Transcript #309: When Malware PoC's are Themselves Malware
00:00 - Hello and welcome to Python Bytes where we deliver news and headlines directly to your earbuds.
00:05 This is episode 309, recorded November 8th, election day.
00:09 I am Brian Okken.
00:10 - And I'm Michael Kennedy.
00:11 - Okay, now let's look at your thing.
00:13 - So first of all, we designed the Python Bytes website to make it like responsive.
00:18 So even like the table gets like super cool when you just scroll up.
00:21 But that's not what I wanna talk about.
00:22 That's not why I brought it up.
00:24 I mean, I always get these emails.
00:25 I know you haven't logged into our site in five years, but we've redesigned it.
00:28 Let's tell you about like, no, I don't care.
00:30 The reason I'm on this page, what is the date today?
00:32 November what?
00:33 - It's the eighth.
00:35 - It's the eighth.
00:36 Yesterday was Python Bytes birthday.
00:38 Six years old now.
00:40 - Oh my gosh.
00:42 Can't believe it's been six years.
00:43 - Yeah, six years.
00:45 The intro to the show in pip nine is out.
00:47 What are we on like pip 30?
00:49 I don't know, I haven't paid attention.
00:50 - Well, they went from--
00:51 - It's past 20 for sure.
00:53 - They went from a SemVer to CalVer.
00:55 So you can't, it's hard to count.
00:57 - Still been a long time.
00:58 >> Yeah. >> Absolutely. All right.
00:59 Well, anyway, happy birthday to us.
01:02 Let's jump in.
01:04 >> Yay, we should write cake.
01:04 >> I know, cake.
01:06 We have to use cake emoji somewhere today, I suppose.
01:08 All right. So I want to tell you about something that really touches on the cybersecurity pen testing, red team, blue team, hacker side.
01:20 I don't know if people are aware, but Python is used a lot for the pen testing security side of the world.
01:27 We've had some guests on the show here before that talked about their work, right?
01:31 We're like, "We don't understand this.
01:32 You got to come share this with people yourself." It's awesome, but we're not worthy.
01:37 But there's a really interesting set of research, and this research came from Soufian El Yadmani, and Robin The, and Olga Gadyatskaya.
01:48 Sorry if I butchered everyone's name there.
01:51 But the title of the official academic articles is out of Norway, I think.
01:56 how security professionals are being attacked, a study of malicious CVE proof of concept exploits in GitHub.
02:03 Have you run across this?
02:05 >> No. Interesting.
02:07 >> It sounds like it doesn't totally apply as maybe a Python programmer thing, but here's the deal.
02:12 In order to win these CVEs, these vulnerabilities come out and get announced, a lot of times people are like, "Oh my gosh, there's some problem," but what does it manifest like?
02:21 If I'm going to write some code to explore it, understand it to do all the various things, how do I get started, right?
02:28 A lot of these are super complicated.
02:30 And so what people will do is they'll post a simple proof of concept, like imagine you've got a sandboxed web browser and it shouldn't be able to access, like for example, your processes and other parts of your file system.
02:42 So if I went to a webpage, I could make it pop up, I don't know, notepad with the text, na na na na na, we got you.
02:49 You know, something silly like that.
02:50 You're like, oh my God, it opened notepad.
02:51 Well, these people did some research and they found 47,000 posted proofs of concept.
03:00 And let's see, somewhere, it's in the article, they talk about the actual language breakdown.
03:06 Here you go.
03:07 So when they said, what languages are these written in?
03:10 HTML, 300, Ruby, 300, Go, 400, C++, 1,000, Python, 8,000.
03:15 So that's a lot, right?
03:20 So Python is by a factor of eight, the most common language that they are able to determine the language of the exploit.
03:27 So it's something that really kind of applies to us.
03:30 And of the, how many were there?
03:32 There was like 47,000 of them.
03:35 And out of those, 4,800 or 10% were malicious, which sounds like, so what?
03:41 It's a proof of concept of a malicious thing.
03:43 No, it's like a meta malicious.
03:45 So here's the deal.
03:46 we will show you how you can break into Active Directory on this new exploit.
03:51 What it really does is installs ransomware on your computer.
03:54 So if you as a person are like, I want to try this out and see if our system is vulnerable, like instead of it doing what it said it would do, it just takes over your computer.
04:04 And there's various ways in which it does it.
04:06 It might contact like a known malicious.
04:08 No, I know.
04:10 There are some LOLs in there to be sure, but the idea is there's some, it'll take your SSH keys and upload them to some malicious pastebin type place, or it will install crypto miners, or it'll install ransomware, encryption types of things.
04:29 A few of them say, you shouldn't have just run code off the Internet.
04:32 What are you doing? It'll like rickroll you.
04:34 But the majority of them take over for real.
04:38 Isn't that nuts?
04:40 >> Yeah.
04:40 >> Yeah.
04:41 >> Rickrolls are hilarious though, just saying.
04:43 >> They are. Even in the paper, there's actually some Python proof of code.
04:50 Here let me show you down here, pull this up. I don't know how to link to a code listing inside of a PDF, so I'm just going to cruise. Here we go.
05:02 For example, over here.
05:04 Here it says, this is an example of one of these proof of concepts that shows you how things might work.
05:09 What is it going to do?
05:10 It's going to go and say it's going to sleep for a second, get your host name, create a user thing, da-da-da-da-da, and then oddly, instead of saying the URL is a thing, the URL is a base 64 decoded, encoded bunch of garbage.
05:23 What is this? This is the malicious website that they're going to send your information to.
05:29 But when you look at it, it doesn't look like here's the virus.
05:32 It's like, "Oh, they're just decoding this text.
05:34 I see." No, no, no, no.
05:36 This is the virus right there.
05:38 There's way more complicated examples, but you know, pretty nuts anyway.
05:41 What's the format?
05:42 If you were serious, they should really run black on this.
05:44 I know they totally, they totally should.
05:47 You deserve what you get if you run that now.
05:48 This is a pretty interesting thing.
05:50 And if you're in the security space, you know, if there's a 10% chance of just checking out one of these proof of concepts that you'll get owned, you know, just be aware of it.
05:58 You consider the audience of the people creating these.
06:01 So I guess, you know, a bunch of hackers are like, Hey, I made this code.
06:04 You should try it.
06:05 But no, but actually we should have like a search thing or something like that.
06:09 'Cause that base 64 decode thing is a classic, just don't touch it sort of thing.
06:15 Especially if it's going into a URL or something.
06:17 This is, it's not good.
06:19 - Yeah, they did come up with a way to automatically test for things.
06:22 They said, look, if it's contacting a well-known, malicious command and control type IP address, which there's a listing, a database of these types of things.
06:32 It's like, you know what, that's a problem.
06:34 And here's a proof of concept that should have nothing to do with the internet, and it's uploading data.
06:38 that doesn't seem like it should, right?
06:39 Or it's downloading this data from somewhere else.
06:43 Yeah.
06:43 - Yeah.
06:44 - Yeah, I like that Kim has got the, he's got the glass half full.
06:47 A base 64 encoded URL is surely completely safe and nothing to worry about.
06:51 And Marco is concerned about the SSH keys.
06:55 Kind of got me.
06:55 - Yeah.
06:56 - And thanks for the happy birthday wishes out in the audience as well from everyone.
06:59 - Yeah, yeah, thanks people.
07:01 - All right, Brian, that's all I got.
07:02 But there's a really cool paper.
07:03 There's some proof of concepts in there.
07:04 There's a couple of write-ups on it.
07:05 It's worth checking out.
07:06 - Okay, cool.
07:07 Well, I actually want to talk about something completely sort of different.
07:12 So if you've, let's just, I'll go to us for a second.
07:17 If normally I get a lot of my news from people on Twitter, but Twitter kind of is in the news lately 'cause things are kind of going weird with Twitter.
07:27 So what are people doing?
07:29 Well, a lot of people, a lot of people actually are checking out Mastodon.
07:35 So I'm calling this the great Mastodon experiment because tons of us, Python people, and actually tons of tech people and tons of other people also are trying out this Mastodon thing.
07:45 And in the back of our mind, it was, well, like, yeah, Mastodon seems kind of interesting.
07:51 It's like a sort of maybe alternative to Twitter, but not many people there.
07:55 Now there's a lot of people there, like tons of people.
08:00 I don't know what the numbers are compared to Twitter, of course, but anyway.
08:03 So I am part of this.
08:05 I'm part of the people that have switched.
08:07 But if you like here, we're showing the Mastodon, like joinmastodon.org site.
08:13 And the first thing you wanna do, okay, I wanna try this.
08:16 So I have to, okay, I have to create an account.
08:18 So the first thing you're hit is, well, which server do you wanna use?
08:22 I was stuck here for a while and I'm like, I don't know what to do.
08:25 So I went ahead and I used Twitter and I asked, and Will was there from, Will said he's on mastodon.social.
08:33 Will McGugan and I just asked, I'm still stuck on the choose a server.
08:37 What are people using?
08:39 And I got one reply right away saying, well, fosstodon.org has Anthony Shaw and a bunch of other people.
08:46 I'm like good enough for me.
08:47 So I went ahead and picked it.
08:48 So I am now on Fosstodon also.
08:52 And then I'm just trying stuff.
08:54 I'm like, just trying it out, playing it, playing with it, following some people, commenting, whatever.
09:01 And so far I kind of like it.
09:03 It's nice.
09:04 Now, now that I've kind of like, I got the basics down, now I'm ready to learn some more.
09:09 And so I put together, went through and found some tutorials.
09:14 So if anybody else wants to try this also, I found some kind of fun tutorials.
09:18 There's one that's called the Increasingly Less Brief Guide to Mastodon.
09:22 It's big, but it's, so it, that's nice though.
09:25 It starts out with like, with like short answers, like, you know, what is it?
09:31 How is it like Twitter?
09:33 How is it not like Twitter, stuff like that.
09:35 And one of the things, comparisons that confused me a bit was how is it like email?
09:40 But I didn't get the analogy at first, but I kind of do now.
09:44 So the idea is you have to pick a server, but you can still follow people on other servers.
09:49 Just like if you have a Gmail account, you can still email people that are not in Gmail, works.
09:54 So there's that, there's everything I know about Mastodon.
09:58 - Sorry, but it reminds me a little bit of like BBSs.
10:00 Remember, like you go to BBS and write email, and then they would like sync at night and then you might get email from some other BBS.
10:06 - Well, yeah, that's something I also noticed that at first I was a little annoyed because like it's not as zippy sometimes.
10:14 Like it's growing a lot.
10:15 So a lot of these servers are like adding capacity.
10:18 And so occasionally, like the other day, the Fosstodon server was down for a couple hours and I'm like, oh my God, actually I'll be fine if I don't use a social media app for two hours, just chill.
10:32 And so, yeah, it's interesting.
10:36 There's a lot of stuff I've learned so far.
10:39 Like, it's not filtering what I'm seeing.
10:41 I actually just see everything that people write that I'm following.
10:44 Actually, isn't that what I wanted?
10:46 So I'm pretty okay with it.
10:48 So I put together, I'll go through a couple of these.
10:50 There's everything I know.
10:51 It's targeted towards data science people, but there's a lot of great info there.
10:56 There's, and then Simon Willison, he's trying this out too, said is Mastodon is just blogs.
11:04 So I was confused by that, but he describes how it's like, it uses this ActivityPub feature and it's into a little details, but I think he knows what he's talking about because he wrote his own, he's on his own server.
11:18 So you can have your own, you can have your own Mastodon server.
11:22 But some of the people trying it out at the same time, we've got some big names, Łukasz Langa, he's trying it out.
11:29 He linked to a couple of things like that he's learning about, it's really supposed to repost in multiple places, things like that.
11:36 I've got Brett Cannon figuring it out.
11:38 A lot of us over here having a little bit of fun with Mastodon.
11:42 >> That's fantastic. Yeah. So fosstodon.org is the free and open-source software Mastodon one, right?
11:50 >> Yeah. But a lot of people are on.
11:52 A lot of people are on Mastodon.social.
11:55 Here's a cool article.
11:57 Oh yeah, clients wise, there's a whole bunch of iPhone clients too, but you can use it on the web or anything.
12:04 Lucas is on, or Łukasz, I'm sorry, is on Mastodon Social also.
12:11 Brett's on Fosstodon, but there's a whole bunch of others as well.
12:15 Yeah, you have to apply to get in there.
12:18 So I applied, but I have not been let in yet, so hopefully they will find me worthy and I can join you.
12:23 Okay.
12:25 We'll see.
12:26 >> I know some of them are, since these are private things, there's got people running their own servers.
12:33 There's funding models on each of them.
12:36 Like Fosstodon, for instance, said they want to make sure that they always have six months of running time or something like that.
12:43 That's cool enough for me. Anyway.
12:46 >> Yeah. I'd be happy to pay a dollar or two a month just to have no ads and have a well-curated, somewhat not terrible space.
12:54 So yeah, I wasn't really getting to get into the politics of it, but the whole $8 a month thing, actually, if I could have got rid of ads and actually got some other cool features, I probably would have paid it anyway.
13:05 I just don't want to pay it now.
13:07 I'd be like two months ago, I probably would have been up for it, but I don't want to do that right now.
13:11 Yeah, I don't know.
13:12 I have no intention of leaving Twitter at the moment.
13:14 There's still like a really valuable community for the podcast listeners and stuff.
13:18 But I do think it's also super interesting to reach out to these other spaces.
13:23 Is one, it's, it's kind of interesting in that it's, there's a bunch of little islands. And the thing that's cool about Twitter is you go to the, the continent and then you find your space within that. And it's like, here you got it, what is the, like, the place I go to? I'm telling you, this is like BBSs. Like, what, what BBS has the place where there's kind of cool conversations and good games I can play, and you dial that one up. Or we could just go back to, like, you know, Planet Python and RSS feeds for everybody. Yeah, yeah. Nothing wrong with RSS. Cool. Well, thanks for bringing, I have some more thoughts on this as well later, but for now.
13:57 For now, maybe we could talk about our sponsor.
13:59 What do you think?
14:00 - We should talk about our sponsor because it's cool that we have one, but also it's Microsoft.
14:06 So this episode of Python Bytes is brought to you by Microsoft for Startups.
14:11 But starting a business is hard.
14:14 Most startups go out of business within the first year, which is totally lame.
14:19 So Microsoft for Startups set out to understand what startups need to be successful and created a digital platform to help you overcome those challenges.
14:27 And they came up with Microsoft for Startups Founders Hub.
14:30 The Founders Hub provides all founders at any stage with free resources to help solve startup challenges.
14:36 The platform provides technology benefits, access to expert guidance and skilled resources, mentorship and network connections, and so much more.
14:44 Unlike others in the industry, Microsoft for Startups Founders Hub doesn't require startups to be investor backed or third party validated to participate.
14:52 Founders Hub is truly open to all.
14:55 You can speed up development with free access to GitHub and Microsoft Cloud.
14:59 And there's other partners that they partner with such as OpenAI, you can get discounts through there.
15:07 So you'll have access to those extra resources, but you also get access to their mentorship network, which includes hundreds of mentors across a range of disciplines.
15:17 Need advice on marketing, fundraising, idea validation, maybe?
15:20 Tons of topics that you might need help on, including management and coaching, and you'll be able to book a one-to-one meeting, one-on-one meeting with mentors, many of whom were former founders themselves.
15:31 It's no longer about who you know.
15:33 Get critical support you need from Microsoft for Startups Founders Hub.
15:37 Make your idea a reality today.
15:39 To join the program, visit pythonbytes.fm/foundershub2022, and that link is in the show notes.
15:46 And I know you can find this on your own by Googling, but using that link in the show notes will help them know that you found it through this podcast.
15:53 Thanks.
15:54 - Yeah, absolutely.
15:55 Thank you, Microsoft.
15:56 - Oh, you're on mute.
15:57 - I am.
15:58 Thank you, Microsoft.
15:59 And yeah, let's move on.
16:01 A couple of these things are about continued journeys.
16:04 Sometimes we're on a journey, you know?
16:07 - Yeah.
16:07 - And switch it over.
16:08 Siri over on Twitter, not Mastodon yet, sent me, sent us a message and said, "Hey, nice episode." You know, remember I was on this, I talked about like Panix, SSH, thing called prompt and some of the other ways I was trying to like, well, how do I just take my iPad and no keyboards and no extra stuff and just have a little Devopsy coding environment.
16:32 Theory says, you should check out Gitpod.
16:35 Have you heard of Gitpod?
16:36 >> No.
16:37 >> No. Pod as in pods from Kubernetes.
16:41 But here, he says, basically I'll just pull up and show you what it is.
16:47 So if you go over here, the idea is, it says, "Always ready to code." Like, that sounds cool, right?
16:52 And I love, look at this little graphic, right?
16:53 Okay, you're like, your chair is an enter button.
16:56 I love it.
16:57 - Oh, I didn't notice that right at first.
16:59 That's cool.
17:00 - Yeah, and by the way, they just, this happened, I think, since this got sent over, they just raised a $25 million Series A round.
17:06 So there's a good, you know, there's a lot of effort behind this, right?
17:10 Gitpod is, I believe there's an open source version, and then like a hosted version as well.
17:16 So the idea is, what you can do is I can go and it'll create a Kubernetes Docker type image that I can configure.
17:26 So basically a Linux machine that's isolated for me, which is nice.
17:30 And then I can log into it one of two ways.
17:33 I can log into it in the browser, and just like if you go to github.dev, which is what I suggested before, in the browser this connects to your own environment, which the thing that's cool about this is it's that environment you have a root access to do whatever you want to it.
17:48 So if you got a pip install something that's weird or whatever, like you're not like, oh, well, sorry, you can't install this dependency, too bad, right?
17:54 It's just, it's yours.
17:55 You do whatever you want with it.
17:56 That's in the browser.
17:57 So on your iPad browser, for example, or if you happen to be on the desktop and what you want is just like a, I'm on an arm machine and I want an x86 machine, or I want a Linux machine that's like production and that is not just my Mac or my Windows machine.
18:10 You can actually connect to it with a full on VS Code or even PyCharm, you can plug directly into it and remotely edit locally on PyCharm locally, but then like debug and run your environment there.
18:23 - Wow, that's really cool.
18:25 - Yeah, it also works for IntelliJ, the Go, basically all the VS Code and all the JetBrains IDEs, which is like a huge long list, and Vim, and also Vimit.
18:35 - Wow.
18:36 - Anyway, this is really cool.
18:37 And there's one of the recommendations or like the reasons for it, it says, look, you can do multi-track development.
18:44 So if I'm doing like, I'm working on a feature branch and I'm working on main dev and I'm trying to do a bug fix, instead of staging or stashing and then checking out and then try that and then check over the other thing, unstack, like juggling one working environment, you can have multiples of these Gitpods, one for each part of your project even.
19:05 Bring it closer to your Linux and Docker runtime.
19:10 You can even do like paired programming on it, which is kind of interesting.
19:15 And here they got an example of it running on an iPad.
19:19 And apparently you can install like a bunch of different extensions and stuff and like configure up your thing.
19:24 So there's an open source version, which is free from big tech influence.
19:30 But there's also, you can get their version on the cloud or you can self host it or whatever, right?
19:35 And so there is a paid component to this.
19:38 Like this, you know, they got $25 million, right?
19:40 It's not just like to set on fire, although maybe.
19:43 There's a free version, which gives you 50 hours of code in a month.
19:47 That's pretty good.
19:48 Or you can pay $9 a month for 100 hours, or there's like other higher tiers, 25, 40 bucks and stuff.
19:53 But it's open source and there's some free versions and reasonably priced versions.
19:57 And yeah, I don't know, I think it's pretty cool.
19:59 So thanks Theory for sending it over.
20:01 And you know, it's definitely an option out there.
20:04 - Yeah, and the self-hosted also is, looks like an option as well.
20:08 - Yeah, exactly.
20:09 So you can self-host.
20:10 I think you basically probably set up a Kubernetes cluster and like it, it connects and goes against that.
20:14 - Oh yeah, just throw up a Kubernetes cluster.
20:17 - Yeah, exactly.
20:18 (laughing)
20:19 Cool, all right.
20:20 Well, I haven't, I did play around with it and it worked pretty well, but I haven't done anything serious.
20:25 - It still looks cool though.
20:26 I like it.
20:27 - Yeah, absolutely.
20:28 All right, what's your last one here?
20:30 - Oh, last one is a short one.
20:32 I just wanted to talk about terminal colors.
20:35 So I've got a little pytest plugin called pytest-check, and it's got some terminal output, but it does talk about failures, and somebody completely reasonably submitted an issue and said, "It'd be cool if these were red so you could see them easier." And I'm like, "Yeah, that would be cool." So what should I do?
20:59 Well, I could, you know, Will, I wanna let you know that the first thing I thought about was I could throw a rich at it.
21:05 So I can use rich to put red in the terminal.
21:10 But rich is, now rich is awesome.
21:12 I love rich, but maybe it's a bit of a big hammer for just adding one color, just adding red.
21:20 So I went looking around a little bit and there's termcolor and there's Colorama, there's other things.
21:27 I ended up, I'm looking at colorama right now, is what I'm playing with.
21:31 So Colorama is used by a lot of applications.
21:34 And one of the reasons why is because it helps with the cross, being able to use colors on both Windows and everything else.
21:44 Windows is a little special.
21:46 It doesn't act like the other stuff.
21:48 So you have to do things a bit special.
21:50 And I was kind of glad I looked at this because one of the things that came up recently in one of the new versions is Colorama has a thing called just_fix_windows_console.
22:02 It's just from colorama import just_fix_windows_console, and you call that.
22:06 After you call that, then if you run your application on Windows, it acts just like a normal TTY terminal on Linux or Mac or something.
22:16 >> Oh, wow.
22:17 >> At least in terms of a lot of stuff.
22:19 The other thing that just_fix_windows_console, I think I got this right, is you used to have to call init, and now you call this other thing, but you can, you can call that on Mac also and it just doesn't hurt anything.
22:31 It's fine.
22:32 So you can.
22:34 And now after you've done that init, and there's a whole bunch of text here that I just skimmed really briefly, I just wanted it to work.
22:40 Just call that.
22:41 And then you can use these, these color codes like Fore, Fore.RED, for instance.
22:46 That's what I wanted.
22:47 Some red text.
22:48 And there I've got it.
22:49 So after you change, change stuff around, you also have to reset it.
22:53 So there's a reset code.
22:55 Now you can do the same thing and it has it on their read me, is you can use the hex or whatever color code escape sequences.
23:06 Backslash 033 bracket 31m is red, but I think I'll go with the named ones.
23:15 >> How about some constants instead?
23:18 >> Yeah. This is pretty cool and I think this is where I'm going to go with adding red to the pytest-check.
23:27 If you want just a little bit of color and nothing that you need rich for, Colorama might be what you want.
23:34 >> Nice. Colorama is definitely a go-to for me when I just want, this needs to be red or green.
23:38 It just needs to stand out somehow.
23:40 For sure, it's very cool.
23:41 >> Yeah. Cool.
23:42 >> Awesome. All right. Well, that brings us to our extras.
23:44 >> Yeah. Do you have any extras?
23:47 >> You know I do. Let's see.
23:49 Some of these are quick, some are slightly more.
23:53 Roman Right, who often we find here in the live streams as well, maker of Beanie, love Beanie.
24:00 Beanie is powering pythonbytes.fm, by the way, for various other things.
24:05 So super awesome.
24:07 He'd been thinking, and so Beanie is Pydantic plus MongoDB Async.
24:12 So there's plenty of reasons why we might want a synchronous API.
24:15 I'm just in the middle of some script and I just need to talk to the database real quick.
24:19 Like, do I really need to upgrade this whole thing to handle async code?
24:22 shouldn't there just be a way to call it?
24:24 There should.
24:24 And so he created a derivative or mirrored version that is like Beanie, but has a synchronous set of APIs instead of asynchronous APIs called Bunnet, which I don't know the word Bunnet, but I think it has something to do with, like something to do with a bean, I'm not sure.
24:42 But anyway, Bunnet, it's similar to Beanie, except for you just don't await things, right?
24:46 You just use the PyMongo base instead of the Motor client under the hood.
24:50 and then you just do thing.insert or thing.find_one or whatever.
24:56 People can check that out if they're into Beanie, but they don't want the async version.
25:01 Yeah, it's brand new.
25:02 >> I just looked it up, a bunnet is a type of hat.
25:08 It's like a Scottish hat.
25:09 >> Well, that would explain the icon here.
25:13 Maybe it looks like a bean, but it's actually a hat.
25:15 Roman's here. Hey, Roman.
25:17 So this is a Scottish word. Fabulous.
25:19 Will McGugan is a bun is a hat worn by old Scottish men.
25:22 Lovely.
25:22 Awesome.
25:25 And congrats, Roman, on getting that out there.
25:27 That's awesome.
25:27 PyCon, you brought up PyCon 2023 last week.
25:32 Yeah.
25:32 They've got this cool like tile sort of celebration of history on their website.
25:38 And they tell you that it will be April 19 to 27.
25:41 There's a small problem with that, though.
25:43 How actionable is it if I want to go to the conference, and I want to go see the main talks.
25:49 When do I book my travel?
25:50 - Yeah, the whole thing.
25:52 - It's awesome, right?
25:53 I can come to the tutorials and do the week of sprints after.
25:56 I don't know, that's a lot.
25:57 And so I reached out to Twitter and Mariatta says, "Tutorials are on Wednesdays and Thursdays.
26:04 Talks, keynotes, expo halls are Friday to Sunday.
26:07 And from Monday onwards, those are the sprints." Perfect, perfect.
26:11 So yesterday while I was sitting, getting studded winter tires put on my car so I can go to the mountains and not die.
26:18 I decided to go ahead and book my travel and I'm gonna go to the conference.
26:22 We talked about maybe we'll go, maybe not.
26:23 I'm gonna go for a whole week.
26:25 I'm gonna show up on Thursday and leave on the next Thursday.
26:27 Maybe be part of the sprints but definitely do a ton of podcasting while I'm there and try to just make it like a, other people will be sprinting on code, I'm gonna be sprinting on podcast episodes.
26:36 - I gotta decide what I'm gonna do.
26:38 I haven't decided yet.
26:39 I'll probably go.
26:40 - Flights are still pretty cheap right now.
26:41 They might be, like hotels and stuff, I think, There are really a lot of variations.
26:46 Like there was, I was like, oh, maybe I'll stay at the Hilton, $3,300.
26:49 Like, yeah, maybe I won't stay at the Hilton, what else?
26:51 So I think people are starting to book it out.
26:54 - Okay, yeah.
26:54 - Anyway, thank you Mariatta for sharing that information.
26:58 It makes it much easier for us to plan about participating or even just watching PyCon online.
27:04 - Yeah, cool.
27:04 - Yeah, all right.
27:06 Quick shout out to GeForce Now.
27:08 Have you heard of GeForce Now?
27:10 - No.
27:11 - So my daughter's really into gaming these days.
27:13 plays a bunch of horse riding games and Minecraft and playing at the zoo.
27:19 There's a cool Jurassic Park thing that's like a Sims but for dinosaurs.
27:25 Most of these games run on Windows and we have an Alienware computer, but it's all set up for my Sim racing.
27:31 It's hard to play games on that don't involve a steering wheel.
27:33 She's like, "How can I play these games on my PC?" I'm like, "Oh, my Mac." She has a MacBook Air.
27:39 I'm like, "Oh, I don't know." She's like, "How could I play if I'm not at home and I can stream?" So we try out GeForce Now.
27:46 Basically, they'll give you a high-end Windows computer and like a GeForce 3080, and it just streams like Netflix to your PC.
27:55 And it is super low latency.
27:57 I mean, it's like you're really just playing it there, but you're not.
28:00 It's pretty awesome.
28:01 - Oh, so you can play a game on a remote computer then?
28:06 - Yeah, or I mean, you can play it on your iPad, or you can play it on your iPhone or Android, or on your Mac or whatever, and they've got a completely 100% free tier, so it's pretty nuts.
28:17 We should check that out.
28:17 Anyway, that was a cool techno experience.
28:21 Two new YouTube videos I've released.
28:23 One five days ago, one five hours ago.
28:24 How about that for timing?
28:26 - Nice.
28:27 - So as part of this sort of social media, Twitter madness, and various other things, I've been thinking about this for a while.
28:32 Anyway, I'm like, all right, I really want to try to build up my presence on other areas that are not just Twitter.
28:39 And so like, well, YouTube might be one fun place to sort of build up a community.
28:42 So I'm starting to add more videos there, right?
28:44 So like I've done in the past couple of weeks, I've done four videos, but the last two is a walrus meets a Python, which is fun.
28:51 That's about the walrus operator.
28:53 And then the one that came out today is Python GC settings, which shows some insane stuff you can do to tweak the GC a little bit and get crazy better performance.
29:02 - Nice.
29:03 The GC being the garbage collector, right?
29:04 - Yes, not reference counting, which does like 99.9% of Python memory.
29:08 a 0.1% or the 0.1%, whatever's left over, like that actually, you often can turn that down 'cause you don't really have cycles that much that get lost and it turns out to have some pretty interesting effects.
29:21 We think we covered, was it Instagram, I think?
29:25 I think they wrote an article called Dismissing the Garbage Collector where they literally turned it off in production.
29:29 It was either that or I can't remember which company did it, but this is kind of like a, well, let's don't be so aggressive like that, but kind of, you know, and it's pretty, yeah.
29:39 - Nice.
29:40 - People can check those out.
29:41 - Yeah, so one of the things that I, the only extra I've got is I really liked this article from Simon Willison about what to blog about.
29:50 So a lot of, so people are, you have a presence somewhere other than Twitter, like maybe write, start writing your blog more.
29:58 And I like this what to blog about.
30:00 He goes through a couple things.
30:02 One of the things is the today I learned.
30:04 And I, you know, I actually, at first, when I first encountered the TIL thing, at first it was like, why do you need that?
30:11 Can't you just like, just write what you learned anyway?
30:13 But a lot of people have this paralysis of, if I write how to do something, people are gonna think it's a tutorial and I don't know how to do everything with this tool.
30:22 I just learned this little thing of how to do fix my thing.
30:25 So the TIL at least is a tag that people will know, it's not a full tutorial, it's just a little snippet of somebody learned about this thing and I think this is a great way to go about writing it. It can be short and simple or it can be longer. Plus also if you build up a lot of these around a topic it might turn into a tutorial later. So now that you've learned a ton you can write a blog or longer blog post about it. I also just want to tell people that it doesn't have to be a like a full tutorial.
30:56 You don't have to compete with Real Python or other places. You can just do a short thing you learned about it doesn't have to be this. Okay the other thing you talked about was projects is to write about projects that you've done and I think that's a great idea and but I also want to make sure that people understand also the things you're working on right as you're building stuff.
31:18 This can be part of the TIL but it could just be this is the fate and it's also another way to limit the scope like color in the terminal. I don't want to write about all of color in the terminal, but maybe I could write about the just fixing this one bug or this one feature request, what I went through to figure out how to figure out how to use Colorama and then how do I detect whether it's a TTY terminal or not, things like that. That could be a decent article just to write about that.
31:45 And so I think these are great tips for unblocking yourself. The other thing I want to tell people about is if you've covered it, you've learned it from somebody else's blog already, but it didn't quite meet your needs and you looked at other places, that means that there is a tutorial out there that's missing, and it's the one that kind of fits your brain.
32:10 You can rewrite something that is similar to what other people have written about and just write it in a different way that fits you better, and that'll maybe fit other people better too, so there's nothing wrong with that.
32:21 It doesn't have to be completely unique.
32:23 >> Yeah, absolutely.
32:24 It definitely doesn't.
32:25 I like it.
32:26 >> Yeah, I came out there says, TILs are also handy to reread from time to time and remind yourself of things you've figured out and forgotten.
32:33 You can seed the search engines with stuff that you knew, and then when you forget it, you can find it again.
32:38 >> That's how I started blogging and I didn't call it TIL.
32:41 I had a blog nobody was reading and I would just throw up stuff like commands that I looked up, like commands from a tool.
32:49 I always forget how to change my commit message after I've committed too fast.
32:54 So throwing up a little post about Git commit amend would be fine.
32:59 >> Yeah, absolutely. All right.
33:01 Well, this has been a fun episode, but it's still good sometimes to just take a moment and relax.
33:06 >> Yeah.
33:07 >> I mean, I took my dog for a walk in the woods during sunrise, it was like this fog.
33:11 For some people, getting out in nature is amazing.
33:15 But as software developers, a lot of times you want to get close to the code or close to the heart of technology.
33:22 What speaks heart of technology more than the server?
33:26 - This is crazy, man.
33:27 - Yeah, so here's a thing you can play.
33:30 It's on YouTube, I'll show you in a second.
33:31 And it says pure relaxation, server sound.
33:34 So we can come over here and it actually has tracks.
33:36 So like it starts with desktop in the Draldrum, entering the engine room, the far side of the cloud.
33:43 I find co-location ventilation to be especially relaxing.
33:47 Facing the cloud.
33:50 And finally spacewalk.
33:51 So I just want to play a little bit of this for people, right?
33:54 I think, I think they're going to enjoy it.
33:56 Maybe.
33:56 It's amazing.
34:04 Right.
34:04 So relaxing.
34:05 So, anyway, you shared it with me before we started though.
34:09 And I got to say it's hilarious.
34:12 So I'm going to go check this out.
34:13 I mean, keep in mind, a lot of people have to wear like big earmuffs, sound protection to go in this room.
34:19 So it might be the opposite of relaxing, but you'll see.
34:22 You'll see.
34:23 Okay, cool.
34:24 Nice fight.
34:25 All right.
34:25 Yeah.
34:26 Thanks.
34:26 Just here to help people be more productive, you know, maybe not with this though.
34:30 Well, in some of these people that used to be around the, all these server farms are now working from home and they might miss that sound.
34:36 So that's true.
34:37 Roman out there points out that the scary part is actually if the server room is quiet, why is it quiet?
34:46 This is not good.
34:46 Yeah.
34:47 All right.
34:48 All right.
34:49 Well, thanks a lot for as always.
34:50 And thank you everybody for watching and showing up and listening.
34:55 We love you.
34:56 And thanks, everyone.
34:57 It's been an awesome six years and we'll keep going.
34:59 Yeah. Bye bye.