The Changelog: Software Development, Open Source - The great escape room (Friends)
Episode Date: August 23, 2024Adam & Jerod catch up with our ol' friend, Suz Hinton! It's been a couple years since Suz was a regular on JS Party. Since then, she moved back to Australia, earned a degree in cyber security & won a ...fidget spinner from the NSA... but that's not all!
Transcript
Discussion (0)
Welcome to Changelog and Friends, a weekly talk show about Beverly Hills, 90210.
Thanks as always to our partners at Fly.io.
Over 3 million apps have launched on Fly,
and so can you in five minutes.
Learn how at Fly.io.
Okay, let's talk.
Okay, friends, here are the top 10 launches
from Supabase's launch week, number 12.
Read all the details about this launch at Supabase.com slash launch week.
Okay, here we go.
Number 10, Snaplet is now open source.
The company Snaplet is shutting down, but their source code is open.
They're releasing three tools under the MIT license for copying data, seeding databases, and taking database snapshots.
Number nine, you can use PG Replicate to copy data, full table copies, and CDC from Postgres
to any other data system. Today, it supports BigQuery, DuckDB, and MotherDuck with more
syncs to be added in the future. Number eight, Vect2PG, a new CLI utility for migrating data for vector databases to Subbase
Or any Postgres instance with PgVector
You can use it today with Pinecone and Qdrant
More will be added in the future
Number 7, the official Subbase extension for VS Code and GitHub Copilot is here
And it's here to make your development with Subbase and VS Code even more delightful
Number 6, official Python support is here And it's here to make your development with Supabase and VS Code even more delightful.
Number six, official Python support is here.
As Supabase has grown, the AI and ML community have just blown up Supabase.
And many of these folks are Pythonistas.
So Python support expands.
Number five, they released LogDrain so you can export logs generated by your super-based products to external destinations like Datadog or custom endpoints.
Number four, authorization for real-time broadcast and presence is now public beta.
You can now convert a real-time channel into an authorized channel using RLS policies in two steps.
Number three, bring your own Auth0, Cognito, or Firebase. This is actually a few different announcements, support for third-party auth providers, phone-based multi-factor
authentication, that's SMS and WhatsApp, and new auth hooks for SMS and email. Number two,
build Postgres wrappers with Wasm. They released support for Wasm WebAssembly foreign data wrapper.
With this feature, anyone can create an FDW and share it with the Superbase community.
You can build Postgres interfaces to anything on the internet.
And number one, Postgres.new.
Yes, Postgres.new is an in-browser Postgres with an AI interface. With Postgres.new, you can instantly spin up an unlimited number of Postgres databases that run directly in your browser and soon deploy them to S3. there is now an entire book written about Supabase. David Lorenz spent a year working on this book,
and it's awesome.
Level up your Supabase skills and support David
and purchase the book.
Links are in the show notes.
That's it.
Supabase launch week number 12 was massive.
So much to cover.
I hope you enjoyed it.
Go to supabase.com slash launch week.
That's S-U-P-B-A-S-E dot com slash launch week.
Well, it's good to catch up with Suze again.
Absolutely.
You know, it's been years.
That's no fun.
A couple years.
To be years.
It's fun to catch up, of course, though.
Right?
That's the fun part.
Yeah, that's what kind of makes it all right again.
Yeah.
I am noticing some familiar background items for you I think a while back on Twitter you got
some maybe in the last year I don't know some requests or questions about your pegboard back
there and your desk setup and what you're doing on it I don't know it seems familiar to me that
am I catching that wrong you're not on Twitter anymore though right or x whatever you call the
platform these days yeah I'm not really on there anymore. I did do, I did chat with Quincy
from Freeco Camp and I promised him I would actually send him like a picture for his Instagram
or whatever of the background. And then I bloody forgot. So I just reminded you, but I'll have to
get around to it. So yeah, no, you were correct. How far back was that this because i recall like it didn't seem
maybe a year or two ago i don't know it seems familiar to me in terms of like in my memory but
it doesn't seem like it was yesterday i might have actually so the quincy with twins and i chatted
a couple of months ago but maybe i shared a photo of kind of the initial setup on twitter
and it was probably one of the last tweets I did so yeah that's probably
it yeah so how long ago do you think that might have been a year year and a half two years something
like that a year and a half maybe yeah it was one of the first things I set up when I got into this
space so that would add up it's very important to me okay it's very important I do recall questions
being asked popular in terms of what you've done.
And I think it was like you made it yourself.
I don't know.
What's the situation?
The background?
Yeah, the pegboard.
Oh, yeah.
I didn't make the pegboard myself.
That's just from Ikea.
It's their like SCADIS range.
Oh, that's right.
S-K-A-D-I-S.
I took inspiration from just some other pictures that i'd seen online including someone
i know called thea her setup was really cool she had the shelves with the pegboard underneath and
i just thought that was such a cool look so i decided to sort of do my own take on it and then
sort of put it into a corner to make kind of look like you're surrounded by
your lab um and so that was the look that I was after.
And so it, I mean, don't get me wrong,
even though I didn't make the pegboard myself,
it took a really long time and a lot of swearing to get everything up and like
stable and like, you know,
not actually pulling the walls out while I went along.
So yeah, it was great.
It was a great experience and it's actually a really versatile space.
I've already rearranged it so many times so i think actually when i saw this from you i was like what is that
now i'm remembering you did not make it so thank you for closing the loop on that and that it was
ikea and that on etsy it's very hackable like a lot of people are making 3D printed things for it. Have you begun to like explore the vast world of SCADIS?
Yes.
Yeah.
I have like a thingiverse like collection where I've just got them all saved.
And I definitely want to design my own.
There's a few things that I want to put on the wall that just they're obviously like a specific product that I have.
Right.
That's someone might not have also owned and wanted to put on a SCADIS pegboard.
So yeah, it's a work in progress as usual, but it's kind of that thing where like it
sort of feels like tweaking your, you know, your IDE, set up your code editor.
It's like, there's only a certain amount of stuff you should really be doing for it
before you just move on and actually use the space to make something you know and so i see it like that too not to obsess too much about it
now do you 3d print yourself or do you save these for the later date when you get the printer what's
your what's your uh experience with 3d printing yeah so that's a 3d printer right behind me the
one with all the stuff stuck on it it's also like my post-it note board because it's just a big sheet of Perspex.
It's got an enclosure on it because it's also a laser cutter and a CNC machine in one.
So it kind of needs that enclosure around it.
I mean, I've been in the 3D printing scene since I think 2009, 2010.
Dang.
Forever, basically.
Yeah, kind of when I got started as like a consumer at home sort of thing.
And, you know, I released my own jewelry line, 3D printed jewelry line and all of that.
And then since then, it's become much more sort of utilitarian for me.
Like I use the 3D printers to solve my problems or to print like enclosures for my electronics
projects and stuff like that.
That's sort of why I also got
it because being able to custom make parts is just very satisfying, especially if you're
interested in certain hobbies that require it. What kind of problems are you solving?
What kind of problems do you have? Well, right now I'm working on a silly project as usual.
And so I want to be able to mount that project to the wall actually and have sort of, you know, a little screen on it
and some buttons and things like that.
And so I can kind of 3D print this sort of plastic interface
to hold the rest of the project and to mount it onto the wall.
So that would be an example.
But then I also do boring stuff like I have a set of drawers on my desk
and they sort of had little like holes
drilled in the drawers and you just put your finger in and pull it out and it just got really
annoying because if you've got stuff in the drawer like your finger hits it and things like that so I
just ended up printing some drawer knobs that work really well for that set of drawers and so you
wouldn't even know that it was 3D printed I color matched it exactly and things like that but
there's a lot of invisible things around here
that are just really satisfying as well
outside of the more exciting stuff.
Always with the funny, weird, offbeat projects going on.
So for our listeners' sake who may not know
that we've known you, Suze, for many years now,
I think we met at OzCon perhaps.
We did.
Yeah, we took the selfie that we all took together. Oh, nice.
Yeah, I was really excited. And that had to be
like 2017, 2018,
something like that? 2018. Yeah, July.
There you go.
Was it in Austin? No, it was in
Portland. Portland. Okay.
Yeah. And we had you on the show.
Was I on the show, like, in the expo
with you guys?
You did a quick recording there because I think we'd done a show before,
but then that was the first time we'd met in person.
Yeah, that sounds about right.
We had you on the show just cold email style and then met in person there
and then did another show.
Maybe it was part of a, we call them anthologies,
where we just put together a bunch of interviews from a show.
And I
do recall that. And then after that,
I was like, we've got to get,
we've got to hang out with Steve's more often, so I invited you
as a JS Party panelist, right?
That was really fun. And you did something like 40
or so episodes on JS Party
for a couple of years.
And we were, so we got to know each other
and we were friends through a couple of transitions
in your life. And then, I mean, it to know each other and we were friends through a couple of transitions in your life.
And then, I mean, it was Microsoft
and then it was Stripe.
It was New York and then Seattle.
Or what was the other way around?
You can remind me.
No, you've got it right.
Okay, I do.
New York and Seattle.
Yeah, that's right.
I guess Microsoft would be Seattle.
So yeah, New York, Seattle.
I remember Stripe.
And then Visa issues. I'm not sure how much you want to go into
any of that, but you're obviously from
Australia. Anyways, we didn't talk for a couple
of years.
And then I emailed you like,
let's catch up. And then I realized you haven't
talked publicly online
very much in the last couple of years.
Not Twitter, your Twitch stream, which was
one of the things that made you most well-known.
Doesn't look like you streamed for a while unless you have a new twitch account and
now you're back in australia so as much as you're willing like tell us the story what what's the
last couple years been like for you it's interesting you say that because like it's sort of like
someone else narrating their interpretation of it it's actually really interesting it's not
inaccurate it's just um it's just like me putting it together from what I can gather,
but have no idea.
I have no idea what happened.
So,
yeah,
I know.
And it almost feels like my goal,
the goal I set out to achieve was actually successful based on what you
said.
Yeah.
I don't know.
So,
you know,
we all went through something pretty big,
which was the pandemic.
Right.
And I think I stopped doing JS Party around then like 2020 and I actually really miss it a lot but yeah we talked about sort
of why I stepped away for a little bit off the record and so since then honestly it's been kind
of hectic um I was just having you know running into so many immigration issues and with the
pandemic and the previous administration everything just got many immigration issues and with the pandemic and
the previous administration, everything just got really difficult to stay in the US. And
I found myself with fewer and fewer reasons to stay in the US and more and more reasons to just
come back like home, which is where I consider my cultural home to be, which is Australia, right?
And yeah, there were just a bunch of goals that I wanted to achieve
that I couldn't unless I had some kind of permanent residency
or citizenship in where I was living, right?
It was really just a paperwork thing as well as obviously
a cultural decision.
And so, yeah, there were just things I wanted to do.
I couldn't do them.
I got sick of putting my life on pause.
So I started taking a step back very gradually.
So I stopped streaming around the time I decided that I was going to spend the next year sort
of trying to find my way back to Australia, but sort of established myself in a smart,
grown-up way where I'm, you know, obviously being able to do things properly and, you
know, in the least stressful way possible.
So I started pulling back more and more.
I was going through college at the time too, and that was taking up a lot of my time and it was
actually something that I was really interested in and having a great time with. So I also wanted to
step away from Twitch just to give myself a bit more time to study and things like that.
So yeah, so over that next year, which would be from 2021 to 2022, because I think I gave
up streaming in 2021, like May, I bought a house.
I graduated with my first ever degree in my life, a bachelor degree in cybersecurity.
I found myself a job that I could work remotely here that was based in the United States,
you know, sort of like just planned everything, planned my exit.
Because once you've lived in a country for more than a decade, you do have a lot of roots,
right?
There's a lot of bank accounts and all these other things that you have to deal with, right?
And taxes and planning and that kind of thing.
And so I just did a lot of administrative stuff behind the scenes
and packed all my stuff up and put it on a boat and all of that.
So it was just a very tumultuous year, but I managed to move back here
in the middle of 2022.
And since then, honestly, I've just been so busy reestablishing myself
that I haven't really wanted to be in the public eye while doing that,
public eye, so to speak.
So just been taking
some time for myself and to reflect because this is a pretty big life change for me too right so
I just wanted to be able to do it in reasonable privacy and have some space to do it so yeah
sounds like you did it though it succeeded yeah it's been two years now so I think I've been able
to reflect back I think it was a really tough two, but I'm sort of settling into a good place
and feel like it was a good decision in the end.
But yeah, you sort of have to trust the process, I guess.
So yeah.
Trust the system.
What was the hardest part to step away from?
It seems like maybe your Twitch stream,
because there was a lot of people that just loved to hang out with you every week.
And that stream, which I watched it a few times over the years,
was very intimate and seemed like there was a lot of friends there.
They probably missed you when you decided to stop.
It was really nice, actually.
That was hard to step away.
It was an easy decision for me to make just because I'd been doing it for five years.
I didn't start the stream to become famous or to make lots of money
or to get attention or anything like that.
I really did start the stream because I wanted to connect with people and sort of
show them what it's like to work on open source and show them that JavaScript hardware is
really not that difficult.
You're still, you know, writing JavaScript.
It's just a slightly different context.
And so it wasn't, I have struck up some really lovely friendships with my mods and with a
lot of the people that were contributing to the repos that I was sort of reviewing on on stream and everyone I just had such an amazing
experience with it over five years but it just felt like it was time to step away so it was an
easy decision but obviously I missed that weekly community right it was just really fun to have
everyone in the chat but it sort of wasn't something that I was relying on as an outlet, you know, to like seek approval or, you know, compliments
or anything like that.
So it just felt like it got to a point where it was too popular for me, to be honest.
It's not as if I was like the people that get millions of viewers, you know, in esports,
but 300 people on a Sunday morning is a lot to handle, especially for my mods too. And I would
say that that was just too successful for me. It's just, it broke outside of the tiny community that
I would have been happier with. And we were getting less and less productive as a result too.
And I don't know, it just, it it bothered me a lot I was starting to lose
a lot of privacy and I was just starting to feel that it wasn't really I wasn't really streaming
for myself anymore I was streaming because there was an expectation too that got really serious
really quickly I'm sorry but like it just I had such a nice time but it after five years it really
just felt like you know I just I think that I go through a lot of change as a person.
And I think I was just ready to, you know, pull back a little bit.
It's hard to show up whenever you feel like you have to show up.
Not when you want to show up for the right reasons or even if you want to, but you get to perform versus just create and explore.
We're seeing that on youtube over time there's lots of cycles where
long-time youtubers will step away because they feel like they have to serve the algorithm not
their creative selves or their audiences sort of like have an expectation and they will publish
something or put something out that is like off from center from what their normal content is like
hey can
you get back to talking about this thing that i expect you to come on monkey dance you know
kind of put the quarter in kind of thing and that's kind of bad when it comes to
because you kind of it's kind of a double-edged sword right you you get out there and you do your
thing and then it's like well you're kind of popular or you have some version of popularity
and that just kind of like compounds and morphs and grows.
And some people like us, Jared and I, grow into a business and we're fortunate and we show up and we like doing it.
And I think there's a part of our job even, Jared, that is chore and also very much love.
And that kind of comes with anything.
At some point it becomes toil, right?
How do you stay in the game and love the game and kind of keep that privacy that you want to when you're famous or at least
internet famous yeah i know like famous is kind of this very highly contextual thing and like what
we're talking about is we're all nerds and there's like we have x amount of nerds who
want to interact right or like watch your stuff
or listen to your stuff.
So I think you two are very well poised to talk about this again
and like because you do so many of these recordings too,
I can imagine there are days where you're just like,
I just don't want to show up.
I just don't want to do this at all.
But it is really rude when you have people expecting you
to conform in a certain way.
You know, it's like that monkey dance sort of thing.
And I think that where I was really fortunate was that because I didn't rely on it for my livelihood, and again, like I wasn't doing it for, you know, to feel like I was worthy
or that I was like cool or anything.
It was just so easy for me to step away because, you know, as soon as it's not fulfilling in the intrinsic way for me, it was just way easier for me to walk away.
And so I think I'm thankful for that.
But I think people didn't really understand at the time why I did it because I think a lot of people aspire to be popular or famous or have people say really nice things about them and follow them online.
And I've never given a – I've just never cared about Twitter followers or amount of followers or amount of this,
blah, blah, blah.
And I think that some people project those values on you because they have them and they
look up to you and see you as having achieved something they want to achieve.
And that also made me feel uncomfortable too.
And so it is a lot easier to walk away when, you know, you compare it to YouTubers who are doing it full time and they need people to watch to make the money, you know, from the advertising and things like that.
And so I think that's a really hard place to be in.
But, you know, it's not something that I super relate to just because, yeah, like I can kind of do what I want, if that makes sense.
Why didn't you start it?
What was your internal intrinsic motivation to begin with?
It's sort of what I said before, which was,
like I saw my friend Nolan Lawson do a stream of him maintaining PatchDB.
Remember when the offline sort of stuff started coming up
in local first and all of that.
And I have open source libraries that I maintain,
but like really small, you know, like just very small activity on them because they're very niche.
Whereas, you know, PatchDB was something that was being used by a lot of large companies,
but also small startups and individuals. And so watching Nolan just, you know,
maintain open source in his way and go through the issues and triage them and like bug squash and stuff. Just thought it was so interesting because it was a totally different
open source experience that, you know, to me. And I was like, that's so cool. And I remember thinking
maybe this would take a lot of the fear out of, like, I just, I was already doing public speaking
and I was already finding that people were putting me on a pedestal and I absolutely cannot stand
that because I think that it's very self-defeating and if you want to do things you should just do them
and you shouldn't let others you look up to make you feel like you're not good enough to do it and
things like that and so I already didn't like the reaction and the way I was being treated by others
just because I was up there at certain conferences giving talks and so I thought I'm just going to
show people that I'm just literally like everyone else. I sit in my code editor and I stumble and I do typos. And also, again, it's, you know,
the JavaScript hardware stuff seems intimidating, but at the end of the day, it's writing in the
same language that, you know, you write in for your job, if you're a front end developer or
full stack, you know, sort of Node.js web developer so um yeah it was really
just demystifying stuff because I I benefited so much from Nolan's stream that one time I was like
geez this is fascinating and I just really wanted to help dispel a lot of that and then ironically
I ended up even more on a pedestal for my stream which you can see now why it was so frustrating for me where
i was like cool that just made everything worse and i don't i can't control how people are going
to treat me right and that was a lesson that i learned you can't control the narrative in that
way you're just not going to be able to so yeah there's a weird psychological thing maybe adam
you know more about this than i do from your brain science studies but there's something about confidence that comes from not caring that actually like refeeds the same loop
you know like even with attraction where it's like the person who's not desperate it ends up
being more attracted attractive to other people because of that mere fact that they aren't and so
there's something about that with i think confidence as well where
it's like the fact that you weren't there for these ulterior motives is actually even cooler
than if you were and it's like that feeds back into the coolness factor
you guys understand what i'm saying here i don't know how to describe it very well but there's
something to that isn't there adam i'm just not sure if confidence is the right word. I'm not either. I'm just talking.
I'm not very confident about this.
So this might blow your mind, but I learned this recently.
The confidence is memory of past success.
So you have confidence and you move with confidence, I suppose,
to use the word in the description or the definition.
You can't do that. It's illegal.
It's illegal, right? It's illegal.
Confidence essentially
is memory of past success. And so I'm not sure that translates, if that's true, if that translates
like that, but maybe self-assurance. I think that when you're secure as a person, secure in who you
are, secure in who you want to be, your identity is intact. You're not wayward with who am I,
what am I, why am I? I think it's a little bit easier to
be more steadfast and strong in those regards. And that is an attractive trait, obviously, or traits.
Right. I think self-assurance is a good way of describing it. And I think that it does take that
in order to go live on the internet and code in front of strangers. I mean, you have to have some
self-assurance because they're going to be watching near every move, right, Su strangers, I mean, you have to have some self-assurance
because they're going to be watching near every move, right, Suze?
I mean, the fact that you're okay with just making mistakes
in front of people requires a certain level of self-confidence.
Ah, not confidence, I guess.
It's okay.
I'm still going to stick with it.
I think it's self-confidence.
It works.
It's challenging as well.
Yeah.
It's a podcast.
That a lot of people don't have.
I mean, or you have to build it.
Even your, what about your keynote speaking,
like speaking in public and stuff?
Are those things that require practice, nerves,
like all that kind of stuff?
Or do you have similar lack of fear in that area?
I thought I'd call it a story.
Stu, did you tell us a story about a speaking engagement?
Was it private that you told us the story? Or is I'm remembering the wrong person? I feel like you told us a story. Did you tell us a story about a speaking engagement? Was it private that you told us a story?
Or is I remembering the wrong person?
I feel like you told us a story, you were nervous when
speaking. Does this
ring a bell to you? No.
I mean, I get nervous when I'm speaking.
I just don't think I told you this story.
I'm not just like, no, I don't care.
Yeah, like, no, I don't get nervous.
Maybe, I mean, so I was really
nervous when I gave that keynote at OzCon,
the same OzCon I met you to, because they said you have eight minutes.
And then I came up with something super ambitious as usual,
because to me, that was a pretty big opportunity
to give one of the opening keynotes at OzCon.
And I wanted to, and somebody had recommended me,
so I also was like, oh my God, their reputation is at stake.
And so I took it extra seriously.
I take all my talks seriously, but I took that one extra seriously.
And you can see in the video, my hands are just like this.
Because they had to zoom in.
Was it live coding or was it scripted?
I remember there was a demo.
Was it live coding?
It was live coding and it was semi-scripted.
So I had almost like a dice roll thing where I rolled the dice and it chose like a sensor and
then like some kind of output, like a motor or a screen or something. And then I had to come up
with an idea in between. And to be honest, it wasn't super planned. I just knew that I'd be
able to remember how to interface with every single device that I'd brought along with me, right? And so it really was
actually unplanned. And the two things that I ended up rolling were actually random. I remember
re-rolling just because the first one I was like, I just, I'm not feeling that one. But you know,
the second one I ended up choosing. So it was semi-scripted in that there was some constraints
there, right? But I really had to do it on the spot. But the point was, I was trying to prove that, again, in eight minutes, if you know a
little bit of JavaScript, it's really not that hard to take a sense of value and then like,
you know, do something fun with it on the other side of it. But I think I ended up accidentally
intimidating people more because they focus more on the fact that I was able to achieve it.
But I was really nervous actually for that particular talk
because at eight minutes and there were, you know,
a thousand people in the audience there for the keynote.
That was my biggest audience as well.
I'm going to put this on my camera.
Check this out.
Yeah, that was it.
Oh my God.
You can hear it in my voice and everything.
It's only because I was there with a camera.
I was really into photography then.
Oh, you took that picture, Adam, huh? I took this photo.
Yeah, that was it. We can include this as chapter
two if you'd like, Jerry. I think we actually talked to you
shortly after that. I think you had just
come off the keynote. Almost directly after.
You were decompressing live in front
of us. It was awesome. It was a lot.
Because you were so wound up for it.
There's something about that moment
when you're done, where it's like
everything's better you know
like that's how I feel because I always go into I always go into a hole afterwards actually I um
I think that when the adrenaline washes off some people feel that kind of relaxation and euphoria
that they're done and for me um I sort of go into a hole and i think i'm not great at compliments and so i got a lot of
compliments and accolades as soon as i walked off the stage um people were sending me crypto
as well like crypto micropayments and stuff it was just so weird and so see people kept
stuffing me on the floor and saying you know i'm gonna put put some money in the in the coin slot
see it's all it's how it works i was getting tipped on some platform where you can tip people
and a lot of it was crypto.
So it was really nice of people, but I was getting this thing like,
great talk at OSCO.
And I'm like, where is this coming from?
And so again, when I got off the stage and people were like,
I could never do that, that's when again I was like, I failed.
I ended up just being a show-off instead of being accessible and so I fell into a hole about it because I felt that the attention that
I got was unwarranted for the message I was trying to put out so I just I just never learned that
lesson apparently but I also just cared so much about creating you know how when you go to the
keynotes and a lot of them are sponsored and they're just like oh my god like you're just
waiting for them to finish and I just didn't want to be that keynote even though technically
I did have to mention the sponsor which was you know the company I was working for and everything
but I was like I just don't want it to feel like one of those really sterile very clean you know
keynotes that are just very constrained in what people are allowed to say.
It's just doing the audience a disservice, right? I wanted to get them pumped up for the conference.
Yeah. How did you end up mentioning the sponsor or the brand you worked for at the time?
Yeah. So I think I had the easy setting working at Microsoft because you can basically choose
almost anything as long as it's a Microsoft product.
And so I was using VS Code, which at the time was almost like a cheat code for being able to get it in there. But I also think that I was mentioning something else that I was using, one of the
workbench tool sets or something that was particularly good for Arduino that Microsoft
put out at the time. And I think I also recommended another platform they have called MakeCode,
which was this really cool in-browser IDE for interacting with some of their hardware pieces
too. So I think I made mention of that at the end. If people are feeling intimidated,
that's actually a really good way to get started.
You gotta hate it when a successful keynote backfires, you know?
It sounds so ungrateful, doesn't it?
All you get is compliments and crypto.
It sounds so ungrateful, but I think that it's good to talk about this because it does explain
why I sort of seemingly disappeared. I just don't think it's for me. Again, I never really sought
the attention side of it. And it just bothers me a lot because I
am quite introverted. And also I want people to focus on my work and not me.
Sure.
And I think that's where I also struggled too. I was like, no, so I'm trying to show you this thing
and you keep putting the attention back on me. And it just, I wasn't having the conversations
with people afterwards that I wanted to be having. And so I felt kind of lonely and frustrated as well. And again, I think it's a huge privilege
to be a public figure and you don't sort of feed off the attention. And I didn't do it because I
was sort of trying to fill that sort of void for myself. But at the same time, yeah, it sort of
made me feel very ungrateful for it because I know a lot of people would kill to be in my position and I just sort of in their opinion I might have thrown everything away
so yeah it's interesting yeah I'm very grateful obviously for a lot of the doors that open as a
result of me doing this I want to make that very clear and I like that just the fact that I talked
on changelog like years ago that was because of the public work I was doing so it's it's opened
a lot of doors.
Yeah, it's really helped me in my career.
But I think they were just kind of surprising side effects for me at the time.
So it's sort of hard to, sometimes it's hard to really reflect on that as much as I should be.
So given that, what is your, if you don't care for the attention put on you when you put yourself out there and your ideas, what is your perfect world in terms of when you show up to the world and you do what you do,
what would the better or more preferred reaction be?
I think people coming up to engage about the technical parts of what I talked about, more just technical discourse. I don't know. I'm such a nerd. I just want to talk about that. And so, like, I caught up with someone recently who I hadn't seen in, like, 16 years.
We used to teach together at the community college.
And I met up with him and we went for lunch.
And he was just like, what are you working on?
And I told him about, you know, what are the projects I was doing?
And I also told him about another hobby I've picked up, which tends to get a lot of questions very quickly and people going, that's so awesome. You're amazing. You know, and they focus on me
again, but he was focusing on the tech stuff and he immediately started asking me technical
questions about the project I was working on. And I wanted that because I wanted somebody to sort of like ask questions from their perspective, which will
help me either improve the project or just talk things out, you know, almost like a rubber duck
kind of way and just like nerd out with each other. And so I think my idea would be just me
having a, just going back to the early twos like having a blog like I used to have back then
too and publishing a project and like 99.9% of the online population does not care about it but you
get like you know two or three people that are like this is awesome and like can I send you this
link to this other person who's done this thing that reminds me of your project and like I have
some questions or I think you could improve it with this that's the only discourse I really want I want it to be about the works and about people helping
each other change and improve and push things a bit further and not be about the personalities
I think that's just what I want What's up, friends?
I'm here with a new friend I made over at Speakeasy.
Founding engineer, George Hadar.
Speakeasy is the complete platform for great API developer experience.
They help you produce SDKs, Terraform providers, docs, and more.
George, take me on a journey through this process. Help me understand exactly what it takes
to generate an SDK for an API at the quality level required for good user experience, good
dev experience. The reality is the larger your API becomes, the more you want to support users
that want to use your API. And to do that, your instinct will be to ship a library,
a package, and what we've been calling an SDK.
There's a lot of effort involved in taking an API
that lives in the world and creating a piece of software
that can talk to that API.
Building SDKs by hand is a significant investment
and a lot of large companies might pour a lot of money
into that effort to create something that's like approaches good developer experience.
And then another group of a more growing group of companies will rely on tooling like code generators.
And so they're very interested in like once you make the decision to use a code generator,
you're kind of forfeiting some of your own opinions and what you think a good developer experience is because you're going to delegate that to a code generator to give you an SDK that you think users will enjoy using. robust SDKs, enterprise-grade APIs crafted in minutes.
Go to speakeasy.com.
Once again, speakeasy.com.
Have you ever considered going anonymous?
Yeah.
Yeah.
I'm actually, I'm not close to my bookshelf.
I think actually we talked about weird stuff like dead man switches and things
like at Ozcon. I'm not near my bookshelf right now in my living room,
but I have, I forget the title of the book, but it's quite well noted.
Something like how to completely disappear or something like that.
I forget what it's actually called. I thought about it a lot.
I do have an anonymous pseudonym online and I do have the domain name for it.
And I do have like, I got an artist to actually draw sort of like the character and everything.
So yes, it is a thing and it's something that I've thought about for a long time.
And I think that's what I'd like to do with certain projects just so that, you know, it's
kind of like, you know, when famous authors do like a pen name or whatever, they have
like a different name because they want to release the book
but not have it be received with their infamy.
I think it's very similar for me.
So we were talking with Chris Wanstroth a couple weeks ago,
founder of GitHub, one of the founders.
And obviously after GitHub sold to Microsoft,
he took his money and went home and took some well-earned rest time.
And during that time, he got eventually bored of playing video games and stuff,
and he got back into coding.
But he didn't want anybody to know that it was him,
because everyone's going to treat him differently,
especially on GitHub.com being defunct.
You're not going to just treat him like a regular person.
And so he went and just created an anonymous handle,
and he was contributing to people's projects
for a long time as this rando person
that likes open source.
And I think he had a lot of success with that.
Eventually he said he pulled the mask off
to a few folks who he became friends with eventually,
that he was long-time contributors to their project
that became friends and then he would tell them
who he actually is.
But he had a lot of success with that and I think that that's one way that you can get what you want if what you want
is like focus on the work focus on the technical focus on maybe my thoughts my words and not so
much on my person you know yeah 100% agree with that and yeah I feel like I am on a very similar
wavelength to him oh the book by the way is called, the book, by the way, is called Extreme Privacy. Okay.
And then the byline is something like how to disappear or whatever.
You could be like the Banksy of the programming scene.
But that's the thing.
But now he has infamy, right?
And people are going to find out who he is.
Right.
You just can't ever pull the mask off.
That's all.
I just have to do really lackluster projects as well.
Yeah, you just have to suck more, you know?
Just don't be good.
Sorry for my spit take.
That was so gross.
It's wild to hear this because so many people,
I don't really know why, I suppose,
or what is drawing folks to this desire,
but a lot of young kids, I have young kids and so I'm
seeing them grow up and I'm seeing the friends that they are making and friends that I'd like
them to make less friends with and I just see their influences and they're younger they're not
like in their teens they're younger than teens and I have an older daughter too and so she she's in
her 20s and I'm seeing this you know shift between different folks for a
while there people want to be youtubers they want to be instagrammers or whatever this thing is they
want for some reason this spotlight even at a young age and I'm not really sure what exactly
it is that attracts them there I suppose it's the opportunity of various influence but i think even
at a young age i couldn't imagine having influence in in my 20s like if i was influential in my 20s
like wow the world would suck a whole lot more less or more it would suck more than it already
does and it's not it would not be have been a positive thing for me to have any sort of primary
influence on the world in my 20s right it's so strange that people seem to chase some version of fame or influence.
And that's wild.
I don't find it strange.
I mean, I think it's pretty common, right?
I mean, strangely common.
The desire for fame and fortune is like deep down inside of us, isn't it?
I suppose, but it seems like it's a cultural norm where it's dramatically more than there was.
Like I, let me think of when I was a kid, let me show some of my cards.
I desperately wanted to be a ninja when I was growing up as a kid, right?
And I think that's maybe a character.
I wasn't seeking fame.
Now, I can also say that for a long time there, I said I wanted to be a corporate lawyer.
And the only reason was because I thought I could be rich.
And I didn't know any better.
I was young.
Because you're a really good storyteller, right?
Something like that.
I remember this.
Other than that, I was not interested in being famous.
Were there any heartthrobs, Adam, when you were growing up and you thought,
I would love to be like him?
For instance, I can say, when I was young,
I have an older sister, three years older,
and she had friends.
And so, of course, younger boy, older sister,
sister's friends, very stereotypical, right?
And they were very much into New Kids on the Block.
This was like 1990.
For sure.
So I was eight, nine, 10 years old. And specifically, was it Donnie Wahlberg? I don't
know. I can't remember who the New Kids on the Block were. But they were heartthrobs. They'd
walk into a room and all the women would scream. And then they'd have all this money and these
cars and everything. And it's like, I wanted to be that guy. I don't think that's abnormal.
Did you have anything like that? Or you just wanted to be a corporate lawyer ninja?
Yeah, corporate lawyer ninja all the way.
I think I'll answer your question, but I think what I'm driving towards is a little different.
Okay.
And I don't disagree with what you're saying necessarily, but I'll share the story because this is fun.
This is fun stuff.
This is fun.
Susie, you having fun over there?
I'm very excited about this story, actually.
So I have five numbers for you, and I'll say it.
9-0, 2-1-0.
Okay.
So, you wanted to be Matthew Perry.
No, not Matthew Perry.
That's from Friends.
Well, either.
I guess so much either.
But Jason Priestley, I was like, if I could be that.
Or he's Jason Priestley.
That's his name.
Yes.
If I could be him, my life is solved.
Because of the sideburns.
Sure.
The wavy hair.
I don't know.
All of it.
California.
All of it.
Yeah.
You know, pick a.
They were very cool.
They were extremely cool.
They were very cool.
They were cool.
And what an interesting TV show.
What an interesting premise to even reflect on mentally right now.
But I think what I'm talking about
is different than that.
And maybe it's different
but kind of the same.
And I think what I mean by that
is that it seems like
kids are really into Jordans.
There's like shows about Jordans
like, you know,
pawn shops,
getting them people
trying to stand.
Yeah, like, you know,
that's always been a thing.
Jordans have been a thing.
But I think there's
a lot of people
trying to show off
the things they do on the internet, primarily on YouTube.
Everything from really cool Lego building, which is like super admirable, very engineering focused, a lot of opportunity if you chase it, to Lego cooking.
Who watches Lego cooking?
Lego cooking?
Lego cooking.
Never even heard of it.
Suze, tell me.
You're with me on this.
I'm sorry. I've never heard of this. Oh, me you're with me on this i'm sorry i've
never heard of this oh gosh okay so you cook legos no when you go and you find out lego cooking
you're gonna be like oh yeah this is the coolest it is stop motion film the person cooks it's just
stop motion film it's very artistry cute okay and they make everything so they take a hatchet and
cut something and it's lego inside like it's all lego everything's lego everything's lego okay so
that's cool stop motion video i love it i just feel like all this stuff like in this media is
is getting people to want to they see the people they look up to be famous through platforms right
and so it it's obvious like 90210, Jason Priestley.
Although I didn't want to drive a Corvette and I didn't want to be any of those people.
If I could do that, I would have arrived.
Suze, who did you want to be when you were a little kid?
Did you have any?
Yeah, it's a really good question.
I don't really remember.
I'm sure I had them.
Yeah.
Mostly, so I was very unpopular in high school.
So any female pop star, I just wanted
to be as attractive as them more than anything, because, you know, I think that everyone, I think,
latches on when they're young to what their model of power is. Right. And so, you know, I think these
days having a YouTube channel, making lots of money and then being able to have the freedom to
do what you want with that money, that's power. Right? And so for me, you know, when you grow up as a cisgender woman,
you are told that your power is in your looks.
So I don't know if I looked up to anyone specifically and wanted to be them,
but I remember just thinking, like, I would probably not be treated
as poorly as I was if, if you know if I looked more like
Britney Spears or something like that right um yeah so sorry that was a very disappointing answer
but I just honestly I don't remember if I if there was anyone who I wanted to be that's fair
what did you say something of power remind me the just said. I just think that everyone has their own idea of
what would give them power and how to actually get there. And I think power is a lot of different
things, right? It's the ability to influence. And so, yeah, like I just think that people
latch onto a certain form of power that they want and they think that they have a chance of sort of
being able to acquire. But yeah,
I think, you know, when you're a teenager, you're not quite moved out. You're not quite, you know,
a kid anymore and you're trying to have more control over your life and you're trying to
establish your identity and things like that. And I think that's a very influential time and
formative time. And I think that's where you sort of really start thinking about power in a grown-up way as well and how to acquire that power so I'm glad you mentioned that because I think
that's spot on because I think you may have answered my question which is what is the reason
why I don't really think it's super strange behavior Jared to want to be famous but I think
it's kind of strange that it's so it's so pervasive it's so out there for everyone it seems at least
and i could be you know just being hyperbole but i think you're right is that when you're especially
when you're younger teens 10 to 16 you're trying to assert yourself you're trying to assert your
any version of dominance regardless of gender you're trying to showcase that you can control
situations or be in control of your own life and your own destiny and you're trying to direct things.
And I think that that probably is a reason.
It's like, well, if I have this, then I have power to assert my beliefs, my ideas, control over my future, etc.
I think we just see it more now because it's so easy to put yourself out there.
Whereas,
you know,
you go back to when we were children and those people who wanted to be famous
while they had to go move to Los Angeles and wait tables while they did,
while they did all these tryouts and stuff.
And like their failures weren't public.
Like they were just,
they happened,
but we didn't see them or their desires
to be that thing. Nobody knew that I wanted to be Donnie Wahlberg or whatever his name was. I
actually, more than that, that was just, I remember being like, man, girls like the new kids on the
block. I wish I was one of them. Like that was a fleeting moment. But my desire was more to be a
professional athlete, which is another route to all the exact same things, right?
Oh, wow.
And so I wanted to be either Michael Jordan or Ken Griffey Jr.,
so like baseball or basketball.
Those are actually guys that I really wanted to be.
Same with Ken Griffey.
Whereas a passing fancy was like, oh, I'd love to be a famous singer.
But I actually was like, if I could be Ken Griffey Jr.
and do what he did, that would be a great life.
And so I
actually like put effort into that kind of stuff for a while but I don't know I just feel like we
see it more I think it's more tangible to how easy it is I mean it's hard but it's also easier now
I mean there's more more accessible I think and it's yeah I think it feels more achievable like
you cannot be what you cannot see and I think if you see regular people, even Justin Bieber and Billie Eilish,
oh, they had a SoundCloud or whatever, and that's how they blew up.
I think that that story now just feels much more accessible
than the moving to LA thing.
I think you've got something there.
Should I close the loop for you, Jared, on the names of all the NKOTBs?
Yes, please do.
Jordan Knight, Jonathan Knight.
Yes, brothers.
Joey McIntyre.
Okay, the baby face.
That's right.
There's always a baby face in these boy bands, right?
Yeah, there's the bad guy.
Donnie Wahlberg may have been the bad guy.
Yeah, I think Donnie was.
And then Danny Wood.
Now when I say,
Whoa.
What does that make you think of?
Hanging tough, right?
Hanging tough.
There you go.
Yeah.
Suze, do you remember New Kids on the Block?
Were you around?
I do, but I'm a tiny bit younger than you.
So I do.
It was more.
NSYNC.
Yeah, Backstreet Boys, NSYNC.
Yeah. What is it? 98 degrees, 90 something degrees. NSYNC. Yeah, Backstreet Boys, NSYNC. Yeah.
What is it?
98 degrees, 90 something degrees.
Oh yeah, 98 degrees.
Blue.
Do you remember Blue, the UK guy?
I'm blue.
D.I.
No, no, no, not I-465.
There was a UK group called Blue, but anyway.
But I do remember like Wham as well.
And like, so I'm an 80s girl.
So I do remember a lot of that stuff.
It's just by the time I was sort of at that impressionable sort of you know like tween stage it was backstreet boys and
things like that that was actually more my timing as well it was my older sister that was new kids
on the block so i just i think i was more i had them at a younger age but yes in my formative
years it was in sync and Backstreet Boys.
By then, I didn't look up to those guys.
I was just kind of annoyed by them, although there is some talent there.
But thanks for closing the loop, Adam. Now please move us to a new loop before we start singing again.
Yeah, I'm not going to sing again.
I just had to put that.
I hummed, basically.
It was not a sing.
Hey, friends. I'm here with todd kaufman ceo of test double you may know test double from friend of the show justin serals so todd on the home page for test double you say
great software is made by great teams we build both that's a bold statement yes we often are
brought in to help clients by adding capacity to their teams
or maybe solving a technical problem that they were, you know, didn't have the experience to
solve. But we feel like we want to set up our clients for future success and the computers
just do what we tell them. So, well, at least for now, we try to work with our client teams to make
sure that they're in a great state, that they have clarity and
expectations, healthy development practices, lean processes that allow them to really deliver value
into production really quickly. So we started a lot of our engagements by just adding capacity
or technical know-how. We end a lot of our engagements by really setting up client teams
for success. Very cool, Todd.
I love it.
So listeners, this is why Edward Kim, co-founder and head of technology at Gusto says, quote,
give Test Double your hardest problems to solve, end quote.
Find out more about Test Double's software investment problem solvers at testdouble.com.
That's testdouble.com, T-E-S-T-D-O-U-B-L-E.com.
And I'm here with Farash Abugadije, founder and CEO of Socket, socket.dev.
So Farash, you put out this fire post recently on X.
And I'm going to paraphrase.
You say the XZ package backdoor was just the tip of the iceberg.
Give me just a peek behind the scenes of this incident and what you mean by it's just the tip of the iceberg. Give me just a peek behind the scenes of this incident
and what you mean by it's just the tip of the iceberg. Yeah, so I think the XZUtils backdoor
was really eye-opening to a lot of developers. It showed the vulnerability of the open source
ecosystem. You had this maintainer who had been tirelessly maintaining this package for 15 years,
who was targeted by nation state actors who created like literally it's like
a spy movie right they had multiple personas fake personas that were contacting this poor maintainer
and uh you know working on him psychologically to convince him over the course of two years to add
them to the repository and give them publish permissions and they did this through us through
a bunch of kind of negative messages but also by being helpful and by sending good positive pull requests. And what they were
able to do is get access to this package. This is built into pretty much every Linux server out
there. And what this would have let them do is it would have let them SSH into any server and run
any command without knowing the password, without being authenticated to the server. So this would
have been like a world ending potentially kind of an attack, right?
It would have been probably the worst attack we've ever seen.
I'm not exaggerating.
It could have been that bad.
But we were lucky.
Through a total accident, this backdoor dependency had made it into the beta builds of some popular
Linux distros.
And a developer who was testing out the beta versions of these linux distros noticed
some some weird weird behavior he noticed that his ssh connection was taking half a second too long
and so he he pulled the thread and traced it back to uh this this backdoor dependency and we were
we were all saved because of this total accident it's mind-blowing to me in a couple for a couple
reasons like one obviously like wow there's so there's there's literally states out there countries that are that are trying to target
open source now, clearly, there's like a team behind this, they probably didn't just work on
this one dependency, they were probably working on getting access to many other ones in parallel.
If you just look at the time between the emails they sent to the maintainer, they were about a
month between some of these emails. So they were probably working on other maintainers and trying
to get access during that time. So that's really scary. I also think it's pretty scary to see kind of the fact that it took an accident to find the attack.
It makes me think like, how many have we not caught as a community? How many have we missed
if this one was caught by a total accident? It was eye-opening to a lot of people and it made
people realize that there really is a threat in the open source ecosystem. And it's not because
most people are bad, it's the opposite. Most people are good, but there are few bad actors out there
taking advantage of the trust in the system.
That's really where we come in.
We're trying to give every company the tools
to protect themselves from those types of attacks.
And that's what we do at Socket.
Okay, friends, go to socket.dev.
Security dependencies.
Socket is on the front lines
of securing the open source ecosystem.
Their developer first security platform that protects your code from both vulnerable and malicious dependencies.
Install the GitHub app or book a demo.
Again, socket.dev.
That's S-O-C-K-E-T dot dev. what is on your mind she's like what is it that's uh got your attention in terms of like technical
prowess exploratory are you playing with hardware still yet i did not catch your conversation with
quincy yet but i'm understanding that you're now a white hat hacker and the nsa sent you a fidget
spinner like without sharing the whole entire podcast. Now that's cool. Hold on.
Let's stop right there and talk about that.
You can go probably listen to the conversation
with Quincy, but without
literally copying what was there,
what are you into?
I was a little bit just like,
that was such a tongue-in-cheek moment in the podcast
that I didn't realize it was going to become
this big thing and part of the title and everything.
No, honestly, I went through the bachelor degree to get my cybersecurity
diploma and mostly because I just wanted like a curated curriculum, right? Because I tried to
learn cybersecurity before that. And it was just, it's so broad and so deep, you know, it felt like,
yeah, it just felt like sort of starting again. And so I went through
that degree program, just really, really enjoyed it, to be honest. And through that, you know,
through the cybersecurity club at the college I was at, you know, I got exposed to the capture
the flag competitions, which are like hackathons, but instead, you're actually hacking, right? So
they're giving you puzzles to solve and boxes to hack into and,
you know, across all the different disciplines of cybersecurity. And so I was just really enjoying
that, right? I've always been very interested in not just front end development, which is how we
met, but like just everything to do with tech. I just love learning new things and I love being
able to sort of, like I have the breadth now over the years, but I love being able to choose something and go, I'm going to go super deep for a bit and
then sort of come out and then look for something else. And cybersecurity was sort of the most
recent deep dive for me. And just, I still really, really enjoy it. And then I landed a job at a
cybersecurity company right as I was graduating, which was just dumb luck because I was putting a lot of my certifications
and CTF results and stuff on LinkedIn,
and I think that got a recruiter's attention.
So, yeah, that's sort of how that conversation
with Quincy came about.
It was just something that I'd been into,
and I'm still actually pursuing that in my spare time,
pursuing cybersecurity projects
and learnings and deep dives and stuff like that.
How do you cybersecurity?
What do you mean?
Exactly.
How do you cybersecurity?
Like what exactly is cybersecurity?
If it's so broad, I'm also sort of mesmerized and also enamored by the idea of hacking things
or being aware there's a box over there and there's some sort of vulnerability and I and also enamored by the you know the idea of hacking things were
being aware there's a box over there and there's some sort of vulnerability i've got to find it
and i there is a way in but it's up to me to find the 10 or 15 or hundreds of ways you could get in
that to me is interesting i'm not pursuing a person but it's it's very there's a lure there
for me yeah i think that's what the lure is for almost everyone getting into cyber security it's
that intrigue.
And it's kind of getting to feel like the bad guy without being arrested and put in prison.
Right.
I mean, honestly, a lot of people just say the same thing as what you'd tell to somebody who wants to learn to code, right?
Just jump in, just get going, like find some resources.
There's, you know, so many resources online.
Kali Linux, right? Spin up a VM of Kali Linux or install that. jump in just get going like find some resources there's you know so many resources on kali linux
right spin up a vm of kali linux or install that yeah kali linux spin up a bunch of vms
blah blah blah yeah exactly it's not difficult to get started it's just that it's the same thing
when you start anything you don't know what you don't know and you can just feel lost you're just
like there's all these different directions i could go in it's exactly the same as someone
learning how to code it's just a slightly different technical discipline I guess um but yeah
there's a lot of appeal in just having a go at these ctfs because it is really it is a really
fun puzzle it's like an escape room essentially kind of vibe like if you really enjoy escape
rooms obviously you'll really enjoy cyber security as well. Did you enjoy the movie Escape Room?
I haven't actually seen it.
I've seen Panic Room, but I haven't seen Escape Room.
Oh, Jodie Foster?
It might get you.
I've not seen Escape Room either.
It might get you.
What about Mr. Robot?
That's too intense for me.
Occasionally I come around to the idea of I'm going to watch it,
but I'm very sensitive as a person.
And so I actually get my friends to pre-vet most of the idea of I'm going to watch it, but I'm very sensitive as a person. And so I
actually get my friends to pre-vet most of the shows that I watch because they're like, is this
something Suze can watch or not? Because if it's a bit too full on, I either can't sleep or it's
just like, I'm not relaxing while I'm watching it. You know, like I'm not sort of there for
the tension thrillers and things. I don't get a sort of thrill out of it like a lot of people do
but I love the idea of Mr. Robot because I've heard it's quite technically accurate
so it can be really satisfying to watch I can concur with that it's very from what I understand
of how do you cyber security it was a joke to ask you how do you cyber security it was not
it was not meant to be a perfect sentence I'm bad bad at jokes, yeah. Yeah, sorry about that. I can attest that
Mr. Robot was an amazing series. It doesn't go where you think it should. You may enjoy it,
but it's very technically accurate and quite scary in terms of maybe how fragile the world is. You
probably see that now that you're deeper into it, how fragile the world can be with cybersecurity. We just had, you know, a major outage, a BSOD across the world.
And it's crazy.
Like, it's now sort of front and center to everyday citizens globally because it was a global scenario, you know?
Yeah, 100%.
Full disclosure, I just left that company.
Okay. Full disclosure, I just left that company. So it was very close to home when it happened because I left CrowdStrike in March.
And so the fact that I was on the inside, I know a lot about how the software is developed.
I know how careful the company is about rolling that stuff out.
And I do respect the company a lot, really enjoyed working for them and did enjoy learning about how a company does modern antivirus software.
And so even seeing a company that's doing so well just make one small mistake,
I think that what you're saying is a really good point.
And considering I had even more context, I was actually quite surprised that it happened,
just given how cautious I've seen them, you know,
having worked for the company, that, yeah,
even the good guys can take everyone down, right?
Right.
And so it is incredibly vulnerable and it grounded flights.
You know, it was very much like that Die Hard movie with like Justin Long where they figured
out how to, you know, manipulate all the traffic lights and all the things around the city,
right?
You'd be surprised at how few of these systems are actually well secured.
And, you know, my time at CrowdStrike, I did a little bit of work on industrial control
systems as well.
And just knowing there's like this what
is it called the seven bullet rule or something it's like with just seven bullets you can do a
lot to take down most of the you know important energy infrastructure in the united states like
i'm talking off the top of my head so i'm getting a lot of the details probably messed up but
there's this kind of like saying in industrial control systems the seven bullet theory like if you had them like could you take down
entire grids and yeah like a lot of those systems are running on old software like you see ATMs
running Windows XP right when you see it crash and it's just horrifying how fragile those systems are
and when you work for a cyber security company and you're watching customers get hacked
and you're seeing how it happened,
a lot of the CTFs aren't necessarily very contrived
as far as the vulnerabilities
that they're leaving on the machines.
They're quite realistic vulnerabilities.
They're just a contrived storyline and narrative,
but it's really not that different
from everyday ransomware attacks
and things like that, right?
So CTFs are fun.
I did those back in college.
I really loved it.
And I think working on a red team would be super cool.
I don't like the fact that at the end of it,
you just have to write this long report.
I don't know.
Maybe,
maybe the LLMs write that for you now and it's less cumbersome,
but I hated that part. It's like, Oh, now we've got to write a hundred page you now and it's less cumbersome. But I hated that part.
It's like, oh, now I've got to write a 100-page report.
And it's like, well, I'd rather just do the hacking
than you write the report.
Thank you very much.
But is that what you were actually doing?
Was red teaming and stuff?
Or what's your day-to-day?
I'm of the same opinion as you.
I think it would be very tedious as well.
Because it's not like you're sitting there having fun
on a Saturday night with a whiskey.
You're having to be very methodical as well about how you go about things.
You have to be very careful not to take down their systems.
Like it's not a sort of a realistic hacking scenario, right?
There's like there are the rules of engagement, which is literally a document you have to cover with them first.
And then you have to make sure that they're not going to call the cops on you if you physically get into the building.
But then they catch you.
And like it sounds thrilling, but it's actually quite methodical and i think it takes a
lot of the fun out of it um so i was working on a research and development team for um threat
hunting technology essentially so the human side of cyber security where you're constantly looking ahead and trying to find heuristics and like,
you know, what's, what are the latest sort of nation state hacker groups? Like what are the
tools that they're using? What are the technologies? Like how can we get ahead of them? How can we
design tools that are sort of always ahead of the curve and not necessarily just trying to be sort
of whack-a-mole and things like that.
So it was more I worked with data scientists, researchers,
you know, really smart people with PhDs,
and I'm like this code monkey, you know,
helping them prototype their ideas and things like that.
So I was definitely more on the blue team side
and not the red hat hacking.
Yeah, that sounds better actually.
That sounds pretty sweet.
It's still a game, right?
Like we were still playing the game. We just yeah on the other side of the game and so it can
be really satisfying if you design a tool that helps track down something that hasn't been
tracked down before you know um or just helps threat hunters do their job much more efficiently
so that they can you know just kind of look like these supernatural hunters.
There's just something that was really interesting about that problem that I really enjoyed
working on.
What are the various tools in the tool belt of a threat hunter?
I don't know if I can talk about the specific ones at that company.
Sure, generalize maybe.
Working with intel groups so that they can, you know, there are a lot
of intel groups around the world that, including, you know, governments who are embedded in
these groups and are operating under pseudonyms online and are actually interacting with these
groups and finding out information.
So a lot of it is intel, but also threat feeds, like being able to see new signatures and things like that.
But the actual tools themselves tend to be tools that allow these threat hunters to look at an intrusion after it's happened, be able to kind of look at the chronological events that took place, you know, and just get a holistic view of it, you know, it gets to the point where threat
hunters can look at a couple of lines of command line commands that would run on like an infected
computer or a computer with a successful intrusion, a compromised one, and they can immediately
say, oh, that's that threat actor in China, you know?
And so it's more about knowledge and knowing patterns and being able to then be incredibly agile
with being able to get ahead of the, I guess, the attacker.
What kind of signatures are they leaving?
Like what's the breadcrumbs they're leaving behind?
Is it like literally a signature?
Is it like a DAT file that's left behind with like, you know, a one-liner?
That sounds really cool.
That sounds really cool. No's not a very good hacker if they leave their signature behind,
you know,
or they leave a file that says,
you know,
don't delete me.
Read this.
But he was Banksy.
It was somebody named Banksy.
It can be everything from,
did this person switch to a specific language keyboard?
It can be the specific actual hacking tool. So for example,
let's think of a hacking tool like Bloodhound or Mimi Cats or something like that. You know,
what specific tools are they using? And in conjunction with other tools, it can also be
things like, okay, does this country have a major national holiday? And was there zero hacking
activity on this machine that day?
And then it resumed the next day.
Okay, well, maybe they're located in a specific country then,
which narrows it down to a smaller collection of threat actors, right?
And so there are all these little sort of bits and pieces
that come together and a threat hunter needs to be able to find something that that happened piece together what actually happened and be able to inform
future you know um detections how do these threat hunters get access to this the infected systems
without fear of additional hacks?
Or is it like the Heisenberg effect?
By inspecting it, you're actually modifying it. And so how do they, is it like clone a snapshot of the disk
and work with it offline?
Or what do they do in order to actually go about their work?
Yeah, so I think you're also thinking of things like forensics.
I am. I think that's probably more the appropriate discipline threat hunting is not exactly quite like that um it's more sort of data sifting than anything um and so i'm just being really careful
about my nda right now i knew can tell like there are certain things I'm sharing that
are very vague because I don't know what would be considered proprietary information. I don't talk
about this topic very often. So it is very difficult for me to delineate that. But yeah,
I think you're talking more about forensics and that's something that I learned in
college, how to successfully image a hard drive without actually changing a single bit,
which is harder than it sounds. It is. And I think this is also a lot of incident response too. So
incident response and forensics are a little bit different to threat hunting in that they tend to
be doing the hands-on work and actually getting into the machines and doing that. I think threat
hunters are taking information after the fact that's being collected and they're not necessarily doing that work so yeah like i said cyber security is
really broad and so you can split these skill sets out into different focuses yeah i definitely
was categorizing forensic people with threat hunting but I assume they would be operating at least in similar time frames with regards to a breach.
How do they get their tasks?
Are they just sitting in JIRA getting threat hunting tasks?
I'm just joking, of course, but how do they get their missions?
How do they know what systems?
Are they active in literal crime scenarios?
Are they working for folks like the NSA and the FBI
or private companies like you were?
It's usually like a self-destructing letter, isn't it?
Ten seconds, and then it self-destructs.
There are threat hunters at private institutions.
So for example, CrowdStrike threat hunters
are actually threat hunters for hire.
So they work with companies directly.
And, you know, if you look at the product offering online, it's called Overwatch.
There are different tiers of it where they'll even give you, you know, briefings on the
latest threats to look out for and things to maybe specifically look at for your industry
even.
So, you know, if this company is a financial tech industry
and they're working with CrowdStrike, the Overwatch team,
the threat hunters can, you know, give actual briefings
on what they're seeing as trends in that financial industry
based on attacks on other companies that are similar to them.
And so the threat hunters do a lot of different services.
And so it's going to depend on whether you're in the private
or public sectors to like what tools you use as well.
So I'm sure that there are teams that use Jira to keep track
of intrusions and dump a bunch of data in there.
But I think that a lot of these tools tend to be very proprietary.
And so, you know, they've been designed and developed and incrementally you know improved
based on the specific kind of work that these threat hunters doing at their institution
that's all i can say yeah what's the best way in to get into this this layer of cyber security
whether it's threat hunting or you you know, looking at signatures or
something like what's the, is it go to school for it or just get steeped in it, find a community?
What's the best way in? It's exactly the same as coding, really. I think if you know what you want
to do in cybersecurity, such as threat hunting specifically or forensics or something like
related to that, I think that makes it a lot easier. What you can do is just try and look online for resources,
for free resources, or you can actually enroll
in some certification programs as well,
which will give you the foundation so you kind of know
where to go from there and obviously taking part in CTFs.
So the Codebreaker CTF that NSA puts out,
the National Security Agency of the United States,
we all can have complicated feelings about that company.
I just want to sort of like, you know, preempt that.
But they have a CTF every year called Code Breaker, and it's a reverse engineering competition.
And that's where I sort of got the fidget spinner from because I took part in it and
I sort of placed at a certain level to get a fidget spinner.
But that particular CTF I would recommend for threat hunters because there's a sort of fictional
narrative they put out as part of the CTF and they keep drip feeding you all of this additional
evidence of a breach and you're supposed to unwind what happened. And so the one that I
participated in, they were giving you everything
from compromised Docker containers to network logs to, yeah, like Wireshark PCAP dumps showing
network traffic. And so you had to reverse engineer a bunch of binary executables. You had
to figure out how the Docker container got compromised. Then you had to reverse engineer the protocol that the threat actors were using on the network.
And then you had to kind of then hack back into their computer to find further evidence,
you know.
And I think being able to sift through evidence like that is probably the best skill to practice
when it comes to wanting to get into that side of cybersecurity.
How much does that draw out your coding skills i imagine quite a bit as you go through that stuff because
there's so much tdm otherwise yeah i'd say i had a huge advantage in a lot of the cts because i
could write simple scripts even right so let's say you get a giant apache log file right and
like it's a pretty structured log file, right?
And so you can use, you know, bash one liners,
you can use orc and you can use like truncate and unique
and all of those command line tools.
And you can just kind of like glue something together.
But if you want to do something a bit more complex,
that's where scripting just really comes into its own.
And so during the CTFs, I was writing all sorts of different scripts to filter things and to count things and to accumulate things. And
also there was one time where there was something was encrypted using RSA and it was kind of hard
to find a tool online to just like dump the text in and decrypt it. And I think that was the point
of the CTF. They were trying to make it difficult. So I was able to just write a quick JavaScript implementation of the RSA algorithm that sort of
like brute forced through and figured out the key. And they obviously gave us a weak key because
otherwise you need like a quantum computer to crack it. But that was so advantageous. Most
people either didn't solve it or they had to find a tool online that only let you put in one character at a time to crack it whereas I had it written in you know like maybe 10 minutes and it was done so
it's a huge advantage I think being able to code but also you you understand how computers work as
a foundation right and that gives you a really good intuition for solving problems like I've
seen people who have come into cyber cybersecurity but not having an IT background
and there's a certain intuition that they're missing
where you can infer things from certain pieces of evidence
and even the Docker container thing,
like I was able to just jump in,
whereas a lot of people were like,
I don't even know how to run this thing.
I'm going to have to spend half an hour an hour
learning Docker.
So I've always had a huge advantage in CTFs
because I do have that coding background.
Yeah, it's a lot easier to know what to look for in an Apache log
if you've actually managed an Apache web server for a while
for whatever reason.
Or it's a lot easier to use Docker if you use Docker
and all these things.
I mean, maybe that sounds obvious,
but when you lack that context,
you really are poking out a black box, you know?
And you're just like,
you can't really get in past the surface very easily.
So were you on your own or as a team?
That particular one, Codebreaker, it was very strictly by yourself.
And so I think there were 10 problems and I made it to problem eight.
And that's where I felt that I was hitting a ceiling, right?
It was very specialist reverse engineering like I ended up looking at the solution afterwards from people doing write-ups and I was like I never would have
got that you know that you had to sort of do this weird um you had to roll the protocol correctly
but then you also had to kind of plan to buffer overflow in order to sort of get through it and
I'm just like I was like I know how to do toy buffer overflows when the conditions have been presented to me in the
correct way but i can't actually sort of you know it's a lot harder for me to do that because i
don't have a lot of practice with it so yeah yeah that's as far as i got back when i was in school
was like i understood how they work yeah and I could recreate one given certain circumstances.
But if you wanted me to actually go in
and execute arbitrary code,
like with the no ops sled and stuff,
like I don't know how long to do this thing
in order to land in the right spot.
Yeah, yeah.
And like, how much do you keep going
until you give up?
Because you're just like, just one more,
just one more, you know, one more nop.
And so in the end, the solution was to use a,
was it called a RopChain as well, right? So using gadgets, using assembly gadgets after the
knob sled in order to then like return to C or whatever that, so that you could then run little
snippets of the assembly code that were present in the program itself to get what you need.
And so I looked at that and I was just like, yeah, there's no way I'd be able to assemble that.
That's something that I want to practice that
for next time sort of thing.
Yeah, that's some expert level stuff right there.
Us mere script kiddies can't go there.
We can just run the script.
Well, it was interesting because one of the write-ups
that I read was by a high schooler
and I've never felt so insecure in my life after that.
Well, that's the thing.
They're on YouTube getting impressed at a young age.
And next thing you know, White Hat Hacker for the NSA.
Yep.
You said you did eight of 10.
Is that right?
Mm-hmm.
How did you even get involved in this,
capture the flag in the first place with the NSA?
What made you find it, discover it, want to do it?
It was through my cybersecurity club at my community college college it was actually a really high quality cyber security
club I'm still in contact with them I still volunteer and help people ramp up to doing ctfs
like I'll teach them the coding sort of stuff it's like oh here's how github works so if you
need to clone down a tool that you can't find anywhere else and get it running here's how to
sort of use github GitHub in its basic form.
And yeah, so it was through the Community College
Cybersecurity Club.
They have a Discord that you can join when you're a student
and they just put, there's like specific channels set up
even for specific CTFs.
So it's almost impossible to miss out on when there are actually
CTFs going and people
will announce them and they'll also hold information sessions. And like I said, like tutorial
nights where you can go along and follow along and learn a new skill that will help you to tackle
those CTFs better. And then for the CTFs that have teams, that school would also help people
form teams as well, which was really cool. So I think that getting involved in the cybersecurity community
is one of the only ways to really know,
unless you literally Google like cybersecurity CTF list or something,
that can also help.
But most of the CTFs I was doing were the collegiate level too,
so they were a bit easier, I think.
And so that was a huge help just to get sort of your feet wet.
You're making me kind of want to get back in the game and give it a shot. It's been probably...
Yeah, I didn't know you used to do this. It's really cool.
Yeah, I had an information assurance sub program at my university. And so I spent the last two
years doing all InfoSec things. I actually did some penetration testing right out of college and between the report writing and the fact that i felt like when you audit somebody like you do
your best but you can't really say anything at the end of the day except for well we did our best
you know and it's better than not having been audited but i always was like there's like a
false sense of security that you have now which i don't feel really i don't feel great like selling that you know as a service a false sense
of security and so i realized also i wasn't that great at it like i don't have as much of a hacker's
a breaker's mind as i do a maker's mind i like to create more than i like to break it's kind of what
i learned about myself but also just that i like, I kind of went a different direction from there.
Managed some Linux networks for a while,
and that's when I found out about web development
and started doing all that kind of stuff.
And that just mapped to my mind better
than breaking in and breaking stuff.
But it was fun, and I think the CTS was the best part
because they were very much stereotypical,
drinking Mountain Dew, staying up all night,
doing all the things that happens in the movies without having to write a report afterwards or stamp
a thing that says you're secure on it.
They're just fun.
They're way more fun than actually doing it as work, for sure.
And I relate to the point
about feeling like a hacker and stuff like i always put on like the mood lighting in here and
then i'll put on the the scents and the garage tracks and you know um all that kind of thing
and like i really go all in and if it's just a weekend like you know i don't have a family so
i can just literally lock in with the mountain dew and just do it. And so it's a lot of fun.
And again, it's very low stakes, right?
But you learn a lot and you're still tickling the part of your brain you want to.
Just, yeah, like there's no responsibility, I guess, to it either.
So, yeah.
And I mean, they do design the CTF to be really satisfying too.
There's nothing more satisfying than running a bunch of checks on a company
and you're like, well, you guys are pretty good,
but we can't give you a guarantee.
It's like what you said, it's very anticlimactic,
whereas they design the CTFs to specifically be a game.
And so you do get those moments where you just miss something
and then you find out the answer and you're like, oh, you know, and then there are other times where you're one of the only people that found something
and it feels really thrilling and so i think the escape room analogy is a is a good one like the
way it feels yeah are you trying to find something like you may have said this and i glossed over but
like the goal is to find a secret or get into a certain place.
What exactly, like what is the artifact that you find?
Is it a physical or a digital physical thing?
Or is it just access?
Or is it something you take back and you show, hey, here's proof I've got this thing?
Joe, what were yours like before I go ahead?
The main ones that we did were there there was a planted vulnerability, and it was teams.
And you were attacking each other's machines and protecting your own.
I'm not sure if that has a very specific name to it, that style of capture the flag.
And so then there would be a vulnerability on everybody's network.
And the vulnerabilities were all different.
And so as a team, you'd have to fortify your network
while attacking the other people's networks, basically.
And there would be some sort of a proof, like a flag,
whatever you imagine a flag would be,
like a string of characters that you'd have to fetch off
of their remote machine in order to prove
that you penetrated it.
And in the meantime, you'd have to be trying to find whatever vulnerabilities were on your
machines in order to remove those vulnerabilities before you got hacked.
And I remember one time we did them nationally and we got hacked and we got completely destroyed
in like 18 minutes one time.
We were like had our Mountain Dews and we're ready for a Friday night and we lost within
the first half an hour because somebody was so much better than us. And I was like, oh, very, talk about anticlimactic. It's like, oh, and we're ready for a Friday night and we lost within the first half an hour because somebody was so much better than us.
And I was like, oh, very,
talk about anticlimactic.
It's like, oh, and we're dead.
So that was fun,
but it could have been more fun
if we were better at it.
That's the ones that I did.
I'm not sure.
I'm sure there's different ways
they can set them up to do different things.
Yours sounds like it was levels,
like there's levels of things
that you have to do
that you progress through. Yeah, I think I did a mix of them so i did um ccdc which is the
collegiate cyber defense competition i did that with a team and that was just the defense side
of what you just said so they do hire professional red teamers and there are you know like you know
a team from every single college that's participating.
And there's, you know, I think eight of us and you have to lock down.
They give you an incredibly vulnerable network. The gist of the story is they've just sacked the entire IT team and they've hired you on as the new IT team.
And you have to, like, basically audit the whole system, find out how it's vulnerable, lock it down.
So it's the same as what you were saying, but we don't have to attack anybody. But you spend the
first day just auditing, trying to lock things down. They interrupt you with business requests
constantly. So you're emailing the CTO. He's like, oh, I want you to look into crypto as a product.
Can you like give me a report on crypto by the end of the day or something, you know? And so
they're constantly interrupting you and trying to simulate a real business environment where
you're just fighting for your life and then yeah like you said if if they just find one vulnerability
which they will all of a sudden you've got two two trains on your console and then certain other
boxes are boot looping and you're just like oh my god didn't you just like it's an actual fire right
now and so that was a very stressful one that I did.
But the others were more about they're trying to give you experience with everything in
cybersecurity.
So, you know, there'll be an encryption section where there's puzzles.
They'll give you a bunch of encrypted text and they're like, what does this say?
And it's more about answering the questions and completing as many of the challenges as
possible.
And they're just smaller toy challenges.
And they'll also, you know, challenge you to actually get into a box,
for example, and then, yeah, find the flag and report what the flag was.
And so I've done a big mix of them.
And then there was the reverse engineering one, which was NSA,
and that's totally different again.
And so, yeah, it's been a variety.
I think I like the ones where I can just sit and tinker.
But the cyber defense one, I really feel like I leveled up,
especially in Linux.
Like the amount we spent months practicing
and running password reset drills and, you know, things like that
and being able to audit.
And, like, we had this big notebook we were all throwing notes into for each other.
And we were on a Zoom call for the entire weekend talking to each other.
And it was very high stress.
It took me a few days to recover.
But I really feel that it forced me to level up.
And I'm sure you felt similarly, Jared.
For sure, for sure.
And it definitely felt like my Linux administration skills
were peaking at that moment
because you have to know all the commands.
The heat is on, which is the way it is.
I guess I've never been on a network
that's under attack in the real world,
but I'm sure it feels a lot like that
where it's like if you have an actual threat actor
who has access to your internal network,
we're moving as fast as we can right like you got to figure out what machines they have access to how they got in
like all these things what are we going to turn off or unplug or like it is a got to be a very
stressful situation and so when the heat's on you got to know the commands you can't google you can't
be sitting there googling like how do I reset the password on this and that?
All those things kind of go out the window
and you've got to just move fast.
And so I definitely leveled up through those experiences,
even when it only lasted 18 minutes.
Those are good 18 minutes.
Yeah, but it's so satisfying sometimes
when you see you'll run a couple of commands
and you'll run who, for example,
and you see someone's logged in and then you find their process ID
for their Telnet session or SSH and then you kill the process
and you're just like, they're out.
And it's like, then you're sort of scrambling.
And so it can be incredibly satisfying.
And then you run it again and they're back and you're like,
oh, they're back.
Yeah, we ended up using Tmux and just opening all of these different sessions.
And we had Who running and Top running and Netstat and everything.
And we had them sort of self-updating constantly so that we could just keep track of it.
And everyone was assigned two machines to look after.
And that was way too much overhead as well, right?
It was just
so hard so what are the things you would look for on top like a new process id from that just
seems obscure doesn't belong yeah something that's burning up a lot of cpu too some of the tools are
really badly written so they'll they'll rise to the top of that list and you'll actually see it burning a lot of stuff so what we need is top top top the
top top top top mm-hmm I feel like we should team up and do one I need a team you know I don't have
a team anymore sis although you're uh you're you're located you know three quarters of the
way around the world for me so probably wouldn't be the best but it has been really difficult yeah
I've stopped participating in the team months now because of that,
which sucks.
The last team one I did, I actually was in San Diego for a work trip,
and so I stayed an extra couple of days through the weekend
because there happened to be one going on, and that was really cool.
Hacking from the hotel, it felt even more hacker movie.
More hacker, yeah.
Right?
From a hotel room, yeah.
Do people travel to do these a lot?
Is it meant to be in the same space, really?
Is that where the fun really is at, like co-located?
Yeah, prior to COVID, I think that was much more common.
The cyber defense competition that I did, we all did it remotely,
but if you, for the regionals, but if you make it through the nationals,
you actually go there in person and you're put in a room.
And you can only bring print books you
can't bring anything digital and so you've got Linux freaking command line books and you've got
all of these printouts of cheat sheets you're going to use and stuff and so they're very strict
and locked down and I think those can be really fun too but I mean a lot of people go to DEF CON
because there are a lot of CTF competitions there too. I went to B-Sides in
Canberra last year, which is our capital state. So there were lots of feds there as well, but they
were holding a CTF and you could just go into the room and just play the CTF from there and pop in
and do a little bit of it if you wanted to. So I think it's like esports. There are a lot of
in-person stuff. I would see it as an esport almost
they're probably doing them live on twitch you probably twitch stream this yeah a lot of people
are probably doing hack the box and um try hack me which are both like online vm platforms that
give you puzzle boxes to solve um there's a lot of people on twitch doing those even if they're
not talking they're just streaming themselves doing it is there a big big career in this? Obviously, I mean, like as we
as software eats the world and systems
morph and you've got more and more things being
obviously modernized,
is this a lucrative
or not even lucrative
since you're not chasing fame or money,
but is there a major
upside? Like if there's people listening to this thing
and, geez, I haven't thought about this or
I've got a fancy for it, but I never considered that I'm super bored in this current position
and maybe I can pivot. I think there's a lot of job security in it
because, depending on the role you're in, because it's going to be whack-a-mole forever.
There's always going to be hackers and it's impossible to
release code without vulnerabilities. There's always going to be those kinds of things.
And so it is really good job security in a depressing way. And there is a lot of money
in it if you specialize. There's a lot of really great career opportunities that again, sometimes
it can feel like you're actually doing something important as well. I think that the feeling of,
again, it depends on the role you're in, but feeling like you are preventing citizen data from being breached. Like if you work on the defense side, even the pen testing side,
you're helping companies, you know, lock down their systems better. I think there's a lot of
reward in it, even if it can be a bit of a depressing industry to be in, because you see
a lot of stuff you can't unsee. And it does make you feel more worried about just how vulnerable a lot of
systems are. It can be incredibly rewarding, I think, because it's, I think some of the jobs
are a bit more tangible. You're not just shipping things to make more sales, right? Which I've done
in previous jobs. I've worked for a shoe retailer and it's like, yay, we made more money this quarter.
Woo. You know, it's just, that's not very fulfilling for some people,
including myself.
Whereas if you're like,
I helped develop this tool that kept out the hackers
or I pen tested this company
and now they're going to be
in a much better security position.
Like that just feels a bit more tangible
and a bit more rewarding
that you're actually helping add some good in the world.
Yeah, I think it depends on where you land because i've definitely heard horror stories as well and i've heard a lot of uh infosec
industry people kind of liking it to game dev you know which is of all the software development
careers game dev is like looks like the best but is actually the worst because everybody wants to
be one and they're like the sweatshop of
developers yeah it's so crunchy it definitely depends on where you're at and yeah a pretty
depressing example of that too is if you're in forensics there are a lot of really nasty stuff
that you can have to sift through in forensics you know it's the same as content moderation
it's it's you're seeing similar things and so I'm really interested in forensics, but I don't think that I, again, if I can't
watch Mr. Robot, if I can't watch scary movies, there's no way that I can work in forensics
without feeling psychological damage from that and it affecting my mental health.
So cybersecurity has a lot of mental health problems just because of the nature of how
things are really messed up.
And I think that it's a tech community too.
So it has its own sort of toxic parts,
which we're all familiar with in coding communities as well, right?
There's just, yeah, I think that tech has a lot of immaturities
that still, you know, haven't resolved as well as they could.
And I see very similar patterns in cybersecurity, to be honest.
So, you know, it does come with a warning. could and so I see very similar patterns in cybersecurity to be honest so you
know it does come with a warning but I think given that cybersecurity is such a
broad field there are a lot of things you can do that can either keep you out
of trouble or can find your niche without really being exposed to some of
the darker parts of cybersecurity but I think that's a really good point that
you bring up it's not all sunshine and rainbows that's for sure and you can
ruin your hobby if you're not careful. Like I think that if I did pen testing as a hobby, it would
be way more fun than doing it professionally, such as like bug bounty, right? Like you can make quite
a bit of money from bug bounty. If you find a particularly bad vulnerability, you can have a
$10,000 payout. And so I know a lot of people chase that as a bit of a game or a side hustle,
and that can be really satisfying. Well, what's next for you Suze is that something that's predetermined or you're
still trying to figure it out still trying to figure it out can you talk about it or no
I can't talk about it because I don't know and I'm trying not to put too much pressure on it I
think I have a lot of options that's great and I don't want to rush into something so
just for full context and if anyone's watched my recent interview with Quincy, they'll know,
but I quit my job in March and then I focused on finishing my master's thesis.
I did a master's in education technology.
So very different from cybersecurity and my coding background.
Teaching is something I did early in my career, really enjoyed it.
I'm starting to think that it's possible I might want to go back.
But also I just found, I just thought that that was a really interesting topic for me
to study just for my own satisfaction as well.
So there's not a lot of pressure on whether or not I want to go back to teaching at community
college.
I teach technical topics, obviously.
Maybe I can do some online courses or something like that.
But there's just a, I have a lot of options, right?
Like, you know, I have a 20 year career to look back on
and I can get a coding job.
I can go into another cybersecurity role.
I can do teaching part-time maybe
and freelance for the rest of it.
I'm sort of considering my options right now,
but I've sort of, I very deliberately planned my position
to have some time off
because I am pretty burnt out right
now. So I'm trying to focus more on the things that bring me joy. And then I think it'll eventually
lead to something that will be really enjoyable and fruitful for me. So yeah. And then just doing
my own silly projects again, I think that four years of college, both a bachelor's and a master's
really took a lot of time away from me being able to be over
in this corner. Like I'm always at the, this corner, the computer corner, and I'm not in the
lab corner. And so I want to get back to that corner of the room. And then on top of that,
I'm getting my pilot's license. So that's requiring a lot of study and time commitment from
me as well. So I'm sort of trying to focus on what I currently have going on and
then I'll sort of figure it out from there. A lot of facets to you. Seriously. No wonder why
people are so interested in you. Just throw on the pilot's license and they're so many facets.
Yeah, I don't talk about it a lot because it tends to get a lot of, I think that's what I
was alluding to earlier when I said I have other hobbies and then people sort of latch onto it and
they're like, that's really awesome. And I'm like, no, but can we just talk about the planes
and can we talk about the laws and regulations? I find that really interesting, but then they just
want to be like, oh, so you're going to be a pilot. And I'm like, it's not about me. I just
want to talk about aviation. So it's the same thing, you know? But yeah, no, I, I just love
learning and I love machines. And I think that planes or aircraft are a particularly interesting human machine interface, actually.
Like I drive a manual car.
I just love machines.
And it's not just computers.
You must love knobs and switches.
Yeah, that kind of stuff.
So I'm learning in a Cessna, an old school plane, because it has all of the knobs and the vacuum instruments.
And it's a bit sort of
flying on hard mode compared to some of the more modern glass cockpits but I just love anything
that's a human machine interface and so to me the pilot made sense but everyone's like why are you
doing that and I'm like well it actually makes sense if you track all the way back to what my
interests actually are but it can seem a bit eccentric to people sometimes I think
more dangerous than eccentric in my mind you know I think about flying planes and I'm like well
what about when you're not good at it isn't that when you crash yeah I'm not very good at it I'm
not very good at it at all I've only got like 35 hours I think now but I have gone on my first solo
and I didn't crash the plane so so I can't be super terrible.
Right, you must be all right.
But here's the thing,
planes are a lot more tightly regulated as far as safety goes,
as far as the maintenance required.
And they're very strict on, you know,
after the next amount of hours,
you need to completely overhaul the engine.
And it's actually safer technically than, you know, being on the highway.
But I know with ultralight aircraft and light aircraft, you know, the danger level goes. But I know with ultra light aircraft and light
aircraft, you know, the danger level goes up a bit compared to a commercial airliner.
Yeah, the smaller the plane, the scarier I, the more scared I am.
Yeah, I'm in a four seater. The one that I learned in at Cessna 172, which is a classic
student pilot plane to learn, but it's also a very common one that you can rent
once you've got your license. So it's sort of, it's a good fit.
But yeah, there's a lot of things that can go wrong.
I've been in traffic incidents when I've been solo, where there's been a plane that confused
the runway and they're heading straight for me and I've got to like fix it and stuff.
So I've seen how dangerous it can be already.
But I think it's better than, it's much safer than a motorcycle.
So I'll just stick with it, I guess.
Oh, yeah.
100%.
Yeah.
Motorcycles are scary.
Yeah, for sure.
I've never been a motorcycle guy personally.
I just was thinking like, I see so many people here in Texas not wearing helmets because
it's illegal to not wear a helmet.
Oh my God.
And I'm like, you do not like your life at all.
I mean, you have no concerns or cares because like there is no way you crash and come
back from that. No, it's not. Like I, when I was a kid in elementary school, we got asked like,
oh, what, what car do you want to drive or something? I forget why they even asked us this.
And I was like, I want to ride a motorcycle. That's what I'm going to do. And then I got
older and I realized I don't trust myself and I don't trust anyone else on the road.
So it is interesting that I picked up aviation because I think it does feel
like it's a lot more dangerous because you're adding like another dimension,
right?
Like cars are 2D and like planes are 3D and they're much more susceptible
to weather as well.
And so there's a lot more, there are a lot more variables to them.
And so motorcycling seems, and I think is a lot more simpler as well just to pick
up and actually learn but it's interesting that the danger levels are actually very different from
each other well you know the skies are white more wide open you know there's less idiots out there
in the skies you still have issues i guess with who's landing when and where but that's the problem with motor vehicles
is like everybody else making bad decisions like you can't you can't control them right yeah pretty
much and i think as a student pilot i've been taking my time because i feel that the more dual
hours i get in the plane with an instructor the better because i can be exposed to a wider variety
of scenarios but have the safety of having someone who can take over immediately if they
need to. And that's been really beneficial. And even just facing an incident on my second solo
and my third solo in a controlled airspace, right, where air traffic control knows I'm on my solo,
so they can give me additional instructions and things like that. I think it is really important to expose yourself to as many of that as
possible because I don't, you know,
I'm getting my license in a few months quite close,
but right now I feel that I want more time to face those uncertainties to
really get a feel for how I would handle them under pressure.
Sounds cool. Well, how do we land this plane, Suze?
I think we just say goodbye.
Love catching up with you.
Up to cool stuff.
I'm looking forward to your pseudonymous, anonymous, open source contributions upcoming.
I won't know.
I won't know it's you.
But I like the idea that you're out there,
that you're out there
doing your thing
even if nobody knows.
You'll find her signature
in something, I'm sure.
She's got a pattern
you can match to.
Right.
I don't have to
reach for threat hunt.
She's hitting open source.
Yeah, it was good
catching up with you.
It's good to see
that you're well.
Good to see just
generally your,
you know,
the way you approach life, you know, the way
you approach decision making, even from things you're fearful of or concerned about or things
that give you more comfort and safety.
It's interesting to see that part of your life.
Yeah, I appreciate talking to you guys.
I miss you guys a lot, actually.
I was just, yeah, I was saying in the email, I was just thinking about you guys and then
you emailed and I was quite thrilled.
So I always feel like our conversations always go this way they're always very fruitful very
thoughtful and yeah I'm just glad that you sort of understand the journey that I'm on right now
because I think it's a very privileged one but it's also maybe not as typical and I'm really
enjoying just quietly living my life I think so it feels like you guys get that. Yeah, we get it.
We do get it.
And we appreciate you opening up and sharing with us.
Absolutely.
All right, I guess we now will just say goodbye.
And that's where we're hanging out.
Bye, friends.
Bye, friends.
What do you think?
Should I dust off my old copies of Nmap, Wireshark, and Metasploit
and try my hand at capturing the flag once again?
Let us know in the comments.
We love hearing from you.
One more thanks to our sponsors of this episode.
Superbase, Speakeasy, Test Double, and Socket.
And of course, to our partners at Fly.io
and to our beat freak in residence, Breakmaster Cylinder.
Oh, and don't forget Sentry.
Use code CHANGELOG when you sign up for a Sentry team plan
and save yourself 100 bucks.
Why not, right?
Next week on The Changelog,
news on Monday,
Ryan Wuerl from WarpStream on Wednesday,
and our next edition of the award-worthy Pound
Define Game Show on Friday. Have a great weekend, leave us a five-star review if you haven't yet,
and let's talk again real soon.