Coding Blocks - Llama 3 is Here, Spending Time on Environmental Setup and More
Episode Date: April 28, 2024. In this episode Joe introduces us to more security items you should be aware of in the world of CWEs, Michael bends to the will of Joe and Allen in his favorite portion of the show, and Allen pontificates on the time spent setting up IDEs and environments. Reviews – Thank You! Upcoming Events Topics […]
Transcript
You're listening to Coding Blocks, episode 233.
Subscribe on iTunes, Spotify, and more using your favorite podcast app and leave a review if you can.
I've already unsubscribed.
What is this old school thing?
Look at that.
What is this?
Send your questions, feedback, and rants to comments at Coding Blocks and follow us on X at Coding Blocks.
And send your complaints and why we shouldn't do the old intro to Joe and Alan.
That's right.
That's right.
And we will promptly ignore those.
All right.
So with that, I'm Alan Underwood.
I'm Joe Zach.
And I'm neither of them.
That's right.
It's technically correct.
And tonight we've actually had a deep dive, uh, into the water cooler tonight.
Yeah, yeah, a deep dive. So this is a lesson all about how water coolers work.
That's right, that's right. We'll make this happen. Hey, but before we do that, we need for Outlaw to do some proper noun pronunciation here.
Okay, so from iTunes we have, uh, Vlad Bezdan. Okay, I got, I got like some weird face from Alan, like, maybe that's pretty good.
No, I think that's pretty good. Uh, Mom in Virginia and Make. And then from Spotify, we have Chutney3000 and Zenith.
Zenith?
How do you get Zenith out of there?
Oh, did I?
Are you kidding, right?
No, I was kidding, yes.
Okay, I was like, dude, we need to take him to the hospital.
But I don't know.
Zerath?
No, that's probably wrong.
No, that's pretty close.
Yeah, I think that's it.
Yeah.
Vlad didn't like us, which, you know, hurts us a little bit.
But, you know, the other people seem to, so we're pretty happy. So honestly, the, like, uh, X, the only name I can think of that starts with an X
would be like Javier.
And that has like an H kind of sound.
That's why I, well, yep.
That doesn't count.
That's a letter.
Uh, professor, professor Xavier.
Yeah.
Xavier Javier.
And if you say xylophone, it starts with an X.
X is Z, man.
Okay, so then you're saying I was probably not too far off.
Okay.
I feel a little bit better then.
Fine.
Yeah, man.
Yeah.
I was trying to just give up.
You know, yeah, whatever.
Yeah. So good, good stuff.
Do we have any news?
Was there any, like any talks or anything coming up?
Anything like that?
Just boomer hour coming up.
All right.
Sweet.
Okay.
I like things.
Isn't Atlanta Code Camp coming up?
I think October, September, somewhere around there. I don't know. We need to look at that again.
Be fun to go back. That was already coming up. It was, uh, September 7th. Okay, I was wrong.
So yeah, after the summer, so it's a little ways off. But, but yeah, we'll, uh, we'll get some information in there here soon.
All right. So with that, some, some random topics. So first I want to mention OpenTelemetry again,
because we did a whole series on it and it's something that, that I think is actually pretty
important: tracing and logging and metrics and all that kind of stuff.
But one of the things that I don't think that we probably dove deep into and, and probably didn't even realize when we were talking about it is you can put, you can set all this stuff up in your
applications, right? Like you can set up the open telemetry tracing and metrics and everything in
there. But if you don't have a good backend that allows you to visualize that stuff,
well, it's kind of not going to be super helpful, right? Like we saw, we saw some stuff or I think,
uh, I don't know if all three of us were on a, on a call where we'll watch some of this today,
but like certain vendors have really good visualizations and backends for this stuff, like Splunk. Uh, Splunk
was one of them that has a really nice, uh, visualization tool for looking at the traces,
that kind of stuff. And Google and, and GCP, looks like they've got one that is, is pretty good, and
it sounds like they're spending more time, uh, building onto that so that, so that
people can use those visualizations. But I did want to call, say again, Datadog's got a good one,
which, that's actually who I thought of when, when this was first being talked about, was I would
imagine that Datadog's got an amazing one. Um, that's what they do. Right. Yep.
But,
but I wanted to bring that up because if you,
if you just did all this stuff and you didn't have a good back end to be able to visualize it and see that stuff,
like the,
the key part of open telemetry that is so amazing is you can go look at your
traces or your metrics or whatever.
And then,
and then you can drill into something from that,
right?
Like,
so you have a trace, you see a problem, you're like, all right, well, show me the logs
that were associated with this and it'll take you to it. Right. So it's this whole navigating
that, that data in a way that makes sense, because the whole reason you would even use
something like open telemetry is so that it's not what you typically do. If you don't have a system
that's using these.
It's like, okay, I see some metrics on a dashboard.
It looks like, you know, request spiked here.
Let me go look at the logs and see what's in the logs.
Okay, I see some stuff in the logs, but that doesn't make a lot of sense.
Let me go search these logs for something else, right?
And this sort of helps guide you down the path instead of you having to go piecemeal everything together.
I have an announcement to make.
Uh-oh.
I now call it OTEL.
Did they rename themselves?
So I've noticed that being bandied around a little bit.
And I checked and it's true.
It was an isolated incident.
That is something that people refer to open telemetry as.
And I get it.
I don't want to spell that.
Yeah.
Or say it.
I mean,
it's a mouthful.
Yeah.
Anyone who has ever used Telepresence has aliased it like the next day.
The tool is the worst thing to spell.
TP.
Yeah.
That's the way to go. And, and OTel. So now, welcome to the club.
Welcome to the club, everybody. Very nice, very nice. You've brought us up into whatever year this is now, 2024. We're up to speed. Is it really? There are times, you know.
Oh, hey, so there was actually something else that was said during that, um, talk that we saw that I thought was really cool, and I hadn't really thought about
it before, but it makes total sense. So when we were talking about the OpenTelemetry pieces, right, like
there's the, the client code that's going to run with your app or whatever, and then there's this
processor in the middle to where you can sort
of, you know, massage the data or do whatever you want. And then you can also route it, export it to
the backend server that's going to be your visualization and all that kind of stuff.
Well, one of the things that was brought up is if you've already got metrics in place,
like if you're using Prometheus or, you know, any other
number of tools out there, and you want to sort of dip your toes in the water, you could do that
by basically using the Prometheus stuff that's there and use that middle processor part to then
route that stuff so that you can have it routed to another place while it's still doing the old things. Right.
Like, so it's a way to where you can sort of modularize this thing and just
use bits and pieces of it as you have time to get into it.
So you don't have to go whole hog into the thing and, you know,
update everything to where it's all using, um, OTel. Um, yeah,
there you go. OTel. And by the way, I hate this.
They call it, um, uh, OTLP.
Yeah.
Instead of OLTP, you know, so we've done relational databases forever.
OLTP versus OTLP.
At any rate,
using their protocol so that you,
you can actually do some really cool stuff without having to go all the way in on
it and spending a ton of time. So I thought that was pretty cool. Did you know that Docker has
support for OpenTelemetry?
I did not. As part of a build or buildx command? I did not. That's pretty cool, man.
I kind of assume like every cloud product has support for it now. It's like, it's like the standard. But this is building?
Yeah, that's crazy. That's the cool part. Yeah, you could like OpenTelemetry your builds.
Yeah, I want to tell you, I'm trying to figure out like what would I need that for though, because I think of like OpenTelemetry as being able to trace a call through like a
variety of different systems, right? And I want to see that one call go all the way through the
stacks. I'm trying to figure out, like, okay, tracing?
Well, yeah, just, just also just plain metrics. So like if you want to have a Grafana dashboard about how often your, uh, builds fail, if the building
is increasing in time, like which team's build fails the most, you know, that kind of stuff, how much
memory the builds take. Kind of excited about like how could, how could that get worked in.
Yeah, that's, yeah, that's really cool. That is pretty neat. Hey, one other thing I want to bring up along
this topic that I think is, is something that anybody that's working in the cloud, especially
Kubernetes or anything like that, should be considering, is a point was made on that call
that a lot of people go off and do things themselves separate ways, right?
Like you put in your logging and then you put in your metrics.
So you might have Prometheus for one
and you're gathering your logs on something else your own way.
When you're working in things like Kubernetes in the cloud specifically,
there's a lot of tools that have sort of been built and made for those types of environments
to help you with this whole, you know, distributed computing type thing. And they mentioned, you know,
you should probably be taking a look at the Cloud Native Foundation projects to see what are out there.
Right. So we'll have a link in the notes for this.
I think we've even talked about this stuff in the past as well.
But basically, the CNCF, I think is the name of it.
They have tons of projects out there.
Open Telemetry was one of them that we've mentioned.
They have Prometheus.
We've talked about so many times.
They just tons and tons of useful things that help solve the problems that you
run into when you're working in,
in distributed computing environments.
I see another one of interest that now has access or, uh, support for OpenTelemetry: Strimzi. Oh, nice, nice.
All right. Uh, just so you know, it's, it's pronounced Kinkif now. Kinkif. All right, so
you bring us up to date on that too. Very good. And don't forget about my old friend Bigtable.
Oh, yeah, yeah. It makes sense. Like Prometheus, uh, it was kind of the king for a long time. Like
there's some overlap and the whole thing's kind of a big mess, but, uh, yeah, I, I really am happy to
see OpenTelemetry has kind of developed into like the one, the one to rule them all.
Huh. It was even added into Kubernetes in 1.27.
Isn't that crazy?
I mean, there's so many good things.
And again, if you look at the CNCF, man, they've got so much up here that it's there to solve the problems that you're probably already having.
They've got one here called Rook. It's cloud native storage. I've never even
looked at this thing before, but my guess is this is probably something dealing with storing blobs
around. And unfortunately they don't have a really good succinct thing here. Another: turns distributed
storage systems into self-managing, self-scaling, self-healing storage services. So it sounds like an S3 type of thing.
Another one near and dear, Jenkins.
Just when you wanted open telemetry in your Jenkins.
Oh, I thought you were saying that was the CNCF program.
Yeah, me too.
What, really?
No, I'm sorry.
I think Jenkins X might be. There's an OpenTelemetry ecosystem integrations page
that lists all the third-party integrations
that now support this protocol.
I guess that's what we would call it, right?
No, technically.
Yeah, they have their own protocol.
Yeah.
And so I'm like reading through
new ones and seeing ones that are catching my eye that I don't recall from previous, but maybe they
were there. It's so cool. There was one that I ran across the other day that I can't find right now.
I can't remember what it was, but it was basically certificate management for you
in Kubernetes. So instead of you having to do all kinds of crazy stuff, or maybe even
instead of having to go through something like a HashiCorp vault, it was made for issuing certs
for authenticating between services. Right. And I'll have to see if I can find that again,
maybe we'll, we'll bring it up on the next episode, but that's the kind of stuff that if you try and do that yourself,
it's going to be a mess, right? Like it's going to be an absolute mess. And knowing that somebody
was like, man, we got this problem where we need something to talk to Kafka and something to talk
to Elasticsearch or whatever. And they built that for you. That's, that's amazing. So that was fun. I, uh, I
looked up what the CNCF had for, um, for continuous delivery, and four years ago they had a, like a
radar graph, they call it, that has like a list of things that you should be assessing or that they
are assessing and things that they're kind of trying out and things they've actively said to adopt. That was four years ago.
I want to know what it is now.
I'm not able to find.
I've heard of Tekton.
I know Jenkins X is somewhere in there.
You're talking about their tech radars.
I've never even looked at these things.
That's similar.
I think we got away from it.
Are you thinking about like, do you want to look at the graduated
projects though?
Or the ones still...
I was just kind of curious what they had
in that arena.
I looked around a little bit.
I'm familiar with Argo. They do like the GitFlow
kind of thing. But I didn't think
they were really about doing the builds.
I could be wrong.
This one's called cert-manager. That's the one that I was looking for. I just found it on one of these tech
radars. So, yeah, I mean, all kinds of cool stuff here.
But at any rate, have you seen this? I don't know if this is what you were looking at, Jay-Z,
but I'm going to throw this link out here. landscape.cncf.io.
And then under Continuous Integration and Delivery.
No, this isn't a picture.
Underneath that, there's like a plethora of things for you to click on,
including Jenkins.
Not Jenkins X, just Jenkins.
Dude, check this out.
This is like an interactive chart of all their things.
Yeah, I had to click on the plus sign a few times.
Yeah, it's interesting.
I saw Flux was mentioned in 2020 as being in their adopt category.
And I am not familiar with it, but it's graduated. And it's an open and extensible continuous delivery solution for Kubernetes powered by GitOps.
GitOps Toolkit. That's still good.
But, uh, that, uh, I don't want to mess with that on my own time. Yeah, I mean, there's so much in here. I
mean, you could, you could spend the rest of your career just trying to figure out what they, what
all they have and how it works and what it does. But I, I mean, I was just going to say,
if you have a specific need,
check here before you roll your own.
Really?
Well, I was in that continuous integration
and delivery section,
and I noticed an old sponsor, Mergify, is in there.
Oh, nice.
Oh, cool.
Good to see. But I don't know that, do all these count? Well, what does it mean to be in
this page thing? Because like GitLab isn't a...
How, you can go to the, you can go to the filters and you can choose like, hey, I only want to see
graduated or incubating.
Yeah, these projects are not run by like this group. Like I don't understand. They have guidance that
they, there's like an application process, and if they accept you, there it is. It's a weird kind
of governmental type structure. I always thought it was weird that Kubernetes isn't in here. All
these projects are like backed by Google or, you know, various people. Like Helm was Microsoft.
So check this out, Outlaw. Kubernetes is in there under
Scheduling and Orchestration.
Oh, yeah, yeah. But that's not
the open source foundation that
guides Kubernetes. Kubernetes has
the Kubernetes foundation or whatever.
That's their governance model.
Check this out, Outlaw. If you go to the filters and you click the not,
or if you were to say, hey, show me just CNCF projects and exclude the not-CNCF, that list gets way smaller.
Okay, that makes more sense, because I was like, wait a minute, Mergify was a, uh, sponsor. Like, why would they be in there? But
okay, now it makes sense.
Yeah, yeah. So those are things that work in the cloud, but these aren't CNCF.
Like, right. But Kubernetes is a CNCF, so it is in the list, Jay-Z. But what's interesting is
if you click everything except archived there, it's a relatively small list. So you can see everything.
Like, oh, so you can see like all the active projects out there that are being worked on, and it's, it's a much smaller list. But it's still a lot. Like there's
a lot in there. So yeah, that's, this is a very cool page. We'll keep this in the show notes again. This
is the landscape for CNCF.
Hey, Longhorn Steakhouse is in here.
Wait, no, no, that's a different Longhorn. They do have good bread, and butter to go on the bread.
Well, now I thought that, I thought that Kubernetes had their own foundation, but, uh, maybe not. I don't
know. I can't keep it straight. But they definitely have a complicated, like, like whole system and
release schedule, and it deals with like who's in charge of what committees, and they
roll over every so often on the schedule. It's very complicated. It's also hard to keep up with.
All right. So the next thing I wanted to bring up, I saw this. So it's funny.
I've mentioned before, and I think outlaw has,
I don't,
I don't know if Jay Z's as much on social networks.
So he's probably more so than,
than me and outlaw.
Are you kidding?
He's the social butterfly.
He is the social butterfly.
I was,
he was.
All right.
So he dipped off of it too,
but like I,
I mostly don't get on Facebook,
but what's interesting is since Swint,
since must took over
Twitter and is now eggs, I've found that they'll actually send me some things in the mornings.
I don't know why, but in the morning I'll get some links to articles that I'm like,
oh, that's actually kind of cool. Um, and it, and it's things, uh, for things that I follow,
right? Like technology related type stuff.
And some of the things that popped up for me this week that were pretty interesting
were, hey, Llama 3. Like there were several posts that like, hey, Llama 3 has turned
my business around.
And I'm like, what is this?
So Facebook just open sourced and released Llama 3, their large language, um, model, right? And we've talked about Llama 2 in
the past, and what was cool about it is you could download it and use it for free, right?
As opposed to ChatGPT's or, you know, GPT-3 and 4 and all that kind of stuff. Like you, you have to
pay for that stuff. Um, Llama 3 is free. It's free for enterprises.
It's free for personal use.
It's free for however you want to use it.
You can download it and do it.
And I'm not well-versed in AI stuff.
Like what some of it means, like they talk about, they have this 8 billion token thing
and a 70 billion token thing.
And then they have these,
these grids that kind of show how well they do in various tests.
But the one with 70 billion tokens does extremely well.
And a lot of these tests,
like I think Jay-Z had mentioned the,
the site that had all the,
like the grids and stuff where,
where people ranked or what, or where these tools ranked. And this is pretty good, like really good. So if, if you want to play with this
stuff, like there's not a better time. You should hit up llama.meta.com/llama3.
We'll have a link in the show notes, but get your feet wet,
mess with this thing.
There were people posting on X about this,
and this is what I thought was super cool and interesting.
There were people saying, Oh,
I'm running this thing on a raspberry pie and doing some cool stuff.
Now is it going to be super fast?
I doubt it.
You know, and they're probably not using the 70 billion
token one but but the fact that you can do it on something that cheap and expensive and accessible
is pretty awesome yeah it's pretty nice to have like a calculator one pocket for doing math and
then something else in your other pocket for doing poetry i mean it's insane dude it's absolutely
insane and people are saying that this is a legit step forward.
They're saying that this is as good and in some cases maybe even better than GPT-4, which, you know, at least when it first came out, I know everybody was singing praises of it.
I know that, Jay-Z, you said that it's sort of gone downhill a little bit.
But that's pretty amazing, for free. Yeah, yeah, that's great.
Interesting times. Yeah, yeah. Uh, now when you first heard though, like even the first version of Llama,
did, did, was there a little bit of part of you that was thinking like, oh, I need the Winamp player?
I wish, I wish. You know, I saw a llama the other day. Like, uh,
sometimes you'll see them like on farms, whatever. But, uh, no, you don't. I was hanging out in a parking
lot and a couple llamas walked up.
No way. What parking lot? What's the punchline?
Yeah, it was the Paulding County Chamber of Commerce, and Outlaw, you had just left. You were, you had been there minutes earlier. You're being legit?
Like, I have a picture. Like, uh, I was sitting there after a bike ride messing with my phone,
about to leave. Everyone else had just left, and there was one other car in the parking lot, and
a big van, and it likes to tie you into something like llama something, and all of a sudden a couple
llamas, like, come walking up and they get in the van. It's the craziest thing.
That's amazing. I have a picture. I don't believe this, and I won't even
believe the picture, because I will believe that it was generated.
Yeah, hold on a second. I think you might believe it, although, yeah, I forgot to mention it.
Oh, that's convenient, you forgot to mention it. And, oh, I just left. Oh, yeah, so convenient. I mean, let's just go ahead and jump
straight into Boomer Hour, because like he's expected, you know why he's expecting me to fall
for this? Because before we were, before we hit record, I was sharing some videos with the guys
that I am so disappointed in myself for having fallen for, because I saw it just randomly. Like YouTube came up with these
predictions, and one of them was about this crazy long truck, and I know that in some countries like
they, they will have more, uh, you know, like they're like what we would call like a tractor trailer,
or, uh, you know, I think the British would refer to it as a lorry. I know that from Top Gear. Um,
that, you know, like we would limit it to like a,
you know, more than two trailers, right, on the back of it. But, uh, you know, in some countries you see
where they'll have more than two. So I saw this one that was like, you know, I don't know, it looks
like a dozen, and I'm like, what is that? Is that real? No, it turns out it was just like the graphics
were really good and it was from a game, and I fell for it. And I'm so disappointed in myself.
And I thought, you know, like, hey, how can I better that disappointment?
Let me share that with the world and embarrass myself in front of the world.
Yeah.
So, yeah, that's why he thinks I'm going to fall for this picture that he, oh, I can't find it.
Let me.
So, like, you see his head down.
He's like, he's busy.
ChatGPT, do this. I don't remember what it was. Um, but anyway, um, while I'm looking for that, uh, I will mention that I do have
another picture I've been meaning to share, sharing in the pet picture channel of, uh, Coding Blocks Slack,
and another animal, uh, you know. So I moved back to Georgia. Loving it. It's great, fantastic. And then all of a
sudden there's a two-inch scorpion in my bathroom.
Oh, yeah. What's that about, y'all? Yeah, that's not a friendly pet.
No. Hey, so I have a question for you guys, and this one may be a little bit controversial,
but I thought it was pretty interesting. So this came, came up on, on one of the Joe Rogan podcasts.
He was, I don't know what was said, but he kind of goes off in all kinds of directions all the time, right?
But somebody was saying something about, it might've been electrical cars or something.
And he just went off on this tangent of, you know, oh, electrical cars are going
to be better for the planet, but they're not, and there's not a charging ecosystem, blah, blah, blah.
Well, all that aside, what was interesting, he's like, what about AI? Like this stuff is, is eating
up more electricity than probably most of the cities in, in, in this country. But, you know, got to get rid of natural gas,
got to get rid of this, got to get rid of that. But AI is quite literally, how much compute processing
and how much electricity is actually used to run that stuff? I have to imagine it's an insane
amount to do these models, right? And so I thought it was a legit, valid, um, counter to, oh, we have to
be green, but then we're pushing towards these technologies that require tons and tons and tons
of electricity and processing. So I don't know. What are you guys' take on that?
Well, this goes back to, um, I think that I remember hearing about like years ago.
I'm trying to see if I can find it now where Google had different data centers around the world.
I believe it was Google.
I could have that wrong, but I'm pretty sure it was Google.
And one of them they'd specifically located in like a colder region of the world where, so that they could pump the water from,
I think they were on an ocean.
I think it was on an ocean.
They could pump that out of the ocean to use to,
to cool things in the data center and then put it back.
And I'm like,
that sounds great.
Like,
yeah,
it's totally efficient for your needs.
Right.
But you know,
like what's the impact that that's going to have on, you know, everything else?
Like you're kind of like heating up the waters, aren't you?
Like literally heating them up.
Yeah.
You know, and I think there was another one where like, I think I recall another one where Microsoft had one like that was on a barge or something.
Like they tried that once before too.
I'll see if I can find the links.
But yeah, I mean, that kind of stuff is really interesting.
Like we as developers, we as people that are in technology, like we love this stuff, right?
Like we love how things are getting pushed and all that kind of stuff. But, but seriously, like there's a whole lot to, to doing AI models,
right? Like there's a whole lot of compute that's being used on this stuff. So I don't know. It
seems like at some point, do we end up making processors that are just way, way, way, way, way more efficient? Or like what's the path
to making it to where things like AI help as much, if not more than, than they may actually cause
problems?
Geez. Uh, I, uh, I, I'm not a huge fan of the question because it makes me feel sad.
But if you think about like all the
power that goes into like powering like things that I don't need but I do anyway, you know, like,
like we talked about social media, like how much time I spend watching like stupid, uh, YouTube
videos or like Facebook, like how much power, like, you know, that I'm melting the, the polar ice caps
so I can like watch some, you, you know, this kid fall down or
something in his driveway.
It's crazy when you think about it, right?
I mean, I guess at least though, if you're thinking about something like a video, right?
Like sure, there's some processing that happens when they're first uploaded, but for the most
part, you're just reading something off a disc after that.
So there's not a ton of processing going on, but to compute these, these large language models. Oh yeah. Right. Like these things are running how many hundreds of computers, changed it or whatever. But, um, and I did see some, there's like reports that I just read where like Microsoft was
trying to reduce its use of water, and even in this one from Google, on one of their blog entries, I
found it interesting that they specifically call out Georgia, because they say that where possible
they're trying to be responsible about their use of water
to cool their data centers.
And where possible, they don't necessarily have to use fresh water,
so they'll use wastewater.
And they talked about here in Georgia, in Douglas County,
one of their data centers,
they use, by recycling local municipal wastewater that would otherwise be deposited
in the Chattahoochee River. So this is why you don't go swimming in the Chattahoochee River,
apparently. Or any river. Yeah.
So, so check this out. I found this site, nnlabs.org, who knows how legit
or non-legit they are, uh, but I mean, they got some information here that's
somewhat interesting. It says, according to OpenAI, GPT-2, which has 1.5 billion parameters, required
355 years of single processor computing time and consumed 28,000 kilowatt hours of energy to train.
In comparison, GPT-3, which has 175 billion parameters,
required 355 years of single processor computing time
and consumed 284,000 kilowatt hours of energy to train,
which is 10 times more energy than GPT-2.
BERT, which I haven't heard of,
which has 340 million parameters,
required four days of training on 64 TPUs,
and consumed 1,536 kilowatt hours of energy.
So all that said, it's a lot of energy, right? Like it's,
I don't know. I just, it's, it's one of those things. Like I I'm, I'm probably the last person
anybody would ever call a tree hugger. Cause I like Jay-Z, right? Um, I'm going to cool my house
with my air conditioning and I'm going to do other things, but, but there, there are costs behind the scenes that, that we typically don't think about. And
it's, it almost seems, um, careless to go crazy with stuff that we have, you know, I don't know.
It's, it's a bizarre, and it is a sad question. Like you said, Jay-Z. I found,
I found the Microsoft one that I was thinking of and it's from 2020 and it
was,
the title is Microsoft finds underwater data centers are reliable,
practical,
and use energy sustainability,
sustainably.
And, you know, again, that's where, like Jay-Z said, it makes him sad. But I'm kind of like, okay, yeah, I could see how that could definitely be good for you, right? That works for you. But it's like, if the entire world decided to go this route, right, aren't we literally not being, you know, eco-friendly then? Because we're like, or, you know, maybe somebody would tell me why we're not actually heating up the oceans, but whatever. You know, it seems like a bad idea, right? On the surface it feels like a bad idea.
I mean, I think we've talked about this before. There was somebody who had the brilliant idea, and it seems brilliant on the surface, that this is the Sahara, like, what better place to put a solar panel array than the Sahara, right? Like, there's lots of sun, it's there all the time, let's use it. Apparently they did that, and I don't know how many miles of it they put out there. Again, I'd have to find the article, but what they found is it created these little, uh, microclimates that they didn't anticipate, right? Because you have a bunch of black panels that are absorbing the sun, but they're also reflecting heat in a way that had never happened there. And it was creating these odd, odd climate patterns. And so everything we do, no matter how big or small, has some sort of ripple effect somewhere. And, as much as I love what AI is doing and how it's pushing things, it's crazy to think how much power. And it's the same thing with Bitcoin, right? Like, I have a hard time getting behind something where people bought up tons and tons and tons of graphics cards to just crunch numbers all day and eat like hundreds of watts of power to mine a thousandth of a Bitcoin.
Well, you started some of
this conversation talking about electric cars, or, like, just tangentially, how he started. Yeah, yeah. And, but, you know, like, a friend I have this debate with. You know, he says he thinks that electric cars are the future and we should go electric. And I'm of the opinion that, to me, a full electric car is the opposite end of the pendulum from full combustion, and I think that in the middle there, the hybrid type of approach is the lesser of, you know, it's not all of the problems that go along with electric, it's not all of the problems that go along with combustion, and it just seems like it makes more sense. Now, I drive a combustion engine, but, you know, it feels like the right answer isn't, like, hey, let's go extreme on one, on the opposite side, right? Like, that never seems to be the correct answer to me.
I tend to agree with that too. Like, it feels like there's probably a middle ground that hasn't been explored as much, or far enough, that would give you the better of both worlds,
right? I was a little sad, though, to hear, to learn that Toyota, you being a car guy, you might know this one, but Toyota, they stopped the sale of their, um, the hydrogen car, is that what it was?
PowerPoint? Wait, I know they had worked on one, but it was really slow, and that's why it never caught on, a lot of popularity. But I heard that they were also cutting back on the full electric, like, they're like, we're done with this full electric thing. Toyota is, like, only hybrids.
Or I thought they're like, yeah, yeah, it was the, the Toyota, I don't know, man,
why am I trying to pronounce another proper noun? Mirai?
I think I'm going to say the hydrogen car, they,
they have, it's been, it's been in development and been sold for years.
And, and I didn't hear anything. I didn't,
I haven't read anything about it being slow, but they,
they're going to stop selling it from,
there was an article that I read probably on like Jalopinic or something like
that.
I don't know if you read that one,
but for sure they,
they,
they are going to stop selling it because they,
it was only available in California.
And that was because the infrastructure to put in place to be able to refuel a hydrogen car was, you know, not rampant. So, uh, you know, it just wasn't going over well, so they were going to stop selling it.
Yeah, it says the first generation never cracked 2,000 sales.
It's sad, but if you don't have a good amount of infrastructure in place, everything's sort of dead on demand, right? Which is kind of what Tesla pushed forward
is they were like, hey, we're going to put charging networks all over the place. And if
you buy this car, we're going to give you free charging. And that kind of kickstarted it. So you
have to have somebody willing to do that. But I mean, it's a major infrastructure cost, right? Like, massive.
To hope that somebody adopts it.
Right.
You know, I mean, if we all lived closer to a city, sure.
The cool thing about that Toyota car, though, was that its exhaust was water. Right. And you could fill it as fast as you could a, you know, a gasoline or diesel engine, you know. Yeah, it's pretty cool.
So yeah, those were the random topics that I found that I thought were interesting. Again, you know, getting off the, you know, is it harmful for the environment, the fact that Facebook or Meta has open sourced this. And if you want to mess with AI, like, yeah, don't fall behind. You've got the tools, you've got everything you need to go out and play with this stuff. And there are companies being built only on these tools, right? Like, there are so many startups out there that are like, oh, I have a good idea for using this AI thing. And, I mean, there's probably a million companies that just went to YC to try and get funding by using these free tools.
Yeah.
Yeah.
All right.
Well, thanks for listening to engine blocks.
That's right.
No, just kidding.
All right.
Well, if you too would like to leave us a review, we would greatly appreciate it. Uh, you can find some helpful links at www.codingblocks.net/review, and, you know, one star or up, you know, whatever, uh, we'll take them.
And people listen to that.
Ella.
What I like about a one star review is that it makes another five go down into, like, a two and a half.
That's what you like about it?
No, I meant to say I hate about that.
I hate about that crap.
I appreciate it.
I always get those things mixed up.
Apparently.
So with that, we head into Mental Blocks, my favorite portion of the show.
So what is this? This is episode 220. Okay, so according to Techo's trademark rules of engagement, Alan, you are first. Your categories are: above, below, or intersected by the equator. So I think that's basically anywhere on the planet.
That's what it sounds like, yeah. But I'll give you a country and you'll tell me whether it's above, below, or right on the equator.
Next one, fix the movie quote. I already know Alan's going to skip that one. But given a famous movie quote with one word changed, you give us the correct word.
Wow.
Your next one is pride and POTUS failing history,
name droppers or mixed greens.
And these are all anagrams of green things.
Wow.
It's two mixed greens for three.
Wow.
I totally thought you were going to pick the equator one.
I was almost going to do the movie quote one for three.
Let's do that. Cause you don't believe in me.
I'm going for the movie quote for three.
Let's do it.
Okay.
This is going to be bad.
Patrick Swayze says nobody puts Jay-Z in the corner.
Baby.
What is baby?
Baby is correct.
Look at me getting one.
Yeah.
That actually worked out so amazing that it was Jay-Z.
Yeah.
I didn't make that up.
You didn't make that up?
No, no, no.
It was legit.
That was legit, the question.
But I did misstate the quote a little bit because I said in the corner,
and it's in a corner, but whatever.
You still got it.
All right.
Well, Jay-Z, you got your work cut out for you.
Okay.
Your categories are libraries; oh brother; sneaker brands, you'll have to name the brand that makes each of these styles; American bridges; the Nobel Prize; and lastly, by the numbers. And Jay-Z,
i'm just going to go ahead and tell you,
you kind of got the shaft on this one because I think that all of the easy topics.
Why Alan only went three, I don't know.
Well, I mean, it was movie clothes.
Yeah, I mean, I can only think of one library, and it burned down.
Oh, brother.
Sneaker brands, I mean, that's not me. American bridges, I could think of two, one of them's in London. Nobel, Nobel Prize, um, by the numbers. I wonder what by the numbers is.
Is that the one you want?
Are you willing to find out?
Geez.
I mean, probably not.
But I don't think I'm going to be able to do sneaker brands.
So let's go by the...
Wait, did Alan get the question right?
I did.
It was a three-pointer?
Three.
Yeah.
Yeah.
Three.
All right. Let's just cover a tie here. Let's go for three, by the numbers.
All right. Geez. Okay, it's safe. You don't need perfect vision to ask this trucker-inspired version of the question "Where are you?" So they want to know the number.
Sorry, can you read the question again?
You don't need perfect vision to ask this trucker inspired version of the question.
Where are you?
I know this.
I know the number.
The number is 20, but I'm trying to remember what the question is.
I'm surprised you gave even anything that would be on your mind.
Like, what's your 20?
What's my 20?
Bingo.
It's what I want.
What's your 20?
What's your 20?
Okay, I'll take it. Come back, Bandit. What's your 20? That was
hard. Hey, can you tell me real quick if
number three in libraries was Alexandria?
That one
was the
initialism of the
New York Public Library is
NYPL.
As an acronym, some enjoy pronouncing it like this body part.
I don't know.
The nipple?
You said it.
You said it.
NYPL.
What's it going to be?
I just wanted you to say it.
The funny part, though, was, like, I wish the camera, I wish I had a screenshot of the puzzled look on Alan's face. Like, really? They said that? That was the answer?
Yes, I already got it.
All right, you're back up, Alan. Yes. The categories are Fungus Among Us; Old Pop Music Had Some Vowels, E-I-E-I-O.
Each correct response here will have all these vowels, E-I-E-I-O, in that order.
Whoa.
Please pick that one. Foods named after people.
Sculptures.
Sigmund Freud.
Please say anything but math.
These will all be responses you can make by changing just one letter in the word math.
I like that one.
That's pretty cool.
Let's do math for five. Oh, this could be bad.
This number is the measure of an aircraft's speed compared to the speed of sound; the Concorde's was...
What is Mach? What is Mach?
No, I'm not done with my question.
Sorry, sorry.
This number is the measure of an aircraft's speed compared to the speed of sound; the Concorde's was as high...
Oh, I see, this was a different part.
The Concorde's was as high as 2.04.
Yes. What is Mach?
No, that's a razor. Yes, it is Mach. Yes.
Look at me. Jay-Z, Jay-Z, you got an impossible task here, my friend. Um, all right, you're gonna go ahead and submit your, uh, wager to me.
Each of you send it to me individually.
I only got two questions.
I got one question. Is that how we always do it?
Yeah, it's crazy. You should get one more.
I think you should get one more before we go into the final
here. I think we should modify our show.
We've never done it that way.
If someone does two fives, then I could never win.
Yeah, you couldn't.
That's your stupid fault.
All right.
I mean, I'm good with it.
I don't think you are.
You brought it up.
I've never noticed this before.
Give him another one.
Give him another one.
Any of those 15, no, 18 categories I've rattled off.
Any of the 18?
Yeah.
I don't even remember what they were.
It was pretty fun.
I got that one right.
Hold on.
I actually wrote them down earlier.
Oh, no.
I only wrote mine down.
That was terrible.
All right.
Let's go with the math one.
It seems like cheating.
For four.
For four.
Well, I mean, you're still going to be up the creek, even if you got that one.
Yeah, that's fine.
Okay, that's fine.
I'm not out of the creek, though.
This one isn't going to work, though, because that's a visual one.
Ah.
All right, so you got to pick something else.
And you want five.
You want to be able to get up here with me.
Yeah.
All right, well, can we do by the numbers?
Do you need me to tell you what the categories were again, real quick?
No.
Oh.
You said by the numbers for five.
Oh, by the numbers, five. Or five? Yeah. I got it. Come at me, bro.
It's the number Gordon Ramsay might bellow to announce he's removing an item from the menu.
Uh, the only thing I can guess is 86, but I'm not sure that is correct.
All right, good, man, because I got the pillow back there.
Now I got to change my wager.
Okay, so send me your wagers.
All right.
How much I got? So Alan, you said you were going to change yours?
Yeah, I'm changing mine. There it goes.
Okay, and there's your new one.
We're doing it in the tabs, right?
Just send me
a direct message. Okay.
Hold on. Hold the phone. Well, not in response, not in phone. It could be. Well, yeah, but you sent it as a, in iOS. I meant, like, in, like, chat here.
Yeah, chat, like here. I'll ping you here. I don't know how to work this stuff.
All right, we've passed boomer hour. It's always boomer hour. Oh yeah, okay, I've got, I've got another one for boomer.
All right, so I've got your two wagers, and here is the category: tween lit.
Ah, yeah, boy, let's go.
I've never seen him more excited
referring to the lengthy title
of her much discussed
novel this author lamented
that she didn't call
she didn't just call
the book Margaret
you better not know
this. That's ridiculous, man.
Referring
to the lengthy title
of her much-discussed novel,
this author lamented
that she didn't just
call the book Margaret.
I spelled it wrong.
Do you know this?
Of course.
And just to be
clear, we're looking
for the author. This
author. Oh, crap. Hold on.
Hold on.
Just to be fair.
I don't know if that's right.
Okay.
All right.
There we go.
Let's go, Coding Blast.
Let's go.
All right.
Here we go.
So Alan wagered six points, and Jay-Z threw it all online.
Eight points.
It is a tie game at the moment.
Eight to eight.
All right.
Oh,
I guess we got to do our,
uh,
redo our math here.
Cause somebody won't be,
it won't be tight game for a minute now.
Yeah.
Okay,
here we go.
So,
uh,
it's a tie game.
Eight,
eight.
So Alan wagered six and said Smith. Pretty good, pretty good guess, you know. The one, that one.
John Smith? I don't know. Sure.
Jane Smith?
Okay.
Smith.
You know.
So that leaves him with two points on the board.
Pretty good.
Jay-Z, who wagered eight points, said Judy Blume.
And Judy Blume is the correct answer.
What the world, dude?
Although I did kind of get it wrong because I said the title of the book first.
That's why I wanted to be clear. Well, because I wasn't sure if Alan was going to do the same thing.
So I thought, like, okay.
If only the question asked what it wanted to hear back.
If it only told you what you're supposed to respond with, it'd be so much easier.
I don't get it. What, what is... That's ridiculous, man. Like, how do you know that?
I don't know. Book it. 1992, something. What year did that come out?
It's Are You There God? It's Me, Margaret.
I'm thinking a movie or something. I haven't even heard of it.
You thought there was already...
I've never heard of it.
Oh, 2023, 2023. Yeah, it just came out
recently.
I'm now
on a three-game losing streak.
This is rough. I read all those books.
I loved Judy Blume back in the day.
Never even heard of her. I would have
owned this movie quote category, though.
I think I'm pretty good.
One of
them is from Tom Hanks, says "Flavortown, we have a problem." Uh, the other one was Brad Pitt, says "The first rule of chess club is you don't talk about chess club." Uh, the fourth one was Judy Garland, says "Lions and tigers and labradoodles, oh my."
Okay, I'd have gotten all these.
And the last one is Ice Cube in the 1995 movie Friday, "Bye, Amnesia."
I would have gotten every one of these. Wait, who was the last one? Who was it?
Felicia.
Ah, right. Felicia.
Yeah, that's killer.
All right.
Well, engine blocks is done.
Yep.
All right.
So I had one more thought here.
I got one too.
I was starting to work on some Python code.
Sorry, before you go there, I had one more off-topic thing.
Oh, okay. Please.
I sent the picture of the llamas.
Oh, you sent the picture? No, he did. Yeah, he sent... What?
Okay, let me describe this picture. I got this picture, and it looks like there's some little toy figures on his, actually, I think these are micro or mini figures, minifigs, that Mike RG sent you that you've glued to your dash. That's what it looks like, some little minifigs.
I mean, you don't believe it? I'm telling you, I was sitting in my car. You can actually see text messages from my wife, you can see "maintenance required" on the car, so you know this is, like, legit, right? And I'm sitting there, Outlaw drives away, and 30 seconds later some llamas come out of the woods. And I didn't, uh, you know, it's impolite to take pictures of people, you know. So, uh...
Or, you know, you did it anyways.
So I did it discreetly. I was just like, oh, I'm just playing on my phone here, snap. So it's not a great photo, but, uh, that's literally what it is.
That's amazing. Tell me that doesn't look like some minifigs.
That looks more real than the 12 trailer truck.
Oh, come on, get out of here. All right, we're back on boomer hour for a minute.
No way. No, I call shenanigans.
No, I think, no, this looks, I mean, if I'm being completely honest, this looks legit. I mean, there's a port-a-potty in the background.
But I'm saying, like, when you had to click on, before you clicked on the image, like, you just saw the image in the chat.
Yeah, it looks like some minifigs glued on it.
Okay, thank you.
For sure, for sure.
But if you actually, like, click on the image and look at it in full zoom, like, you can see the dust on the windshield.
You can see it all, and you can check the EXIF data, and you will see that it lines up with the time in the photo and the location of the Paulding County Chamber of Commerce, and it will have been taken on a day that we went on a bike ride around that time.
I'm not gonna see that data in the chat, like, it's not gonna show me that.
Yeah, you gotta cyber-sleuth it. You gotta do the forensics.
This is already too much work. That's fine, I believe your stupid llamas.
All right, the llamas were legit, just so you know. I don't know, I don't know. We probably didn't, there were a couple people with them. I did leave that out so it makes it sound a little bit more fantastic, but yeah, there were people with them that, like, help them with the doors.
People, like minifig people.
That's awesome.
All right.
So, so this is a little bit of maybe a boomerism here, is this next topic. So I was starting to work on some Python, and Python reminds me of ColdFusion. Like, you can just do whatever you want and run it and it works.
Um, maybe, maybe more like JavaScript.
Yeah. Like Node, like it's the same type thing, right? Like, you just go make changes. Production is fine.
So it's probably fine.
It's probably fine.
So I'm, I'm having to work on this project and get it as close to another environment without having to have the right version of Python installed on my machine and all that kind of garbage, right? So that's kind of what
I'm thinking. But as I'm seeing some of the errors that I'm trying to go after and figure out how to
fix, I'm like, well, how are you running this? And, and who I was talking to was like, well,
um, I usually just attach to a pod that's running in one of the Kubernetes clusters,
and then I'll just rsync my files up there as I change them
so I can see things that are failing and make changes.
Literally testing in production?
Well, it wasn't in production.
It was in another environment.
Oh, I see, another cluster.
Yeah, but my thing is, man, that reminds me. You guys remember, I know you do, you remember back in the day when you programmed for the web or whatever, and the way that you would test stuff is you would put an alert in your JavaScript?
Oh yeah.
Oh, and it would spit out some stuff, and you'd reload the page or hit a button, and that alert would pop up and show you what you needed, right?
Before there were good debugging tools for it.
And that's what this reminded me of.
And I was like, this is no way, no way to work, especially when you're working with multithreaded code, which is what I happen to be working with. And I was like, this, I, I,
I will spend days trying to figure out where this is happening down in the code.
If that's how I have to operate,
right?
Like if I can't actually use a good IDE and put a break point and use a
debugger to like,
look at the stack trace,
which is really what I needed.
The, the thread trace. Like, I was, I don't know, man, like, it kind of bothered me. And in all honesty, it took me over a day to get my environment set up to where I could even run it and get it to work properly. But in the end, I feel like that day burnt doing that paid dividends a hundred times over, because I was able to create a breakpoint. Which, by the way, if you haven't used PyCharm and you're doing Python code, it's amazing. I mean, it's really good. But I had it set up to where it would launch a Docker container, it would hook into it, I could set a breakpoint, I could look at the entire thread trace, which in Python also means you can go all the way up to any libraries you're using and find out where these things are failing. So in my case, I was having something fail in a connection library. And if I had done the whole thing where I was just, like, you know, putting alerts in and dumps of code out, like in ColdFusion, right? Jay-Z, I know you remember cfdump. Like, it was probably the most used function ever.
You're muted.
Dang it. I said, oh yeah, yeah.
So that's kind of what that approach reminded me of, and I was like, this, this isn't feasible. So I don't know, like, I don't know what you guys' takes are, but that really frustrated me, when it was like, oh, so I've got no real path forward here. I'm going, I am going to get my IDE working, because this doesn't make sense.
Do you know when console.log was added, by the way?
No.
Side note. Yeah, I looked it up, because I remember I used alerts too, and it got me thinking, it's like, why was I using alert when console.log was there? And it's because it wasn't until 2004. I think we've actually been coding longer than...
Oh, really? Well, we've talked about, like, there's, like, console.table. And instead of, like, just console.log,
there's like other things that you could do.
Yeah.
Well,
I even worse than that.
Right.
Like,
so console dot log was like the new way of doing it.
But back in the day,
there weren't even good debugging tools for the browser.
Right.
So you couldn't pause anything.
I remember when the developer tools came out and like,
I E way back in the day and I was like,
Oh man,
I could put a breakpoint on something
Yeah, Firebug.
Oh man, yeah, dude, Firebug was, like, the first big step forward, right?
Yep. So Firefox was the first one to add console.log, in version 1.0, released in 2004.
Wow, man. It was episode 157 that we talked about the, about using console.log like a pro, was the name of the article that was referenced as the tip of the week.
But, I mean, be real with me.
Like, if you're using an interpreted language like Node or Python or whatever,
pick your flavor, would you do the thing where you attach to something running
and just start replacing code and putting output on the screen or whatever?
Or would you waste or not waste?
Would you spend the time like I did for a day to figure out how to get everything running in an environment that you could actually step through?
I've done it both ways and I've regretted both ways.
There are definitely times when I'm like, well, man,
I did all this and I could have just whatever.
And there are other times it's like,
why I spent all this time.
I should have just set it up.
Yeah.
That's what I don't really know.
It depends.
I mean,
I guess,
yeah.
Depending on like how much time you think you're going to put into it,
you know,
like how big a problem it is.
You know,
if you're just like,
you know, moving, moving the logo three pixels to the left. Yeah. Maybe not take the time to
set up a debugger and all that kind of stuff. But for the type of thing that you're describing,
I don't know why anyone would want to like give themselves a limitation, you know, like you're, you're purposely
you're handicapping yourself, you know? And it's like, well, why, why, why wouldn't you want to
take full advantage of everything that you have at your disposal? It's just, it's the same kind
of thing when I see people who, you know, there are people, we've talked about this before too in the show, that are, like, very efficient at using them, and I'm like, well, that's great, but there's so many other IDEs out there that I would rather use, right? That, you know, okay, I'm not saying you can't do a lot with it, but, man, I don't know if you can say that you, like, I know this is, you know,
I'm probably like just stepped into a whole world of hate.
So I'm going to get a bunch of hate mail, but yeah,
but you know what I'm saying?
Like, there are IDEs out there for a reason, that are, like, tailor-made to help you develop things more efficiently. And, you know, we live in a world where those IDEs are even tailor-made for a given language. So, like, why wouldn't you, if, yeah, in the situation you're describing, I almost view taking the time to set up the IDE to work in as, like, that's part of the job. That's part of the ticket, kind of thing.
Cause like, imagine, you know, 10, 20 years ago, right? Like you're the, you get hired,
you're the new, the new guy at the, at, at that particular dev shop, right? Setting up your
environment for development to, to compile. That was like, you know, one of your first tasks,
literally day one. So I view it as that, like that.
Well, you know, taking it a step further, the part that kind of bothered me more was, you know, I'm only working on this for hopefully a very short period of time to try and figure out what's going on.
Well, not once you get the IDE working, you'll be on it.
Oh, sorry.
Yeah, right, right.
That's why I said, hopefully, but, but why for somebody else who may have spent
or does spend more time in it, like it seems like not doing it is just killing your productivity
and your ability to actually see what's happening. Right. Like we've talked about multi-threaded
debugging is, it's almost an art, right? Like, you have to really understand how to use your IDE and stuff, but without it,
it's super difficult, super difficult to debug that stuff.
So I don't know, man, it just, it kind of bugged me.
I hated it that I lost a day trying to, trying to get it set up.
But in the end, it allowed me to go exactly to what I needed to find. And I just can't imagine somebody else working in a code base for any period of time and not taking the time to do something like that, right? Instead, rsyncing files back and forth. And it's like, man, that seems wrong. Yeah. But I don't know. Anyways, that was it for my boomer and last topic.
Yeah, uh, and I got a topic here. Uh, y'all familiar with CWE?
No.
Or CWEs?
Yeah.
It's, uh, I'm sure you've seen it before, but it kind of tends to be mentioned with a bunch of other acronyms that look really similar, like CVEs and CVSS and, uh, all sorts of other stuff. But basically it, uh, stands for Common Weakness Enumeration, and it's a community-developed list of common software and hardware weaknesses. And it's been maintained since, like, it got started around 1999.
Uh, and for comparison, OWASP, which we've talked about many times, started around 2001. And, um, basically it's not too different, uh, than OWASP. You know, it's basically a collection of things that can be wrong in software, like mistakes that people can make in code that can ultimately lead to a vulnerability. So if you look at the infamous NVD database, like the National, or I forget what it stands for, National Vulnerability Database or NIST Vulnerability Database, the one that has the CVE numbers, like when there's a big Log4j problem or some big Windows vulnerability and it gets the CVE number 14528, whatever. If you go there, and I've got a link here in the show notes for, uh, for one, uh, and you scroll down a little bit, you'll see a link to CWEs, which is basically a list of the weaknesses that it's related to. And so you might see, uh, a weakness like, uh, I think this is the Log4j one that I've got linked here, like, kind of the famous one that went out around recently. And so if you look down at the weakness enumeration, uh, it's linked to vulnerabilities, or, gosh, it's hard to use the right terms, you have to be precise here, but it's linked to code weaknesses like improper neutralization of special elements, uh, deserialization of untrusted data, improper input validation, uncontrolled resource consumption, uh, that sort of thing. Which sounds an awful lot like, hey, that sounds like the type of stuff, you know, we talk about with OWASP, with, like, SQL injection or just injection in general, and, um, you know, not validating user input, stuff like that.
So I just kind of ended up going down, like, a small rabbit hole, uh, kind of trying to figure out these acronyms and figure out the difference between CWE and OWASP. And so I thought it was kind of cool and wanted to bring it up.
So what did you land on as the difference between CWE and OWASP?
So OWASP is very specific to web application security. And so that organization takes a look at basically the vulnerabilities every couple of years that have come in specifically around web applications. And they, you know, rank them based on severity, and they rank them based on, like, how often they see it out in the wild, stuff like that. And CWE is run by the MITRE Corporation. And I'm still trying to figure out exactly who they are. It's kind of weird, but they're basically like a consulting firm that do stuff in the national, you know, the U.S. national security arena. Um, but it's kind of, kind of strange, and so you'll see a lot of cross-links between, uh, their stuff and, uh, NIST, that I'll figure out what that stands for, but it's basically like national security stuff in the U.S. Um, but, uh, the main difference is that, uh, CWEs are much more general, and, uh, they, you know, starting in 1999, you can imagine, uh, cover a lot of different kinds of computing. So, um, they do cover things for, like, um, you know, managed code vulnerabilities, uh, you're gonna hear a lot more about, like, buffer overflows, stuff like that, unmanaged memory, and also hardware vulnerabilities. So if your, you know, if your chip has some sort of security vulnerability, then you're going to see it show up there, which is something you wouldn't ever see on, like, an OWASP list.
Hey, I want to clarify one thing, though. NIST is the National Institute of Standards and Technology. So nothing to do with security.
Oh, really? I did not know.
So it's like measurements and things like that.
Oh yeah. I always thought, I just associate it so strongly with security. That's crazy. That's pretty cool.
That's cool. They, um, they do maintain the official database. MITRE,
the company that I mentioned, uh, you know, maintains almost like a mirror of, like, their own copy of it. There's some, there's some weird kind of mixing of those two that I don't understand. Like, they definitely seem to be friends.
Yeah. And the link that you have in the show notes is pretty cool, if, if you guys go check it out, is the trends. And they were basically saying it's nice to, not nice, it's good to know how things are trending, like, you know, things that may not have even really been on the list but have started moving up the ranks really quick. But they've also got these top lists, right? Like the top 25 software, the top hardware.
So yeah. And one thing I thought was particularly cool about the, the list, and OWASP does this kind of thing too when they evaluate, is that CWE, they looked at the last five reports to figure out who's consistently moving upwards, which means when we see something's moving upwards, it means we're seeing more of it, or they're seeing more of it, which is kind of sad in a way, because this list has been around for a long time. These items that we're seeing move up in the list are items that have already been on the list, which means people should be seeing them in their corporate security trainings, and they should be seeing them in kind of the security arena. So these are things that are known and are talked about but are still increasing out in the wild. And that doesn't necessarily mean that coders are, like, getting lazy or anything. It could just mean that attackers are getting more sophisticated, for example, or, um, the, like, the attackers' tooling has gotten, has made it easier. We've talked about, like, um, various different kinds of hacking toolkits before that people can use, like Kali Linux or whatever, that come, like, bundled with, uh, tools that make it really easy to try a variety of exploits very quickly.
Um, so the three, uh, consistently, consistent upward movers, these are items that have moved up for the last five, uh, times the list has been renewed over the last couple years, which, it's not perfect, once, once per year, but it's pretty close. Um, missing authorization, so a spot that's just a call somewhere that doesn't have the specific
authorization. And remember, this is weakness. This isn't vulnerability. So this could be
somewhere that isn't even exposed to the internet, but someone can get to laterally. So it just means
that there are places in code that are missing the proper authorization checks. Server-side
request forgery, which kind of goes hand-in-hand where you can get
a server to make requests on your behalf, almost like a proxy, and then authorization bypass
through user-controlled key, which I didn't read about that one. I forget what that is.
But it's kind of interesting. And the other one I wanted to mention was consistent downward
movers, which are things that are known issues that seem to be getting better over a year.
And so this is another case
where it could be the tooling around things getting better.
So like the programming languages and the frameworks
and the database systems that people are using
are making this stuff easier to get right.
And so this is things like integer overflows,
permissions,
some XML external entity reference, I don't even know what that is,
and an untrusted search path.
So you know what's pretty neat about this?
The one that you mentioned first, the missing authorization, it moved up five places.
It was number 16 on the list last year, and now it's number 11.
So, you know, the trending up thing.
Moving on up.
But what's crazy, though, is what the very first one is on the list. Out-of-bounds writes.
So, basically, if you're writing past where the buffer was allowing, that's the number one software weakness,
which is pretty interesting.
I would imagine you're dealing with that in things like C
or anything that has low-level access, right?
You're probably not hitting that with managed languages
like Java or C Sharp or something like that.
Yeah, if you click into it,
it actually tells you applicable platforms
and it's like languages: C, C++, assembly.
And yeah, you got it exactly right.
That's exactly what the deal is.
Basically, you have a buffer size of like 256, but somehow somebody managed to get a string that's 512 in there.
And then, you know, that data is potentially writing over the boundaries that you're expecting it.
And then they can kind of put malicious stuff in there.
And so a lot of times it would be like a new system and an old system working together.
And the old system has 256 and the new one takes more.
And you put those things together, you start integrating them.
People maybe not necessarily thinking about proper data types and stuff,
especially if you're working with modern languages and frameworks and stuff,
and you don't really think about how string lengths and stuff like that are vitally important in these older native languages.
It's cool.
Go ahead. No, you do.
I just wanted to mention, too, another
reason that you might see things consistently
moving upwards doesn't
necessarily even have to do with the attackers getting
any better or the tools getting worse.
It could just mean more applications moving to the cloud or moving online. Yeah, moving out of mainframes or whatever.
So, so what I was going to say that is really interesting to me here, though, is number one, that, that was very much a low-level, you know, system type thing that you're going to run into.
The next two, though, are very web-heavy type things, which are cross-site scripting.
So it's number two on the list here.
It's always been high in OWASP, but the fact that it moved up all the way in the software ranks here was kind of interesting.
And then the other one was SQL injection, right?
Number three.
So the thing that it almost feels like to me, like it's a foregone thing, like you should be doing things to eliminate SQL injection.
We've been talking about it for probably since we started the podcast.
Yeah, right.
So it just it seems weird that it's still this high on the list.
I mean, I guess there's just so much code out there written. And use-after-free is another interesting one.
Yeah, right.
So, you know, I should say, too, that, um, there is, uh, another big difference between OWASP and CWE.
Like, OWASP is super focused on the top 10. Like, you can't even find number 11, you know.
They, they, they've got, they've got some other stuff you can find that are kind of in the arena, but it's very much focused on the biggest things that you should be going after.
And they focus training around that. And, like, they really try to educate the public on those things.
Uh, CWE is literally just a collection of, like, every kind of weakness we can think of. There's, I think, hundreds of them, if not thousands.
Uh, let's see, and they do focus on the top 25, but it's, uh, it's very much easier to see... you see numbers up into the hundreds or whatever
that are linked to CVEs, which are, I forget what that stands for, but basically it's an instance of actual vulnerability.
Like, this version of Log4j is vulnerable to this kind of attack in this situation.
Very cool. Good stuff.
Yep. And of course, you can break it down, so you can say, like, oh, let me see stuff in, uh, Java or PHP, or things that maybe affect, um, hardware, credit cards, I don't know.
All righty. Well, we'll have plenty of links and otherwise in the resources we like.
So otherwise, we head into Alan's favorite portion of the show. It's the tip of the week.
Let's do it.
Hey, it's me again.
I got a tip.
So I saw a cool Windows utility called Windrecorder.
And I have not installed it.
So disclaimer.
But I thought the idea for it was so cool that I thought it was worth mentioning, and you'll also understand why I didn't install it.
The idea is that this utility records video and text from your desktop computer, and it lets you rewind and search.
So if you've ever had something where you couldn't remember that website, or didn't... I managed to check out with my old address. Was that a bug or did I make a mistake? Uh, that type thing.
Yeah, this is something that you could rewind and actually replay and say, like, oh, I did do it right.
You can actually do text searches as well, and it searches things like application names that were running or things that maybe you had typed, and I think it even does, like, image descriptions. I'm not sure how it does that.
Uh, it does it in 15-minute increments, so you can kind of do a search and it'll give you all the blocks that you did that.
So you can be like, hey, let me see all the times that I've gone to my bank website.
And I'll say, okay, here's the seven times this week that you went to your bank website.
Yeah.
So that's why I didn't install it.
But it's pretty cool, right?
It's a cool idea of, like, kind of recording the things that are going on in your life, in a way, because you spend a lot of time on these devices, and being able to kind of go back in time and see exactly what happens.
So your tip of the week, if I understand correctly, is, hey, have you ever been annoyed that your keylogger wasn't visual? Yeah, try Windrecorder.
Now, I should say it does store all the files locally. There's not, there's no, you know, network access. But, uh, you know, that's, I should say, that's what the author says, and so you have to, like, really take a hard look at the code that's on GitHub.
Also, all those third parties, like, you know, all that stuff is just so scary to me because I don't have time to audit it, and it's just not worth it. But I just thought it was cool.
It's like this, uh, there's a Black Mirror episode even where, like, people are kind of recording their lives and then being able to kind of go back and replay memories or whatever.
Wait, hold up, hold up.
You just, all right, you just recommended a tool
that you referenced a Black Mirror episode off of.
I'm pretty certain I've never seen one of those
with a happy ending.
I'm just going to say.
For sure.
But yeah, no, this isn't a tip like you should install.
Yeah, definitely.
Definitely.
This is amazing.
The tip isn't that you should do it.
Have you ever watched Black Mirror and thought, how can I be like that?
Are you bothered by the lack of visualizations in your keylogger?
If you can't beat them, just join them.
If we all installed, then it would be like nobody installed it.
It won't matter.
I can actually see his stars rating on his shirt.
It's going down right now.
I don't think we're allowed to talk to him anymore.
So if it works, it's a pretty cool concept.
I will not be installing it,
but it's,
it's a pretty neat concept.
It's cool.
It's not often that you hear like kind of novel,
like a,
or just different type solutions to the other kind of problems.
Like this is something like I never would have thought to do.
I'm never going to do it,
but it's cool.
I'm glad people are still coming up with new ideas after all this time
Yeah, I'll have a couple of links where the author describes, like, what they did and how they did it, and then the open source repository.
Cool. But don't install it. Yeah, don't install it. It's a look-at-it, don't-install-it.
Yeah, okay. So thank you for that tip of the week. That's something I won't be installing.
Um, so this came up recently, uh, things that you can do with, um, Spotlight on your macOS, uh, computer that you probably didn't know about.
So this, this, this came about because we were... a friend was doing a screen share, and he launched Spotlight and used it to open up the calculator. And my mind was blown, 'cause I'm like, why didn't you just do the math right there in Spotlight?
So I thought I would, like, share a couple of links here of things that you can do in Spotlight. So yes, you can launch apps, but you can do other things. You can search by keyword.
You can even, you can even give it a kind. So you could say, like, uh, you know, maybe your, your, uh, the file name has Alan in it, but you want to search kind image. It's kind:image.
You can do searches using natural language, like "apps from last month". You can search your contacts.
So you could say like, hey, search Jay-Z.
You find calendar events, access dictionary definitions of words.
I said make calculations, which can also, by the way, use natural language.
So you could say like 14 inches in centimeters.
So you're doing a conversion there as well.
You could say, I gave an example earlier where it was like three times pi divided by four,
you know, like whatever.
But the point is, is, like, I said pi. I didn't obviously write out pi to, you know, whatever degree of, uh, you know, digits you remember that, which most people only remember to, uh...
You can get the weather, you could check out sports scores, you can get stocks, uh, you know, whatever that stock is currently trading at, you can get exchange rates, you can watch the, uh, progress of a flight, listen to music, find local movies, get directions.
Um, wow. What were some of the other ones? Uh...
Yeah, whatever. There's weather. I've already said weather. But, um, yeah, the point is there's a bunch of stuff in here. Unit conversions. Oh, I don't think I did that one.
If you want... well, I did kind of say the 14 inches in centimeters. Um, and your, you know, searches could be in natural language, which I think I kind of hinted at, like "apps from last month" or whatever. But yeah, you could say "photos from last year" or whatever. You can search using emojis.
How about that? I don't know why you would want to, but if you're like, hey, show me all the times I ever said pizza.
You can search apps using initials of the apps, right?
That's cool.
Weird, but cool.
Yeah, Spotlight's pretty useful.
There's so much you can do. So, yeah, the point is, is that, uh, there's, there's probably a trick or two that you didn't realize that you could do with Spotlight, and it's just right there at your fingertips.
So, very cool. All right, so I've got one that, that blew my mind the other day.
So I, I was streaming logs from a Kubernetes pod. So a kubectl logs, you know, whatever the pod name was, and I was tailing it and following it, right? And so I was getting, like, the last hundred lines and had it follow.
But I wanted to find it... I wanted to find entries that had a particular word in it, right? So then I piped that, I did a pipe and then grep -i, and then whatever, whatever I was looking for.
But then I also wanted it to find stuff that didn't have a particular set of text in it, right?
So if you think about logs, right, like, you might want to see something that has the word error in it, but you don't want every single error. So you want to get rid of the ones that have errors that you don't care about.
So, so then I piped that to another grep and did a -v for the inverse. So, hey, don't give me anything that has this word in it, right?
And, and I was sitting there doing it, and I did the first grep and things were coming out and looked fine. And I was like, all right, cool. Then I piped the second grep and nothing came out. And I'm like, hold on a second.
I know, I know what I'm doing with this grep command. Why is it not working? So it turns out, I didn't know this, there is a buffer when you're using pipes and streams.
So when you pipe from, like, a kubectl logs command, when you do your grep statement, you need to do a --line-buffered, and it will make sure that grep is hitting the stuff in that buffer and it passes it along.
And so when I did the next pipe, I needed to also do grep --line-buffered. And then all my output came out exactly as I wanted it.
And this reminded me of something that I know that I think Jay-Z and I have both experienced in the past. We used to use, uh, Kafka cuddle to pull stuff out, and we would grep, and sometimes, like, not all the entries would come back.
I totally don't... I was always wondering why that was. Yeah, yeah. And, and so it hit me when I, when I figured this out the other day. I was like, I guarantee you that's what it was back in the day.
Like, there would just be some entries that would drop off. We'd know that there should be three that came out and we'd only get two, and it was like, hold on a second. And so I just abandoned using the tool. I thought there was something wrong with the tool. It was my usage of grep without the --line-buffered that was causing the problem.
So, ah, good catch. I just thought grep didn't work. Seriously, I mean, I, I was, I was so annoyed and frustrated. I think I even posted a message out there, like, man, grep is really making me mad right now.
Um, yeah, so, so I put it in there, right? Yeah. And, and this isn't a typo, you know? So at any rate, that's a great one. If you don't know about it, go, go read up on it. Go look at it. Just do a grep --help, or maybe even man grep. I can't remember. Um, but you'll see that, that --line-buffered in there.
And then, then, so this one, this is a bonus one here
based off what Outlaw's tip was with, with macOS and using Spotlight.
So I'm, I'm sitting in my living room, the living room, the other day, and my wife's like, hey, I need you to type something up for me. And I'm like, why do I gotta type it up? She's like, because you type faster. Not... I'm like, well, I don't like that. What am I typing up?
And she had a document that needed to be typed up, and I'm like, whoa, well, wait a second. Like, it might have been a piece of paper. I think it was a piece of paper. I was like, like, no, no, I'm not typing anything. Hold on, hold that paper up.
So if you don't know this, if you have an iPad or an iPhone, and I'm sure this exists
on Android, I haven't tested it.
But if you open up your camera, point it at a document, there's a little icon on the screen
that looks like a box with some lines in the middle of it.
That's the thing that identifies text.
You can point your camera at it, hit that thing. It'll put a block around all the text that it thinks it sees, and you could copy it.
And so that's exactly what I did. I clicked the thing, copied it, put it into a, I think, what is it? Pages document on, on my iPhone, pasted it, and then just formatted it, and I was done.
Right? Like, so it took me a minute instead of 10 to, to get this whole thing out there. So, yeah, if you're not aware of that, it's super useful.
And if I remember right, you can even do it with existing photos. So, so, yeah, if you have a photo that you took of a document and you need to get the text out of it, just open up your gallery.
I want to be clear, it doesn't have to be a document. It just has to be a picture. A picture will work with anything with words on it.
Like, I did... I took a picture of a box that, you know, and it recognized that. I took a picture of a, um, serial number. I've done before, like, a postcard thing that, you know, for instructions for a coming show here in the Atlanta area. It did it well.
Yeah, anything with... and, and, and like the box example that I gave, the reason why I called that one out is because, like, I wasn't trying to take a picture where I wanted to grab the text from that.
So it's not like the text is off at an angle.
And it's a logo text, too.
So it's not even like, what font is that?
I don't know.
But it recognizes it.
And it's like, oh, yeah, I can figure that out.
Yeah.
I mean, if you've never used it, it's helpful.
Now, what I'm not sure of, maybe you know this, Outlaw.
Maybe you do, Jay-Z.
Can you do it with a QR code?
Because that's the one thing that's always frustrated me.
There's a QR code, and it's like, oh, that's great.
It's on my phone.
How do I use it? I can't scan the QR code from the screen of my phone.
Like, what do I do with this thing?
If you take a picture, if you have a photo of something with a QR code on it and you click on the QR code, you'll get an option.
It'll show you.
Well, I don't have preview turned on on mine.
So I see the URL and then it's like, hey, do you want to open this in Safari?
Oh, OK.
So I can copy the link or I can share the link.
But yeah.
And it's like another one, what I mean by, like, examples of it doesn't have to be a document. Like, I have a picture of one of my guitars, and that I had taken pictures of the, the back of it where it had the serial number, and I can click on the, the back of that and it recognizes the number. It thinks it's a phone number, but it recognizes the number.
That's awesome.
Yeah, so, uh, so this feature, by the way, is called Live Text, apparently. Okay, I didn't know that. I will put a link in the show notes. So, again, this is iPhone. I'm, I'd be shocked if Android didn't have this same feature, right?
Yeah, Google had it, like, eight years ago and then turned it off. They, they killed that project. They do all... and went away with Wave. And, well, don't, don't we hope that they do that with GChat? That's what we're waiting for.
Oh, yeah. Yeah. Poor GChat. All right.
Well, subscribe to us.
Whatever.
We'll see you later.
Why?
Why?
Man.
See, if we were all in the same room, there'd probably be a wrestling match right now.
Like, no, you're going to say it.
You know, I do the intro, so I'm not going to fight. I, I'm gonna give up on that exit. Yeah, you know the deal by now.
Hey, at least go to the website at codingblocks.net, and this is slash episode 233, so you can check it out.
Oh, hey, and we actually had somebody, by the way, if you've made it this far into the episode, we had somebody ask us about swag the other day. I actually need to go by the box, as they said they sent us an envelope.
If you're interested in watching some stickers, head to codingblocks.net/swag and, um, you know, do what it says there, and we will, we'll hook you up.