Season 4 Episode 8 Jun 3, 2021

An Elaborate Phishing Hack, Autonomous Lethal Drones, a Questionable M1 Security Flaw, and a DevNews Behind the Scenes

Pitch

Hear how the sausage is made.

Description

In this episode, we talk about an elaborate phishing hack, a questionable M1 security flaw, and the first autonomous lethal drones targeting humans. Then we chat with our producer, Levi Sharpe, to give a behind-the-scenes look at how we make DevNews.

Hosts

Saron Yitbarek

Disco - Founder

Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.

Josh Puetz

Forem - Principal Engineer

Josh Puetz is Principal Software Engineer at Forem.

Guests

Levi Sharpe

Forem - Senior Podcast Producer

Levi Sharpe is the senior podcast producer at Forem, currently making their CodeNewbie, DevNews, and DevDiscuss podcasts. Previously, he was lead podcast producer at Gizmodo Media Group, where he produced Lifehacker’s Webby-nominated podcast, The Upgrade, as well as Jezebel's DirtCast and Big Time Dicks podcasts. You can hear his sound design work on the narrative fiction podcast, Roommate From Hell, and the Webby award-winning comedy musical podcast, Propaganda.

Show Notes

Audio file size

71812344

Duration

00:49:52

Transcript

[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.

 

[00:00:20] JP: And I’m Josh Puetz, Principal Engineer at Forem.

 

[00:00:22] SY: This week, we’re talking about an elaborate phishing hack, a questionable M1 security flaw, and the first autonomous lethal drone targeting humans.

 

[00:00:32] JP: Then we’re going to chat with our producer, Levi Sharpe, to give you a behind-the-scenes look at how we make DevNews.

 

[00:00:37] LS: It just sort of colors the way that I see future episodes that come out and it sort of, just to me, adds like an extra little spice to the show.

 

[00:00:48] SY: So this first story is a cautionary tale, a security firm called Proofpoint identified a really elaborate phishing hack that took the form of a website called BravoMovies. The interesting thing about this site is the amount of effort the hackers put into it to make it look like a legitimate movie streaming service, like a Netflix or a Hulu. And just like many streaming sites all it does is prompt you to create an account with your email for a free trial and then prompts you to put in your credit card information. Now the other wild thing is that if you were dissatisfied with this fake service, there is even a phone number you can call that puts you in touch with a call center. Of course, this call center person directs you to an FAQ page that downloads and installs malware on your computer called BazaLoader, when you click the button to cancel your subscription. Wow!

 

[00:01:42] JP: Wow! So I have almost clicked on the link to load the fake movie.

 

[00:01:49] SY: Just for research. Just for research.

 

[00:01:50] JP: Just for research. So they went through the trouble of like finding all this clip art and making fake movie titles.

 

[00:01:56] SY: It looks really legit.

 

[00:01:57] JP: It looks legit in a way that if you scroll all the way to the bottom of Netflix or Hulu and you get like the real bottom of the barrel, like movies, that’s what these movies look like. So you could almost think like maybe it’s legit.

 

[00:02:10] SY: Yeah.

 

[00:02:10] JP: The really crazy thing about this is like the mechanism of, “Oh, I got an email. What is this description? I want to cancel. To cancel, I have to call the phone number at the movie site.” That all tracks with how a lot of actual legitimate businesses make you cancel their service. The twist is that’s when they direct you to download what is basically an Excel Spreadsheet. You have to open the Excel Spreadsheet. This is where it like loses it for me. I don’t know who played along at home would have gotten all the way to, like, “I don’t know what this service is. I don’t recognize it. I’m going to cancel it. Okay. You want me to download something to cancel your service? That’s weird. Okay. What you want me to download is an Excel Spreadsheet?” But that’s unknowingly what injects the malware loader onto your system. Crazy.

 

[00:02:59] SY: Yeah. I feel like they have this really great plan halfway through, and then they were like, “Excel!” And didn’t really kind of think through how the second half of the plan would actually kind of work. But yeah, I thought this was just so fascinating because when we hear about phishing attacks and malware and that sort of thing, we think of like email, right? You get the Nigerian prince email and usually it’s targeting older people who just may not be as comfortable with the internet, that sort of thing. And this just feels so different. This feels like we are going to build an entire app. I mean, a fake app, but like an entire app. It makes me wonder who they’re targeting. Are they targeting like early adopters who want to be the first to try BravoMovies? You know what I mean?

 

[00:03:50] JP: Right.

 

[00:03:51] SY: Is this trying to go for a different demographic than the usual people that we target in phishing attacks? That was kind of my first thought about this.

 

[00:04:00] JP: What I thought was really interesting was they talked about how they’re getting people to go to the site by sending them an email that says, “Hey, your trial subscription is expiring and we’re going to charge your credit card.” And I’ve definitely been in a situation where I was like, “Wait, I had a trial to that? Oh, no!”

 

[00:04:15] SY: Yeah. Yeah. Yeah.

 

[00:04:15] JP: We need to cancel that.

 

[00:04:16] SY: Exactly. Exactly. Yeah.

 

[00:04:18] JP: But I thought the interesting twist was the link, it’s not a spoofed link. The link does ostensibly what it says. It takes you to BravoMovies. Security researchers think the reason they’re doing that is if you just have a fake email, it says, “Oh, your Netflix account is wrong. Click here.” And it’s not the address for Netflix. Gmail will catch that stuff now. A lot of email clients will catch that stuff and say, “Whoa! It says they’re from Netflix, but it’s a different URL. Beware. Don’t click this.” But this gets around this whole problem in that it’s a valid link, it takes you to BravoMovies. And then once you’re in their site, I don’t know. It’s not so inconceivable that you might have a subscription that you didn’t remember signing up for.

 

[00:05:05] SY: That you just forgot about.

 

[00:05:06] JP: Okay, that seems weird, but like that you have to call someone to cancel subscription? That’s definitely a situation I’ve been in.

 

[00:05:10] SY: Yeah. Yeah, exactly. I mean, you sign up for all these free trials, beta things, and especially if you’re an early adopter, you’re excited hearing about the latest thing. And so it totally makes sense to me that you just set up for stuff. Oh, that’s the other thing too. I get emails from services I’ve used because I used a different service, right? I went to some event. They use some platform that I never really paid attention to and then that platform started sending me emails and I’m like, “Wait, who are you? How did we meet?” It’s very confusing. And then I kind of traced it back and I was like, “Oh, you’re the platform hosted by this other platform.” And so it totally makes sense to me that you could start something that you just very simply forgot about. And ultimately it comes down to social engineering, right? That’s really what we’re talking about. It’s not some super sophisticated algorithm or anything like that. And it just really says to me that these things are evolving just as our security is getting better. It sounds like they’re getting better too.

 

[00:06:12] JP: I mean, ultimately though Gmail can put in filters. They can try to filter out emails that have links that the domains don’t match the from or the sender. But yeah, ultimately that social engineering part is the most difficult part to protect against because it requires education and vigilance and it’s an old-fashioned swindle. And I don’t know how email providers or tech providers can ever catch up with that.

 

[00:06:39] SY: At the end of the day, it’s up to us to stay vigilant and to just really pay attention and just hopefully be better at identifying when things seem a little off. In this case, the Excel Spreadsheet is probably the big sign.

 

[00:06:52] JP: The Excel Spreadsheet is definitely your sign that things have gone weird.

 

[00:06:58] SY: Yeah.

 

[00:07:00] JP: Well, speaking of creative websites, a security engineer by the name of Hector Martin discovered a flaw in Apple’s M1 chips. Now it’s officially called CVE-2021-30747, but Martin has dubbed it M1RACLES, that’s miracles with a 1 replacing the I. And that stands for M1ssing Register Access Controls Leak EL0 State. I think it’s debatable which name is better. However, he built a whole site that goes into details about this vulnerability with an original header photo, a fact page, and a sponsor image at the bottom to go to Asahi Linux. So he says about the flaw in the chips, “It allows any two applications running under an OS to covertly exchange data between them without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange.” He says this vulnerability is baked into the chips themselves and the only way to fix the flaw is by altering the hardware of the chip. Ultimately though, and this is where it gets really interesting, he says, “It’s not really a vulnerability anybody can exploit. These covert channels can’t be used unless your computer’s already compromised. And in that case, there’d already be a bunch of side channels the malware could already use.” So what’s the point of the website? Well, he’s answered that very question on his FAQ, which states, “Poking fun at how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn’t mean you need to care. If you’ve read all the way to here, congratulations. You’re one of the rare people who doesn’t just retweet based on page title.”

 

[00:08:46] SY: I don’t know if I’d buy that FAQ.

 

[00:08:51] JP: So this is such a lovely looking page. It’s got a name. It’s really interesting. And I love that he just admits at the bottom. Yeah, this is a nothing burger of an exploit. It’s interesting for computer researchers. I’m sure it’s going to be fascinating to see if Apple fixes this flaw in future versions of Apple silicon chips. But I thought it was really honest of him to call out that like, “Hey, this really isn’t a vulnerability that anybody can do anything with,” which is always a question I have with those security vulnerabilities. What’s the worst that could happen?

 

[00:09:25] SY: Does it really matter? Yeah.

 

[00:09:26] JP: Yeah. I was really interested about the naming and the branding of this, and this, of course, isn’t the first time we’ve seen a security vulnerability branded and named. It reminds me of how a couple of years ago the National Weather Service started naming winter storms. It used to be just like, “Hey, there’s going to be like 12 feet of snow this next week.” And now they all have names like Hector or Thor.

 

[00:09:48] SY: Yeah.

 

[00:09:49] JP: And they’re an event, Thor, Winter Storm Thor is coming to blanket the Midwest. You’re seeing that with security vulnerabilities as well. I wonder why. Do you think it helps the mind share that security vulnerabilities get among the public?

 

[00:10:03] SY: I totally do. I totally think that when you name something, especially if it’s something that sounds interesting like Heartbleed, is the one that comes to mind, it definitely makes you go, “Ooh, what is that? What does that mean?” Like M1RACLES, the M1RACLES’ vulnerability. Like, “Is this about Jesus? What are we really talking about? What’s going on?” And just makes people, I think, more curious, more interested, and it kind of makes this guessing game of what is the connection with heart bleeding and then technology? You know what I mean?

 

[00:10:36] JP: Why did they name it like that?

 

[00:10:37] SY: Yeah. Why did they name it like that? Why is this called M1RACLES? And I think it just makes it more interesting. It’s branding, right? When you brand something, well, you get people interested in the product and that’s exactly what this is.

 

[00:10:49] JP: So CVE, I noted the CVE name of this vulnerability at the beginning. CVE stands for Common Vulnerabilities and Exploits, and there’s a group that assigns names to them. The 2021 part of that is the year it was discovered in and then there’s just a numeric identifier afterwards. It’s really boring, but it’s a very precise way of referring to security vulnerabilities.

 

[00:11:08] SY: So boring. Very uninteresting. They need to work with the brand managers. They can really get us excited about these vulnerabilities. But no. And what I love about this website is if you go to the link, which is M1RACLES.com, again, the I is replaced with the number 1, it’s these two glowing hands.

 

[00:11:32] JP: It’s a great logo.

 

[00:11:32] SY: One is red and the other is like a neon/purple. And in between the hands, it says the word “M1RACLES”, also glowing gradient from red to blue. And this is the part that I don’t understand. There’s just the number 01. And it’s being like tossed from one hand to the other hand.

 

[00:11:57] JP: I think that’s the miracle that data is being transmitted between these two. I cannot believe we’re going into this. I think that’s the miracle, that 01 is like a bit of data that’s being transmitted between these two hands or two processes without any kind of like existing channel. It’s the miracle.

 

[00:12:16] SY: Right.

 

[00:12:16] JP: We’re seeing so much into this website. It worked. I totally invested in this security vulnerability.

 

[00:12:20] SY: I’m with you on that. I believe what you just said. I totally agree, what you just said.

 

[00:12:24] JP: Right at the top, the header, that’s the CVE name. There’s like a little header that says, “Should you be worried? Probably not.” And there’s a link down to like why you shouldn’t be worried. It’s still fascinating. Great job. Great job, Hector. This is a fantastic site.

 

[00:12:39] SY: Yeah, and it’s also very detailed and very thorough, which I thought was really interesting. And this is why I was kind of like, “I don’t know if I really buy the FAQ that we just read,” because he says that, but then if you read the website, it’s a legitimate branding website for a legitimate vulnerability. You know what I mean? He goes into, like, “This is a relatively lengthy page.” He goes into a lot of detail about how it works and what it does, and if you’re infected, there’s a demo video, there’s technical details, there’s an executive… You know what I mean? It does definitely feel like a very legitimate vulnerability website, even if he says he’s making fun of it. That doesn’t change the fact that he also did it. You know what I mean? They are both true.

 

[00:13:21] JP: There’s a great call-out. At one point in the FAQ, he’s like, “I came here from a news site. They didn’t tell me any of this.” He answers, “We should perhaps operate that news site.” They probably stopped reading this site after the first two paragraphs. That’s us, listener, we read the whole thing, but it’s a good point.

 

[00:13:36] SY: Yeah, exactly. I definitely feel like this is very informative and very educational. As a developer, it’s really fun, just to be like, “Ooh! How does this work and what are the details?” So I think it’s a great resource for vulnerabilities in general. I think that all the vulnerabilities should get their own little splash page so we can learn a little bit more about them.

 

[MUSIC BREAK]

 

[AD]

 

[00:14:18] RudderStack is the Smart Customer Data Pipeline. It makes it easy to build event streaming, ETL, and reverse ETL pipeline. It’s warehouse first. RudderStack doesn’t persist any of your data. It builds your customer data lake and your identity graph in the data warehouse and it’s open source. Sign up for free at rudderstack.com and give them a star in GitHub.

 

[00:14:37] Scout APM is the leading edge application performance monitoring designed to help developers quickly find and fix performance issues before the customer ever sees them. See why developers call Scout their best friend and sign up for your 14-day free trial today at scoutapm.com/devnews.

 

[AD ENDS]

 

[00:14:55] SY: In nightmarish, apocalyptic news, first reported by New Scientist, it was found that fully autonomous drones attacked humans for the first time last year, according to a report by the United Nations. The drone, which they call “Lethal Autonomous Weapon System” targeted soldiers and convoys in Libya. Full details haven’t been released yet and it is yet to be disclosed if there were any injuries or casualties. So?

 

[00:15:25] JP: So when they say autonomous, do they mean the drone is just controlling itself? That’s what I read from this story.

 

[00:15:31] SY: Yeah.

 

[00:15:32] JP: So it’s just flying around on the fly thinking, “Hey, that looks like an enemy combatant. I think I’ll shoot them.”

 

[00:15:39] SY: Yeah, that is the part, because, I mean, drones obviously are used to kill people. That’s not a new phenomenon, right?

 

[00:15:44] JP: Right.

 

[00:15:45] SY: That’s a thing. I think the part that makes this scary is not having a person be the one that actually pulls the trigger and kind of “does it” and it feels really scary to just have a drone who’s responsible for that and has that as a job, essentially. Apocalyptic, I think, is the right way to describe this.

 

[00:16:05] JP: The report kind of calls out, they say that, “Lethal Autonomous Weapon Systems were programmed to attack targets without requiring data connectivity between the operator and the munition: in effect, a true ‘fire, forget and find’ capability.” That is terrifying. So you’d signal. I mean, this is basically the plot of Terminator, right?

 

[00:16:28] SY: Yeah. And it has begun.

 

[00:16:32] JP: That is terrifying. I guess there’s been some calls among ethicists to ban autonomous weapons systems. And in the UN, predictably some countries, the United States included, have been dragging their feet on the ban. And they say that the technology is nowhere near the point where it is accurate or reliable enough to require a ban, which, why are we waiting for the technology to get that good before we ban it?

 

[00:17:00] SY: Exactly. Let’s wait until it does a really good job of killing people and we’ll talk about it. It makes no sense.

 

[00:17:07] JP: That’s absolutely terrifying. So there was a piece in Protocol about a new startup called “The Browser Company”. I love this name. And they are hoping to solve what they believe are some shortcomings of our current web browsers. Apparently, the Browser, which their team is just calling Browser right now, essentially would try to include many of the functionalities to help with things like overwhelming tabs, giving you personalized feeds or being a shared multimedia space. This browser isn’t out yet, but you can join the waitlist on their website. And it joins a recently long list of companies that are “trying” to fix the browser such as Brave, Mighty, Synth, and Sidekick. And when this story came across our desks, Saron, we were talking about like, do we really need another browser? Is there a browser problem?

 

[00:17:53] SY: Yeah.

 

[00:17:54] JP: And I think we want to just have a quick conversation about what are the problems we see in browsers and do they really need solving? And what kind of things would we like to see solved in browsers?

 

[00:18:05] SY: Yes. Yes. So I thought this was really interesting because as you said, they’re not the first people to talk about the web browser being broken and it’s interesting because the copy on their website speaks to that and it says, “We love the internet, but it can be overwhelming. What if a browser could help us make sense of it all?” Which I guess I don’t find the internet to be overwhelming so I couldn’t really relate to that. But I took a step back and said, “What is it about the browser that I would change?” The only thing I could really think about is just how slow it is.

 

[00:18:36] JP: Right.

 

[00:18:38] SY: If I have too many tabs open, the whole thing just really slows down. Even when I do like suspend mode, it still takes a while for it to un-suspend itself, you know what I mean, and kind of come back to life. So the suspension part is helpful, but it takes a second or two, things loading, oh my goodness, especially if there’s like ads or lots of big images, that takes a while. So speed is really, again, I don’t think it’s overwhelming. That’s not really the word I would think of, but speed is definitely an issue I have felt the pain of when it comes to a browser. Besides that, I don’t know. I think it’s fine. What about you?

 

[00:19:16] JP: I mean, I think the thing I miss most is the sense of competition between browser companies in the late ’90s and early 2000s, you had basically the same players we had now. You had Internet Explorer, you had Microsoft, you had Mozilla, you had Apple. You had a bunch of different large companies fighting for market share, but the difference was they were each trying to be everything. Each one of those browsers was trying to do it all to be all things to all people. And now with these browser-focused startups, just scrolling through the pages of all the companies like Mighty wants to make the browser faster, take less memory, and they’re going to stream it to your computer from a remote computer. Brave wants to make your browser more secure. The Browser Company wants to make your browser less confusing and they all seem like they’re targeting one particular niche of web browsing and none of them is trying to become the do it all alternative browser. And maybe that’s because it’s easier as a startup to focus on one little part of the browsing experience than trying to take on Google. I can’t imagine trying to raise VC and saying like, “We’re going to make the next Google Chrome.” That’s a really tough hill for a brand new startup to do. But making the browser faster, making tabs easier to understand, yeah, maybe that’s something that a small company could do.

 

[00:20:47] SY: So what do you think would be the future of browsing then? If we have all these competitors and they’re each doing their own take on the browser, they’re each focusing on what they feel is the biggest pain point of the browser, do you see the users just kind of regularly switching between browsers? Do you think we’ll pick the problem we care about the most and have a new go-to browser? How do you see that changing the way users think about browsers?

 

[00:21:11] JP: I mean, I think right now, as long as we have a situation where we have a few different web rendering engines, like WebKit and Chromium, and we have companies that are directing the development of those engines, also making browsers, namely Safari and Chrome, as long as we have that situation, I think it’s going to be hard for anybody else to come on in and say, “We made a better browser,” because ultimately they have to use one of those rendering engines.

 

[00:21:41] SY: Right. Right.

 

[00:21:42] JP: And they’re going to be competing then with either Apple or Google for the browser share. Think about if you make tabs less confusing, is that ultimately a whole browser in itself? But if you’re just using Chromium or WebKit underneath, what’s to stop Apple or Chrome from just saying like, “That’s a feature we would love to have,” and making that a feature and putting you out to pasture? I think until we start seeing companies develop new web rendering engines or we see companies make browsers that handle web applications better, that do something radically different with the web browser, I think we’re still going to be in the situation we’re currently in where we have a very few major players and a couple of little fish around the periphery, but nothing really sticking.

 

[00:22:31] SY: Yeah. I mean, when I think about my browser, I’m curious to hear what your go-to browsers are. Mine, I use between Brave, Firefox, and Chrome. And Firefox is my default. If I open it, all my tabs load, I’ve got my bookmarks. That’s kind of my go-to, but sometimes screen-sharing doesn’t work well on Firefox, then I have to go to Brave. And then there’s this one software that only works on Chrome so I have to go to Chrome. And that annoys the crap out of me, having kind of multiple places to go to and having to remember, “Okay, when I get on a video call, but I have to do screen share, don’t use Firefox.” Those kinds of little details are really annoying to me. So I don’t think I’m the kind of user that would be happy going to different browsers as they see fit. I wouldn’t do that by choice.

 

[00:23:18] JP: Right.

 

[00:23:19] SY: So for me, I think I’m closer to maybe the average user who I’m going to pick the one that gets the most amount of things done that is all encompassing. So for me, I think it’s going to be hard to get me away from the big, main browsers. I think it’s going to take a lot of features, ingenuity, maybe finding problems that I don’t feel right now or don’t see to really get me to try something new.

 

[00:23:44] JP: I think I’m in the same bucket. I mostly use Safari for personal things and then I use Chrome for work things or web development and sometimes I have to switch browsers, certain sites won’t work on certain browsers. But between those two, the majority of the web works for me. I’m interested in these startups. I’m really interested in alternative browsers. I think I ended up downloading every single one and trying them out and then I kind of forgot about them after a week. That’s really, really bad. But none of them seem to have a feature that hooks me that I really, really need. The other big thing for me is I use my phone a lot. I browse the web on my phone a ton and I’m an iOS user. So that means it’s Safari all the time. Even if I’m using Chrome on my phone, it’s still a WebKit underneath. I feel like a lot of these startups are targeting desktop browsers and I think mobile browsing is really where I’d like to see some innovations come. Saving by sessions, I don’t know, like syncing where I am on a page. Like not just what page I’m on, but how far am I into reading an article, having that sync between multiple devices. That kind of stuff would be really handy to me. I don’t see a lot of browser startups in the mobile space. I think that’s just maybe chasing where the number of users are and side effects of some of the anticompetitive practices that Apple has.

 

[00:25:06] SY: Yeah. Yeah. I’m totally with you. I forgot about that as an entire category, mobile browsing, that’s an area of browsers that I definitely, I mean, yeah, I use Safari on my phone just because that’s the default app. And yeah, I can’t remember the last time I switched between browsers on my phone. You just use the thing that’s there and I haven’t really thought about it, but I’d be really interested to see what ingenuity looks like if someone focused just on the mobile browser. I’d be really curious to see that.

 

[00:25:37] JP: Yeah. Yeah, I agree.

 

[00:25:39] SY: Coming up next, we have a behind-the-scenes chat about this show with our producer, Levi Sharpe.

 

[MUSIC BREAK]

 

[AD]

 

[00:26:02] Scout APM pinpoints and resolves performance abnormalities, like N+1 queries, memory bloat, and more. So you can spend less time debugging and more time building a great product. With developer centric UI and tracing logic that ties bottlenecks to source code, get the insights you need in less than four minutes without dealing with the overhead of enterprise-platform feature bloat. You can rest easy knowing Scout’s on watch to help you resolve performance issues with Scout’s real-time alerting and weekly digest emails. As an added bonus for DevNews listeners, Scout APM will donate $5 to the open source project of your choice when you deploy. Visit scoutapm.com/devnews for more information.

 

[00:26:39] RudderStack is the Smart Customer Data Pipeline. It gives you the flexibility to choose the tools you want to use without worrying how to connect your customer data. Instrument once with RudderStack to capture event data, then send it to your entire customer data stack. It integrates with over a hundred cloud tools with new integrations releasing all the time. Start building a smarter customer data pipeline today. Sign up for free at rudderstack.com.

 

[AD ENDS]

 

[00:27:04] SY: So for this season finale’s interview, we’re doing something a little bit different. Since you’ve been listening to this show for four whole seasons now, we thought it’d be fun to invite our producer, Levi Sharpe, to field some questions for us about the making of this show. Hello, Levi.

 

[00:27:20] LS: Hello! So I’m really excited about doing this chat because I love getting behind the scenes and like seeing how the sausage is made. The reason is because when I’m really invested in a show, the hosts are like friends in my ears, it’s neat to see like what their job entails and the things, the challenges they go through, the things that they themselves liked, it just sort of colors the way that I see future episodes that come out and it sort of, just to me, adds like an extra little spice to the show. So I wanted to do that for our audience.

 

[00:28:00] SY: Cool!

 

[00:28:00] LS: All right. When we were deciding on what podcast to make here at Forem, after the acquisition of CodeNewbie, we had a bunch of people send in pitches, people as in Forem employees. And Saron, you submitted one, which is now this show, DevNews, because it’s sort of like been a brainchild of yours for a long time brewing. And I kind of want you to talk about like why did you want to do a show like this. Because you made a compelling argument.

 

[00:28:33] SY: Hopefully, it was compelling.

 

[00:28:34] LS: Because now we have a show.

 

[00:28:35] SY: We are.

 

[00:28:36] LS: It was fine. It was an okay pitch. Well, this is charity. We’re just doing this charity for you.

 

[00:28:43] SY: Just for me. I appreciate that. I appreciate that. Yeah. So I’ve wanted to do this show for a very, very long time. And when I was doing CodeNewbie on my own, I just didn’t have the bandwidth. So it just kind of sat in the back of my mind for a while, but I wanted to do this show because I’m a huge fan of Leo Laporte and he has a show called “This Week in Startups” and he has an entire media company, a huge media company with tons of different shows and they do live streams, they do a bunch of stuff around tech. And I love his stuff, but his stuff is very consumer focused. It’s very kind of hobbyist tech/purchasers of tech for the most part. And it really wasn’t dev centric. It wasn’t for the engineers, for the developers, for the programmers. It wasn’t from that point of view. And I would listen to this show and I would think, “Man, it’d be so cool if we talked about similar topics, maybe even the same topics, but instead of it being for the consumer, it’s instead focused on the developer as the audience.” So I just always loved that idea. And so that’s what I pitched, and luckily, other people liked it too.

 

[00:29:46] LS: Yeah. I was really excited about this because the other show that we chose, DevDiscuss, is very much like CodeNewbie, but like a roundtable. And instead of like beginner focused, it’s more intermediate focused or even veteran focused or developers. Both of those shows, their content is very evergreen, which is cool. But I mean, me coming from a journalism background, having the hustle of talking about things that are literally happening the week of is a very fun challenge. That was why I liked your pitch.

 

[00:30:18] SY: Thank you.

 

[00:30:19] LS: I mean, also I’d do another show with you.

 

[00:30:23] SY: Yeah, I definitely appreciate the newsiness of it and this is a little bit more on you, less on me, but just the hustle of livelihood. We got our news story. Is it breaking news? It just came out. What are we going to say about it? Okay. Let’s book it. I mean, we turned around a show in three days, right? Like being able to do that and to do it consistently every week, to me, is just exciting. And like you said, it’s different from what we usually do and I definitely appreciate that.

 

[00:30:52] LS: Let’s go through some of the process of what we do in those three days to crank out an episode.

 

[00:30:57] JP: Right. I would say it starts like as soon as we record this podcast during the week, our preparation for next week’s episode starts right away. It’s a little low key where you, myself, and Saron are all kind of looking at stories that are happening in the tech press and that’s happening on a Wednesday all the way through the weekend. And we’re just keeping our eyes peeled for what kind of conversations are happening on Twitter, what kind of stories are getting attention in the tech press and which of those stories do we think would be interesting to developers to hear about. And we gather those all in a Google Doc. And then Monday morning is when the process really starts. We in an editorial meeting go over all those potential story ideas and I would say we talk about them quite at length, like what’s behind the story, is it going to be interesting to developers, what’s the developer angle, is it more general interest, but is there a way we can take this story and point out something that would be interesting to developers or bring something to developers that they might not have heard about through regular channels. And once we settle on our stories, and we potentially settle on which stories we would want to talk to someone about, have an interview, you, Levi, have a whopping two days to try to convince people to schedule a session with us and show up for an interview. I don’t know how you do it every week, but somehow you do it.

 

[00:32:29] LS: I threatened them. I have a crowbar and I go house to house just threatening people.

 

[00:32:35] JP: Everyone’s really agreeable considering…

 

[00:32:37] LS: Yeah. That’s a part of the deal. Yeah.

 

[00:32:40] JP: Wow! Tuesday night, we kind of like have a final check to make sure is everything set, what interviews do we have booked, did something breaking really happen. We kind of have a window between Tuesday night and Wednesday morning where if there’s a huge tech story that we just don’t think we can ignore because it’s so important, so large, we might fit it into the schedule. I don’t think that’s happened very often.

 

[00:33:04] SY: No, I don’t think so.

 

[00:33:05] LS: Yeah. I mean, a lot of times those windows are for different conferences or like Apple events…

 

[00:33:13] JP: It’s company announcements that we know ahead of time. They’re always on a Tuesday. So during this whole process, Levi is writing the script and then Saron and I are looking at our parts of the script and kind of like doing a little bit of copywriting and just putting it a little more in our voice. And then Wednesday is when we record and we typically have our guests dial in pretty close to each other. We record the non-guest parts of the show, and then the real magic happens. Levi goes off and he edits it and makes us sound even more amazing. Gets rid of all the ahs and the ums, like that, does an amazing job editing it and then releases it the next day. I’m constantly amazed by how fast the turnaround is, and then Thursday it gets released.

 

[00:34:03] LS: Yeah. Surprise, surprise, listeners, pretty much most radio and many, many podcasts you listen to, there is like some heavy editing that goes through. It’s funny because I’ll tell people about this part of being an audio producer. There is a lot of, like, you’re thinking about the narrative arc of a story and that also includes interviews, like every interview in my mind is a story that has a narrative arc and the way we write out our questions and stuff is to sort of like give that narrative arc. But then also guests will just go on crazy tangents sometimes. Then it’s like, “Okay!” And then maybe they get back to their point and stuff. And so sometimes it’s like cutting out chunks that are just repetitious or moving a chunk from like, “Okay, well, they went on a tangent, but I like that tangent, but then they got back to the thing, but that thing really would just like flow a lot better if you shoved it at the end of when they were actually talking about it first,” and things like that. And then ums and other vocal whatevers, a lot of times we cut those out because, one, you’d be surprised how much time you save, like minutes of time. And in my mind is like filler and it’s not really adding anything. You don’t want to change the way somebody talks or like change the meaning of what they’re saying or anything, but like just cutting out some ums really can like give you a significant amount of time back that could be given to content, which I prefer to give people content than ums. And the other thing is that what we’re constantly battling in audio production is that people listen to podcasts while they’re doing everything else in the world. Right? And so if you give anybody like a reason to be distracted, and maybe that is just like somebody like having a long awkward pause or like maybe they just like have too many ums or something and then the listeners are just like, “Get on with it.” They’re going to get distracted. 
They’re going to lose their place, or worst of all, they’re going to turn off your podcast.

 

[00:36:05] SY: Right.

 

[00:36:06] LS: So I want to get into how do we pick these stories. To me, this is one of my favorite parts of this process.

 

[00:36:13] JP: Really?

 

[00:36:13] LS: Yeah.

 

[00:36:14] SY: Really?

 

[00:36:15] LS: The thing I like about it is that I think all of us, in terms of our interests, we can differ widely.

 

[00:36:24] JP: Oh, absolutely.

 

[00:36:25] LS: And I think that that just gives a better breadth of things that like end up in this document and also what gets chosen for sure. So Saron, you want to get into how we pick stories?

 

[00:36:37] SY: Yeah. So I think that we do a pretty good job of scouring different news sites, see what’s going on, on Twitter. Sometimes there’ll be some Twitter beef.

 

[00:36:48] LS: It’s my favorite!

 

[00:36:55] SY: Those are always fun to cover and those to me are the most interesting because obviously you don’t want to be like a gossip podcast. You don’t want to go like, “This is what this said.” But there are legitimate discussions that happen on Twitter based on news and based on things that are happening in our world that have some good merits. So we’ve definitely leveraged that and incorporated some of that into the discussion, looking at news sites. One of the things that I think differentiates us from maybe other tech podcasts is that a lot of our guests are actually journalists. So we don’t just cover only developers themselves. We cover the people covering developers. And a lot of times those people have a bigger breadth of information because they’ve talked to a lot of developers and they’ve done deeper research. So I think that’s one of the things that we rely on as well as just other media publications and figuring out what are the different stories. And the main part of picking the stories that fit us specifically is asking ourselves the question, “But what does this have to do with developers?” Right? That’s the question we always come back to. What is the implication for developers? Why is this about our community and our people? And reframing everything that we see in those eyes. I think that’s what really differentiates us from a regular news show, from a regular tech news show. We are the news show, as we say, for developers, by developers, and really taking some of these bigger stories and putting them through that lens is a big part of how we pick them.

 

[00:38:27] JP: I thought what you pointed out Levi was really interesting that we all definitely have our areas of interest and it’s not unanimous, the stories we pick. We will argue and push for and advocate for different stories that are of interest to us or that we think would be of interest to our listenership and our opinions on that differ quite a lot quite frequently. We have some pretty spicy conversations about whether we think something’s going to be interesting to us or to our listeners. I think that’s ultimately the main thing we’re using to pick stories is, “Is it interesting from a developer perspective to our listeners? Is it a perspective they’re getting that they can’t get from somewhere else?” I mean, everybody can just open up the New York Times or the Wall Street Journal Tech Section and get a review of the latest phone or whatever, but to hear about a story, asking questions about what would it be like if I work at this company as a developer and what could I do with that. Those are the kinds of questions that we ask and really want to bring.

 

[00:39:28] LS: Let’s talk about a couple that didn’t make it in, and for whatever reason, we ended up not covering that maybe we wish we would have.

 

[00:39:34] JP: Yeah. The way we record the show, we record for eight weeks and then we have a little bit of a break. Sometimes it’s two weeks, sometimes it’s two months. There’s a variety of factors that go into that. But one of the longer breaks we were on, I want to say it was between Season 3 and 4, but I’m not a hundred percent sure. NFTs, Non-Fungible Tokens, blew up and then simultaneously imploded during the break. I still find them ridiculously fascinating. It’s one of the very few nerdy developer tech topics that I’ve been asked about in the real world by non-developers. And I was talking with an artist the other day about NFTs, and I really wish we would have gotten a chance to talk about it on the show. I really, really wish we could have interviewed someone either from an NFT clearing house or an artist or someone. I still find them fascinating. Was that one for you as well, Saron?

 

[00:40:30] SY: Totally, a hundred percent. I feel like it came and went so quickly. I really thought they’d have a little bit more staying power. I was very surprised, but it was here one second. It blew up. It was huge. It was everywhere all over my timeline. Everyone was talking about it. And then it just kind of collapsed and just kind of quietly went away. And I still hear a couple people mention it here and there, but it’s definitely not as big and not even close to as big as what it used to be. So yeah, that was the one that I was like, “Oh, man, we missed the boat on that one.”

 

[00:40:59] LS: Still hearing quiet whispers of NFTs.

 

[00:41:02] JP: NFT!

 

[00:41:03] LS: What? You’re still here?

 

[00:41:06] JP: Something else that comes to mind is we didn’t talk a lot about the GameStop blog.

 

[00:41:13] SY: Very true.

 

[00:41:14] JP: It was happening while we were recording. I think we had decided that there was ample coverage of what was happening with it from a financial perspective. But I still kind of think there might’ve been some of the nitty-gritty about like how developers were writing code to either try to exploit it or predict it. There’s actually still a very healthy market around this kind of speculation and software that’s written for that kind of speculation. I think that was just an example of a story that was so big and prevalent in the mainstream media that we didn’t want to like rehash it.

 

[00:41:51] LS: Yeah.

 

[00:41:52] SY: Yeah. And I remember part of the conversation was also what’s the developer angle for that story. And at the time, it felt so Wall Street. We don’t talk about like economics again unless it pertains to developers more directly and it just didn’t feel like the right fit for the show. But in retrospect, I can totally see us taking the algorithmic trading route. I recently found out about a couple of APIs that allow you to build your own trading platform just for your own personal use that allows you to use their APIs. You can build your own algorithms to predict and to pick and buy and sell stocks, for example. So one thing we could have done is we could have used GameStop as kind of the excuse almost to talk about some of the tools that developers are using to be a part of things like that. So that’s an angle that we could have taken.

 

[00:42:45] LS: Let’s quickly go through some of like our favorite interviews and why they were interesting to you.

 

[00:42:50] SY: One of the stories we covered recently that I appreciated was our video game studio instability conversation with Jason Schreier where we read his book and then asked him a bunch of questions about the industry. And I really liked that because, in general, our angle is kind of the technical side of things, how does this affect developers in terms of what they do, our technology, how we work, that sort of thing. And this one was kind of taking a little bit of a step back and talking about the industry, and how does the industry treats specifically game developers and how does the industry either make it easier or make it harder for people to develop these games, and what does the future look like. And I thought it was a nice way to still keep it developer focused, but also just take a step back and hear about an industry that as developers who are not necessarily game developers maybe we don’t talk about as much. So I thought that interview was just really insightful and really taught me a lot about that industry.

 

[00:43:50] LS: It’s a really good book.

 

[00:43:51] SY: It is. Yeah.

 

[00:43:51] LS: And very much like humanizes this industry.

 

[00:43:56] SY: Absolutely.

 

[00:43:56] JP: I think some of my favorite segments have been interviews that we’ve done. And a couple that stand out, we interviewed Jason Scott, Co-Founder of the Archive Team, about their efforts to archive sites that are going away, in particular Yahoo Answers. And it is just a delightful intersection of weird internet and very technical details and a bunch of volunteers coming together to make something happen that companies either don’t care about or actively trying to prevent and hearing about all that, I was really glad we did that interview. Another interview we did, we talked with Kevin Miller, who’s the lead for the COVID Tracking Project, and it was, again, kind of the same theme, a bunch of volunteers filling a void that governments or corporations aren’t filling. And just to hear about that process and what it takes to organize all of these volunteers to march in the same direction and to really affect some meaningful change is really inspiring.

 

[00:45:04] SY: What about you, Levi? What are some of your favorite episodes?

 

[00:45:07] LS: So lately I started to create a Spotify playlist of some of my favorite episodes across CodeNewbie, DevDiscuss, and DevNews.

 

[00:45:15] SY: Nice!

 

[00:45:16] LS: Because sometimes when I’m reaching out to folks, they’ll be like, “Hey! Maybe I want to be on the show.” Or like, “Can you direct me towards like some episodes?” Or things like that or even just like friends and things like that. They want to know what I do in my life. Sometimes I feel kind of like Chandler from Friends, nobody quite knows what he does. So I created like the Spotify playlist. One of them from DevNews is the episode where we just covered a lot of hacks. And it was the CD Projekt Red Hack, Florida Water Supply Hack.

 

[00:45:45] SY: Yes.

 

[00:45:45] LS: And this dependency confusion hack.

 

[00:45:48] SY: Yeah, absolutely.

 

[00:45:49] LS: So final question, what’s your biggest piece of advice for those who want to jump in and make a podcast or specifically a tech podcast? Because it seems like everybody wants to have a podcast, but maybe they need some advice.

 

[00:46:08] SY: Yeah. I mean, for me, I would say to pick something you’re genuinely interested in, because if you’re not, you’ll just quit. I think that, at first it, the idea of having like thousands of people, tens, hundreds of thousands of people listen to your show is very appealing, but it’s also just very hard to do in most shows. I can’t remember the exact number, but I think like most shows have like a couple hundred or I think it’s like less than a thousand listeners per episode. And so it’s a lot easier to build that audience, build that library and get to the thousands of listeners that you want to get to if you just really like what you’re doing. And if you produce it more for you than you are for the audience. And so pick something that you like, pick something that you would still want to do even if only five people will listen to it. Like what would that show be? And then from there you can focus on growing it and hopefully getting more ears to tune in.

 

[00:47:02] JP: The only thing I would say is that recognize this is work.

 

[00:47:06] SY: Right.

 

[00:47:07] JP: I mean, friends that I’ve had that have started podcasts and other podcasts that I’ve been on, it’s fun, let’s start a podcast. We’re passionate about something. Let’s talk about it. But recognizing that it’s work, it’s a side job, we’re all lucky enough to be employed by an organization that is putting money and time into this podcast. And if you're not in that situation, recognize that this is like starting a side hustle. It’s not always fun, but the product at the end is great. And like Saron said, you have to really be producing it for you and it’s something you want to do. Just recognize that it takes effort. It’s a lot. It’s a lot of work.

 

[00:47:46] LS: Yeah. My two pieces of advice that I always give people is, one, if you’re thinking of a show, really the main question is, “Why should it exist?” And that was on like the pitch template that people filled out for the shows that we were choosing is literally like, not to be mean or anything, but literally why should this exist? Is there something else like that? And what is the thing that you’re trying to provide? And for us, it was news with a dev angle. I hadn’t seen any shows like this that were quite like this and that’s why I wanted to pursue it. So it’s, “Why should this exist?” You can’t just rely on you and your friends being funny people, I think. The other thing is, and this is because I’m an audio snob, but for the love of God, if like you’re the one that’s going to be like producing and editing, take your time and learn the audio editing software. There’s a learning curve, but it’ll pay dividends in the future. Podcasts that aren’t well edited, I just can’t. But also I’m a jerk. So that’s my advice. Learn the technical aspects too. Spend some time. You don’t have to be like an expert, but definitely take your time.

 

[00:48:57] SY: Absolutely.

 

[00:48:59] LS: Saron?

 

[00:49:00] SY: Yes?

 

[00:49:01] LS: Josh?

 

[00:49:01] JP: Yes?

 

[00:49:02] LS: Thank you for being here. That’s creepy. It’s just funny because you’re always here.

 

[00:49:10] SY: Yes. Thank you for having us.

 

[00:49:10] JP: Thank you for having us.

 

[00:49:24] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected]. Please rate and subscribe to this show on Apple Podcasts.