Larry’s Fun Dip: Exploring SBOMs for Fun and Profit [46]

Posted on Tuesday, Feb 21, 2023
Ned educates us about an SBOM and the terror of Derrick’s onion dip, Chris feels salty about Tesla’s Self Driving Beta, and we all agree that going back to the office is stupid.


[00:00:00] Chris: I hate computers.

[00:00:03] Ned: Anyone I know who’s worked with technology for as long as we have has come to the same exact conclusion.

[00:00:13] Chris: They’re very mean. They’re jerks. Computers are jerks.

[00:00:20] Ned: I’m not going to disagree with you, but I’m curious. In this particular instance, how was your computer being a jerk?

[00:00:31] Chris: So what happened was I clicked on the link, and what’s supposed to happen is zoom opens.

[00:00:43] Ned: Okay.

[00:00:45] Chris: You’re familiar, right?

[00:00:46] Ned: I have used zoom once or twice, yeah.

[00:00:51] Chris: So what was happening was I clicked on the link and then nothing happened.

[00:00:59] Ned: That’s wrong. That’s not what’s supposed to happen.

[00:01:03] Chris: And I was confused.

[00:01:07] Ned: I mean, that’s very common for you.

[00:01:10] Chris: It’s not nice.

[00:01:12] Ned: It’s not wrong.

[00:01:13] Chris: I feel like you enjoy being unkind.

[00:01:17] Ned: Computers and I have that in common.

[00:01:22] Chris: And at a certain point, I was like, you know what? I don’t care. I’m just going to reboot the whole situation. It’s been a while. Let’s reboot. And you know what happened? I rebooted, and everything worked.

[00:01:38] Ned: Have you tried turning it off and on again?

[00:01:43] Chris: Thank you for eventually getting to the joke.

[00:01:46] Ned: Yes, it would be funnier if it wasn’t the solution to so many problems with technology. Maybe that’s how we solve climate change. Maybe we just need to turn everything off and turn it back on again.

[00:02:07] Chris: You’re not wrong. I think that could possibly work.

[00:02:12] Ned: It would do more than whatever the hell we’re doing right now, which is nothing. That’s the one. Yeah. Actually, I think the first part of that solution is the best part. The part where we turn everything off.

[00:02:29] Chris: Oh, right. Okay.

[00:02:30] Ned: Yeah. Turning it on again is the mistake. Let’s turn it all off and then go outside.

[00:02:41] Chris: Go play.

[00:02:44] Ned: Yeah, let’s not take it too far. I don’t do well with team activities.

[00:02:49] Chris: No, you don’t seem like a teamwork kind of guy.

[00:02:55] Ned: You and my fourth grade soccer team would agree on that point.

[00:03:00] Chris: You were a middling midfielder. There, I said it.

[00:03:05] Ned: That is kind of used to say I was more of a despotic defender. But why mint’s words?

[00:03:15] Chris: I enjoy the alliteration.

[00:03:17] Ned: Thanks. It also wasn’t true. I was trying to think of something insulting to go with D, and I came up empty.

[00:03:24] Chris: Wait, insulting towards you or insulting towards me?

[00:03:29] Ned: I mean, ideally, both.

[00:03:31] Chris: Fair.

[00:03:35] Ned: So now that your computer has had its little fit, do you think we’re ready to proceed.

[00:03:44] Chris: Reluctantly? I think we should.

[00:03:48] Ned: Hello, alleged human, and welcome to the Chaos Lever podcast. My name is Ned, and I’m definitely not a robot. I have climbed the highest mountains. I have run through the fields, only to be with you. With me is Chris, who still hasn’t found what he’s looking for.

[00:04:13] Chris: Have you ever climbed a mountain?

[00:04:16] Ned: Defined mountain and defined climbed.

[00:04:22] Chris: So what I’m hearing is no.

[00:04:28] Ned: It’s hard to say.

[00:04:29] Chris: Actually, this is an interesting question because I would love to hear your take on this.

[00:04:34] Ned: Okay.

[00:04:35] Chris: I personally think that mountain climbers are crazy. You know what it takes to climb a mountain?

[00:04:49] Ned: The will.

[00:04:51] Chris: Well, that’s only part of it. You need an oxygen tank. You need to expect temperatures of, like, less than negative 20 degrees Fahrenheit.

[00:05:03] Ned: You and I might be thinking of slightly different mountains.

[00:05:08] Chris: Technically, I’m thinking of mountains. I’m not sure what you are thinking of.

[00:05:14] Ned: Technically, the poconos, which are not too far from us, are mountains. Granted, they’re very angel.

[00:05:23] Chris: Sweetie, baby.

[00:05:27] Ned: Honey. Thank you.

[00:05:28] Chris: I need you to stop. But you know what Pennsylvania does not have?

[00:05:37] Ned: Doesn’t have a u.

[00:05:38] Chris: Mountains. We don’t have mountains.

[00:05:41] Ned: Okay? Fair.

[00:05:42] Chris: We have hills. We have enthusiastic hills.

[00:05:45] Ned: We do.

[00:05:47] Chris: And I need you to stop pretending otherwise.

[00:05:51] Ned: All right, that’s fair. And having been recently out to Arizona, I can say without a doubt I have not climbed a mountain. But that at least had something approximating mountains. Pennsylvania the state.

[00:06:05] Chris: That’s right. I forgot about that trip. How was that trip?

[00:06:07] Ned: It was a good trip. I also learned that elevation matters when you’re running.

[00:06:15] Chris: It has an effect.

[00:06:17] Ned: It might slow you down a little bit, but I managed to finish, and that was the goal. And I was out in the desert in February. Which is the only time you should be out in the middle of the Arizona desert.

[00:06:32] Chris: Correct. Should we do the thing?

[00:06:37] Ned: Let’s talk about some tech garbage.

[00:06:39] Chris: Woo.

[00:06:40] Ned: Today we’re going to talk about what an S bomb is anyway. And no, it’s not your drunk cousin’s newly discovered favorite band. There’s a bomb?

[00:06:51] Chris: First of all, it’s my drunk uncle. I would appreciate you getting that. Right?

[00:06:56] Ned: I don’t know. I’ve met some of your cousins also.

[00:06:59] Chris: What was the question?

[00:07:00] Ned: What is an S bomb? Now, I came up with some fun. Potential expansions of the acronym Sulfuric Basalt osmosis meditation. Sounds like fun. You could do it on the weekend. Super based occidental memes. They come from the west coast. Ain’t no meme like a West Coast meme.

[00:07:25] Chris: Oh, no. I’m good with things being based or.

[00:07:28] Ned: Some basic operational malarkey. Now we’re getting closer. It stands for software build materials, which is horribly boring, I know. Now, I was going to do a little play on Dr. Strangelove and how I learned to Love the sbomb, but apparently someone did that last week. I also thought about doing a Scott Pilgrim thing with sex bombamb. But honestly, who’s going to get that one? Aside from Dweebs like Chris, I still.

[00:08:03] Chris: Maintain that that movie is way better than anyone gives it credit for.

[00:08:09] Ned: And this might get me catch me some slack, Flack flack. That’s the one. I’ve been using slack too much. I have read some of the comics, and the movie is better than the comics. There, I said it.

[00:08:23] Chris: No, you’re not wrong.

[00:08:25] Ned: Far more enjoyable.

[00:08:27] Chris: For one time in your life, you’re not wrong.

[00:08:30] Ned: Okay, well, I’m glad we could have this moment between the two of us. I’m Azure. We’ve lost our last singular listener.

[00:08:38] Chris: Oh, they’re going to be so mad.

[00:08:42] Ned: So that does leave me without a pithy title for this week’s main article, but instead we’ll get right into the topic. That is software. Bill of materials.

[00:08:50] Chris: Let’s do it.

[00:08:52] Ned: So why do we even need this damn thing? There was a time long ago when software was written entirely by a single person, or maybe even a small group of people without using components from other programmers. Now that time was vanishingly short, as rewriting common functions to stroke your own ego is both inefficient and stupid. Programmers quickly realized they could develop reusable functions and modules and libraries, et cetera, that could be called by other programmers as needed. Now, the library could do something pretty simple, like manipulating strings, measuring a string’s length or generating substrings, finding a character in a given string, et cetera. Or it could be something really complicated like handling cryptographic functions, something that you should never roll your own on, which.

[00:09:51] Chris: Are also somehow strings.

[00:09:54] Ned: Yes, but they’re different. So once you start using the code of others in your program, you’re creating a dependency on that code. And you’re kind of assuming that the borrowed code both does what it says on the tin and that it does it in a way that is acceptably, efficient, and secure. You know what they say when you.

[00:10:23] Chris: Make assumptions that’s not a good idea.

[00:10:27] Ned: It makes an ass out of you. And omptions.

[00:10:33] Chris: So you wrote that?

[00:10:37] Ned: I really enjoyed it. Yeah.

[00:10:39] Chris: Okay, let’s just move on.

[00:10:42] Ned: Doesn’t matter if anybody else.

[00:10:43] Chris: We are all very proud of you.

[00:10:45] Ned: I am. Tickled chartruse modern applications use the technical term a metric shit ton of other software to assemble themselves, for instance.

[00:10:58] Chris: Not an imperial shit ton.

[00:11:00] Ned: No, this is metric. Yeah, we’re playing with the big boys now. Of course, for an example, let’s look at, say, a common JavaScript framework react JS. I found an example calculator application. Now, the application, if you look through the package JSON file, it lists for dependencies, but those dependencies actually expand to over 100 individual dependencies when you look at the package lock JSON file, which is what lists all the versions of those dependencies, right? That file has each package, the version of that package, the file path, and an integrity check for that package. And that’s all for a very simple calculator application running in the browser.

[00:11:53] Chris: So are you implying that that is excessive?

[00:12:00] Ned: I don’t think anyone, even in the JavaScript community would argue otherwise using JavaScript. And the frameworks or NodeJS has shown time again that there are just a preposterous number of packages that get added when you load up the packages and initialize whatever the software is. So let’s talk about an instance that’s written in a real language. And I want to be clear, I’m being facetious because, Jesus, people are touchy about that.

[00:12:35] Chris: The JavaScript community just got furious.

[00:12:39] Ned: You know what? As a PowerShell user. I get it. Moving on. So how about Kubernetes, which is written in Go? I looked at that repository, and if you want to build Kubernetes, we’re looking at about 200 required Go modules to build Kubernetes. So it is dependent on at least 200 modules. So what I’m saying is that modern software relies on a lot of other dependencies, which themselves rely on dependencies, which may also rely on dependencies or put more succinctly, its turtles all the way down.

[00:13:20] Chris: And what’s interesting is if you think about Kubernetes, which I don’t ever, I try not to, kubernetes is a big project. That’s a significant platform.

[00:13:39] Ned: Yes.

[00:13:42] Chris: Making a calculator that works in the browser, not as sophisticated.

[00:13:54] Ned: One would think that it would be an order of magnitude less independencies.

[00:14:00] Chris: But we’re still talking about a ridiculous amount of dependencies for both of those projects.

[00:14:06] Ned: Precisely. Yeah. And if you have a security issue with one of those upstream dependencies, that now becomes a security risk for every downstream component, and there’s a good chance you might have one of those components and not even know you’re using it. Log for Shell and Heartbleed immediately come to mind, and that’s only because they were high profile events that everybody, or at least everybody in the security and technology community has heard of. In particular, Log for Shell forced developers to evaluate hundreds or thousands of applications to see if they were using the Log Four J library, which they probably were, and if they could upgrade it. Maybe yes, probably no.

[00:14:57] Chris: The part that amazed me about that was in most cases they were like, oh, wait, we’re using that.

[00:15:06] Ned: Precisely. I had no idea. Because it came inside a package which came inside a package which was from some commodity off the shelves software that they bought from Joe’s Crab Shack and Application Emporium.

[00:15:21] Chris: I have personally never trusted Joe.

[00:15:25] Ned: No, I mean, we bought Ram from him that one time and it tasted like crab dip. That’s no good rancid, mind you. Naturally. So this is why we need a software bill of materials for applications. So, you know, what the hell’s in it, right?

[00:15:45] Chris: What is in an S bomb?

[00:15:49] Ned: That’s a great question, Chris, and I’m glad that you thought of that organically. So the SBOM borrows from the concept of a bill of materials in the physical world. So a typical bill of materials includes each component that is part of an order or part of a design. So if I were building, say, a treehouse, the bill of materials would include the lumber, the nails, the roofing paint, and any other materials I would need to construct the treehouse to accomplish what’s in the design. It wouldn’t include common tools like things that I would already have a hammer, a saw. I mean, let’s be serious. I don’t have any of those things. But if I was a handy person, I might this is all hypothetical. I would just cut. Of course, I’d be missing fingers at this point, but.

[00:16:44] Chris: I think the audience knows that we wouldn’t trust you to build a bird house in my soul or anywhere else.

[00:16:54] Ned: Bearing in mind, Chris does not have a soul. Unlike me, the human in this conversation.

[00:17:00] Chris: There has to be at least one.

[00:17:02] Ned: You decide which one. So it wouldn’t include those common tools, but it would include the raw materials that you need for the job. Right. A more advanced build material, and one that you and I both dealt with when we worked at Avar, would include maybe the providence of the components and a unique Identifier. So the bomb that comes with an order for servers for a data center would probably list out each server and its serial number and possibly some of their removable components and their serial numbers, like the Dims or the SSD drives or components along those lines.

[00:17:42] Chris: Right.

[00:17:43] Ned: So likewise, a software bill of materials should include the components necessary to build that piece of software. And the organization that has worked to determine and define what’s included in an SBOM is the National Telecommunications and Information Administration, which is part of the US. Department of Commerce.

[00:18:07] Chris: Why?

[00:18:07] Ned: I have no goddamn idea. I was like, what? You would think that if it would be anyone, it would be the Cybersecurity Infrastructure and Security Agency? Like, that makes sense. But no, that’s the government for you. If it walks like a duck and talks like a duck, it’s probably a cow wearing a duck costume from the NSA.

[00:18:32] Chris: Also, ducks are assholes. Wait a minute. That might be why.

[00:18:40] Ned: Because they’re really cows.

[00:18:42] Chris: Yeah. Think about it. How upset would the cow be that he has to pretend that he’s a duck?

[00:18:50] Ned: I was going to apply the same to geese, but I think geese are just intrinsically assholes.

[00:18:57] Chris: That’s true.

[00:18:58] Ned: Yeah. Anyhow, so at its most basic, was it NTIA? Yes. The NTIA define an S bomb as a formal machine readable inventory of software components and dependencies, including information about each component and its hierarchical relationships. So it’s going to list out the dependencies of each component and upstream and downstream dependencies as much as possible.

[00:19:32] Chris: Right.

[00:19:33] Ned: Now, the NTIA defines the SBOM at an abstract or theoretical level. It doesn’t get into the nitty gritty of the implementation, in part because they rightly recognize that a single implementation standard wouldn’t fit all necessary situations out there. So they’re trying to balance utility and specificity. Their what they call framing document defines baseline attributes like the author of the document, the timestamp when the document was created, the supplier of the software, which could be different than the author, the components, and the relationships. Now, the part I found interesting, and it harkens back to our episode last year on distributed Identifiers, is the concept of a globally unique Identifier for each component. So each component, and specifically each version of that component needs a globally unique ID across all Sbombs, and that is a tough nut to crack. There are some suggested options. Like one’s called Common Platform Enumeration. Another one’s called Package URL, which is shortened to Perl, which I like just because it’s fun to say. And another one’s called Software Heritage ID Heritage that’s smacks of people who claim to be the sons of the Revolution or Mayflower descendants.

[00:21:06] Chris: Yeah, I was just thinking it’s really about white people.

[00:21:12] Ned: I don’t need my software again all uppity just because it’s the great great great because it’s great great great grandfather managed to avoid Typhus long enough to reproduce. No one’s impressed Derek. And your onion dip is terrible. There, dude, I said it. Stop bringing it to the party. Derek, why do you think there’s a full bowl at the end?

[00:21:40] Chris: Jeez, Derek is going to be real mad.

[00:21:44] Ned: Well, he knows what he did now. So there are three referenced implementations of the S bomb in NTIA’s, Quicksheet, SPDX, speedix. I don’t know if anybody says that, but that’s what I say in my head. Cyclone DX and ISOIEC 199770 2015.

[00:22:13] Chris: That’s hot.

[00:22:14] Ned: The ISO IEC standard is closed, closed source, and you have to pay about $200 to read it. So fuck that and their stupid name. The SPDX and Cyclone DX standards are both open source and free to use. So I don’t know enough to recommend one versus the other. But I’m sure the two of them are both very capable and well thought out.

[00:22:44] Chris: Based on the zero amount of research that I have done. I’m going with SPDX.

[00:22:51] Ned: Good, because we’re going to look at Cyclone DX instead. Awesome.

[00:22:56] Chris: I am glad that I chose poorly.

[00:22:58] Ned: Let’s do it. You don’t read ahead. So let’s say we’re going to use the Cyclone DX implementation. How do we go about creating one of these fantastic S bombs in the first place? Now, first, I want to say that I chose Cyclone DX for no other reason than the name is cooler.

[00:23:22] Chris: Oh, really? I thought that you did it to spite me.

[00:23:25] Ned: Well, that too past me wanted to spite future you. I know that you and I shit on names a lot here at Chaos Lever because a lot of names are terrible.

[00:23:39] Chris: Yeah, fair.

[00:23:41] Ned: So I thought it would be nice to just acknowledge a well named product now and then. Cyclone DX. Well done.

[00:23:49] Chris: Ideally, you know what Cyclone DX makes me think is a CPU a little bit? The late ninety S. Oh, see, it.

[00:24:01] Ned: Made me think of an RC car for some reason. Like Saturday Morning Cartoon. Kids. Check out the new cyclone. DX It can climb up rocks. It can climb up your sister.

[00:24:14] Chris: I don’t have a sister.

[00:24:17] Ned: Don’t make this weird.

[00:24:19] Chris: You already made it weird.

[00:24:26] Ned: So, creating Sbombs. Yeah. Ideally, the time for you as the creator of the software, or the packager of the software, is to create the S bomb when you’re building your software. So, as part of your application release pipeline, you usually have to run some sort of build process depending on the programming language. And you could be actually producing an executable binary, or you could just be zipping up all the necessary files of the application in a tarball. Regardless, while the application is being put into this built format, one of the tasks that can run can call to a tool that will create the SBOM for that specific version of the build. And that resulting S bomb will include the name of the application, the vendor who created it, and the version of the application that corresponds to that S bomb. Now, I actually looked at one such tool for Cyclone DX and the net framework, and it’s called Cyclone DX. Net. They can’t all be winners.

[00:25:31] Chris: Chris, I have no notes.

[00:25:33] Ned: Okay. It creates a cyclone. DX compliant sbomb for net applications. If that wasn’t obvious enough, the tool itself is actually written in.NET and it includes an sbomb for itself, which begs the question, what builds the SBOM for the sbomb builder? Do you know there’s compilers written in their own language?

[00:26:05] Chris: Do you want to go down this rabbit hole?

[00:26:07] Ned: All right, stop. So the sbomb itself is in JSON and it runs about 5000 lines long for this open source tool. So I’m going to say these things are neither brief nor human. Well, you could read them. They are readable it’s in plain text, but they’re not human consumable. You would have some other tool that would take a look at that, unless you’re like Derek’s auto. Didact father who memorized the first 10,000 numbers of pie. Yes, Derek, you may have mentioned that a few times. Now take your felonious onion dip and GTFO.

[00:26:53] Chris: All right, so I just need to pause for a moment.

[00:26:58] Ned: Yeah.

[00:26:58] Chris: And I want you to be honest with yourself and the audience. How happy are you with yourself that you use the word autodact?

[00:27:12] Ned: Shut up.

[00:27:16] Chris: Fair enough. Carry on.

[00:27:19] Ned: All right, now, for any other software stack or programming language, the process would be remarkably similar with slightly different tooling. You would have a task in your build process that would invoke one of these tools that’s specific for your language. It would produce the S bomb. Of course. What do you do about software dependencies that don’t include an SBOM? What about closed source software or commodity off the shelf software that’s already running in your organization? Don’t you want to know what’s inside of those things as well? Like maybe they’re running log four J? They definitely are. So there are analysis tools that take a look at the binary and try to determine the providence of its components. And this is helpfully called binary analysis. I know they dug deep for that one. I do appreciate that’s exactly what it.

[00:28:14] Chris: Does sometimes when you’re doing naming it’s okay. It’s okay to be specific.

[00:28:22] Ned: Yes. Now, there are upsides and downsides to both the source code and binary analysis approach. And you can check out an excellent post and series of videos by Andrew Hoog. I’m going with Hoog. We’ll include a link in the show notes. He goes into more detail about why you might prefer one over the other, or how you can use the two in tandem. So we know what an S bomb is. We’ve created our S bomb because we’re awesome. What the hell do we do with it now?

[00:28:57] Chris: I am on pins and needles, my friend, begging you. I am desperate to know.

[00:29:04] Ned: As you should be.

[00:29:07] Chris: I can’t wait. I’m torn apart inside.

[00:29:13] Ned: You know I can just edit all this out, right? I hold the power. An SBOM isn’t just for security, although it can be. Knowing all the components that are in your software can help you identify components that really aren’t being used anymore, or could be replaced with the better components. You might realize that out of the 100 plus dependencies in your JavaScript application, you only need four. So maybe you can trim the fat a little bit. You could also realize you’re using an extremely old version of one of those components, and it’s time to upgrade. Some components might require a license to use. And you can use the SBOM to find and verify your licensing status when you’ve got Rapacious legal entities, masquerading, AWS software companies, and yes, I am talking about Oracle, then you may want to know if you’re using their Java SDK software and suddenly it needs to be licensed. And then, of course, you’ll swap it out with open JDK, because Larry doesn’t really need another yacht, no matter what Derek’s father says. With all that being said, honestly, the most common reason to have an sbomb is to remediate dependencies with known vulnerabilities.

[00:30:37] Ned: You can take that.

[00:30:38] Chris: Is Larry Derek’s father?

[00:30:44] Ned: No.

[00:30:47] Chris: Like allegedly, or like, for real?

[00:30:49] Ned: Well, we’re not sure. Derek’s Law has been a little cagey on that.

[00:30:54] Chris: Interesting.

[00:30:55] Ned: Yeah. Though his onion dip is called Larry’s Fun dip.

[00:31:03] Chris: That just made me nauseous.

[00:31:06] Ned: Best not to read too much into it.

[00:31:10] Chris: I don’t ask much for you. I need you to never say that again.

[00:31:15] Ned: Oh, good, we have an episode title. Since the S bomb is machine readable, it can be checked against a database of known CVE’s to quickly identify any potential issues. And some of the tools that can create S bombs can also do that. Comparison analysis. Other tools are specifically designed for that purpose. And if you look at either of the standards SPDX or Cyclone DX, they have a whole list of tools and what each one does. Sbombs increasingly also carry with them a cryptographic signature that a consumer can use to verify the source of the application. And if each component in the SBOM contains a signature proving its source, then you can hopefully avoid a malicious component masquerading as the real thing. Getting into your build chain. And I’m thinking of say, the Solar Winds debacle and software supply chain security. This could have helped to prevent that, though they’d have actually infiltrated the build systems at that point, so maybe not.

[00:32:29] Chris: I mean, it could also have helped if they weren’t stupid.

[00:32:34] Ned: They weren’t big stupid dummy heads.

[00:32:37] Chris: Yeah, dumb, dumb faces, I guess. I hate to use such foul language.

[00:32:43] Ned: But shit man, why do you got to be like that? So the S bomb can be used to help build and maintain a chain of trust from the base components of an application up to the commercial deployments of something like Kubernetes. S bombs are kind of a big deal right now, and even if you’re not a developer or a security professional, I think it’s probably going to come up in conversation with your peers. Hopefully we’ve armed you with enough information to avoid sounding like some idiot who’s never heard of Sbombs Chives or Tasteful Seasoning. Like Derek. Don’t be Derek.

[00:33:31] Chris: Now, when you are building software, yes, this seems to me to be a no brainer indeed. You recognize what you are using as support and external software packages. You highlight them and you move on. So my question to you yes. Why would anyone not do that?

[00:34:10] Ned: Because it’s extra work.

[00:34:12] Chris: Oh, right.

[00:34:16] Ned: If you’re asking people to do additional work and you’re not paying them to do that extra work or making it mandatory, then they’re probably not going to do it. Especially if it’s coming from the security team because no one wants to listen to those dicks.

[00:34:36] Chris: Those guys are jerks.

[00:34:38] Ned: Totally. So I think for applications that are developed internally at companies that already have a solid build process, this is a no brainer. Like you said, very easy to add it into their existing build system and produce that S bomb. My expectation is that we’ll see more and more open source projects also producing these, and then maybe eventually some closed source software also producing these. But there’s a whole bunch of legacy heritage, whatever the hell we’re calling it this week, of existing applications that do not have this, and no one has a way to reliably build them anymore. So no one knows what’s in them. And that’s where the binary analysis piece comes in, right? Lightning round.

[00:35:37] Chris: Lightning round.

[00:35:38] Ned: Okay.

[00:35:41] Chris: Turns out Microsoft’s AI just as bad.

[00:35:46] Ned: As Google’s, possibly worse.

[00:35:49] Chris: We all enjoyed watching advertising company Google’s AI Helperbot, which was called Bard Crash and Burn last week. But Eagleeyed journalists read not US noticed that something else should have been highlighted. Microsoft’s AI sucks too. One advantage to being AI that we highlighted was that it shared its sources. One disadvantage to the Bing AI is that it apparently doesn’t read its sources. Dimitri BarrettAn highlights a few answers that the AI returned. These answers shared some interesting facts, or should I say not facts such as a quote, short chord was 16ft long. That’s not a short chord.

[00:36:54] Ned: No.

[00:36:57] Chris: On the other hand, it’s even worse because the vacuum in question turns out.

[00:37:05] Ned: Cordless didn’t seem helpful.

[00:37:09] Chris: Check the sources because it’s all there, and Bing AI just seems to have ignored them. These reports are all over Twitter and they are beautiful. Another user shared this gem directly from the mouth of being AI. Quote avatar the Way of Water has not been released yet. It is scheduled to be released on December 16, 2022, which is in the future. Today is February 12, 2023, which is before December 16, 2022. Unquote. I have no notes. That’s amazing.

[00:37:56] Ned: It really is. Oh, we’ll include a link to the the full post of a bunch of delightful interactions. And apparently now their AI has been neutered reigned, backed in, possibly canceled. We’ll see what happens. Web Three continues to go great. Stable coins are my favorite oxymoron of the decade. Doe Khan, the CEO of TerraForm Labs, has been charged by the US SEC with securities fraud to the tune of multiple billions of dollars. For those who don’t recall, Terra Labs maintained a stable coin called Terra USD that was supposed to track the US dollar for value counterbalanced by their other cryptocurrency, Lunacoin. In May of 2022, following a crash in the value of Lunacoin, the value of Terra USD began to slide, ultimately crashing both currencies in a death spiral that wiped out over $40 billion in market value. At the time, this was the worst crypto securities fraud of all time, right up until SBF said hold my appletini. The collapse sent reverberations through the large crypto economy, causing Three Arrows Capital, Voyager, Digital, and Celsius Network to all file for bankruptcy. Doe Khon is not yet in custody, with warrants for his arrest in both the US.

[00:39:31] Ned: And South Korea. As much as we like to point at Web Three failures and laugh, ultimately these investment houses got their money from individuals that probably couldn’t afford the loss. And it’s those people our hearts go out to. With any luck, funds from Doe Khan’s secret bitcoin cashes can be seized and some recompense can be made to those affected.

[00:39:57] Chris: Just a reminder that it’s not just Twitter. Elon Musk is still failing at running Tesla two. So let’s play a game. Let’s pretend that you, Ned Bellevans, are in charge of a car company. Now, stick with me here.

[00:40:21] Ned: I’m with you. Okay.

[00:40:22] Chris: A car for this thought experiment can be considered a what do we want to say? A 4000 pound missile that can move at speeds approaching 100 mph, right? And contains within it fleshy, easily injured meatbags. This car will be, say, traveling at said speeds all around other cars, as well as other free range meatbags. Let’s also say that you want this car to be self driving. Considering all the risks involved in such a venture, you probably would want the self driving platform to be pretty solid, right?

[00:41:19] Ned: Yeah, I feel comfortable saying that.

[00:41:23] Chris: Tesla doesn’t. Tesla, which is somehow still allowed to be an ongoing commercial concern for some god forsaken reason, introduced what they called and I’m putting this in quotes because this is an exact quote, full self driving beta software to their fleet. Beta? Are you fucking kidding me? Self driving beta. Now, naturally, because Elon is inept and impatient and everyone else in the company with decision making abilities is a coward, the software was released and then very quickly, voluntarily recalled from over 350,000 cars who paid to be in their beta program. Why, you might ask? Well, because the software caused cars to run red lights, ignore lane designations, completely disregard speed limits, and roll stop signs. Oh, did did I mention that they.

[00:42:47] Ned: Had to pay to be part of.

[00:42:49] Chris: Did they say how much they had to pay?

[00:42:51] Ned: No.

[00:42:52] Chris: They have to pay $15,000 for the privilege of making themselves and those around them substantially less safe.

[00:43:05] Ned: Suckers born every minute. Did you see the video?

[00:43:09] Chris: I’m not going to lie. Yeah, I’m a little upset.

[00:43:13] Ned: Did you see the video of the Tesla that thought a freight train carrying tankers was just a line of trucks? It’s pretty amazing. I highly recommend taking it’s.

[00:43:27] Chris: Not to see that, but holy shit.

[00:43:29] Ned: It just thinks it’s a bunch of tractor trailers driving in front of the car. It’s amazing. But also, Elon Musk is terrible with Twitter, too.

[00:43:40] Chris: I have heard that rumor.

[00:43:42] Ned: SMS two factor authentication is not the most secure. It’s still better than not using any two factor authentication. Twitter has announced yet another new policy, decidedly not agreed on by a poll. You remember that promise? Starting March 20, all users that wish to use text messagebased twofactor authentication will need to sign up for Twitter Blue. AWS. Many security experts swiftly noted. And yes, you’re all very smart. You get a cookie. SMS two factor authentication is less secure than using an authenticator app or a hardware token. And that is 100% true, of course.

[00:44:28] Chris: So are you going to give me a cookie later?

[00:44:33] Ned: After the show?

[00:44:34] Chris: Excellent.

[00:44:35] Ned: I made sticker. Doodles.

[00:44:36] Chris: Carry on.

[00:44:37] Ned: All right. Of course, not everyone has a smartphone capable of running such an app, and others lack the technical sophistication to use authentication apps. These are the same types of users who either won’t have the money or the interest in paying for Twitter Blue. The policy change makes users de facto less secure, and those who can afford to pay already have access to authenticator apps. Now, one could reasonably ask what Twitter’s motivation is behind this bizarre policy, and the answer is money. Because of course it is. Sending thousands of SMS messages every day costs Twitter money, and they don’t want to pay that money. So force people to either stop using SMS two FA or pony up the cash. On the one hand, it makes financial sense. On the other hand, Christ one asshole.

[00:45:42] Chris: And I just want people to understand how much it takes for Ned to call someone an asshole.

[00:45:52] Ned: Aside from being from Connecticut. Yeah.

[00:45:58] Chris: All right. This February. Updates to Windows Server 2022 break. Windows Server 2022 one day I am going to compile a list of Patch Tuesdays that cause catastrophic failures in enterprise critical deployments of Windows. I am not going to count the total number of those catastrophic failures, because that number probably nears infinity. Just the number of days where this allegedly routine and tested patch bundle comes out is loyally applied by dedicated citizens, and then everything melts down. Honestly, the number of failure days might be equal to the number of actual Patch Tuesdays. Wait, why does this all sound familiar? Anyway, this time KB 502-2842 was released and might cause guest VMs running on ESXi 6.7 or 7.0 to, I quote again, not start up. The damage appears to only affect systems that are using the secure boot option in VMware, which, if you have already installed the patch, even uninstalling it will not undo the damage. You will either have to run without secure boot or force an update to ESXi Eight. Nice one, Chaps. Just amazing work all around. I guess the one person that Microsoft has left in their organization that runs VMware was, what, on vacation that day?

[00:48:12] Chris: Not like ESXi is a major platform used by millions of customers or anything. Why would we test it? It’s ridiculous.

[00:48:22] Ned: It’s not like Microsoft Azure doesn’t offer a service that runs VMware as a service. Amazon employees tasked with mandatory fun, citing increased productivity, improved team building, and zero hard data, CEO of Amazon, Andy Jassy, is requiring almost all of the 300,000 corporate staff at Amazon to return to the office at least three days a week. Clearly, Jassi is concerned about the slowing growth of Amazon in 2022, where they eked out a slim 9.4% increase over the previous year compared to increases of 21.7% in 2021 and 37.62% in 2022. That was the pandemic. It certainly does seem like things have shifted for Amazon, and as the head, Andy has to appear to be doing something, what better than to force everyone back into the office? Surely that’s what empowered previous growth. Never mind the 21.7% growth of 2021 during the Pandemic while people were working at home. Clearly, being in the office will return us to our former glory. What we’re actually seeing here is a return to form. Amazon’s revenue for 2022 was $513,000,000,000, and you simply cannot maintain 20% annual growth on such a large number. $44 billion in growth is perfectly acceptable and in line with pre Pandemic growth on a dollar basis.

[00:50:09] Ned: Maybe shareholders could learn how to do actual math. Nah. Infinite growth forever.

[00:50:22] Chris: I don’t think you believe that. No, I think you were being sarcastic.

[00:50:29] Ned: That doesn’t sound like me at all. Hey, thanks for listening, or something. I guess you found it worthwhile enough if you made it all the way to the end so congratulations to you, friend. You accomplished something today. Now you can sit on the edge of your seat, put on Zootopia and have some lemonade. Octung, baby, you too can have it all. You’ve earned it. You can find me or Chris on Twitter.

[00:50:53] Chris: Are you okay with that?

[00:50:56] Ned: So good about it.

[00:50:58] Chris: You are 1000 years old. Like, make a Taylor Swift reference, for God’s sake.

[00:51:06] Ned: We know our audience. It’s fine. You can find me or Chris on Twitter at ned. 1313 Anne Heiner 80, respectively. Or follow the show at Chaos underscore Lever if that’s the kind of thing you’re into. Show notes are, as is the sign up for our newsletter where you can get these lightning round articles beamed straight into your eye holes. I feel uncomfortable now.

[00:51:34] Chris: You are actively making things worse.

[00:51:40] Ned: Larry’s. Fun dip. We’ll be back next week to see what fresh hell is upon us. Tata for now, little ball.

[00:51:55] Chris: So I actually talked to a listener.

[00:51:59] Ned: Oh, God. Why?

[00:52:03] Chris: Apparently, we are vague, ugly, entertaining.

[00:52:07] Ned: That sounds unlikely in the extreme, but I appreciate the feedback.


Chris Hayner

Chris Hayner (He/Him)

Our story starts with a young Chris growing up in the agrarian community of Central New Jersey. Son of an eccentric sheep herder, Chris’ early life was that of toil and misery. When he wasn’t pressing cheese for his father’s failing upscale Fromage emporium, he languished on a meager diet of Dinty Moore and boiled socks. His teenage years introduced new wrinkles in an already beleaguered existence with the arrival of an Atari 2600. While at first it seemed a blessed distraction from milking ornery sheep, Chris fell victim to an obsession with achieving the perfect Pitfall game. Hours spent in the grips of Indiana Jones-esque adventure warped poor Chris’ mind and brought him to the maw of madness. It was at that moment he met our hero, Ned Bellavance, who shepherded him along a path of freedom out of his feverish, vine-filled hellscape. To this day Chris is haunted by visions of alligator jaws snapping shut, but with the help of Ned, he freed himself from the confines of Atari obsession to become a somewhat productive member of society. You can find Chris at coin operated laundromats, lecturing ironing boards for being itinerant. And as the cohost on the Chaos Lever podcast.

Ned Bellavance

Ned Bellavance (He/Him)

Ned is an industry veteran with piercing blue eyes, an indomitable spirit, and the thick hair of someone half his age. He is the founder and sole employee of the ludicrously successful Ned in the Cloud LLC, which has rocked the tech world with its meteoric rise in power and prestige. You can find Ned and his company at the most lavish and exclusive tech events, or at least in theory you could, since you wouldn’t actually be allowed into such hallowed circles. When Ned isn’t sailing on his 500 ft. yacht with Sir Richard Branson or volunteering at a local youth steeplechase charity, you can find him doing charity work of another kind, cohosting the Chaos Lever podcast with Chris Hayner. Really, he’s doing Chris a huge favor by even showing up. You should feel grateful Chris. Oaths of fealty, acts of contrition, and tokens of appreciation may be sent via carrier pigeon to his palatial estate on the Isle of Man.