Python Bytes - #309 When Malware PoC's are Themselves Malware

Episode Date: November 9, 2022

Topics covered in this episode:

- Malicious proof-of-concepts are exposing GitHub users to malware and more
- The great Mastodon experiment
- Gitpod and the traveling dev
- Color in the terminal
- Extras
- Jok...e

See the full show notes for this episode on the website at pythonbytes.fm/309

Transcript
Starting point is 00:00:00 Hello and welcome to Python Bytes, where we deliver news and headlines directly to your earbuds. This is episode 309, recorded November 8th, Election Day. I am Brian Okken. And I'm Michael Kennedy. Okay, now let's look at your thing. So, first of all, redesign the Python Bytes website to make it responsive, so even the table gets super cool when you scroll up. But that's not what I want to talk about. That's not why I brought it up.
Starting point is 00:00:23 I mean, I always get these emails. I know you haven't logged into our site in five years, but we've redesigned it. Let's tell you about it. No, I don't care. The reason I'm on this page, what is the date today? November what? It's the 8th. It's the 8th. Yesterday was Python Bytes' birthday. Six years old now. Oh my gosh. I can't believe it's been six years. Yeah. Six years. The intro to the show in pip 9 is out. What are we on, like pip 30? I don't know. I haven't paid attention. Well, they went from... It's past 20 for sure.
Starting point is 00:00:53 They went from Semver to Calver, so it's hard to count. Still been a long time. Yeah. Absolutely. All right. Well, anyway, happy birthday to us. Let's jump in. Yay, we should have brought cake. I know, cake. We have to use cake emojis somewhere today, I suppose. All right, so I want to tell you about something
Starting point is 00:01:10 that really touches on the cybersecurity, pen testing, red team, blue team, sort of hacker side. And I don't know if people are aware, but Python is used a lot for the pen testing security side of the world. We've had some guests on the show here before that talked about their work, right? We're like, we don't understand this.
Starting point is 00:01:32 You got to come share this with people yourself. It's awesome. But we're not worthy. But there's a really interesting set of research. And this research came from Soufian Yadmani and Robin The and Olga Gadyatskaya. Sorry if I butchered everyone's name there. But it is the title of the official academic article. This is out of Norway, I think.
Starting point is 00:01:56 How Security Professionals Are Being Attacked. A Study of Malicious CVE Proof of Concept Exploits in GitHub. Have you run across this? No. Interesting. So it's, it sounds like it doesn't totally apply as maybe a Python programmer thing, but here's the deal. In order to, when these CVEs, these vulnerabilities come out and get announced, a lot of times people are like, oh my gosh, there's some problem. But like, what does it manifest like? If I'm going to write some code to explore it, to understand it, to do all the various things, how do I get started, right?
Starting point is 00:02:28 A lot of these are super complicated. And so what people will do is they'll post a simple proof of concept. Like imagine you've got a sandboxed web browser and it shouldn't be able to access, like, for example, your processes and other parts of your file system. So if I went to a webpage, I could make it pop up, I don't know, notepad with the text, na-na-na-na-na-na, we got you. You know, something silly like that. You're like, oh my God, it opened notepad. Well, these people did some research and they found 47,000 posted proofs of concept. And let's see, somewhere,
Starting point is 00:03:02 it's in the article, they talk about the actual language breakdown. Here you go. So when they said, what languages are these written in? HTML, 300, Ruby, 300, Go, 400, C++, 1000, Python, the most common language that they are able to determine the language of the exploit. So it's something that really kind of applies to us. And of the, how many were there? There was like 47,000 of them. And out of those, 4,800 or 10% were malicious, which sounds like, so what? It's a proof of concept of a malicious thing. No, it's like a meta malicious.
Starting point is 00:03:45 So here's the deal. It says, we will show you how you can break into Active Directory on this new exploit. What it really does is installs ransomware on your computer. So if you as a person are like, I want to try this out and see if our system is vulnerable, instead of it doing what it said it would do, it just takes over your computer. And there's various ways in which it does it. It might contact like a known malicious. No, I know there are some lulls in there to be sure, but the idea is there's some, it'll like take your SSH keys and like upload them to some malicious, you know, Pastebin-type place, or it will install crypto miners or it'll install, you know,
Starting point is 00:04:25 ransomware encryption types of things. And a few of them say, you shouldn't have just run code off the internet. What are you doing? And it'll like rickroll you. But the majority of them take over for real. So there's, isn't that nuts? Yeah. Yeah. Yeah. So rickrolls are hilarious though. Just saying. They are. They are. Even in the paper, there's actually some, um, some Python proof of code. So here, let me show you down here, like, uh, pull this up. I don't know how to link to, um, a code listing inside of a PDF. So I'm just gonna cruise.
Starting point is 00:05:01 Here we go. So for example, over here. So here it says, this is an example of one of these proof of concepts that shows you how things might work. And what is it going to do? It's going to go and say it's going to sleep for a second, get your host name, create a user thing, da-da-da-da-da. And then, oddly, instead of saying the URL is a thing, the URL is a base64 decoded, encoded bunch of garbage, right? What is this? This is the malicious website
Starting point is 00:05:27 that they're going to send your information to. But when you look at it, it doesn't look like here's the virus. It's like, oh, they're just decoding this text. I see. No, no, no, no. This is the virus right there. And there's way more complicated examples,
Starting point is 00:05:39 but pretty nuts. Anyway. Plus the formatting is gross. They should really run Black on this. I know, they totally, they totally should. You deserve what you get if you run that. Now, this is a pretty interesting thing, and if you're in the security space, you know, if there's a 10% chance of just checking out one of these proof of concepts that you'll get owned, you know, just be aware. I mean, you consider the audience of the people creating these. So I guess, you know,
Starting point is 00:06:02 a bunch of hackers are like, hey, I made this code, you should try it. No, but actually that, we should have like a search thing or something like that, because that base64 decode thing is a classic just-don't-touch-it sort of thing, if, especially if it's going into a URL or something. This is, it's not good. Yeah, they did come up with a way to automatically test for things. They said, look, if it's contacting a well-known malicious command and control type IP address, which there's a listing, a database of these types of things. It's like, you know what? That's a problem. And here's a proof of concept that should have nothing to do with the internet and it's uploading data. That doesn't seem like it should, right? Or it's downloading this data from somewhere else. So yeah. Yeah. Yeah. I like that Kim has got the glass half full.
Starting point is 00:06:47 A base64-encoded URL is surely completely safe and nothing to worry about. And Marco is concerned about the SSH keys. And thanks for the happy birthday wishes out in the audience as well from everyone. Yeah. Yeah, thanks, people. All right, Brian, that's all I got.
Starting point is 00:07:01 But there's a really cool paper. There's some proof of concepts in there. There's a couple of write-ups on it. It's worth checking out. OK, cool. Well, I actually want to talk about something completely sort of different. So if you've, let's just, I'll go to us for a second. If normally I get a lot of my news from people on Twitter, but Twitter kind of is in the
Starting point is 00:07:24 news lately because things are kind of going weird with Twitter. So what are people doing? Well, a lot of people, um, a lot of people actually are, are checking out Mastodon. So I'm calling this the great Mastodon experiment, uh, because tons of us Python people, and actually tons of tech people and tons of other people also, are trying out this Mastodon thing. And in the back of our mind it was, well, like, yeah, Mastodon seems kind of interesting. It's like a sort of maybe alternative to Twitter, but not many people there. Now there's a lot of people there, like tons of people. Um, I don't know what the numbers are compared to Twitter, of course, but, uh, anyway, so I am part of this.
Starting point is 00:08:05 I'm part of the people that have switched. But if you like, we're showing the Mastodon, like joinmastodon.org site. And the first thing you want to do, OK, I want to try this. So I have to, OK, I have to create an account. So the first thing you're hit is, well, which server do you want to use? I was stuck here for a while and I'm like, I don't know what to do. So I went ahead and I used Twitter and I asked and Will was there from Will said he's on Mastodon.social, Will McGugan.
Starting point is 00:08:34 And I just asked, I'm still stuck on the choose a server. What are people using? And I got one reply right away saying, well, Fosstodon.org has Anthony Shaw and a bunch of other people. I'm like, good enough for me. So I went ahead and picked it. So I am now on Fosstodon also. And then I'm just trying stuff. I'm like, just trying it out, playing it, playing with it, following some people, commenting,
Starting point is 00:09:00 whatever. And so far, I kind of like it. It's, it's nice. Now, now that I've kind of, like, I got the basics down, now I'm ready to learn some more. And, um, and so I put together, went through and found some tutorials. So if anybody else wants to try this also, I found some kind of fun tutorials. There's one that's called The Increasingly Less Brief Guide to Mastodon. It's big, um, but it's, uh, it's so, it, that's nice though. It starts out with, like, uh, um, with, like, short answers, like, uh, you know, what is it, how is it like Twitter, how
Starting point is 00:09:33 is not like Twitter, stuff like that. Um, and, uh, one of the things, comparisons, that confused me a bit was how is it like email. But, uh, I didn't get the analogy at first, but I kind of do now. So the idea is you have to pick a server, but you can still follow people on other servers. Just like if you have a Gmail account, you can still email people that are not in Gmail works. So there's that there's everything I know about Mastodon. Sorry, but it reminds me a little bit of like BBSs. Remember, like, go to BBS and write email, and then they would like sync at night, and then you might get email from some other BBS. Well, yeah, that's something I also noticed that at first, I was a little annoyed because like, it's not as zippy sometimes, like, it's growing
Starting point is 00:10:15 a lot. So a lot of these servers are like adding capacity. And so occasionally, like the other day, the Fosstodon server was down for a couple hours. And I'm like, oh, my God, actually, I'll be fine if I don't use a social media app for two hours. Just chill. And so, yeah, it's a it's I it's interesting. There's not there's a lot of stuff I've learned so far. Like there's it's not filtering what I'm seeing. I actually just see everything that people write that I'm following. Actually, isn't that what I wanted? Um, so I'm pretty okay with it. So I put together,
Starting point is 00:10:48 I'll go through a couple of these. There's everything I know it's for targeted towards data science people, but there's a lot of great info there. Um, there's a, and then, uh, Simon Willison, he's trying this out too, said, uh, is, um, Mastodon is just blogs. So, uh, I was confused by that, but he describes how it's, uh, how it's like it uses this ActivityPub feature and it's into a little details, but I think he knows what he's talking about because he wrote his own, he's on his own server. So you can have your own, you can have your own Mastodon server. Um, but some of the people, uh, trying it out, uh, at the same time, we've got some big names, Łukasz Langa, he's trying it out. Um, he linked to a couple things like, uh,
Starting point is 00:11:30 that he's learning about, you know, it's really supposed to repost in multiple places, things like that. I've got Brett Cannon figuring it out. So a lot of us over here, uh, having a little bit of fun with, uh, Mastodon. So that's fantastic. Yeah. So Fosstodon.org is the free and open source software Mastodon one, right? Yeah, but a lot of people are on, so like a lot of people are on Mastodon.social. Um, here's a cool article. Uh, oh yeah. Um, I, clients-wise, there's, uh, there's a whole bunch of iPhone clients too, but you can use it on the web or anything. Lucas is on, or Łukasz, I'm sorry, is on Mastodon.social also. Brett's on Fosstodon, but there's a whole bunch of others as well.
Starting point is 00:12:15 Yeah. You have to apply to get in there. So I applied, but I have not been let in yet. So hopefully they will find me worthy and I can join you. Okay. We'll see. Well, I know some of them, so some of them are, since these are private things, there's, got, like, people running their own servers. Um, uh, there's, there's funding models on each of them, and like Fosstodon, for instance, said they want to make sure that they always have six months of running time or something like that,
Starting point is 00:12:42 uh and that's cool enough for me. So anyway. Yeah. I'd be happy to pay a dollar or two a month just to have no ads and have a well curated, somewhat not terrible space. You know, yeah, I wasn't really getting to get into the politics of it, but the whole $8 a month thing, actually, if I could have got rid of ads and actually got some other cool features, I probably would have paid it anyway. I just don't want to pay it now. I'd be like two months ago. I probably would have been up for it, but I don't want to do that right now. Yeah. I don't know. I have no intention of leaving Twitter at the moment. There's still like a really valuable community for the podcast listeners and stuff. But I do think it's also super interesting to reach out to these other
Starting point is 00:13:22 spaces. Mastodon is one. It's kind of interesting in that there's a bunch of little islands. And the thing that's cool about Twitter is you go to the continent and then you find your space within that. It's like, here you got it. What is the place I go to? I'm telling you, this is like BBSs. What BBS has the place where there's kind of cool conversations and good games I can play? And you dial, dial that one up. Or we could just go back to, like, uh, you know, Planet Python and RSS feeds for everybody. Yeah. Yeah, nothing wrong with RSS. Cool. Well, uh, thanks for bringing that up. I have some more thoughts on this, uh, as well later, but for now, for now maybe we could talk about our, our sponsor. What do you think? We should talk about our sponsor because it's cool that we have one,
Starting point is 00:14:03 but also, um, it's Microsoft. So this episode of Python Bytes is brought to you by Microsoft for Startups. Um, but starting a business, a business is hard. Um, most startups, uh, go out of business within the first year, which is totally lame. So Microsoft for Startups set out to understand what startups need to be successful and created a digital platform to help you overcome those challenges. And they came up with Microsoft for Startups Founders Hub. The Founders Hub provides all founders at any stage with free resources to help solve startup challenges. The platform provides technology benefits, access to expert guidance
Starting point is 00:14:40 and skilled resources, mentorship and network connections, and so much more. Unlike others in the industry, Microsoft for Startups Founders Hub doesn't require startups to be investor backed or third party validated to participate. Founders Hub is truly open to all. You can speed up development with free access to GitHub and Microsoft Cloud. And there's other partners that they partner with, such as OpenAI. You can get discounts through there. So you'll have access to those extra resources, but you also get access to their mentorship network, which includes hundreds of mentors across a range of disciplines. Need advice on marketing, fundraising, idea validation, maybe tons of topics that you might need help on, including management and coaching. And you'll be able to book a one-to-one meeting, one-on-one meeting with mentors, many of whom were former founders themselves.
Starting point is 00:15:30 It's no longer about who you know. Get critical support you need from Microsoft for Startups Founders Hub. Make your idea a reality today. To join the program, visit pythonbytes.fm Founders Hub 2022. And that link is in the show notes. And I know you can find this on your own by Googling, but using that link in the show notes will help them know that you found it through this podcast. Thanks. Yeah, absolutely. Thank you, Microsoft.
Starting point is 00:15:56 Oh, you're on mute. I am. Thank you, Microsoft. And yeah, let's move on. A couple of these things are about continued journeys. Sometimes we're on a journey, you know? Yeah. And switch it over. Theory, over on Twitter, not Mastodon yet, uh, sent me, sent us a message and said, hey, a nice episode. You know, remember I was on this, I talked about, like, um, Panic's, um, SSH, uh, thing called Prompt and some of the other ways I was trying to, like, well, how do I just take my iPad and no keyboards and no extra stuff and just have a little DevOps-y coding, oh yeah, environment, right? So Theory says you should check out Gitpod. Have you heard of Gitpod?
Starting point is 00:16:36 No. No. Uh, pod as in pods from Kubernetes, but here, uh, he says, um, yeah, basically I'll just pull up and show you what it is. So if you go over here, the idea is, it says, always ready to code. Like, that sounds cool, right? And I love, look at this little graphic, right? Okay, you're like, your chair is an enter button. I love it. Oh, I didn't notice that right at first. That's cool. Yeah. And by the way, they just, this happened, I think, since this got sent over, they just raised a $25 million series A round. So there's a good, you know, there's a lot of effort behind this, right? Gitpod is, I believe there's an open source version and then like a hosted version as well. So the idea is what you can do is I can go and it'll create a Kubernetes Docker type image that I can configure.
Starting point is 00:17:26 So basically a Linux machine that's isolated for me, which is nice. And then I can log into it one of two ways. I can log into it in the browser and just like if you go to github.dev, which is what I suggested before in the browser, this connects to your own environment, which the thing that's cool about this
Starting point is 00:17:44 is it's that environment, you have a root access to do whatever you want to it. So if you got a pip install something, and that's weird, or whatever, like you're not like, Oh, well, sorry, you can't install this dependency too bad, right? It's just it's yours, you do whatever you want with it. That's in the browser. So on your iPad browser, for example, or if you happen to be on the desktop, and what you want is just like a I'm on an arm machine. I want an x86 machine, or I want a Linux machine that's like production. And that is not just my Mac or my Windows machine. You can actually connect to it with a full on VS code or even PyCharm. You can plug directly into it and remotely edit locally on PyCharm locally, but then like debug and run your environment there. Wow. That's really cool yeah it also works for
Starting point is 00:18:26 IntelliJ, uh, the, the Go, basically all the, all the VS Code and all the pi of the, the JetBrains IDEs, which is like a huge long list, and Vim and also vimit. Wow. So anyway, this is really cool. And, um, there's, uh, one of the recommendations or like the reasons for it, it says, look, you can do multi-track development. So if I'm doing like I'm working on a feature branch and I'm working on main dev and I'm trying to do a bug fix instead of, you know, staging or stashing and then checking out and then try that, then unstash, you know, check over to the other thing, unstash, like, you know, juggling one working environment. You can have multiples of these Gitpods, one for each part of your project, even bring it closer to your Linux and Docker runtime. You can even do like paired
Starting point is 00:19:12 programming on it, which is kind of interesting. And here they got an example of it running on an iPad. And apparently you can install like a bunch of different extensions and stuff and like, you know, configure up your thing. So there's an open source version, which is free from big tech influence. But there's also, you can get their, their version on the cloud or you can self-host it or whatever. Right. And so there is a paid component to this, like this, you know, they got $25 million, right. It's not just like to set on fire, although maybe there's a free version, which is gives you 50 hours of, of coding a month. That's pretty good. Or you can pay $9 a month for 100 hours or
Starting point is 00:19:49 there's like other, other higher tiers, 25, 40 bucks and stuff. But it's open source and there's some free versions and reasonably priced versions. And yeah, I don't know, I think it's, it's pretty cool. So thanks, Theory, for sending it over. And you know, uh, it's, it's definitely an option out there. Yeah. And the self-hosted also is, looks like an option as well. Yeah, exactly. So you can self host.
Starting point is 00:20:09 I think you basically probably set up a Kubernetes cluster and like it, it connects and goes against that. Oh yeah. Just, just throw up a Kubernetes cluster. Yeah, exactly. Well,
Starting point is 00:20:19 all right. Well, I haven't, I did play around with it and it worked pretty well, but I haven't done anything serious. It still looks cool. I like it. Yeah, absolutely. All right, what's your last one here? Oh, last one is a short one. I just wanted to talk about terminal colors. So, um, so I've got this little, a little pytest plugin called pytest-check, and it's got some terminal output, but it does talk about failures. And somebody completely reasonably, uh, submitted an issue and said it'd be cool if these were red,
Starting point is 00:20:52 um, so you could see them easier. And I'm like, yeah, that would be cool. So what should I do? Well, I could, uh, you know, Will, I want to let you know that, that the first thing I thought about was I could throw Rich at it. So I can use Rich to put red in the terminal. But Rich is awesome. I love Rich. But maybe it's a bit of a big hammer for just adding one color, just adding red. So I went looking around a little bit and there's termcolor and there's Colorama and there's other things I ended up, I'm looking at Colorama right now is what I'm playing with. So Colorama, um, is used by a lot of, uh, applications.
Starting point is 00:21:34 And one of the reasons why is because it helps with the cross, uh, being able to use, uh, colors on both, uh, both Windows and everything else. Windows is a little special. It doesn't act like the other stuff. So you have to do things a bit special. And I was kind of glad I looked at this because one of the things that came up recently in one of the new versions
Starting point is 00:21:56 is Colorama has a thing called just_fix_windows_console. It's just, uh, from colorama import just_fix_windows_console, and you call that. And after you call that, then your window, if you run your application on Windows, it acts just like a normal TTY terminal, uh, on Linux or Mac or something. Oh, wow. At least in terms of a lot of stuff. Uh, the other thing that just_fix_windows_console, I think I get, got this right, is, you used to have to call init and now you call this other thing, but you can, you can call that on Mac also and it just doesn't
Starting point is 00:22:31 hurt anything. It's fine. Um, so you can, and now after you've done that, and it, and there's a whole bunch of text here that I just skimmed really briefly, I just wanted it to work, uh, just call that and then you can use these, uh, these color codes, uh, like Fore.RED, for instance. That's what I wanted, just some red text, and there I've got it. So after you change, change stuff around, you also have to reset it, so there's a reset code. Now you can do the same thing, and it has it on their, their, uh, uh, README, is you can use the, the hex or whatever color code escape sequences. So \033[31m is red, but I don't, I think I'll go with the, uh, the named ones. How about some constants instead? Yeah. Yeah. So, um, this is pretty cool. And, um, I think,
Starting point is 00:23:22 I kind of think this is where I'm going to go with, with adding red to the pytest-check. So if you want just a little bit of color and nothing that you need Rich for, Colorama might be what you want. So. Nice. Colorama is definitely a go-to for me when I just want like, this needs to be red or green.
Starting point is 00:23:38 It just needs to stand out somehow for sure. It's very cool. Yeah. Cool. Awesome. All right. Well, that brings us to our extras, huh? Yeah. Do you got any extras? You know I do. Let's see, uh, some of these are quick, some slightly a little more. So, um, Roman Right, who often we find here in the live streams as well, make, maker of
Starting point is 00:23:59 Beanie. Love Beanie. Beanie is powering pythonbytes.fm, by the way, for various other things. So super awesome. He'd been thinking, and so Beanie is Pydantic plus MongoDB async. And he said, there's plenty of reasons why we might want a synchronous API. I'm just in the middle of some script and I just need to talk to the database real quick. Like, do I really need to upgrade this whole thing
Starting point is 00:24:21 to handle async code? Shouldn't there just be a way to call it? There should. And so he created a derivative or mirrored version that is like Beanie but has a synchronous set of APIs instead of asynchronous APIs, called Bunnet, which I don't know the word, but it, but I think it has something to do with, uh, uh, like something to do with a bean, I'm not sure. But anyway, but it, uh, it's, it's similar to Beanie, except for you just don't await things, right?
Starting point is 00:24:46 You just use the PyMongo base instead of the Motor client under the hood. And then you just, you know, do thing insert or thing dot find one or whatever. So people go check that out if they're into Beanie, but they don't want the async version. Yeah.
Starting point is 00:25:01 So I just looked it up. A bunnet is a, it's, it's a type of hat. It's like a Scottish hat. Okay, well, that would explain the, uh, the, the icon here. Maybe it looks like a bean, but it's actually a hat. Roman's here. Hey, Roman. So this is a Scottish word. Fabulous. And Will McGugan, uh, is a bun, is a hat worn by old sc men. Lovely. Cool. Awesome. And congrats, Roman, on getting that out there. That's awesome.
Starting point is 00:25:28 PyCon, you brought up PyCon 2023 last week. Yeah. They've got this cool like tile sort of celebration of history on their website. And they tell you that it will be April 19 to 27. There's a small problem with that, though. How actionable is it? If I want to go to the conference and I want to go see the main talks, when do I book my travel? The whole thing.
Starting point is 00:25:52 It's awesome, right? I can come to the tutorials and do the week of sprints after. I don't know, that's a lot. And so I reached out to Twitter and Mariatta says, tutorials are on Wednesdays and Thursdays. Talks, keynotes, expo halls are Friday to Sunday and from Monday onwards, those are the sprints. Perfect, perfect. So yesterday while I was sitting, getting studded winter tires put on my car so I can go to the mountains and not die,
Starting point is 00:26:18 I decided to go ahead and book my travel and I'm gonna go to the conference. We talked about maybe we'll go, maybe not. I'm gonna go for a whole week. I'm gonna show up on Thursday and leave on the next Thursday, maybe be part of the sprints, but definitely do a ton of podcasting while I'm there and try to just make it like, other people will be sprinting on code, I'm gonna be sprinting on podcast episodes. I gotta decide what I'm gonna do. I haven't decided yet. I'll probably go. Flights are still pretty cheap right now. They might be. Like, hotels and stuff, I think, um, there are really a lot of variations. Like, there was, I was like, oh, maybe I'll stay at the Hilton. Three
Starting point is 00:26:48 thousand three hundred dollars. Like, yeah, maybe I won't stay at the Hilton. What else? So I think people are starting to book it out. Okay. Anyway, um, thank you, Mariatta, for sharing that information. It makes it much easier for us to plan, um, about participating or even just watching PyCon online. Cool. Yeah. All right. Quick shout outs to GeForce Now. Have you heard of GeForce Now? No. So my daughter's really into gaming these days.
Starting point is 00:27:13 Plays a bunch of like horse riding games and Minecraft and Planet Zoo. And there's like a cool Jurassic Park thing that's like a Sims, but for dinosaurs. And most of these games run on Windows. And we have an Alienware computer, but it's like all set up for my sim racing. So it's kind of hard to play games that don't involve a steering wheel. And she's like, how can I play these games on my PC? I'm like, or my Mac, right? She has a MacBook Air. I'm like, I don't know.
Starting point is 00:27:42 She's like, how can I play if I'm not at home and I can stream? So we, we try out GeForce Now. Basically it will, they'll give you a high-end Windows computer and like a GeForce 3080, and it just streams like Netflix to your, your PC, and it is super low latency. I mean, it's like you're really just playing it there, but you're not. It's, it's pretty awesome. Oh, so you're playing, it's, you can play a game on a remote computer then? Yeah, or you can play it on your iPad, or you can play it on your iPhone or Android or on your Mac or whatever, and they've got a completely 100% free tier, so it's pretty nuts.
Starting point is 00:28:17 You should check that out. Anyway, that was a cool techno experience. Two new YouTube videos I've released. One five days ago, one five hours ago. How about that for timing? Nice. So as part of this sort of social media, Twitter madness and various other things, I've been thinking about this for a while. Anyway, I'm like, I really want to try to build up my presence on other areas and that are not just Twitter. And so like, well, YouTube might be one
Starting point is 00:28:40 fun place to sort of build up a community. So I'm starting to add more videos there, right? So like I've done in the past couple of weeks, I've done four videos. But the last two is A Walrus Meets a Python, which is fun. That's about the walrus operator. And then the one that came out today is Python GC Settings, which shows some insane stuff you can do to tweak the GC a little bit and get crazy better performance. Nice.
Starting point is 00:29:02 The GC being the garbage collector, right? Yes. Not reference counting, which does like 99.9% of Python memory. The 0.1% or the 0.1%, whatever's left over, like that actually, you often can turn that down because you don't really have cycles that much that get lost. And it turns out to have some pretty interesting effects. We think we covered, was it Instagram? I think.
Starting point is 00:29:25 I think they wrote an article called Ding the garbage collector where they literally turned it off in production. It was either that or, um, or I can't remember which one, which company did it, but this is kind of like a, well, let's don't be so aggressive like that, but kind of, you know, and it's, it's pretty, yeah. People can check those out. Yeah. So the only extra I've got is, I really liked this article from Simon Willison about what to blog about. So a lot of people are, you have a presence somewhere other than Twitter, and maybe start writing your blog more. And I like this, what to blog about. He goes through a couple things. One of the things is that, today I learned,
Starting point is 00:30:03 and, you know, I actually, when I first encountered the TIL thing, I was like, why do you need that? Can't you just write what you learned anyway? But a lot of people have this paralysis of, if I write how to do something, people are going to think it's a tutorial, and I don't know how to do everything with this tool. I just learned this little thing of how to fix my thing. So the TIL at least is a tag that people will know. It's not a full tutorial. It's just a little snippet of somebody learned about this thing. And I think this is a great way to go about writing it. It can be short and simple, or it can be longer. Plus also, if you build up a lot of these around a topic, it might turn into a tutorial later. So, um, cause you can, you, now that you've learned a ton,
Starting point is 00:30:49 you can write a longer blog post about it. I also just want to tell people that it doesn't have to be a, like a full tutorial. You don't have to compete with Real Python or other places. You can just do a short thing you learned about. It doesn't have to be. Okay. The other thing he talked about was projects, is to write about projects that you've done. And I think that's a great idea. But I also want to make sure that people understand also the things you're working on, right, as you're building stuff. This can be part of the TIL, but it could just be, this is the fate. And it's also another way to limit the scope, like a color in the terminal. I don't want to write about all of color in the terminal, but maybe I could write about just fixing this one bug or this one feature request, what I went through to figure out how to use Colorama. And then how do I
Starting point is 00:31:40 detect whether it's a TTY terminal or not? Things like that. That can be a decent article just to write about that. And so I think these are great tips for unblocking yourself. The other thing I want to tell people about is if you've covered it, you've learned it from somebody else's blog already, but it didn't quite meet your needs and you looked at other places, that means that there is a tutorial out there that's missing. And it's the one that kind of fits your brain. You can rewrite something that is similar to what other people have written about and just write it in a different way that fits you better. And that'll maybe fit other people better too. So there's nothing wrong with that. It doesn't have to be completely unique. Yeah, absolutely. Definitely doesn't.
Starting point is 00:32:24 I like it. That's all I got. Yeah. It came out there says TILs are also handy to reread from time to time and remind yourself of things you've figured out then forgotten. Yeah. Like you can seed the search engines with stuff that you knew. And then when you forget it, you can find it again. And you know, that's how I started blogging and I didn't call it TIL. I would just, I had a blog nobody was reading, and I would just throw up stuff like commands that I looked up, like commands from a tool. Like, I always forget how to change my commit message
Starting point is 00:32:52 after I've committed too fast. So throwing up a little post about git commit amend would be fine. Yeah, absolutely. All right. Well, this has been a fun episode, but it's still good sometimes to just take a moment and relax, right? Yeah. Yeah. I mean, some people, I took my dog for a walk in
Starting point is 00:33:09 the woods during sunrise. It was like this fog that some, for some people getting out in nature is amazing, but as software developers, a lot of times you want to get kind of close to the code or like close to the heart of technology and what, what speaks heart of technology more than the server. This is crazy, man. Yeah. So, so here's a thing you can play. It's on YouTube. I'll show you in a second. And it says pure relaxation server sounds, and we can come over here and it actually has tracks. So like it starts with desktop in the doldrum entering the engine in the engine room, the far side of the cloud. Uh, I find co-location ventilation to be especially relaxing. Facing the cloud.
Starting point is 00:33:50 And finally, spacewalk. So I just want to play a little bit of this for people, right? I think they're going to enjoy it, maybe. It's amazing, right? So relaxing. So anyway. You shared it with me before we started, though, and I gotta say, it's hilarious. So I'm gonna go check this out. I mean, keep in mind, a lot of people have to wear like big earmuffs, sound protection, to go in this room. So it might be the opposite of relaxing, but you'll see. You'll see. Okay. Cool. Nice find. All right. Yeah. Thanks.
Starting point is 00:34:26 Just here to help people be more productive, you know. Yeah, maybe not with this, though. Well, and some of these people that used to be around all these server farms are now working from home, and they might miss that sound. So that's true. Good. Roman out there points out that the scary part is actually if the server room is quiet. Yeah. Why is it quiet? This is not good. Yeah. All right. All right.
Starting point is 00:34:48 Well, thanks a lot for, as always, and thank everybody for watching and showing up and listening. You bet. We love you. Yep. Thanks, everyone. It's been an awesome six years.
Starting point is 00:34:58 We'll keep going. Yeah. Bye. Bye.
