Adam Stacoviak: What is the idea of staking? I understand it in crypto as normal, but if I bought in and I staked against a project, what does that do for it?

Drew Wilson: Crypto will be great for collectibles, and hopefully also another spot, like through Bitcoin, the name brand crypto, will be another spot for super-wealthy people to move money, and so that way they don’t have to move it into real estate, and harm the real estate industry… In that by doing so, by buying up a bunch of properties, it makes property go up everywhere; property values go up everywhere, and it makes it harder for regular people to buy homes at an affordable price… That’s one, if we’re staying on the crypto train. If we’re not staying on the crypto train, another hard belief - let’s see… Maybe a hard observation, how about that? I still think it’s interesting that design and engineering are now a regular job. I was always the young guy in tech, and so that will never kind of go away from me. But this idea of getting into tech and it being a job, and not like a hobby and something that you want to do is still so strange to me… Especially when you get into running companies and having employees or having teams, and you start to realize that “Okay, this person does one thing, and they’re probably only ever going to do one thing.” And maybe they have aspirations of being really good at this one thing, but they don’t really want to spread out, and like think of tech as one thing, and there’s many aspects to it. They think of “I’m a designer” or “I’m an engineer” or “I’m a product manager.” So that’s the segue into my hard belief. Here comes my hard belief.

Chris Benson: [04:30] Yeah… Although, before we kind of move fully over to the AI side from the crypto side, I happen to be staring at Sam Bankman-Fried’s Wikipedia page, and I’m looking at his hair… And as you mentioned the barber and stuff, there’s gotta be a joke there. That’s all I’m saying.

Roland Shoemaker: We use it in crypto TLS. It’s the basis for a number of key exchanges that we have to do intercompatibility. And yeah, right, before we just reached deep into parts of the standard library that nobody should ever see or touch, that were in hindsight probably a big mistake to add… But we have to live with our mistakes. And this new library replaces tens of lines of very scary-looking code with a single call to an API that is incredibly well-designed, thanks to Filippo… I think this is part of what we’ve been trying to do over time, is taking away the rough edges of the crypto libraries that we have accumulated over almost 15 years at this point, of design and experience with getting things wrong.

Jerod Santo: So this reminds me of this post from Gabe Kangas, who listened to our OpenTF interview last week… And he said “Just listened about OpenTF. A bunch of people band together, forked a major project, and found enough people who were interested in it existing and wanted to be involved. I wish this could happen with a browser. Sure, there’s a ton of small indie browsers that are using forks of Gecko and Chromium, but I’m talking about a real organization. A real, open source-first nonprofit, whose job it is to build a browser for the people. No Google slipping in advertising features, no Mozilla taking money from Google, no Brave adding crypto… A browser from the people, for the people, without corporate ownership and direct control. It’s a pipe dream, but it’s a hell of a dream. I’m sure it’d be hard, but I don’t think it would be impossible. Everybody needs a browser. Why can’t it be treated as a public good?” Nice sentiment there, Gabe. That’s what we need… So who’s coming with me?! [laughter]

Jerod Santo: Well, I can tell you the rabbit hole I’ve gone down trying to fix it, which is that basically our Twitter Auth has been offline ever since then… Which so far only Mat Ryer seems to know about, so maybe he’s the only one who uses Twitter Auth on a regular basis… Because he’s always like, “I can’t sign into the website.” And I’m like, “Dude, just put your email address in there and we’ll send you a magic link.” And he’s like, “Oh, you can do that?” Anyways… He really likes Twitter Auth. We offer GitHub Auth and Twitter Auth. Well, we did offer Twitter Auth for a while, until we upgraded to Erlang 24… And this crypto HMAC error happens deep inside of the ueberauth_twitter library that we use. And it’s a difficult situation, because it basically – I don’t know if “segfault” is the right word, but it just crashes the interpreter altogether. This is not a nice stack trace, and everything. It’s deep down in there, but what it’s saying, this crypto HMAC error, is not exactly the problem, I don’t think… But it’s very difficult for me to debug, because I have to debug it from inside of ueberauth_twitter, the package. And that package doesn’t handle the situation gracefully at all; it handed up the stack to me in order to debug… And I can’t actually repro in dev.

So that’s as far as I’ve gotten… I’ve found out what the problem is. I think it’s when it’s passing in an empty session cookie, for some reason, and it’s trying to HMAC an empty string, if I recall correctly… It’s hairy down in there, but actually, it’s just navigating the debugging which has made me not be able to fix it… So what I do is every couple of weeks I go check their repo and see if they’ve cut a new release, and then I upgrade, and I’m like, “Please, have it fixed…” and then it still doesn’t work. Because I don’t even know what issue to open at this point. It’s such a small use of our website, and I’m pretty sure most of those things hitting that error are just robots hitting that route; they’re not people.

So I haven’t fixed it, I haven’t opened an issue yet… I hope that somebody just upgrades the thing and it goes away. Maybe – is Erlang 25 out yet? I don’t know… What changed, Gerhard? What’s going on in there? Because I can’t figure it out quite yet.

Adam Stacoviak: It seems so. And the reason why I asked as it seems like the kind of business you’re building is - and correct me where I might be wrong or where I might be right - an investment business, with really smart people behind the scenes that know how to invest and know how to lead funds across the different products you have. You have sort of this media side that can be blossoming for you, and then you also have the technology. Like, you’ve got to have those three things in your business. To share the message, you’ve got to do different research, you’ve got great content out there, so you’re a media business, so to speak… And you want to be able to be authentically connecting to the audience out there, so you want to put these great investment folks behind your products out there, sharing their ideas and sharing how the crypto market’s moving, or how there’s a dip, so buy, or whatever it might be. You want to have that heartbeat mentality. So, investment, media-ish business, and tech business. Is that–

Perry Mitchell: [24:08] I’ve got a bit of a pessimistic view on the whole data breach thing. I think it’s extremely damaging brand-wise, especially for someone like us, where we’re starting out… The crypto and the security measures there are definitely a primary concern for us, just making sure that’s all put together properly.

Filippo Valsorda: No, that’s the thing. It’s not about security focus. I don’t need anybody to – I mean, if they also want to review the security of it, great. But no, no, we just need people who use crypto TLS - which, like Roland was saying, is everybody - to try the release candidate…

Feross Aboukhadijeh: I totally agree with what you’re saying, Jerod. I feel like the whole crypto space has been a little disappointing. There was like all this really cool decentralization work happening before the ICO craze started; there was – I’m gonna shout out some of my friends here, but I feel like the Dat Project, Mathias Buus, Chris and Kelby, and Paul Frazee, and all the people building that… The Secure Scuttlebutt project, with Dominic Tarr, and a whole cool community there… And then I’ll throw WebTorrent in there, too; I thought it was pretty cool.

So basically, there was all this stuff that was actually working, right? It worked, it actually did what it said it was supposed to do, it worked. It had almost no – or literally no financial backing behind it, and yet, we shipped stuff that worked. And then this whole crypto thing kind of took the air out of the room, and everybody started throwing money at it, and for several years I kept wondering “Okay, when is this stuff gonna actually start to work, and do what it says it’s supposed to do?” And it took a really long time for that to start materializing.

And then now, if you kind of look at “Okay, what has all this accomplished?” I mean, there’s definitely real stuff happening, and I don’t want to be totally cynical about it… There’s definitely good people doing real computer science, and like making new stuff. But overall, I kind of just feel like the whole thing is so self-referential. If you ask people “Okay, what does your project do? What does this company do? What does this product do?”, it’s always like “Oh, well it connects this chain to this other chain.” And then it’s like “Okay, cool, that seems useful”, but then you go and ask those two chains, “Okay, what do you guys do?” and then it’s like “Well, we connect this thing to this other thing.” And it’s like, at what point does it terminate with actually doing something useful, right? It’s just a little bit too self-referential and too circular, and there’s only a couple of use cases that I can think of that are actually real.

I don’t know, it’s just – my hope for this whole thing is that it ends up actually doing useful things for real people at some point. That’s the real letdown for me so far.

Kevin Ball: And they were found legally liable for it. So if you go too far into “Oh, these things are magic”, you will end up you shooting yourself in the foot with them. However, they are not pure hype. They’re not crypto, it’s not just technology for the source of making money and not valuable for anything else… Sorry, Feross, or whoever it was – it wasn’t Feross. Who was into crypto?

Jerod Santo: We are back for a follow-up episode to episode 450 on Vim. First of all, I wanna say that I appreciate all of the positive feedback around our Vim episode. We’ve put a lot of work into that, and it sounds like everybody enjoyed it. We’re happy to hear that. And one of the things that we’ve heard over and over and over again was “When Neovim?” Similar to the Crypto Kitties say “When Moon?”, the Neovim kitties were saying “Hey, you’ve done Vim… Now give us the Neovim treatment.” So by popular demand, we have TJ DeVries here to talk Neovim with us. TJ, thanks for coming on the show.

Kelsey Hightower: So one thing I have to realize is that I think a lot of times when people get money, they believe that they’re smarter than other people that don’t have money. So they think that their ideas should rise at the top. They’re obviously right about something, because their bank account reflects just how right they are. That’s the mistake. To me, I know that I’m lucky, and a lot of things could have went in multiple directions, and it doesn’t end up with this particular number. And so one thing I’ve challenged myself for the last maybe 20 years, “Who am I, and why do I believe what I believe?” That’s it. Sometimes I believe things because I didn’t have time to research them, so I had to just take them at face value, they were taught to me, I didn’t have time to challenge them, so I took them.

So these days, when I look at it, I try to humble myself, and be like “Kelsey, do not fall into the lifestyle inflation. Do not over-index on showing people what you have. It is okay if people don’t think you’re in the top X percentage of anything.” Remind myself that “Yes, you could buy it, but you don’t need to. What’s caused you to want to do that kind of thing?” And that helps me avoid the conspiracy. For example, if you say “I need more money”, you will be really mad that you pay taxes, because people are taking away the very thing you want. I don’t mind paying for the bridges, the highways, the medical stuff…

[01:02:05.01] Do I like the waste? Absolutely not. I’ve seen waste in enterprise, so I’m not surprised that there’s waste in government. So I don’t over-index in that, because I also know that people are hard to be very good 24 hours a day forever. It’s not happening, folks. So I’m a pragmatist when it comes to that stuff.

But the conspiracy theories - whenever one pops into my mind, I say “Kelsey, it’s time to do some research here. Before you start running your mouth, before you go on Twitter just saying random stuff…” For example, when I wanted to understand inflation, I had to go read The Monster on Jekyll Island, how the Federal Reserve was formed… Buy some, Treasuries actually buy Treasuries from Treasury Direct, look at the interest rates, look at the curve… Why do people start feeling a certain way when it goes up, start feeling a certain way when it goes down? Who buys them, who doesn’t? How big is the Treasury market versus the stock market? Treasury market’s dramatically bigger. Why is that?

So these are the types of things that I go into to just try to resolve the conspiracy components with actual facts. And then I just talk to people. “Hey, explain to me how this works, please, because I don’t know.” And then people give me insight, give me something I don’t know, they close the knowledge gap. And then I’ll test. So if I’m really afraid of something, I’ll test it. When the whole crypto movement was going, I was so afraid, because I saw [unintelligible 01:03:25.25] It doesn’t matter if things are logically correct or not. It don’t matter. If the world decides that we should all jump off our roofs, with no helmets, then just people start doing it. It’s like “Oh, what are we doing?”

Kevin Ball: I do wonder, coming back to the generative AI thing, if part of the challenge right now - and this is coming in from the chat, but the challenge right now is sort of this assumption pushed by people who have a lot of investment in AI, that AI can actually replace people coding. And they’re pushing – you have all these studies, “Oh, it’s improving your productivity, it’s doing all this”, and so everybody thinks “Oh, I’ve got to do this or I’m falling behind.” And as we were highlighting, for some problems it’s a big help, and for other problems, it’s crap. And it’s not helping you get more done, and at the same time, it’s inhibiting your ability to learn.

So I think some of this is pushed by people like the Sam Altmans of the world, who - they have an agenda. And it’s very clear that they have an agenda, but they’re kind of taking this… It’s like the NFT boom. “This is gonna replace all these things. This is gonna be doing these things.” Well, there’s more value in AI than I think there was in crypto, but there’s also a whole lot of junk.

Amal Hussein: Yeah, this one’s a really hot topic, and coincidentally, I was having a conversation with some friends last night about this topic of like monetization on the internet, and how we really need to figure out a way to do this cleanly, through standards, because we cannot leave our content creators in the hands of companies like Google, that are just very – they have a very different, specific set of incentives, right? So this story is from Brave, it’s from the Brave Browser team. For those of you who are like “Brave, the browser?”, let me just give you a quick summary. So Brave is a browser that’s been around for a few years now. It’s been my primary browser on my personal machine, on my phone… It means some of my experiences on the web are not great as a result of it, because Brave is intentionally very privacy-focused, and they aggressively block trackers, and all that jazz.

One of the founders of Brave is Brendan Eich, who is the person who also created JavaScript, ECMAScript. And love Brendan, hate Brendan, it doesn’t matter. I’m just stating he’s one of the people involved with this project. He’s been a little controversial in our community lately… And Brendan – I was excited about this project, I still am, but there’s a crypto elements to this, which I have just always ignored… But there is something called the BAT, Basic Attention Token, and so the idea is your attention is time, and we could potentially show you ads in a private way, and you can earn and get BAT credits, and whatever else. I don’t really do anything with that personally, so I can’t speak to that… But for me, it’s just the best browser in terms of limiting your tracking footprint.

[13:53] And so what Brave came out with is this a bit like – they’re letting you now, just through the browser, opt out of those annoying cookie banners, right? …which are getting like infinitely more complex, right? Because it just went from Accept or Not Accept, to now it’s Accept or See the Options, that will bring a confusing menu that’s worded –

Kris Brandow: You know, a little bit lower. But no, I think you’re right though. I’ve been doing a bunch of security engineering-related work at work, and I’m like, more people need to understand security; not to implement it themselves… Please don’t go roll your own crypto… But I think from an actually getting in and understanding how public key infrastructure, how certs work, how public/private key pairs work, how cryptography in general works - I think enough people don’t get exposed to that, because security is in a specialized area. I think reliability is the same sort of thing, where it’s like “Oh, there is the SRE team. They tackle stuff.”

So I am in general agreement with you. I think software engineers need to be taking more on as far as what their rement is. It shouldn’t just be “Go build some products. Go write some code.”

Mitchell Cohen: They were a hodgepodge of different things. And that’s true about any sufficiently large piece of software - you end up with all sorts of bits and pieces built over the course of years, kind of connected together. But one issue was that they all felt very different. So the way I started to think about it was it almost felt like someone was making third-party, fan clients for our service, even though we were the ones making them… And definitely, that was something on our minds when we set out to build our new tech stack, and of course, our new design language and feature set that accompanied that tech stack.

But the other interesting thing about them is that they also all had web technologies in them, and we always have used web technologies heavily and pioneered them… So as Andrew already alluded to, we used web crypto very early on to power our web service and to make sharing possible over the web. But even on the desktop apps and mobile apps, we had web views, we had web-based integrations. And in fact, the most important part of our desktop app, which people interact with every day, has always been web-based and very heavily so. And that of course is the browser extension.

[16:16] So it’s interesting to see people think of what we’re doing as sort of like a move, or a shift, when really it’s just taking something we’ve always cared about deeply and continuing to use it in our product for the things that appeal to us about it.

Mitchell Cohen: They were a hodgepodge of different things. That’s true about any sufficiently large piece of software - you end up with all sorts of bits and pieces built over the course of years, kind of connected together… But one issue was that they all felt very different. So the way I started to think about it was it almost felt like someone was making third-party fan clients for our services, even though we were the ones making them… And definitely that was something on our minds when we set out to build our new tech stack, and of course, our new design language, and the feature set that accompany that tech stack.

But the other interesting thing about them is that they also all had web technologies in them, and we always have used web technologies heavily and pioneered them… So as Andrew already alluded to, we used web crypto very early on to power our web service and to make sharing possible over the web. But even on the desktop apps and mobile apps, we had web views, we had web-based integrations… And in fact, the most important part of our desktop app, which people interact with every day, has always been web-based, and very heavily so… And that of course is the browser extension.

It’s interesting to see people think of what we’re doing as sort of like a move or a shift, when really it’s just taking something we’ve always cared about deeply and continuing to use it in our product for the things that appeal to us about it.

Kris Brandow: [01:03:52.23] You know, a little bit lower. But no, I think you’re right though. I’ve been doing a bunch of security engineering-related work at work, and I’m like, more people need to understand security; not to implement it themselves… Please don’t go roll your own crypto… But I think from an actually getting in and understanding how public key infrastructure, how certs work, how public/private key pairs work, how cryptography in general works - I think enough people don’t get exposed to that, because security is in a specialized area. I think reliability is the same sort of thing, where it’s like “Oh, there is the SRE team. They tackle stuff.”

So I am in general agreement with you. I think software engineers need to be taking more on as far as what their [unintelligible 01:04:38.07] is. It shouldn’t just be “Go build some products. Go write some code.”

Victor Dibia: [03:57] My background is a mix of computer science - software engineering - and a bit of human-computer interaction, and more recently applied artificial intelligence. I have a masters degree from Carnegie Mellon University that’s focused on software engineering, some management courses… And as part of that I did this thesis in building a web-based public key crypto system that was introduced by my advisor. That was a nice experience, it’s just that there was a lot of time spent implementing cryptographic functions in Java. After that I felt it would be nice to move away from just the technical aspects of computer science, and also look at some of the human aspects of computer science.

Right after that, I made an interesting choice… I moved to Africa, Lagos, Nigeria to be specific, and I started a company focused on making software, focused on the African market. I did that for about a year, and as a part of that I also taught at the university in Lagos, Nigeria, through some project that was co-sponsored by MIT and Google.

At that time I figured out I’m really interesting in human aspects of computer science, and I had all this experience building software tools within the framework of a startup, and also teaching at a university… And then I decided to do a Ph.D. My Ph.D. was in information systems. I did it at the City University of Hong Kong. The main focus was quantitative user behavior studies.

At some point during my Ph.D. I had the opportunity to do an internship at IBM Research, and that’s where I got into AI. So I interned with a group called the cognitive environmental lab at IBM. Most of what that group did was trying to figure out good user experiences for applied machine learning. So we spent time taking APIs built by other research groups - APIs around speech-to-text, text-to-speech and computer vision, and our goal was to use these tools and build them into interactive, in some cases [unintelligible 00:06:20.13] experiences.

That’s where all of my interests with AI started. I started out applying models, and after a while I spent time implementing some of these models in TensorFlow and Keras, and essentially made the transition to start applying some of these custom-built models in new problem spaces.

I was at IMB Research as a post-doc, and then a research scientist, and earlier this year I joined Cloudera’s Fast Forward Labs as a research scientist. It’s a bit of a journey, but this is kind of how it all went down.

Aaron Hnatiw: I think the point that you bring up about having the basics covered is really important. It is intimidating to think about all of the things you need to think about to be an expert in security, to know what different kind of vulnerabilities there are out there… And I’m gonna let you know a little secret - no matter how much you catch, there’s always gonna be something there. I don’t think it’s possible to have code that is completely secure, unless it’s maybe one line, developed in isolation, and has no callouts and no inputs. It’s almost impossible. I don’t think you can necessarily lose sleep over that. You have to look at it from the basics perspective, and then from there, I think what a good security person will do is understand – because the way to make something the most secure is to make it not functional at all. You have to have a tradeoff.

A good security person will look at something and understand the business risks and understand really what it’s trying to do, and find the best way to put the most security measures in place. But some of the basics – I mean, I can go over some of the basics you should probably know, as a reference, to cover the basics.

I think three main things stand out that you can easily do and keep in mind when you’re developing something, and then you’re covering a substantial amount of vulnerabilities. The first one is the patch. Just make sure your libraries are up to date as much as possible, especially if there’s a security vulnerability. So just be aware that the latest one is probably going to be the best for that. It’s not always possible to keep things up to date, I understand that. In an environment where you have so many dependencies, sometimes upgrading is not an option. From there, there’s other mitigations you can put in place - put something in front of it, or try to learn what the exact vulnerabilities are and find out the ways of mitigating it. So patching and keeping things up to date is probably one of the most important things and one of the easiest wins you can have. That applies to operating systems as well, and applications and libraries.

The second thing - and probably the most important thing - is input validation. Understanding that the input that you’re getting from a user is what you think it is, and checking that on the server, rather than on the client. Because client-side control can be bypassed very easily.

[28:01] In a browser, if you use a proxy like Burp or ZAP you can intercept the request, change the data after it’s left the browser, and then send it on and it completely by-passes any kind of client-side input validation. So checking that the information that you’re getting is what you think it is, and not some malformed input like a super long string to get a buffer overflow, or negative numbers when you don’t expect negative numbers, or special characters that you don’t expect… The best way to do that is to use a whitelist over a blacklist.

The difference between a whitelist and a blacklist means – a whitelist is looking for a set number of things that are allowed, whereas a blacklist is looking for a set number of things that are not allowed. The number of inputs that can be allowed through is significantly less when you use a whitelist, so you are much more aware and you’re much more in control about the data that comes through, as opposed to with the blacklist… Where there may be a ton of things that you haven’t even thought of that could come through and could get around your validation.

So input validation is probably the most important, because really any vulnerability, any exploit comes from user input. If you can control that, if you can find some way of mitigating that, you could probably reduce at least 50% of the vulnerabilities that you may have in place, which is huge.

The third one is output encoding, and this is more of a preventative measure. When you’re outputting data onto a web application, for example, if you encode it with HTML encoding, for example, by doing that you will then reduce the likelihood of something like cross-site scripting, which is essentially when an attacker can get JavaScript to run in a client browser through input they provided. So if you can encode those characters, then it won’t look like JavaScript and it won’t execute like JavaScript, it will just look like a string of gibberish, almost.

So doing patching, input validation and output encoding are three of the biggest things. There’s a few other things that I can just briefly mention, in case you’re taking notes and you want some more depth… One is hardcoded credentials in API keys. I think probably like four months ago it showed up on Hacker News that you could just do a search for password in Git pushes - you search that and you find thousands and thousands of Git commits that had a password in it, or had someone mentioning a password, or taking a password out of their application. So having those hardcoded credentials, especially in open source software, is trivial to find, and then someone could take that easily; they don’t have to have any skills, and they could just access your machine. So making sure you have a safe way of passing up strings and secure information and secrets to an application is important.

Then two other key things is authentication and authorization, so making sure that people are doing the things that they should be doing, and they’re allowed to do that and they’re gated from doing things they shouldn’t be doing. Then the last key point is encrypting data arrested in transit; making sure that you’re using a TLS over the web, you’re implementing a security certificate. Letsencrypt makes it super easy to do that now. And then encrypting it at REST, so using proven crypto, like AES or Bcrypt for hashing - just some examples.

I know that was a lot to take in, and I’m sure that a lot of people are probably gonna go back and review over that… But if you can just cover those things, just keep those in mind as you’re developing, I guarantee you’ll reduce at least 90% of the vulnerabilities that can be introduced in your application just from those things alone.

Jacob Hoffman-Andrews: … or now we have to call them The First Crypto Wars. So NSA, GCHQ and other spy agencies were kind of used to having a lock on cryptography. They were the cryptography experts. Ordinary people wouldn’t have access to encryption; they wouldn’t even know the algorithms. But with computers really taking off, you had a lot more academics researching these questions of “How do we make things safe?” and they started discovering good crypto algorithms. Some had already been secretly discovered inside spy agencies, some were new.

The U.S. government decided “These secrets, these abilities to keep secrets are too dangerous for us. We don’t want people outside the U.S. to be able to keep their stuff safe, so we’re gonna pass Arms regulations. We’re literally gonna say cryptography is a munition, and it’s governed under ITAR (arms export rules).” So if you write crypto software, or even if you write about cryptography, you can’t export that from the United States unless it’s intentionally weakened to the point where we think the NSA can break it.

James Snell: There’s two things there. With HTTP/1 in Core right now, a number of design decisions were made early on to favor performance over spec compliance. It turns out that there are a number of compliance things in the spec that says “Don’t allow white space in headers”, right? And there’s very good reasons for that, because you get into request smuggling and response splitting, and there’s a lot of real specific security issues that come if you allow invalid characters into an HTTP/1 request. Node was like, “We want things to go fast, so we’re not gonna check this, we’re not gonna check that”, and it was a very deliberate decision not to fully support that HTTP/1 spec. And what we found is that that caused a number of security issues that we have been dealing with over the past year or two years.

With HTTP/2, we’re gonna be taking an approach where we’re gonna be very spec-compliant. We’re not favoring performance over that. We’re not sacrificing one over the other. It is going to be absolutely compliant to the specification, without taking those performance shortcuts. And that is something that I am emphasizing in my own development as I’m going through this, that making sure that we’re hitting all of those “You must do this” or “You must not do this” that are found in that specification. By adhering to the spec as closely as we possibly can, we mitigate a lot of those potential security issues.

[11:47] The other important thing is that even though HTTP/2 does not require TLS - per the spec you can do plain text if you want - the browser implementation’s the primary client of HTTP/2 right now… Chrome, Firefox, Safari and some of the others, they require that they will only talk to HTTP/2 server over TLS. It’s just mandated. They won’t even connect to a plaintext server, so automatically out of the gate you’re using secured connections, and that alone is going to be a significant improvement to security.

The one limiting factor there is Node hasn’t really had a great reputation as a TLS terminator. A lot of people, just as the best practice, put a proxy in front of it, and then they’ll reverse proxy back over a plaintext connection back to Node just to ensure the performance. A lot of that has to do with the way the crypto works with the event loop and OpenSSL and that kind of thing. So I think a lot of work is gonna need to go into trying to improve that if we want to improve the performance of Node as a TLS endpoint and improve on that story.

James Snell: There’s two things there. With HTTP/1 in Core right now, a number of design decisions were made early on to favor performance over spec compliance. It turns out that there are a number of compliance things in the spec that says “Don’t allow white space in headers”, right? And there’s very good reasons for that, because you get into request smuggling and response splitting, and there’s a lot of real specific security issues that come if you allow invalid characters into an HTTP/1 request. Node was like, “We want things to go fast, so we’re not gonna check this, we’re not gonna check that”, and it was a very deliberate decision not to fully support that HTTP/1 spec. And what we found is that that caused a number of security issues that we have been dealing with over the past year or two years.

[11:46] With HTTP/2, we’re gonna be taking an approach where we’re gonna be very spec-compliant. We’re not favoring performance over that. We’re not sacrificing one over the other. It is going to be absolutely compliant to the specification, without taking those performance shortcuts. And that is something that I am emphasizing in my own development as I’m going through this, that making sure that we’re hitting all of those “You must do this” or “You must not do this” that are found in that specification. By adhering to the spec as closely as we possibly can, we mitigate a lot of those potential security issues.

The other important thing is that even though HTTP/2 does not require TLS - per the spec you can do plain text if you want - the browser implementation’s the primary client of HTTP/2 right now… Chrome, Firefox, Safari and some of the others, they require that they will only talk to HTTP/2 server over TLS. It’s just mandated. They won’t even connect to a plaintext server, so automatically out of the gate you’re using secured connections, and that alone is going to be a significant improvement to security.

The one limiting factor there is Node hasn’t really had a great reputation as a TLS terminator. A lot of people, just as the best practice, put a proxy in front of it, and then they’ll reverse proxy back over a plaintext connection back to Node just to ensure the performance. A lot of that has to do with the way the crypto works with the event loop and OpenSSL and that kind of thing. So I think a lot of work is gonna need to go into trying to improve that if we want to improve the performance of Node as a TLS endpoint and improve on that story.

Jerod Santo: Yeah. I’m in full support of every effort to accomplish that as well. I think Tea is interesting. The proof will be in the pudding with that one. I think they launch officially in January, or end of the year or something, and we’re all waiting to see if it works. And I hope it does. And I see that there are efforts of trying to accomplish that. I think, like you said, with Phosphor and with Departure, you’re definitely a direct relationship to your users, and so that one’s a little bit easier, because they go and download your icons, and they think “I love these icons. I love these people. I’m going to give them 10 bucks.” But not everybody has that relationship. Some people have an even better relationship, like your web framework, for instance, where it’s like “I could not possibly do what I’d do without this thing.” Whereas icons, as crucial as they are, they are interchangeable, and you have easier switching costs, and you could probably go without, or whatever. But with like your web framework, or your programming language, or - these certain things are just crucial.

And so they have a very easy way of - it’s not even easy; easier than many of us way of getting their projects and their passion supported by others. But the people who are the dependency of the dependency of the dependency are the ones that are just completely invisible. And nobody ever gives any credit, or crypto, to the invisible ones, you know? So I’m with you. I think it’s cool, I hope it works, and I hope other ideas are also in the works to help get more money to people who are bringing value in big ways.

That being said, they are open-sourcing their work, and they are giving it as a gift to the world, just like you all are. And so that’s a choice they’re making as well. So I don’t think they have the right to demand money, but certainly, if we can get them some and get more of that goodness going out, everybody wins.

Suz Hinton: Yeah, I think I did a mix of them. So I did CCDC, which is the Collegiate Cyber Defense Competition. I did that with a team, and that was just the defense side of what you just said. So they do hire professional red teamers, and they’re a team from every single college that’s participating. And there’s eight of us, and you have to lock down – they give you an incredibly vulnerable network. The gist of the story is they’ve just sacked the entire IT team, and they’ve hired you on as the new IT team, and you have to basically audit the whole system, find out how it’s vulnerable, lock it down… So it’s the same as what you were saying, but we don’t have to attack anybody. But you spend the first day just auditing, trying to lock things down. They interrupt you with business requests constantly. So you’re emailing the CTO, he’s like “Oh, I want you to look into crypto as a product. Can you give me a report on crypto by the end of the day?”, or something. And so they’re constantly interrupting you and trying to simulate a real business environment where you’re just fighting for your life.

And then yeah, like you said, if they just find one vulnerability, which they will, all of a sudden you’ve got choo-choo trains on your console, and then certain other boxes are boot looping, and you’re just like “Oh, my God… It’s an actual fire right now.”

And so that was a very stressful one that I did, but the others were more about – they’re trying to give you experience with everything in cybersecurity, so there’ll be an encryption section where there’s puzzles. They’ll give you a bunch of encrypted text and they’re like “What does this say?” And it’s more about answering the questions, and completing as many of the challenges as possible. And they’re just smaller toy challenges. And they’ll also challenge you to actually get into a box, for example, and then yeah, find the flag and report what the flag was. So I’ve done a big mix of them.

And then there was the reverse-engineering one, which was NSA, and that’s totally different again. Yeah, it’s been a variety. I think I like the ones where I can just sit and tinker… But the cyber defense one - I really feel like I leveled up, especially in Linux. We spent months practicing, and running password reset drills, and things like that… And being able to audit – and we had this big notebook we were all throwing notes into for each other, and we were on a Zoom call for the entire weekend, talking to each other… It was very high stress, it took me a few days to recover. But I really feel that it forced me to level up, and I’m sure you felt similarly, Jerod.

Adam Stacoviak: These projects are not many businesses, what you’re saying. You don’t think that these open source projects should transcend from communities to many businesses that aren’t really businesses. Not necessarily disagreeing with that either, by the way. So the trend line, I think, for capitalism right now is it’s becoming more and more pervasive. Fractal. And there are better tools and representations of value - one of which is crypto, by the way - that will allow people to participate in capitalism more easily, in a more fractional way in the future. You can come up with some buzzword for all that. I don’t know what that would be. I do not think philanthropy, donations, chipping something into a hat is sustainable. Nope. That is not sustainable, because it is not a system that creates more inputs relative to the outputs. It’s not.

[01:42:17.21] So your example - the way I would describe your example is this person is respected by a community, they raised their hand, and the community responded and said “Look, you asked for this. We’re going to chip in. There’s what you asked for.” Great. That is not sustainable, though. It’s like a one-off activity. How many more times could that individual make such a request? I mean, I guess it would depend on the value of what they’ve done before… Things are going to get, I think, pretty weird in the future as these AI systems can produce very valuable technologies… And so how do you actually sustain the notion of value, and then connect a currency to that? I think that we’re careening - not gradually, we are careening towards a world of completely repricing and reshaping the way value is represented, both in terms of basic standard goods and services in the economy, like bananas and bread, to digital products, and also the price of advertising, which is like the predominant business model of the internet still today.

So I try to remain humble about – like, I have no freaking clue how these things are going to get solved… But I deeply believe capitalism is a very sustainable thing. And you want to create a continuous stream of revenue and income, and have your cost structure and your spend be less than that. To me, that’s called sustainability. There are many other – I’m just like a business person, sort of, so I kind of use the business example… There’s many other examples that you can use… Like in physics, and systems that have inputs and outputs; the same principle applies. To me, that’s how I think about sustainability.

Mat Ryer: Yeah. So a similar kind of idea, really. And yeah, passing things in, making it deterministic… As I was saying, Roberto Klapis told me… Because I used to it with rand, random numbers. Same thing. So you’d just have a function that’s going to return a random number. In production you use the real crypto random thing; in your test code, you pass a new function in and you can just return the deterministic numbers.

And Roberto made the point, “Well, if in production your code is dealing with random stuff, maybe in your test code it should be as well.” And then I started experimenting with using actual real random numbers… Which you can sometimes do. And it depends on the case, again, as usual.