Episode 55 – Bring in the Copilot

Peter and Scott use AI, but why? And why does Okta never believe it when someone tells them they've been hacked?

Scott: And we’re live

Soundboard: Friends with Brews.

Scott: It’s always the second time. What I should do is I should have a thing that just tries to record once and then automatically stops it and then starts it again.

Peter: Stops. Throws it away. Yeah, exactly.

Peter: Oh, hey, Scott.

Scott: Hi, Peter.

Soundboard: Hi, Peter.

Peter: What are you drinking?

Scott: Okay, what are you drinking?

Peter: I already sent you a pic of what I’m drinking. I am drinking a cup of Wegmans Just Tea.

Scott: Just Tea.

Peter: English Breakfast Black.

Scott: Oh, wow. And it’s decaf, right?

Peter: It is not, but tea doesn’t affect me nearly the same way that coffee does.

Scott: No, tea never. Processed tea doesn’t have that much caffeine.

Peter: No.

Scott: I am having a Tantamount Stout, Evasion. It’s from... Oh, I guess it’s Tantamount Stout from Evasion Brewing. It’s a gluten-free beer. It’s 6% alcohol by volume. And I will tell you that I’ve had this.

Peter: So you’re desperate.

Scott: No, no, no. I’ve had gluten-free before that I liked. Why do you say that? No, you’re thinking of your dumb running beer, whatever those people are. The athletic.

Peter: Desperate Regret Beer.

Scott: The Athletic a$$----$ Association or whatever they call themselves.

Peter: Oh, God.

Scott: Okay, here we go. I’m pouring.

Peter: I think it was Athletic Brewing.

Scott: Oh, whatever. Same thing.

Scott: I was told today by Ronnie that I frame my opinions way too strongly. And I was like.

Peter: He’s right.

Scott: But Peter, there used to be an expectation that when you stated an opinion to somebody, they would suss out whether they think it’s your opinion or fact.

Scott: Now everybody wants everyone else to do the legwork for them. They want you to say, this is only my opinion. Here’s a sign above my head that says I’m about to utter an opinion. And I don’t think you need to do that.

Peter: I don’t think you need to do that.

Scott: Obviously, unless you’re talking to me about proven laws of physics, it’s probably an opinion. It may be a very well validated opinion, but it’s probably a friggin opinion, right?

Peter: Oh, wait. Are you one of those people who believes in science?

Scott: Science. Oh, now I need a weird science clip. Damn it. Okay, whatever.

Peter: Oh, man.

Scott: I do tend to believe in science. Science is not a claim that everything is known. Science is a process. Science is a process of learning more. That’s why if scientists change their mind about something, it doesn’t mean, oh, let’s give up on science. It means as humans, we’re always trying to learn. And when something comes around that says you’re wrong about this, we change our minds. What else are you going to do?

Peter: Well, some of us change our minds.

Scott: Yeah, yeah.

Peter: Others try to burn the heretic.

Scott: Right. Burn the witch. So tell me, how does your tea taste? How do you like it?

Peter: It’s nice. It’s pretty smooth. It’s an English breakfast tea. I tend to like breakfast teas.

Scott: Yeah.

Peter: Unsweetened. And just it’s drinkable. There are some days, like if I’ve noticed more recently, like if I drink tea on an empty stomach, I can get nauseous really quickly. It doesn’t happen with anything else usually.

Scott: I’ve had that happen.

Peter: But this is late enough in the day. I’ve eaten a couple of snacks and, you know, had a meal or two. Hey, I see a pumpkin behind you.

Scott: I’ve also found that if I just chug tons of tea, it also does weird things to my skin, which I find to be really odd.

Peter: Interesting.

Scott: Okay. I’m going to drink this stout beer. Now I have had this before and I’m going to give this a thumbs up. And yet, Peter,

Peter: And yet, Scott,

Scott: it’s a little thin and slightly medicinal, but it’s still better than that Blackbird stout that I really wanted to like. Maybe beer shouldn’t be gluten-free, but I really like the idea of a gluten-free beer. And I think I’ve had one that I think this is my third gluten-free beer.

Scott: Maybe I should go to friendswithgluten.com. I mean, friendswithbrews.com and search for the word gluten.

Peter: Yeah.

Scott: Vanishing Point Pale Ale I’ve had. Oh, I’ve had an Olallie Ale. I’ve had Vanishing Point Pale Ale, which I don’t think I liked. No, I did not. I didn’t realize that was gluten-free at the time. I’ve had the Blackbird stout, which I really wanted to like and didn’t like. And I’ve had the Olallie Ale, which I do like. Olallie Ale is a really good gluten-free one.

Peter: Olallie Ale.

Scott: Olallie!

Peter: All right, so let’s move on. We are on an accelerated schedule today because I am drinking caffeine. So let’s move.

Scott: And oh, and I’ve had the Felix Pilsner from the same beerly that made the Blackbird stout. And that one I did like.

Peter: Beerly.

Scott: Yeah.

Peter: So you have some updates. You had some site updates.

Scott: I do. If you look at the transcripts on episode 51, you will see that going forward, I should have automatic speaker attribution.

Scott: So instead of just breaking it up into paragraphs and you have to figure out who said what, I’m using MacWhisper’s newish podcast transcription feature where you drop all the tracks for your podcast on the podcast transcription option and it will attribute who said what.

Peter: Okay.

Scott: Based on the track names or you can edit the names. It takes forever to generate a transcript that way. I don’t know why. It’s more than three times the amount. And when I say three times, that’s because there’s your track, my track and the soundtrack, AKA, Farrago. It takes way longer than it would just to transcribe each of those individually. I don’t know why. Anyway, the result is pretty good, so I don’t care and whatever. Anyway, so that should be good for the transcripts.

Scott: I do need to catch up on the transcripts. This will be episode 55 and I think 51 or 52 is the latest that I have transcribed. I’m not sure.

Scott: Also some server news. You might find this interesting. I was running two servers at Linode. One was named Dragonfly and one was named Midnight, and the server named Midnight was running friendswithbrews.com. And whenever I would compile the site, because it’s graphics heavy or image heavy, because there’s tons of images of brews, it would take forever to upload the site.

Scott: And yes, I don’t always have to re-upload all those images, but the easiest way to make sure I don’t miss anything, anything that got changed, is just to re-upload everything. Midnight took forever to upload the entire site, and now my new single server, Blue Dragonfly, it just uploads so fast. It’s the same files. There’s more of them, if anything, and it’s just way faster and I can’t figure that out.

Peter: So do I need to adjust my SSH keys and stuff?

Scott: Oh, that’s a good question. No, they should be the same. I made a clone of Dragonfly, which is the server that you were uploading to.

Peter: So just change the host name to just change the host name.

Scott: Yeah, well, actually, that’s a good point. I didn’t even think about that. Actually, let me send you the IP address.

Scott: So anyway, I just found that fascinating that, okay, it is an upgrade because I had two of the smallest servers, not the nanodes, but the smallest regular servers. And now I’ve got one server and it’s double the price, but there’s only one. So the cost is the same, but it’s a better, it’s a two CPU, more memory, etc. I don’t think that should affect the upload speed, though. Not that dramatically.

Peter: Not that dramatically.

Scott: The only other thing I did was I changed it from Fresno, California to Seattle, Washington, which, yeah, Seattle is a little closer, but still, that shouldn’t make that much difference.

Peter: So, OK, so that’s done. Good. Good to know. We’ve made some progress. You’ve got a faster server. Maybe the listener might even notice something. Who knows? I wouldn’t wouldn’t bet on it, though.

Scott: Very doubtful.

Peter: Yeah. So cool. All right.

Peter: Did you know that there’s an Apple event happening tonight?

Scott: I did know that.

Peter: Isn’t that weird?

Scott: It is weird.

Peter: Is it scary?

Scott: No.

Peter: OK.

Scott: Not for me, because I genuinely don’t really care that much.

Peter: It’s going to be scary fast?

Scott: That’s what Apple says.

Peter: Yeah. So so you’re thinking, are you in line with the rest of the, you know, the prevailing thought that it’s going to be like processor upgrades, like an M3 or something?

Scott: Probably, yeah.

Peter: All right. Well, I’m not trading in my M2 for an M3. That’s that’s not.

Scott: No, I wouldn’t do that. I would not do that. On the other hand, if I can get, if they come out with an M3 Pro or M3 Max MacBook Pro and I can get more SSD and more memory and then hand this one off to my daughter, I may very well do that.

Peter: Yeah. So you have someone to hand stuff off to.

Scott: Right.

Peter: Yeah. What if they came out with an M3 iPad Pro?

Scott: I don’t give a **** about iPad Pro anymore. I really don’t. I’m not kidding. I seriously doubt that I will ever have an iPad Pro again. Actually, what I would like is an iPad Mini just because they’re easier. They’re perfect for reading.

Peter: I love my iPad Mini, but mostly what I use it for these days is journaling. And I’m actually getting to the point sometimes where I say, you know, this would be nice if I had just a slightly larger screen.

Scott: Cat, you can’t eat that. That’s made out of rubber. What are you doing?

Peter: But in general, yes, I believe that the iPad is the Mini is a great. But did the cat just drink your beer?

Scott: No, I spilled it trying to get it away from cat.

Peter: Oh, so you should have just given it to the cat.

Scott: Luckily, there wasn’t much left in there.

Peter: So are you calm and composed or are you all a flutter?

Scott: Ah, I feel calm and composed. That’s an inside joke.

Peter: We’re just getting ready for Halloween.

Scott: That’s an inside joke, which you will understand if you listen. What are they called? The Blues Brothers, the Banana Boys, the Big Sandwich, the Weekly Planet.

Peter: Yes, the Weekly Planet or go to Big Sandwich Co.

Peter: And go to Big Sandwich Co.

Scott: Yes.

Peter: Yeah.

Scott: Anyway, so you don’t really care about the Apple event either, other than it’ll be interesting to see if they come out with an M3.

Peter: Yeah, it’s always interesting to see, but it’s not going to affect my... I do not expect to be running to the Apple store to buy anything as a result.

Scott: Well, you can’t because your knee is injured.

Peter: This is true. I’m not going to be biking or driving to the Apple store, nor will I be going to store dot apple dot com or apple dot com slash store to buy something that’s announced tonight.

Scott: Or friends with store dot com.

Peter: Or friends with store friends with bruised stores. I don’t know. We’re not doing that.

Scott: This cat is eating my greeting cards. Okay, sorry.

Peter: So let’s talk AI.

Scott: Let us talk about AI, Peter.

Peter: So another podcast that I listen to. So the AI chat podcast that you were listening to for a while. So he you sound calm and composed.

Scott: Keep going.

Peter: Yes. So same guy, he’s still doing that podcast, but he also has launched another one, which I think is going to be less prolific. But it’s all about actually using AI. So like daily use, like what you could do these days with AI.

Peter: So not like this is what companies are creating or releasing, but this is how I’m using this product. And I listened to one episode so far and they did a review of Perplexity.ai, which as I understand is a bit of an aggregator of ChatGPT and Claude.

Scott: Yes, that’s right.

Peter: Which are the two AIs that I use the most. So I’m actually interested.

Scott: Yeah, I’ve read about that.

Scott: It is an alligator of ChatGPT.

Peter: An alligator, right. So I’m interested in a pair of alligator slippers made of perplexed stuff. So I might try that out. I figured I might give the 20 bucks a month thing before I renew my GPT for subscription.

Scott: So explain this to me. It is, there is an iPad app, there is an iPhone app, and then what? Web access on the Mac?

Peter: I believe there’s a web access as well.

Scott: Yeah. There better be, otherwise it’s useless too.

Peter: Yeah.

Scott: Yep. Perplexity dot AI.

Peter: So I’m looking at that. There’s no free trial though that I was able to see.

Scott: Perplexing, you might say.

Peter: It is perplexing. Well, you know, but then again, I go to the website and it’s like, here’s knowledge begins, ask anything. So maybe I can just talk to, you know.

Scott: Ask it if it has a free trial.

Peter: Yeah, that’s interesting. So they do have, you know, try Pro, upgrade to Claude 2 or GPT-4, boost Copilot uses, and upload more files. But when I tried to just run the app on the iPhone, it wanted me to buy right off the bat. So yeah, so I’m going to perplexity.ai right now. I’m going to say, how are you different from Claude or ChatGPT?

Scott: I am Claude GPT. I am ChatClaude.

Peter: Okay. So here’s some of the difference between me and Claude and ChatGPT. Training data. I’m trained on a diverse range of data sources, including books, websites, and other texts to provide comprehensive and accurate information.

Peter: On the other hand, Claude is trained on the latest real-time data, allowing you to answer questions about current events and topics. File analysis.

Peter: Claude has the ability to read, analyze, and summarize files such as Word docs, PDFs, and text. This is not available in ChatGPT or me.

Scott: Or me.

Peter: Word processing. Claude 2 can process more than 75,000 words at once, making it useful for handling lengthy pieces of texts such as transcripts or reports. In contrast, I have a token limit that restricts the amount of text I can process in a single prompt. Well, Claude has a limit too, but it’s just pretty high.

Scott: You can’t just upload your entire Xcode project to ChatGPT and say, analyze this.

Peter: Analyze this. Yeah. And then plugins. While I do not offer any plugins, ChatGPT Plus has a wide array of plugins designed specifically for language models.

Scott: And it can make use of those? Is that what it’s saying? Or is it saying that’s a difference?

Peter: GPT has those.

Scott: But this makes use of GPT and Claude, correct?

Peter: But not plugins.

Scott: Okay.

Peter: So it has no access to differences. So that was the Claude differences. While it’s saying that it’s saying about differences between me and Claude, but it was giving me GPT differences too.

Peter: Then there’s a second section, separate section for differences between me and ChatGPT. Unlike me, GPT has the ability to access the web. GPT Plus is a larger model and excels in creativity and complex reasoning, making it suitable for a variety of tasks. Free version limitations: both GPT and I have free versions that anyone can use. However, these versions have limitations such as slow response times and lower quality output.

Peter: I don’t know, given that, I’m like, maybe I just want to start plunking down the 20 bucks a month for GPT-4 again. I don’t know.

Scott: Well, here’s the thing. Depending on how you use GPT-4, if you don’t use the API... first of all, I don’t even know if GPT-4 has the same type of API as GPT-3.5 Turbo. Does it?

Peter: It has the API, but again, that’s not a feature that you get with Plus. That’s still a pay-as-you-go thing.

Scott: Oh, okay. So I guess why not just subscribe to the Raycast AI, get GPT-4 and see if it works for you. And then you can quit if you... well, but they want you to pay yearly. Don’t they?

Peter: I think they do. I don’t remember if they do a monthly or thing or not.

Scott: Yeah.

Peter: I think anyway, anyway, I’m getting to the point where, you know, I think Claude has been pretty good and it was hilarious because the other day I was telling a colleague that I’ve been using Claude and you know, they have a pro version, but I haven’t paid for it because it’s been working fine and they promise better response times when it’s busy, but it’s never been busy for me before.

Peter: And that was the first time I told her, I tried to do something and it’s like, oh, we’re sorry. Try back later. I was like, ah, kind of hilarious.

Scott: Way to go, Peter. They don’t need more people on their service. Quit telling people about them.

Peter: Yeah, exactly.

Scott: So my question is, what are you doing with it? What are you using AI for? Before you were using it to generate game characters.

Peter: Yeah, I’ve done that. I’ve used it to create some documents at work, review some more documents at work, really. Use it for some brainstorming, some ideas as a sounding board for some plans and procedures I’ve put together. So, you know, just, just random stuff.

Peter: You often, as a second opinion, definitely still used it for a little bit of code here and there, just some code snippets.

Scott: What do I do when one of my friends has strong opinions and he refuses to say, this is my opinion before he states his strong opinion, that kind of thing?

Peter: Yeah, that kind of thing. Exactly.

Scott: Right.

Peter: And his name is Scott.

Scott: The AI or the opinions?

Peter: Yes. So talk to me about what you are using AI for.

Scott: Well, it’s interesting, Peter, because I have been reading a lot about how ChatGPT in general and GPT-4 especially has been getting worse at programming.

Scott: But I’ve been using it a lot lately for like Linux server admin questions and even some Windows stuff and programming, specifically in languages that are well documented, like Python, Perl, that kind of stuff.

Peter: Okay.

Scott: And it’s good. I really don’t have any problems with it. It’s not like it’s throwing me, like in the past when I’ve used GPT-3.5 and I tried to do AppleScript, it would give me dumb mistakes and they weren’t even necessarily AppleScript related. They were just logic related.

Peter: Right.

Scott: But GPT-4, it does great. And in fact, I also have GitHub Copilot, you may remember.

Peter: Yes.

Scott: GitHub Copilot is pretty cool because it integrates with VS Code really easily. And I can do things like write in the VS Code editor. I can type, okay, write me a function that does this, and it’ll dump out the function for me.

Scott: And I can say now modify it to do this, because it’ll do things like, let’s say it’s using interpolation to construct a variable name or something like that, or, you know, whatever it’s using, part of the text is dynamic and part isn’t. Instead of making a new variable that contains that value and then from then on just referring to that variable, it’ll keep constructing that interpolated string from then on.

Scott: And I’m like, okay, just make a variable, you know, you have to give it some prompting. But it’s pretty, but Copilot is pretty good.

Scott: It does have issues sometimes where depending on where you place the prompt, it might put the code that you want inside a given block outside the block, or it might put part of it in the block you want and then part of it outside the block. It’s a little weird.

Scott: You have to pay close attention, but you should be paying attention anyway. You definitely should know enough that when it gives you the code, you should be able to read the code and understand the code and know whether the code’s right or not.

Scott: You may not know, like I’m not super familiar with Python, although I’m learning it pretty quickly now, but you should be able to look at the code and go, okay, I see what they’re doing and that doesn’t make sense to me.

Scott: But what I have been able to do is in a couple cases where it does something weird, I just throw it at GPT-4 and I say, hey, what’s wrong with this? Can you fix it? It’ll throw back something that works perfectly.

Peter: Sounds good to me.

Scott: And I haven’t had a lot of bogus answers when it comes to like Linux server admin stuff. I think it’s getting better, not worse. And you know, Peter, I am not a guy who came to using these AI assistants wanting to believe.

Peter: No, you did not want to believe you wanted to not believe.

Scott: Yeah, I was skeptical. I think it won’t take long to get to a point where it’s too easy to place too much trust in them because they’re right so very often. But then if you think about it, how is that any different from a mentor at work?

Peter: Bingo. And again, and I take it more again, I’ve treated GPT usually as a junior rather than a senior to myself, right? But there are some things where I’m like, I don’t know anything about this. Start telling me that you are an expert veteran, yada, yada, yada.

Peter: So yeah, I’ll tell you one quick thing though, too, related to Copilot. One thing that I did want to try and yet was not able to is Microsoft Security Copilot.

Scott: Oh, interesting. Is that the guy who pops in and starts telling you what settings you should change to make yourself more secure?

Peter: No, I think it’s mostly for things like incident response. So yeah, but apparently early access is out, but I’ve been told that it’s supposedly horrendously expensive.

Scott: I’m sure it is.

Peter: So we’ve been trying to get access to that though, too, because I’m rolling out a whole new incident response offering.

Scott: Well, that’s targeted at people that get called when somebody’s point-of-sale terminals get hacked and all their customer data gets leaked. It’s not targeted at people like us who think, huh, I wonder how they would respond to a specific incident.

Peter: Well, no, but I mean, you got to remember that, you know, I’m building out a program of incident response and remediation now.

Scott: Yeah, yeah, yeah, yeah. But I’m saying, I think right now they’re probably pricing it at big companies that come in and charge dollars per hour to do incident response.

Peter: Oh yeah. But our firm that I’m doing this for is.

Scott: Are you charging hundreds of dollars per hour, Peter?

Peter: That we’re not puny.

Scott: How am I getting your time for free on this podcast?

Peter: You’re grandfathered in.

Scott: Wow. Thank you, grandfather. He looks so young.

Peter: So, okay, so that’s interesting.

Scott: I didn’t even know that that was a thing.

Peter: Yeah.

Scott: How do you access that? How does that, what is that built into?

Peter: Well, right now I don’t. That’s the thing.

Scott: I know, but if you were going to like, is it a website?

Peter: I don’t know.

Scott: Is it built into specific tools?

Peter: That’s the thing. I don’t know. I don’t know anything about it and I want to find out. I don’t know if it’s going to be a, you know, Office Microsoft 365 E5 thing, you know, or it’s going to be a separate thing. Is it only going to work with Office, you know, with Microsoft products for starters, but then.

Scott: That’s exactly what I was wondering. Like if you have a Windows domain and everything on there is Windows, that’s great. But if you have a few Linux servers on there, it’s not going to be able to help you with that portion.

Peter: Exactly. So right now I just don’t know. I don’t know what’s going on. So, but I’m curious.

Peter: I did just for kicks, I signed up for a few, you know, GPT courses. And again, they’re already, you know, I’ve gone through a couple of them and just like fast forwarding through and I was like, nope, I know all these. I know all these.

Peter: I was like, it was amazing. Like there still seems to be a bunch of like, this is how you can do something cool with GPT. And it’s all, you know, this is how you can make it write an email. You can use it to brainstorm. And I’m like, I already know all these things.

Peter: And you know, some tips about like, give it a persona, you know, tell it who tell, tell GPT what it is, what role it’s supposed to take. Tell it what you are, tell it what you want it to do. Tell it what the intended audience is. Tell it what the parameters are.

Scott: Right. I was at a party like that once and it got really weird.

Peter: But this is the things that I do all the time. This is what I, you know, I do as a standard course.

Scott: I know, but you know what’s hilarious though? Think about this. What if we did that with employees? You are an expert on so-and-so and then we just expect it to be an expert on so-and-so.

Peter: Like that’s happened. That’s that’s that’s definitely happened to me before. I’ve been put into situations where like, you’re smart, you can do this. We need you to do such and such. And I was just like,

Scott: but the difference between you and the AI is you knew that you really weren’t actually an expert on that topic.

Peter: How do you know? How do you know I didn’t just start hallucinating. You’re right. I am an expert on this. I do have 10 years of training in this identity and access management product that was released for the first time five years ago. How else can I help?

Scott: Oh man, that’s awesome.

Peter: So that’s interesting.

Scott: Oh, so for the Linux stuff, maybe they need a code Linus. Maybe there’s a code Linus product that’s going to be released.

Peter: Well, there was, I sent you an open source.

Scott: Yes.

Peter: Copilot alternative for the Mac, right?

Scott: Llama or something.

Peter: Well, it’s built on Code Llama. So yeah, but there was another Copilot type of thing. I forget. It was like Mac Pilot or something.

Scott: Right. And it was a locally run thing, right? Which the biggest problem that I have with running models locally is that, you know, I have limited storage on this particular Mac. I’ve got one terabyte. I’ve still got a lot of it free, but if I start dumping models on here, it’s going to get filled up pretty fast.

Scott: The other thing is I would assume that those models are regularly updated and you download updates to the model because they must be doing server side learning. Otherwise your model is going to be useless to you at some point.

Peter: I’m still watching your cat in the background. Jump up on things. It’s great.

Scott: Yeah.

Peter: Down off of things.

Scott: Yeah. He was eating the carpet for a while. He ate all the greeting cards that I had up here on this shelf. He, I don’t know. He’s out of control.

Peter: Have you tried feeding him?

Scott: Peter, this cat will eat. In fact, now he’s starting to lose weight again, but he got really fat when we were trying to use food as a way of introducing the two cats so that they wouldn’t fight.

Peter: Okay. So how many times, how many introductions were required? It sounds like a lot of introducing.

Scott: Well, we’re still in that process. It’s still in that process. In fact, the vet has prescribed, it’s like an antidepressant. Anyway, she’s prescribed small doses of that to help calm him down, because his main interaction with Midnight is as soon as there’s no barriers between them, he leaps on Midnight, they embrace in a clutch and they bite each other’s faces. They go straight to biting each other’s faces.

Peter: I mean, that’s, that’s love.

Scott: It’s something.

Peter: As long as they’re not rabbit kicking each other with the claws out.

Scott: Well, nobody’s getting injured, but it, yeah. Anyway, we’re anyway, we’re working on it, but.

Peter: All right.

Peter: Talk to me about octaword.

Peter: One octaword.

Scott: You brought to my attention that 1Password detected suspicious activity. And it turns out it wasn’t on their own network per se, but they have an internal Okta account, I guess. So maybe it was on their network. I’m not sure.

Scott: Anyway, Okta apparently a while back had some credentials hacked and they were not very good about responding to the person that notified them of it. And they took a few, a couple of weeks to determine that they had indeed been hacked. And 1Password is one of Okta’s customers.

Peter: Another one is BeyondTrust.

Scott: Right.

Peter: And as it happens, I happen to use both of those products fairly regularly at various engagements. So I was very interested in this.

Scott: Yeah, I bet you were. So basically it looks like what 1Password uses Okta for is to upload HTTP archives, HAR files, and then they use those for troubleshooting because it shows things that customers did.

Peter: Yeah. HAR files. It shows things that customers were doing during sessions and then they troubleshoot with that. But in that information are authentication cookies and session tokens, which is something that you and Adam have been talking about recently, by the way, on Blurring the Lines.

Peter: Yes.

Scott: And if you have somebody’s session tokens and their authentication cookies, guess what you can do? You can be them.

Peter: You can be them. Exactly.

Scott: You don’t even need someone to say you are an expert in blah, blah, blah. And you can access this blah, blah, blah. You can just magically do it. You just be them.

Peter: Yes. You can.

Scott: So yeah.

Peter: Well, you can say you are Peter Nikolaidis, former security operations manager for such and such. And here’s the session cookie to prove it.

Scott: Yeah, exactly.

Peter: Well, the funny thing is I have had extensive experience with HAR files because another vendor that I used to do a lot of work with, thankfully, haven’t been doing so much lately also routinely would have you submit HAR files as part of troubleshooting.

Scott: Yeah.

Peter: And I would bet that not unwillingly, I probably gave them some good old session cookies from time to time.

Scott: Probably. I’m sure you did.

Peter: Yeah.

Scott: So I’m like, let’s hope they took good care of them.

Peter: Well, let’s hope. Fortunately, I’m no longer with that company and those accounts have all been invalidated and deactivated, et cetera, et cetera at this point.

Scott: But yeah, and Okta claimed that it was a small subset of customers. Unfortunately, the fact that 1Password was one of them got my attention.

Peter: Well, BeyondTrust is also no small player in the identity and access management space. They’re a big company up there with Thycotic, or Thycotic changed their name, I don’t remember now. But anyway, CyberArk, those guys.

Scott: Yeah. And I will say 1Password’s blog wasn’t that amazing on the topic. However, they did link to a post that had more detail and that was a little bit better. But when I first read their blog post, I was really underwhelmed. I was like, what are you guys not telling us?

Peter: Yeah.

Scott: And then I read their more detailed post and it was better.

Peter: But yeah, definitely a better response than what we got from LastPass.

Scott: Oh, my God. Well, that’s not hard to do.

Peter: Exactly.

Scott: So yeah, I’m intrigued by this. I’m definitely paying attention, because I think 1Password itself has been really careful and really good about data and treating user data. And I will say one difference between 1Password and LastPass is that 1Password does not have your master key.

Scott: Now, you still are assuming that their encryption isn’t flawed and breakable, but they don’t have your master key. So even if, and they said no one did, but even if someone had gotten access to user data, then it’s still encrypted. But they’re saying that they don’t believe that any 1Password user data was accessed.

Peter: Do they encrypt all the fields in the password vault too?

Scott: Yeah.

Peter: Not leave out some of them?

Scott: Well, they encrypt the whole vault.

Peter: Yeah.

Scott: No, I think the whole thing is encrypted.

Peter: No, we don’t need to encrypt all of those things. No one ever comes. No one’s going to want those.

Scott: Nobody wants those notes that people put the recovery codes in. So I guess, you know, as you know, though, it’s really hard to prove a negative.

Peter: Yes.

Scott: You might be able to detect when somebody did access certain data, but how do you know for sure that just because you don’t see any signs of it? Like, how do you prove that nobody accessed that data? How do you prove it? What are you going off of? Are you going off of log files? Because log files can be altered.

Peter: And that’s the thing that I just never liked. You know, I would see these reports coming out. They’re like, no, we, you know, we weren’t breached.

Peter: I was like, you don’t know that you weren’t able to find, you know, you can say after doing all these exhaustive, you know, techniques and methods to, you know, investigate this, we were not able to find any evidence of a breach.

Peter: But that’s not the same as saying, nope, we totally weren’t, weren’t, weren’t breached.

Peter: Nope.

Scott: Yeah. We had the guy who normally runs tests on our software look through the logs and he didn’t see anything.

Scott: So we’re good to go. Seriously, it would be like setting me loose on some log files and saying, if you can’t see anything, we’re good.

Peter: Yep. We’re good. I don’t know if you’re, are you referring back to the breach that I responded to last year?

Peter: No, that exact, that was exactly what happened at one of my engagements. One of their vendors was compromised. I led incident response for this organization to find out what had happened. Then we interfaced with the vendor who had been compromised. Their head of software development came in and determined, quote unquote, how they had gotten compromised.

Peter: And then they wiped and reinstalled the operating system to make sure it was safe. Basically destroying all the evidence. So I thought that, I thought you were remembering and referring to that incident.

Scott: No, but couldn’t they, couldn’t they have made a copy of that server or taken that?

Peter: That just goes to show these people didn’t know what the hell they were doing at all.

Scott: I don’t know anything about response. I don’t, I am not trained to respond to security incidents. And even I know that you should probably make a copy of the affected server and get it off the line.

Peter: These people didn’t. And that was one of the reasons I was like, yeah, we should probably just toss these guys to the curb and stop using their stuff.

Scott: Did they change their name to Okta?

Peter: I don’t think so. I think they changed it to LastPass.

Scott: Yeah.

Peter: So anyway, we should start wrapping up. Did you want to really quickly go through any of the links? You want to save those for next episode?

Scott: No, the links were the things that we already talked about.

Peter: Oh, well, in that case, let’s move on.

Scott: Yep.

Peter: I say we wrap things up.

Peter: I think if you want to find us friends, listeners, you can find us at friendswithbrews.com. That’s B-R-E-W-S. And I guess that’s all I got.

Scott: That’s all you need, Peter. That is all you need.

Peter: Boom. The only thing I need in addition to that is to push the big red button.

Scott: The big red button.

Soundboard: Tell your friends.