Charles_Wood
Hey there and welcome to another episode of JavaScript Jabber. This week on our panel we have AJ O'Neill.
Aj:
Yo, yo, yo, coming at you live from the Heat Room.
Charles_Wood
Dan Shapir?
Dan_Shappir:
Hey from Tel Aviv, I'm alive! Did you miss me?
Aj:
I did.
Charles_Wood
Yeah. Steve Edwards?
Steve:
Yo, only one yo, not yo, yo, yo from Cloudy and Cool Portland.
Charles_Wood
and Charles Max Wood from Top End Devs. We got a little bit of sprinkled rain. I think it's a little over freezing here, so it's cold. But yeah, great to be here. We have a special guest. That is Gal Wiseman.
Gal_Weizman:
Hey guys.
Charles_Wood
I didn't get your pronunciation thing to load, so I guessed.
Gal_Weizman:
You nailed it. Garwizeman is just about right. Uh yeah, coming from Tel Aviv as well.
Charles_Wood
Good deal.
Gal_Weizman:
Yeah.
Charles_Wood
So do you wanna introduce yourself? Let us know who you are and why it's exciting to talk to you. And then Dan can tell us why it's actually exciting to talk to you.
Gal_Weizman:
Well, right now I'm the one who's
Dan_Shappir:
Ha
Gal_Weizman:
excited
Dan_Shappir:
ha.
Gal_Weizman:
to talk to you guys, but my name is Gal. I'm doing JavaScript security for the past 10 years, I think. Started off doing that in 8200, which is the cybersecurity unit of the Israeli IDF. I am kind of in love with JavaScript security, so I found myself doing that in startups that I worked for afterwards. for a while and I'm doing JavaScript security in MetaMask today as well. So that's pretty much about me.
Dan_Shappir:
Metamask is a company, right?
Gal_Weizman:
Yeah, so Metamask is a famous crypto wallet that belongs to a bigger company called ConsenSys. And lately they have a really cool initiative called Lava Mode, and Lava Mode is a project that tries to improve JavaScript security in terms of supply chains. So my project was kind of an interesting fit there. We're gonna talk about it, I assume.
Dan_Shappir:
So,
Charles_Wood
Yeah, that's the plan.
Dan_Shappir:
yeah,
Gal_Weizman:
Hehehe
Dan_Shappir:
for sure. So the word security and the other term supply chain security have come a lot up a lot during your introduction. So maybe you'll tell us a little bit about what they are and what they mean in general and to you in particular. So, I'm going to start with the first question. So, what is the most important thing that you think about when you're working with the company and what is the most important thing that you think about when you're working
Gal_Weizman:
Yeah, so I guess supply chain is a term that has been discussed a lot in the past few years, but I think that we have this massive problem where in the past years we're building web applications on top of different, on top of supply chain and different dependencies that we're relying on. And that could be kind of a big mess because it's really hard to understand what is going on building your web application, for example, out of 97% code that you don't really know and understand. And potentially it could be malicious and it could find itself executing within your web application. So to me that is supply chain security, trying to identify that problem and find a way to protect against it.
Dan_Shappir:
Are you referring mostly to stuff that we install via, let's say, NPM, or to just script tags that we embed inside our web application to load third-party scripts, or both? What are you focusing on?
Gal_Weizman:
Well, I think it really depends on the angle that you're coming from, but the security technology that I usually find myself working on is from like within the browser. So the answer to that would be all types of them, because to me, it's less about how malicious code found itself executing within any web application. It could be through NPM install, it could be through a third-party script tag. My mission is to understand how I can protect the application in runtime against malicious entities, regardless of how they ended up running within my application.
Steve:
So one of the guests we've had on here before was for us, a book DJ and talked about his company socket. Um, and you know, their attempts to help make, uh, NPM and, you know, dependencies and stuff safer and with security issues and stuff. I'm curious to see how one, if you're familiar with that, I'm assuming you might be into if you are, what's the difference between what you're doing and what socket is doing.
Gal_Weizman:
Yeah, I'm familiar with them in general, but maybe not enough. I'm pretty sure that their solution is not executing within the browser in runtime. My angle is usually about running from within the application in runtime and identifying sketchy things that might happen and then try to understand what I can do about them. That is an angle that I did before working in MetaMask, and in MetaMask, in a lot of ways, but I think that's the main difference between the approaches. Supply chain security is such a big problem that you have so many different projects and initiatives and different projects and angles trying to approach this problem.
Dan_Shappir:
By the way, just to mention that we also had the Liran Talonar show from Sneak, and they are also, their businesses are all about supply chain security. So it's worthwhile to listening to that show as well. So if I'm understanding correctly what you're saying, then you're saying that these types of solutions, Socket and Sneak, they kind of focus on preventing avoiding bringing in the malicious stuff to begin with. You're kind of focusing on the assumption that, whatever I do, some malicious stuff may find its way in. And so I've got to try to mitigate that at runtime. Am I understanding this correctly?
Gal_Weizman:
Yes, that is exactly it. It's about trying to claim that it would be pretty hard to identify those breaches when they happen and assume that maybe we'll miss some of them and try to defend the application in runtime instead of in the build process.
Aj:
So I'd looked at your project snow, which I think is what we're primarily going to be talking about, right?
Gal_Weizman:
Yeah.
Aj:
So my understanding from that was it's you load it before you load any other JavaScript and you load it as a plain old script tag so that it doesn't get screwed up by any of the bundlers or malicious software that might be tampering with the build system. And that it, uh, neuters the global object. So that the the let's use the term middleware perhaps the middle where that you want to protect runs in place of the default so the fetch that's provided is going to be your middle where fetch rather than the raw fetch. Can you can remove things from the global object is that did i get the right sense of it.
Gal_Weizman:
That's the sense of it. I mean, I guess fetch is a problematic example only because fetch is not part of what I'm trying to defend. But as an example, yes, that is the essence of it. The idea with Snow is to act as a JavaScript shim. And part of it is to hook and monkey patch different APIs within the browser in order to be able to allow Snow's logic execution.
Aj:
So why not fetch? Is that because we already have the content security policy that can whitelist?
Gal_Weizman:
So the reason Snow doesn't treat fetch is because fetch is not one of the problems that Snow has to deal with. So just to put things in context, Snow's job is to make sure that any new realm that comes to life within the application goes through Snow. And that is because realms are actually kind of a security hazard in terms of supply chain. that we can also try to explain.
Aj:
Yeah, what's a realm?
Gal_Weizman:
Okay, yeah, that's
Charles_Wood
Yeah,
Gal_Weizman:
a good.
Charles_Wood
that's what I was gonna ask.
Gal_Weizman:
All right, yeah, great question.
Charles_Wood
I read fantasy novels, I know what that means there.
Gal_Weizman:
So the context here is a little bit different than that. But a Realm is basically the execution environment and the set of APIs and the global object that you receive when you create a new execution environment. So for example, just to make it more clear, when I go on Facebook.com, then Facebook runs within an entire Realm called Top. presentation of that realm. And then within Facebook, for example, I can create new iframes. So iframes have their own realm. They have their own execution environment. They have their own global object. They're meeting their own window. And they have their own set of APIs, which are different than the set of APIs of the top window.
Dan_Shappir:
If I can, so if I am trying to think about it, basically it seems to me that what you're saying is that the realm is defined as all the objects that I can get to via the global object which I can always access, like the
Gal_Weizman:
Yeah,
Dan_Shappir:
global
Gal_Weizman:
that's...
Dan_Shappir:
scope. The root object, like if I'm thinking about it from the perspective of let's say garbage collection, then you have kind of a root object that through it can get to all sorts of things. And as long as you can get at something, it needs to continue to exist. It can be collected once you can't get to it. So the realm kind of is defined by everything that you can get to by getting to the global object. I think it's now defined to be called something like global this, but most people who are using the browser are familiar with it as basically as the window object like that. And
Gal_Weizman:
Yeah, that's exactly right. Sorry.
Dan_Shappir:
from the window, I can get, like you said, I could do window.top or window.document and all the various globals. I know that JavaScript has some globals that don't exactly live on the window. They live kind of somewhere else, but they're also kind of global. So effectively, everything that's global and everything that you can get to via global.
Gal_Weizman:
Yeah.
Dan_Shappir:
challenging because the same thing that you said that you work by monkey patching, that's possible because JavaScript is so amicable to monkey patching. It was intentionally designed this way. I think Brendan Eich, when he created JavaScript, realized that he's not going to be able to create this as a fully functional, completely specced and designed and implemented environment days that he had, so he intentionally made it very monkey patchable so that it could be extended over time. And that's what enables polyfills and stuff like that, everything that makes JavaScript be able to be backward, forward compatible, and so forth. And that, I understand from what you've said so far, is also kind of what you leverage to create a secure realm. But at the same time, it seems to me in the way of creating a secure realm since I can, like, well, effectively monkey patch everything. You know, like, I don't know, inject something into the prototype or I don't know, whatever. But again, maybe I'm kind of jumping the gun and let's get back to what you were explaining about realms.
Gal_Weizman:
Oh, yeah, no, I think that's a great point. I think that's actually a big part of the challenge in creating Snow. So Snow's job is to allow you to register a callback. And Snow's job is to call that callback with every new Realm that comes to life within the application before the creator of that Realm has access to it. So that means if any piece of code creates an iframe, for example, that Snow's job is to identify that and synchronously provide that new iframes window to the register of the Snow callback before providing that window onto the creator of that window. And achieving that is really complicated because of all the stuff you said. I need to make sure that I hook every possible way of creating an iframe. I need to make sure that I can do so synchronously, which is very complicated. And I need to make sure that every API that cannot be monkey patched by a different entity that executes afterwards. And that is really challenging but so far seems to be possible.
Dan_Shappir:
So what? You're not actually blocking things you're you're Creating a callback that allows me to know and then do what?
Gal_Weizman:
Yeah, so that's the point about Snow. Snow's job is not to apply its own security logic. The idea is to allow you to create your own security logic, your own security tool that you expect to run in a web page, and use Snow to apply your logic not only to the top mainframe, but automatically to all the different realms that might come up in the application. Let's say I have a security tool that simply blocks the access to local storage for scripts that are third-party scripts just because I want to protect it in a certain way. Obviously, I can think of more complicated logic to implement, but let's stick to that for now. So I can use Snow to automatically apply that protection to all new realms that any piece of code might create within the application. important because if as an attacker I want to gain access to local storage even though your security tool I can do so by just creating a new iframe and then accessing the local storage from within that iframe because your security mechanism is only applied to the top main realm. Snow allows you to take your security mechanism and automatically apply it to all new realms and that is done by providing it with the callback.
Dan_Shappir:
When you talk about I-frames, are you talking about mostly about same origin I-frame, different origin I-frames, both? What's the focus here? Because I-frames behave very differently if they're coming from the same origin or from a different origin.
Gal_Weizman:
Yeah, that's an excellent question. That's a big part of the project. So Snow's job is only around same region realms, because the idea is that same region realms are dangerous in the sense that anyone can just create new same region frames and then use their APIs to bypass any security mechanism that apply to the top main frame. cross origin frame, then an attacker wouldn't be able to leverage it synchronously because you don't have access to cross origin frames, that would be a security breach. So in the same sense, Snow only tries to protect same origin frames and Snow has a complete, like an advanced technique to understand whether the iframe that he's just catched is same origin and should be applied with the protection or cross origin and should be left alone.
Dan_Shappir:
So basically what you're saying is that if it's a cross-origin iframe, then the cross-origin security policies that browsers have in place are effectively good enough from your perspective. Going back to your local storage example, they can read and write to the local storage, but they can't read and write to your local storage. So they can put whatever junk they want in their own local storage. You want to prevent somebody creating an iframe in order to get... So, going again back to your local storage example, let's say I'm putting stuff... I want to put stuff which I kind of want to keep private in local storage. We can debate whether it's a good idea or not, but
Gal_Weizman:
Mm-hmm.
Dan_Shappir:
let's say I'm doing that. And in order to prevent third-party code from getting at it, what you're saying, the local storage, I'm replacing it with my own shim, which let's say gets an extra parameter, which is some sort of a security key or whatever, and without that security key, you can't read or write from that local storage or something like that. You know if I want to make sure that somebody doesn't create an asset an iframe with the same origin and Within that iframe the local storage is not replaced because it lives on the window of that Iframe not on the main window, which like I said I patched So I want to catch that and and do what what do you see people usually doing?
Gal_Weizman:
So I want to, that was exactly right. The idea is to do just that and apply the security mechanism that you just described for local storage. So you just described a mechanism that needs to get a key and only with that key you can have access. So I want to use Snow to automatically apply that to the iFirms realm as well. So basically automatically monkey patch that security mechanism local storage key to the window of the iframe as well. And then does that make sense?
Dan_Shappir:
Yeah, I'm just thinking about whether it's possible to monkey patch a service like local storage in a way that makes it quote unquote secure to begin with. Because it feels almost to the extent that whatever data gets to the client side, I can't rely on it being like secure almost.
Gal_Weizman:
So it doesn't have to be local storage access. It could be any type of an example. So for example, one thing that we're trying to do in lava mode, which is a whole new project, but we're trying to actually make realms unusable. So the idea is to use Snow to catch every new iframe that might be created in the web app and then basically delete it or delete its properties. its properties, like its global objects properties, unusable by deleting them or redefining them. Because we have the ability to protect the top main realm with the LavaMode's different techniques, which are basically out of scope here. But defending those realms and preventing an attacker from using the APIs of those realms is a different task. And we don't want anyone to create realms with our web because there is no need to that. So we can use Snow to just eliminate them basically. And that's just one example. You can use Snow to basically just shape how you want the realms to look like. And if you want to apply certain monkey patches or different APIs to your top main realm and you want every new realm to look the same, then you can use Snow to accomplish that.
Charles_Wood
Yeah, I'm still trying to wrap my head around some of this. So first of all, just to kind of back up a little bit. So if I create an iframe with the same domain origin that I have for my primary website or my main realm, I mean, how does that usually lead to some kind of compromise on the front end? Because I have to admit, at all. I probably have some plugins on my website that do, I think, discuss the comments section right on top of devs. It does that kind of thing, but it's a cross-domain thing. We're not even talking about that, but for my own development, I just don't use them. I'm trying to figure out where the security vulnerability is. It sounds like those realms to the local storage, probably have access to the session data and things like that on the
Dan_Shappir:
cookies.
Charles_Wood
cookies. All that stuff could make API calls to the back end and be authenticated through the cookie session, whatever. I understand how that is compromised, but if it's the same domain or how are people compromising that realm?
Gal_Weizman:
Yeah, so I think it's really important to understand the context of this security aspect. So what we're trying to defend here is the application from malicious code being executed there. Now, let's back it up before Snow. You have today different security tools. I know ParameterX are developing such security tools and you have Akamai and you also have LavaMode which we're
Charles_Wood
Gal_Weizman:
working on. And those different security tools basically saying, so my application might execute malicious code, and it might use network access and storage access and DOM
Charles_Wood
Mm-hmm.
Gal_Weizman:
access to steal information from the web application. And I want to understand if I can stop them. So
Dan_Shappir:
Thanks for watching!
Gal_Weizman:
I can implement different security mechanism with those tools to protect access to storage, to protect access to monitor anything that goes to the network and those security tools, they exist and they do different stuff and they're trying to protect that aspect. Now, what I'm trying to accomplish with Snow is basically tell those security tools, hey, your security mechanism is an important mission to accomplish. But if you're trying to protect different APIs by monkey patching them, but you're not doing that automatically
Dan_Shappir:
you
Gal_Weizman:
that means that an attacker can ignore your security mechanism and ignore your monkey patches that are trying to protect the web application
Charles_Wood
Okay.
Gal_Weizman:
by simply going through the iframe instead of the top main realm. Allow Snow to automatically apply your security mechanism to all the different realms so an attacker wouldn't be able to create an iframe and bypass your mechanism.
Dan_Shappir:
Chuck, I'll give you an example. I think it kind of relates to an example that you, Gal, gave in one of your posts that you wrote about this. Think about this way. Let's say I have an iframe, the same domain iframe, and once it's the same domain iframe, you know, you don't need post message to communicate between the containing window and the iframe. You can just call functions back and forth and all executing in the same quote unquote thread. Let's say I create an array within the iFrame, or within let's say the global window, and pass it into the iFrame, into a function within the iFrame. Within that iFrame, I use isArray to test whether this is an array or not. Do you know what it
Charles_Wood
Mm-hmm.
Dan_Shappir:
will say? is array will actually say that it is, I think. But if you use it to compare via prototype, it will say that it isn't. An
Charles_Wood
Mm.
Dan_Shappir:
array within the iframe and an array from outside the iframe would have different array prototypes.
Charles_Wood
Okay.
Dan_Shappir:
So if you try to prevent certain operations being performed on an array modifying the array prototype, that would take effect in the, let's say, your main window. But if malicious code running within your main window created an iframe behind your back, passed an array into that iframe, copied data, let's say, into an array created within that iframe, those protections that you put in place would not be there.
Gal_Weizman:
Yeah.
Dan_Shappir:
I'm kind of struggling to think about what protections I can actually put, but I gather that's not really your problem, Gal.
Gal_Weizman:
Hehe
Dan_Shappir:
You're just there to prevent people creating these types of malicious iframes, or at the very least to know that some code created such a malicious iframe, trying to, like you said, maybe you close it, maybe you neuter it, maybe you do something else with it, but problem is if I understand correctly.
Gal_Weizman:
Well, technically, yes, it is not my problem. It is out of scope, but it is definitely my problem in the sense of if there isn't any use for that, then there isn't any use for snow, and then I'm working for nothing. So hopefully, people
Charles_Wood
Mm-hmm.
Gal_Weizman:
will find it useful. But to try to explain a little bit more what Dan just said, Dan was referring to identity discontinuities. So I think the best example is, For example, if I create a new anchor element, and then, so you know you have instance of, so you can ask if that new anchor element is an instance of the HTML anchor element prototype, and the answer would be yes. But if you try to compare that anchor element to the prototype of the anchor element that comes from an iframe, then the answer would be no. That is because it is not an instance encore prototype of the top main frame, it is an instance of the encore element of an iframe, and that is not the same thing. And that is basically
Charles_Wood
Mm-hmm.
Gal_Weizman:
identity discontinuity. So Snow's job is basically to make sure that if there is a security mechanism that you want to implement, no matter what it is, and there are actual examples today. So there are, for example, patch network requests and instead of using CSP to try to identify specific bits of the request or specific bits of the post message and try to understand if there's anything there that should be blocked or not. And they accomplish that by monkey patching the top mainframe. But as I said before, that is basically useless if you don't monkey patch those network
Charles_Wood
Right.
Gal_Weizman:
as well.
Steve:
Can I ask one quick question here? We've been throwing around the term monkey patch. Has anybody defined it?
Gal_Weizman:
Yeah, so monkey patching is the ability, as Dan said before, in JavaScript you have the ability to override the behavior of functions. So for example, we have the alert function that comes from the window object. So I can override alert to, instead of popping an alert message, to become a new function that console logs
Dan_Shappir:
you
Gal_Weizman:
the content of the message instead of popping the alert.
Charles_Wood
Mm-hmm.
Gal_Weizman:
That's like an example for monkey patching.
Steve:
The point is that you're doing it at runtime as compared to say compile time.
Gal_Weizman:
That's exactly right. Yeah.
Steve:
Okay.
Dan_Shappir:
Yeah, it's the same mechanism that enables polyfields. In JavaScript, I kind of refer to JavaScript as being the most dynamic of all dynamic languages and the browser environment to be like a reflection of that. So for example, you can take any existing JavaScript object and add properties to it, remove properties from it, replace properties. And this way you can modify
Aj:
I'm going to go ahead and start the presentation.
Dan_Shappir:
a whole class of objects.
Aj:
Okay.
Dan_Shappir:
And as we know,
Aj:
Okay.
Dan_Shappir:
polyfields kind of depend on that.
Aj:
Okay.
Dan_Shappir:
Also, you can go to the global
Aj:
Okay.
Dan_Shappir:
object and add stuff there.
Dan_Shappir:
JavaScript itself and the browser environment in general is very malleable. By the way, I recently learned something interesting that Dino intentionally prevents certain modifications to the prototype chain. I think they block the
Aj:
you
Dan_Shappir:
underscore, underscore, proto, underscore, underscore property on objects so that people don't intentionally abuse it. They see it as an attack vector. So they decided to block it, which is really interesting. But like I said, Brendan and I intentionally made JavaScript very malleable. reduces certain security issues. Although again, you might argue that the client side is such a vulnerable environment in any event that any really important data that needs to be kept secure just needs to be kept on the server side and that's it.
Gal_Weizman:
Yeah, I also think that you can look at Snow not only in the security aspect, but the idea is that you have the ability with Snow to shape all the new same-region realms in the page the way you want it. So, for example, let's look at it in a monitoring perspective rather than security. I do know that there are different monitoring tools that are trying to network calls or stuff like that. And today they cannot do so for same region realms. Now there are web applications that create same region realms and they have actual activity in there, but there is no possible way for those monitoring tools to monitor the activity within those realms as well because they don't have snow. So if I want to monitor with my monitoring tool, exceptions that might be thrown, I can do so within all same region realms automatically using snow. So that's also an example that is not security oriented to how snow is useful.
Dan_Shappir:
Now, you said that the way to embed Snow within my website is basically put in a synchronous script tag at the very top of the HTML. It kind of blocks everything until it downloads. When it downloads, it runs. And then you kind of, like you said, you patch all the ways in which an iframe can be created. Are there ways to create same origin realms other games, by the way.
Gal_Weizman:
Yes, so you can achieve the same region realms via embed object, sorry, embed element, object element. There is also the deprecated frame element that still works and accomplishes the same thing. You can achieve the same realm or region by using the Open API. So you have window.open that creates a new tab. And if that tab is same region, then you have synchronous access to it. And there are just so many other examples. to patch the different ways, whether I use programmatic JavaScript to insert new realms, aka create element, and then append to body. But I also have to make sure I can do so for inner HTML, because you can introduce the same original realms via iframes within inner HTML calls, which just goes to show how complicated this project is.
Dan_Shappir:
And it's an open source project from what I understand. It's not a product provided by the company that you work at or is it?
Gal_Weizman:
So right now, it's an open source project licensed as MIT. Lava mode, by the way, is the same story so far. We're trying to show that there are important security aspects that should be treated. And we invite anyone to have a look, to build on top, and to just use it, basically.
Dan_Shappir:
So how is lava mode different from snow? What does it provide?
Gal_Weizman:
So Lava Mode is kind of a whole different project, but the idea there is to, so Lava Mode is a tool that allows you to build your web application using Lava Mode. And Lava Mode has its own policy that basically says which dependency can access what APIs in the web app. So for example, if I have a web application that creates network access using fetch. So lava mode would have within its policy, a directive that says this dependency can only access the fetch API. And that is, and then it builds itself with a protection mechanism that uses this policy to enforce it in execution in runtime. So why is that actually useful? certain dependency
Aj:
Thanks for watching!
Gal_Weizman:
gets breached by a third party entity that tries to implement access to, I don't know, cookies, for example, then the access would be blocked
Aj:
Thanks for watching!
Gal_Weizman:
in real time just because the policy, the Lava Mode policy in real time doesn't reflect access to document.cookie. It only reflects access to network API. So that's what Lava Mode does, and it's a really interesting project as well. If that makes sense.
Aj:
So I wanted to ask about, well, if anybody else had anything to say about love mode, but I wanted to ask about diminishing returns and where the focus of security is best spent because there's a million things that can do. It gets really confusing. One of the terrible things is that people are told, oh, security is too hard. Don't learn it. And not everything that can be done should be done There are some things like putting a deadbolt on your front and back door are going to eliminate 99% of threats if you use the deadbolt correctly, right? Then there's barring up your windows is going to reduce another 0.1% of threats and then Putting steel plates around your house is going to reduce another 0.00001% So when you're looking at our web application and where the security needs to be, what are your thoughts on where are you getting the 90% with the least amount of custom configuration or, or highly specific application knowledge? And then what works towards the diminishing returns of, you know, at some point, you know, you're doing something that's highly specific that doesn't really provide a lot of protection.
Gal_Weizman:
So I don't know if I'd see it that way. I think that security is important. When it comes to technology, security is important in most aspects. I think what SNCC is doing and the companies that are trying to secure against supply chain attack and build time is really important. But I think it was proven over and over that even though we have tools like SNCC and tools that work in a build time, there are still ways to breach the supply chain. And also, you might find web application execute malicious code that were not introduced as part of the supply chain. So for example, third-party script tags can also be breached. And you don't have a way to control that because it's not part of your supply chain. It's just embedded within your application, not to mention XSS attacks, which are less common today, but are also potentially a problem. So I think runtime protection is important. I think there are multiple companies that are trying to solve that issue by creating advanced security tools. And I'm just trying to bring Snow to help those security tools to be complete. Because if you don't use your security mechanism on all potential realms, you might find yourself just as vulnerable
Dan_Shappir:
Yeah,
Gal_Weizman:
That's how I see it.
Dan_Shappir:
I have to concur with that because I don't think the concept of the diminishing return in the analogy that you used, AJ, kind of fits here. Because when you're looking at the effort about breaking into a house, it's not the same as the concept of hacking into systems. along, it becomes so immensely valuable and profitable that everybody will gain access to that sooner or later because of the way in which hacking tools are propagated. So I see it that the way that is that even if you leave like a 1% entry point into your 1% is identified, it's as if you have no protection at all. So I don't totally agree with the concept of diminishing returns here. I am...
Aj:
Well, so for example, for example, if you don't include third party scripts on the page through sources that you can't audit, right, you could eliminate, you make things part of your supply chain. So when you say third party scripts, I think of things like Stripe, right. Which
Gal_Weizman:
Mm-hmm.
Aj:
Stripe is one of the few that I think are reasonable to trust, but you could download that and you could load it from your own domain. And then you could eliminate Stripe as something that has third party risk because you could say, well, all the functionality of what Stripe needs to do is contained in this JavaScript file. If we host this JavaScript file from our own server, then we have eliminated the ability for Stripe to be compromised and for it to send us malicious code, which I think Stripe is a, an unlikely example in this case, but it's But if you've got some sort of stupid widget that I don't know, automates dark mode or something, uh, you know, you, you could have these widgets that are third-party scripts that if you just host them yourself so that you're not, or, or put them in your CDN, actually pay for a CDN. That's that's a real CDN, not a, not one of these fake buzzword type CDNs, but pay for a real CDN if you need it, or just, you know, host it off your server, bring those third-party dependencies, just download them. You don't just download them. Then you've eliminated third party scripts being modified without you're being aware. That way when you push to prod, that's the only time those scripts get modified unless the CDN becomes vulnerable.
Dan_Shappir:
Yeah,
Aj:
Right.
Dan_Shappir:
but...
Aj:
So there are things you can do
Charles_Wood
Yeah...
Aj:
to eliminate 99%
Dan_Shappir:
Yeah,
Aj:
of the
Gal_Weizman:
I
Dan_Shappir:
but...
Aj:
risk.
Gal_Weizman:
think effectively there's a reason why that's not the case forever, basically, because even though we understand the implications, we still see web applications being built that way for multiple reasons. One of them is that a third-party script sometimes answers a certain service that you need in your web application. And you
Aj:
Yeah, you can just download it. You don't need to.
Dan_Shappir:
No, but realistically...
Gal_Weizman:
want the provider to be able to update it
Dan_Shappir:
Yeah,
Gal_Weizman:
your
Dan_Shappir:
I think that's the key thing. I think that most third-party script providers don't really want you to be downloading their script and running their script off of your own CDN or domain or whatever because they want to be able to update that script. So if we're looking at the majority of third-party scripts that come in not via NPM but via script tags or stuff You know, we're talking about various pixels and marketing pixels and stuff like that. They all unfortunately
Aj:
So all that's
Dan_Shappir:
come
Aj:
the vulnerability,
Dan_Shappir:
from...
Aj:
right?
Dan_Shappir:
Yeah.
Charles_Wood
Okay, I want to pump the brakes here just for a second, because it feels like this is a huge tangent off of what we're actually talking about in the sense that, yeah, in the broader discussion of supply chain vulnerabilities, I mean, some of these things matter, and speaking to specific strategies makes sense. But what we're talking about here with Gal is this specific approach and this specific and all of your other security tools like the things that would do the audits during the build or do the audits in runtime or things like that. Those are all things that we can pull in and make sense for attacking supply chain vulnerabilities. But I'd like to go as deep as we can on this particular area of vulnerability and make sure that our listeners understand it and understand how to mitigate it in place because I feel like we've covered those on other episodes.
Dan_Shappir:
Oh.
Aj:
Okay, but my question is, you can't just say, oh no, this is just as important as everything else. That's a cop out. You got to give me some sense of scale of, you know, if you're to prioritize, where does this fit in? It's got to have some sort of priority. Not everything is priority one.
Charles_Wood
I agree with you, but my point with this is this applies the... It's really distracting the delay in the video here.
Gal_Weizman:
Thanks for watching!
Charles_Wood
My point is, is if we're looking at this and we're thinking about, okay, how do we bring this stuff in? What we're saying is this closes the door if you have the other pieces in place so that they can't be exploited across the other parts of your application.
Dan_Shappir:
And
Charles_Wood
priority, but once you have these other pieces in place, you're closing the door to this particular type of end
Aj:
you
Charles_Wood
run around your security.
Dan_Shappir:
I would add to that, or I would phrase it as following. If you have a system in place that supposedly adds a layer of protection at runtime, unless that system also addresses the issue of additional realms in the same domain,
Charles_Wood
Mm-hmm.
Dan_Shappir:
then it's done nothing. So basically the point is either you're not using such a solution at all, whatever tests you're doing at build time. But if you have decided to also address supply chain security at runtime, then you have to factor in realms because you know that otherwise they'll be exploited. That's, I think, is the basic,
Charles_Wood
Yeah.
Dan_Shappir:
is the gist of the thing. Correct me if I'm wrong, Gal.
Gal_Weizman:
Yeah, I agree completely.
Charles_Wood
So one thing that I do want to add in here, because this also goes to the idea of when and how to implement this, is that sometimes there's a bit of a setup process. There's a real cost in time or effort to putting something like Snow in. And sometimes it's relatively simple. Can you just walk us through that process so we can also evaluate not just, OK, somebody might write their script such that it tries it on the main realm, and then it tries see if you've plugged that hole. Yeah. How much work is it to put this in so that they can't use the realm or they can't create their own realm and end run you.
Gal_Weizman:
Yeah. So for example, if I want to eliminate access to realms completely using snow, are you talking about, are you referring to the implementation of snow or the
Charles_Wood
Yeah.
Gal_Weizman:
usage of snow?
Charles_Wood
Usage. Like, how do I stick this on my page and know that it's, you know, to the extent that it's effective and I'm assuming you've got most of the use cases, if not all of them, that are currently known covered, you know, what do I have to do to get that in my app?
Gal_Weizman:
Yeah, so if you're the creator of the app, then what you'd have to do is to, as Dan said before, have the script tag that brings Snow in synchronously. And then in another script tag, you can just call the new callback that's set to window called Snow. And you pass Snow a callback. And that callback will be provided with every new window that comes to life. So that is how you implement Snow. If you're a third-party service that security tools and want to enhance your security mechanism using Snow, then you can also include Snow as a dependency and then serve your mechanism, your security tool, with Snow within it and consume it just the same. And if you want to use Snow, then all you have to do is just call the callback and provide it with a callback that will shape the new if I want to use Snow to eliminate all new realms because my web application should not allow realms, I can do so by getting that window, accessing its frame element and detaching it from the window, for example. But usually the best case for using Snow would not be by the web application. I expect the third party security vendors automatically to the realms using snow.
Charles_Wood
So the other question that this brings up for me then is, let's say that I install, I put snow on my page, right? And then I pull in some security feature function that also includes snow. And I pull in a third one that also includes snow. How does that stack up? Do I wind up with three instances of snow? Or does it sort of merge the configs from all of them? How does it figure that out?
Gal_Weizman:
So being a shim, you can't really have multiple snows in your page because they eventually apply different monkey patches, as we mentioned before. And it
Charles_Wood
Okay.
Gal_Weizman:
makes sure they are non-configurable due to security reasons. So if you have another instance of snow, you'll see a clash. But making sure that there's only one instance of snow in your self-maintained application should be possible.
Charles_Wood
Okay. I'm
Gal_Weizman:
Yeah.
Charles_Wood
just still kind of wrapping my head around. Yeah.
Gal_Weizman:
Mm-hmm.
Charles_Wood
If I include, let's say
Dan_Shappir:
Thanks for
Charles_Wood
sneak
Dan_Shappir:
watching!
Charles_Wood
includes one, right. And they give me a script to put on my page or put into my build process. And then I want to use it as well. Yeah. I guess that's my concern is do I have to kind of de-duplicate it somehow or.
Gal_Weizman:
So if two different vendors want to use Snow, so one thing that could be done is to, I
Dan_Shappir:
you
Gal_Weizman:
mean, eventually you have access to the callback and you can provide it with a callback, you can call that function multiple times. You can provide it with multiple callbacks and then Snow would pass
Charles_Wood
Okay.
Gal_Weizman:
the new window to the chain of callbacks.
Dan_Shappir:
By the way, how big is snow?
Charles_Wood
Okay.
Gal_Weizman:
That's a good question. I'm not even sure, but it's really, it's pretty small. I can check that real quick also.
Dan_Shappir:
And like you said, it's an open source project. Are you working on this alone? Are there other contributors? I get one of the things that, you know what, answer that before I bring up to the next point.
Gal_Weizman:
Yeah, so currently I work on Snow almost all by myself. I have a couple of coworkers from Metamask and Lavamode project who helped me with different parts of the project. I also managed to get other security experts interested in the project, and they suggested ways to bypass Snow, which was excellent. It just showed how complicated the problem to solve. And a big part of the job was also to address those issues and make sure that I can patch them and that Snow can address those issues and remain as secure as possible. But right now, I work on Snow almost only by myself.
Dan_Shappir:
Are you looking for additional people to work with you on the project?
Gal_Weizman:
Yeah, I would love any help. I'm looking for help. I'm mainly looking for adoption. And anyone who's just interested in the initiative and wants to pitch in, in any way.
Dan_Shappir:
By the way, we kind of mentioned
Charles_Wood
So.
Dan_Shappir:
it during our discussion at the beginning of the show or I think we also talked about it, you and I, before the show, that you kind of achieved something of the holy grail of the open source maintainers
Charles_Wood
haha
Dan_Shappir:
that you're effectively being paid to work on your open source project. Is that correct?
Gal_Weizman:
Well, to a certain extent, we came up with a small agreement on when I joined MetaMask and brought Snow with me. Because Snow was a project that I started off before MetaMask. So coming along, working on lava mode, and bringing Snow with me was part of that. Yeah.
Dan_Shappir:
So basically you said if you want me, you got to also take my project along with me or something along those lines.
Gal_Weizman:
To a certain extent, I think the tone was more about, I love what you do in Lava Mode. I think that's a really interesting initiative. And I think that if you're looking to secure the supply chain for other people and for Metamask as well, I think that Snow is a really interesting way to do that in just a different layer. And we already found a useful example of how Snow is implemented with Lava Mode to all different realms within the application. So it's really cool to see how those things combine.
Charles_Wood
I think I just heard that it's story time. Is there somebody out there using snow or lava mode or both that had some kind of measurable or noticeable effect?
Gal_Weizman:
That's a good question. I'm mostly on the research and development part at this point. I do know that, well, MetaMask, it is built within MetaMask, so that's easier to implement, but MetaMask eventually is a really big project with like, I think, 30-something million users, and both Lava Mode and Snow protect MetaMask at this point. because we're not really reporting those attacks. We just make sure that they're not possible to begin with. But we do know that once in a while, you hear of different dependencies that were breached and somehow managed to access different web applications. I think it never happened to Metamask, but they were already so into creating such a security tool just out of fear of being a company that
Charles_Wood
sense.
Gal_Weizman:
Yeah.
Charles_Wood
Well, we've been going for about an hour. Are there any other points that we need to bring up before we start moving toward self-promo and picks?
Gal_Weizman:
Um, yeah, I think another point is that, well, I guess, I think that's pretty much it. That was about Snow. I think it's a cool project, and I would love to see people either use it or maybe help out with it or at least showing some interest. I find it really interesting how difficult it is to push this forward. But I love how that's part of the journey, so it's pretty fun.
Charles_Wood
Yeah,
Steve:
I would like
Charles_Wood
makes
Steve:
to make
Charles_Wood
sense.
Steve:
a point about how coding relies on animals. Um, for instance, we talked about monkey patching and if you think about rubber ducking and I've heard the term duck punching, um, which to me seems rather violent, so I think it's important that we recognize coatings dependence on animals for illustrations.
Dan_Shappir:
Camel casing.
Steve:
That's all camel casing. Thank you very much.
Charles_Wood
Duck typing.
Steve:
Yep. Yep. The duck seems to take the most abuse and praise as well. So it's sort of a two edged sword, I guess.
Charles_Wood
Yeah, well, and then they anyway, Gal, if people want to connect with you either to volunteer to help or because they have questions or they want to see where this could take them with the stuff they're working on, what's the best way to connect with you?
Gal_Weizman:
Well, I am as reachable as possible and I'm making sure to look out for messages, but Twitter is a good place, at Wiseman Gal, GitHub on Wiseman. Yeah,
Dan_Shappir:
You're not on Mastodon
Gal_Weizman:
those two are
Dan_Shappir:
yet?
Gal_Weizman:
good. That's a really good question. I am
Charles_Wood
There's
Gal_Weizman:
avoiding
Charles_Wood
another animal.
Gal_Weizman:
it.
Charles_Wood
That one's extinct.
Dan_Shappir:
Ha!
Gal_Weizman:
Yeah, yeah, yeah, I might have to transfer there at some point. I'm just trying to deny the whole situation, but like
Dan_Shappir:
Well...
Gal_Weizman:
might not be able to do it for long.
Dan_Shappir:
Well, what I...
Aj:
No, you gotta get Twitter blue. You gotta support, you gotta support free speech.
Dan_Shappir:
I'm basically straddling both worlds. I'm basically, I'm using this tool that anything that I tweet gets tooted and I've not yet gone the other way around, but I might do it as well. But
Gal_Weizman:
Thanks for watching!
Dan_Shappir:
that way, it just has that I need to look at two places instead of one. But other than that, it's okay, I can live with that. By the
Charles_Wood
Yeah.
Dan_Shappir:
way, how do people find the actual project, both snow and lava mode?
Gal_Weizman:
Yeah, so they're both out under the organization LavaMode. So if you go on github.com slash LavaMode, you'll find all of them.
Dan_Shappir:
How do you spell
Gal_Weizman:
I think
Dan_Shappir:
that, by the way?
Gal_Weizman:
LavaMode, so you spell it Lava, L-A-V-A, and then mode would be M-O-A-T. So just combine them, and you get LavaMode. And when you go on the organization on GitHub, you get, I think the two pinned projects are LavaMode and Snow. So you'll find both of them.
Steve:
Now how does that work where you have lava and snow working against each other? Does the lava usually
Gal_Weizman:
Yeah,
Steve:
melt
Gal_Weizman:
that's an
Steve:
the snow or vice versa?
Gal_Weizman:
excellent question. When we published one of the articles talking about how I think it's really important to implement snow within lava modes, so we actually used Dolly to come up with a cool picture that combines snow and lava and also a fox, because Metamask's logo is a fox. And after a couple of tries, it actually turned out pretty cool. volcano with lava and it's like a snowy view and it turned out pretty cool so good work
Charles_Wood
Good deal. Now, I think we were gonna talk a little bit about chat GPT, but we'll hold that for after the picks. And we'll just leave it on as bonus content. So we added a section a few weeks ago, maybe a month ago, where people get to self-promote, they get to talk about the stuff that they're working on, and then we do our picks, which is the normal thing. AJ, do you wanna start us off with the self-promo? What are you working on?
Aj:
What am I working on? I don't know right now. Ha ha ha.
Charles_Wood
Okay. There are those weeks. All right, how about you, Dan? Anything you're working on you wanna let people know
Dan_Shappir:
Well,
Charles_Wood
about?
Dan_Shappir:
I'm a working stiff, so most of the job, most of the work that I do is just working for the man, doing the day-to-day. Part of my picks will be the conference that I recently spoke at, and maybe mention some of the conferences that I'm about to speak at. So these are the things that they do are kind of outside my normal day-to-day. I'm mostly focusing about performance both on the front end and on the back end at Next Insurance, the company that I'm working at. It's interesting because we use a variety of frameworks and a variety of services and platforms. So working across all of these, both on the front end and the back end, can be really challenging. And yeah, those are the things that I'm currently working on.
Charles_Wood
All right, good deal. How about you, Steve?
Steve:
I guess the closest thing I can think of from a public standpoint is a couple of episodes we've done on Views on View, our other podcast lately, where I talked to Adam Jar from View Mastery.
Charles_Wood
Cool.
Steve:
The impetus was a course that I did for View Mastery, Shameless Plug, called Nux 3 Essentials. We just talked about View Mastery and how they do their stuff, how they make their magic, any other course that's out there. And then another one I did with one of my favorite guests, Debbie O'Brien from the Nux community and a new testing tool she has called Playwright. It's an end-to-end
Dan_Shappir:
Oh, Playwrights
Steve:
type
Dan_Shappir:
famous!
Steve:
tool, sort of like Cypress. Yeah, it's really pretty sweet if you look at it and all the things that it can do, some of the stuff it spins up for you just right out of the box, you know, generating some test stubs and things like that. So yeah, those are some pretty cool episodes. I like those. So you can check out views on view for those.
Dan_Shappir:
I think we said that we should bring you on the show once, you know, sometime in the future, not as a host, but as a guest representing Vue and the Vue community.
Steve:
Yeah, I don't know how much I can represent the community as a whole, but yeah, I could certainly talk about what I know and see.
Charles_Wood
Yeah, that'd be awesome. I'm gonna throw up a few things that I'm working on. One of the things that I've been working on lately is just getting basically an RSS subscription via email through ActiveCampaign. So watch for an email form to show up on the website where you can go and you can get emailed when we put out a new episode. The other thing that I'm working on, and this is a new podcast, to pull at your coding career. I have people ask me questions all the time about how to learn new things or figure out what's going on in the community or how to get unstuck, how to work with their boss, how to get a raise. And so I'm just going to answer those questions. It's not going to be as long form as this, where we're talking for an hour or so. I'm aiming for about 10, maybe 15 minutes at the outside. Probably going to do it multiple times a week. Yeah, just talk through those things. If you want a longer session with me, you can pick up a half hour session with me. Just go to topendevs.com slash coaching. You do have to apply to one of the two coaching programs, but from there, we'll work that out. If you wanna just slide a question in and you don't want to go the full coaching route, topendevs membership, we try and make sure we have one or two Q&A calls every month. You can submit your questions ahead of time, and then we'll make sure that
Aj:
Mm.
Charles_Wood
we're talking through that stuff. So yeah, I mean, no guarantees on that one, right? If you're doing coaching, either group coaching or one-on-one coaching, you'll get your questions answered every time. If you get on that, then it just kind of depends on who's submitting questions and how many we get. But I'll try and get to as many people as I can. Right now, those calls tend to be pretty open, just because the membership is new, but I don't anticipate that it will always be that way. So anyway, Gal, do you have anything else you're working on that you wanna promote, let
Gal_Weizman:
Well,
Charles_Wood
people know about?
Gal_Weizman:
yeah. So this is a project that I'm less working on at the moment because I had to focus on snow, basically. But there is a really cool technology that is built on top of snow that I created. I call it a cross. And To keep it short, a cross allows two scripts within the same web application to exchange messages and communication safely while knowing that the message that script A got from script B really came from script B, and that's something that is not possible to accomplish as of today. It's an experimental project. It's pretty cool. because creating new realms and getting APIs from within it can assist an attacker to bypass across. So that's a really cool project that I love, but right now it's experimental and I'm not working on it just as much. But if anyone's interested, it's pretty cool and I would definitely check it out.
Charles_Wood
Very cool. All right, we're gonna do some picks. Dan, you wanna start us off with picks?
Dan_Shappir:
Sure, why not? So, you know, as I kind of alluded at the beginning of the show, I was, if you haven't noticed, I've been away for a while. I haven't participated in the show for about a month. So if you were kind of wondering where I went, I went to Australia. And so my first pick is going to be Australia because it was, you know, just awesome. It's a place that I think everybody should visit at least once. It's not easy to get there. So if and when you do get there, it's certainly worthwhile spending some time. People don't just realize how big Australia is. I think it's bigger than Europe. It's almost as big as the US, I think. And
Steve:
Thanks for watching!
Dan_Shappir:
there's like a ton of space because there are only like 30 million people living in or something along these lines. And a lot of them are concentrated in like two or three big cities. So all the rest is kind of pretty empty. and they say they have more crocodiles than people and And I wouldn't be and
Charles_Wood
Ha
Dan_Shappir:
I wouldn't
Charles_Wood
ha
Dan_Shappir:
be
Charles_Wood
ha.
Dan_Shappir:
surprised and
Aj:
It seems natural.
Dan_Shappir:
It's funny and
Steve:
Hahaha.
Dan_Shappir:
you know, one of the things that kind of surprised us, you know, we live in Israel and you know next to the Mediterranean and we all like to go to the beach and In Australia and a lot of parts you you can't really You know into the water because you'll die, because the sharks will get you and if the sharks don't then the crocodiles will and what probably will kill you though is a tiny jellyfish that's really, really venomous. So yeah, but anyway, like as I was saying, Australia is just beautiful and awesome. We visited several places there. We went to Tasmania, which was amazing. We which was amazing, Grampians and the Great Barrier Reef and whatnot. We really tried to see as much as we could within the one month that we were there. And like as I said, I highly recommend it. By the way, aside from the views being amazing, the people were great. They were just, you know, super friendly people. It made life a lot easier for us that they all speak English, obviously. And they're just so nice, you know, you just down the street and people will just say hello or good day and they mean it. They don't just say it and they, you know, people just smile at you and they're also friendly and courteous and whatnot. So again, I highly recommend visiting there. By the way, they're kind of moving towards a cash-free society. You know, there are places where you can't even pay with cash. You need to pay with a credit card and it's to the extent that when you know on the street, they actually get their money via an app or something like that.
Charles_Wood
Oh wow.
Dan_Shappir:
You give them money from your phone or like street artists as well. It's kind of funny that way. Anyway, so that would be my first pick. My second pick would be the reason that I originally went to Australia, which was the Web Direction Summit Conference. Created and run by John Alsop. It was an amazing conference It was a hybrid conference which the unfortunate implication of that is that currently I don't think the talks are Available to everybody. I don't know when they will be Currently, they're only available to people who actually pay to watch them But it was a great conference nonetheless There were some like six tracks a lot of talks a lot of excellent content of great people and I really enjoyed it a lot. It was in the beautiful city of Sydney. So that would be my second pick. If you get a chance to ever attend that conference or speak at that conference, I highly recommend it as well. And my third pick, when's the last time you've heard about the war in Ukraine? I'm betting that you haven't heard about it in a while. Actually, that does not mean that it's over. In fact, it's going on as much as it previously did. Russians are still bombing civilian infrastructure and population centers and whatnot, and it's pretty horrible. So that's the pick that I will continue picking, even though you're not hearing about it in the news anymore, because everybody's moved on to something else. there, please do. And those would be my picks for today.
Steve:
So Dan, while you were in Sydney, did you, you know, I know there's a lot, I see a lot of tourist attractions around and stuff. Did you go looking for that famous dentist office from Finding Nemo,
Dan_Shappir:
Hahaha!
Steve:
you know, where they held him in the fish tank and then he escaped?
Charles_Wood
Ha ha ha ha.
Steve:
I've heard that's a real famous tourist attraction there.
Dan_Shappir:
honest, I didn't even remember that Finding Nemo takes place there, although it's not surprising. So no, we did not look for that. But Sydney is
Steve:
Okay.
Dan_Shappir:
pretty amazing. They have obviously the Opera House, which is really famous, but they also have like a couple of amazing beaches, Bondi Beach and Manly Beach, and they have amazing botanical gardens and the city itself is just lovely. You know, see buildings from hundreds of years ago. It's more like the US in that regard. Everything is like the oldest buildings are 200 years old, which in Israel, by the way, basically means they were built yesterday. But
Steve:
It's true.
Dan_Shappir:
yeah, but still it was really a lovely city and, you know, lovely people. As I said, I enjoyed it a lot.
Charles_Wood
Nice. So Quora says that there's no way that that office could be located the way that it is. Just so you know, Steve.
Steve:
Oh, dang.
Charles_Wood
In fact, why don't you give us your picks?
Steve:
Okay, so I actually have an actual pick before I get to the high point of every episode. It's an interesting article from National Geographic. And a lot of us, I can speak for myself and I've heard other people mention this, that as developers, a lot of times we're stuck on a problem and we'll go away and some people will purposely take walks or a lot of times you'll come up with ideas or fixes or something when you're doing something like taking a shower. called National Geographic, called The Science of Why You Have Great Ideas in the Shower. And
Aj:
Hmph.
Steve:
it talks about some recent research been on this. And the gist of it is that the idea is that you're going to come up with ideas when your mind isn't really trying to think of something as sort of a default, relaxed mode. And therefore, your brain has the capability to wander and think about other things that you might not be thinking of when you're really trying to come up with a solution. So we'll put a link in the show notes, obviously, but sort of an interesting article. one of those things that you know sort of confirms what a lot of people have known and practiced for a while is just sort of a confirmation and an explanation as to why. Now for the highlight the dad jokes of the week. Dad jokes of the week. So not too long ago I entered the World Kleptomaniac Championships. I took gold, silver and bronze.
Gal_Weizman:
I'm sorry.
Steve:
There we go. A little delay on the drum joke there, sorry. My son, he likes to watch TV and stuff and he randomly turns in actually turns into a TV sometimes so I got him admitted to the hospital. The doctors are currently watching him. And then finally, for the last few months, you know, Christmas was, as of recording, it's probably about two, three weeks ago. My wife had been leaving jewelry catalogs all over the house. You know, I finally got the hint and I got her a magazine rack for Christmas.
Aj:
That was a good one. That
Gal_Weizman:
Yeah,
Aj:
must
Gal_Weizman:
the
Steve:
Yes.
Gal_Weizman:
last
Aj:
have gone
Gal_Weizman:
one was
Aj:
over
Gal_Weizman:
pretty
Aj:
splendidly.
Gal_Weizman:
good. Yeah.
Steve:
Thank you. Thank you. Anyway, those are my
Charles_Wood
All
Steve:
picks.
Charles_Wood
right, AJ, what are your picks?
Dan_Shappir:
Thanks for watching!
Aj:
Uh, so first of all is going to be the ubiquity dream machine. So I've now set up two of these things, actually a little bit annoying to set up because you kind of have to reboot them on the first time, cause they ship with the version of software that's older than the version of the app. And so the first time set up as of today is annoying because they just switched between version two and version three. But once, once it's set up, it's pretty amazing. Once you actually get logged in, it's pretty amazing. You can just plug in access points, ubiquity access points and they just boom, they just work. You do have to, you click adopt and you set the network name or whatever, but it's very simple. You plug in security cameras and they just work. Again, you just click on adapt and then there's just a couple of settings you can choose. Do I want it to record all the time when there's motion detected
Dan_Shappir:
you
Aj:
or only when there's persons detected or whatever. But I think that Ubiquiti is really doing a bang-up job of providing higher quality products at lower prices that are pretty easy to set up and use once you got it updated out of the box to the latest part of the security system. And then I found out about all the cool networking tools that it had. And I thought that was great. And then, uh, because we need to meet certain compliance guidelines, we're isolating our network at, uh, savvy. So that we are, cause we were in a shared coworking space. So our office is just one building that, and it's an old building. So the way the networking is done, everything's just really hodgepodge. isolation from the network, we put one of those in and it's great because now we have audit logs for what devices connect to the network and when and what websites are visiting and all that, you know, good stuff that, that is both helpful and checks boxes on, uh, you, if you have to deal with sock two compliance and things like that, uh, I'm also going to pick the zoom H one in handy mic recorder I still as far as I could tell there's nothing out there that is as good as the zoom h1 in in terms of Versatility it can work as a podcast mic it can work for recording. It's got auto leveling meaning that the gain if You're recording at a meetup or at a conference Maybe not a conference because that might be too big of a room But if you're recording at a meetup and you're speaking and then you pause and somebody asks a question And so you don't hear the question. You just hear the speaker answering the zoom H1 in. It just, you know, if you, if you don't have a $10,000 sound set up, but you can afford 65 bucks, I just, and that's kind of the two options, you know, either you're going to go heavy into setup or you get a zoom H1 in and that's sort of the way it works. And so I think that's the way it works. And I think that's the way it works. And I think that's the way it works. And I think that's the way it works. And I think that's the way it works. So I just, I'm thrilled with it. Every time I look in to see if there's something better, there isn't, I just wish they would put USB-C on it. So I quit having to carry around the USB micro cable, but I love it. And let's see, I think I had one other thing. Oh, I think I made mention of this before, but it finally arrived. There's this guy in Australia, speaking of Australia, who has taken these soldering irons become somewhat popular. They're called T12s because they're relatively cheap and you can get a variety of them and they're actually really high quality. So they rival some of the other brands
Charles_Wood
Did his
Aj:
like,
Charles_Wood
sound cut out for anyone
Aj:
oh
Charles_Wood
else?
Aj:
gosh,
Dan_Shappir:
I
Aj:
I'm
Dan_Shappir:
think
Aj:
forgetting
Dan_Shappir:
AJ
Aj:
the
Dan_Shappir:
just...
Aj:
names of the Hakko and well, I mean, they rival above that even. Anyway, this guy has created 3D printed fixtures with a little microcontroller. I think it's a blue pill similar to the Raspberry Pi Zero. I think it's based on the Raspberry Pi Zero slash blue pill architecture. So he's three printed these boards, put a circuit board in there, a knob, a screen and a plug, and you can attach it to a Dewalt battery, to a rigid battery. You can pick the one for the battery system that you have for your power tools. And it will heat up the iron in about six seconds to 300 degrees Celsius, six, maybe seven seconds. I mean, it's fast and it's got all of it's the software on the little chip has got all of the features of a professional two or $3,000 soldering station where it does temperature detect if the temperature is not changing. It goes for so long. It goes into standby mode. If the temperature does change, then it starts heating up again. And for those that don't know the reason the temperature would change when it's sitting still is from the soldering iron causing the temperature of the tip of the soldering iron to drop and these tips have temperature sensors while they use the combination of metal they use ends up acting as a temperature sensor and so they're able to anyway it's just you're getting a two thousand dollar soldering iron for a hundred bucks that is portable and heats up in six seconds to full sauce.
Charles_Wood
Cool. Let me throw in a few picks of my own. The first one, I always do a board game or card game pick.
Aj:
Am I disconnected?
Charles_Wood
This is a game
Aj:
Hello?
Charles_Wood
that I put.
Aj:
Is anybody there?
Charles_Wood
Yeah, we're here.
Aj:
Hello? Well,
Charles_Wood
All right, I'm
Aj:
I think
Charles_Wood
just
Aj:
I
Charles_Wood
going
Aj:
got
Charles_Wood
to
Aj:
disconnected.
Charles_Wood
keep talking. So anyway, this is a game we got from my daughter a year or so ago for Christmas. And then we got her the, I guess the sequel game. This last year for Christmas, it's called Sleeping Queens. Now Sleeping Queens came out in 2005. It is a card game. It's a game that, yeah, she can play. She was six when we bought it. And, you know, she really likes winning. Which means she's my daughter, for sure.
Gal_Weizman:
Thanks for watching!
Charles_Wood
Anyway, we... Basically it's a matching game. And you've got... So you can use knights to slay dragons, dragons to steal queens, kings to wake up queens, and then you put together math problems to trade out cards. And that's it. It has a weight on Board Game Geek of 1.06. This last year we got our Sleeping Queens 2. It is new enough to where it does not have a board game geek weight. It's a little more complicated because you use the math problems now to... So you use a pair of cards, I think, to wake up the queen, and then you use, or wake up all of your queens, and then it has other things to put the queens to sleep, or let you trade cards. And the queens are trying to rescue the kings, and this one is sleeping queens to the rescue. And the way you rescue a king is you get the queen and her animal companion, and you trade them in and wake up a king. Anyway, it's a fun game. It's a little more complicated than Sleeping Queens, so I would wait it probably at 1.2-1.3. It's still relatively easy to pick up. She loves playing it. The other kids, I have teenagers, they're usually game to play it. It's not their favorite game, but it's one that they like enough to play with her. Sleeping Queens and Sleeping Queens 2 are my picks for board games. for kids. It says 8 plus, but my six-year-old picked it up no problem. So I'm gonna pick those. As far as other picks go, one thing that I started doing here this last week is I set up a Plex server, and so now I'm importing music. I actually have CDs in my office that I am ripping onto the Plex server.
Aj:
What are you using to listen?
Charles_Wood
So Plex has apps that you can install on your Apple TV or your Amazon Fire Stick. You can get a desktop app for your computer. You can get a Plex app for your phone. And the other thing is, is you can do port forwarding and hook it up so that you can connect to it from outside of your home network. I haven't done that yet, but it's, I had some issues getting it to run. that I set up is just an old PC. And the issue that I had was that it kept hanging when I try and do anything with it before I even got to installing Plex. But I have a Windows machine that's sitting under my desk that I don't do a ton with. And so I just installed it on there and it runs fine. So yeah, so that's what we're doing. I haven't ripped the DVDs yet to it. Probably just use Handbrake for that. But yeah, I've been pretty happy with it so far. Like I said, used it yet, but you just tell it what folders to watch and it'll index your music and stuff. You can put photos on it. And so yeah, I'm working through all that stuff. But yeah, been happy with it so far. I turned it on. I put the Plex app on my Apple TV downstairs and it worked like a charm. So the only issue I really have So Plex, they prompt you periodically to get a paid subscription. You don't need it, but they want you to have it. They have a bunch of content that's on there for free, and so I'm trying to figure out how to turn parental controls on on it. That's really the only rub that I've gotten so far. If you can do that and you know how to do that, I would love to hear from you. Both for some of the stuff that we have on DVD or Blu-ray.
Aj:
I've got the plin
Charles_Wood
Yeah,
Aj:
parental
Charles_Wood
it's...
Aj:
controls on mine.
Charles_Wood
Okay, I just need to figure it out then. But
Aj:
It's
Charles_Wood
yeah,
Aj:
just a separate account.
Charles_Wood
so,
Aj:
You create a separate account
Charles_Wood
oh,
Aj:
and
Charles_Wood
okay.
Aj:
you and then you select. There's two ways you can do it. One, you can select folders and only put folders that are for kids or movies that are for kids
Charles_Wood
Mm-hmm.
Aj:
in the kids folder and you can just add that folder to the account. The other thing that you can do, there's also a PG rating system of older kids, younger kids kind of thing, but that.
Charles_Wood
I gotcha.
Aj:
You know, it works as well as it works.
Charles_Wood
Right. But yeah, so I've been happy with that. Let's see, my wife and I just finished watching Blacklist, the latest season of that, and we enjoyed that. That was pretty good. There was something else I was gonna pick and I am totally drawing a blank on it. So I will just pick it later. But yeah. Gal, what are your picks?
Gal_Weizman:
Well, I think I only have one pick, speaking of TV shows. There is Severance on Apple. I don't know if you guys had the opportunity to watch it, but it is an excellent show. We watch it here and I had a really good time. It's about, so obviously not having any spoilers, but it's about people who chose to participate in a program where they separate their consciousness and when they are in work.
Charles_Wood
Hmm.
Gal_Weizman:
So they're basically two different people that are not aware of each other when they're in work or not. And that is a really interesting idea and the plot is like super interesting and it finishes in a way where you're just wishing to see the next season. One of the best shows I got to be my single pick for today.
Charles_Wood
Awesome. All right, well, we're gonna go ahead and wrap up this, but you know, we were talking about it before. Do we wanna take 10 minutes and talk about chat GPT?
Steve:
I gotta run myself. I got a meeting.
Gal_Weizman:
Yeah, I think
Charles_Wood
Okay.
Gal_Weizman:
me too. Sorry about that.
Charles_Wood
Nope, it's
Aj:
Dan
Charles_Wood
all good.
Aj:
left us.
Charles_Wood
Maybe, yeah, Dan had to take off too. Let's just plan to do a bonus chat one of these days and talk through it. We'll just wrap it up here. Till next time, folks, Max out.