writer having people to to to open my eyes even though my instinct is to fight it. I like my in steph. When someone disagrees with me is my stomach gets into a knot like But once i get it. I'm like oh okay yeah. I can admit i was wrong. I wonder if the pandemic has served us in this scenario two. I did a show on run as we talked to beat where one of the statements that guy may was. Now that we're all uncomfortable. Wanna talk about uncomfortable things. We certainly are uncomfortable. Yeah we're definitely uncomfortable. And so it's not a bad time to explore this stuff or arguably. It's always been a good time to explore fewer excuses not to. Yeah absolutely well. We wouldn't want to upset the status quo. This status quo is upset. Yeah so now. Let's dig in absolutely absolutely and it's it's an interesting You know initially when this. I realized that this was the story of the movie. There was that inclination of like not wanting to disturb things. Like i don't want you had a plan you recorded to the plan when you did your interview with me. This was not the plan right like no that they but we usually complain about this right that creators reporters like they take a story and then the the interview. The did with me was not about this and yet this is what you've gotten from it so wrong. Although i don't think it is like you made a discovery and ultimately reedited your showed spoiled discovery. What i find fascinating by documentary film especially is is. It's it's the same process of software. What you're building in the beginning israeli. What you really better in and businesses are like this as well. The businesses go. This is my business and this is x y and z. And this is what i'm gonna do. They fail because they don't hear from the customers after respond and go. Oh that's what you really need mariah. I'm going to serve. 
And how many times have we done this halfway through the software project. We from figured out what we were actually making exactly. Yeah exactly and that's you know. I think that's why i i'm still enjoying There's an old adage About film is when you're when you're making the avengers or something like that you film about four minutes of film for every finished Minute of of of of the film because you know what you're doing you can tell the people what to say like all of that. That's the expectation in documentary. It's closer to one hundred two one. Wow yeah and so. Those films are made in the edit bay not not in the interviews or not in the kind of feel better about how long i'm taking on the history of dot net because i have that same feeling. Yeah that i keep finding things in collecting these stories. That completely changed my mind about what this is about and being open to that change. I think is good for software development and anything creative. Because that's the other thing that is important for me for people to hear who sort of explore this idea that software isn't as matthey and scienc- as hollywood or even developers want people to think about that. Sir you can be creative and a great developer. You don't need to understand euclidean geometry in order to write a great Apper support a great team or help people do great things that it you know a john. Romero of doom fame Talked about it if you want to get all into it. E can become all math and science. But it's not required not needed i. I've always liked the the bridge analogy. It's like bridges can be beautiful. I they move cars across the river right but then on top of that when we talk about a good bridge it has an aesthetic as well it has an elegance to it and it is good all the things that needs to be unless there's a month man involved then doesn't matter different problems i think he also brings it back to its engineering. But this isn't just because engineering doesn't mean as creative yet. 
And i think we've i think we've sold that incorrectly because we've a lot of what's for dogmatise doing is isn't trying to you. Know defying things in these minutia ways. It's about helping people and if we focus on what that it's about you know there is some percents that helping people means increasing sales departments sales numbers right right. But there's a lotta software out there that you know that is helping you know. Find new drugs or improve people site or let them enjoy downtime. All of that counts. What we what we what we think of as what software is a lot of stuff counts that we don't think about you. Know someone programmed the The stop light in your town. Yep how long they go had get that feedback loop like. That's an interesting problem to some people. Some people also you know but designed the the the website for amazon. And you know they're they haven't changed anything in twenty years so they re architect under the hood. I happen to know that much. But you're right aesthetic. But you know what i really appreciate this. This aspect sean. That the other thing diversities that you discover that there's when you are all the same people they like all the same things and they dislike all the same things even things that are important when you have diversity people you often discover that there are things that some people really liked it. others really don't like isn't it. Great to have the person doing the thing that likes it. Not only will they enjoy doing it. They'll do a better job. Yep yeah absolutely. We've seen that with you. I in the last twenty years in that you know. There's a reason that the screens look the way they do on on old airport terminals right because that's the only people that were in software development at the time it certainly technology leads to but now that we're in a space where people can design these intuitive pieces in the end the hardware could actually make that happen. 
We have all sorts of people as part of that process. That just like pretty things. You know what i mean and it does pretty valuable. You know we just a couple of weeks ago with billy talking about you. I designed. It has a straight. Roi that when things delight twin. They're gorgeous when they flow and people are more productive that makes money. Yeah absolutely but when people wanna concern like how long are they staying on our website. How is it to us and how ugliest it has more to do than right. Yeah if you're if you're metric is dwell time then you are. You could easily be encouraging bad designs. It just takes longer to spend to get anything done. Yeah don't realize that the you know by only having one view you're limiting it to people that only have that one experience with it it to stick around you know and so you know the hope is when it when the phone comes out in mid-december that I just i just wanna open is and hopefully encourage people that aren't in the industry that they can do it. I've had so many conversations with people about like. Oh i could never do that really. I think you're wrong We get caught in this like while you have to have a developers mind. May maybe you do to to run the top twenty projects in the world. But as i think. I think this is actually from you. Richard in the film software is everywhere. It's pervasive you can do anything you want. And this and that to me is so important to tell people you know if you're interested in whatever it is they're software that supports in runs that and so you can use your passion in that. That doesn't have to be this. You know geeky nerdy thing. In every case he decorate thought. Sean what's What's next i mean. I know you're working on this new thing but Is there any young. He tells the kabylie region. Another film can do. What can you talk about the new film. Little bit i can. I can the That film that. I'm fine dot. I'm fine film dot com. I am f. i n. e. f. I am dot com. 
I thought after tackling such a lighthearted subject as diversity That next i would choose something a little deeper Actually doing one on childhood trauma of men. Next so yeah. My wife was like seriously seriously so. Yeah so then you just jump deeper buddy. Wow so hopefully. This one won't take five years to complete your self a good list of people to interview. If i can ever get on a plane again right well. Good luck with that. Thanks yeah and be sure to tell us about it. Next time you come on. I'd love to all right. Thanks a lot sean. And it's been great talking to you. Thanks for this really important work. Well i appreciate you guys giving me the up. Talk about something near and dear to my heart that all right. We'll see you next time on dot net rocks. Dot net rocks is brought to you by franklins dot net and produced by pwop studios a full service audio video and post production facility located physically in new london connecticut and of course the cloud online at p. w. o. p. dot com visit our website at dot net rocks dot com for rss feeds downloads mobile apps comments and access to the full archives. Going back to show number one recorded in september two thousand two and make sure you check out our sponsors. They keep us in business now. Go write some code. See you next time

TDD in 2021 with Ian Cooper

.NET Rocks!

54:05 min | 3 months ago


"This portion of dot net rocks brought to you by couchbase a modern multi cloud to edge sequel friendly jason document database for building applications with dougherty performance and scale. If you're new to couchbase would like to learn more. The couchbase developer portal is the best place to start. It's loaded with tutorials videos and documentation as well as best practice. Tips quickstart guides and community resources including the couchbase developer community forum to get started developing on couchbase visit couchbase dot com slash dot net rocks. That's couchbase dot com slash. Dot any t r o c k s. Welcome back to dot net rocks. This is carl franklin. And this is richard campbell. Where live at nbc manchester online. Ian cooper's here but except that part where none none of us are in manchester. Yeah yeah okay. Well that's okay. It's all relative. somebody's in manchester. Did a road trip stop. Manchester play initially did the show in a in a club nightclub. the club. Yeah it was a strange one of the more stranger sets done but was a lot of fun because manchester is known for two things live music and football hooliganism. The yes we saw. Both i remember the day. We relieving o'clock game. We got to the train station at ten in the morning and there was beer everywhere. Everywhere just people have been drinking's eight in the morning because clear. The pubs open early. When is going to be an early game and it was. It was a state of affairs. And you know you don't wear the wrong colors in manchester. You like gang warfare. You'll get you'll get a wedgie. An atomic wedgie find pieces being a dumpster. I don't know it's manchester. Bad things get serious of dives and football is very serious right but anyhow let's let's start how we always do with a little thing. We call better know a framework well. This is pretty cool. Go a bp iso with your browsers now. This is an open source web application framework for esp net corps. 
And why do you think you might need a framework for a framework. Yeah that's a good question. Why would eat that. It is a good question so just to read from the website. Abc framework is a complete infrastructure to create modern web applications by following the software development best practices and conventions so it sounds fairly benign and boilerplate. But it's only missing the word paradigm and it'd be bingo right. Actually the word boilerplate is really what it's all about. So it replaces the popular boilerplate ten project with their own. Which has some things in it that help you. So it's micro services ready it's multi tenancy ready and it even has a blazer. Startup template helps you follow. Dd in in the dry principle. It's sim- really good stuff. And it's of course open source and free to use so it's a. It's a good thing to check out. I think co sounds what we should do. Shell on it. We should and source project right. Let's dongo so take a look at everything right awesome. That's what i got richard. Thanks who's talking to us. Grab your comment of show. Fourteen fifty eight. That's right back to the before times. July of twenty seventeen publishes show what we actually recorded in june at nec oslo with one in cooper maybe hurt him never heard of him. I nine titled the show the dot net renaissance. Because that's what ian wrote in his blog posts and was one of those things. Thought i think we'd interview to maybe four months before normally don't people maybe once a year or so. It was one of the things right. I read the blog was call. An opinion is like we need you show on this because he was talking about something. I'd certainly been aware of. Which was that. Microsoft had turned a corner dot. Net had was was ascended again. This very mature framework had rebooted itself in this amazing community. Emerging of really showing. 
I recommended to your listen even though it is you know pushing for years old now And this particular comment is actually referring to me. This is from chris zink admittedly written for years ago. Ankara says I richard made this calm during the show. And i have to correct it. He mentioned that software engineering is not a profession yet. In canada at least suffer engineering has been a profession for almost twenty years. It is a regulated professional engineering discipline. All professional engineering lights. They requirements apply to anyone wishing to call themselves a software engineer again in canada. You must be a licensed professional engineer. Use the title engineer. You cannot legally call yourself. A software engineer unless you're also eight p. enj- as well there have been accredited bachelor of engineering software engineer. Brooklyn's given by canadian universities for a couple of decades. The point to all this is. The profession does exist for software engineering their mandatory c. p. d. requirements ethics professional practice guidelines so on that define immature profession. Most provinces have licensing pass. It allow current practitioner to get licensed with some effort. The regulating bodies are responsible for regulating the profession. And they're working hard to get practitioners. Licensed the engineering. Regulators are doing this because there are major public safety issues around many aspects of software as an industry. We need to understand this and support the profession. And if you're looking for more information you can go to engineers candidate dot ca and they do have a white paper specifically on what constitutes software engineering. And i have been doing some reading I'm wearing this interesting state. Where here's this body. That is identifying engineers and ask you qualifications and so forth but largely. 
They are still kind of pitching is to the provinces so similar to the way the united states work with the state sort of make certain rules the actual regulation of software engineering in all kinds of engineering. He said a provincial level so the rules are different from province to province and They there's really any enforcement around any of this right now. Also they have the the ideas but they're they're still very much pressing against. We put more legal constraints around this. What is this. I mean the united states is you know anybody can use any term for an inch is considerate a marketing term. You know like pain reliever for example could just be a marketing term. It may not relieve any pain. Oh no it's just what we call it. Well there are rules again. Question of enforcement right. The federal trade commission does have very specific things about generally for stuff. Like can you call it bourbon. If it's in tennessee. Well yeah that's a federal thing and yes yes you can. But only if it doesn't do any carbon filtration. Look at it. You jack daniels separate issue so i mean chris great point and i have to change my pitch on this whole issue because obviously there are group's getting together to get more serious about when engineering looks like you know the same rules. Apply engineering. typically. There's only one p. ange per project like you're talking about constructing a bridge. It's lots of people involved in that but now all of the need to be civil engineers not much less have their pinch their their stamp so to speak so we could see a time with certain classes of software are built that way and one would argue that some software is already starting to be built that way because you know more than ever. It's becoming abundantly clear that suffers running the world and we really ought to have some a thirties around managing. Yeah so chris. Thank you for your comment. Eight copies dako- buys on its way to you and if you'd like coffee. 
Piece co by write a comment on the website at dot net rocks dot com or on the facebook. We publish every show there as well. And if you comment there. And i read it on the show. We'll send you a copy music khobar and should definitely follow us on twitter to keep up with dot net rocks. I'm at carl franklin. He's at rich campbell. Hey senator tweet you know you can use the boiler plate tweet template. We don't mind all right. It's my great pleasure to welcome back to dot net rocks ian cooper. He is a polyglot coding architect and london. A founder of i d. Doug speaker tabletop gamer. Geek he is also tattooed. Pearson bearded the gove on at brighter command. Welcome back ian. Hey that's l. d. Knock actually the london. Donate user. Could chum i get it yeah. nine as co conspirators. Run between few reached with the london in canada who we occasionally yet some clashes with in terms of our events onto. It's okay and that's london ontario little london not the because nobody handed called new london. Because who would do that. Nobody who that i know. We're the littlest london. I guarantee it with the littlest new london. I'm anyway. Yeah i'm sorry. My didn't really differentiate between capital i and lower case. Oh so i was just reading all but it's good to have you back sir Long always learn something from you no matter what we talk about. So what's on your mind lately sir. So yeah. I was talking today about development. A mega famous talk about that in twenty fourteen. Nbc also which. I think one of nbc's shirts videos until storm install with his code. Do with that. Yeah but yeah. I guess about. Is this kind of fork. That seemed to happen In in the way in history of practice of test development about virtually at some point if people kickback multilateral working at the chrysler corporation in In the us from great practices x. pdd cetera. 
And it's clear of people understand when they when they produced the practices Publish them they've been doing this for some time. And someone solution should share this with the world. Kim's book about td is if you read it. It's not really a great beginning as because it's actually him explaining practice. He's been doing a question time in detail. It's more Close one of the problems with with the book has happened. Is that people who read. It didn't really necessarily get exactly what he was. Focusing on the law of techniques from a much more classical approach testing unit testing integration system testing so unit testing Moral allied test poisons that more jewel omnicompetent both sense usually not to do that. Do his eyesight. Well any other mortals yet talks to substitute goes with some kind of dummy integration tests Each other then all system test in august two local weather defects happening during black box testing a union undetected from dummies feige. It's the unit causing the failure of integration. The integration of these two tested units must be wrong nothing to do with test development. Unfortunately what happens is really the people in politics when the talked about. Td this unit tests. I really wasn't any moments doing but happens that this package with the people said. Hey we should isolate this thing. We should use substitute surrounded Moral we took a call for example we said. Hey well that's that's obviously all units. Let's substitute everything around it. Then next year. orbits dependences Become us that'd be volunteer unit testing when we can do it. Integrations has likened have tests talking to real things muggy assistant test. 
Let this growth mocks at Constructed that had what will finish huge number of interfaces who is taking a type language or even the type talk spicy language on these constructs already grown and what happened particularly in Second taught languages as we go into integrations that might depend on this object my satisfied that always interfaces it depends on with these garage off subject so we had to have ohio sea containers kinda bills So we can essentially realizes object untung telling and this whole direction. I believe was a completeness mistake. Talk about null being million dollar mistake. This is a whole paul that if we could take time back and say hey maybe if we got some history when we change the folk when went towards unit testing actually went to what the later particip- develop or program attesting seeking go look at what's called the see tiki. She took a repository of old school The beginnings of ex-pm tedi to phones Attested is and it says. Essential yet said test war effectively to test some behavior of myself. I'm going to do that Blessed During the smallest possible change. That i can make to implement some of the acceptance for its localization is simply in the my test break that lost like did you should be quite small. That's cool was that five. Am i should either reverted pure stores are votes. It won't be debugged On stock and then if not. Paul doesn't release smokes. It doesn't really need. Is consignments this very different. Approach as people struggle with a recurring factor have is that. What if you've done your thinking about design upfront. such that you can inject will. These interfaces described the collaborative projects. He must have been your head. Conceive of some kind of cross are i'll keep cetera. One you probably designed if what you do that she said. Hey this behavior the test how magog implement that's right so the example uses throughout the book so the money call Says well i. 
I want to buy she team touch different conscious atoms together and get results in the first concept. That's a typical He's gauguin to this place. You method calls county. say what. He's this behavior down Came along have higgins's He said that behavior. You'd say well what's the simplistic like the Brought to move one step forward towards that and he essentially said Test to prove that files green tests which is the the naughtiest implementation can think of your explicit. We also do something horrible stock flow incites Correct now now. i'm getting that. Yeah all the stuff that we moving those developers do as you do that. Dual that against the cost as soon as possible and you kinda step back and you go. Coatless hopeful akasha. That's my friends refactoring now. What i could do is actually that knowing that the algorithm is that i want to do well could refer to the trial. And that's when designed emerges and she that point. because that's unattached. I could break breakout clauses. That new tests and the idea really is it that the Language in something like seashell being tunnel in the public and be saying well no one should be cooling. That's how implemented lie cowrote factoring in time so that was obviously on the throw that away and redo it said gives you that kind of ability to keep changing her to prevent firm and lost the rights of a joke in that a test. Her walks into a bar orders a beer or two zero beers orders. Nine billion nine hundred ninety nine million nine hundred ninety nine thousand nine hundred and ninety nine years orders a lizard orders minus one beer in orders of who first real customer walks in and asks where the bathroom is and the bar burst into flames. Killing everyone a i lord about tested. It's more about designing an ipo. And that's really what. pdd is behind. And step lestat controlling scope. 
So that you don't watch actually if you do it this way you get that promise oh of self-destructing zones and i've been kind of this war call the bit because we've go this direction which isn't giving people the results won't that is very expensive to do on the lens up with these tests which already fragile out then. Let's be revealing to these working online. That's anything do now. All your tests can pass. It could still blow up in production unit tests and integration tests. That are so valuable valuable technique. It's just a different people. You know me thinking about that. The test permit roy Switch bowl doing test development radio around. What is the spice. The design actually addressing their other spices live user interface where test driven development is not technically looking for testing unit testing intestinal purchase. Maybe all winds. And yeah i'm willing to clarify exactly what. Td is portland's. It's good soaping. And said as paul of all mix of qa tools on. We should understand tools. Beth stage age appropriate If i've only got to hammer on going to be buying those cruising lines early testing a suite tools. Td is the hammer sprite for niles. But sometimes i'll go screws screwdriver when we need to get a little bit. Stand back inside the tools of on which one's going to get me. Get the best results in their tumor. Results looking at one is a want to get feedback now on decisions on making as cove. And that's she cheating or i won't protect my sofa against regression against blowing from judge a production and that's classic Task integration test. home concession. Yeah absolutely the the challenge here is to order of execution like we've always been pitched on this idea that we we focus on the testing would make us think more clearly with. Api should look like that that that's right we do that just putting yourself in the customer's shoes. Yeah i think so. I mean germany will. You should be working with us and kind of story. 
Customers defying acceptance criteria. You dumped me to come to do that. You can do that in your I'm really what you need to side is. Hey well i'm gonna for something. What what what is what is actually trying to achieve. Success example trying to achieve building cost support money trump to look what the acceptance criteria needs to be added in two different kearns. He's quite terrier. Let's have a test that showed me how that's what you re draw those bureaus exploring sti usable and effective and simple. So i do teach a welsh. Browning's upset there was gang with law one of the things i've them Shot video of me doing it but styles ripe Testing and doing anything as far cleared a difference in the one that i do kinda more unit testing approach. Land up with a client overcomplicated dissolving. Worthwhile i ended up going. You see the policy in this kind of a represents spicy gang with live tests so much clearer you can read the test exactly how the transformation is occurring between the two goals. That is poll. What you're doing you're saying. Hey developer how. I want this to work It is clear. What will the pit of successes for using miss. This particular api reminding too often. It's nor hey hero. The weeds detail was on by the way this documentation. Because you're never going to figure out how to usual reasons details without all this documentation such worry about the kind of a punt. It's like put all the things in here. You figure out what you want. I think sometimes. Yeah i think i think we as develop his arm. Callings to Mega this will happen. Will make the that'll happen. And i think it severely affects attempts to be calling. It's like that could come up. I bet i better make sure. That's that's console for lines and thinking of possible things anything get payback. Some point in the future because his come up when someone got. That's really great. He so that but the reality is call from what happens. That comes up and he kinda like. Yeah we had to stop. 
It wasn't quite Yeah but initiatives get stripped back to the whole yagnik Figure out the basic case. Get the basic case out there and then use feedback decide with the next case. The next version is to look like. Yeah it pretty much but even watching. That's what you will be putting tests be false because emergency Qualm about speed is. I really shouldn't be instructing Watching it looks like it. Smooth challenge okay. That seems to be making progress won't change And it really helps people qualified to work kind of really increase. Your actions of ebony have so much in my head right yeah. I managed to justify spending a lot of money on testing infrastructure to keep test times under fifteen minutes and my theory being it was as much time as it took for the for the debt to stand up declare himself a god and then walking off over get some coffee and by the time he got back with his coffee all of the errors where the l. Because we're finding was they still stood up to call themselves. Godwin got copy with the the tests. We're gonna we're gonna around at the end of the day like we were doing those kinds of models so they worked on something else. By the time they got the air reports back. The code was out of their head. Anyway yeah particularly on is to find if you're running cli sweets back in the die you had this whole kind of mortal to sean. You're on the mike bonilla critical. What's Ability gets was wasn't much ainge. He worked on my desktop. Yeah i used to play his pin ital- donkey. Somebody's job was effectively in the morning to around figuring out exactly huge change because the problem on the youth which government under hummus. Worst of the heifer early but if you give the people the feedback now that'd be like okay. I colonised scape this right now. There's no excuse we have the cloud right like you can distribute a huge huge test tweet across a bunch of servers for a few minutes and then tear it all back down again so it actually does. 
It cost that much but that you checked in this code in minutes later these are the errors we got back is just it's short circuits. That whole debate I think you'll still in the same context rot. That's the other big thing about developers in low interrupting them I guess the way. I perceive it is a immortal in my head and doesn't take for that model of the jet hit from my memory to do something else right to go the whole model and there's a so important about a want you to have that model between testing runs so i don't have to really think they're going to go away and do other things that i go my tissue list and i'll stop running that email document and i'm thinking of a story from a project that i'm working on. We had this issue where you know this. No reference exception was happening and it wasn't a code that was expecting that to not be no. Who's the co that was sending the null. That was the problem and so the developer. Just said you just did a test for no and if there was if it was just we'll just exit right just return and then we couldn't find the real problem. Which was that this thing over here. That was calling. it was passing. No so it's it's good to to not do check sometimes especially when you're developing or at least do something constructive when it is now but it all those things will help you find the real problems but it was just an interesting thing. That came up fell false sometimes. Light think underwrite did we. Can you can swallow in catch stuff. Doesn't know what to do right and actually penalty to do is to crash porn because the them was so sale silently like on on air resume. Next this is evil just means that is that is. Yeah that both dyson. You're better off but using dragging old languages right. I do think we're in a time now where we're starting to think that being opinionated right that this is how i work. This is what i do. And and no secrets like defiling loudly. Making it very clear. This is what made me unhappy. 
The makes for better software suffers too complicated as it is everything that can be expressive and and out and forthright so forth. That's us spend a lot less time chasing these ghosts around. I was thinking about this. The slight tangent but in relation to earning so far in containerized farms like you've nazis in some cases when you get a transient arrow something will talk Library on bright to josie messaging and this this whole question on his How sophistication we should we be. At a coping with the loss of broken state net continually retrying cetera. Because the trouble with that you can very hope to observe that from outside or just crash. Someone in the can say okay. Great what i'll pause restall anew anew to replace that one and that's his Being quiet and silent about the fighting. The i'm thinking that i'm helping the uprising. But in fact achy all because he caught now the error on take action right. Can't reproduce it. Yeah yeah you thought you were being clever. Yeah but he looks at his monitoring the running. Right but mega nothing. But it's in a state that's corrupted. You really do. Hey guys hold that thought. Well we pause for this very important message. If you've had automating your ass peanut deployments on your to do list. Now's a great time to give octopus. Deploy a try the starter edition. Lets you install octopus on your own infrastructure and deployed. Is web servers azure websites in pretty much anything from no d. cooper netease and they just made it free for small teams. Give your team a single place to release. Deploy and operate software with octopus. Deploy find out more at octopus dot com. Right and we're back. It's dot net rocks. I'm carl that's richard. Hey hey. And that's in cooper we're talking about td and the problems that that Have plagued us about this and he and it's interesting to hear somebody say. I think we got it all wrong and there are better ways to to test your application. 
And i'm concerned that the alert listener missed that part where you said now. Unit tests are still important. Integration tests are still important. So i guess what i'm saying is what is the prescriptive kind of fix for this you know. Td behavior that That people are habit doing now for years. Yeah show so. I think the thing. Is this rights. Decide that you are position A test approach is going to help you. The context for that is i am. I have requirement. That's reasonable befalling. A person's use the stores or use case acceptance criteria and. It's kinda mind program. Usually it's going to deal with in terms of entities except for a rather than technology and i won't essentially spol- how might combed that souls that pantomime no. I focused my efforts. Okay let's take the simplest thing like a due to move towards that Qualif- it's essentially something that says zero win this. This condition run a couple onto cow get started and then he said we'll watch the worth a super move Make towards the you might be initialising kind of vice level Thing so take an example of money head is using it. Lower seventy two credit money calls the by has kinda zero Not contested zero also. Not seems like could stall right and then maybe now. I think well if any value to it in Should to add two of them right and you and you build up that functionality of acceptance towards on getting something to each transgressive behavior on's trump for requiem factor. I'm really avoid. Using any kind of monks german-speaking. You can work in different styles like lots of refreshes clean milk touch it because it cleanly separates his denying around that is things that by she wa conflicts Now i can. I can t to do that. This is tweets volt them saying. Hey i'm gonna test on you. All i or as a test actually Directed by saguenay. He's the best tool in the box. Maybe actually unit testing is falling or even just in a testing blah blah running it right and having a look saying. 
Look at that right Instead of using what testing we're looking at this running it Solving now is regression. Lightning saying hey i trust him test to make sure that keeps running right. So i can watch from tests Just check that's gonna run still explore nets. I don't need to somebody coming for. This is a little bit code. Were saying oh while gopi urban entity that needs to save. The doctor stole all right. Locations weren't doing is some data access object wrapper on just going. You know need get the dog up. I just implement that. There's no expiration has no real kind of. How does this actually work. It will affect stuff by shrimp. I can i can check. Check that Once is the arrival to test making us exit tools to do that for you. Then agnostic The approach using. Can you can do that ron to check that. I think he's doing you all right you can use. I think you mentioned to me. His shop tools. And i did have a colleague. He wrote one of those Hey compare this. You want to the immigration. Nc whether we ball buttons around in the wrong place in shifted the few pixels to the left Or tool for that is playwright for dot net i. G. h. t. Yeah that's a good. Dan tester for for you. I i like that because you can basically tell you know. Fill out this form right. Here push the button. Wait until some. Id shows up on the page. We can test that. You can actually write a script. It goes through the whole thing and hopefully gets the desired result. And just remind you know that's not Td bundling doing qa puffy line. Both of these things are equally valuable honors. This notion couva testing permit says a pyramid right in. The ball is edith testing. The top is essentially manual testing. And other guy for getting it takes me longer to get results and those results are less easily repeatable. So obviously because you know. I would prefer to get repeatable. Results a false. 
I'm not wanna pull over my effort into getting a lot of programs console with td unity but there are other things that teach us not the right thing to sell any the decrypt techniques for those right when we all know mu joking working the bar right let the actually shipping code to a small number of users will fall in using is that you just never expected yet you look at. Why would you do that In a while but there's also sets of personalities. That really liked that work. I mean. I also think that's not a replacement for qa. It's an addition to qa and it takes time in cultivation in. I think back on like windows created the slow ring. Fast ring thing and what really happened was most people just put it on a secondary machine and never looked at. It didn't actually take for exercise so they weren't getting the useful feedback until they actually pushed patches in production so to speak and broke things. So you really got to evaluate these different strategies. Like where i think. We're abusing our customers via the cloud with this where we're not really finishing software. We're sticking it out there and letting them finish it forest by forcing them to give us feedback by crashing the app because they expect you know version one there's gonna be mares out there you know we can get. It's an interesting one. Because all i still have my career ship. Today's asks used to work in. Yeah medical software on ship discs on. I can remember a Added to the sofa the shipped Again and of young junior developer Teach me lessons. Sent me down to the department told me maybe pack of disks had to be recent album so basically that secure job quite have much older and more mature. Now we don't ship disk. We slipped this. Yeah very true But the thing is the whole purpose of talking back things that testing production become predictable thing anymore. No and is more sighing. 
When you when you release something this fishing complexity that you're going to have to accept releases that's what it ultimately. That's what it means. Testing production doesn't mean high activate During the chip the thing and that it explode is mobile accepted by the time he gets to production. You're still testing. You'd hope that some group of experts are going to be able to successfully use it and it you slip that new version out bit by bit right so you don't break everybody at once and create total chaos. But it's almost like dua release. Listen get that feedback. Oh everything's going well right now at a few more and wait until the scream start and then stop shipping and yeah start dealing with the screams. What's your what's your advice. Richard never ship Six pm friday night. Yeah t's don't ship. Don't change anything on a friday unless you like working weekend right before a vacation ship it outta here. Thanks for played fees. you wonder why i went into. Nepal phones don't work there. I remember my out of office message literally gave you lat long. Descend the helicopter. If you really need me this is where you need to go. Slamming amount in all right now. And i'm willing to be interrupted video of you. Picking up a helicopter that's acceptable but otherwise new friends. Don't do that to friends so the thing is earn. Yeah yeah. But i think there's a respect angle on this that you you right. We're never going to test for all scenarios but we should test for some and then really being careful with who you break in how you break them. You know we got into a situation. It's strange luke where there were some customers that wanted to leading features really really bad that they were willing to take risks and they went on this beta program so they got those bits. I and other customers is like i. I will accept a modest performance. Recruitment do not break my site right and they they were sort of in the conservative ring. 
So part of this was just listening to where the customers act giving them that choice and and building our deployment practices around those things that we could really learn nothing. You're talking about licensing of engineers and the risks of when he was talking about the risks buzzfeed we get from wove. Continue more running on software. And i think that we you know we we. We underestimate That we could. We can make people miserable because a substate dependent on is going to work for the next few or you can. Flat out killa mass. The folks who got on the boeing. Seven thirty-seven max like there were some hardware decision failures there too but it was also a lot of software Like no kidding or the fate. Keep picking on boeing. The star liner spacecraft. That didn't make it to its correct orbit because literally a time and date problem like straight software mistakes and only after it was up in orbit. Did they do the rest of the testing and realize oh if it continues this path. It's going to be destroyed. And they managed to fix this offer enough to recover the spacecraft with still that was jordi la forge to fix it. I think it's all about right. Augmented reality in the nineties. The pandemic's towards other things that we think perhaps all less volatile that it turns out can become So i need to get groceries To my house because Someone leave because you know that not vulnerable clinically dot young ready risk guns. Seek them okay. That's essentially nabokov central service for them rights. Sudden the i ended up talking to organizations that had not unified their purchasing in return process from in-store to online so the stores had inventory. But you couldn't buy it online and you couldn't go to the store because the stores were closed because they you know two different teams at it so all those little things you done along the way just not actual. One team built the software for the for the online product. One team built saw for the in product. 
Never got around to merging the two and all of a sudden here. We were in a situation where it's like people need this. These products like this is serious and you. You're broken because of adum software thing because they didn't do an integration test while are just at you know wasn't important of all the products were selling. Who cares is going to get. He got a taxi is. We're gonna cap right. Actually that can be a situation. Where if that doesn't work for you. You might be vulnerable place position. Yeah i mean. I've been you know in situations with the small children. We've been out some. Virtually you wanted to get them. Home right Suddenly discovered you call them get service on something and essentially become that tons for something Annoyance the quantity. Draw before you. I think that we underestimate you. Know as well. Bill gets more mobile on software becomes more and more dependent on dream. We've sold them had that exact same issue because of lack of service but because there were no uber drivers or lift drivers in the area Because of the pandemic yeah yeah and we. We've actually been stranded at places for hours because there's you know we thought we could count on that service but that's another story. Yeah but i think. I think the problem is of course. bruce. Sean said nothing. It was talking about basically you know the the the doing of newspapers and he said you promised the future you went to be better a we. We always think through The house of caused potentially constructing the our only strong as our weakest link. But i'll also i mean if there's a recurring theme in this episode. It's the listen. You're not your customer. Yeah your customer uses your product differently. Your product is more important to your customers important. Your customer way is not like you. 
You are not your customer and so if you're not listening to them if you not as she you're missing out on what your products actually about just because you built it doesn't doesn't mean you own it. Really ultimately once it's out in the world like any piece of creation wants this out in the world the people interacting with our as have as much to do with it as you did a really important lesson. I was very jeans and i Was fortunate not your verdict to uconn what to not so when out on site the when it is and deployed to the first signs early early days of kind of office automation and people were just doing So it's quite simple app for junior at engineered to build since just let fail to catch the doctrine click. Okay we wants the next one. A little bit of validations on sat down with the crew the At quite rapidly piece of feedback. That i never thought about which was the essentially i i hadn't thought about tapping and tablet and i was making life miserable because those people already false matab between feels the whole time a tabloid was by shooting for them detected by what was on the pike before that they were entering an a simple thing. I was making that them. That every moment painful Validation you call an end to date stood up basically the crazy but it's kind doesn't really help us. What really helps this is. The the tabernacle failed odor on by the dolphins. Yeah interesting different set of priorities and of course the moment you see you get it but you gotta go see it. So are we kinda stuck in this development practice now like these been around awhile. Add genre like are we looking for a new term. A new name a new practice. It's interesting lot. Because dan no of renamed it behavior development but then that went away and became something quite different admits become a really of full kind of agile approach to deliver it and software navigating I don't know whether i think we oughta moment. 
Td is conical people who both in favor and also some people who dislike enough that you can kinda present back and say i think many of the programs that you all a foot to with all due to the fact that you're using the wrong technique in achieving td of doing testing recent. You'll finding it difficult to get into the wool. And you keep complaining by that rubbish. Because you're using the screwdriver. Yeah hey let me hand you a ham. Right until i think we all will begin into renting reverse Some of the mafia thinking here and once you do it. It's one of the keys to this kind of more. People talk about other sorts of problems like abusive patents. When it's unnecessary except for that once you get into this mode of t becomes clearer because you can say well. This green pulsing test tells me what i need to do to solve the problem. But it's rubbish. Now on the context i can figure out to these patents. Really apply going need those to help cleanness code up twenty other compensations. I see much on twitter this whole time. Saying is this patent valuable or is this pat actually been negative because people are gonna wind implemented without foles. Something this technique can say. Hey well i can tell you the ons from the greenfield. Eases whether you're gonna need to talk if you already refactoring on no depending on what the context better now all right. We have a comment from Neil who says one of the biggest problems for rocking. Td's the lack of media examples. the contrived money example is great. But it's hard to apply in one's real projects that's true. I think that there is this difficulty. Says the contrived example is help you because they former paul. When you hit a real problem is level. What i do watch like every. Hello world example. Yeah i definitely agree with the. I think the answer probably is more mandatorily. I recommend you kinda Rights unexplored doing td laws in this technique in turn becomes kind of more Under push myself two hours. 
Do this why you learn you kinda muscle memory. That helps you weather stuff. I think this other on ceremony. Which is people doing screaming and stuff Twit straightening stop to watch the more demonstration of Projects always proper mov. If i have a complex enough demand to be real after the to us. Paul doing. But i think maybe that might be. What some of the She so some of this training problem is showing more solid examples of woking in the stall with big denying spices. Yeah i mean part of me wonders if it's just that when you actually get into the meat of really understanding software being built this way. It's out so complex. You can't explain it meaningfully like that's hard to and you also pre quickly dive into some proprietary aspects like it's one of the things i've found in really well. Architecture afs at apps is that the secret sauce is abundantly clear like the value proposition of software. And that's often things that leadership is Pretty also one of the things you said was don't use mocks so i guess that means you can't really test anything that has service dependencies. Yes testing. so that's not the right test for something that uses a service. So the jim row three i mean can allies three cases. Where smoltz rhymes wanted to shed. Fix sean spicer. False system where one tests conflict the other s to do with by cdt tests into fury. Others is slow to talk to start over network on the other as its Owns the three. That's what he says you use most requests those things. I think if you have a decent use of october that helps because you can say well. Those things are actually outside this wiped. I'm just picturing tonight. What works what about those Tend to use other techniques the kind of more than the test offer a unit test for protesting of yoga better so for for example. If your data comes from an api and point you could make an n. p. i n. Point that returns data that you can test against and use that for your test. 
Yeah that's s a okay use of a of a mall because i'm earning substituting for something. That's fragile slow. testing impact. But it's not as close to call dependency thing that the kinda the con- mantra of the people who treated this kind of sash lot secret also puts him in intentional delays in your api. To to sort of simulate what happens if this takes too long i get. I guess is a way to look at this. What the problems i solve with mocks are the are going to be replaced with problems with immigration later. Exactly what we done to ready sell appropriate to collaborating and a mock one ounce collaborates out resuming their pieces going to work this way and i put it into mock and i'm invariably wrong. Yeah and generally in the lower prices implementation detail. Public cephus reveal multiple. Doesn't need that. Is it something you go as a result of refactoring to clean up your green code. You've got small also. Does this thing has a senior spoke helps you develop to understand managed that but the conceive of the consumer of your code hatchets additional complexity. That doesn't really want to know about it. Doesn't help them. Also the question of how do i get it awesome. Yeah good stuff. So it's new for you in what's next what's in your inbox side which ought to get v. Nine of bright to the consoles concerts. I welcome helps you do messaging written between is the dole. We got vitiligo. You've got a couple of people who has potentially so one of them is now taking henderson. I can't remember you've met got on the show. But i think he's. The events took a took a good slog off the authors have changed. We go slow down by that but positive thing in his taking your very fast. Scherer chaka's Chocolates young so Yet so nine is gonna have some His release stuff. 
That essentially helps show the messages delivered or Tickets go some rewrites of S goes from ws can provide as more of austin and we actually have in transit for the transports Interfacing implement unnecessary straightforward. And we've none of the coal team where the owners us. We haven't really had one as well. Such a huge hole. You people have written them out. Can we have one bright and were like. Oh it's a proprietary secret my boss when we go on back in now we we know runs in production As geisel that's gonna come out nine wells people people who owns you then have to roll your own anymore or eventually someone's his country went back to the project. She's a big win for us. I think we wanted to try. And avoid the speculative. Don't somebody's actually tested. This running production. That's one of all kind of guarantees and so that's been really good for blocking that's prompting that very good. yeah. I've got to focus on that kind of messaging seventies the nine cool well and cooper. It's been a pleasure. Always a pleasure. Always learn something else. Have some new perspective on steps and thanks again. And we'll see you next time on. Dot net rocks dot net rocks is brought to you by franklin's net and produced by plop studios a full service audio video and post production facility located physically in new london connecticut and of course in the cloud online at p. wwlp dot com. Visit our website at dot any t. c. k. ks dot com for rss feeds downloads mobile apps comments and access to the full archives. Going back to show number one reported in september two thousand two can make sure you check out our sponsors. They keep us in business now. Go write some code. Dc next time.

Building a Flight Simulator in C# with Laura Laban

.NET Rocks!

54:24 min | 8 months ago

"If you've had automating your ass peanut deployments on your to do list. Now's a great time to give octopus. Deploy a try the starter edition. Lets you install octopus on your own infrastructure and deployed. Is web servers azure websites. And pretty much anything from no d cooper netease and they just made it free for small teams. Give your team a single place to release. Deploy and operate software with octopus. Deploy find out. More at octopus dot com. Welcome back dot net rocks. This is carl franklin. And this is richard campbell and while this is going to be fun is here. We're gonna talk to her and just a few minutes first man. How's things going in the great northwest up. The weather is on its just rain of course but it snow in the mountains they played about. I am working on house. Upgrades can zimba ho longest stretch of at home a long time. Yeah and finally replacing the cable light that on the outside of the house which was led. Yeah starting to tinker with individually addressable. Rgb led's 'cause why not are you. I know you're recent empty. Nester heavy reclaimed any of the bedrooms for your projects that the downstairs guest room is the gym now. the guest room is now one of the daughter bedrooms upstairs and the other daughter bedroom i think. He's becoming a weaving studio for a certain clothing. Centric personnel weaving studio. That's weavings yes. She has a loom. She has to alley. So yeah you know. But actually she'd been big on making masks. The past few months looms are very Programming like aren't they. Yeah you're really you're right. And she should have been is offering about what she has the knack matter. Yeah yeah But but fell into the engineering side clothing which is an excellent business as well but definitely has the mind for when i first introduced you. I think it was on show. Sixty nine dot net rocks. You told me about you. Had this great line about you know. 
You're a software developer and your wife is an engineer when we argue it involves a spreadsheet because it had we've been. We've been arguing over how to do something with a deck and we went away returns of corners because we were annoyed with each other as you do with spouses and both came back with spreadsheets. Really great now. She's someone you can build a house with. Ask me how i know. That's not a small thing to do now and stay married right well. That's that's really great. Yeah i've got something really fun for Better Know a Framework so roll the crazy music. All right well this being show seventeen eighteen you can go to one seven one. Eight t plop. Pwb dot me and you will see Blazor Monaco. Okay what's Blazor Monaco. Kinda learned about this from steve sanderson. I think it was steve sanderson's talk at .NET Conf. You know. Monaco is the editor that powers visual studio code does intellisense and statement completion and coloring. And all of that stuff right and now you can't. Somebody wrote a wrapper for it. So that you can use it in Blazor so at like a control and there's a demo just check out the demo you get a code editor in a place rouser in a browser. That's pretty cool with line numbers. Just the idea that you have an editor in your in your webpage on demand when every yeah and you know the fact is you know go to this and this dot and you get the list of properties and just voting color intellisense on my goodness. That's wild isn't that crazy. That's really great. Yep just more and more Blazor goodness coming out all the time. I remember a codename monaco. Which i believe was a web based editor but then of course it became vs code. I mean maybe not straight lineage using the electron run time to maternity to a desk. All right essentially right but you know Blazor brings out all bacne back in the browser with an editor nobile. No big deal. That's pretty cool school. Who's talking to us. Today mr campbell. I grabbed a commentator show.
Seventeen four what you did back in september twenty twenty talking with theodora tattoo ru about building Xamarin. Remember the story of Young lady in college Her because of the pandemic her internship dies and so instead she builds an app an open source happens rather Went really well and is big on teaching others about Xamarin right. It was a great story. Yeah this comment comes from john just a few months ago where said yet. Another great show was especially grateful for the mention of the Syncfusion community license which is opened up a whole world of possibilities for a Blazor app that i've been working in my spare time. You know Theodore talked about this. She was working Xamarin and that does have And many of these companies have certain products available for free for for open source projects. And things like that right. And so i guess. John took advantage of that for his Blazor app which is pretty cool so thanks john and a copy of Music to Code By is on its way to you. And if you'd like a copy of Music to Code By write a comment on the website at dotnetrocks.com or on the facebooks because we publish every show there and if you come in there and every show. We'll send you a copy of Music to Code By and definitely follow us on twitter. rich campbell. I am at carl franklin. Send us a tweet fly. The friendly skies nice so speaking of flying. Let's bring on our guest Laura Laban is co founder and ceo of infinite flight as one of its chief developers. Laura loves working on flight models which is an acronym. She's going to tell us what that means. Multi-player systems cockpit instruments and more areas of the simulator. She holds appeal and believe that's personal private licence and flies a CubCrafters XCub. She grew up in france as moved to the us after graduating. Worked at NVIDIA for six years. Before founding infinite flight with philippe rolin laura lived in california new york for few years and is now back in france for some time. 
Welcome laura thanks for having me named lebron seems familiar. Relationship did jerome lobont for him. He's my brother Okay so we did. We did a show with jerome and and francois gay about you know a couple years back so. I don't know that we've ever had a otherness sister. Both been on dot net rocks for their respective google project thing. Yeah yeah that's very cool. That and he's in montreal okay As the french connection there dot dot at family. He's so gave me that. The bag literally him right infinite flight. I have played this game. It is beautiful. it's also been around a long time. The who is the first version was twenty eleven Yeah so is in two thousand eleven. So i was on windows stone so long time ago. Wow in the platform. I should rest in peace by. What does that mean. You've always wanted it in c. Sharp yeah so the project actually started When i was in school here in france this was a. This was a site thing that i i started on In in a school that was heavily dominated by unix and lennox people out. And when i went to the school also my brother was a teacher there. And he's the one who brought the microsoft ecosystem to school out and I remember when i was developing at people told me that guy you're gonna get stuck on microsoft platforms forever. You shouldn't coated in c. Sharp should do it in another language or something like well. You know we'll see And now we can run so many things so it's It's fun it was It was a side project. I started like. I got the initial idea to do it. We were like a bunch of friends of mine. We were part of a game development laboratory in school so you could be part of some kind of clubs. Basically and this one was for console game development but we wanted to do. Pc's branched The group into a pc deaf team and i was working on a physics engine for a game. We're working on and there was a There was a it was od the physics engine or the And there was a sample in details. that was basically just a little car. 
Annual were tired at four o'clock in the morning. I was just driving this car because the physics so really super fun and there was a way to flip the car back on its wheels when instead of returning to destroy the the example you just have play force in that side of the car to flip it on. Its wheels this. Sounds like an afternoon of silliness digital wheelies. Gone ramp and kind getting near impressed. The button many times the car which is like kind of levity in the air and surfaces that were higher this gave me the idea like since forces were making the car fly. You know what if i had virtual wings that i put on there and very deforest based on the angle of attack and the speed enters out deduction only works because this is how planes work and this is how it all got started. We were you already a flying fiction atta at this point. Oh yeah well it's still. My brother is mixing that story because he he got his first computer at first actual p. c. Because we grew up my parents scott. This old eighty eighty eight computer. Ibm pc. that didn't have a car. It was just terrible just dust stuff and so he wanted. He got his first like windows. Ninety eight p. c. n. He came home with a copy of microsoft lights ninety five and he actually never played it he bought a joystick and everything and he never actually played it so i ended up begging for some time when his computer to play the flights him. So this is how it started in. I got i got dead flying bug that way i take. You played the latest one. Or you're still downloading it. I actually yeah actually of my computer. S because i think when i tried when i bought bought it on the windows store Knee he told me. I didn't have forgot what i had. Oh yeah i didn't have the right. Windows version is some kind of content. Creator edition was like four colon. So i just bought a new one. Wow that's how much you wanna play education. Well aiming the okay. So the reason. I had his version of the creators thing on windows. 
Ten was because i wanted to. I wanted to prove to believe that we could have vr for infinite flight. And i told him he was like what's too hard to make it work too. Complicated to setup up now like well as show you with easy on. I bought the samsung. Vr goggles zingy. I'm gonna plug. Any was just a nightmare of. I need a new driver. The new the new windows version and anita windows update was stuck in the middle. So yeah he was right it was. It was a pain. But when i installed when dated something that computers started crashing over time like bar. Something with the driver is an updated. The ssd driver the chipset driver. Everything nothing worked. And i think about this time was kind of bored with the tire with the crashing liquid. Just gonna great can't figure out what's actually causing those crashes so so now ahead. I've been a computer enough chided. Yes yes it is. Gorgeous in the whole world is in there and hispanic buildings out. There were talking about everybody's going to jeffrey epstein's day and then there was the bug in melbourne australia. That put a what fifteen hundred story way right supposed to be like all these fun. Things folks are doing flying around. It's it's really hard to make planetary simulation like this. Yeah especially when you have so many people looking at it. At one time you have a scope of the problem but you started this on windows phone right so so the reason why started on windows. Phone is so philippe ni- back so we were working at invidia around two thousand and sixty two thousand twelve ish and i was working on the side project of the flights him And at some point we of disguised like he join me in this project and we could just basically talk from scratch except for the physics engine but he liked working on planetary rendering engines in graphics. Engine that type of stuff. And i wanted to work on. 
Do i like to graphics rendering aspect but rather focused on the aviation part palm so we can join forces and And the beginnings of was at the time microsoft canned fsx team ace's studio so we thought there's an opening now on pc because he's only eating explain left And so there's no you could have. You could have other players in the market especially Up microsoft like the big is out of it and But we we kind of chickened out and around that time was in mid two thousand ten microsoft sentas Because i had developed a bunch of a windows mobile allegations. I did published online. So they sent me a demo device l. g. preview device of windows phone before he was out. Yeah i still have mine. I've kept to. Yes the burns on it. yeah And so we figured let's go on windows phone. It's like what we'd be the first ones there others can't go on here because he's only c. Sharp can have any other c. Plus plus things on this so we clear. Unfortunately i mean we all know how it turned out he. If you were jumping into it is phone right at the beginning Will with phone seven. That was not like a lightweight. Version of silver light like. What was it like programming in that. It wasn't that bad because they had they had They had windows exit for For phone so okay so that was pretty easy for us because we were using ex. I think we're using on for the windows version anyway. So it's pretty easy. Just have run out on sunday on on mobile right and it was actually an coating and c. Sharp right we will. It was just a it was a no brainer for us. Like with worth the try. An easy esearch complete rewrite So so we shipped in two thousand eleven on. I think it was an april. Any worked okay for a couple of months and then it kind of started dying and performance was not that great Yeah it was lots of like the beginning. There was lots of constraints. 
We didn't have enough purchases to but there were lots of constraints on the Some of the rendering issues in some like the refresh so so you can only have one app. That was that was present at one time. And whenever you were putting the background they were literally killing the app so you had to to keep a state of the app are winning the to the to the front so you had to be able to recover your app from any state right twice. Complete bain sprays just a windows app. It's it's kinda easy but if it's your stimulating a world and you have to reload the content. You know make sure that physics engine is kind of sankt and there was no weird motion when it starts. Yeah it was it was it. Your your user isn't gonna they're gonna flip off the screen and go somewhere else exactly. Yeah if it doesn't crash before yeah right but didn't later update of wind phone fix them. This yeah but rooster mango mango. Yeah yeah appel no phone. Seven point five was the update. I think played with with the multitasking stuff. Right yeah and there was at some point. They had a data system where you could render wpf controls on top after three d. view. So we we had a small discussion about. Should we do this instead of our own. Ui for we had the foresight to think. What if we went to another platform. That doesn't have this system than the whole. You is built on this to have two different sets. It's the pain. That's not do it so we ended up recreating an entire you. I took it from scratch so that was fun because that was easier. Okay so it's also partly because of microsoft and gets it to say this on the podcast here guys but like microsoft has this tendency to drop things you know like we are in the nor history like is a big part of this like the dropped x ray like a stone like done like an uruguayan source. It nope okay. So what do we do now. 
It's like we had this problem at in video because we're using managed direct tax and for effects composer and dropped it And they're only answer was like well. You can use exit like okay with. It's not you know we need access to a low level stuff like we need multiple render targets and all this and. There's no way we can do that right now. They're like well you can use. You can use your own rapper. You guys have lines open source at the give it to the discussions with some of the microsoft folks at gd seeing any like we're trying but the lawyers are keeping us from doing an or something. It was complicated. That was back in the day in two thousand nine eight. Maybe more than that. Yeah so but you already had an eye to you. Wanted to get onto ios and android. Not really we like. We didn't think that far ahead because reading examining was kind of starting up so we didn't really have a clear path on like would we go to other platforms as you are now zimmerman. Yeah so the the reason why. I think it's kind of organic the way we went to zimmern actually because the plan deviation from the phone was to go into xbox so there's still some you know pound defines the code that we took out actually recently style flex i'm controller modes and stuff We were we almost had it ready to maybe predicted microsoft for approval. And then i was online and i saw you know. I think i saw mona game zamara in like some kind of sample of somebody running something on. Us and click. They're like wait a minute. What if we could just go to s and like we can see how this works instead of going on xbox restrictions and all that and the difficulty with motor game morgan is basically a open source version of accent said basically took out all the signatures of the the the library and replace it with code that in the rewrote from scratch because they didn't have to source code But at the time they only had two d It was only for platform games and they had not at all several. 
Have to do a proof of. I think felipe went on vacation at that time in france and In a few days. I a port to load some model and i really didn't extend be loader looted. Some textures and i was like. Hey you know we could actually run vs on on. Irs and fleet took over because he's better at graphics than me and he rewrote the whole the whole voting and everything to make a proper And we have ended up like this was in in september two thousand eleven And we ended up a shipping on ios in march two thousand twelve. So he took about two two. Yeah it's still pretty quick and it and of course in those early days there was sort of hostility to the to the cross platform models for ios. Like did you ever. Were you ever concerned about apple pulling your out because you had built an ex code I mean davis. There was a lot of discussion that remember back in the day. talking with Miguel there was some fear. That apple is app on. You could just decide to can you. For any reason that they want is still still the case. Today like railways. Every developer is living on those constant fear that apple could you dislike. Find something about their out. They don't want to go. There's no regret and the beginning was even harder because the approval time was seven days times even more so we had to wait all this time and the the initial release was actually a horrible pain because we shipped Pushed aversion to them. Like i think it was on wasn't tested. Was i think we may have been tested Before they were acquired by by apple so we had sent numerous versions data and it worked fine but when we sent it to apple for approval. They came back without saying like. Hey you're app. Crashes at start up There's no there's no dump so figure it out okay. So you'll get your stuff doesn't work full What just occurred to me is that you started on windows phone and then you were gonna move to xbox so you're obviously into You know windows. 
Universal wouldn't isn't ono the better choice than zaman for you. What is your brother. Think of that actually now promoting. I've ever gotten a marketing from him. But but you are. You've been around a lot longer. Imminent flights been around a lot longer than by any time. That was even a possibility. Yeah and well and you're still talking about predating in twenty eleven. That's really mono tie it was one is touch. That's true monetize. Yeah and it didn't have for enjoy. The tummy thanking was not even out a just started at the end of twenty eleven. So you would have. You would have not had a chance to do anything right. Yeah yeah yeah yeah. It's only because of the damn book that i have all these dates were here this book. The history of dot net forever. And i have every date in my head. Now so yeah that's a mono touch was around for a couple years that point but you wouldn't see mono for android till the end of twenty seven. Okay yeah i. I don't remember exactly when we started. I know released on android. He was about in mid twenty thirteen. Let's us. he took us a long time. Because of the randomness of android devices and driver shoes. And that you can have a galaxy s. three with certain center in korea that you've never heard of you know so and for some reason doesn't work and you can. You can procure that device because it's only sold in korea right so yeah times. You're you're always battling the fragmentation of the android. he's a lot. We a lot of frustration. We have with apple but boy. Their gear is pretty consistent. Yeah that's for sure. It's it's pretty clean issues The drivers are pretty solid. So you can't complaint. That exchange for as draconian as apple is because google arguably the other way too lazy fair right. Thank microsoft was a good a good mix. Actually we wish they would have stuck around. Because i still have fun. Memories of dislike. Ceo you want to publish on your phone. Just press f five is going to ask your password. 
Light since you've done going on iowa is just like every time deep profiles Certificate expires at year. Like all right here we go. I'm just gonna have to press a button. I can find to figure out. I hear the pain. Yeah but yeah. It is fascinating to consider the i understand. Why win phone sort of failed away at the time. But i think everybody wishes it existed today. Oh yeah with where the market is right now. I think we really want a third player. Now yeah yes because it sound. Everything was so much simpler on on on windows. Api's you know. Every time we have to develop something us. It's always a convoluted way of doing it on on android dissolves these call backs into the activity. Which makes you have some weird patterns in your code. Yeah it's windows. Phone was so clean. I remember overworked a little bit on the purchase. Api it was just so easy. Yeah i wish had work going. And i'm gonna interrupt for one moment for this very important message. Hey carl here with a very special offer for music to code by you can now get the whole twenty track collection for nineteen ninety nine while electrons last good my new store at pope dot e dash junkie dot com. That's p. wwlp. Dot e dash junkie dot com. And get it now. Before i change my mind and we're back dot net rocks. That's carl franklin. And i'm richard campbell and we are talking to laura lebron about Infinite flight and just. It's really fun. Story of writing of flight simulator nc sharp in the early days of these smartphones to because you basically would have been involved in debugging mono touch a mono for android like. I'm sure you ran into issues because you're doing hard things in a flight simulator. Oh yeah most of the issues we've had were with the when they switched to begin at the very beginning. We were using mono develop That they had looked like window. 
That looks like visual studio and Because that was pretty easy because everything was on the device and then when they switched to the With that thing that runs on the on the mac and you could develop on on their own windows without visual studio. That connection was always super sketch Sometimes things don't work and even today we have sometimes like. Hey i can deploy anymore. What do i do is like. You're on your own kick. Turn everything off and turn it all back on again. It's such a fascinating experience. And i don't even come to me anymore because it's feels like it's such like how do you re pro bugs like that's you know it's like sometimes they're like oh send us a default temples. It works on default sample. Just doesn't work on our stuff right so so now it's our fault right. I and i understand what they're trying to do. They're like they're trying to simplify the cycle time and you know. Get people back into the tools that they're used to just shortening up that time for writing code right a bit code to seeing it run on the device bot there's so many tricky hoops to jump through right. I remember also when they added at the beginning to connection was not secure and they ended a way to secure the connection. Unity to logging or something that will say a bunch of hurdles. Some of the errors have just gone. Google and google's like there's only one guy who asked a question and is no answer and zimmer says they're going to fix it digitally but then you completely stuck in the meantime. Yeah so we do is nothing for the next two months. Excellence and you have to find at point. We actually had to go back to develop like report solution back to develop so we could actually build anything Dow is that was frustrating. You know it's like there's no other choice anyway but it's just like it's still seems like it's amazing achievement that we can you know we have this app that runs on. I do most of development on pc The on pc tesla stuff up there. And then when. 
I actually barely run on on on mobile anymore. Is if i'm working on instruments of a new planet two seven five seven. I don't have to have a run on on the phone to do it. I can run on and the instruments the way we have done. I usually start and do everything in. its in. Continue which work on anyway right right. Well i guess you're also using the mobile phone just to check you know right. The performance the size. The you know all that kind of stuff. And once that's done he can revisited. The end of the cycle right and so the other members of the team. Kevin and philippe usually are more on the device But then we usually depending on the cycle depending on them release. They're gonna i think right. Now the fastest deployment is on android. So usually we ll tests on android first and then. Isn't it funny. Used to be exactly the opposite right at the android emulators have gotten so good. That ever tested melia really. I don't know. I'd rather test on on the device now. It's pretty fast. Like i have a as nine tabarez as seven tab. It just go super quickly. Can i just remember the using The ios simulator was always faster than the android emulators or whatever emulator stimulate. I can't remember which. I used to be faster even if you were you. Know using machines with the network connection between them But then you know. The they entered things got fast for us. We don't really do the the ios simulator because we everything we do is pretty graphics and the time actually knew a friend who worked on that The actually had a software. Emulation of open jaw everything to priroda open. Y'all rendering so he was doing restaurants and everything in software was still pretty fast but for our purposes. It was still slow. So when did you give up on the phone version. Don't remember me twenty thirteen. I think when it was barely making Any sales anymore. A lot of other big players dropped the app right and you were out with. 
Irs and android too so you have customers demanding things on the irs and android side and no sales on the win phones all right and we just looked at the the amount of time. They took us to even. If it's not a lot of time is just an extra thing to think about. And whenever there's an epa change or anything like that we have to go and like take our focus away from the main drivers. It just wasn't worth the time. But i also wonder like going from from phone seven to seven point. Five eight to ten. I was the code even portable at that point like they changed the underlying infrastructure. The phone so much. Each time. I think i remember like it's got blurry now but i remember there was something they did to To accept where the limited resolution. Because the i phones were eight hundred by four ad. I believe they had limited that for some time when when seven point one came out the bigger like dad. High resolution burr d the had hard coded the resolution. Like we couldn't ask for something bigger while on a bunch of sketchy stuff like that Andy may have also differ heated point. They were not like. I think they kind of said renominate to it so we are and for us. It was not like you was not great. We do way we do it now. Even with mona games. There's lots of restrictions that we have things that are designed in a way that it makes it hard for us to to move forward. We're kind of trying to move away from it but yeah it was excellent. It was even worse because we had no source code so was tomorrow but today it's built in mono game says fan has been with mono game like a heavily modified version of monica. Okay modified by you by the kimia. Wow mostly philippe and kevin. that's cool. I liked what it means. You maintain one co base and pushed both ios and android which definitely seems to make your life easier right. It's much easier for sure. 
Like i would say ninety in the high ninety percent of the code if you if we exclude old platform stuff from ono game but are sack like our responsibility on. The code is ninety percent cross platform like. It's the same coat that runs platforms the. Ui code is basically just sending commands to render and the goal to open jail in the back anyway so right so you not affected by zaman being acquired by microsoft. Not really it was it was Were kind of hoping that it would get more stable The bummer is that now. We have date visual studio time to have a new update. So that's kind of frustrating. But it's it's been it's been fine. No shoes on that but has gotten stabler. I guess that's the question. I would say a little more stable but there's always i would say two to four times a year. There's always one of us is like can't build anymore no idea why or sometimes in a work on a friday. You come back on a monday morning. And he's now building anymore and there's something like what were you guys partying on the weekend hash all definitely definitely late night coating sessions and then you get you come downstairs. Morning is like the good news. Is i drank enough. That didn't think too. Close anything. So i can see the detriments of poor decision in especially you realize you wrote comments like wtn. Mark have an intern who is now more permanent with us. He's finding someone. I will coach. Sometimes there's an expertise and there but to me the common thread through this whole nine years ability flight simulator c. Sharp the whole time. Yeah cool we don't even have any c plus things. Everything is whenever we have a library. Which have it in c sharp completely are you still using od the dynamic now. Use a different engine. Maidan shahr To yup. It's it's all like it's all c. Sharp and in most cases since we've been burnt by the by the xia drop and there was also Is your mobile game. 
Something something about authentication with facebook and google which did complete deprecated all of a sudden React to you know. We've we've been burned so many times by projects being canned and our roadmap being change last minute because a big company size. This is not worth their time anymore. We're not doing this and we do everything in hand and we take it away right. Yeah it's like anymore when you're done so it's like a second Ptsd we have. Because i do think you've been sitting on the harshest side of microsoft's behavior right compared to a lot of other companies microsoft's been pretty good about maintaining compatibility but i think more on the pc desktop sort of enterprise development side the gaming side. They've been as twitchy as google. Where just keep changing their minds about stuff. It's like the battles internal the company spill out on that on the ecosystem and suddenly the tools you were using gone away. That's that's pretty that's terrible. That's why that's why we're we're. We're oftentimes doing everything on our own for the young people think that our satellite imagery as us is using bang or group or box of we actually redid like felipe. Did a as a you worked and built the whole thing. The beginning we thought can use mattocks but then there was tons of issues and we thought. Like what if. My bogs is acquired by microsoft google apple and the candler anything or new. We have this version that's outdated but still supported but then decide to change something And then we have to go out of a cycle to date an old version In an apple can't accept old versions with the new as decays. What do we do. You know we can't update it Like let's build our own thing so we built the the whole cd end of the tunnel system and everything while on her own. 
Yeah where'd you the data from We found a provider that actually curates the images lead tire world so they go through imagery and in the find some that will have clouds have better lighting and the it together and color. Correct the whole thing. So it's so when you fly across big stretches of land dozen you know when you look at these seems some rivers and bays like if you get the bay area Right just like banding. Assorted take out all the stuff in cleaning up chidester. Tides are tough. Yeah i bet. I bet you know it's funny i talk. We've often thought the game developers were a little nuts about a the not invented here syndrome. But it's it's the way you describe. Your experience makes a lot of sense to me that. Hey every time i've taken a defense it's been yanked out from under me and then my product is broken. Exactly we have this issue with facebook right. So how many times this year is things book crash every single app. That was using their as the to start like so many times so we were working on removing it completely because he's a huge liability. Now so there's there's tons of stuff like this. We just figured let's rewrite it. Let's not use somebody else's stuff and rewrite it and so we actually own it's ours and we've designed it. We know it we know it. We know what since he sharp doesn't use some kind of weird yellowy may be deprecated using old. Crt version or whatever so you what. Version of c. Sharp d rely on then is dot net four point six whatever. Dominoes forgotten Something which is you know. Donna standard too. So it's compatible but you're not worried about cort anything like that but then you're not using those compilers anyway. What do you care. And we're using using some of like we'd love to part two core are back in staff where we're still importing it to core because there's lots of we actually were moving away from azure because it's becoming too much of a black box. 
Whatever we have issues that we don't know what's happening so we're we're using other providers we're using all the i mean. Not that part is somebody else's work I'm just going to say some words. That cooper navies and containers and stuff like that so we can move it to a different provider. Had to right now. But you're evaluating as those other platforms. Just tell me lawyer. you're not building your own cloud. No actually there's there's a time like at the beginning of the multiplayer server so it was The first version was using a tcp which was a mistake of course. But that's had so i use tcp and it was having issues with performance and the servers were joking with a are supposed to be designed for like nine hundred thousand users in at thirty users. It was just joking. So at some point i had I had a server running in my house and every directed all the traffic to my house so had small cloud service in my house and actually on a galaxy s. to some people were in a galaxy s to serve man. Wow how is the adoption. Sales been It's been it's been pretty good People have been people have been. It's gone in stages depending on on releases. Sometimes we're working on big things. We kind of let go of some of the stuff that people really want into moment. We seek the bigger picture the longer pictures when we released the whole planet Imagery that took us longtime to build so sleep was gone for almost two years of the main development kevin the same. He was gone for a year and a half two years of development. And i was alone doing some of the dui multiplayer that those kind of taff was kinda tough to to do to do. During this period of time where the we can't plateau and we see that the interest kinda going down. People like whoa. It's nothing new just a new plane. What about cloud. What about this and this. So it's kind of tough. 
Yeah yeah but it's been it's been okay like the multiplayer and i think the the deed move we made to go to subscription It was it was a tough call. what's the next big change so we have. We have different projects working on. There's out one. W called project metal so it's basically a full rework of the The three d rendering architecture on to to to move away from from the monarch game fleets been working on that for about a year and a half now And it's it's tough. It's really tough. Because he's building on you know he's he's running the app in st that completely broken And it's demotivating so he has to like you know day and i'd new things so we're were. He's made progress. There's there's tons of stuff that he's built that we're going to reuse when we find the optimal way to integrate all this work into the sim. There's no new rendering way. Newest renter things new way to to display. Lot of light really really interesting stuff. That's gonna make the app like we better and there's also clouds that are in the works so that is something that we've been promising for a long time. But it's a one of the big Hurdles that we've had to solve an engineering team a long time to do it. Is you know we have the rendering distance that we have is pretty significant right so you can have your airplane right in front of you but you could also see three hundred kilometers away in even more than that if you're really high into the atmosphere and that's that's a complex problem when it comes to three rendering because you it's hard to have something that's close to you and have something that's really far in the same view that's why in a lot of gains days Fog of war The high stuff that far away because it flickers there's some something called the z fighting where that ziba for does not have enough precision right so distinctive developers using But some of these tax are not available on on mobile or sometimes they are niwas but on an android iphone or android with open jail. 
Whatever lakes three point one three point to in some devices actually do have this pitcher in three point one four. They have the intra point. But if you call it a crashes you talk to the driver people at the company this. Yeah we messed out. But we're not been updated so there's cases where we couldn't do it. I couldn't even know if it was going to crash or not because they say it supported by the driver. But it's not that are year or you're sharing your your custom version of mono game with the world or you keep into self. I don't remember if it's public. I know we've actually we've actually. I think it's public. Maybe i know so when we want me the tree rendering tomato game. Two thousand eleven We branched out so much from from the The base code that we ended up giving them a zip files like. Hey here's the three d you guys can do the mergers three thirty three d. in it now has been through version three but yeah so the the original. Turn your code. it's your code. Maybe not now anymore. But there's probably part of our code yeah I think we wrote a lot of it by now but yeah the original version. We didn't want to do the merge so we tell them like. Hey here's is it file just if you would mind doing it can kind of cherry. Pick what you want from dead now. It's like the changes that we've made her mostly for like heavily customized stuff of what we do It's not. I don't think it would be useful for for the general public Maybe i don't know i have to ask about that. We'll talk about spidey sense about what listeners are thinking that came up on my list here. Yeah i'd like to use that accepted. it's there is three d. and imanol game now and it's broadly supported and You know it's probably a pretty good choice all around. Yeah it's pretty good way. I mean for now like when one is people asking me waiting. Put you recommend for an engine to you. Know go multiplatform. I just consider Dot net in ramona game is pretty powerful As opposed to unity okay. 
Well it's only for a certain type of people. So i mean for us. Unity is is the blackbox the risk right. You know i mean they're they're pretty big so it's unlikely that they stop doing would be acquired in shutdown. But it's still like there's some of the stuff that we're doing. We need access to the to the bare metal. Or as close as we can't be and it's just it's just. We just couldn't do it. We just couldn't do would be scared every day to hear them We dropped a certain feature. We changed Break something that we can have no control over. Yeah now no you've got that you've got that bug through through laura i get that and i'm not saying you're wrong in any way that's for sure but it is interesting to think about the life of mono game zimran for for mobile development versus unity people bid successful in both acts. Clearly i think unity is probably like for a for a small game or like a platform game constraints. And it's like it's like a standard game. i think unity is a pretty good platform for that. In our case we have to do so many hacks To render today for those entering issues that we have that makes more sense for us to control everything then but it's also more risky because now apple was was gonna now's the they're gonna drop will be in jail any day that's why we have project metal in progress because all this all this sub rework to actually make it easier once apple decides that it's over for us to move to a different rendering engine to regret it seems as same to consider dropping open l. It's one of the original three d. libraries like much off or dependent on it for so long it just seems mean. I mean you've seen what they did with the latest night book at right. Yeah well it's it's thing. Yes why you like containers. No contain extra how you wanted. A power supply wanted a functioning keyboard. It's just a box. I mean it's the same way they do things with the the mac general right so wendy update to a new version. 
It's like exco doesn't work anymore like you can't to the new x. code if you don't update to the new mac os right so you could definitely imagine them like. What will you have no choice. Woohoo you're going to go to you're going to android come on the end of phone. Yeah right so they have such power. Now that it's they could make this move and you'll be joining for them. You can cut you name. And this is old laurie. It's been a it's been a delight talking to you in. This is certainly an amazing project. And it's great hearing all the dirty details so thanks thanks. Thanks for having that all right. We'll see you next time on. Dot net rocks dot. Net rocks is brought to you by. Franklin's net and produced by plop studios a full service audio video and post production facility located physically in new london connecticut and of course the cloud online at p. w. o. p. dot com visit. Our website is dot any t. r. o. c. k. s. dot com for rss feeds downloads. Mobile apps comments and access to the full archives. Going back to show number one point reported in september. Two thousand two and make sure you check out our sponsors. They keep us in business. Now go write some code. Cnx time yesterday.

IdentityServer Update with Dominick Baier and Brock Allen

.NET Rocks!

56:41 min | 7 months ago

"Hey carl here you know. There's something new from our sponsor. Text control their new product. Ds ever provides documents services out of the box for all platforms and languages whether you want to. Integrate document creation editing sharing or collaboration into your web ds server provides the back end technology to integrate professional document processing for example using ds server. You can integrate a microsoft word compatible document editor into a pure java script angular or as peanut core app create pdf documents using web api calls or requests electronic signatures from end users ds server is hosted on premise in your infrastructure or with your cloud provider such as microsoft azure. And you can test ds sir. Without downloading anything create your first ds server application within minutes by requesting a trial token on their dedicated website at ds server dot co welcome back to dot net rocks happy new year. Richard happy new year friend. And i'm sorry. I thought you're channeling the duke there for a minute i well Welcome back their partner having having a good time today. He feisty feisty yeah. I got up all morning. Banged my head against some bugs. That have defy explanation. You know the usual. Chew on a monday morning. But that's cup coffee. some bugs. Yeah i've been The problem keep me home too long. Start modifying the home. So number of tools has increased substantially the number of gadgets. I mean at this point looking over at my work. Desperate is four projects sitting on it right now. So some people clean out their closets and people makes our brad. Richard campbell reconfigures servers. Oh yeah now. We're moving over to home assistant now for automation for a bunch of things so that has been a major disentangling services like i actually can draw an architectural diagram for the house. Now just in case. That's where we're up. Well happy new year to everybody and let's get started with a very cool Little tool for better now. 
A framework roll the music. You got well my friend and fellow app. V necks developer. Brian mckay ronin. This little tool which you can get on new yet. And it's on get hub. It's ether dot list compare eat. The our list compare and you got it. It's comparing to lists and doing something useful with the result and you would think that you know. This is kind of built into the framework but not really. Oh interesting yeah so and just trying to do the compare really efficiently. I hope that's the whole thing right. Used a lot of memory trying to compare to things that's true. And he even has the caveat that the performance is fine for small lists but definitely currently not optimized for huge data sets so does rely on a number of link expressions in plenty of room for optimization. But it's a good start and you can just install it with new gatt or go to gabba repo and inhabit goodness. He's not really part of the framer his per se which you're actually talking about dot net code on better no framework. I'm yeah it's one of those things. I'm turning over a new leaf and twenty twenty one. Richard who do do i was talking about. Dot net a data. Iraq's not really made a little bit how. Brian often brings cool stuff to the table. He does awesome. And you know that you know. In order for him to create a to like this. He was exhausted all our news. Yeah he he really didn't want to write this. Nobody had to had to exactly. That's awesome all right man that's it. That's what i got. Who's talking to us today. Well grabbed a comment. Show sixteen thirty three. Which was the identity server update with tom and brock from the shit nbc in porto back in twenty nineteen so we were scheduled to do a show in porto. Where i them right twenty twenty. We just didn't do porto with the pandemic. All of that changed and now we kind of had a big gap fight. This is probably the long stretch. We've gone not talking about identity server between this particular show today. 
I've mentioned a couple of times but it was like under my breath. Cursing kind of thing though so you got out the field. We'll talk about that when the guys on none of us do identity enough to be smart and except for donna and brought right right. It's always the thing we had anyway. This comment comes from stephen chef and admittedly it's too. You're pretty close two years old now. His it's from that from that twenty. Nineteen show which stephen was saying. I really hope hope for an update on policy server. What's the state of this. Product is still getting active. Development authorization is so close indication. I really thought we would have heard at least some conversation in this show in the middle of that shows two years ago. And he's like stephen. I don't know the answer that. But i know somebody who knows so i will ask them and you'll probably hear about that very shortly and so thank you so much for your comment. A copy musical buys on. Its way to you if you'd like a copy of music. Oh by write at comment on the website at dot net rox dot com or on facebook as we publish every show there and if we come in there and i read on the show. We'll send you a copy to go by and definitely follow us on twitter. He's at rich campbell. I'm at carl. Franklin senator to tweet and we'll compare it with the last week. He sent nice. You know as we do as you do as we do our it so these next guys. I really don't need any formal bio to be introduced. they've been on the show many times Talking about identity talking about security talking about all sorts of things in their claims and whatnot. It's a dominic buyer and brock. Alan welcome guys. Hey let me tell you what. I was muttering under my breath. So for the first time. I tried to do the built in authentication authorization in a blazer webassembly app that's hosted. 
So there's, you know, there's three flavors of Visual Studio template for Blazor: there's server, and there's two for WebAssembly. One's a standalone and the other is hosted, and the hosted one uses IdentityServer. And it turns out in order to do roles, which the other stuff does, you know, pretty much out of the box, you have to write some code. You know, you have to parse the claims from IdentityServer and turn that into a principal, and requires some configuration. And I had to go out on the internet and find it, and I did find it, but it kind of seemed like something that should just be in the box in the template. What's the story with that template worked out with you guys? First of all, I'm happy to hear that you are now doing properly, not doing basic authentication anymore with Blazor. It's good. To be honest with you, I don't know those details myself. So Microsoft used identity for the JavaScript templates in. When there have been day released adrian. Coffee point zero for Angular and React. The whole idea was that it was not about identity. It was about the fact that the front end is not hardwired to a particular back end. Brought youth based open connect library and pointed sub url, and that happens to be one in the templates. Yeah. And they use the same approach for Blazor. Because well, I mean, it's also jobless bribe just different sort of Trapped in sea shirt. Yeah, that's really the story behind that. To be honest, I personally have never really tried it. I am not a person at all. I mean you know you never even my test. You is ali for test. You is i guess. I don't know it'll be honest what's going on. That's good enough. Has mentioned is is that we had these days proposing different approach to securing JavaScript-style apps with token-based architectures, right, and that is what called the back end for front end approach. You know, where basically front end does not deal at all anymore. 
With all of the security tokens in the token lifetime. It's all done by the back end. And that's kind of in line with what browser vendors want you to do, because they are all changing the browser sandbox rules with SameSite cookies and Intelligent Tracking Prevention. They don't allow you to use iframes. All of these things kind of lead to more like a server-side approach. So I actually just for a customer valid. Assemble to secure a Blazor with this approach and it find mean it just changes the procedure a little bit. I guess bought from a former youth as point of view. Don't see a difference. Yeah, they don't. The couple of things about that: one is that the browsers are changing so quickly in the. It's sort of like back in the day when you're trying to get your CSS to work right across browser vendors. Same thing now with all of these company today or yesterday exactly. Things change, and getting it right across vendors is really tricky. I know because I worked on that library, the one that is used in the jarvis comprenant apps, and people saying today it's not working in Edge, and then two or three months later, oh, Edge is updated out. Works again, and things like that. So having this architecture push all the security and protocol work of managing tokens to the server side makes your JavaScript simpler. There's beauty in that. Yep, nice, certainly is. It'd be nice if the Visual Studio templates were just a little more complete. That's all. It'd be nice by you. Had to create, you have to create a custom user factory to parse the JWT into claims. Anyway, just a little complaint. Not you guys. Just, you know, you've missed the nature of our business. You know, things just kind of, they evolve over time. Then I personally am waiting for some features in .NET 6 that it's just gonna make all this stuff seemed like what we complaining about, you know. I'm sure I'm sure harder. So what's new? What's new besides the shift to server-side JWT management? 
Well when when we're not prepared for the show. I actually looked up last mattia. And you know i realized while nepal's in porto in two thousand nineteen a lot lot of news in spend rights because usually we did our annual thing to talk about what what happened the last month or so so i guess from my side to things were happening in the last six months ago. The first one definitely is not reaching healthcare sector to to to update their architecture to token based system. And that's not the interesting party but the interesting part is that sparked the discussion about is all secure enough for these kinds of environments. Wow wow yeah question. I i ever thought anyone would ask so at the time and we stop at basically a kind of independently creating higher security profile ford. They are used as it turns out. The same has happened in in different industries as well in parallel financially called to the payments directive to in in in europe and open banking into uk. Which are different now. And but to your point. Dom like when i think about the origins of o-of it's like comments on blogs that that's where it came from right. That's where well i mean. Google tried to solve a legitimate security problem with this photocall right. I mean how to krant. Party access to your. Let's say google calendar without you having to disclose you're right. Yeah and it's still a heart problem to solve. That's a hard problem. So yes you're right. It totally originated in the consumer space. But it turned out that. What's secure enough for google. Probably also for many companies but there's also this mindset Time companies were doing federation right like the very top down complex security rules and sort of the consumer bottom up like i just wanna be able to have my name appear when i write a comment on a website that strip down of. 
What's the minimum necessary to make this, in some ways was like a counter reaction to all the ceremony we had in WS-*, right? So WS-* without ceremony around it, kind of. Sometimes it wasn't be too simple, right? And that's the reason why these questions came up, right? I mean that's the odyssey are seeing seven four nine which is written twenty twelve, which is a yes now ago voss meant to be a simplification of the previous version, which was very heavy on crypto, which actually was more secure, to be honest now, and also had operated on different preconditions. Like for example, HTTPS is a given now, so they simplified and defend us left it because the simple cardinals either gonna use it, right? But that was the whole drama around where one of the authors left, right berry. You know, it was a loud bang. Basically left the company. Like your your. It's a death but by a thousand cuts your coming down off that it's not secure enough anymore. Was he right? Well, he was right in the sense that it was less secure than the previous version. Okay but less you know less carries it. Nobody can open the door and now there's less secure one that nobody can. I think the big thing where he's absolutely right is that OAuth 1, they had so-called proof-of-possession access tokens, where if you leak an access token over the wire, the attacker cannot use it, and that feature they killed in two because it was hard to use, because it required a lot of crypto. So a couple of preachers that took exactly this simplification of the protocol and turn it into you like an attack. Now i'm not so that's one of the things that we into house caste system. You know like it didn't snow suddenly your best on your calendar. 
It's yaw in no way to the suburbs where you can If detailed you can tell them that someone is dead and if you have access to that service you can basically jerry people instead that that could be problematic that just a high a high value essence. I knew i knew it was rigged. I've been saying it was rigged that's how they reverted luxury short in two thousand twelve people. That didn't anticipate that it would become so popular right. It would be would be the backbone of the financial industry of the healthcare system of eke governments and someone's a false so yes. There was definitely room for improvement area. And that's what. I spend a good chunk of the last for years wished actually now. I'm certainly my experience with off has been if implemented correctly. It is quite secure but there are. Lots of bad implementations. Well the problem is is steady even if you implemented Word by word you can come up with an insecure implementation because the A bit wake in certain areas. I'm dave i think they suffer from the problem that many companies by sitting on this idea of committee and they all different priorities and enron. Everybody got a little a little cloth here. You may this all. You may do all you may ignore it. Yeah that's the h. l. seven spec. Sgml's like when you get enough committee members. There's so many alternatives just because everybody wants their thing that you end up being nothing analysis paralysis. The reason why him out of the guy who wrote the original spec lift right because if this was all dot ribbon november reverse normally the very emphasizes the point quite a bit that it's not vendor driven. It is well until the vendors got involved that became vendor driven and they have the most money in the most time in the most to win and lose. So it's hard to resist them and what was also complaining. If all of these vendors got little saying they left left the comedy right. Let let someone else finish writing. 
I think the we spoke about this quite a couple of times already about what happened in the end is that Microsoft had to employ someone just to finish the spec and get it out of the door. And that's what he did. Elect trump against basically Has the story. But, I mean, that's all history. I guess a much more interesting is instead in. The last eight years has been quite a lot of work in improving the security and creating is highest security profiles, adding additional specs on top to fill the gaps that happened. Yeah, let's talk about those gaps, 'cause I'm curious to find out what those little problem spots are. The biggest gap is that the spec was not always very explicit, the original, so they created a whole set of documents, what they call the best current practice, the BCP, which basically gives concrete implementation advice to developers implementing this. Now, that's one for native apps, that applications, one more like a general overview document, for example, and they are really really good because they are not just theoretical threat models. They are basically written by people who implemented this and analyze the attacks ended after the condemnation us and created really actionable documents around. So that's probably the most important thing that happened, and we can talk about other things. Having to basically data in the oil field is probably next year. That's gonna be a new version of called OAuth 2.1. Oh, that's a big deal. And what to find. Run really is the original spec plus all of these BCP documents, and they actually removed features off the protocol that proved to be security independence. Now, for example, maybe you want to talk about the implicit flow, because that's something you'll spend a lot of time. I mean, this is one of the original, in the original spec, one of the workflows that they allowed for is basically for browser-based apps like SPAs to obtain a token So that the job is running. 
Your browser could use that to call an API, but the way that the access token was delivered was in the URL, in the hash fragment of the URL. And so, you know, there are a lot of complaints inside. Like the token's coming back from the, you know, in the URL. It shows up in your browser history. You know, the fact that the token's delivered from the endpoint that the user is interacting with leaves a lot of, like, possible issues about user being confused and, like, you know, clicking the wrong link and thinking they're logging into the right thing and getting the token back. A lot of things in the protocol that they didn't, they wanted to accommodate these SPAs to let them get these tokens so they can do the protocol and call APIs, but the delivery mechanism of the token was never ideal for those scenarios, just because the browser is so problematic and fallible from a security standpoint. So they basically nixed it from this, you know, the BCP saying that that flow is not the best one. And the one Dominick was talking about, the browser-based applications, in one of the early drafts, I don't actually remember if it says it in the final draft, but that's the document that talks about this pattern, right, the back end for front end. And the way they phrased it in one of the early drafts or something like, you know, if you're writing a SPA with all those JavaScript running in the browser, it's so complicated to properly secure this thing that maybe you just shouldn't be doing at all, right? And then the spec is the best practices for browser-based applications using OAuth, and the section in the spec says, or the recommendation: maybe you shouldn't use OAuth, right? It's really complicated. Hook what they. What they really meant is, to be honest, yeah, maybe you should not store these OAuth access tokens in the browser, because I think that the browser is impossible to secure. And that's where the spec takes you down the path of saying. 
Make your server side of your SPA do the protocol work. So it still does OAuth tokens, but it's all managed server side, and the protocol is all initiated and driven by the server-side code, and the JavaScript just goes to the site, the server side redirects you to go log in, does all the protocol stuff, and then you just end up with a cookie in your browser. And so what they really are saying is, all of your JavaScript, when you call APIs, you call back through your server side, and it proxies over to the real API. So in other words, the JavaScript doesn't make direct HTTP calls to the web API, right? You're delivering the request through your back end. Which are usually is pretty much what we used to do like twenty years ago, right? And it's funny how server side has sort of swung back up, and one of the reasons is these security issues, that when you eliminate carrying identity out to the edge and you do as much as possible further back, just a whole class of man-in-the-middle attacks go away, a whole reproduction. Attacks go away, like you. I mean, it definitely reduces the attack surface, kazoo sort of eliminate. Securing cookies and browsers to the back end is a known, known thing, right? We've dealt with that for all these years. And the fact that you can make cookies unavailable to JavaScript, right, helps a lot, right? Which is the main thing here. Right, as Brock said, we've come full circle, right? I mean, that was the style twenty years ago, then suddenly because oh well thing became fashionable, right, and everybody will say I don't use anymore. Use tokens, right? And now we realize maybe that wasn't the best idea, maybe took because he's a pretty good idea. I mean two fingers. Data have changed cookies significantly, right? I mean the cookies cookie day. I'm not the cookies. Five years ago or even ten years ago, with all of the developments taught the SameSite sandbox style where that process now by default. Makes you a cookie. 
Stone travel across site boundaries anymore. Which wasn't the case five years ago. Which made the mitch maiden actually problematic cross site scripting for example. Absolutely, I mean, it all sounds like good stuff. And it's interesting, just the reality that you guys are dealing on the edge of what is the right way to authenticate, protect information moving around on the internet, that it is an evolving standard, is not just implementing a standard but making several standards. Actually, I mean, that's the thing, that when we say OAuth these days, it's not just the one RFC from back in two thousand twelve. It's now like, I don't know, about eighteen or eighteen or twenty of them at this point, and there's a whole list of them, and that's kind of what Dominick was saying. That's what this 2.1 is, sort of a roll-up of all of those RFCs that have been put out over the last several years. I think of as patches to the original spec, right? I mean, they're almost like using semantic versioning. Almost dan adding i mean. Maybe don't dangerous. There is definitely that OAuth 2.1 does not introduce new features, but it basically restricts existing or actually removes existing ones, or refines the wording of the original spec. Now, for example, in the audio. You'll never gave any advise on how to validate you're rattles ride, and URL is pretty important in a redirect-based protocol in the browser by tossed room the wrong url printed the wrong place, right? So yes. That's a things like that six actually, and they are very explicit that you must do exact matching URLs, knowing expression split forbid, no wildcards, whatever, things like that, and that's an improvement. And they removed implicit flow, and they removed another flow called the past. Well, it was called the resource owner password 
credential grant, very long, but basically the idea is that in a day they wanna some flows allow that the user would type in the password in the client application and not into the locking logging server, so to speak. A science show with basically more often a youth. Types indep hasslet into several blazes, the more prone they are to phishing attacks, for example, because they just don't think about it anymore. Like, why do I type in my Again well hoops now. But if you are used to only typing it in maybe once a month into the same spot, like the Google page, whatever looking patriot or your password manager, maybe the next phishing attack will not succeed because you actually think about it. Yeah, I shouldn't be typing in my password password. We're yes exactly. So these are the things they remove basically from the spec. Updated for twenty twenty, I guess, yeah, for like eight years later. And then of course there's a whole bunch of additional specs which have been released, not part of this but sitting on top of that now. And one of the most, I guess the most important one from my point of view, is that finally tackling the proof-of-possession problem. For eight years now it has been postponed and plus toned us but then postponed, and we only had bearer tokens, which basically means, you know, if you're losing your token psych. Anybody can use them. Now with proof of possession, a cryptographic binding of the token to the owner of the token, so if you are leaking your token now on an untrusted network or something like this, the attacker cannot simply use that token. Things like that has been added, but these are the things that should have been there much earlier, but I guess that's how standardization processes sometimes work. Day big undertaking see. It's huge in again. It's all learn stuff, right? We're learning more about the way people operate on the internet, what they need to do, the they're having mistakes that are being made, and he seemed to be trying to correct all that. Also you have to go with. 
What the browser supports. How long did it take before we had secure cookies. You know of course That's a whole another story right How proud lenders these changing the security rules and in intellect trying to fight legitimate problems like a trekking networks like and holiday along the way heard legitimate example also medi connect because they look very similar on the wire. Now right trying to fix those things and Folks before we're going further that stop to this very important message. If you've had automating your. Espn at deployments on your to do list. Now's a great time to give octopus. Deploy a try the starter edition. Let you install octopus on your own infrastructure and deployed. Is web servers azure websites. And pretty much anything from no deq oover netease and they just made it free for small teams. Give your team a single place to release. Deploy operate software with octopus. Deploy find out. More at octopus dot com. You know there are tons of vpn providers out there. You've probably heard of a couple of them in some of you may have even used a vpn. Before but i liked to do research on my sponsors and i can only recommend brands to my listeners. That i believe in and i can say with full confidence that express. Vpn is the best vpn on the market. Here's why express. Vpn doesn't log your data lots of really cheap free. Vpn's make money by selling your data to add companies vpn developed a technology called trusted server. That makes it impossible for their servers to log. Any of your info second is speed. I've tried lots of in the past many slow. your connection down or make your device sluggish. I've been using express. Vpn for two years now and my internet speeds are blazing fast. Even when i connect to service thousands of miles away. I can still stream. Hd quality videos with zero lag. The last thing that really sets express vpn apart from others is how easy it is to use unlike other. 
Vpn's you don't have to input or program anything you just fire up the app and click one button to connect it so easy. Even mama franklin can use it. And it's not just me saying this wired the verge c net and many other tech experts rate express. Vp the number. One vpn in the world. So protect yourself with vpn that i use entrust us my link express vpn dot com slash dot net. That's xpress vpn dot com slash dot net and get an extra three months free on a one year package again. That's xpress vpn dot com slash dot net. And we're back. It's iraq's i'm richard campbell. That's karl frankly. And we've got our friends dom brock on talk a little bit about well. I think we've done the state of identity now but now my next question is how does this impact identity. Yeah that's a good question so security for you guys. I very well remember kind of like the first line off. Identify coda ever wrote my alive with locals man also like around two thousand nine. I guess what's around the time when they released it the windows identity foundation which was like a really crown breaking piece of code dot net space. Because basically it's six all of the old problems we had with principal. And i identity and so on. Introduce tokens ws for the radiation and ws trust. All of these things became first class in mem- yup So and not not. Not many people know that the reason why by existed whilst because mike's tried to create i think it was the trust how windows sava feature that was ever written dot net which was eighty s. Though the active rectory federations rations. Mrs lost i think was the first heart of windows written and managed coach. So that was that was a whole team trying to create and realize there's so many things missing in dot net. We need i back. Sale the gaps in dot net to actually make it feasible to right after product. And that pasta. Yes i remember. I think we were talking to you. About w i f when it came out and kim cameron to show kim cameron. Yeah there. 
it is one seventy three two thousand sick. What i learned from that was using it as a means of authorization as well. You know where you could. You had these claims and you could tell where the user had the ability to do this or do that in code was pretty powerful idea. What i'm really getting at at this lost time in dot net space where these types of the countries became accessible. Don't having to implement things from scratch which was really really complicated. I mean similar tokens and all that stuff at a time. Right when when i didn't know what i mean. Every version of identity was called star. Sds six files on the fives essex. Eighth fis of coat behind. And and the reason i turned it into an open source project quote unquote. Yeah by the time it was just too much co two post on my blog so at total by time right. That's seems to be like a a thing that you can upload files and people can watch these files online so instead of coast and get coach. My blog posted to blacks and that became identical. So many things have happened since that right. I mean back danny false. My only i was looking alone on that and Luckily broadcast a step in in that and that was version two. I think and then there was less than three patana and then russian four eighth nicole and this thing just got so popular. We never never planned anything like it was a hobby project. It allowed us to learn that technology by the time and became bigger and bigger up to a point where like many olden sauce. Politics is at the crossroads at some point. But you said like this is not just a hobby bocce anymore. I mean there are real people. Depending on israel read companies depending on drive and one hand helping them with that problem on the other hand. Working on the product is becoming harder and harder. Yeah and and to be honest we naught at by it for a long time from several people saying you should use. You have to stop doing that. 
You have to create a company that allows you to write, to work on the product full-time and not cross the product work with consulting, for example, or training, or whatever. Right. I mean, this has been an ongoing conversation for us on the show too. That's sort of, how do you have an open source, you make a living from an open source project, and is that whole, you know, we build it over here and we consult on it over there kind of mindset. That worked for us really well for many, many years, just because we were working on it. It was fun doing consulting and so on, but we realized more and more that even if we had to make a substantial, small change to it that requires engineering work, that requires us to be on the phone for a few days, it was almost impossible because the paid work took precedence. Right, right. So, and we thought about this for many times, right. But it's not trivial to set up a company between Europe and the States, and all the legal stuff and licenses, all very scary, really. Twenty twenty apparently gave us a lot of time to think about it. Thanks, twenty twenty. Yeah, so we finally bit the bullet and ready the company, and right now we're working on our first release in January. So that's what's different. Having a company, there's far less time to write code. That's the first thing I can tell you. What I think over since we announced in October, well, even before then, I mean, I've been sort of thinking, for every one hour I actually get to write code on the product, I think I'm spending three hours either on the phone with, you know, lawyers or with the website designer, or thinking about business plans or pricing models. And all of that is not, you know, I didn't go to school for any of that stuff. So, I mean, it's scary. Totally, you know, new job title in a sense, and it's pretty exciting. Like, the goal of course is to build this
You know, this entity to make IdentityServer better: better docs, better, you know, time to work on the features, time to do samples and all of that, implement all these new specs we're talking about. To me, it seems like it's about sustainability. It's like people are going to rely on this software for a long time. I've done enough enterprise development work to know if you incorporate a library like this, this is a decades long invitation. Like, it's always gonna be around. How do I know you guys are going to be around, or rather that product is gonna have life? IdentityServer4 is still going to live on, right, and that'll be open source, right? So, I mean, first of all, to a point it's actually fascinating how many companies are happy enough to just download a hobby project from someone on the internet and base their core security infrastructure on them. As long as it's free it seems to be that much of an issue. So there are so many things I can talk to. I guess the sustainability thing is one thing. Yeah, it definitely, right, definitely will open question for us: how can we make this along a period of time. Because I certainly not about proper. I have a certain burnout factor, yeah. Like when you work from nine to five at a customer's and from five to nine in your hotel room on the code. Now, so the thing is, no one should complain in. The opus. felt about sustainability, because it's everyone's choice what to do with their work. I guess, yeah, that was one of the big takeaways I had when I took my time off in the beginning of the year to think about this, you know, more uninterrupted. Actually, I saw a talk from, you know, like the same Eran Hammer I mentioned earlier, who wrote the OAuth spec. Defenseless he did a really, really good talk at a conference which was called Fair Trade Open Source, and, great name, yeah. And, to the spoiler alert, it doesn't exist. So he he.
he was the author of the very popular Node.js framework hapi, and he went through all of these stages similar to us, how to fund free open source, and he ran through, you know, sponsorship and, you know, advertising and even selling overpriced T-shirts. Yeah, all kinds of things, and in the end it doesn't work out. That's the conclusion as well. Yeah, it's not open source that has a sustainability problem, it's free that has. Now right and that will conclude that our this well. I mean, we still have a free version of our software for, you know, smaller companies and individuals and hobbyists. Everyone who doesn't earn that much money with it can use it completely free, right, but if you are a company, you earn money with that, I think it's fair trade to put some money on that, and that's why we had to predict change to business model now. Does that mean that the new versions are not open source? So the question number to get the I. It's like I thought anymore. No, it is completely open source. There is no contradiction between open source and not free, right router. So yes, it is still open source, and that was one of the things that from the start was our top priority: keep it open source. We have a license that allows everyone to use it completely free for noncommercial open work. We have a license that allows everyone to use it if they're a small company for you to free insights pounder race math. So we didn't wanna cut off the open source community. Wipe out on the other hand. We find a way to make it work in the long term. Well, the bottom line is, if you needed to, you took a sanity break, and that impairs the product, like everybody's getting cut off anyway. Like, sustainability is not about making money so much as about sustaining the product. So the commercial license then is for what? Support then? Well.
It's it's funny you divina race and paul and we ask things like, you know, security notification services, like, you know, if some security-related update happens, customers nowy trust right before it goes public. Things like that, things that companies care about. Yeah, yeah, sure, sure. That's interesting. Now, I appreciate, you know, this has been an ongoing theme at .NET Rocks for a while now about sustainable open source, and I appreciate you guys have brought this conversation too. Because you're trying to solve that, you're in the middle of this and trying to find a way to live and work at a reasonable pace and provide the things that companies want to go forward with the license, even though they can just download and use the stuff if they wanted to. That's the thing, actually, pretty much every company we've talked to has said finally, like, finally we have a way to actually, you know, spend some money with you guys to keep you going, pay for the product. Because we did the Patreon thing for years answer. Nobody in companies has like a cost center for donations. Sure, they don't know how to do that. Companies just don't understand that, but the minute you say you have a commercial license, they're like, oh yeah, fine. We'll get the license done dundee right. And all the companies I speak to are so much happier that we now have this new model in place, and even an annual license. So it's like you're getting Patreon membership just not using. Like, we tried the Patreon thing as an experiment by the time. It's depressing in the end to see individuals from companies sponsored us privately because they couldn't find a way to make the company's. It's just wrong. I mean world should work like heck but you poke on the real issue here, which is they don't know how to categorize it in accounting, and that's enough to stop it. I use the NPR analogy, right. NPR, National Public Radio in the US, or public TV.
You don't have to pay to get that or to watch it or to listen to the radio, but they totally run their organization off of mostly donations from listeners. And only ten percent actually donate, right, and they get the rest, I guess, from federal funding, and they spend a lot of time and effort sort of a mon say guilting you into it, but making you realize that without support it could go away. Exactly. So in the software industry that we're in, companies don't get that, right. They don't know that, it just doesn't work for them. So turning it into a formal commercial license was the only way to sort of work something they understand. And so it wouldn't get an interesting thing I learned is instead probably the open source projects out there which are very popular but which many companies depend on and self funding these two together. I very very few projects out there. All of the big projects which are open source, they have some sort of company backing it, right. Right, you name them the that we will in this really really small niche really offer of of being self funded and apparently optional and And data is hot because you have all kinds of forces pulling at you in all directions, basically, to make it work. I really hope that more and more of these open source projects out there think about, you know, what the value is, like, what is that currency deb. Working right if it if it same rights as the tension said being maybe getting hired by a big company that the company can kill off the open source rotation or not all. Is it really that they want to build something which, you know, lasts for a long time? And it's tough then, as I said, as Brock said. Yeah, I mean, we announced in October, but you can be sure that at least six months before that we were on daily calls with, you know, as said, lawyers, tax people and all kinds of things. It's a lot of work in. Maybe maybe would be nice. That would be easier.
Maybe make that hurdle go away for smaller projects. Well, wish you a lot of luck with it, and we want to catch up with you again next year and find out how never sure. Hey, I'd be remiss if I didn't bring up Stephen's comment from the very beginning of the show about PolicyServer, because in some ways what I hear he is describing sounds like, now PolicyServer is something people really want. And you've got a better model for making it exist. So always site project if you like. It's a separate, a side project on your side. Yeah well it boss. I love first foray into the commercial about maybe math That that just exists and working on it. So I think is questionable. It's heavily stopped recommended. No we don't we actually east as we split time between company punt Much what you're doing, right. But I would hope you bring in, the big thing for me is, is it still really just the two of you? Like, now with this new architecture and maybe a little more stable cash flow, that you can get a few more devs. Entirely right. I mean, so PolicyServer was also Michele Leroux Bustamante as well. He's also involved in alliance heard. Her company is the We have a team there that actually helps work on it. So that's why it remains basically under the Solliance umbrella, and our new Duende Software company is now just for IdentityServer, so those are, strictly speaking, separate companies. But hired people, right. I mean, not hired in full time employees, but we now have people working on upside having of consolidating a thinks you couldn't do before. Right. PolicyServer certainly fixes that problem that I was experiencing in, you know, WebAssembly, trying to en- Blazor, yeah, where we're trying to parse roles out of claims into the principal. You know, just sort of, it definitely does that. Why is that funny? You're throwing some very heavy machinery that in just kicked yeah yes sir I got you swatting a fly with a beer and just my last. Friday's open source thing.
I guess you had on the show recently. And he started this really interesting thing called cape in which a basically if his new project and that's if aimed at helping developers, you know, make it easier for them to actually turn that open source project into something sustainable. That's a if anyone's listening undressed natural. Check it out them. Include a link to it. It is interesting. It is said, this marketplace is evolving. How do we build software this way and make a living and be able to sustain it beyond ourselves? We're still in the first generation, for the most part, of folks like you that have built software that companies are depending on, largely volunteer developed. You're allowed to retire at some point. Like, what's going to happen? Like, there has to be life beyond this if you've made a twenty year commit to a library. Like, we have no doubt that C# and all the open source libraries at Microsoft, they're not dependent on any one individual per se. I mean, I'm pretty sure that Mads Torgersen has a serious influence on C#, but he's not the one. But if Dominick Baier wants to take vacation, Brock Allen needs on august. The two of you decided you both wanted to go away sometime. Like, this is what sustainability looks like. You're allowed to take a break and you're allowed to ultimately retire. Like, it's not today, it's not next week, but what happens thirty years from now? Do we just presume we're gonna move on the software that we won't be dependent on IdentityServer anymore? Like, it's not reasonable. There has to be a model. And I think that's what we're fighting for right now, is what does this model look like. Yeah, well, we just get to commentate from the sidelines. It's been really a lot of that was on our minds. Well, how do we at some point pass on the whole thing Sunday doesn't have anyone if it just from. You know. Just like rhythm. Now I'm going to retire now. Thanks for plan that.
It's not reasonable, right. Like, you care about the folks that are using these products, that rely on them and so forth, and there needs to be a reasonable succession plan. That brought the conversation to a screeching halt. That's right. I'm thinking about you dying. Yeah, I'm thinking about you dying. I'm very excited about. Don't die today, please. Yes, please. Well, I'm excited for you guys. I appreciate you working on a problem that's a fair ways out of your comfort zone too. Like, you've built up a set of skills around building identity tools that we all value highly, and now you're going to experiment with some business models too, in trying to build the right model for taking care of this product going forward. But I commend you. I can't and circle back a year or so, maybe even in person, and see how things are gonna win nappy luxury. That'd be great. Mci guys, thanks again. So it was great talking to you, even if it's about IdentityServer. Yeah, we'll catch you next time. Okay. All right. All right, and we'll see you next time on .NET Rocks. alexa .NET Rocks is brought to you by Franklins.Net and produced by PWOP Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course in the cloud, online at p. w. o. p. dot com. Visit our website at dot n. t. r. o. c. k. s. dot com for RSS feeds, downloads, mobile apps, comments and access to the full archives, going back to show number one, recorded in September two thousand two. And make sure you check out our sponsors. They keep us in business. Now go write some code. Cnx time off.

Xamarin Forms to Maui with Gerald Versluis

.NET Rocks!

49:24 min | 3 months ago

"Have you ever wondered. If you could be offering faster less buggy application experience for your customers with reagan application performance monitoring. You've got all the information you need right at your fingertips to find and fix errors and performance problems across your tech stack down to the line of code. Reagan makes it easy to monitor the impact of your performance. Improvements quickly identify and resolve issues. And see how your code performs in the hands of your customers saving you time money and sanity visit reagan dot com and join thousands of customer centric software teams who use raygun every day to deliver flawless experiences for their customers. That's reagan dot com to get started on your free fourteen day trial. Welcome back to dot net rocks. This is carl franklin. And this is richard campbell. Happy to be back Man but eat. It's been a couple of weeks. What's what's new view. How's how's the pandemic treating you. The wife got he were locked down again. Of course everybody's in a third wave kinda. Sergio restaurants close wife got her first injection on like. They're now doing injections in the pharmacies. And so There was little overflow and so folks ran up there gotten line and god first round. I don't qualify to young. Oh really yeah we're not. We're not quite there yet. I'm in the next block. Married an older woman. I did but not that much older right couple years. Come through as just literally the threshold fifty five. And we're planning in earnest for devon or section so. I know i've i've submitted some talks. I can't wait now. You're this section is going to be a in-person and streamed right. We're calling it a hybrid. Yes and of course. We don't actually know what the pandemic situations going to be by june. We have to plan now so right just dealing with all the contingencies and trying to follow it follow. All of the rules legal requirements. 
But when you look at the rate of vaccination right now it seems like we have a pretty good chance to really pull off an in person show I'm hoping yeah. I'm i was encouraged by recent news that A study showed that once you have been vaccinated and a couple of weeks after you can no longer be a carrier like you you you soon. As as soon as the virus hits your system. The antibodies go to work in. It's destroyed before can replicate and do anything so so you can be safe if you're vaccinated without a mask and you know even if you then go into the company of people who are not vaccinated. You're not likely you know ninety percent or whatever not likely to pass it on which is great. Yeah i'm i very helpful and It's challenging a month ago. We looked far worse. Even though there's an upswing now the best piece of news and all this is even if you just have one dose of these vaccines nobody who's had a single dose has been hospitalized for the illness yep so it from a public health perspective it dials everything down so I'm hopeful it's good news. What we'll do we gotta do. I'm i hope. June works out but even in june doesn't or whatever happens there vegas in december monthly. I think we're really. That's going to be swinging. can he. can you know. I remember the first conferences after other worldwide. Like nine eleven things. We're really interesting. There's a real without but also real warmth we forget how much we are social creatures. Oh yeah and And that we we miss lee things and this has been a year. it's crazy. i think we've been starkly reminded of how much we are social creatures during this during this pandemic I saw an old friend that i hadn't seen in a year and a half and you know the hug lasted five minutes. It's just like you can't believe. I found somebody that can give me a hug. You know it's like all right anyway. Well that's good good positive way to start this off and continue the positivist. Let's roll the music for better. 
Know a framework awesome what he got a couple of new podcasts in the plop empire. Yeah one of them is called you me in pd and that's pd as parkinson's disease and that's you me and pd dot org hosted by our own jerry. Lewis right and his wife. Taurine jeremy Contracted late onset parkinson's disease like last year and So it's it's kind of a human story not just from the perspective of a parkinson's patient but You know somebody who's caring for that person as well where which i think is a powerful combination right because it's it's not just to. Who is ill. But those around them and how they were and how they work with an so and jerry's a great guy. Jeremy is super super guy and also part of zaman forms ecosystem part of the blazer ecosystem and Know a really really smart and deeply. Caring person Second one is another deb express sponsored. Youtube show liked blazer train but it's more general and it's called the dot net show nice and believe it or not the dot net show dot com was available after all these years. Believe me it's very. And i was like now i can call. How could i be so bold as to call it. The dot net show. It's crazy so basically you know. I looked an in the way back machine and the only thing i could find called the dot net show was some channel nine content. Back in the early outs and it was all relevant anyway. So it's everybody's moved on. And i called out to our friends scott hunter and i said hey man you think there's any problem if i use this moniker. And he goes you not a chance. Go for it so yeah so cool. That's going to be at the dot net show dot com obviously and i'm going to be starting Oddly enough with zaman forms interesting and in fact james monta magna is going to be my first guest. You're breaking your are breaking policy. I thought it was patrick. Hynes was supposed to be i. I don't even think he does not anymore. I don't know what he's doing. But he's a security guy. He's got his own podcast now. 
He does who ciprian called in ten angled things. They're talking about quantum computers. Oh that's so cool and it doesn't surprise me a bit. No and i'm scheduled to be a guest on their show actually but there they've got to three episodes in. I'm going to be coming a little. Wow wow wow. Wow all right well. That's the new hotness. Go check it out and Richard is talking to us today. I grabbed a common talk. Show sixteen eighty nine. The one we did back in may of twenty twenty you know in the pandemic times with kinsey. Whalen we were talking about you know and of course that broadens to a general conversation on zamel zamara. All of that. This comment was i think especially relevant. This is debbie. Goble said the promise of cross platform tools is great bill once run everywhere like who knows amarin forums and now dot net. Maui allow smaller teams much broader reach. There's one kind of expertise seems to get glossed over and that's all the nuances of the native design. Languish sure i can use these tools to make a control look native across several platforms. However it still seems like you need an expert niwas android. End the windows. You ax to show where and how to use these controls in a way. The user expects yeah. There's an incredible opportunity here for these cross platform tools to help developers quote fall into the pit of success by doing the right thing on each platform also would be nice to see. Cross platform documentation helps the developer. Understand things from the perspective of a cross platform developer instead of a single platform developer as each vendor seems to assume a good start is a good start the documentation from zaman team in many cases their documentation of ios. Api's is far better than what comes from apple. Their incredible things in the rising and i begged the tool vendors to not let javascript win this one. How do you say that word again. Richard javascript script javascript. Ori- near chesterfield. 
Sedan i mean first off ya there. You are making a presumption that people prefer to have absent native design language as well which i think is a reasonable assumption although there are plenty of products out there. That aren't if i'm making a corporate app and he's run on iowa and android. I'm i'm less worried about following ios and android design guidelines. I am making the same across all devices so only have to teach at once. It doesn't matter what platform they're working from You know and that's part of the policy conversation you're going on into their as opposed to maybe a publicly facing app although if you look at the facebook app the facebook abbas on all the platforms to right. They decided that they have their own design language. And that's how that's going to be. But i do agree that there's an opportunity to do a better job on the nuances of each of the platforms Because nobody can be an expert at them all. I just discovered that. Npr listeners. Apparently want to build apps. Because i heard an ad on one of my local. Npr stations for some aztec at building technology. That i've never heard of before you know. They had a weird name like zobel or something. Wasn't that but you know it was just some crazy name. And the whole thing was build apps with no code so apparently. Npr listeners are just chomping at the bit to build apps without code. I dunno seems like everybody wants to build an app nowadays. yeah. I don't know the answer to that. Is that cool with it or not. But i don't even know if it's true. It is it is. They just might one advertise but so devon thank you so much for your comment. Kapisa co by is on. Its way to you. If you'd like a copy of needs to cope by right comment on the at dot net rox dot com or on the facebook. His every show was published there. And if you comment there and read on the show will send you a copy music. Oh by cargo by and definitely follow us on twitter. I'm at carl franklin. He's at rich campbell. 
Send us a tweet are George washington it. That's an inside joke. You'll have to go to the show dot com to find on this show reference totally. Yeah all right so let me All right so let me introduce our guest today. Gerald versus is a software engineer at microsoft from the netherlands with years of experience working with asher espy net devops zama in another dot net technologies. He's been involved in a number of different projects and has been building several real world apps and solutions. Not only does he like to code. But he's also passionate about spreading knowledge and as well as gaining some in the bargain. Gerald involves himself in speaking providing training sessions and writing blogs which she blogs at blog dot v. e. r. s. l. u. s. or articles live coding in contributing to open source projects in his spare time twitter j. f. verse lewis website Gerald dot verse lou dot. Is welcome. gerald. Hey thank you for having me is so good to be your thank you. Thanks for being here and it's really fortuitous. That we started this whole thing off with a comment. End a new show about zaman forms. So is there anything that you want to address for that comment that richard. Oh so you know. It's it's such an interesting space. Because i totally get that but you know. I feel that it's totally true. What you said. Richard like you cannot be an expert in only things for sure But i think along the way you kind of need to pick up on all the platforms depending on which route you're going to take Like you said like the facebooks officials. They have the power to just do that designed system and just force that upon you The interesting thing about examining forms that they were mapping The the the the abstract layer bits two native bits at were. Because you know you see that kind of changing right. Now with with dot maui. End also examined forms itself But i think it doesn't hurt to have a little bit knowledge of the platform of developing on. 
Because you know at the end of the day it's saverin and the other solutions for that matter. What they do is try to. You know abstract away. All the things that you would have to do natively so under the hood that's still happening and whenever you run into an error That is good that you know all the things about net and nc sharp and all that kind of stuff Suddenly see joff errors or objective sierras than your to panic so it still be good to have some kind of knowledge here. I remember in the early days of zaman forms that you had to do a lot more stuff in the main activity or you know in the the eve at the android level or the irs level to do things simple things that you think that the platform abstract and then as zaman forms got more and more robust i think even james magna came out with his library. That you know does all that stuff but you can do it in zaman forms app. You don't have to go down into the You know you don't have to go down into the to the separate system layers so more and more stuff is finding its way up. Yeah and that's that's the thing right. Because there's there's the separation thirteen confusing between examined which is called like traditional examining now which basically provide you with the bible. Right everything yourself. Yeah yeah that's just you know creating native apps but doing it in c sharp dot net. That's that's what's traditional javanese air quotes. Yeah but if you go into examine forms what their challenges is to you know like you said servers all these things to uneven abstract layer where you can just say. Hey i want a button or a label. And they're going to do all the hard work to translate that button or label to The native counterpart of that stuff and yeah. So that's what i always thought. Zammar informs was about was. This approach abstracted exelon so that you just declare a button and it makes you in iowa pot nor android button. Whatever yeah absolutely. That's that's the. 
I consider it an main evolution of zaman. You know it says forms in other words thinking that it's all about you i but it's really a layer where the native stuff and i'm talking about you know like the e compass and the you know the devices that are that are the hardware right getting access to that hardware. Those things are even abstracted into zaman forms layer. So that isn't forms. It's it's really the state of the art for for zaman yes so forbes is targeting. ui specifically like you said Soap with a traditional. And you can do all the things that examining forms layer on top of that which allows you to also do the. Ui ended the devices in the libraries. That you mentioned by james montier mac no. He had several of them Hundreds up now not hundreds but a couple of them separate the compass for the flashlight for all the dissenters that you could come up with. They are now combined in what is called examining the essentials. Add we're probably going to talk a little bit about at valley but that libraries also going to be incorporated in dot net six and is going to be on their deep at an assistant devices is the last i heard. Maybe the namespace changed. What is just going to be. Api's inside of the at six framework at. That's really cool very cool. That's cool now and speaking of now in before. We get too much into maui. Maui as upcoming hotness as we have mentioned time and time again but right now p p people are. I think maybe a little confused about whether you know. The classic cooks zaman forms. Dead right. i mean you know these questions come up all the time. When things are evolving and will i be able to move my zaman forms to maui without too much trouble. What is that story. Look so. 
I totally understand that question because you know i typically interact with developers who are on the cutting edge and you know who try things but there is a i think even a bigger group of developers who make a living out of this so i understand their concern with like What do i have to tell customers about the story. So totally understandable I think we've tried to communicate through different channels. But i'll reiterated here no problem So examined forms. Five is the last version of salmon forms as we know it but it will evolve. It's kind of a hint to the evil conferences that was examined thing before it was acquired by microsoft. It will evolve into dot net maui which Firstly shows i think the commitment of microsoft because that always has been and concern to like is examined forms of microsoft is building apps and other techniques. How what's up with that So i think this. This show's commit been from microsoft into this framework by putting it into dot net six. It's not going anywhere so the first thing that's to me is basically a well. Let's just say they copy paste of course not exactly that but they copy paste the whole examining forms codebase into dominant maui. And of course they have years and years of learnings with the good things and also the bad thing so they're obviously going to get rid of the bad things. Keep all the good things that make them even better so architecture wise. There's definitely something go to change. There will be a couple of breaking changes but they're also creating all kinds of ships that should make the transition from your examined forms app to a dominant maui app as simple as possible. There will also be. I think a try convert tool Yeah exactly so they will try as the name says tried to convert troops salmon forums application I'm going to be honest. There's probably going to be worked for you to do absolutely. 
Especially if you have, like, custom renderers, and this is already assuming that you know a little bit about how Xamarin.Forms works. A Forms app, I'm sorry, if a Xamarin.Forms app is in the App Store now, is it one day just gonna stop working? Absolutely not. No, if you have a binary that works, then that's fine. You are good, don't worry about that. Whenever a new version, so that's probably between, right, in September, or Android version. But I think they're a little bit more backwards compatible typically. Then how long will the Xamarin.Forms stack remain, you know, in Visual Studio so that I can keep managing that? Or at some point you're going to force me to upgrade to MAUI? So that's my question. Yes, okay, I understand. So the official communication is, I'm sure in the shows you've talked about the new release cycle of .NET 6. So .NET MAUI GA is planned for .NET 6, which is November 2021. Xamarin.Forms 5 is going to be supported a year after that, to November 2022, which means service releases, that kind of stuff, and whenever iOS comes with a new version, new APIs, they're going to fix that, so you can still alter here. Yes. So, but after a year you are kind of, like, forced, or at least, you know, there's no support. So whenever it keeps working on a version, great, but don't expect any support beyond that. But yeah, to your point, at some point Apple's going to break it, I guess, because Apple break routine, yeah. They broke you. Yeah, you hit the real issue, which is sooner or later Apple's going to break it, and after 2022 you're not gonna fix it. Yeah, that's kind of what you get, but it's open source, open source. If you feel like it, you can compile it, fix it yourself. So, but here's another question.
What if I have third-party controls or community controls in my Xamarin.Forms app? Will the try-convert tool also update those, or will those vendors or community contributors have to do their own conversions for their Xamarin.Forms tools, and turn them into MAUI tools? How's that gonna work? Good question. Good question. So maybe it's important at this point to say that I still love Xamarin. I've been at the Xamarin.Forms team for a little while. It's not my day job anymore. So I'm trying to keep up with all the stuff, so let me say that I'm not officially speaking for them, to be absolutely. But I think the try-convert, like I said, there will be, okay, so maybe back up a little bit. Xamarin.Forms, as it works, is it works on renderers, like we said. In Xamarin.Forms, whenever you say, hey, I want to show a button on screen, that is your abstracted button, to translate to a UIButton, which is an object for iOS, and an Android dot Button for Android, and that's done by renderers. So the renderers will basically take that abstract button and all the properties you've assigned to it and it will map that to properties for native iOS or Android or UWP or you name it. Those renderers are going away, because that fit the paradigm of Xamarin.Forms perfectly, with mapping all of the things to native controls. But now you see that, you know, people want that more unified design over different platforms. So that is changing a little bit. Also, the renderers were just that great to override, to customize. It had some performance overhead. So what they're transitioning to in .NET MAUI is called handlers. So it's still mapping, of course, the properties, but it's a little bit different with, they're stuffing some interfaces between them, which people seem to be happy about too. Other people are not. That's the way it goes. And that kind of also eliminates the need to have tied to MVVM stuff anyway.
I'm drifting off. To answer your question, they're going to try to be as backwards compatible as possible, because they know that there are a lot of Xamarin.Forms apps out there. So they're going to have some kind of compat layer or shim or whatever you want to call it that will take those handlers in .NET MAUI, kind of project that onto a renderer structure that was in Xamarin.Forms, and go from there. So if they pull that off, then all the third-party things and controls should work. But, you know, we have to see if that actually pans out. Oh, I see. So, interesting. So rather than require somebody who's written a third-party control to rewrite it using, you know, handlers, they're actually gonna try to stick something in there in between the renderer and the handler and it'll just work. Yeah, that's the hope. And on the other hand, the bigger vendors, and I think also, like, the open source community projects, they're in talks, in direct communication with the team, has always been very open, talking to them. Like, I mean, all the code is open source, so they can follow the progress and they can anticipate on that too. Interesting. Well, yeah, I can imagine that the native controls, the new model, will be more efficient. But if your existing app is working with just a shim, then at least you're not punished. Yeah, I also gotta think by 2022 there'll be improvements as well, like the migrations will get easier over time. Yup. Hopefully. Nothing trivial to do here. While you're witness, Richard. Why don't we take a break for this very important message. If you've had automating your ASP.NET deployments on your to-do list, now's a great time to give Octopus Deploy a try. The starter edition lets you install Octopus on your own infrastructure and deploy to IIS web servers, Azure websites, and pretty much anything from Node.js to Kubernetes, and they just made it free for small teams. Give your team a single place to release,
deploy and operate software with Octopus Deploy. Find out more at octopus.com. And we're back, .NET Rocks. So I'm Richard Campbell, Carl Franklin, and we're talking to Gerald about, again, the sort of, this evolution of Xamarin.Forms to MAUI. Why are we doing this? Is this about giving us access to more things, not just Android, iOS? That is definitely one of the reasons. I think so. As I've mentioned before, I think there was also, Xamarin was acquired by Microsoft in 2016, from the top of my head. It was a separate company. So it's always hard to integrate these kinds of things. And as much as I loved the Xamarin name and the monkeys, T-shirts, and all the crazy stuff that came with it, it was to be expected that it would be fully incorporated into Microsoft. And I think this is that step. And also, you know, the course that Microsoft is taking with .NET. At .NET 5 already, like, it's going to be one .NET again, regardless if you're writing web or desktop or whatever, and now also mobile. So that's going to be the next step. So it's just part of the strategy to have everything in one .NET, and that mobile is included in that as well. We've seen from history that Xamarin, let's talk about Xamarin.Forms at least, the main spear points were Android, iOS. UWP also, but you see Android and iOS is definitely the most popular ones, so automatically also that means that they get a little bit more attention, but it has been said the desktop will definitely get more effort now as well, so UWP, macOS even. We get that for free with Mac Catalyst. So exciting things. Yeah, it does seem like wpa is kind of an orphan, like, it's been rebooted so many times. But we've been looking for this. What's my, it's great that I can build something, it'll run iOS and Android, both phones and tablets. But what is the Windows desktop solution there? And I mean, I'd look at folks that have had success with React and Vue on that more than in XAML.
This XAML flavors have been so different. I mean, to me, it seems like the biggest thing now could do for, give us a unified XAML, one XAML to rule them all. Yeah, that is definitely something I've heard before too. So what I can see there is that they are talking, because UWP now also has the WinUI thing going on, and that's happening with .NET MAUI as well. That's going to be built on top of WinUI, I guess. It's definitely need. To be honest, I don't know why XAML unification is not happening. But yes, that is, they're moving closer to that, because we, and we being Xamarin.Forms, had a couple of properties that were named slightly different. And I think that's there to make it at least come a little bit closer. I can't promise that it will be exactly the same. But that is, like, you know, talking about try-convert and how hard it will be to convert your Xamarin.Forms app to .NET MAUI. There will definitely be some breaking changes, also in the area with the property names, that kind of stuff, which is hopefully, you know, it's painful at the time that it comes out, but hopefully in the long run it will be better, because the naming and that kind of stuff is more clear. I think the original reason was because it had a couple of naming things in there that would fit the mobile paradigm better than the desktop one. Right, yeah, yeah. Well, it doesn't mean, it strikes me that it's always better to start with the subset, with the smallest platform, and go up, than it is to try and cram the big platform down. But architecturally, like, you're talking about take the two largest client bases, and they're the ones who have to be redone in the new stack. Like, Xamarin's only been part of Microsoft since 2016. Windows has been around a little bit longer. Absolutely. But that being said, I'll link this in the show notes, like, when you look at the current stuff on WinUI, they're literally calling it Project Reunion.
Wow, this is not subtle. This is, hey, how about we have one XAML. Like, there definitely seems to be an effort towards a com-. Interesting thing is that it has been attempted with, what is it, XAML Standard or something, they call it. Yeah, the XAML Standard. Yeah, XAML Standard. Can we unpack the difference between, let's say, MAUI and what, just remind us what WinUI is or will be? Me? Take, Gerald, or you'll, me, at least you take it, because, to be honest with you, I'm not that familiar. So go ahead. Well, we talked to Ryan. He's to be two years, right, or a year and a half ago, about WinUI 3 when it was brand new, they were just getting started, and it came up again talking to Scott Hunter about MAUI in the early days of MAUI, before the previews and things came out, where this was sort of, we wanna define a new UI stack. The big thing that I saw with WinUI that was important, back in 2019 talking to Ryan, was that they were going to pull, it used to be that WinUI was shipped with Windows, and that had two problems. One is you had to wait for Windows updates to get a new version, but the bigger issue was if you wanted to use those features in your app, you had to make sure that everyone had that version of Windows. So it's really Windows-specific UI controls, if you will, or components, right? Yeah, and that's where they get into the new interfaces, like, it's very cool, it's beautiful, but, you know, I put my IT hat on. Listen, Mr. Developer, I am not updating the version of Windows 10 in the company because you want to use you. Ics. And so it's a stumbling block. And so when we talked to Ryan in 2019 they were talking about, hey, we're gonna start pulling WinUI out as a separate install, as its own SDK,
so it doesn't resonate with Windows. But then along comes MAUI and says, hey, how about this, we'll put an abstraction over top of WinUI so that you have a common design language, and yet your WinUI apps keep working, but you calling down dude if you work through now. And now if you wanna make a MAUI app that targets Windows and Mac desktop, I dunno, Linux desktop in that list as well, but I mean, if you wanna do that, you're not going to be doing WinUI-specific stuff. Maybe you are. I don't know. I know that the project looks like one solution, and then you have a Platforms folder and underneath that each platform and platform-specific stuff in there. But I don't know how WinUI kind of edges itself into a MAUI app, if it does, or if it's just outdated now. So I think that's going to follow the same pattern that we've seen now, like, you know, WinUI is just overall, .NET MAUI is just to map to WinUI things. But yeah, that's an interesting thing that you mentioned, that's also going to be single project. So now if you look at a Xamarin.Forms application, you have the shared library where you want to have all your code. For some things, if we come back to, you know, I need to know something about the platform, there are features that are very specific to, name for instance Apple Pay. That is, it will need custom code for your native platform, so you will come back at some point. If you have a little bit of a bigger application or enterprise application, you're going to have to write something that is specific to a platform at some point. But yeah, with the single project, that's going to be very interesting, because like I said, you have the shared project right now and then you basically have kind of like the bootstrap projects for all the heads for Android, iOS, UWP. To answer your question for Linux,
I don't think that is something that is targeted primarily. But the interesting thing is Xamarin.Forms has a couple of these platforms that are contributed by the community, like WPF, GTK, so running on Linux, Tizen, which is very cool, the Samsung. They're very active with, like, following up with PRs for all the bigger features. So I think the primary focus is, like I said, iOS, Android, UWP, macOS. So that's what we will, but it's now going to be a single project. So like you said, you're going to have all the resources, that's the big thing in this story, I think. So your images, because if you've built an app then you know that you have to supply images in all kinds of shapes and forms and duplicate that times three for all the resolutions, times two for Android and iOS. It's a mess now. They have a solution. But you can do it from a single project, you just add your images, and I think it will also even figure out all the resolution things that it has to generate, so it will do all that for you. Like your fonts: you will just have a single font file in your application, and because of the multi-targeting, it will just figure out, whenever you say, hey, I want to run my app, it will take all the bits that's needed for iOS, and for Android that, et cetera, et cetera. You'll just have the one project which holds all your code. It's pretty cool. I gotta say, even this far into the conversation, can't believe I haven't brought it up sooner, but, you know, I have a history with Xamarin.Forms, have been doing it ever since the first version came out, and have even done workshops in Xamarin.Forms, hands-on workshops at DevIntersection and other places. And every time that I would, you know, okay, it's time to spin up, it's been about six months, spin up Visual Studio and try to build a Xamarin.Forms app from there, for a while it was so painful. Yup. You know, it was like that when we did a workshop.
The first half of the day was dedicated to getting everybody working to Hello World. In the second half, once we got there, it was smooth sailing. So, say, the out-of-the-box experience of Xamarin today is awesome. Everything just works, and you guys, I don't know if you personally, but Microsoft has done a great job of making sure that that out-of-the-box Hello World experience is fantastic, and a lot of moving parts. Man, Xamarin is probably the biggest abstraction network tree in the whole of .NET. I mean, there's a lot of dependencies, right? And so that's, yeah. So I'll say thank you on behalf of Microsoft. Well, that's maybe a bit big, but at least the Forms team. But yeah, that's something that they've really tried to do. Because I think if you've ever tried it in the early days, the biggest pain that you have, every update of Xamarin.Forms would cause issues. You would have an, again, you would come back to, you know, to that platform expert. I want that abstraction, but you would have to dig through all kinds of Java, Objective, scary things. Whenever you got there, then it was smooth sailing, like you said. But that has been so much better. I think the cutoff point was kind of version three on five or something, where it got better with each release. Now you're up to five. Also, that's, I think, the most complete one, with a lot of controls added that a lot of people were waiting for. Right, so yeah, that was definitely something that was a pain point, but that's now solved. So listeners, get over your old pain and pull it out and just try it again, because it's really a great experience now. You know, I was thinking about, because it's all open source, there's no question that you could make a Linux desktop version of .NET MAUI. Not that Microsoft's committed to it at all, but there's no reason they could. The question is which desktop, pick one. There's a bunch, right? KDE, you know, like the, there's a few. Let's face it,
people don't use Linux for the UI, you know, they use, yeah, for the data, the desktops, and yet there are a bunch of somebody out there, they need that, it's totally doable. And the whole point of the .NET MAUI abstraction is that it should be reasonable to have a common set of interfaces that, you know, if you're going to Windows, yeah, it's gonna call through WinUI, but if you're gonna go to macOS, it'll be a different layer there, and there could be a different layer for KDE. It's interesting. I'm just fascinated by this idea of bringing back the client. You know, we've been living where the world with a client, especially for corporate apps, has been the browser, and still is the default, you know. Yeah. And does it make sense, if we have this unified environment, to have a native client deployed out? That's of course another route that's going to be very interesting, because there's also been, since a little while, the, how they call it, not that, Blazor mobile bindings, I think, where you can write Blazor kind of like in an Electron way, where you can write Blazor apps which is then wrapped inside, well, all the things Xamarin.Forms basically, because it's very close to that space, or .NET MAUI then, and that's absolute magic. I don't even know how they let off, because it also has, like, it with the native bits, so you will have a BlazorWebView, what they call it, I think, that's where you get all your Blazor stuff, but you can just as easily reference some element outside of that web view and it will incremental the phillies there. It's, that's magic. So that could be another route. So that's for Xamarin.Forms now. But they're taking that whole idea and putting it into MAUI. So if you want to build a MAUI app, for the UI layer, you can either use the new MAUI XAML, it's called something else, right? I don't know. Massive mammal, man. No, no. So you can either use that or you could use the Blazor model.
The Blazor component model is wonderful, especially for binding. Like, there's a whole bunch of stuff that you don't have to call property changed all the time. Like, the changes bubble up nicely. It's really gonna be very interesting. Once I get my hands on that. I can't wait. And it's interesting that you mentioned that property changed, because that's also something, like, I think that was another thing, another big point why they wanted to change the architecture, because it's now very much tied to the MVVM pattern, it being kind of how Microsoft does its things, but there is a big call for, like, you know, the other side, like the Flutters of this world or the likes of that, with, like, MVU, and I think the purists will not think it's MVU. But you have an initiative called Comet, which is, you know, does it more like composing your UI code. You can do that today, but I don't really like it. And so, you know, the new architecture kind of not ties it so much to the MVVM pattern. It can be MVVM, can be MVU, can be some kind of fluent C# syntax, whatever you want. And also it opens up the door to more kind of other backing mechanisms, like, you know, not just drawn by native but maybe also get some drawing in there, like SkiaSharp, and even drawn controls, which is not something, before people will go out and say, like, this is awesome, that's not something that is on the road map right now. At least, again, might be something that's picked up by the community. But this new architecture definitely opens up this whole new world of these kinds of things. There's also another one, I don't know, did you mention it? I can't remember the name off the top of my head, but it's a C# UI. Essentially you define all of the code with C#. Did you mention that? I didn't mention it, but that was what I was hinting on with the fluent C# UI syntax. Yeah, yeah, yeah.
Wow, cool stuff. Anything else that we need to know? No, go check it out. Like you already said, it's the most stable and complete version right now. So that's actually, maybe let's end on that one. Yeah, yes, the go-to now definitely, because another question that we get, like, to get linked with, like, is Xamarin.Forms dead, should I invest in Xamarin.Forms, learning that, while .NET MAUI john. Yes, definitely go do that. Because I hope, if you've listened to the rest of this show, that definitely there will be changes between Xamarin.Forms and .NET MAUI. Eighty, ninety percent of all the things that you will learn today with Xamarin.Forms is applicable to .NET MAUI. So that will not be an investment. I guess my question would be, you know, given I only have so many learning hours, am I better off learning Xamarin.Forms 5 or MAUI preview? That's interesting. That's interesting. Idea is, as we have these preview bits, and, you know, like, they're open source, you can ship them if you want, I mean, right? It's not like they don't have to go-live license or anything. No, that's, and I think this question depends on where you see yourself as a developer. If you are starting with this stuff, you want a full solution and see how all the bits fit together and how it all works, you should go with Xamarin.Forms, because that is a complete coverage. That is a solution that works. You can safely assume, which is going to sound a bit harsh, but that it's you, not them, whenever something goes wrong. It's, then, it could be anything. So we know what you're, the main thing is it can be, it could be you, like, mostly. Exactly. So, you know, and if you know what you're doing, if you are a seasoned Xamarin developer, well, you need to learn, but if you're, like, more of a seasoned developer, then definitely go check out .NET MAUI and you can. So, if I could summarize what you just said, Gerald:
it's, you'll be less frustrated as a learner with Xamarin.Forms 5 than you will be with the preview 2 of .NET 6 with MAUI, at this point in time. I would think so, yeah. Yeah. I mean, this will change, presumably by November, if not sooner, but at this particular moment it still makes sense to put your time in. It is. Yeah. So I think everything has been etched out in .NET 6 preview 2, .NET MAUI preview 2. You know, a lot is still missing, because they're now just making headway with implementing all the things. I think they're planning to release a preview each month. So from now until November, between six or seven more, so we know each one will bring you more and will make you happier. Yeah. But if you actually needed to ship an app, you know, I remember us building apps for Humanitarian Toolbox on the betas of .NET Core, and every build, and I think there was eight of them, broke everything. It took time. It wasn't dramatic breaks, but you have to stop what you're doing, can't build features while you go through and figure out what has changed and correct it all, and you go through that same experience with the preview versions of .NET 6. Like, it's not going to be easy. You'll spend as much time dealing with the next preview as you will building. Yes. Agile. That's going to be very valuable. And if you do that, please provide feedback back to the team, like, this is happening, this is my vision, how you can make it better, but you will have to have that mindset that I'm building with bits, so things are going to break. Yeah, communicate with the powers that be about. This is my takeaway, right? Like, you can't, you cannot create a delivery date on preview bits. You don't know what's going to happen. Well, on that, I think we'll wrap it up. Gerald, it's been great talking to you, man. We can come back and talk about anything you want, anytime. It's a pleasure talking to you. Thank you. As said, it's been a pleasure being here.
And I'll be happy to be back anytime. So let me know. All right. We'll catch you next time on .NET Rocks. .NET Rocks is brought to you by Franklins.Net and produced by PWOP Studios, a full-service audio, video and post-production facility located physically in New London, Connecticut, and of course in the cloud, online at pwop.com. Visit our website at dotnetrocks.com for RSS feeds, downloads, mobile apps, comments, and access to the full archives going back to show number one, recorded in September 2002. And make sure you check out our sponsors. They keep us in business. Now go write some code. See you next time around.
