The New Stack Podcast

In the early 1990s, many kids got into programming video games. Tina Huang enjoyed developing her GeoCities site but not making games. Huang loved automating her website. "It is not a lie to say that what got me excited about coding was automation," said Huang, co-founder of Transposit, in this week's episode of The New Stack Makers as part of our Tech Founder Series. "Now, you're probably going to think to yourself: 'what middle school kid likes automation?' " Huang loved the idea of automating mundane tasks with a bit of code, so she did not have to hand type – just like the Jetsons and Rosie the Robot -- the robot people want. There to fold your laundry but not take the joy away from what people like to do. Huang is like many of the founders we interview. Her job can be what she wants it to be. But Huang also has to take care of everything that needs to get done. All the work comes down to what the Transposit site says on the home page: Bring calm to the chaos. Through connected workflows, give TechOps and SREs visibility, context, and actionability across people, processes, and APIs. The statements reflect on her own experience in using automation to provide high-quality information. "I've always been swimming upstream against the tide when I worked at companies like Google and Twitter, where, you know, the tagline for Google News back then was "News by Robots," Huang said. "The ideal in their mind was how do you get robots to do all the news reporting. And that is funny because now I think we have a different opinion. But at the time, it was popular to think news by robots would be more factual, more Democratic." Huang worked on a project at Google exploring how to use algorithms to curate the first pass of curation for human editors to go in and then add that human touch to the news. The work reflected her love for long-form journalism and that human touch to information. Transport offers a similar next level of integration. Any RSS fans out there? Huang has a love/hate relationship with RSS. She loves it for what it can feed, but if the feed is not filtered, then it becomes overwhelming. Getting inundated with information happens when multiple integrations start to layer from Slack, for example, and other sources. "And suddenly, you're inundated with information because it was information designed for the consumption by machines, not at the human scale," Huang said. "You need that next layer of curation on top of it. Like how do you allow people to annotate that information? " Providing a choice in subscriptions can help. But at what level? And that's one of the areas that Huang hopes to tackle with Transposit."

Welcome to the first in our series on The New Stack Makers about technical founders, those engineers who have moved from engineering jobs to running a company of their own. What we want to know is what that's like for the founder. How is it to be an engineer turned entrepreneur? We like to ask technologists about their first computer or when they started programming. We always find a connection to what the engineer does today. It's these kinds of questions you will hear us ask in the series to get more insight into everything that happens when the engineer is responsible for the entire organization. We've listened to feedback about what people want from this series. Here are a few of the replies we received to my tweet asking for feedback about the new series.If they have kids, how much work is taken on by their SO? Lots of technical founders are only able to do what they do because their partner is lifting a lot in the background — they hardly ever get the credits tho— Anaïs Urlichs ☀️ (@urlichsanais) August 4, 2022 I host the first four interviews. The New Stack's Colleen Coll and Heather Joslyn will co-host the following shows we run in the series. We interviewed Cycle.io Founder Jake Warner for the first episode in the series about how he went from downloading a virus on an inherited Windows 95 machine as a 10-year-old to leading a startup. "You know, I had to apologize to my Dad for needing to do a full reinstall on the family computer," Warner said. "But it was the fact that someone through just the use of a file could cause that much damage that started making me wonder, wow, there's a lot more to this than I thought." Warner was never much of a gamer. He preferred the chat rooms and conversation more so than playing Starcraft, the game he liked to talk about more than play. Warner met people in those chat rooms who preferred to talk about the game instead of playing it. He became friends with a group that liked playing games over the network hosted by Starcraft. Games that kids play all the time. They were learning about firewalls to attack each other virtually, between chat rooms, for example. "And because of that, that got me interested in all kinds of firewalls and security things, which led to getting into programming," Warner said. "And so it was, I guess, the point the to get back to your question, it started with a game, but very quickly went from a lot more than that. And now Warner is leading Cycle, which he and his colleagues have built from the ground up. For a long time, they marketed Cycle as a container orchestrator. Now they call Cycle a platform for building platforms – ironically similar to the story of a kid playing a game in a game. Warner has been leading a company that he described as a container orchestrator for some time. There is one orchestrator that enterprise engineers know well. And that's Kubernetes. Warner and his team realized that Cycle is different than a container orchestrator. So how to change the message? Knowing what to do is the challenge of any founder. And that's a big aspect of what we will explore in our series on technical founders. We hope you enjoy the interviews. Please provide feedback and your questions. They are always invaluable and serve as a way to draw thoughtful perspectives from the founders we interview.

Web Application Firewalls (WAF) first emerged in the late 1990s as Web server attacks became more common. Today, in the context of cloud native technologies, there’s an ongoing rethinking of how a WAF should be applied. No longer is it solely static applications sitting behind a WAF, said Tigera CEO Ratan Tipirneni, President & CEO of Tigera in this episode of The New Stack Makers. “With cloud native applications and a microservices distributed architecture, you have to assume that something inside your cluster has been compromised,” Tipirneni said. “So just sitting behind a WAF doesn't give you adequate protection; you have to assume that every single microservice container is almost open to the Internet, metaphorically speaking. So then the question is how do you apply WAF controls? Today’s WAF has to be workload-centric, Tiperneni said. In his view, every workload has to have its own WAF. When a container launches, the WAF control is automatically spun up. So that way, even if something inside a cluster is compromised or exposes some of the services to the Internet, it doesn't matter because the workload is protected, Tiperneni said. So how do you apply this level of security? You have to think in terms of a workload-centric WAF.The Scenario The vulnerabilities are so numerous now and cloud native applications have larger attack surfaces with no way to mitigate vulnerabilities using traditional means, Tiperneni “It's no longer sufficient to throw out a report that tells you about all the vulnerabilities in your system,” Tiperneni said. “Because that report is not actionable. People operating the services are discovering that the amount of time and effort it takes to remediate all these vulnerabilities is incredible, right? So they're looking for some level of prioritization in terms of where to start.” And the onus is on the user to mitigate the problem, Tiperneni said. Those customers have to think about the blast radius of the vulnerability and its context in the system. The second part: how to manage the attack surface. In this world of cloud native applications, customers are discovering very quickly, that trying to protect every single thing, when everything has access to everything else is an almost impossible task, Tiperneni said. What’s needed is a way for users to control how microservices talk to each with permissions set for intercommunciation. In some cases, specific microservices should not be talking to each other at all. “So that is a highly leveraged activity and security control that can stop many of these attacks,” Tiperneni said. Even after all of that, the user still has to assume that attacks will happen, mainly because there's always the threat of an insider attack. And in that situation, the search is for patterns of anomalous behavior at the process level, at the file system level or the system call level to determine the baseline for standard behavior that can then tell the user how to identify deviations, Tiperneni said. Then it’s a matter of trying to tease out some signals, which are indicators of either an attack or of a compromise. “Maybe a simpler use case of that is to constantly be able to monitor and monitor at run time for known bad hashes or files or binaries, that are known to be bad,” Tipirneni said. The real challenge for companies is setting up the architecture to make microservices secure. There are a number of vectors the market may take. In the recording, Tipirneni talks about the evolution of WAF, the importance of observability and better ways to establish context with the services a company has deployed and the overall systems that companies have architected. “There is no single silver bullet,” Tipirneni said. “You have to be able to do multiple things to keep your application safe inside cloud native architectures.”

Passage adds device native biometric authorization to web sites to allow passwordless security on devices with or without Touch ID. In this episode of The New Stack Makers, Passage Co-Founders Cole Hecht and Anna Pobletts talk about how the service works for developers to offer users its biometric service. Hecht and Pobletts have worked in product security for many years and the recurring problem is always password-based security. But there really is no great solution, Pobletts said. Multi-factor authentication adds security but the user experience is lacking. Magic links, adaptive MFA, and other techniques add a bit of improvement but are not a great balance of user experience and security. “Whereas biometrics is the only option we've ever seen that gives you both great security and great user experience right out of the box,” Pobletts. The goal for Hecht and Pobletts: offer developers what is challenging to implement themselves: a passwordless service with a high security level and a great user experience. Passage is built on WebAuthn, a Web protocol that allows a developer to connect Web sites with browsers and various devices through the authenticators on those devices, Pobletts said. “So that could be anything right now,” Pobletts said. “It's things like fingerprint readers and face identification. But in the future, it could be voice identification, or it could be, you know, your presence and things like that like it could be all sorts of stuff in the future. But ultimately, your device is generating a cryptographic key pair and storing the private key in the TPM of your device. The cool thing about this protocol is that your biometric data never leaves your device, it's a huge win for privacy. In that passage, your browser, no one ever actually sees your fingerprint data in any way.” It’s cryptographically secure under the hood with Passage as the platform on top, Pobletts said. WebAuthn is designed for single devices, Pobletts said. A developer authenticated one fingerprint, for example, to one device. But that does not work well on the Internet where a user may have a phone, a tablet, and a computer. Passage coordinates and orchestrates between different devices to give an easy experience. “So in my case, I have an iPhone, I do face ID,” said Hecht showing the service. “And then I'm going to be signed in on both devices automatically. So that's a great way to kind of give every user access to the site no matter what device they're on.” With Passage, the biometric is added to any device a user adds, Hecht said. Passage handles the multidevice orchestration. Use cases? “FinTech people like the security properties of it, they kind of like that cool, shiny user experience that they want to deliver to their end users,” Hecht said. And then any website or business that cares about conversions is kind of a general term. People who want signups, who are trying to measure success by the number of people registering and creating accounts, are signing up. “Passage has a really nice story for that because we cut out so much friction around those conversion points.”  

In this episode of The New Stack’s On the Road show at Open Source Summit in Austin, Webb Brown, CEO and co-founder of KubeCost, talked with The New Stack about opening up the black box on how much Kubernetes is really costing. Whether we’re talking about cloud costs in general or the costs specifically associated with Kubernetes, the problem teams complain about is lack of visibility. This is a cliche complaint about AWS, but it gets even more complicated once Kubernetes enters the picture. “Now everything’s distributed, everything’s shared,” Brown said. “It becomes much harder to understand and break down these costs. And things just tend to be way more dynamic.” The ability of pods to spin up and down is a key advantage of Kubernetes and brings resilience, but it also makes it harder to understand how much it costs to run a specific feature. And costs aren’t just about money, either. Even with unlimited money, looking at cost information can provide important information about performance issues, reliability or availability. “Our founding team was at Google working on infrastructure monitoring, we view costs as a really important part of this equation, but only one part of the equation, which is you’re really looking at the relationship between performance and cost,” Brown said. “Even with unlimited budged, you would still care about resourcing and configuration, because it can really impact reliability and availability of your services.”

In this episode of The New Stack’s On the Road show at Open Source Summit in Austin, Amanda Brock, CEO and founder of OpenUK, talked with The New Stack about revenue models for open source and how those fit into building a sustainable project.Funding an open source project has to be part of the sustainability question — open source requires humans to contribute, and those humans have bills to pay and risk burnout if the open source project is a side gig after their full time job. That’s not the only expenses a project might accrue, either — there might be cloud costs, for example. Brock says there are essentially eight categories of funding models for open source, of which really two or three have been proven successful. They are support, subscription and open core.So how do we define open core, exactly? “You get different kinds of open core businesses, one that is driven very much by the needs of the company, and one that is driven by the needs of the open source project and community,” Brock said. In other words, sometimes the project exists to drive revenue, sometime the revenue exists to support the project — a subtle distinction, but it’s easy to see how one or the other orientation could change a company’s relationship with open source.Are both types really open source? For Brock, it all comes down to community. “It’s the companies that have proper community that are really open source to me,” she said. “That’s where you’ve got a proper project with a real community, the community is not entirely based off of your employees.”

AUSTIN, TEX. — In one of the most compelling keynote addresses at The Linux Foundation’s Open Source Summit North America, held here in June, Aeva Black, a veteran of the open source community, said that a friend of theirs recently commented that, “I feel like all the trans women I know on Twitter, are software developers.” There’s a reason for that, Black said. It’s called “survivor bias”: The transgender software developers the friend knows on Twitter are only a small sample of the trans kids who survived into adulthood, or didn’t get pushed out of mainstream society. “It's a pretty common trope, at least on the internet: transwomen are all software developers, we all have high-paying jobs, we're TikTok or on Twitter. And that's really a sampling bias, the transgender people who have the privilege to be loud,” said Black, in this On the Road episode of The New Stack Makers podcast. Black, whose keynote alerted the conference attendees about how the rights of transgender individuals are under attack around the United States, and the role tech can play, currently works in Microsoft Azure's Office of the Chief Technology Officer and holds seats on the boards of the Open Source Initiative and on the OpenSSF's Technical Advisory Council. In this episode of Makers, they unpacked the keynote’s themes with Heather Joslyn, TNS features editor. Citing Pew Research Center data, released in June, reports that 5% of Americans under 30 identify as transgender or nonbinary — roughly the same percentage that have red hair. The Pew study, and the latest "Stack Overflow Developer Survey," reveal that younger people are more likely than their elders to claim a transgender or nonbinary identity. Failure to accept these people, Black said, could have an impact on open source work, and tech work more generally. “If you're managing a project, and you want to attract younger developers who could then pick it up and carry on the work over time, you need to make sure that you're welcoming of all younger developers,” they said.Rethinking Codes of ConductCodes of Conduct, must-haves for meetups, conferences and open source projects  over the past few years, are too often thought of as tools for punishment, Black said in their keynote. For Makers, they advocated for thinking of those codes as tools for community stewardship. As a former member of the Kubernetes Code of Conduct committee, Black pointed out that “80% of what we did …  while I served wasn't punishing people. It was stepping in when there was conflict, when people you know, stepped on someone else's toe, accidentally offended somebody. Like, ‘OK, hang on, Let's sort this out.' So it was much more stewardship, incident response mediation.” LGBT people are currently the targets of new legislation in several U.S. states. The tech world and its community leaders should protect community members who may be vulnerable in this new political climate, Black said. “The culture of a community is determined by the worst behavior its leaders tolerate, we have to understand and it's often difficult to do so how our actions impact those who have less privileged than us, the most marginalized in our community,” they said. For example, “When thinking of where to host a conference, think about the people in one's community, even those who may be new contributors. Will they be safe in that location?” Listen to the episode to hear more of The New Stack’s conversation with Black.

AUSTIN, TEX. —What’s the future of WebAssembly — Wasm, to its friends — the binary instruction format for a stack-based virtual machine that allows developers to build in their favorite programming language and run their code anywhere?For Matt Butcher, CEO and founder of Fermyon Technologies, the future of Wasm lies in running it outside of the browser and running it inside of everything, from proxy servers to video games.”And, he added, “the really exciting part is being able to run it in the cloud, as well as a cloud service alongside like virtual machines and containers.”For this On the Road episode of The New Stack Makers podcast, Butcher was interviewed by Heather Joslyn, features editor of TNS.With key programming languages like Ruby, Python and C# adding support for WebAssembly’s new capabilities, Wasm is gaining critical mass, Butcher said.“What we're talking about now is the realization of the potential that's been around in WebAssembly for a long time. But as people get excited, and open source projects start to adopt it, then what we're seeing now is like the beginning of the tidal wave.”But before widespread adoption can happen, Butcher said, there’s still work to be done in preparing the environment the next wave of Wasm: cloud computing.Along with other members of the Bytecode Alliance, such as Cosmonic, Fastly, Intel and Fermyon is working to improve the developer experience and environment this year. The next step, he added is to “start to build this first wave of applications that really highlight where it can happen for us.”The rise of Wasm represents a new era in cloud native technology, Butcher noted. “We love containers. Many of us have been involved in the Kubernetes ecosystem for years and years. I built Helm originally; that's still, in a way, my baby.“But also we're excited because now we're finding solutions to some problems that we didn't see get solved in the container ecosystem. And that's why we talk about it as sort of like the next wave.”Wasm and a ‘Frictionless’ Dev ExperienceFermyon introduced its “frictionless” WebAssembly platform in June here at The Linux Foundation’s Open Source Summit North America. The platform, built on technologies including HashiCorp’s Nomad and Consul, enables the writing of microservices and web applications. Fermyon’s open source tool, Spin, helps developers push apps from their local dev environments into their Fermyon platform.One aspect of Wasm’s future that Butcher highlighted in our Makers discussion is how it can be scalable while also remaining lightweight in terms of the cloud resources it consumes.“Along with creating this great developer experience in a secure platform, we're also going to help people save money on their cloud costs, because cloud costs have just kind of ballooned out of control,” he said.“If we can be really mindful of the resources we use, and help the developer understand what it means to write code that can be nimble, and can be light on resource usage. The real objective is to make it so when they write code, it just happens to have those characteristics.”For those interested in taking WebAssembly for a spin, Fermyon has created an online game called Finicky Whiskers, intended to show how microservices can be reimagined with Wasm.

VALENCIA, Spain —  WebAssembly (Wasm) is among the more hot topics under the CNCF project umbrella.  In this episode of The New Stack Makers podcast, recorded on the show floor of KubeCon + CloudNativeCon Europe 2022, Liam Randall, CEO and co-founder, Cosmonic, and Colin Murphy, senior software engineer, Adobe, discuss why Wasm’s future looks bright. A quintessential feature of Wasm is that it functions on a CPU level, not unlike Java or Flash. This means, Randall said, that Wasm “can run anywhere.” “Everybody can start using Wasm, which functionally works like a tiny CPU. You can even put WebAssembly inside other applications.”The fact that Wasm has a binary format (with .wasm file format) and can be used to run on a CPU level like C or C++ does means it is highly portable. “WebAssembly really is exciting because it gives us two fundamental things that are truly amazing: One is portability across a diverse set of CPUs and architectures, and even portability into other places, like into a web browser,” said Randall. “It also gives us a security model that's portable, and works the same across all of those different landscape settings.”This portability makes wasm an excellent candidate for edge applications. Its inference capabilities for machine learning (ML) at the edge are particularly promising for applications distributed across many different applications, Murphy described. Wasm is also particularly apt for collaboration for ML edge and other applications. “Collaborative experiences are what WebAssembly is really perfectly in position for," he continued.In many ways, the name “WebAssembly” is not intuitively reflective of its meaning. “WebAssembly is neither web nor assembly — so, it's a somewhat awkwardly named technology, but a technology that is worth looking into,” Randall said. “There are incredible opportunities for your internal teams to transform the way they do business to save costs and be more secure by adopting this new standard.”

In this episode of The New Stack’s On the Road show at Open Source Summit in Austin, Julia Ferraioli, open source technical leader at Cisco’s open source programs office, spoke with The New Stack about some alternative ways to define what is and is not ‘open source.’ When someone says, well, that’s ‘technically’ open source, it’s usually to be snarky about a project that meets the legal criteria to be open source, but doesn’t follow the spirit of open source. Ferraioli doesn’t think that the ‘classic’ open source project, like a Kubernetes or Linux, are the only valid models for open source. She gives the sample of a research project — the code might be open sourced specifically so that others can see the code and reproduce the results themselves. However, for the research to remain valid, they it can’t accept any contributions.“It’s no less open source than others,” Ferraioli said about the hypothetical research project. “If you break things down by purpose, it’s not always that you’re trying to build the robust community.” The social model of open source, Ferraioli says, is about understanding the different use cases for open source, as well as providing a framework for determining what appropriate success metrics could be depending on what the project’s motivations are. And if you’re just doing a project with friends for laughs, well, quantifying fun isn’t going to be easy.