This Week in Enterprise Tech 533 Transcript
Louis Maresca (00:00:00):
On this weekend, enterprise tech, we have Mr. Brian Chee, Mr. Curtis Franklin back on the show. Now storage might be the holy grail of the enterprise world, but in North storage reliably, we gotta have a new medium, right? Well, what if we could store data on quartz wafers? We'll definitely talk about if that's possible. Let's, DevSecOps is a complex thing that requires developers and DevOps alike to really have a culture shift to get it right. Today we have André Keartland, he's solutions architect at Netsert. We're gonna talk about giving you the tools that you need to pivot to the solutions to really do Dev SecOps. Correct? Definitely shouldn't miss it. Quiet on the set.
Announcer (00:00:39):
Podcasts you love from people you trust. This is TWiT
Louis Maresca (00:00:52):
This is twit this week in Enterprise Tech. Episode 5 33 recorded March 3rd, 2023, quantifiable risk. This episode of this week, enterprise Tech is brought to you by Bit Warden. Get the password manager that offers a robust and cost effective solution that drastically increases your chances of staying safe online. Get started with a free trial of a teams or enterprise plan, or get started for free. Cross all devices as an individual user at bit warren.com/twit. And by Kolide, Kolide is a device trust solution that ensures that if a device isn't secure, you can't access your apps. It's zero trust for Okta as it Kolide.com/TWiT. And book a demo today. And by decisions, don't let complexity block your company's growth decisions. No code rules driven process automation software provides every tool needed to build custom or close empowering you. Modernize legacy systems, ensure regulatory compliance and renew customer experience. Visit decisions.com/twitch to learn how automating anything can change everything.
(00:02:09):
Welcome to twit this week in enterprise tech. The show that is dedicated to you, the enterprise professional, the IT grow, and that geek who just wants to know how this worlds connected. I'm your host, Louis Maresca, your guide through this big world of the enterprise, but I can't guide you by myself. I need to bring in the professionals and the experts starting their very own senior analyst. And I'm Dia is the man who knows everything about enterprise and security. That's right. He is the very own Mr. Curtis Franklin. Curtis, it's amazing to see you. How are you doing? And how's the gear up for RSA going?
Curtis Franklin (00:02:40):
The gear up for RSA is going reasonably well. Can't can't complain. And as part of that one of the things that should note is that I am no longer a senior analyst at Omnia. I am a principal at amia. So
Louis Maresca (00:03:01):
Congratulations.
Curtis Franklin (00:03:03):
The all of the, as they said when we graduated from college, the rights and privileges, they're in two astaining which thus far means that I've gotten to order new business cards. So appreciating that. But writing a bunch of stuff got a number of client and potential client calls coming up. It's one of the things I enjoy getting to talk to companies as part of my job. And have some, some cool research happening in the way we're dealing with risk. Way different companies are dealing with risk and putting some sort of number to risk. You know, we all talk about, you know, more risky, less risky, little risky, a lot risky, but if you want to quantify it, if you want to be able to, to measure changes, how do you do that? And it turns out there are a bunch of different ways many of them very good. What we don't have so far is one standard way so that companies can compare their risk and their appetite for risk with those of their competitors. So that's what I'm gonna be doing for a while. Having a good time talking to lots of people. And of course, enjoying the opportunity to take a break every Friday afternoon to come and tiptoe lightly through the loving embrace of the Twit Riot.
Louis Maresca (00:04:30):
We, we, we, we thump, we don't tiptoe lightly. But thank you for being here, Curtis <laugh>, appreciate you being here. Well, we also have to wa welcome back our very own architect of Sky Faber. He's also one of my favorite tech geeks. He's Mr. Brian Chee. Now sheer, I hear that there's a little bit of congratulations in order today. Today's the start of something new.
Brian Chee (00:04:47):
Yeah, interesting enough. Yesterday was the first day of the Central Florida Fair which is a 5 0 1 [inaudible] charity. But I also officially got installed onto the board of directors and this is actually gonna be my first non-technology oriented board that I'll be serving on. The first one was actually a convention center internet service provider. So this is gonna be a big change for me especially since the chair is actually a also chair on one of the local YMCAs. So a little bit of learning and gonna be interesting getting them signed up for federal surplus so that we can get things like forklifts. Much less expensive.
Louis Maresca (00:05:37):
Very lucky to have you cuz you're definitely the guy to do the job. So appreciate you being here and thanks so much for for being co-host so well today. We should get started cuz there's, there's lots to do. There's lots to talk about. Busy, busy Weekend enterprise. Now we have talked about storage in the past. It's, it's one of those things we call the Holy Grail enterprise world. It's storing a lot large amounts of data. Being able to access it reliably is an important thing. Well, what if the data was actually stored on a court's wafer? What happened? Is it reliable? Talk about that was DevSecOps. This is a complex thing. It requires DevOps and developers alike to really have a culture shift to manage things, right? Well, today we have André Keartland, he's solutions architect at Nets Sheret. He's professional services. We're gonna talk about things like pivoting your solutions to do the right thing for DevOps.
(00:06:24):
So definitely stick around lots to talk about here. But before we do, we have to go ahead, jump in this week's news blitz. Now other companies misfortunes can definitely used as learning opportunities for us, right? Well this dark reading article points out that observed client exploitation cases have nearly doubled. Doubled in 2022. While the number of incidents where threat actors interacted with cloud resources have tripled. That's right. That means better practices, policies and processes need to be put in place for companies resources. Now in the case of cloud security firm sig, they uncovered a series really serious scenario where a threat actor exploited a Kubernetes cluster using an internal service to gain temporary credentials and then use those credentials to actually enumerate other elastic cloud compute services that been deployed in the company's infrastructure. Now they dubbed the attack scar Teal. Now the attacker centered through a vulnerable, actually entered through a vulnerable internet exposed service that allowed access to the Kubernetes pod.
(00:07:24):
Now once in the cluster, the attacker used the access to deploy containers with crypto jacking software. Essentially stealing processing capacity from the victim's cloud infrastructure to actually mine cryptocurrency. Now the attackers had knowledge of how to move through the AWS cloud, including e C two, connecting to Lambda services, serverless con functions, and using the C I C D information as service known as Terraform, they essentially exploited a role to do the enumeration in the cloud, searching for sensitive information and then SU stealing proprietary software data. Now what they learned in the end, the security firm learned like that is was the company that was breached had actually properly limited the scope of permissions for the stolen identity, which actually blunted the attack of the attacker. Now the incident truly underscores a couple things. The need for organizations to really be careful when configuring the controls that allowed cloud services resources to interact with each other.
(00:08:19):
Now having e C two roles being used and able to access other resources is actually a common scenario. But usually it's really tightly scoped to prevent incidents like described by Csig. You know, in the past threat actors focused on just rudimentary interaction with cloud services. They would deploy crypto jacking software in that case. Now the more they understand the vulnerabilities introduced by businesses in their own environments, cloud focus attacks are becoming even more prevalent. Now, what can you do to protect yourself, your organization Now for one, companies need to ensure that they have good visibility into the operation and telemetry of their cloud infrastructure. In addition, they need to limit access, even assigning read only access to specific cloud resources cuz then it can make all the difference in stopping the attack while in progress. Now the more attackers hammer at resources using stolen identities, the greater chance of detecting them. In that case. Now zero trust. Focus on that. Ensure the least privileges plus enable MFA because we've talked about this a ton in past episodes and it's table stakes in today's enterprise world.
Curtis Franklin (00:09:24):
So what do you think about attack match? The attacks failed A t t Emper sand ck. If your first response is, huh, you're not alone, but you're also not in the know about a powerful tool to help guide cybersecurity strategy. Mir, the organization paid to do a lot of the strategic thinking for government agencies and cisa. The US Cybersecurity and infrastructure security agency want to make it easier for companies and individuals to use the attack framework by making it easier for defenders to map threat actions onto the framework. According to an article at Dark Reading Decider is a web application created by a partnership between the US Homeland Security Systems Engineering and Development Institute, that's H S S E D I. For those who list love acronyms and mire, the purpose of the application is to make it simpler to map activities onto attack and make those results available to analysts up and down throughout an organization.
(00:10:33):
Now why you might ask, would an organization want to do this? It's because the goal of attack is to help an organization anticipate the bad guy's next moves and shut down attacks as quickly as possible. The framework is incorporated into a wide variety of security tools where it generally provides a standard language for communication between cybersecurity peers and stakeholders during incident response and letting those people communicate with their peers outside the organization. At the government level, analysts at CISA and Mire believe that a wider use of attack is encouraged by the cider will lead to better, more actionable threat intelligence and better cyber defense outcomes. Decider makes attack mapping more accessible by walking users through a series of guided questions about adversary activity with the goal of identifying the correct tactics, techniques, or sub techniques in the framework that fit the incident in an intuitive way. From there, those results can inform a range of important activities like sharing the findings, discovering mitigations, and detecting further techniques. The ultimate goal is for attack to become part of the infrastructure and culture of security organizations. So they find it easier to talk about attacks and defenses both within their departments and throughout the cybersecurity community.
Brian Chee (00:12:09):
Thank you to ours technical for this article. And it's interesting, it's actually not the biggest article in the world. And depending on who you talk to, some people think, oh, that's cool, but I think it's actually a fairly major development. So this last Friday meta announced a new AI powered large language model called LAMA 13 B, that it can outperform open AI's G P T three model. Despite being 10 times smaller, smaller size AI models could lead to running chat G P T style language assistance locally on devices such as PCs and smartphones. It's part of a new family of language models called lag, large language model meta AI or llama for short. So I really recommend you read this our technical article for yourself, especially since the overall impact is a ways off from being available to the general public. I will however say that scaling down the G P U processor overhead is a step in the right direction for voice assistance that don't require a long run on sentence to describe what you're trying to do in home automation. It also means hopefully in the near future that when I ask for directions to local restaurant that it won't try to route me 150 miles out of the way.
Louis Maresca (00:13:37):
We've all heard about Secure Boot. Not lots of organizations are forcing the upgrading people to ensure their hardware and software support it. Now, as they do adversaries look for ways around it, of course, according to those bleeping computer article, secure Boot Pipe Pass capabilities and toolkits are actually on the rise. That's right. In fact, black Lotus U E F I boot kit have actually improved the malware to impact Windows 11 machines now too. That's right. If you haven't heard of Black Lotus, it's the first That's right, the first public example of U U E U E F I malware, they can avoid the secure boot mechanism. No, essentially disabling security protections that come with the operating system. Now what does this mean? Well, it means it can actually impair Vic Locker protections. It can affect antivirus. It can also have an effect on hypervisor protected code integrity.
(00:14:27):
In fact, black Lotus's malware emerged last year promoting on hacking forms with a feature set that makes it virtually invisible. That's right, invisible to antivirus agents installed on the compromised host. It's pretty scary if you think. Now the advertiser said that the malware takes only 80 kilobytes after installation and the cost of the license is $5,000. Although it rebuilds where the rebuilds or the upgrades can actually cost $200 a piece. So it's <laugh>, it's a legitimate software going on here, guys, I don't know what they're doing. In fact, the report from the researchers at esat, they confirm that the malware functions exactly as advertised. They can actually bypass the secure boot mechanism by leveraging vulnerability from the last last year's tracked this as C V E 20 22, 20 1,894. Now the attack starts with executing an installer that deploys the boot kits files to the EFI system, partition it then disables the HF or H V C I and BitLocker protections, and then it reboots the host.
(00:15:26):
Now EFI boot kits are the opposite of the normal, the run of Themi malware. In fact, they are actually rare findings and they're not really normally seen in attacks due to the advanced capabilities of them. Now, although the proof of concept boot kits that have existed since 2013, a malicious E f I boot loaders that prevented the machine from booting were actually found in 2021. The list of full-blown boot kits in the world are actually really short. There's Fin Spy, there's ees Specter, and there's also Cosmic Strand. Now the interesting thing here is Black Lotus is the first one to publicly disclose its capabilities and it's associated with a lot of crime on the dark web. The first lesson, we always jump on this, ensure your hardware, firmware, bios, and software are updated frequently. The less gap there is the less chance of falling in it.
(00:16:19):
Well, folks, that does it for the blips. Next up we have the bites, but before we get to the bites, we have to thank an amazing sponsor of this weekend Enterprise Tech and that's bit warden. Now, you may have been following what's going on around the, you know, industry and the world of passwords lately, having switched to Bit Warden personally, I can tell you it's an amazing platform. It's super easy to use. You can import all your passwords, biometrics, all that stuff. Plus it's fun. And I would say make it part of your 2023 goals to be more secure. Just use Bit Warden. Bit Warden is the only open source cross-platform password manager that can be used at home, at work on the go and is trusted by millions. Even our own Steve Gibson has switched over and you know how high standards he has.
(00:17:01):
Well, with Bit Worn all the data in your vault is end-to-end encrypted, not just passwords. Protect your data and privacy with bit worn by adding security to your passwords with strong randomly generated passwords for each account. Go further with the username generator. Create unique usernames for each account, or even use any of the five integrated email alias services. The greatest thing about Open Source is how things evolve over time. Right? They can improve over short periods of time. Well in Bit Worn has a number of new features in its February release. In fact, they have significant updates to the key derivation function encryption. That means that New Bit worn accounts will use 600,000 Kdf iterations for PBK DF two as recommended by O osp. Now, argon two ID is also optional alternative to KD f for users seeking specialized protections. And a stronger master password has a higher impact on security than kdf iteration.
(00:17:58):
So you can have as long, should have a long, strong and unique a master password for that. Now they also have master password security checks. That's right. New users who created their new their accounts on mobile apps, browser extensions and desktop apps can now check known data breaches for their prospective master password via their H I B P. Now, logging in with a device is now available for additional clients. Login requests can also be initiated from browser extensions, desktop apps, mobile apps, and other desktop apps. Now, bit Orton is great for companies. That's right. It lets you share private data securely with coworkers across any department or the entire company. And what makes it simple is the fully customizable and adaptive plans. It has like Bit Orton's teams organization option, which is $3 a month per user. They also have enterprise organization plans just $5 a month per user.
(00:18:53):
Plus remember, the individuals can always use the basic free account for an unlimited number of passwords, upgrade any time to premium account for less than a dollar a month, or bring the whole family option to actually give up to six users premium features for only $3 and 33 cents a month. That's exactly what I did. I started out on the basic and now the entire family uses Bit Warden. Really helpful. At twit, we are fans of password managers. Bit Warden is the only open source cross platform password manager that can be used at home on the go or at work and is trusted by millions of individuals, teams, and organizations worldwide. Get started with a free trial of a teams or enterprise plan or get started for free across all devices as an individual user@bitwarren.com slash TWiT. That's bit warden.com/twit and we thank Bit warn for their support of this week in enterprise tech. Well, folks, it's now time for the bites. And today we have a really interesting one because, you know, storage is one of those things that all, especially all cloud services are looking to expand and make easier and make it, make it to expand and do it reliably, right? Well, cheaper. What's going on with this new technology?
Brian Chee (00:20:08):
Well, interesting enough lose not driving this story because he's, he works for Microsoft. So we thought, okay, someone else will. Now we've all heard of the Doomsday Vault. It currently holds 1,145,693 backup copies of the world's seed varieties. Now the plan in this extreme tech article is that a new vault will be joining them and it's going to be the global music vault. Interesting. Well, in order to accomplish this giant storage related task, organization running effort has tapped Microsoft as a partner. Together they are embark embarking on trial to achieve resilient long-term archival storage. They will be using Microsoft's Project Silica and working on a proof of concept to see if it will work for music storage. It uses wafers of quarts as a storage medium. The group's press release notes that while tape is still the preferred way to archive data, I beg to differ in high humidity environment tape is horrible.
(00:21:17):
I have lost so many backups. Anyway read, read the article. It's, it's worth doing. Sorry, I've got a fly going baking. Anyway, the concept is that it can be baked, boiled, scarred, flooded, subjected to E M P and other ways to tamper with them without degradation of the data written in the glass. The mountain and Norway where it's located, is also considered the safest location on earth to a mixture of geological and geopolitical stability. Each court quartz wafer will be the size of a drip coaster at 75 millimeters by 75 millimeters and two millimeters thick. Each plate will be able to store 100 gig of data. Data is added to the wafer of reveal laser that creates three dimensional nanoscale, gradings, and deformations to retrieve the data. A polarized light is used to shine through the glass. There are machine learning algorithm to decode it.
(00:22:15):
The group says the proof of concept should allow data to be be preserved for many thousands of years. Project Silica has been in the work for several years now. Okay, now this is cool. However, like I said, tape is a problem, especially if you're in a high heat, high environment humidity environment like Hawaii or shipboard. Typically, if you are so inclined and you have your D L T tapes and they've been sitting on the shelf even in an air conditioned building for upwards of two years. The last time I tried to restore a D L T from a tape that was more than two years old, large pieces of the magnetic media actually flaked off. To say that that restore didn't work was an understatement. To that end, I have been really, really hot on using optical just because I wanted something that was more reliable that is going to last longer than two years in case we need to go and bring back some really sensitive, say seismological or hydrophone data for research.
(00:23:28):
Now, what I have been using, and I'm gonna ask Mr. At to go jump to the next r l I've been using an optical jukebox. Now, one thing that's interesting is five dimensional glass memory which related to this also an extreme tech story is now starting to become reality. Now the technology that I've been using has been Blu-ray and Blu-rays great, because unlike CDs or DVDs, the recording media is not exposed. It is encased in polycarbonate and does not suffer from what's called laser rot. The old laser discs I lost several very valuable titles because mildew got in there and destroyed the recording media Blu-rays are sealed. So I actually have been trying to get researchers to go to something like this. It's actually a system that will allow you to store to a NA and then set rules for archiving.
(00:24:40):
And the archive would burn to a Blu-ray and, but keep the metadata online so you can still search and still, you know, browse the metadata. But when you try to actually bring down the data, it'll give you a interrupt and a message saying this is being brought back from cold storage or whatever term you use and issues an operator message to please take this dis pack, you know, with certain number, pull it off the shelf, stick it, mount it on the system, and it'll bring back the data so you can get to it. Problem is we're not talking about a ton of storage. You know, we're only talking maybe a couple terabytes, ideally with the five dimensional storage that the University of South Hampton and the United Kingdom has been creating. Maybe a combination of the two. Sounds good. So now what I'm gonna do is, Mr. Kurt and I have had many conversations about data archiving. And so, so has Lou. And a lot of people say, well, hey, data doesn't really exist unless it exists in at least three places. So I'm gonna throw this to Kurt first. How many times have you actually heard the corporate world get excited about storage? And does data only existing in two places, get people worried?
Curtis Franklin (00:26:09):
The corporate world outside of IT operations tends to be aware of storage in the abstract. They assume that they have to have some because they have some on their laptop. But that's about all the detail they want to know. And again, outside of the resilience group, I would say that most folks in the enterprise don't think about backup about redundancy, about resiliency. They assume that it's someone else's job, and so they assume that it's going to be there by some magic whenever they need it. I find it fascinating. You know, we've been talking about storage along the lines of this idea for a very, very, very long time. I remember when conceptually people were saying this was going to be the future of storage in the last millennium. You know, as, as you well know, Brian optical disks were around for storing movies and transporting movies a long time ago.
(00:27:40):
And so people have known that this was the inevitable direction we were going. To me, the interesting thing about the story is when you look at the difference between the theoretical maximum density of that storage unit and the actual density that they're going to be using, it's multiple terabytes versus a hundred gigabytes. That tells me there is a ton of redundancy and error correction various bit check schemes going on, which is good because this is supposed to be the safest sort of archive. Now I'm looking forward to this. And furthermore, I'm looking forward to it doing the inevitable drift down market once the proof of concept is put into place in some massively usable thing. On the one hand in the enterprise, I think we'll start to see internal petabyte farms become the norm while on personal devices and home storage area networks, we're looking at hundreds of terabytes.
(00:29:03):
The question then becomes for most of us, what don't we store? As our storage online becomes the data equivalent of that kitchen drawer packed full of old wrinkled receipts that many of us have to sort through just to find the, the spare set of keys. I'm happy about this. I'm thrilled that it's going to be used for what I think is a very good and noble purpose. I'm looking forward to it. Serving a second useful purpose by being the first major utilization of a technology that all of us, with any luck at all, will get to use Before I forget how to use computers,
Brian Chee (00:29:52):
<Laugh>. Yeah, actually my interest in all this actually got kicked off because of Google. <Affirmative> university Google accounts used to be unlimited storage, but they just started slapping the university or research group with some very, very hefty bills. And so now lots of university research groups all over the world are probably scrambling to find another long-term storage media. And I'll tell you right now, the number of nine track tapes that have failed on restore is staggering. Even DLTs have had the problem. Now I'm gonna toss a little bit towards Mr. Lou only because that chemtronics system that I happen to be pretty high on, which is an optical jukebox, is actually based on a Microsoft product. Obviously Microsoft has some really, really interesting things cooking behind the scenes. And Mr. Lou, your your up to your armpits in the office, Microsoft Office world. Has there been any kind of rumors or any kind of things that might be coming up on how Microsoft Office is handling data archiving? Because remember, there's backup, but then there's archiving. So are you nearline or offline? Those hooks have been in the Microsoft world for ages, but are, do you know if they're getting dusted off
Louis Maresca (00:31:36):
<Laugh> now? Like physical medium? I, I don't know because obviously these are hidden behind in the data centers, behind, behind services that you know, that, that we utilize for these types of things. So I think that that I'd probably, I don't have a lot of insights into, but I can tell you that a lot of scenarios we've used or other services have used, you know, blob storage or archive storage in Azure. That's a big thing. You know, we have a lot of office services that are like for instance, OneDrive and thing SharePoint. They use a specific data technology that does have cold and warm and, and you know, cold storage that, that does archive things behind the scenes. And this is, this is terabytes and terabytes of terabytes of data, petabytes of data. So I do know that they are utilizing these technologies, but again, they are abstraction layers above the physical medium.
(00:32:26):
So like I, I don't know exactly what the data centers are doing because I'll tell you one thing. These types of data centers, especially companies like Microsoft and Amazon, they're highly guarded and their technology that they use and you know, how they and who has access to, to the physical medium or even what they're using for the physical medium is again, highly guarded stuff even from people who work at the company. So I can tell you, I don't have too much knowledge in that, but I, what I can tell you is things are getting faster, things are getting more efficient and we're getting just more storage and more availability from these things and consistency across globally from these, these storage mechanisms as days go on.
Brian Chee (00:33:06):
Yeah, very cool. Actually, the university the research group that I work for we would have a Blu-ray burner robot that would then use an inkjet printer to print the metadata on top of the Blu-ray. We'd make two copies of everything. One goes on the shelf for day-to-day use and you know, pulling data off the archive. But the last one actually goes to a salt mine in Utah. Ever since we had a big flood at the University of Hawaii and lost petabytes of data in the basements of a couple of buildings researchers have had had a wake up call. And that's why I'm so excited about optical storage that can survive this because I'll tell you right now, d l t tapes when a basement gets flooded and even though the d l t tapes were in a locked storage cabinet, the cabinet got ripped apart and the tapes got crushed.
(00:34:11):
I actually was waiting through eight inch deep mud in the basement of Hamilton Library poking around looking for the servers that got pour off the shelves and actually got slung around the basement <laugh>. So yeah, I, to whoever's running this Microsoft project, I would say please bring it to market cuz there is certainly a need and the research community will kiss your feet because I can't tell you how much data we've lost, you know, ship, shipboard, leak, shipboard sinking, we've lost tons and tons of data. It's a big, big, big problem. And I for 1:00 AM really excited. Can you tell, anyway, I think it's time for us to we'll see what our guest has to say.
Louis Maresca (00:35:09):
Indeed. Thank you Cuber. Well, we'll get to our guests in just a moment, but before we do, we do have to thank another great sponsor of this week, enterprise Tech and that's Kolide. Kolide is a device trust solution that ensures unsecured devices can't access your apps. That's right. As easy as that, Kolide has some big news to it. If you're an Okta user, Kolide can get your entire fleet to a hundred percent compliance that Kolide patches one of the major holes in zero trust architecture, device compliance. It's a big one. Think about it. Your identity provider only lets known devices log into apps. But just because a device is known doesn't mean it's actually a secure state, right? In fact, plenty of devices in your fleet fleet actually probably shouldn't be trusted. Maybe they're running out on out of date OS versions or maybe they've got unencrypted credentials lying around.
(00:35:59):
Now, if a device isn't compliant or isn't running the Kolide agent, you can't actually access the organization's SaaS apps or other resources. So the device user can't log into your company's cloud apps until they've fixed the problem on their end. It's that simple, it's that easy. Now, for example, a device will be blocked if an employee doesn't have an up-to-date browser or using end user remediation helps drive your fleet to a hundred percent compliance without overwhelming your IT team. Now without Kolide IT teams have no way to solve these compliance issues or stop insecure devices from logging in. Now with Clyde, you can set and enforce compliance across your entire fleet, whether it's Mac, windows, or Linux. Kolide is unique in that it makes device compliance part of the authentication process. When a user logs in with Okta Kolide alerts them to compliance issues and prevents unsecured devices from logging in, now it's security you can feel good about because Kolide puts transparency and respect for users at the center of its products. To sum it up, Kolides method means fewer support tickets, less friction, and most importantly, a hundred percent flea compliance. Visit Kolide.com/TWiTto learn more or book a demo. That's k O L I D e.com/twit and we think Kolide for their support of this week and enterprise tech. Well folks, it's my favorite part of the show. We actually get to bring in a guest to drop some knowledge on the twit, right today. Today we have André Keartland, he's solution architect at netsert Professional Services. Welcome to the show André.
André Keartland (00:37:38):
Thanks for having me.
Louis Maresca (00:37:40):
Absolutely. Now, I, now our audience obviously has is a, as different spectrums it's different parts of the spectrum in their careers and they love to hear people's origin stories. Can you take us through a journey through tech and what brought you to answer?
André Keartland (00:37:53):
Sure. didn't start out thinking that I was going to end up in a tech career. I think I was 18 and like every other 18 year old didn't have a clue. So for lack of better ideas, went to college did courses, but I had the wisdom at least to say I needed to get some practical experience. I started doing a ton of part-time jobs and that was late eighties and it just coincided with that time that the BC revolution was happening. So a lot of these companies where I was doing filing or shuffling pieces of paper around or making coffee sort of had their first PCs sitting on a desk somewhere. Nobody had any idea what these things were supposed to do. And I was curious enough, I started scratching around and I started bolding little tech solutions for people.
(00:38:41):
You know, the next moment I was writing them apps and I was setting up their first networks. And so over time, eventually I did every single job in the IT industry from laying cables to writing code to servicing printers. And that sucked me into eventually a career as a IT tech. And I grew up eventually inadvertently got into a training job, which I had never intended to do. I'd always believed those who can do and those who can't teach. And so I took this as a part-time gig and absolutely loved it. And one of the things I really enjoyed out of it was it forced me that I really had to get to know the technology because it's one thing to work with it, it's a totally different level that you need to explain it to other people. And this led to an opportunity that in 1999 Microsoft was about to release the product that would become Windows 2000, which had active directory in it. And I got an opportunity to do some work for them developing and then delivering some internal readiness training on active directory and accidentally became a subject matter expert on it. And from there I was very much an identity person for many years and identity led into security and here I am <laugh>, I'm
Louis Maresca (00:40:13):
Rest is history. Yeah,
André Keartland (00:40:14):
Still drinking that.
Louis Maresca (00:40:16):
Fantastic. Well that's great. I think, you know, it's interesting to to hear people's journeys because I think that, you know, everything, every stepping stone along the way really brings us to the point that we are today. And I, I think that also let's kind of segues into our segment cuz we're gonna talk about DevSecOps and I think, you know, we like to poke out lots of organizations in the world to kind of use them as learning opportunities. And I, I wanna poke a little bit about LA at last pass a little bit cuz we, we've been uncovering a lot about their breaches in the last couple months. And I think it, what it's doing is it's actually providing some good lessons that we can learn in the dev DevSecOps world. Let me go over the first one first. I wanna get your thoughts on this.
(00:40:56):
The first one that I've actually noticed is the fact that a lot of this had to do with this breach had to do with the facts that they, they had very lack security policies, which where they mean they, they allowed users or their own employees that is to actually access critical company data and services from their home computer. And they did this in a way using federated services. And I don't know about you, but when I work with a DevOps team or even a developer team that's deploying something through a, through a, a continuous deployment method, like they have to do this in a way where they use a device that is not necessarily even their personal computer. And it's essentially used a secure enclave on the device or whatnot, a secure vm. And they are required to do that in a very secure way, and they can't actually access all re resources j admin access only for a couple minutes. It's restricted. So it sounds like there's some missing company policies that goes with standard you know, practices that we've all talked about. What do you think here Are you seeing this allotted organizations?
André Keartland (00:42:00):
Yeah, unfortunately, a lot of those things that you're mentioning are all really, really good ideas and they are done a lot less often than what you would imagine. You know, you, you work for Microsoft and Microsoft went through a journey itself, you know, round about the year 2000 where we were getting the code Reds and the nmda, you know, Microsoft sort of invented the software development lifecycle concept, you know, because they had to learn how to get from a point where we need to write the code and we need to write it fast to a point where they had to say, and we need to write it secure. And a lot of organizations just have not yet reached that point. Very often what I see is when where, where we often get involved is somebody has written an application, it's either a new app or it's a new version, and then we get called in to say, we have this new code, can you review it for us? And that's the first time anybody of a security hat is looking at that application and all the code and all of the dev practices up to that point. That's just not really at a security focus and that's where things go wrong.
Louis Maresca (00:43:15):
Yeah, it, it's interesting that you brought that up because I think there's, there's kind of a separation of concern sometimes there, like for instance, developers, they wanna quickly iterate on their code, they wanna deploy it, they wanna meet the customer's demands, and on the other hand you have security teams that are really focused on you know, making sure that the code is secure. Now there's sometimes, you know, disparate Yeah,
André Keartland (00:43:36):
They pulling it,
Louis Maresca (00:43:37):
They kinda cross each other. Where, how are you helping organ, how are you seeing organizations help themselves or how are you helping organizations overcome that battle?
André Keartland (00:43:45):
Look, a lot of it is you have to make a cultural change. The, the, it's a adoption change management exercise where a big part of it is training people getting them to understand what is the importance of the security. One of the little exercises that I find works very well is at some point you arrange a hackathon and you actually get those developers to go see how insecure code can be and how things can be pulled apart, you know, and then bad things can happen because often they don't believe it. A a a lot of developers have zero background in security. They haven't trained on it for one minute, they have never had a particular interest in it. They get excited by the tech of coding, they get excited by the functionality in their apps.
Louis Maresca (00:44:36):
Yeah, I agree. I think that that's a great idea actually. I really like that idea. A lot of just having little hackathons to, to poke at services. I've, I've worked with organizations, they do lots of disaster recovery drills, you know, they try to take their services down, but they don't necessarily do it in a way where they're trying to, you know, access data in badly. Now I have worked with companies that use the, you know, the red and blue teams where they'll go hire you know, an audit, a team to come in and, you know, and, and, and be the red team and, and they'll have their security team be the blue team and so and so forth. Are you seeing that more with the organizations to kind of just try to gauge where they're at with security?
André Keartland (00:45:15):
I'm seeing it more and a lot of it is driven by compliance because you're getting that a lot of organizations now have a lot of pressure on them from rules, regulations, laws, that says you have to show that you are compliant. A lot of the organizations I deal with are dev companies and they are in the business of writing code for other people. And the other people are now saying to them, before I will accept your code, you need to put a stamp on it to prove that there's security in this, you know, and so again, they forced to do it. And then insurance, right? So in this age, a lot of organizations have to take out insurance against cyber incidents and the insurers, the underwriters obviously going okay, we are not as accepting any risks. Show us that their security baked into this, that that is forcing a change, but it's not totally prevalent. You still get a lot of people that are going. Security is something that happens to other people
Louis Maresca (00:46:12):
Right now. I mean, I work with a lot of organizations. They build a lot of software, a lot of services. They have things like source code management and c I CD loops, and they have build tools and deployment change and binary libraries, and they do code reviews and they try to monitor problems in telemetry. Like, there's lots of things going on there with this whole process. Why don't we go to fundamentals here? Why don't we talk about, can you maybe give us some key tactical things that an organization can do to ensure that they are focusing on DevSecOps for today's kind of organizations?
André Keartland (00:46:44):
Sure. well, to start with sort out the basics of security. So if you look at what happened to laspas it was really security basics that trip them up. So even just things like saying developer has dedicated machines that they develop their corporate code on, and this case wasn't a developer, it was a, a DevOps engineer. And you need to protect those people. You need to protect their accounts, you've gotta prevent that. Somebody does a phish attack against one of those people hijacks their account, and then a bad actor starts acting as this internal person with immense powers inside of the systems. We've been very used to protecting like the, the domain admins, the global admins that are have, have got supervisor access, but we need to look after the developers and the DevOps engineers just as much. Okay. Because they get act, the whole environment is act then. When you build your DevOps infrastructure, that's when you want to make sure that you actually put a security flavor into it. Hence not just DevOps, but dev SecOps. So those code repositories have got code scanners in them. Those C I C D loops have got testing cycles in them where we are looking for security vulnerabilities, et cetera. And yeah, go,
Louis Maresca (00:48:12):
Yeah, that's great. I think that's instituting additional testing, additional tooling is always good. I think from, from from multiple cases. I, you know, I've, I've heard of, you know, some terms thrown around like the C S S C A, which is software consumption analysis. There's also static security testing that's coming out. There's, there's lots of things going around, right? There's lots of things that people can do. Are there a set of like fundamental foundational things that lots of organizations are doing that are really like moving the needle quite a bit in this case to secure things and help with DevOps?
André Keartland (00:48:45):
I think there are there's practices that are obviously developing, but I think it's early enough days that these are not universal standards. And you still do get that every organization does it slightly differently. That of course, confuses the message a little bit. You know, there's lots of tools as well. So you know it's, it's probably a work in progress and ultimately companies got a, an organization have got to want to do it, and very often it's the motivation that's lacking, you know, it's right. One of my favorite sayings is measurement drives behavior. And when the dev team is being measured on how fast can we get the software out the door, can we deliver the functionality we are looking at or that that was, was specked, but there's no measure in there to say, and we need to meet a, a qu a, a security bar, then they're not gonna put that much effort into it. And the problem isn't just the devs, it's the program managers, the project managers, the executive sponsors that are paying for the software. They all need to buy into this, otherwise nothing will happen. Right,
Louis Maresca (00:49:54):
Right. We have lots more to talk about here, and of course my co-hosts have some questions as well, but before we get to that, we do have to thank another great sponsor of this weekend Enterprise tech, and that's decisions now we see with the latest enhancements that are rolling around the industry. Automation is the way to improve your productivity and enhance your processes. That's where decisions comes in. They give IT and business experts the tools to automate anything in your company, all within one no-code platform. Now decisions is proven to fix any business process and prepare you to withstand economic uncertainty. You know, in, in the current climate, you need to do more and be more deliberate in managing your resources and be able to adapt quickly, be more agile. If you wanna be agile, decisions will make it simple for you. It has a no-code environment that allows your team to collaborate, build, and adjust workflows, dynamic forms and decision processes, and are constantly evolving.
(00:50:47):
Now this is especially important with today's IT talents shortage. That's right. So it's hard getting really good IT people out there. And a decisions process automation software is a complete toolkit. It allows business users, it's actually advanced enough for developers to build applications and automations with no code required. Now it really is a powerful platform that includes a ton of predefined rules and workflow engines. Plus it has a host of pre-built integrations that can connect any legacy system with via api, all within a simple drag and drop visual interface design. Whether you're on-prem or in the cloud, you can deploy it anywhere. The companies were caught off guard and were flatfooted at the start of the pandemic. But decision customers had the advantage and were equipped to respond quickly. In fact, one of the country's largest private banks built an entire P p p loan application process for small businesses affected by covid 19 in just two days.
(00:51:50):
They were the first to market issuing a billion dollars in loans before their competitors even started. Decisions that you customize workflows to automate the small decisions, producing faster results with greater accuracy, allowing your team to focus on the important decisions a scale your business to better serve your customers while reducing operational costs and saving your team valuable time. Here's one great example of how decisions automation software can help Otis Elevators. That's right, you, you know them. You probably wrote a one today. Now implemented decisions to run daily pulse checks across their 2 million units operating globally by finding potential problems before they actually occurred. They avoided downtime and managed their service technicians efficiently. If you happen to be riding on a notice elevator, you can rest assure that you're gonna rely safely and those things are gonna get you to the destination. Now on the incur industry, the durability of a business' foundation will directly impact its performance and ability to survive.
(00:52:50):
How strong is your foundation decisions? Automation platform provides the solution to any business challenge, automating anything and changing everything to improve your company's speed to market financial growth and operational success. They help industry leaders alleviate bottlenecks and automate pain points in their business so you can do what you do best and change the world. To learn more about decisions, no-code automation platform and scope, your free proof of concept visit decisions.com/TWiT. That's decisions.com/twit. And we thank decisions with our support of this week in enterprise tech. Well, folks, we've be talking with André Keartland about DevSecOps, but I do wanna bring my coast back in cuz they have a lot of questions here as well. Who wants to go first? Hubert?
Brian Chee (00:53:45):
Well, hey, I, I got my first taste of security during the development process when I was working for the US federal government. And one of my huge, huge wake up calls was going to this, at that time, relatively small conference in Las Vegas called Defcon. One, I didn't look like a typical fed, so they didn't spot me immediately. But watching what they were doing, especially the crew that were breaking into boxes with security seals and so forth, that was actually a real wake up call because it started getting me looking at, okay, we need to think beyond the password. We need to think beyond the the, you know, the code. We also need to go and look at, you know, how the systems are put together. Now in an ideal world world, this is getting to my real question. In an ideal world, what kinds of advice would you give to management? Because the management is the ones that are gonna determine whether or not the dev DevOps team can actually do this. What sage advice would you give management to try and avoid some of the problems that you've been hearing about in the news?
André Keartland (00:55:16):
I think that experience that you had going to DEFCON was the absolute best way to do it, because what you did there is you got awareness of the threat. So you were essentially doing your own little version of threat modeling. And that is very much what I think the execs that are sponsoring the dev projects need to do. They need to go and say, what is the actual threat? What do they need to be afraid of? And they need to go and quantify that or put it into what is the business impact if this goes wrong. So it's really important that they go and basically show the r ROI of baking in the security because if they don't, they're going to go, this is just extra expense and it's slowing down my dev project, so let's not do it. So you need to go and say, build a picture of what does the threat look like.
(00:56:09):
And when you do that, diversity is incredibly important. Don't sit down in the boardroom and ask each other what is the threat. Don't get the dev team to just sit down and say, what is the threat? Get external people that are perhaps experts in the field. Do things like red team and, and paint testers and similar people to come and demonstrate or at least explain what are possibly the things that could happen. And think about if this goes badly, if my sense of data that is sitting on this application suddenly is out there on the dark web, or if somebody hijacks my application and uses it as a platform to attack the rest of my infrastructure, what does that mean to my business? What does that mean to my reputation out there? People at Lost Pass are probably busy asking themselves a couple of those questions right now.
Brian Chee (00:57:05):
Yes, indeed. One, one of the other pieces of advice I like giving to people that I run into now is in the us the Federal Bureau of an investigation has a program and for the life of me, I, I just forgot the name, just went outta my head. Anyway, it's where the FBI experts get together with the civilian experts and share critical data, you know, how to do this, what you should be doing and so forth. Does such organizations exist elsewhere? Like you're in Johannesburg? Yes. does your federal information system people actually reach out to the civilian world?
André Keartland (00:57:53):
They do. I think in our country it's mostly towards the larger corporates. The banking industry especially, we have a really sophisticated financial services industry, but I think it's also an extent of organizations collaborate amongst themselves. And I know in this us in Europe, a lot of countries you get that there are industry associations that get formed where organizations do share information based practices, et cetera. And there's several nonprofits a a really good one in, in the cybersecurity space is os the open web application security project. They have excellent guidance on how to go about creating security for your applications and describing the threats against them and, you know, so that's a, a good place to start.
Curtis Franklin (00:58:58):
You got drink, Kurt. Well, you know, one of the things we've been talking about is the whole third party issue, whether they're helping herding coming in to, to do, I'm, I'm curious, as we're talking about all of the bits of of software development and of the, the entire, you know, DevOps process, how much are you finding the need to be verifying the security of third party components? You know, building your SBOs and looking at dependencies. How, how a necessary are you finding that? And B, how complex is that process? How, how much does it add complexity to the development process?
André Keartland (00:59:56):
Yes and yes, <laugh>. So the third party risk is one of the major issues. Because increasingly when people are developing a piece of enterprise software, they're not sitting down and writing every line of code, you know, one to a million on their local i d e. There's a lot of reuse of external libraries of APIs and web services that are out there. And these get integrated into your application and you are not always sure where those come from and what standards that they are being held to and whether they are actually secure enough. So it does make it quite complex when you're then evaluating the security of an application. Cause you have to not just look at the app. You've gotta go and look at every one of those dependency components. And there are tools that help you with that.
(01:00:49):
So a lot of your code scanning tools that we mentioned earlier on one of the things that they will do is they will basically do a reputation check against some of those external components that you're including. And they will warn you if there's something, if you are using a library that has a known vulnerability in it then that can get into your bill of materials that you can then know, okay, I need to avoid that. One of the reasons why it's really, really important that you start looking at that very early in your dev process so that you don't have your entire app written and then discover that major components of it have to be ripped out and replaced for, for those reasons. And then suddenly the, the people you have to know if you are bringing in third party external outsource developers, you know, often, you know a company might hire an entire company in another country to develop big parts of their application. Do you know who are the people that are working on that? Are they trustworthy? Have you vetted them?
Curtis Franklin (01:01:55):
Well, I know we're coming down towards the end of our time, but, but one final little question on this. With all the complexity, with all that must be done, are we passing the point at which a small organization can develop applications? You know, the, our history as an industry is filled with small companies that had to build an to, to meet their specific needs. Is that still still a realistic possibility? Or is software development and let's say here, secure and trustworthy software development, something that is now beyond the capabilities of a small team working for a small organization?
André Keartland (01:02:43):
I think it is still possible, but it is harder. It is more challenging. And that is where you do probably have to start working in collaboration between organizations where you might say, okay, we are two people in a garage and we are writing, you know, the the app that's gonna become Apple. But we perhaps u use external security professionals to actually come in and just spend some hours on our app, you know, and it's a cost and that little startup doesn't want to spend that money. But I think if you have a view that your application is going to be sold to serious customers the serious customers are going to demand that sort of level of compliance in order to move forward before they're going to spend money with you.
Louis Maresca (01:03:33):
André, time flies when you're having fun. Thanks so much for being here. Running a little low on time, but I did wanna give you a chance to tell the folks at home where they can learn more about Net Sur and maybe all the wealth of services they have to offer.
André Keartland (01:03:44):
Sure. obviously our website, so net sur.com, N E T S U R I, and thanks for putting it on the screen. Can find the links there to what we do when we do it. We obviously do a full range of professional services around especially security and we actually do a lot of work helping organizations build their security practices. Inhouse,
Louis Maresca (01:04:11):
Thanks again. Well, folks, you've done it again. That's right. You've sat through another hour. The best thing enterprise and IT podcast in the universe of tune your podcaster tow. I want to thank everyone who makes this show possible, especially to my wonderful co-host starting their very own Mr. Brian Chee sheer, you have a busy week coming up. What's going on for you in the coming week and where could people find you?
Brian Chee (01:04:33):
Actually, I'm going to be eating really good junk food <laugh> over at the central Florida Fair. They have a sick cut bacon that is just amazing and I had my first funnel cake in God, maybe 10 years. My arteries are hardening just talking about it, but you know what, I'm also really looking forward to hearing ideas for shows and so forth. We try to go by threads. So for those of you keeping score, this was part of the managed service provider thread. A lot of these threads are driven by you, the listener, and I try to go and, you know, weave that in and try and bring in guests, you know, that will fulfill your wishes. And I gotta admit, you know, this was a great talk and it's amazing how fast 30 minutes goes. But why don't you drop me a line. I still listen to my Twitter account that A D V N E T L A advanced net Lab, you're also welcome to throw an email at me. My email is scheiber spelled C H E E B E R T twit tv. And you're also welcome to throw email atw TWiT.tv and that'll hit all the hosts. Look forward to hearing from you and look forward to hearing your show's suggestions. Take care everybody.
Louis Maresca (01:06:04):
Thank you, Chiefer. We also have to thank our veryo and Mr. Curtis Franklin. Curtis also has a very busy week ahead of him. Curtis, what's coming up for you in the coming work? People find you in all your work.
Curtis Franklin (01:06:14):
Well, I will get to go over and help out Brian A. Little bit at the fair. And I'm looking forward to being able to see some of the livestock stuff while I'm there. I was a four H kid and always enjoy seeing the young people in the animals they've raised for fair. But when I'm not doing that, I'm doing research on a variety of things largely around training, both cybersecurity awareness and professional training. Doing a lot now with risk. And as I said, the quantification, which is a fascinating topic. How do you, how do you put some sort of quantity on risk? And is it possible to do so in a way that lets two corporations that might be using different tools compare their level of risk? That's where I'm gonna be spending a bunch of time this year getting ready for the RSA conference.
(01:07:17):
I'm gonna be an enterprise connect. If anyone is gonna be at either of those, would love to find out about it. You can see me going on about these things on Twitter at KG four gwa also on Mastodon KG four GWA at mastodon dot sdf, that's sierra delta foxtrot.org. And you can also follow me on LinkedIn, on Facebook. I'm pretty much everywhere there is a social network with the exception of TikTok. I just, it's not that I'm worried about them, I just have trouble saying things in little tiny video snippets. So follow me, catch up with me. I'd love to hear from you and we do appreciate you listening and watching.
Louis Maresca (01:08:09):
Thank you Kurt. It's great having you here. Well, we also have to thank you as well. You're the person who drops in each and every week to listen to our show and get your enterprise goodness. We wanna make it easy for you to listen and catch up on your enterprise news. So go to our show page right now. That's right twit.tv/TWiT. There you'll find all the amazing back episodes, the show notes, the codes information, the guest information, of course, the links of the stories that we do during the show. But more importantly right there next to those videos. There, you'll get those helpful. Subscribe and download links. Support the show by getting your audio version, your video version of your choice. Listen on any one of your devices, any one of your podcast applications cuz we're on all of them and it's really the best way to support the show.
(01:08:49):
So definitely subscribe and join the move. Now leave also heard. That's right. We also have Club Twit. It's a members-only ad free podcast service with the bonus TWIT plus feed that you can't get anywhere else. And it's only $7 a month. Only seven bucks a month. And there's a lot of great things about it. One of 'em is the exclusive access to the members only Discord server. And there's a lot of great things about that. You can chat with hosts, you can chat with producers. We have separate discussion channels plus there's also some amazing special events. That's right. Check those out as well. Lots of fun discussions going on there. Join Club twit, be part of that movement. Go to TWIT tv slash club twit. And also I want you to remember that they also offer corporate group plans as well. That's right. It's a great way to give your team access to our ad Free Tech podcasts.
(01:09:36):
And the plans start with five members at a discounted rate of $6 each per month. And you can add as many seats as you'd like. It's a really great way for to have your IT departments, your developers, your DevOps teams, your tech teams to stay up to date with access to all of our podcasts. And just like regular memberships, you can join that TWIT Discord server as well and get the TWIT plus bonus feed. So join to club twit, TWIT TV slash club twit now after you subscribe and press your friends, your family members, your coworkers with the gift of Twit, cuz we talk a lot about FunTech topics on the show and I guarantee they find it fun and interesting as well. I run into different people every day, whether it's at work or just out and about. And I tell 'em about Twit, they really enjoy it.
(01:10:20):
In fact, I got some emails recently from some people telling me how they just really enjoyed this show because I introduced it to 'em. So definitely introduced twit, twit and twit to them and make them part of that movement as well. Now I wanna make sure that you know that we do this show live. That's why Fridays 1:30 PM Pacific Time. You can check out the live streams right now, go to live TWiTtv, all the live streams are on there. Come see how the pizza's made. All the behind the scenes, all the fun stuff, all the banter we have during the show and after the show. Definitely check out the show live. If you can watch the show live. You gotta jump into our famous IRC chatroom rrc channel. That's right. Go to irc TWiTtv there. You'll find the way to just jump into the chat room right away and find some amazing characters in there.
(01:11:03):
We have some great discussions and topics that come out of that. And you know, it's just great to have a community in there. So definitely join the chat room and be part of the live show now. And I definitely want you to reach out to me. Go to twitter.com/lum. Whether it's enterprise tidbits, discussions, whatever. I'm also lu lumm at twi, that social on Macedon. You can direct message me there. Of course. Also on LinkedIn, I got a lot of messages on LinkedIn from different people all over the industry. Show ideas, guest ideas, topics about things, how to do things on office. Hey, reach out to me. I'm, I'm here for any of that stuff. If you wanna know what I do at Microsoft and in office, definitely check out developers.microsoft.com/office. There. We post all the amazing I ways for you to customize office to make it more productive for you.
(01:11:50):
And definitely check out office scripts cause that's the latest and greatest ways to record macros and run 'em across platform for Excel. I want to thank everyone who makes this show possible, especially to Leo and Lisa. They continue to support this weekend enterprise tech each and every week and we couldn't do the show without them. So thank you for all the support of the years. Thank you to all the staff and engineers at twit and of course thank you to Mr. Brian Chee one more time. He's not only our, our co-host, but he's also our tireless producer. That's why he does all the show bookings and the playings for the show. So we couldn't do the show without him. Thank you Cheever, for all your support. I want to thank a couple people before we sign out too as well, our editor for today, because of course they make us look good after the fact.
(01:12:33):
Cut out all of my mistakes and I have a lot of them. And of course we also have to thank our technical director for today, Mr. Ant Pruitt. He is the talented Mr. Ant Pruitt because he does an amazing show as well called Hands on Photography. And I'll tell you, I learned something every week on this show. Like I actually look forward to the new episodes. It's kind like me waiting for I like Will watch the Rookie or whatever. I love watching shows and waiting for the next iteration Mandalorians coming out. So, you know, I watch hop every week, what's going on this week and on Hop.
Ant Pruitt (01:13:04):
Well, thank you for that support my man. This week on the show we're talking about capturing lightning photography. I don't care what camera you have, you can capture lightning photography. It's just gonna take a little bit of patience, understanding of the exposure triangle and and making sure you're safe too. So yeah, check it out, twit.tv/for hands-on photography and I'll walk you through this tutorial, even my Las Vegas hotel room.
Louis Maresca (01:13:34):
Fantastic, thank you Anne. And until next time, I'm Lewis Maresca. Just reminding you, if you want to know what's going on in the enterprise, just keep TWiT.
Mikah Sargent (01:13:44):
Oh hey, that's a really nice iPhone you have there. You totally picked the right color. Hey, since you do use an iPhone and maybe use an iPad or an Apple Watch or an Apple tv, well you should check out iOS today. It's a show that I Mikah Sargent and my co-host, Rosemary Orchard host every Tuesday right here on the Twit Network. It covers all things iOS, tv, os, home, pod, os, watch, os, iPad os. It's all the OSS that Apple has on offer and we love to give you tips and tricks about making the most of those devices, checking out great apps and services and answering your tech questions. I hope to check it out.