1
00:00:05,320 --> 00:00:10,840
This is Identity at the Center.
If it has anything to do with

2
00:00:11,160 --> 00:00:17,960
IAM, this is the go-to podcast.
Now, your hosts, Jim McDonald and

3
00:00:17,960 --> 00:00:22,160
Jeff Steadman. 
Welcome to the Identity at the

4
00:00:22,160 --> 00:00:24,280
Center podcast. 
I'm Jeff and that's Jim. 

5
00:00:24,280 --> 00:00:26,360
Hey, Jim. 
Hey, Jeff, how are you? 

6
00:00:26,640 --> 00:00:28,960
Oh, not so bad. 
Yourself? Doing great.

7
00:00:29,440 --> 00:00:34,320
I wanted to bring up the call 
that we had the other day, Megan

8
00:00:34,320 --> 00:00:37,240
and Adrian from over at the 
Authenticate Conference of FIDO

9
00:00:37,240 --> 00:00:42,280
Alliance and that we're going to
be on the Mainstage on the first

10
00:00:42,280 --> 00:00:43,400
day. 
Scary. 

11
00:00:43,400 --> 00:00:46,440
And what it Well, it is a little
scary, believe me, it's a little

12
00:00:46,440 --> 00:00:49,400
scary. 
But what I thought was really 

13
00:00:49,400 --> 00:00:51,960
cool about or what I thought was
like hilarious, I thought they 

14
00:00:51,960 --> 00:00:54,440
were pulling our leg because I 
said. 

15
00:00:55,070 --> 00:00:57,630
You know, how long, how long of 
a session are we looking at? 

16
00:00:57,630 --> 00:00:59,070
And they're like, oh, like an 
hour and a half. 

17
00:00:59,070 --> 00:01:02,990
And I thought, oh, that's funny.
That's really funny. 

18
00:01:02,990 --> 00:01:05,830
But it was serious. 
So who knows how long it'll be? 

19
00:01:06,070 --> 00:01:07,190
Yeah. 
Because, you know, the more I 

20
00:01:07,190 --> 00:01:09,830
give it thought after after the 
fact, I was like, you know, we 

21
00:01:09,830 --> 00:01:12,110
could we have a lot of fun with 
an hour and a half. 

22
00:01:12,110 --> 00:01:14,150
What do you think? 
We definitely could. 

23
00:01:14,150 --> 00:01:16,390
I I don't think we've actually 
done an hour and a half on this 

24
00:01:16,390 --> 00:01:17,870
podcast. 
I think the closest we've got 

25
00:01:17,870 --> 00:01:21,550
maybe is like an hour 10 hour 15
even that we feels are really 

26
00:01:21,550 --> 00:01:24,740
long like most people I think. 
Prefer us to be around 45 or 50 

27
00:01:24,740 --> 00:01:27,180
minutes, but sometimes we just 
go on and on. 

28
00:01:27,180 --> 00:01:29,140
We just can't get enough of our 
own voices, apparently. 

29
00:01:30,460 --> 00:01:33,340
We try to make it sound natural 
too, but we could have a lot of 

30
00:01:33,340 --> 00:01:34,780
fun. 
I think we'll probably settle 

31
00:01:34,940 --> 00:01:36,860
probably on just under an hour 
or something. 

32
00:01:36,860 --> 00:01:38,300
That probably makes the most 
sense, but. 

33
00:01:39,020 --> 00:01:40,820
Yeah, it'll be interesting. 
We'll be up on the main stage 

34
00:01:40,820 --> 00:01:43,580
and I think we're, I think 
technically we're a keynote, you

35
00:01:43,580 --> 00:01:45,380
know we're looking at doing like
a live. 

36
00:01:45,620 --> 00:01:47,700
We haven't figured it out. 
So this is obviously all subject

37
00:01:47,700 --> 00:01:51,380
to change, but I think the idea 
is to do almost like a live. 

38
00:01:51,730 --> 00:01:54,810
Podcast episode in front of 
people, Try to get some guests 

39
00:01:54,810 --> 00:01:57,610
to come on, maybe talk about 
different issues and things that

40
00:01:57,610 --> 00:02:00,490
are going to be referenced 
throughout the conference. 

41
00:02:00,490 --> 00:02:03,410
But yeah, it's very cool. 
Yeah, the Authenticate 

42
00:02:03,410 --> 00:02:05,770
conference is coming up. 
We'll be there. 

43
00:02:05,770 --> 00:02:11,930
We've got discount code ID AC15,
podcast ID AC15, podcast. 

44
00:02:11,930 --> 00:02:14,570
Get you 15% off of your 
registration. 

45
00:02:14,570 --> 00:02:16,090
So definitely use that. 
That's a good way to show 

46
00:02:16,090 --> 00:02:17,330
support. 
You know, for the for the 

47
00:02:17,330 --> 00:02:21,370
podcast itself, it's October 
16th to the 18th. 

48
00:02:21,660 --> 00:02:26,780
It's in Carlsbad, CA, so nice on
the beach, a little bit north of

49
00:02:26,900 --> 00:02:29,540
San Diego. 
I think it's on a golf course. 

50
00:02:29,540 --> 00:02:32,780
So yeah, kind of a nice deal 
situation. 

51
00:02:33,340 --> 00:02:37,500
I've got to say, I'm not, I'm 
not proud of this, but I do kind

52
00:02:37,500 --> 00:02:41,500
of judge conferences based on 
where they're located. 100% that

53
00:02:41,500 --> 00:02:43,500
and their cookies. 
Yeah. 

54
00:02:43,540 --> 00:02:48,100
So I looked at, I was doing it a
meeting we had today and there 

55
00:02:48,100 --> 00:02:49,560
was. 
You were on it. 

56
00:02:49,600 --> 00:02:54,040
Few other friends were on it and
we jumped on Google Maps and I 

57
00:02:54,040 --> 00:02:57,520
brought up there's a four drop 
conference way back in the day 

58
00:02:57,680 --> 00:02:59,640
at the Asilomar Conference 
Center. 

59
00:03:00,000 --> 00:03:02,920
I was like that was probably one
of the coolest conferences. 

60
00:03:02,920 --> 00:03:06,640
I was at this one also and they 
also had another one at Half 

61
00:03:06,640 --> 00:03:08,920
Moon Bay. 
This one, this location looks 

62
00:03:08,920 --> 00:03:12,280
just as good man. 
I mean it is like Primo 

63
00:03:12,280 --> 00:03:15,480
location. 
So if you're on the on the 

64
00:03:15,480 --> 00:03:17,920
fence. 
I'd say the location should put 

65
00:03:17,920 --> 00:03:19,240
you on the other side of the 
fence. 

66
00:03:19,640 --> 00:03:22,080
Yeah, for sure. 
I mean ideal location, good time

67
00:03:22,080 --> 00:03:24,000
of year, October, I mean it's 
great. 

68
00:03:24,000 --> 00:03:25,680
It would be great weather. 
It's California, so it's always 

69
00:03:25,680 --> 00:03:27,120
pretty good, but that's a good 
time of year. 

70
00:03:27,720 --> 00:03:30,800
But yeah, so that's our, that's 
our plug. 

71
00:03:31,000 --> 00:03:33,600
Come visit us, come visit the 
Authenticate Conference, come 

72
00:03:33,600 --> 00:03:36,280
support FIDO, come support us.
We'll have links in our show 

73
00:03:36,280 --> 00:03:40,120
notes. authenticatecon, C-O-N,
.com is where you can go to

74
00:03:40,120 --> 00:03:42,400
find more information, make sure
you get that hotel booked so you

75
00:03:42,400 --> 00:03:44,440
can stay. 
You know, at the resort that 

76
00:03:44,440 --> 00:03:47,200
it's at, you don't have to like 
take an Uber that's always, that

77
00:03:47,200 --> 00:03:50,240
always sucks man conference. 
And you're like, it's not 

78
00:03:50,240 --> 00:03:52,120
convenient. 
It's just it makes a world of 

79
00:03:52,120 --> 00:03:54,920
difference to be right there 
rather than having to commute in

80
00:03:54,920 --> 00:03:57,160
every day. 
Absolutely, yeah. 

81
00:03:57,200 --> 00:03:59,320
And it's also not like Vegas, 
where you can just walk from 

82
00:03:59,320 --> 00:04:00,760
hotel to hotel. 
Right. 

83
00:04:01,000 --> 00:04:03,960
But even that could be like a 45
minute walk just to come from. 

84
00:04:04,200 --> 00:04:06,440
Hotel to another. 
Yeah, a. 150 degrees outside 

85
00:04:06,440 --> 00:04:09,700
too, yeah. 
We're going to talk a little bit

86
00:04:09,700 --> 00:04:11,300
about identity standards and 
stuff. 

87
00:04:12,620 --> 00:04:14,900
You were talking before we get 
started that you wanted to get 

88
00:04:14,900 --> 00:04:17,100
provocative with it. 
I don't know how you get 

89
00:04:17,100 --> 00:04:19,980
provocative with an identity 
standard, but I think you're 

90
00:04:19,980 --> 00:04:23,460
going to try. 
If the podcast just cuts off 

91
00:04:23,500 --> 00:04:27,180
unnaturally, we went too far and
we said that was not family 

92
00:04:27,180 --> 00:04:28,820
friendly. 
Yeah, or if you hear like 

93
00:04:28,820 --> 00:04:32,340
awkward edits of me trying to 
like carve out, like, yeah, we 

94
00:04:32,340 --> 00:04:34,180
probably shouldn't have gone 
there or something like that, 

95
00:04:34,220 --> 00:04:37,230
so. 
Maybe I think we'll be okay, but

96
00:04:37,270 --> 00:04:39,030
why don't we get into it? 
We're going to talk identity 

97
00:04:39,030 --> 00:04:42,230
standards today. As a guest,
we've got Justin Richer.

98
00:04:42,270 --> 00:04:44,910
He's the security and standards 
architect and he's the founder 

99
00:04:45,190 --> 00:04:47,950
of Bespoke Engineering. 
Welcome to the show, Justin. 

100
00:04:48,550 --> 00:04:49,910
Thank you so much for having me 
on. 

101
00:04:50,830 --> 00:04:51,870
Thank you so much for joining 
us. 

102
00:04:51,870 --> 00:04:54,110
We're going to talk a little bit
about your identity background 

103
00:04:54,110 --> 00:04:56,230
and just start peppering you 
with a whole bunch of standard 

104
00:04:56,230 --> 00:04:59,190
stuff, cuz you've definitely 
been a major player in this 

105
00:04:59,190 --> 00:05:01,440
space. 
One, I'm going to compliment you

106
00:05:01,440 --> 00:05:04,840
again on your audio setup. 
You've got the nicest mic I 

107
00:05:04,840 --> 00:05:08,160
think we've had yet on the show.
You've got your whole audio 

108
00:05:08,160 --> 00:05:09,920
setup. 
I know you do music. 

109
00:05:09,920 --> 00:05:11,240
We're going to talk a little bit
of that later. 

110
00:05:11,240 --> 00:05:15,160
But I really appreciate it and 
it and I mentioned this before, 

111
00:05:15,160 --> 00:05:18,560
we hit record the breath control
and the mic technique. 

112
00:05:19,520 --> 00:05:22,560
This is an audio podcast, but we
have video that we run behind 

113
00:05:22,560 --> 00:05:24,640
the scenes just to kind of
you know, help us kind of 

114
00:05:24,640 --> 00:05:27,160
coordinate who's talking and 
stuff like that and for those 

115
00:05:27,160 --> 00:05:30,020
who aren't familiar. 
You know, when you're talking 

116
00:05:30,020 --> 00:05:33,540
into a microphone like we are, 
you want to try and get away 

117
00:05:33,540 --> 00:05:36,820
from, like, mouth noises, right?
And breath sounds, like, right. 

118
00:05:36,820 --> 00:05:39,100
That kind of thing. 
And we were like getting prepped

119
00:05:39,100 --> 00:05:41,220
and like going through our 
preflight checklist, right? 

120
00:05:41,220 --> 00:05:43,980
And all this stuff. 
And I noticed that as you were, 

121
00:05:44,020 --> 00:05:47,300
as we were talking, you like, 
put your head to the side and 

122
00:05:47,300 --> 00:05:49,700
like, did your exhale so it 
would go around the mic. 

123
00:05:51,180 --> 00:05:52,900
Chef's kiss, my man.
Thank you so much. 

124
00:05:54,400 --> 00:05:59,280
Happy to help, but yeah, I did 
radio back in high school and in

125
00:05:59,280 --> 00:06:05,040
college and we didn't have 
nearly as nice a gear at the 

126
00:06:05,040 --> 00:06:09,120
little college station.
So in order to not completely 

127
00:06:09,400 --> 00:06:13,800
trash the on air sound, you 
learned a few things about how 

128
00:06:13,800 --> 00:06:15,920
to clean up the signal. 
Yeah, for sure. 

129
00:06:15,960 --> 00:06:18,800
I go back and occasionally I 
listen to the first episode of 

130
00:06:18,800 --> 00:06:22,010
this podcast. 
It's on a condenser mic. 

131
00:06:22,530 --> 00:06:28,370
It was a Blue Yeti, I think it
was very echoey basement, no 

132
00:06:28,370 --> 00:06:31,250
sound treatment. 
I mean it sounded fine for you 

133
00:06:31,250 --> 00:06:32,490
know, we had no idea what we're 
doing. 

134
00:06:32,490 --> 00:06:35,530
And then you fast forward, now
it's like okay now we we still 

135
00:06:35,530 --> 00:06:37,530
don't know what we're doing but 
at least it sounds a little bit 

136
00:06:37,530 --> 00:06:39,170
better. 
So gives us a little more 

137
00:06:39,170 --> 00:06:42,610
credence of that. 
Let's talk a little bit about 

138
00:06:42,610 --> 00:06:46,210
your IAM background because you
have definitely been really. 

139
00:06:46,590 --> 00:06:49,190
At the ground level of a lot of 
the stuff that a lot of 

140
00:06:49,190 --> 00:06:52,910
organizations use for 
authentication, potentially some

141
00:06:52,910 --> 00:06:57,030
authorization stuff, but we 
always like to have a little bit

142
00:06:57,030 --> 00:06:58,750
of the origin story when it 
comes to identity. 

143
00:06:58,830 --> 00:07:02,710
For our first time guest, how 
did you get into the Identity 

144
00:07:02,710 --> 00:07:05,510
and Access Management field? 
Is it something that you chose 

145
00:07:05,510 --> 00:07:10,630
or did it choose you? 
It definitely chose me, so my. 

146
00:07:11,330 --> 00:07:14,170
My research background back when
I was in undergrad was actually 

147
00:07:14,170 --> 00:07:17,610
in collaboration systems. 
So getting people to work 

148
00:07:17,610 --> 00:07:21,610
together to talk together a 
field that eventually became 

149
00:07:21,770 --> 00:07:24,090
known as sort of, you know, 
social computing. 

150
00:07:24,090 --> 00:07:27,690
And that led into the whole Web
2.0, blogs and wikis and 

151
00:07:27,690 --> 00:07:29,650
everything else when all of that
was new. 

152
00:07:31,490 --> 00:07:36,450
But in working with all of those
systems, you know, obviously you

153
00:07:36,450 --> 00:07:38,970
need to be able to identify 
people, you need to be able to 

154
00:07:38,970 --> 00:07:41,050
connect systems together, You 
need to. 

155
00:07:41,300 --> 00:07:44,460
Have security on all of these 
things or else it just you know 

156
00:07:44,460 --> 00:07:47,900
stuff doesn't work. 
And I was finding that through 

157
00:07:47,900 --> 00:07:51,540
all of these projects, you know 
as a you know an impetuous young

158
00:07:51,540 --> 00:07:54,660
engineer I would build the thing
put it out and then our InfoSec

159
00:07:54,660 --> 00:07:58,140
group at the place where I work 
to be like, yeah, no, turn off 

160
00:07:58,180 --> 00:08:00,940
all of the functionality and 
that's that makes it secure. 

161
00:08:01,340 --> 00:08:03,940
And it's like that's you know 
you're you're missing the point 

162
00:08:03,980 --> 00:08:07,220
like that's the the point is to 
go do all of the things that 

163
00:08:07,220 --> 00:08:10,860
we're doing and. 
After going through that 

164
00:08:10,860 --> 00:08:14,900
experience a few times, I 
realized that, you know, I 

165
00:08:14,900 --> 00:08:19,060
really should learn what the 
security side is looking for and

166
00:08:19,060 --> 00:08:20,940
sort of get involved in that 
space. 

167
00:08:20,940 --> 00:08:24,780
And that's how I got involved 
with kind of looking at things 

168
00:08:24,780 --> 00:08:28,700
with a security and access and 
all of that mindset. 

169
00:08:30,020 --> 00:08:32,539
But as a consequence, because I 
kind of fell backwards into that

170
00:08:32,539 --> 00:08:37,580
space, I tend to approach a lot 
of security architecture in a 

171
00:08:37,580 --> 00:08:42,150
way of looking how can we get. 
The most functionality possible 

172
00:08:42,350 --> 00:08:45,030
and still make it secure. 
So focusing on that 

173
00:08:45,030 --> 00:08:48,070
functionality side of things and
it's like okay, this is what we 

174
00:08:48,070 --> 00:08:52,150
want to do, this is what we need
to do and how do we actually, 

175
00:08:52,270 --> 00:08:57,110
you know, make that function 
secure As opposed to how do I 

176
00:08:57,110 --> 00:09:00,390
shut off as much as I can in 
order to make it as secure as 

177
00:09:00,390 --> 00:09:06,310
possible Because at the end of 
the day, a system with tons of 

178
00:09:06,310 --> 00:09:08,870
security and no functionality is
useless. 

179
00:09:09,230 --> 00:09:11,950
But a system with tons of 
functionality and no security is

180
00:09:11,950 --> 00:09:15,790
the most popular app that 
everybody has ever used, right? 

181
00:09:15,790 --> 00:09:17,990
And then this is this is just 
true time and time again. 

182
00:09:18,470 --> 00:09:21,310
Yeah, and I find also to like 
bad security is like a rock and 

183
00:09:21,310 --> 00:09:23,070
a river. 
People will just find a way 

184
00:09:23,550 --> 00:09:26,910
around it. 
And Oh my gosh, yes, it's the in

185
00:09:26,910 --> 00:09:30,150
the workarounds often tend to be
much worse than the thing that 

186
00:09:30,150 --> 00:09:31,790
you were trying to prevent in 
the first place.

187
00:09:32,590 --> 00:09:37,070
You know, we tell people like. 
You know, come up with a 

188
00:09:37,070 --> 00:09:39,750
complicated password that means 
people are just going to write 

189
00:09:39,750 --> 00:09:41,470
it down because they're not 
going to remember it. 

190
00:09:42,870 --> 00:09:49,190
And all of these things end up 
working counter towards the goal

191
00:09:49,190 --> 00:09:52,310
of the security engineering, 
like what you were actually 

192
00:09:52,310 --> 00:09:56,310
trying to do, because it gets in
the way of people actually doing

193
00:09:56,310 --> 00:09:57,990
things. 
And I think that that kind of 

194
00:09:57,990 --> 00:10:01,510
disconnect is a real problem in 
our industry on the security 

195
00:10:01,510 --> 00:10:05,910
side, on the identity side, 
people aren't often looking at. 

196
00:10:06,360 --> 00:10:10,920
Sort of their little slice of 
the world in a bit of a vacuum 

197
00:10:11,200 --> 00:10:14,520
and trying to figure out, like, 
OK, so how can I make my little 

198
00:10:14,520 --> 00:10:17,520
bit the best that it can be 
without looking at the larger 

199
00:10:17,520 --> 00:10:19,480
context of where everything 
comes together? 

200
00:10:20,200 --> 00:10:24,240
In my opinion, there's a there 
is an academic paper that should

201
00:10:24,240 --> 00:10:29,200
be required reading for 
everybody, and that's it's from 

202
00:10:29,200 --> 00:10:34,720
1988 and it's Grudin et al.
Why collaborative? 

203
00:10:35,800 --> 00:10:40,040
Computer supported collaborative
work systems fail, and in this 

204
00:10:40,040 --> 00:10:43,080
paper they look through a 
digital calendaring system that 

205
00:10:43,080 --> 00:10:47,040
was bought by the management of 
a company and then handed to the

206
00:10:47,080 --> 00:10:50,800
admins. 
And as far as the management was

207
00:10:50,800 --> 00:10:53,040
concerned, it had all of the 
features and everything that 

208
00:10:53,040 --> 00:10:54,600
they cared about. 
It was brilliant. 

209
00:10:54,600 --> 00:10:56,840
But the admins who would 
actually manage all of the 

210
00:10:56,840 --> 00:11:00,320
calendars and that were like 
putting things in for these 

211
00:11:00,320 --> 00:11:03,440
executives. 
It was atrociously bad. 

212
00:11:03,890 --> 00:11:09,410
And this disconnect between the 
people that are sort of 

213
00:11:09,410 --> 00:11:12,050
designing and selling the system
and the people that actually 

214
00:11:12,050 --> 00:11:16,570
have to use it to do something 
at the end of the day was just 

215
00:11:17,090 --> 00:11:19,930
insurmountable. 
The entire system was a massive 

216
00:11:19,930 --> 00:11:26,210
failure and led to the writing 
of this paper and and in in my 

217
00:11:26,210 --> 00:11:29,890
in my opinion this paper should 
be like day one reading of 

218
00:11:29,930 --> 00:11:33,450
anybody getting in to really any
type of. 

219
00:11:33,770 --> 00:11:38,290
Human facing computing at all. 
You know, just as you're talking

220
00:11:38,290 --> 00:11:43,770
about this, I'm also thinking of
kind of the security architect 

221
00:11:43,770 --> 00:11:47,930
mindset almost has to be 
creative in a way, right? 

222
00:11:47,930 --> 00:11:52,130
It goes beyond just, you know, 
it's not like a type, a 

223
00:11:52,130 --> 00:11:55,370
personality type, a personality 
kind of. 

224
00:11:56,770 --> 00:12:01,170
I don't want to say it as 
excluding people, but really you

225
00:12:01,170 --> 00:12:03,470
have to. 
Be able to use that left half of

226
00:12:03,470 --> 00:12:06,430
your brain. Mm-hmm.
Yeah, because you need to be

227
00:12:06,430 --> 00:12:10,990
able to think in sort of all of 
the weird ways that people are 

228
00:12:10,990 --> 00:12:16,110
going to use the system or apply
it to things that you can't 

229
00:12:16,110 --> 00:12:19,190
expect and be able to adapt to 
that. 

230
00:12:19,830 --> 00:12:24,300
And, you know, that's. 
Because, you know, 

231
00:12:24,300 --> 00:12:29,500
fundamentally, identity systems 
are all about where this stuff 

232
00:12:29,500 --> 00:12:32,220
starts touching people, where it
starts dealing with people. 

233
00:12:32,580 --> 00:12:36,540
And people are weird and 
squishy, and we do things that 

234
00:12:36,540 --> 00:12:39,380
are, like, really unexpected. 
And so when you're designing a 

235
00:12:39,380 --> 00:12:42,900
security architecture, you have 
to account for that weird and 

236
00:12:42,900 --> 00:12:46,860
squishy stuff. 
Yeah, two of the things that I 

237
00:12:46,900 --> 00:12:51,260
used to do when I was doing some
software engineering. 

238
00:12:51,650 --> 00:12:56,210
Courses and having to write some
programs was I'd find that 

239
00:12:56,930 --> 00:12:59,850
sometimes my brain was very 
active and I had to have like a 

240
00:12:59,850 --> 00:13:02,290
notebook nearby. 
I had to keep a notebook next to

241
00:13:02,290 --> 00:13:04,250
my bed because I could wake up 
in the middle of the night with 

242
00:13:04,250 --> 00:13:08,650
the solution or be going, you 
know, drinking, you know, a lot 

243
00:13:08,650 --> 00:13:11,330
of caffeine. 
And my mind would just become so

244
00:13:11,330 --> 00:13:14,490
active in the ability to kind of
solve some of these problems. 

245
00:13:14,490 --> 00:13:17,090
I'm wondering, is that what you 
experienced as well? 

246
00:13:18,380 --> 00:13:23,140
Yeah, I find that the the 
ability to kind of background 

247
00:13:23,140 --> 00:13:26,740
process hard problems is really 
important when especially when 

248
00:13:26,740 --> 00:13:30,100
you start getting up into sort 
of the architecture level of 

249
00:13:30,100 --> 00:13:32,860
stuff, when you're looking at 
systems and systems of systems 

250
00:13:33,300 --> 00:13:36,660
and how stuff comes together, 
there's there's a lot of stuff 

251
00:13:36,660 --> 00:13:40,380
that you're not going to notice 
right away. 

252
00:13:41,380 --> 00:13:44,730
But. 
If you engage in with the 

253
00:13:44,730 --> 00:13:47,930
problem space, you're going to 
kind of keep thinking about it. 

254
00:13:47,930 --> 00:13:50,210
You're going to kind of like 
keep percolating on it. 

255
00:13:50,810 --> 00:13:55,570
And then you'll come up with 
sort of these, you know, 

256
00:13:55,730 --> 00:13:59,250
interesting and creative 
approaches to things that you 

257
00:13:59,250 --> 00:14:02,050
wouldn't have if you were just 
sitting at a desk saying, I am 

258
00:14:02,050 --> 00:14:07,450
solving this problem right now. 
And so for for my part, you 

259
00:14:07,450 --> 00:14:09,490
know, I'm, I'm an independent 
consultant. 

260
00:14:09,530 --> 00:14:12,290
I have worked from home for the 
last eight years. 

261
00:14:12,330 --> 00:14:17,330
So for me the the whole switch 
to virtual meetings meant that 

262
00:14:17,330 --> 00:14:20,730
everybody else was also working 
from home during all of these 

263
00:14:20,730 --> 00:14:23,010
meetings that it didn't really 
change that part for me. 

264
00:14:23,690 --> 00:14:29,410
But what I've found personally 
helpful is I I ride my bike a 

265
00:14:29,410 --> 00:14:32,410
lot. 
I I do, you know between 10 and 

266
00:14:32,410 --> 00:14:36,690
20 miles a day. 
To just get out there, clear my 

267
00:14:36,690 --> 00:14:42,890
head and let things just kind of
background process and that type

268
00:14:42,970 --> 00:14:50,210
of contemplation I think is not 
really valued enough in the 

269
00:14:50,210 --> 00:14:53,650
technology industries nearly as 
much as it should be because 

270
00:14:53,650 --> 00:14:56,570
that's that's where creativity 
happens that's where this kind 

271
00:14:56,570 --> 00:15:00,020
of like. 
You know, I got an idea of a way

272
00:15:00,020 --> 00:15:01,540
that I might be able to approach
it. 

273
00:15:01,540 --> 00:15:04,420
I don't know if there's 
something there yet, but when I 

274
00:15:04,420 --> 00:15:08,700
get back to my desk, I'm gonna, 
I'm gonna try this thing that I 

275
00:15:08,700 --> 00:15:12,980
hadn't thought of before. 
And you see where that goes, See

276
00:15:12,980 --> 00:15:16,540
where that lands us. 
You know, I think this is this 

277
00:15:16,780 --> 00:15:18,940
is really interesting topic 
because I feel like we 

278
00:15:18,940 --> 00:15:21,760
scheduled. 
We get so busy during the day, 

279
00:15:22,000 --> 00:15:23,040
right? 
You're jumping from meeting to 

280
00:15:23,040 --> 00:15:25,040
meeting to meeting and there's 
no time to think. 

281
00:15:25,680 --> 00:15:28,160
It's just I'm reacting all day 
long, right? 

282
00:15:28,160 --> 00:15:30,520
Absolutely. 
Yeah, I think it's important to 

283
00:15:30,520 --> 00:15:33,320
to, I hate to say it, but 
schedule time to think, right? 

284
00:15:33,320 --> 00:15:35,480
Maybe if you it's bike riding 
for me, it might be playing 

285
00:15:35,480 --> 00:15:38,160
video games you know, whatever 
it may be, right? 

286
00:15:38,600 --> 00:15:40,360
Inspiration can kind of come 
wherever. 

287
00:15:40,360 --> 00:15:43,400
But we don't. 
I I feel like it's a trap that a

288
00:15:43,400 --> 00:15:46,560
lot of us get into is we don't 
actually take the time to think 

289
00:15:46,560 --> 00:15:49,090
about something. 
Yeah, absolutely. 

290
00:15:49,090 --> 00:15:54,130
And it's something that I've had
to explain to some of my clients

291
00:15:54,130 --> 00:15:58,210
over the years is just like, 
well, you know, I am, I am going

292
00:15:58,210 --> 00:16:01,890
to basically, you know, get up 
to speed on this project, which 

293
00:16:01,890 --> 00:16:05,330
means I'm going to go and read a
bunch of stuff and think about 

294
00:16:05,330 --> 00:16:08,650
it and that takes time. 
That doesn't seem like that 

295
00:16:08,650 --> 00:16:12,690
would be a billable activity. 
But me actually writing a 

296
00:16:12,690 --> 00:16:17,770
document for you or developing 
software or, you know, giving 

297
00:16:17,770 --> 00:16:21,090
you guidance on how to engage 
with something, none of that can

298
00:16:21,090 --> 00:16:27,930
actually ever happen unless I 
can get to the state where, you 

299
00:16:27,930 --> 00:16:30,450
know, I have had a chance to 
think about things. 

300
00:16:30,450 --> 00:16:34,330
I have had a chance to start to 
piece these things together and 

301
00:16:34,330 --> 00:16:38,520
be able to bring that forward. 
So yeah, if you need to schedule

302
00:16:38,520 --> 00:16:42,160
time to think, absolutely do it.
I like I I encourage it. Back

303
00:16:42,160 --> 00:16:45,960
when I had, back when I had a 
real job, I used to block out 

304
00:16:46,320 --> 00:16:53,760
parts of my day to to just not 
be in meetings constantly and 

305
00:16:54,160 --> 00:16:56,200
highly encourage people to do 
that. 

306
00:16:56,720 --> 00:17:01,040
You know value your own time. 
And the other thing that took me

307
00:17:01,040 --> 00:17:04,760
way too long to figure out in in
sort of the corporate space. 

308
00:17:05,520 --> 00:17:07,480
That you don't have to go to 
every meeting you're invited to.

309
00:17:08,200 --> 00:17:12,640
Sometimes you can just not go, 
and it feels wrong. 

310
00:17:12,640 --> 00:17:18,160
But you know what it Sometimes 
you're more valuable not being 

311
00:17:18,160 --> 00:17:22,480
at the meeting. 
And that's a really hard lesson 

312
00:17:22,480 --> 00:17:25,520
to learn because we're told 
like, oh, you have to be there. 

313
00:17:25,520 --> 00:17:27,640
You have to be in the room when 
it happens. 

314
00:17:27,640 --> 00:17:30,920
The thing is, like most meetings
is not where things happen, 

315
00:17:31,920 --> 00:17:33,680
right? 
That's that's not really what 

316
00:17:33,680 --> 00:17:37,220
meetings are, are,
are good at. Meetings are not

317
00:17:37,220 --> 00:17:39,740
about getting things done. 
Meetings are about sort of 

318
00:17:40,300 --> 00:17:44,260
getting a direction, getting 
some cohesiveness and then you 

319
00:17:44,260 --> 00:17:46,060
get out of the meeting and get 
things done. 

320
00:17:46,780 --> 00:17:50,060
And so you got to make sure that
you have the time to get things 

321
00:17:50,060 --> 00:17:52,980
done and that's that's really, 
really important. 

322
00:17:54,020 --> 00:17:56,820
Yeah, I I I think we probably 
just end the show right here. 

323
00:17:57,620 --> 00:18:01,020
The the sound clip it, you know,
sound bite is meetings are not 

324
00:18:01,020 --> 00:18:04,300
where you go to get things done.
Yeah, There we go. 

325
00:18:04,300 --> 00:18:06,380
Done. 
Thanks for listening, everyone. 

326
00:18:06,380 --> 00:18:08,060
And yeah, we'll go for the next 
one. 

327
00:18:08,060 --> 00:18:10,260
No, no, I think you're totally 
right on. 

328
00:18:10,620 --> 00:18:14,940
You know, I think a lot of 
people don't understand that 

329
00:18:14,940 --> 00:18:16,740
they control their own schedule,
right? 

330
00:18:17,020 --> 00:18:18,740
And you need to be able to 
control it. 

331
00:18:19,020 --> 00:18:21,380
Or they're told that they don't 
control their own schedule. 

332
00:18:21,500 --> 00:18:22,860
Right. 
And I think sometimes can be 

333
00:18:22,860 --> 00:18:25,100
challenged, especially for maybe
people who are newer in their 

334
00:18:25,100 --> 00:18:27,700
careers, newer with an 
organization, you want to make a

335
00:18:27,700 --> 00:18:29,660
good impression and blah blah, 
blah, right? 

336
00:18:30,260 --> 00:18:31,780
But I think I'm with you. 
It's like, you know the. 

337
00:18:32,120 --> 00:18:35,760
The the older I get and yes, the
higher I go up with an 

338
00:18:35,760 --> 00:18:38,080
organization, I feel like I do 
have more control over things. 

339
00:18:38,080 --> 00:18:40,160
Sometimes I don't. 
I have less control because 

340
00:18:40,160 --> 00:18:41,960
sometimes there are things like,
no, you have to be there. 

341
00:18:41,960 --> 00:18:46,160
And 100% it is going to be a 
waste of my time, but I need to 

342
00:18:46,160 --> 00:18:49,240
be there, so be it, right. 
Those are there will always be 

343
00:18:49,240 --> 00:18:50,760
those. 
But yeah, I think this is 

344
00:18:50,760 --> 00:18:52,000
something I talk about with my 
team. 

345
00:18:52,000 --> 00:18:54,640
Jim knows this as well as you 
know, you control your schedule.

346
00:18:55,040 --> 00:18:58,200
It's okay to say no. 
I had a manager once, very long 

347
00:18:58,200 --> 00:18:59,640
time ago, my food service 
career. 

348
00:19:00,210 --> 00:19:01,650
The customer is not always 
right. 

349
00:19:02,690 --> 00:19:06,650
Absolutely. 
So it's it's funny that it, it's

350
00:19:06,850 --> 00:19:08,690
fascinating to me that you 
brought up that phrase because 

351
00:19:08,690 --> 00:19:11,930
one of the things that I did 
learn, so I previously worked 

352
00:19:11,930 --> 00:19:13,930
for a company called MITRE for
15 years. 

353
00:19:14,450 --> 00:19:16,610
They're a big systems 
engineering company, do a lot of

354
00:19:16,610 --> 00:19:18,290
research for the US federal 
government. 

355
00:19:18,810 --> 00:19:23,490
And one of the things that I 
really got to learn while I was 

356
00:19:23,490 --> 00:19:27,730
there at MITRE was that the
customers that we were talking 

357
00:19:27,730 --> 00:19:31,710
to, it was. 
They would come and tell you 

358
00:19:31,710 --> 00:19:34,270
what they wanted you to make, 
right? 

359
00:19:34,270 --> 00:19:37,870
I need you to build this system.
But the thing that the customer 

360
00:19:37,870 --> 00:19:40,870
says, the thing that the 
customer wants and the thing 

361
00:19:40,870 --> 00:19:44,590
that the customer needs are 
three very, very different 

362
00:19:44,590 --> 00:19:47,750
things. 
But it was really impressed upon

363
00:19:47,750 --> 00:19:50,590
us, in my group at least, that 
it was our job to be able to 

364
00:19:50,590 --> 00:19:54,230
figure that out and be able to 
articulate to the customer that 

365
00:19:54,230 --> 00:19:57,910
like, well, hey, OK, you, you 
said you needed something that 

366
00:19:57,910 --> 00:20:02,350
did this. 
But your actual problem that 

367
00:20:02,350 --> 00:20:05,630
we're seeing is actually more 
like this. 

368
00:20:05,670 --> 00:20:08,110
And so we're looking at doing 
this type of thing. 

369
00:20:08,630 --> 00:20:11,390
And because we were a research 
arm, we could be a, you know, a 

370
00:20:11,390 --> 00:20:15,310
little bit more like, hey, 
here's a weird thing that we, we

371
00:20:15,310 --> 00:20:17,350
think is going to address 
something and here's why. 

372
00:20:17,590 --> 00:20:20,590
And our customers were a little,
little more accepting of that. 

373
00:20:21,590 --> 00:20:25,070
But you know, you you need to be
able to at least tell the 

374
00:20:25,070 --> 00:20:27,670
difference between those things 
and be able to tell that story. 

375
00:20:28,290 --> 00:20:31,770
A diplomatic customer friendly. 
Absolutely, absolutely. 

376
00:20:32,250 --> 00:20:35,850
One of the other things that I 
that I'm really grateful for. 

377
00:20:36,570 --> 00:20:40,090
You know, my my department head 
at MITRE taught me that it 

378
00:20:40,090 --> 00:20:42,850
doesn't matter how right you are
if nobody's listening to you. 

379
00:20:44,290 --> 00:20:48,170
And that as a you know, hot 
headed young engineer, that was 

380
00:20:48,170 --> 00:20:53,010
a really hard lesson for me to 
learn in my 20s and it took took

381
00:20:53,010 --> 00:20:56,770
me a long time and I'm still 
learning it, I'm sure. 

382
00:20:58,160 --> 00:21:00,480
It's a but it is absolutely a 
journey. 

383
00:21:00,480 --> 00:21:03,880
It is absolutely a journey. 
But, you know, you need to be 

384
00:21:03,880 --> 00:21:08,440
able to bring people along on 
that story and be able to sort 

385
00:21:08,440 --> 00:21:11,400
of engage with people that it's 
not just hi, here's the 

386
00:21:11,400 --> 00:21:12,920
solution. 
Shut up and do it. 

387
00:21:12,920 --> 00:21:16,400
It's hi, here's the solution and
here's here's why I care. 

388
00:21:16,640 --> 00:21:19,920
Here's why you care and figure 
that out. 

389
00:21:20,440 --> 00:21:24,320
Especially especially in cases 
where. 

390
00:21:24,780 --> 00:21:27,580
You're going to be wrong in some
way or another and you just 

391
00:21:27,580 --> 00:21:32,180
don't know how yet. 
And so being able to have that 

392
00:21:32,180 --> 00:21:35,820
conversation of like yes we need
to do this and have somebody be 

393
00:21:35,820 --> 00:21:39,820
like but that's going to break 
my database and it's like okay, 

394
00:21:39,820 --> 00:21:41,580
why is that going to break your 
database. 

395
00:21:41,780 --> 00:21:47,060
Let's let's figure that out and 
and it it may upend the entire 

396
00:21:47,060 --> 00:21:50,330
set of you know. 
Poorly defined requirements that

397
00:21:50,330 --> 00:21:51,810
you were working with in the first
place. 

398
00:21:51,810 --> 00:21:54,330
Or it may just be a little 
tweak to something. You don't 

399
00:21:54,330 --> 00:21:55,850
know until you have that 
conversation. 

400
00:21:56,170 --> 00:21:58,650
I wanted to throw out a couple 
since we're all sharing nuggets.

401
00:21:58,650 --> 00:22:02,410
I think some of the one of the 
early career nuggets and it kind

402
00:22:02,410 --> 00:22:06,050
of goes with the you don't have 
to be in every meeting is that 

403
00:22:06,290 --> 00:22:10,530
it's better to be known for one 
really awesome thing instead of 

404
00:22:10,770 --> 00:22:13,490
a couple of mediocre things you 
know. 

405
00:22:13,490 --> 00:22:15,610
So if you get so spread out it's
like, yeah, you're on every 

406
00:22:15,610 --> 00:22:19,130
project and. 
We all go okay, that's not as 

407
00:22:19,130 --> 00:22:22,450
good as like, hey, you're on 
this digital identity project 

408
00:22:22,450 --> 00:22:25,010
and it was awesome. 
Like it changed the way the 

409
00:22:25,010 --> 00:22:27,290
organization works. 
That's my experience. 

410
00:22:27,290 --> 00:22:33,210
Anyway, #2 later in your career 
is kind of, I guess, know 

411
00:22:33,210 --> 00:22:36,050
thyself, know what really gets 
you. 

412
00:22:36,330 --> 00:22:40,930
So for me, digital identity if I
focus on digital identity 

413
00:22:40,930 --> 00:22:43,080
though. 
I'm probably not going to be the

414
00:22:43,080 --> 00:22:44,760
CEO of a major corporation, 
right? 

415
00:22:44,760 --> 00:22:48,040
Probably not even going to be 
the CSO or the CIO, because I 

416
00:22:48,040 --> 00:22:51,400
love digital identity so much. 
I want to focus on that. 

417
00:22:51,720 --> 00:22:54,520
I want to talk about that. 
I want to have a podcast on that

418
00:22:54,840 --> 00:22:55,800
and nobody. 
Will listen to. 

419
00:22:55,800 --> 00:22:58,000
That, but that's what makes me 
happy. 

420
00:22:58,440 --> 00:22:59,640
Right. 
Right. 

421
00:22:59,720 --> 00:23:03,720
And I feel good about what I do.
And I I'm able to get up in the 

422
00:23:03,720 --> 00:23:05,680
morning and have energy for 
work. 

423
00:23:07,000 --> 00:23:09,880
But and here's the third thing, 
this is not a career thing, but 

424
00:23:09,880 --> 00:23:12,280
this is the life thing. 
Is even though we talked about 

425
00:23:12,280 --> 00:23:15,080
like okay, you have to be able 
to have this time to think. 

426
00:23:15,480 --> 00:23:18,840
You're also at some point need 
to shut off. 

427
00:23:19,400 --> 00:23:22,800
I had a friend his his sage 
advice was everybody's got to 

428
00:23:22,800 --> 00:23:25,400
waste some time. 
Maybe it's you know the the 

429
00:23:25,400 --> 00:23:29,080
video games or whatever it is, 
but you you've got to have more 

430
00:23:29,080 --> 00:23:32,000
interest than work and maybe 
everybody knows this. 

431
00:23:32,160 --> 00:23:35,600
But if you're in that mode where
it's like you work all day and 

432
00:23:35,600 --> 00:23:38,000
then you plan your weekends 
around how you're going to get 

433
00:23:38,000 --> 00:23:40,780
all your work done. 
Then your life's not going to be

434
00:23:40,940 --> 00:23:43,500
something you really look back 
on and you're like, yeah, I 

435
00:23:43,500 --> 00:23:47,020
actually did something. 
You've got to have some some 

436
00:23:47,020 --> 00:23:49,060
time. 
So you're building a a life. 

437
00:23:49,340 --> 00:23:50,260
Anyway, I'll stop. 
There. 

438
00:23:50,620 --> 00:23:52,700
No, I I absolutely agree. 
I have. 

439
00:23:52,700 --> 00:23:55,940
I have three young kids and they
definitely help keep me 

440
00:23:55,940 --> 00:23:59,260
grounded. 
I've been lately been playing 

441
00:23:59,260 --> 00:24:03,740
through the new Legend of Zelda 
game and my middle kid, they're 

442
00:24:03,740 --> 00:24:06,660
ten years old. 
And they will just sit on the 

443
00:24:06,660 --> 00:24:10,020
couch with me while I'm playing 
it and be like, oh dad, let's go

444
00:24:10,020 --> 00:24:11,540
that, oh, we need to go get this
thing. 

445
00:24:11,540 --> 00:24:15,060
And and like, they're not 
actually playing the game, but 

446
00:24:15,060 --> 00:24:18,820
they are so engaged with it that
that's like, you know, that's 

447
00:24:18,820 --> 00:24:22,060
something that like it'll be 
getting towards the end of the 

448
00:24:22,060 --> 00:24:25,820
day and I'll, you know, come up 
upstairs from my home office and

449
00:24:25,820 --> 00:24:30,770
they'll be like Zelda. 
And and it's just like, all 

450
00:24:30,770 --> 00:24:35,170
right, give me 5 minutes to go 
deploy this thing and then yeah,

451
00:24:35,210 --> 00:24:38,410
then we'll then we'll go play 
and then 10 minutes later get a 

452
00:24:38,410 --> 00:24:40,010
knock on my door. 
Dad, Zelda. 

453
00:24:40,650 --> 00:24:43,650
And you know, it's it is 
absolutely important to be able 

454
00:24:43,650 --> 00:24:47,170
to to do that kind of thing. 
100% agree. 

455
00:24:47,450 --> 00:24:48,890
It's definitely not a waste of 
time. 

456
00:24:48,890 --> 00:24:51,730
We might think other people 
might say you're wasting your 

457
00:24:51,730 --> 00:24:53,770
time, but it's actually well 
used time. 

458
00:24:54,570 --> 00:24:57,210
Absolutely. 
And it all, it all comes down to

459
00:24:57,210 --> 00:25:00,130
how you measure value, right? 
What? 

460
00:25:00,130 --> 00:25:01,930
What value are you getting out 
of the time? 

461
00:25:01,930 --> 00:25:05,690
And all of your time shouldn't 
just go to creating value for 

462
00:25:05,690 --> 00:25:07,970
somebody else's company. 
Boom mic drop. 

463
00:25:09,010 --> 00:25:11,410
There it is. 
I no this I do not want to drop 

464
00:25:11,410 --> 00:25:12,130
this microphone. 
I'm. 

465
00:25:12,250 --> 00:25:13,770
Sorry, no, that's a very nice 
microphone. 

466
00:25:15,170 --> 00:25:16,810
All right, let's get back a 
little bit on track because I 

467
00:25:16,810 --> 00:25:18,770
love that conversation. 
But I do want to get a little 

468
00:25:18,770 --> 00:25:22,170
bit more about some of the stuff
you worked on and as a. 

469
00:25:22,820 --> 00:25:25,620
Multitalented individual right? 
An identity. 

470
00:25:25,780 --> 00:25:29,380
And Speaking of articulation, 
you've written a book in this 

471
00:25:29,380 --> 00:25:31,460
area. 
It's called OAuth 2 in Action. 

472
00:25:31,900 --> 00:25:35,180
It always fascinates me when 
someone can put pen to paper and

473
00:25:35,180 --> 00:25:39,060
actually have the, I don't know 
the the work ethic or whatever 

474
00:25:39,060 --> 00:25:41,100
it is, sit down and write any 
sort of book. 

475
00:25:41,100 --> 00:25:43,820
But what was the impetus for 
creating that? 

476
00:25:43,820 --> 00:25:46,100
And I guess for people who want 
to check it out, give me like 

477
00:25:46,100 --> 00:25:48,660
the 30-second, like back cover 
synopsis for it because we'll 

478
00:25:48,660 --> 00:25:51,140
have a we'll have a link in our 
show notes for this as well. 

479
00:25:52,220 --> 00:25:54,620
Man. 
So yeah, the book creating it 

480
00:25:54,620 --> 00:25:57,180
was was sort of an interesting 
story. 

481
00:25:57,180 --> 00:26:01,740
I was actually approached by my 
coauthor, Antonio Sanso, who 

482
00:26:03,380 --> 00:26:07,500
wanted to write this book, 
didn't want to do it himself. 

483
00:26:07,500 --> 00:26:11,100
He's a security researcher at 
the time, he was with Adobe and 

484
00:26:11,100 --> 00:26:13,620
he's working on Ethereum now or 
something like that. 

485
00:26:13,980 --> 00:26:20,060
And but really, really, really 
smart guy, really smart security

486
00:26:20,060 --> 00:26:23,890
engineer. 
But he approached me like, you 

487
00:26:23,890 --> 00:26:27,050
know, hey, there's there's kind 
of a hole in the market for a 

488
00:26:27,170 --> 00:26:31,530
book about OAuth that actually 
takes things from start to 

489
00:26:31,530 --> 00:26:34,970
finish and explains all of the 
different parts of it and why 

490
00:26:34,970 --> 00:26:39,570
they work that way. 
And and I kind of at that point,

491
00:26:39,570 --> 00:26:42,330
I kind of looked around and I 
was just like he was, he was 

492
00:26:42,330 --> 00:26:44,490
absolutely right. 
You know, the, the books that 

493
00:26:44,490 --> 00:26:47,970
were out there were how to build
an OAuth client that connects to

494
00:26:47,970 --> 00:26:50,970
GitHub, how to log in with 
Google. 

495
00:26:51,260 --> 00:26:54,620
How to use the Facebook API. 
All of those were books that 

496
00:26:54,620 --> 00:26:58,100
would teach you parts of OAuth 
but weren't teaching you OAuth 

497
00:26:58,100 --> 00:27:01,060
for its own sake. 
And that's what we set out to 

498
00:27:01,060 --> 00:27:03,540
do. 
So going through the reader 

499
00:27:03,540 --> 00:27:07,500
learns, learns how to build a, 
you know, because I'm, I'm an 

500
00:27:07,500 --> 00:27:10,580
engineer, I build things, you 
know, it's not real unless I'm 

501
00:27:10,580 --> 00:27:13,340
building it. 
And so going through the book, 

502
00:27:13,340 --> 00:27:16,220
you build an authorization 
server, you build a couple of 

503
00:27:16,220 --> 00:27:19,180
different flavors of client, you
build a resource server. 

504
00:27:19,590 --> 00:27:21,230
And you connect them all 
together and they're all 

505
00:27:21,270 --> 00:27:25,870
actually standards compliant, 
That we do have a banner in the 

506
00:27:25,870 --> 00:27:29,270
book that says do not use any of
this in a production system, 

507
00:27:29,270 --> 00:27:34,110
please. 
And I have mostly held to my own

508
00:27:34,110 --> 00:27:39,030
advice on that. 
That's another story though, but

509
00:27:39,030 --> 00:27:43,630
we wanted people to be able to. 
Sit down, and even if you know 

510
00:27:43,630 --> 00:27:47,070
in their day job, they're only 
using one tiny little bit of it,

511
00:27:47,070 --> 00:27:50,190
like they're just writing a 
client or they're just 

512
00:27:50,190 --> 00:27:53,430
protecting an API. 
We wanted them to be able to 

513
00:27:53,430 --> 00:27:56,550
know what all of the other 
moving parts were that were that

514
00:27:56,550 --> 00:27:58,950
were out there and why they were
moving that way. 

515
00:27:59,430 --> 00:28:02,310
Like, why do I have to do all 
these redirects and all of these

516
00:28:02,310 --> 00:28:04,470
backchannel calls and all of 
this other stuff? 

517
00:28:04,870 --> 00:28:08,430
Why do I have to deal with 
authorization codes and PKCE 

518
00:28:08,430 --> 00:28:12,660
and all of this other craziness?
Because the danger is always 

519
00:28:12,660 --> 00:28:16,580
somebody looking at a protocol 
like OAuth and seeing all of the

520
00:28:16,580 --> 00:28:19,980
moving pieces and going, you 
know what, that's really messed 

521
00:28:19,980 --> 00:28:21,380
up. 
I can come up with something 

522
00:28:21,380 --> 00:28:24,580
that is just as secure and way 
easier to build. 

523
00:28:25,020 --> 00:28:28,100
And the truth is that it's like 
you can't. 

524
00:28:28,980 --> 00:28:31,660
You know you're you're going to 
come up with something. 

525
00:28:31,660 --> 00:28:34,820
It might be really, really 
clever, but it won't have had 

526
00:28:34,820 --> 00:28:38,580
the kind of scrutiny that an 
international standard like this

527
00:28:38,580 --> 00:28:42,190
has and all of those. 
Bits and pieces are there for a 

528
00:28:42,190 --> 00:28:44,350
reason. 
Is it always the best reason? 

529
00:28:44,750 --> 00:28:47,790
No. 
But there is a reason behind it.

530
00:28:47,830 --> 00:28:53,190
And So what we wanted to do with
this book was to bring people 

531
00:28:53,190 --> 00:28:56,990
through everything that was 
there and sort of show them what

532
00:28:56,990 --> 00:29:00,390
the reasons were, that things 
worked the way that they the way

533
00:29:00,390 --> 00:29:02,870
that they did. 
So if I don't know anything 

534
00:29:02,870 --> 00:29:06,550
about OAuth 2, can I put pick 
this book up and and have a an 

535
00:29:06,550 --> 00:29:09,270
appreciation for it? 
Or is there some prerequisite 

536
00:29:09,270 --> 00:29:11,840
knowledge that I need? 
No, I think you can. 

537
00:29:11,840 --> 00:29:15,360
You can basically come in cold. 
We tried to, we tried to write 

538
00:29:15,360 --> 00:29:19,520
it to an audience of people who 
had either heard of OAuth or 

539
00:29:19,520 --> 00:29:23,240
were told that they are using 
OAuth and needed to needed to 

540
00:29:23,240 --> 00:29:27,320
start making sense of it. 
It used to be the case that the 

541
00:29:27,320 --> 00:29:30,320
publisher put the first two 
chapters online for free. 

542
00:29:30,870 --> 00:29:35,990
And honestly, I would say go go 
read those two and to give you 

543
00:29:35,990 --> 00:29:40,030
an idea of how how the protocol 
sort of fundamentally works the 

544
00:29:40,030 --> 00:29:43,750
way that it does. 
I do like the cover of like a 

545
00:29:43,750 --> 00:29:46,550
pirate or I'm not sure what 
that's supposed to be. 

546
00:29:46,550 --> 00:29:48,070
It's like he must be here or 
something. 

547
00:29:48,110 --> 00:29:52,910
He is a. 
Croatian rifleman, so this is 

548
00:29:53,030 --> 00:29:56,730
part of the. 
Part of the branding of that 

549
00:29:56,730 --> 00:29:59,930
particular series of books from 
this publisher is that they get 

550
00:30:00,490 --> 00:30:05,050
very localized period costumes 
for people. 

551
00:30:05,490 --> 00:30:08,450
And when Antonio and I were 
looking at the different options

552
00:30:08,450 --> 00:30:12,690
that they were presenting us 
with, well, the first one that 

553
00:30:12,690 --> 00:30:19,650
we picked was this amazing 
illustration of this guy in 

554
00:30:19,650 --> 00:30:22,660
like. 
Full chainmail armor with like a

555
00:30:22,660 --> 00:30:26,380
4 1/2 foot sword out in front of
them and we're like, yes, yes, 

556
00:30:26,380 --> 00:30:30,940
that that's that's going, but 
apparently apparently the like 

557
00:30:30,940 --> 00:30:32,780
the head publisher came back 
with no, that's the wrong 

558
00:30:32,780 --> 00:30:36,540
historical period for this 
security book and we're like, we

559
00:30:36,540 --> 00:30:38,780
don't know why what. 
Does it even mean I? 

560
00:30:39,100 --> 00:30:42,140
Know exactly. 
So we we went with a second 

561
00:30:42,140 --> 00:30:45,780
option which was this guy and 
he's. 

562
00:30:46,720 --> 00:30:49,280
A rifleman from a village in 
Croatia. 

563
00:30:49,280 --> 00:30:53,560
I'd have to, I'd have to go back
through my archives to to get 

564
00:30:53,560 --> 00:30:58,200
the information of where. 
But yeah, that was, that was 

565
00:30:58,200 --> 00:31:04,520
apparently the sort of the the 
local dress for like you know 

566
00:31:05,000 --> 00:31:08,440
the militia and guardsmen and 
and stuff like that at the time.

567
00:31:09,160 --> 00:31:10,040
I like it. 
I dig it. 

568
00:31:10,200 --> 00:31:12,160
Check it out in our show notes. 
And the mustache. 

569
00:31:13,240 --> 00:31:17,320
But it is, and like the bandana 
anyway. 

570
00:31:17,320 --> 00:31:20,600
The the next thing I want to ask
about is Cards Against Identity,

571
00:31:20,760 --> 00:31:25,360
which is probably the opposite 
of serious OAuth 2 talk, but has

572
00:31:25,360 --> 00:31:30,080
taken the Identity Identity 
industry by storm I would say. 

573
00:31:30,320 --> 00:31:34,440
A very small storm, but yeah. 
What is Cards Against Identity? 

574
00:31:34,920 --> 00:31:37,200
Well, I'm sure a lot of your 
listeners will be familiar with 

575
00:31:37,200 --> 00:31:40,240
the game Cards Against Humanity.
It is a party game that. 

576
00:31:41,520 --> 00:31:43,640
Really kind of came to 
prominence about a decade ago, I

577
00:31:43,640 --> 00:31:48,240
think at this point. 
And the the conceit of the game 

578
00:31:48,240 --> 00:31:52,760
is that one person basically 
lays out a prompt and everybody 

579
00:31:52,760 --> 00:31:56,040
else that's playing provides an 
answer to fulfill that prompt. 

580
00:31:56,600 --> 00:32:01,040
And it became famous because it 
took that basic game mechanic 

581
00:32:01,040 --> 00:32:04,840
and just made it really raunchy 
and funny and just. 

582
00:32:05,310 --> 00:32:07,030
It's with the right group of 
people. 

583
00:32:07,030 --> 00:32:10,430
It is absolutely hilarious. 
Raunchy is not even approaching 

584
00:32:10,430 --> 00:32:12,190
the level of. 
That's. 

585
00:32:12,510 --> 00:32:14,430
Hilarious filth that is part of 
this. 

586
00:32:15,350 --> 00:32:19,230
I have played some some third 
party expansion decks that make 

587
00:32:19,230 --> 00:32:23,430
this one look almost kid safe. 
Try explaining to your 

588
00:32:23,430 --> 00:32:26,110
stepmother what certain things 
are. 

589
00:32:26,940 --> 00:32:29,540
In the middle of the game. 
I absolutely have a story about 

590
00:32:29,540 --> 00:32:32,460
that, but I don't think it is 
appropriate for this podcast, so

591
00:32:32,900 --> 00:32:35,060
maybe I'll catch you guys. 
After right of that game, 

592
00:32:35,580 --> 00:32:37,380
absolutely. 
Regardless, that's Cards Against

593
00:32:37,380 --> 00:32:40,980
Humanity, the base game. 
And so one of the things that 

594
00:32:40,980 --> 00:32:43,100
they do with copies of this game
is that they will send you a 

595
00:32:43,100 --> 00:32:46,420
bunch of blank cards so that you
can basically put in your own 

596
00:32:46,420 --> 00:32:48,140
house rules and things like 
that. 

597
00:32:48,660 --> 00:32:54,020
And there was a group of people 
that were floating around the. 

598
00:32:55,040 --> 00:32:59,080
You know the identity conference
circuit that had started to 

599
00:32:59,080 --> 00:33:03,240
collect a bunch of these house 
cards that had identity themed 

600
00:33:03,240 --> 00:33:06,000
jokes on them. 
And so one of the answer cards 

601
00:33:06,000 --> 00:33:11,200
was the entire, the entire 
WS-* documentation, which is a 

602
00:33:11,200 --> 00:33:15,160
horrifying, you know, answer to 
anybody who's ever had to touch 

603
00:33:15,160 --> 00:33:21,870
WS-* and so. 
I got invited to one of these 

604
00:33:21,870 --> 00:33:25,310
card games at the Cloud Identity
Summit way back in the day, the 

605
00:33:25,390 --> 00:33:30,990
predecessor to Identiverse, and 
it was an absolutely hilarious 

606
00:33:30,990 --> 00:33:33,670
game or like people were dying 
laughing. 

607
00:33:33,670 --> 00:33:38,270
It was it was amazing to just be
in a room with all of these 

608
00:33:38,270 --> 00:33:42,510
brilliant identity nerds making 
horrible, horrible jokes with 

609
00:33:42,510 --> 00:33:45,350
each other and and it was a 
great time. 

610
00:33:45,830 --> 00:33:50,560
So fast forward a few years. 
And I was actually working on 

611
00:33:50,560 --> 00:33:55,840
publishing a board game I had 
run a I think at that point I 

612
00:33:55,840 --> 00:33:59,360
had just started to set up a 
Kickstarter for it was going to 

613
00:33:59,360 --> 00:34:02,000
launch it. 
That game is called Gridlock 

614
00:34:02,000 --> 00:34:07,680
Boston and it's you can find it 
under the bespoke website or I'm

615
00:34:07,680 --> 00:34:10,199
sure we can drop a link in the 
info bar too. 

616
00:34:10,719 --> 00:34:15,800
But as I was working on 
prototyping that game I realized

617
00:34:15,800 --> 00:34:19,540
that the. 
Small publisher that I was using

618
00:34:20,100 --> 00:34:24,260
could just print cards. 
And then I had the idea one day,

619
00:34:24,260 --> 00:34:29,020
like I could make Cards Against 
Identity an actual real deck. 

620
00:34:29,620 --> 00:34:34,620
And so I got out my draftsman's 
ruler and, you know, tried to 

621
00:34:34,620 --> 00:34:38,780
calculate the font pitch and the
spacing from the margins and all

622
00:34:38,780 --> 00:34:42,460
of this other stuff to get cards
that could match as closely as I

623
00:34:42,460 --> 00:34:45,500
could get them to the base Cards
Against Humanity game. 

624
00:34:45,980 --> 00:34:50,389
And then I. 
I came up with a bunch of cards,

625
00:34:50,590 --> 00:34:54,150
some of which were from that 
house deck that I remembered, 

626
00:34:54,150 --> 00:34:58,110
like the WS-* documentation 
is in there in the initial deck,

627
00:34:58,910 --> 00:35:02,430
and then added a bunch more of 
my own that I thought was 

628
00:35:02,430 --> 00:35:05,430
hilarious. 
Like one of Ian Glazer's socks is 

629
00:35:05,430 --> 00:35:09,190
one of the favorite ones from 
the first year and really just 

630
00:35:09,190 --> 00:35:11,350
tried to try to just have a lot 
of fun with it. 

631
00:35:11,350 --> 00:35:13,630
And to me it was going to be 
just this is a one-off project, 

632
00:35:13,630 --> 00:35:16,510
this is ridiculous and we're 
just going to we're going to do 

633
00:35:16,510 --> 00:35:21,240
that and. 
Whatever I brought it to, I 

634
00:35:21,240 --> 00:35:23,240
think it might have been 
Identiverse at that point. 

635
00:35:23,640 --> 00:35:29,200
And somebody who lived in the 
area was actually having a a 

636
00:35:29,200 --> 00:35:33,720
party the day before, a house 
party the day before the 

637
00:35:33,720 --> 00:35:37,360
conference started. 
So I was there with my box of 

638
00:35:37,360 --> 00:35:41,840
cards, and I sold out my box of 
cards that I had printed at that

639
00:35:41,840 --> 00:35:44,700
house party. 
Now I'd only printed like, I 

640
00:35:44,700 --> 00:35:47,700
want to say like 30 copies or 
something like that, 20 or 30 

641
00:35:47,700 --> 00:35:50,140
copies. 
And so, you know, it wasn't that

642
00:35:50,140 --> 00:35:54,060
many, but I was just like, wait,
people actually want that? 

643
00:35:54,100 --> 00:35:57,660
I figured I would just be like, 
shuffling this around to a to 

644
00:35:57,660 --> 00:35:59,980
like a couple of my friends and 
I'd be going home with half of 

645
00:35:59,980 --> 00:36:03,660
this box. 
But yeah, no, it it it sold out 

646
00:36:03,660 --> 00:36:06,420
before the conference started. 
And I realized like there, there

647
00:36:06,420 --> 00:36:07,900
might be something interesting 
here. 

648
00:36:08,620 --> 00:36:11,580
And so almost every year since 
then, I've tried to. 

649
00:36:12,900 --> 00:36:18,260
You know put together a new deck
that I release each year and 

650
00:36:18,700 --> 00:36:21,820
with jokes that I find 
interesting and topical. 

651
00:36:21,820 --> 00:36:25,860
Some people will write to me 
with an idea or you know I I get

652
00:36:26,060 --> 00:36:29,500
DMs on the IDPro Slack every 
now and again of like hey, this 

653
00:36:29,500 --> 00:36:33,740
would be a great card for next 
year and try to try to work them

654
00:36:33,740 --> 00:36:36,660
in when when they make sense 
and. 

655
00:36:37,990 --> 00:36:40,590
Yeah, I've been I've there have 
been 4 editions. 

656
00:36:40,590 --> 00:36:43,870
Now I'm planning on doing 
another one next year and it's 

657
00:36:43,870 --> 00:36:46,950
it's it's a blast. 
My favorite experience with the 

658
00:36:46,950 --> 00:36:50,110
game though has to be at the 
OAuth Security Workshop last 

659
00:36:50,110 --> 00:36:55,590
year because I brought at that 
point the three decks that have 

660
00:36:55,590 --> 00:36:59,430
been published of Cards Against 
Identity and somebody brought 

661
00:36:59,430 --> 00:37:02,910
their base game of Cards Against
Humanity, which allows you some 

662
00:37:02,910 --> 00:37:06,470
wonderful combinations, like you
know the question card of why is

663
00:37:06,470 --> 00:37:08,820
mommy crying? 
And you can answer that with 

664
00:37:09,100 --> 00:37:13,380
SAML, right? 
It just amazing bits like that. 

665
00:37:13,380 --> 00:37:18,740
And so here, here we were, a 
bunch of drunken security 

666
00:37:18,740 --> 00:37:24,100
engineers playing this game and 
just falling over, laughing at 

667
00:37:24,100 --> 00:37:29,380
ourselves because it was just so
absurd, so funny, and probably 

668
00:37:29,380 --> 00:37:31,580
one of the best times I've ever 
had at a conference. 

669
00:37:31,620 --> 00:37:35,160
It was, it was a great time. 
I can't believe I'm going to do 

670
00:37:35,160 --> 00:37:37,000
this, but I'm going to waste one
of my questions. 

671
00:37:37,080 --> 00:37:40,360
Definitely lets me ask so many 
questions per episode, but I'm 

672
00:37:40,360 --> 00:37:45,080
going to ask what is WS-* for
people who didn't live through 

673
00:37:45,080 --> 00:37:46,720
that? 
Oh my gosh. 

674
00:37:47,320 --> 00:37:52,800
So imagine that you're trying to
solve security by writing 

675
00:37:52,800 --> 00:37:57,440
documents that only can be read 
by automatically generated 

676
00:37:57,440 --> 00:38:01,040
document readers. 
So you actually have to write 

677
00:38:01,040 --> 00:38:03,520
code that writes the code that 
reads the code that your code 

678
00:38:03,520 --> 00:38:09,340
wrote. 
And in a nutshell, that's that 

679
00:38:09,340 --> 00:38:12,980
is security based on WS-*. 
It's the web security family of 

680
00:38:12,980 --> 00:38:16,380
standards and there's a lot of 
great concepts in there that 

681
00:38:16,380 --> 00:38:20,700
live on today. 
OAuth in a lot of ways is is a, 

682
00:38:21,460 --> 00:38:25,060
you know an actual functional 
and usable version of some of 

683
00:38:25,060 --> 00:38:26,980
the delegation patterns in 
WS-*. 

684
00:38:28,100 --> 00:38:31,340
You know, and SAML takes some 
of the the. 

685
00:38:32,430 --> 00:38:36,630
Assertion patterns and stuff 
from WS-*, but WS-* itself

686
00:38:36,630 --> 00:38:40,150
is just one of those things that
is like so complex. 

687
00:38:40,150 --> 00:38:45,070
End to end. 
It is, it is nearly inscrutable.

688
00:38:46,390 --> 00:38:50,990
And so with with the joke card 
being the WS-* documentation,

689
00:38:52,310 --> 00:38:56,270
it's it's a terrifying thing to 
ever be handed to read. 

690
00:38:57,670 --> 00:39:01,150
So I know that you are a 
musician. 

691
00:39:02,290 --> 00:39:04,450
A game designer? 
An author? 

692
00:39:04,930 --> 00:39:06,530
A security and standards 
architect? 

693
00:39:06,530 --> 00:39:08,050
So what's the common thread 
there? 

694
00:39:08,250 --> 00:39:11,570
I get interested in a lot of 
things and I've been very lucky 

695
00:39:11,570 --> 00:39:13,770
to be able to pursue a bunch of 
those. 

696
00:39:14,450 --> 00:39:19,130
A lot of the common thread 
though, I think is these are 

697
00:39:19,130 --> 00:39:24,250
things that that encourage a 
creative approach and like we 

698
00:39:24,250 --> 00:39:27,690
were talking about earlier, I 
believe with. 

699
00:39:28,500 --> 00:39:31,580
You know, architecture, 
security, architecture really 

700
00:39:31,740 --> 00:39:35,140
kind of takes a takes a creative
mindset. 

701
00:39:35,660 --> 00:39:38,140
You know that that ability to 
contemplate that ability to 

702
00:39:38,140 --> 00:39:41,860
think of how things might go 
wrong or might go right and what

703
00:39:41,860 --> 00:39:47,140
does that mean in that context? 
You really need to be able to to

704
00:39:47,140 --> 00:39:52,660
create those worlds in your head
and also share those worlds with

705
00:39:52,940 --> 00:39:54,860
the other people that you were 
working with. 

706
00:39:56,130 --> 00:39:58,450
And that takes a certain amount 
of creativity. 

707
00:39:59,130 --> 00:40:01,770
The other thing that they have 
common is that they all work 

708
00:40:01,770 --> 00:40:06,850
within constraints. 
So you know, a book has like a 

709
00:40:06,850 --> 00:40:09,970
technical book, especially 
you've got chapters and indices 

710
00:40:09,970 --> 00:40:13,410
and examples and things like 
that music, you've got scales 

711
00:40:13,410 --> 00:40:16,290
and modes and forms and timbre 
and all of this other stuff. 

712
00:40:16,770 --> 00:40:19,970
Game design is literally all 
just math and spreadsheets under

713
00:40:19,970 --> 00:40:22,730
the hood, even if if you don't 
realize it. 

714
00:40:23,810 --> 00:40:27,250
Like writing a board game is 
sitting down and doing a lot of 

715
00:40:27,250 --> 00:40:30,930
weird math to make sure that 
nobody playing your game feels 

716
00:40:30,930 --> 00:40:34,490
like they're doing weird math. 
So it's kind of like the 

717
00:40:34,490 --> 00:40:38,410
creative side of like, I wanna 
create this cool thing and I 

718
00:40:38,410 --> 00:40:40,970
say, wait, how do I create it 
exactly? 

719
00:40:40,970 --> 00:40:43,930
And then figuring that out. 
Within the constraints of the 

720
00:40:43,930 --> 00:40:47,170
system that you're applying it 
to, yeah, absolutely. 

721
00:40:47,630 --> 00:40:50,670
That makes a lot of sense to me,
so I wrote this next question 

722
00:40:50,670 --> 00:40:52,270
last night. 
Now, it kind of sounds a little 

723
00:40:52,270 --> 00:40:54,910
weird, but I'm going to ask you 
or state it anyway. 

724
00:40:55,190 --> 00:40:57,790
Have you have you seen the movie
The Godfather? 

725
00:40:58,510 --> 00:41:00,630
Yes. 
And I guess who has, right. 

726
00:41:00,630 --> 00:41:05,070
So I was going to say you're 
kind of like the Don Corleone of

727
00:41:05,150 --> 00:41:09,030
or Corleone of OpenID Connect 
and. 

728
00:41:10,610 --> 00:41:13,650
Well, well, so OK, like I said. 
I'm curious to see where you're 

729
00:41:13,650 --> 00:41:16,370
going with this one. 
So then I thought of this 

730
00:41:16,490 --> 00:41:20,970
earlier today was do you 
remember the scene where Luca 

731
00:41:20,970 --> 00:41:26,130
Bravi, Luca Brasi sits down with
Don Corleone and he's very 

732
00:41:26,130 --> 00:41:28,530
nervous. 
He's almost like reading from a 

733
00:41:28,530 --> 00:41:30,210
piece of paper. 
Don Corleone. 

734
00:41:30,610 --> 00:41:34,250
You. 
Came up with many good standards

735
00:41:34,250 --> 00:41:36,450
for the OpenID Connect 
standard. 

736
00:41:37,210 --> 00:41:42,610
Don Corleone, you've written 
many good aspects to the OAuth 2

737
00:41:42,610 --> 00:41:49,090
standard, and so where I was 
going with it was this is 

738
00:41:49,090 --> 00:41:51,290
terrible. 
I wonder where this is going 

739
00:41:51,290 --> 00:41:54,290
myself. 
So this is why the pitch count. 

740
00:41:54,730 --> 00:41:59,130
If you wouldn't edit it right to
this part, it would be Don 

741
00:41:59,130 --> 00:42:02,670
Corleone. 
If OpenID Connect was being 

742
00:42:02,670 --> 00:42:06,670
written anew today, how would it
be different? 

743
00:42:07,830 --> 00:42:12,590
That is a great question. 
Because right there. 

744
00:42:13,670 --> 00:42:17,190
Well, no, I'm, I'm going to be 
honest, I'm struggling to see 

745
00:42:17,190 --> 00:42:21,190
where The Godfather fits in with
her, even though I did have a 

746
00:42:21,190 --> 00:42:24,310
Godfather quote in the in the 
last presentation I gave at 

747
00:42:24,310 --> 00:42:27,910
Identiverse this year. 
The whole, you know what happens

748
00:42:27,910 --> 00:42:29,550
when standards meet the real 
world? 

749
00:42:29,550 --> 00:42:31,590
It's like look at how they 
massacred my boy. 

750
00:42:33,630 --> 00:42:38,430
But yeah, I I will say starting 
off, I, you know, I was part of 

751
00:42:38,430 --> 00:42:41,310
a large group of very smart 
people who worked on all of 

752
00:42:41,310 --> 00:42:43,830
these things. 
I was very lucky to be in the 

753
00:42:43,830 --> 00:42:46,910
right community at the right 
time to be able to work on this 

754
00:42:46,910 --> 00:42:49,070
stuff. 
And you know, I'm, I'm far from 

755
00:42:49,070 --> 00:42:53,230
the only voice and lost a lot of
arguments in in all of that 

756
00:42:53,230 --> 00:42:57,200
spaces. 
So that said, I think that if we

757
00:42:57,200 --> 00:43:00,360
were building OpenID Connect and
OAuth today, it would definitely

758
00:43:00,360 --> 00:43:06,160
look different because it does 
look different today than it did

759
00:43:06,280 --> 00:43:08,640
a decade to a decade and a half 
ago when we started. 

760
00:43:09,200 --> 00:43:13,400
There are features that have 
been sort of grafted in to both 

761
00:43:13,400 --> 00:43:16,000
of these protocols that weren't 
there before. 

762
00:43:16,320 --> 00:43:21,080
So there's a pattern that's now 
becoming more well known called 

763
00:43:21,080 --> 00:43:25,420
intent registration. 
And intent registration 

764
00:43:25,420 --> 00:43:29,380
basically allows the client 
software to say this is what I'm

765
00:43:29,380 --> 00:43:37,060
about to do and do that, do that
bit in a secure way so that when

766
00:43:37,060 --> 00:43:42,300
you then go and step and start 
talking to the users, then you 

767
00:43:42,300 --> 00:43:47,380
can actually sort of deal with 
all of that sort of squishy user

768
00:43:47,380 --> 00:43:50,110
space. 
Without having to worry about 

769
00:43:50,110 --> 00:43:53,150
somebody mucking up that initial
request of this is what I'm 

770
00:43:53,150 --> 00:43:56,070
about to do. 
In the OAuth world, that and 

771
00:43:56,070 --> 00:43:58,830
OpenID Connect too, that is 
implemented with something 

772
00:43:58,830 --> 00:44:00,630
called a pushed authorization 
request. 

773
00:44:01,590 --> 00:44:04,470
If we were building these 
systems today, I honestly think 

774
00:44:04,470 --> 00:44:08,630
that we would just always use 
that and that and that is that 

775
00:44:08,630 --> 00:44:12,590
is in fact the advice of the 
FAPI Working Group. 

776
00:44:12,590 --> 00:44:17,750
A high security profile of OAuth
and OpenID Connect is to always

777
00:44:17,750 --> 00:44:19,620
use that. 
Because there's a lot of 

778
00:44:19,620 --> 00:44:24,580
benefits from doing intent 
registration and asking that 

779
00:44:24,580 --> 00:44:28,140
question of like what would it 
look like if we built a system 

780
00:44:28,140 --> 00:44:32,580
today, that was a lot, a lot of 
the engineering behind GNAP, the

781
00:44:32,580 --> 00:44:35,500
grant negotiation and 
authorization protocol, which is

782
00:44:36,660 --> 00:44:40,340
in IESG 
review in the IETF standards 

783
00:44:40,340 --> 00:44:42,460
body, which means it's it's 
close to done. 

784
00:44:43,170 --> 00:44:47,170
And what we tried to do with 
that project was take a step 

785
00:44:47,170 --> 00:44:50,970
back and say like, okay. 
Regardless of how how you do 

786
00:44:50,970 --> 00:44:54,210
things in OAuth, what are the 
best practices and best patterns

787
00:44:54,210 --> 00:44:57,410
and things, and can we actually 
make this all kind of fit 

788
00:44:57,410 --> 00:45:01,410
together? 
So another thing in the OAuth 

789
00:45:01,410 --> 00:45:04,450
world is that when you're 
calling an API, you have a set 

790
00:45:04,450 --> 00:45:06,610
of scopes. 
Those scopes limit what the 

791
00:45:06,650 --> 00:45:10,650
resulting tokens can do. 
And it was brilliant innovation 

792
00:45:10,650 --> 00:45:15,000
for 2010. 
Because previous to that it was 

793
00:45:15,000 --> 00:45:17,640
either you get the whole API or 
you don't, right? 

794
00:45:18,080 --> 00:45:22,160
So scopes absolutely brilliant 
and work great. 

795
00:45:22,520 --> 00:45:27,800
Well today we've now got an 
extra decade of delegated API 

796
00:45:27,800 --> 00:45:31,440
access and people are realizing,
like, I want this token to be 

797
00:45:31,440 --> 00:45:37,680
able to spend $5 within the next
month, but not more than that 

798
00:45:37,760 --> 00:45:43,650
and at least $0.50 at a time. 
And being able to like really, 

799
00:45:43,650 --> 00:45:47,650
really dial in that kind of 
stuff and be able to ask for 

800
00:45:47,650 --> 00:45:51,250
that kind of thing and associate
those kind of rights with these 

801
00:45:51,250 --> 00:45:56,970
access tokens. 
And so in GNAP, we came up with 

802
00:45:57,250 --> 00:46:00,170
a structure that allowed us to 
express that. 

803
00:46:00,690 --> 00:46:04,210
And then I actually worked with 
a couple of other folks, Brian 

804
00:46:04,210 --> 00:46:08,730
Campbell and Torsten Lodderstedt,
to backport that to OAuth 2 and

805
00:46:08,730 --> 00:46:12,810
that recently became an RFC of 
rich authorization requests. 

806
00:46:13,410 --> 00:46:16,490
And so in addition to scopes in 
OAuth, you can now say like 

807
00:46:16,730 --> 00:46:19,370
these are the actions I want to 
take at this location with these

808
00:46:19,370 --> 00:46:22,690
data types. 
And actually also just you know,

809
00:46:23,650 --> 00:46:27,290
customize that to whatever API 
it is that you're protecting and

810
00:46:27,290 --> 00:46:32,270
so you can say things like. 
You know, I I need to do this 

811
00:46:32,270 --> 00:46:36,350
amount of, you know, this amount
at this time or or whatever you 

812
00:46:36,350 --> 00:46:39,190
need to do. 
And I think we would have that 

813
00:46:39,190 --> 00:46:43,150
kind of stuff just baked in from
the beginning because we've 

814
00:46:43,270 --> 00:46:47,750
learned more of sort of how this
stuff gets used and and how 

815
00:46:47,750 --> 00:46:51,950
people want to use it. 
I think that everything you just

816
00:46:51,950 --> 00:46:57,150
said there was, it's like, those
are so many amazing concepts and

817
00:46:57,150 --> 00:47:01,600
I also think like, okay. 
You push out a standard or 

818
00:47:01,600 --> 00:47:04,040
you're working on a standard, it
gets published. 

819
00:47:05,480 --> 00:47:09,040
What if it doesn't get adopted? 
Does that indicate whether or 

820
00:47:09,040 --> 00:47:14,720
not you were successful? 
Or are there other measures of 

821
00:47:14,720 --> 00:47:17,240
success of publishing a 
standard? 

822
00:47:17,800 --> 00:47:21,680
There are a lot of ways to 
measure success, and some of 

823
00:47:21,680 --> 00:47:25,320
the, you know, some of the best 
things that a standard can end 

824
00:47:25,320 --> 00:47:28,480
up doing is being an organ donor
for something else. 

825
00:47:29,250 --> 00:47:31,690
You know, you get a concept and 
it might be brilliant and it 

826
00:47:31,690 --> 00:47:35,250
might work right, but it might 
not be packaged in quite the way

827
00:47:35,250 --> 00:47:39,770
that people can actually use. 
Going back to WS-* that, you 

828
00:47:39,770 --> 00:47:42,570
know, we were making fun of a 
bit earlier today, there were a 

829
00:47:42,570 --> 00:47:48,050
lot of good concepts in that and
being able to sort of talk about

830
00:47:48,050 --> 00:47:53,650
security in a in a systematic 
way was. 

831
00:47:54,920 --> 00:47:57,800
Not exactly new, but the way 
that it was done was was kind of

832
00:47:57,800 --> 00:47:59,880
new. 
It was just an absolute disaster

833
00:47:59,880 --> 00:48:05,440
to actually use. 
So a lot of people would say 

834
00:48:05,440 --> 00:48:08,600
that, you know, because of that 
WS-* is a is a failed 

835
00:48:08,600 --> 00:48:14,160
security system and by that 
measure it would be but and a 

836
00:48:14,160 --> 00:48:16,000
lot of people have scars from 
that too. 

837
00:48:16,040 --> 00:48:19,600
You know, by that measure it's 
also, you know, not successful. 

838
00:48:19,600 --> 00:48:23,440
But the thing is we wouldn't be 
where we were today without that

839
00:48:23,440 --> 00:48:26,650
as a stepping stone. 
I don't think you know because 

840
00:48:26,650 --> 00:48:28,810
we we have to learn these 
lessons somewhere. 

841
00:48:29,650 --> 00:48:35,930
And so the IETF famously says 
that, you know, IETF doesn't 

842
00:48:35,930 --> 00:48:39,690
pick market winners. 
You know it's it's not, it's not

843
00:48:39,690 --> 00:48:44,290
out there to to steer 
competition in one direction or 

844
00:48:44,290 --> 00:48:46,890
another. 
It's out there to create the 

845
00:48:46,890 --> 00:48:48,530
best technical standards that 
there are. 

846
00:48:48,530 --> 00:48:53,490
And if there is a market niche 
that that fits things, then 

847
00:48:53,490 --> 00:48:57,050
that's great. 
If there's not, then you know 

848
00:48:57,050 --> 00:49:00,650
the documents are there and 
they're archived, they they may 

849
00:49:00,650 --> 00:49:05,130
take life, they may take on life
much later in a different space 

850
00:49:05,130 --> 00:49:09,250
in a different way, or they may 
get sort of picked up, sliced 

851
00:49:09,250 --> 00:49:12,890
apart and used in something else
that you didn't anticipate. 

852
00:49:14,370 --> 00:49:18,050
So I I think this could be a 
good segue into a listener 

853
00:49:18,050 --> 00:49:21,050
question. 
So Mike Woodburn submitted the 

854
00:49:21,050 --> 00:49:23,410
question. 
What are your thoughts on the 

855
00:49:23,410 --> 00:49:27,850
current and future state of UMA?
Are you seeing it being used? 

856
00:49:27,850 --> 00:49:31,970
Does the current incarnation of 
UMA have legs, or is there a 

857
00:49:31,970 --> 00:49:37,410
need for UMA 2.0? 
So I was an editor on UMA 2.0, 

858
00:49:37,730 --> 00:49:41,370
so that already exists for like 
5 or 6 years. 

859
00:49:42,370 --> 00:49:48,530
So modifying that to UMA 3.0. 
I would say that UMA was one of 

860
00:49:48,530 --> 00:49:51,410
those things that it really 
pushed the conversation 

861
00:49:51,410 --> 00:49:54,290
especially about user to user 
delegation and how we represent 

862
00:49:54,290 --> 00:49:58,770
that in in systems. 
And it really pushed a lot of 

863
00:49:58,770 --> 00:50:02,490
the concepts and ideas forward 
in ways that were not being 

864
00:50:02,690 --> 00:50:07,930
talked about elsewhere. 
It was packaged sort of together

865
00:50:07,930 --> 00:50:13,130
in such a way that was really 
hard to apply in a lot of spaces

866
00:50:13,290 --> 00:50:18,660
And so I would say by. 
By that measure, you know there 

867
00:50:18,660 --> 00:50:24,180
are deployments of UMA, but they
don't have the type of, you 

868
00:50:24,180 --> 00:50:27,660
know, world reaching, cold boot 
capable distributed 

869
00:50:27,660 --> 00:50:32,540
authorization promise that UMA 
is technologically capable of. 

870
00:50:33,700 --> 00:50:36,980
That said though a lot of the 
design tenets of UMA went into 

871
00:50:36,980 --> 00:50:41,620
GNAP, a lot of the design 
tenets of UMA are being sort of

872
00:50:41,620 --> 00:50:45,180
picked up in. 
Different ways in different 

873
00:50:45,380 --> 00:50:49,300
different systems. 
So you know something that's 

874
00:50:49,540 --> 00:50:54,500
that kind of branched out from 
UMA is the ability to, you know,

875
00:50:54,500 --> 00:50:58,020
very dynamically connect a 
resource server and 

876
00:50:58,020 --> 00:51:01,700
authorization server. 
We're seeing some of that in in 

877
00:51:01,700 --> 00:51:05,540
some of these, you know, more 
tightly coupled, more tightly 

878
00:51:05,540 --> 00:51:11,860
regulated systems out there, not
using UMA, not using quite all 

879
00:51:11,860 --> 00:51:15,430
of that. 
Same tooling, but pulling a lot 

880
00:51:15,430 --> 00:51:20,070
of the concepts in sort of new 
and different ways that that UMA

881
00:51:20,070 --> 00:51:26,110
introduced and did well with it 
but just didn't, didn't land in 

882
00:51:26,110 --> 00:51:28,150
quite the same market kind of 
way. 

883
00:51:29,670 --> 00:51:34,270
So I want to do 2 more listener 
questions because I think it's 

884
00:51:35,510 --> 00:51:38,590
it's fantastic when listeners 
send questions our way and 

885
00:51:38,830 --> 00:51:41,270
please if you're listening and 
you've got some questions. 

886
00:51:41,560 --> 00:51:44,440
Send them over. 
This one was specifically you 

887
00:51:44,480 --> 00:51:47,160
for you from Mike. 
Again, it was. 

888
00:51:47,200 --> 00:51:49,480
I'm not sure what he was driving
at, but I'm sure he had 

889
00:51:49,480 --> 00:51:55,280
something on it. 
What's your favorite *BAC, 

890
00:51:55,640 --> 00:51:59,320
I guess like RBAC, ABAC? 
RBAC, ABAC, things like that, 

891
00:52:02,480 --> 00:52:05,640
so. 
Please say baby, baby got. 

892
00:52:08,440 --> 00:52:09,960
That's that's that's a great 
one. 

893
00:52:12,060 --> 00:52:15,420
But I I actually have two 
answers to this. 

894
00:52:16,860 --> 00:52:22,620
The first, the first, the more 
serious answer is is attribute 

895
00:52:22,620 --> 00:52:24,660
based. 
Because I think fundamentally 

896
00:52:24,660 --> 00:52:27,900
you can model all of these other
systems using attributes. 

897
00:52:28,260 --> 00:52:31,500
The problem of course is that 
attributes then have their own 

898
00:52:31,500 --> 00:52:34,740
attributes and you get into 
attribute provenance. 

899
00:52:34,740 --> 00:52:37,220
And how do I trust this 
attribute source and all of this

900
00:52:37,220 --> 00:52:40,150
other stuff and. 
It very, very, very quickly 

901
00:52:40,150 --> 00:52:42,750
spirals out of control to the 
point where somebody says, you 

902
00:52:42,750 --> 00:52:45,390
know what, screw it, just give 
me a role, just just give me 

903
00:52:45,590 --> 00:52:48,350
tell me which of these 
attributes is role and I'll 

904
00:52:48,350 --> 00:52:55,630
just, I'll just go from that. 
And so I love the promise of the

905
00:52:55,630 --> 00:52:58,950
system. 
In practice it's it's a little 

906
00:52:58,950 --> 00:53:00,990
harder to deal with. 
I think some of the dynamic 

907
00:53:00,990 --> 00:53:03,470
policy engines and policy 
languages that we're seeing 

908
00:53:03,470 --> 00:53:07,310
happen today, you know it's 
going to help with that a lot. 

909
00:53:07,830 --> 00:53:11,790
But you know, it's we've still 
got a long ways to go to make 

910
00:53:11,790 --> 00:53:14,710
that really, really, you know, 
usable. 

911
00:53:14,950 --> 00:53:17,670
I'm a fan of attribute based 
access control only as a 

912
00:53:17,670 --> 00:53:21,310
starting point because I feel 
like a lot of companies, they're

913
00:53:21,310 --> 00:53:23,990
like, yeah you want to be role 
based and then they actually get

914
00:53:23,990 --> 00:53:26,630
into it a little bit and like 
wow, this is a lot harder than I

915
00:53:26,630 --> 00:53:29,190
thought it would be. 
And I feel like at least with 

916
00:53:29,190 --> 00:53:31,550
the attribute you can get a 
kickstart and say okay well. 

917
00:53:32,200 --> 00:53:34,320
Can you answer a basic question?
Are you an employee or you're 

918
00:53:34,320 --> 00:53:36,520
not an employee? 
Do you work in this location or 

919
00:53:36,520 --> 00:53:37,320
somewhere else? 
Right. 

920
00:53:37,320 --> 00:53:41,800
Those sorts of things as kind of
a starting block only because I 

921
00:53:41,800 --> 00:53:45,880
think it's easier to start 
there, but mileage may vary. 

922
00:53:46,000 --> 00:53:47,840
Obviously the consulting answer 
is it depends. 

923
00:53:48,360 --> 00:53:51,040
Absolutely. 
And you know, a lot of that 

924
00:53:51,040 --> 00:53:54,000
comes with the sort of the 
nature of these computing 

925
00:53:54,000 --> 00:53:55,600
systems and computing security 
systems. 

926
00:53:55,840 --> 00:53:58,040
They're they're good at 
computing against these discrete

927
00:53:58,040 --> 00:54:00,760
models. 
Where if value is this or 

928
00:54:00,760 --> 00:54:02,880
greater than this, then answer 
is yes. 

929
00:54:03,760 --> 00:54:08,760
Which gets me to my true 
favorite, you know *BAC 

930
00:54:09,360 --> 00:54:16,480
type system and that is CRBAC, 
the Cinnamon Roll Based Access 

931
00:54:16,480 --> 00:54:21,800
Control. 
So there's a there's an old 

932
00:54:21,800 --> 00:54:26,250
Onion article from I think 2014.
Where somebody just has this 

933
00:54:26,250 --> 00:54:29,730
picture of this honestly rather 
mediocre looking cinnamon roll 

934
00:54:30,250 --> 00:54:33,010
and they they are saying that 
oh, it is just too good. 

935
00:54:33,010 --> 00:54:35,570
It is too perfect for this 
world, too pure. 

936
00:54:35,970 --> 00:54:39,170
And it's it's this hilarious 
little bit of writing comedy 

937
00:54:39,810 --> 00:54:44,290
that got picked up and sort of 
run with by the Internet at 

938
00:54:44,290 --> 00:54:49,040
large. 
And the sort of the epithet of 

939
00:54:49,040 --> 00:54:52,320
cinnamon roll is now being 
applied to people who are too 

940
00:54:52,320 --> 00:54:55,200
good, too pure for this world. 
Like you're you're a good 

941
00:54:55,200 --> 00:54:57,000
person. 
You're just you are a precious 

942
00:54:57,000 --> 00:55:04,600
cinnamon roll. 
And so because of that, there 

943
00:55:05,200 --> 00:55:08,600
that came to be, you know a bit 
of a joke in security circles 

944
00:55:08,600 --> 00:55:12,760
that you know what, Why couldn't
we have something that you know 

945
00:55:12,760 --> 00:55:14,520
that the system. 
Like it. 

946
00:55:14,520 --> 00:55:16,640
It knows that, oh, you're a 
precious cinnamon roll. 

947
00:55:16,640 --> 00:55:19,480
Of course we'll let you in. 
And even though that it, you 

948
00:55:19,480 --> 00:55:21,320
know, it is on the surface, it 
is a joke. 

949
00:55:21,960 --> 00:55:26,120
That's how the real world works.
Like, I couldn't tell you how 

950
00:55:26,120 --> 00:55:29,640
many times I've been able to 
just like, you know, somebody 

951
00:55:29,640 --> 00:55:33,600
just like gave me their employee
discount because like we were 

952
00:55:33,600 --> 00:55:36,160
chatting and they're like, yeah,
I'll, I'll take the 5% off. 

953
00:55:36,160 --> 00:55:39,160
You know, don't worry about it. 
And, you know, just nice little 

954
00:55:39,160 --> 00:55:41,800
things of people being people to
each other. 

955
00:55:42,470 --> 00:55:46,030
Because we have the ability to 
kind of deal in that squishy 

956
00:55:46,030 --> 00:55:49,790
space. 
I honestly think computers and 

957
00:55:49,790 --> 00:55:52,670
computer security are going to 
have to address that space 

958
00:55:53,790 --> 00:55:56,510
because that's how we model 
things in the real world. 

959
00:55:56,990 --> 00:55:59,950
There's a whole thing in 
identity proofing, saying that, 

960
00:55:59,950 --> 00:56:03,310
like, we need to move away from 
asking people what their 

961
00:56:03,310 --> 00:56:05,670
birthday is, because all I need 
to know is if you're old enough 

962
00:56:05,670 --> 00:56:08,990
to drink, right? 
But the thing is like. 

963
00:56:09,970 --> 00:56:11,130
So. 
So I should be able to hand the 

964
00:56:11,130 --> 00:56:13,930
bartender something and they 
check that yes, is old enough to

965
00:56:13,930 --> 00:56:17,090
drink. 
That's tested and verifiable, 

966
00:56:17,090 --> 00:56:19,650
and we're good. 
Oh, that's great and all except 

967
00:56:19,650 --> 00:56:24,330
that in the real world, you 
don't always get carded all the 

968
00:56:24,330 --> 00:56:26,610
time. 
You don't get carded every time 

969
00:56:26,610 --> 00:56:30,210
that the bartender you go back 
up to order a drink. 

970
00:56:30,210 --> 00:56:34,610
If the bartender recognizes you 
or you fit the expectations of 

971
00:56:34,730 --> 00:56:38,330
you're probably supposed to be 
here doing this thing then. 

972
00:56:39,020 --> 00:56:40,940
You're probably not going to get
checked. 

973
00:56:41,300 --> 00:56:45,900
This is effectively Cinnamon 
Roll Based Access Control. 

974
00:56:46,380 --> 00:56:48,300
They're like you're somebody I 
don't have to worry about. 

975
00:56:48,300 --> 00:56:51,020
I'm not going to get in trouble 
by selling you a drink. 

976
00:56:51,740 --> 00:56:54,340
I get a good vibe from this and 
we'll be just fine. 

977
00:56:54,700 --> 00:56:59,380
We'll we'll we'll be fine. 
And you know, this can slew on 

978
00:56:59,380 --> 00:57:02,820
one side or another of the 
should this have actually gone 

979
00:57:02,820 --> 00:57:06,340
through according to the formal 
rules of the system. 

980
00:57:08,020 --> 00:57:14,300
You know, and this is, this is a
space where I think that a lot 

981
00:57:14,300 --> 00:57:18,820
of AI based modeling is going 
to open some really interesting 

982
00:57:18,820 --> 00:57:23,220
doors, some terrifying doors, 
because suddenly we have a 

983
00:57:23,220 --> 00:57:25,660
potentially nondeterministic 
security system. 

984
00:57:26,460 --> 00:57:28,860
But we're already getting into 
that space with all of these 

985
00:57:28,860 --> 00:57:32,940
risk engines that have all of 
these inputs that like nobody 

986
00:57:32,940 --> 00:57:35,140
has all of that in their head at
any given point. 

987
00:57:35,470 --> 00:57:38,870
Like, nobody can tell me how 
Azure actually figures out when 

988
00:57:38,870 --> 00:57:42,390
to prompt you for a password. 
Like, I guarantee you ask 

989
00:57:42,390 --> 00:57:44,910
anybody on the Azure team and 
they're just like, there's the 

990
00:57:44,910 --> 00:57:47,950
risk engine has it in there. 
There's I can show you all the 

991
00:57:47,950 --> 00:57:51,630
inputs, I can show you the math,
but like, nobody's sitting there

992
00:57:51,630 --> 00:57:55,470
doing all of that because that's
what the computer is there for. 

993
00:57:55,990 --> 00:57:59,070
That's what kind of scares me 
about AI overall. 

994
00:57:59,070 --> 00:58:03,030
I mean, if you had some major 
financial crime take place. 

995
00:58:03,570 --> 00:58:06,410
You know, I broke into a bank 
and I was able to transfer $10 

996
00:58:06,410 --> 00:58:08,250
million and I never got 
prompted. 

997
00:58:08,650 --> 00:58:11,970
And it's like, well, the system 
determined you didn't need to be

998
00:58:11,970 --> 00:58:14,050
prompted. 
That's not a good enough answer.

999
00:58:14,730 --> 00:58:18,890
Well, the thing is like you go 
into a bank and ask to ask to 

1000
00:58:18,890 --> 00:58:21,650
withdraw $10 million as a 
person. 

1001
00:58:22,730 --> 00:58:28,610
That request on its own is going
to raise the risk and that's 

1002
00:58:28,610 --> 00:58:32,410
where these systems I think can 
really start to be smarter about

1003
00:58:32,410 --> 00:58:34,700
it. 
You know, it's because the 

1004
00:58:34,700 --> 00:58:38,420
banker is sitting there going 
like, this feels kind of funny. 

1005
00:58:39,180 --> 00:58:43,700
Like, so I do all of my banking 
with a local bank here since 

1006
00:58:43,940 --> 00:58:45,460
since you brought up banking 
with the example. 

1007
00:58:45,460 --> 00:58:47,660
And the last time I had to go in
to get a cashier's check for 

1008
00:58:47,660 --> 00:58:53,740
something, they were, they 
didn't ask for my ID like the 

1009
00:58:53,740 --> 00:58:55,980
bank manager. 
The bank manager knows me. 

1010
00:58:55,980 --> 00:58:58,020
She's just like, Oh yeah, how 
much do you want this check made

1011
00:58:58,020 --> 00:58:58,660
out for? 
Yep. 

1012
00:58:58,700 --> 00:59:02,180
OK, you know, X number, $1000. 
Here you go. 

1013
00:59:02,630 --> 00:59:06,110
Have a good day. 
And she was just like Yep, no 

1014
00:59:06,110 --> 00:59:07,310
problem. 
It's in your account. 

1015
00:59:07,310 --> 00:59:08,830
I know who you are. 
This is fine. 

1016
00:59:09,150 --> 00:59:10,790
Which bank is that and where is 
that? 

1017
00:59:10,790 --> 00:59:12,710
At right, exactly. 
And. 

1018
00:59:13,790 --> 00:59:17,430
And so the thing is like, yeah, 
if you could convince Maria, the

1019
00:59:17,430 --> 00:59:21,190
bank manager, that you're me, 
you deserve that money. 

1020
00:59:21,270 --> 00:59:23,470
Honestly, go for it. 
There's not a lot in. 

1021
00:59:23,550 --> 00:59:25,270
There I'm trying. 
Not a great example. 

1022
00:59:25,270 --> 00:59:27,230
I'm sure we come up with other 
examples. 

1023
00:59:27,230 --> 00:59:29,320
I just kind of feel like. 
If we're going to have 

1024
00:59:29,320 --> 00:59:33,920
algorithms in AI, some human 
being should be able to explain 

1025
00:59:33,920 --> 00:59:35,920
them. 
So in other words, like hey, 

1026
00:59:35,920 --> 00:59:39,360
what if I looked at your health 
insurance records or something 

1027
00:59:39,360 --> 00:59:42,600
and I didn't get, I didn't get 
prompted or something like that.

1028
00:59:42,600 --> 00:59:47,920
So there is a scenario where 
maybe it does not fit that risk 

1029
00:59:47,920 --> 00:59:52,380
engine trigger. 
And and that's that is 

1030
00:59:52,380 --> 00:59:56,540
interestingly another space 
where I think that some of the 

1031
00:59:56,540 --> 00:59:59,860
recent developments in natural 
language AI are really going to 

1032
00:59:59,860 --> 01:00:05,020
come into come into play. 
Being able to query a system and

1033
01:00:05,020 --> 01:00:09,940
say that like hey, you've got 
this policy, explain it to me, 

1034
01:00:10,620 --> 01:00:13,820
what is this doing? 
Why did you make that decision? 

1035
01:00:14,700 --> 01:00:17,660
So if somebody went and asked 
the bank manager like, hey, why 

1036
01:00:17,660 --> 01:00:21,380
did you just write that check? 
You know, if the if the regional

1037
01:00:21,380 --> 01:00:25,380
manager had been in that day and
they were just like, wait, why? 

1038
01:00:25,460 --> 01:00:27,180
Why didn't you ask for his 
license? 

1039
01:00:27,180 --> 01:00:28,820
Like why? 
Why did you just write that 

1040
01:00:28,820 --> 01:00:30,900
check? 
The manager could be like he's 

1041
01:00:30,900 --> 01:00:33,540
been banking here for 15 years. 
We know him. 

1042
01:00:33,540 --> 01:00:35,540
It's fine. 
You know, he used to live like 

1043
01:00:35,540 --> 01:00:38,500
walking distance from from the 
bank. 

1044
01:00:38,500 --> 01:00:40,660
Like you know, we we know this 
guy. 

1045
01:00:41,020 --> 01:00:43,180
Don't worry about it. 
It's totally fine. 

1046
01:00:43,560 --> 01:00:50,120
Just just watch and and being 
able to explain that is 

1047
01:00:50,120 --> 01:00:53,080
something that the human that 
made the decision does. 

1048
01:00:53,600 --> 01:00:57,400
Right now we're at the precipice
of having systems that make 

1049
01:00:57,400 --> 01:01:02,800
these decisions that they can't 
explain themselves and we're not

1050
01:01:02,920 --> 01:01:06,240
requiring them to explain 
themselves Because in you know, 

1051
01:01:06,240 --> 01:01:10,000
in that scenario if the regional
manager was just like, yeah, no,

1052
01:01:10,000 --> 01:01:12,840
never do that again For these 
reasons. 

1053
01:01:13,290 --> 01:01:17,050
You can change behavior and even
if nothing bad had happened from

1054
01:01:17,050 --> 01:01:20,250
that incident, that can be a 
learning experience for that. 

1055
01:01:20,250 --> 01:01:23,970
And then the next time that kind
of thing happens, the bank 

1056
01:01:23,970 --> 01:01:28,650
manager could tell me like, Oh 
yeah, sorry, we need to ask for 

1057
01:01:28,650 --> 01:01:32,450
your ID because of, you know, 
such and such regulation or 

1058
01:01:32,450 --> 01:01:35,450
whatever. 
And it is, it's, you know, it's 

1059
01:01:35,450 --> 01:01:37,250
now policy that I have to 
enforce this. 

1060
01:01:37,810 --> 01:01:39,450
Yeah, sorry. 
I know it's annoying. 

1061
01:01:40,690 --> 01:01:44,660
She can explain it to me. 
As much as she can explain, she 

1062
01:01:44,660 --> 01:01:47,300
can explain the change of policy
to me and the change of behavior

1063
01:01:47,300 --> 01:01:50,060
to me. 
Right now we've got systems, 

1064
01:01:50,180 --> 01:01:54,340
whether they, they're AI driven 
or not, are doing absolutely 

1065
01:01:54,340 --> 01:01:59,740
inscrutable things to users and 
just firing off results and 

1066
01:01:59,740 --> 01:02:01,180
expecting people to deal with 
them. 

1067
01:02:01,580 --> 01:02:05,460
We have no insight into the 
underlying models that are, you 

1068
01:02:05,460 --> 01:02:08,780
know, moving us about the 
Internet on a day-to-day basis. 

1069
01:02:10,150 --> 01:02:11,750
And I would like more insight 
into that. 

1070
01:02:11,750 --> 01:02:15,790
Personally, I I think that 
there's a lot of room for that 

1071
01:02:15,790 --> 01:02:18,670
type of thing. 
So one can even imagine a space.

1072
01:02:18,670 --> 01:02:22,190
And I had a conversation with a 
with a colleague about this at a

1073
01:02:22,270 --> 01:02:24,870
recent conference. 
One can even imagine a space 

1074
01:02:24,870 --> 01:02:29,430
where I implement a set of 
policy system a a set of 

1075
01:02:29,430 --> 01:02:32,710
policies in my system by just 
explaining to it what I want to 

1076
01:02:32,710 --> 01:02:36,430
get done and it will go and 
translate that to whatever 

1077
01:02:36,430 --> 01:02:38,470
policy language that I that I 
have. 

1078
01:02:39,270 --> 01:02:41,630
And execute that in the system. 
And then I say okay. 

1079
01:02:41,630 --> 01:02:45,550
Explain to me what you just did 
independently of what I put in. 

1080
01:02:45,550 --> 01:02:48,750
Explain to me what that is. 
And I can read that be like 

1081
01:02:48,750 --> 01:02:51,190
okay, that makes sense. 
And then I can take that 

1082
01:02:51,190 --> 01:02:54,270
explanation over to another 
system with a different policy 

1083
01:02:54,270 --> 01:02:56,710
language and say here's what we 
want. 

1084
01:02:57,270 --> 01:03:01,150
Like this is what I want out of 
this system and go through the 

1085
01:03:01,150 --> 01:03:04,670
same process. 
And the underlying formal 

1086
01:03:04,670 --> 01:03:07,350
language and modeling can be 
completely different in both 

1087
01:03:07,350 --> 01:03:11,290
cases. 
And we've got this sort of 

1088
01:03:11,330 --> 01:03:14,130
buffer of human language in 
between all of them. 

1089
01:03:14,930 --> 01:03:19,810
We're nowhere near there yet, 
but we're getting close to that 

1090
01:03:20,290 --> 01:03:23,410
in very, very interesting ways. 
All right, we got one more 

1091
01:03:23,410 --> 01:03:25,090
question. 
This is from another listener. 

1092
01:03:25,490 --> 01:03:27,570
This is from Marcus, who reached
out to me. 

1093
01:03:28,090 --> 01:03:31,290
He shared this story and I 
figure this is a good one to get

1094
01:03:31,290 --> 01:03:33,010
3 identity consultants to weigh 
in on. 

1095
01:03:33,570 --> 01:03:36,650
So here we go. 
So I'm going to paraphrase it. 

1096
01:03:36,650 --> 01:03:41,230
So. 
Basically joined a company 

1097
01:03:41,230 --> 01:03:43,750
recently. 
They're implementing automation 

1098
01:03:44,310 --> 01:03:47,350
was more of a political issue 
than a technical one. 

1099
01:03:47,990 --> 01:03:51,030
And the root of this is 
basically trust for HR. 

1100
01:03:52,510 --> 01:03:57,030
It sounds like to me there were 
issues with data quality from an

1101
01:03:57,030 --> 01:04:03,310
HR perspective and so automating
it joiners, movers, leavers,

1102
01:04:03,310 --> 01:04:06,070
right, that kind of thing based 
off of that suspect data. 

1103
01:04:07,680 --> 01:04:11,440
People didn't really want to do 
and he and I think he's he's had

1104
01:04:11,440 --> 01:04:13,720
some prior experience of this 
where you know like an HR feed 

1105
01:04:13,720 --> 01:04:17,520
failed and you know people got 
terminated incorrectly, right. 

1106
01:04:17,960 --> 01:04:19,720
Every once in a while you hear 
this kind of those horror 

1107
01:04:19,720 --> 01:04:22,360
stories right around identity 
management gone wrong. 

1108
01:04:22,360 --> 01:04:26,000
That's probably a book right 
there and they put extra text 

1109
01:04:26,000 --> 01:04:28,160
you know extra checks and stuff 
like that in there. 

1110
01:04:28,160 --> 01:04:31,000
And it's actually you know it 
was on a conversation earlier 

1111
01:04:31,000 --> 01:04:35,200
today where there was a very 
similar issue the the HR. 

1112
01:04:35,740 --> 01:04:39,660
Data quality and I, and probably
it's not HR's fault per se, but

1113
01:04:39,660 --> 01:04:43,060
the data quality and the 
authoritative source wasn't good

1114
01:04:43,060 --> 01:04:47,020
enough, it was causing problems.
So it boils down to do you trust

1115
01:04:47,020 --> 01:04:51,940
HR to basically keep their data 
clean? 

1116
01:04:52,180 --> 01:04:54,580
Because if you're going to 
automate, you need cleaning to 

1117
01:04:54,580 --> 01:04:56,740
start with, otherwise you get 
automated garbage at the end. 

1118
01:04:57,620 --> 01:04:59,620
And so I thought it was kind of 
an interesting topic to kind of 

1119
01:04:59,620 --> 01:05:02,980
say, well, you know, how does an
IT team. 

1120
01:05:03,350 --> 01:05:06,470
And IAM person whoever's in
here go off and say, okay, well,

1121
01:05:06,670 --> 01:05:09,350
we know a suspect data is coming
out of HR. 

1122
01:05:09,350 --> 01:05:13,510
How do we address that in a way 
that doesn't alienate us from 

1123
01:05:13,510 --> 01:05:16,030
our friends over at HR, You 
know, diplomatic way. 

1124
01:05:16,030 --> 01:05:17,510
What are the right thing is 
because I think a lot of 

1125
01:05:17,510 --> 01:05:21,950
organizations struggle with this
fact of look, this is just what 

1126
01:05:21,950 --> 01:05:23,630
we've been given and we just got
to work with it. 

1127
01:05:24,350 --> 01:05:25,630
I don't know, man, I don't buy 
it. 

1128
01:05:25,670 --> 01:05:29,310
I mean sometimes it's it's you 
have to keep knocking on the 

1129
01:05:29,310 --> 01:05:31,670
door and raising the arms like, 
look, this is a problem. 

1130
01:05:31,670 --> 01:05:34,130
This is a problem. 
I'm curious to hear both your 

1131
01:05:34,130 --> 01:05:36,610
guys's thoughts and Justin, we 
can start with you as the guest 

1132
01:05:36,610 --> 01:05:39,130
of honor. 
You know, this concept of 

1133
01:05:39,130 --> 01:05:43,090
trusting HR, trusting X with 
data quality. 

1134
01:05:43,690 --> 01:05:45,570
You know, where do you start 
with a conversation like that? 

1135
01:05:45,890 --> 01:05:49,290
So imagine you have a river. 
That river is your water source.

1136
01:05:49,290 --> 01:05:51,930
You're depending on this right 
now because you were told that 

1137
01:05:51,930 --> 01:05:56,450
this is the water source that 
you're depending on, and you 

1138
01:05:56,450 --> 01:05:59,370
pull water from that source and 
it's polluted. 

1139
01:06:00,150 --> 01:06:03,390
It might sometimes be more, 
might sometimes be less, but 

1140
01:06:03,390 --> 01:06:07,630
there's a problem with it. 
So then the question that you're

1141
01:06:07,630 --> 01:06:10,190
asking is akin to all right, how
do I? 

1142
01:06:10,230 --> 01:06:12,270
How do I deal with that polluted
water source? 

1143
01:06:13,790 --> 01:06:18,670
And the answer is really similar
in data streams as it is in 

1144
01:06:18,870 --> 01:06:21,270
physical streams. 
You can. 

1145
01:06:21,680 --> 01:06:25,280
Address pollution at the source.
You can filter it as you go out 

1146
01:06:25,280 --> 01:06:27,360
and sort of clean it up as best 
you can. 

1147
01:06:27,560 --> 01:06:32,240
You can augment it or replace it
with a separate water source, 

1148
01:06:32,680 --> 01:06:34,400
right? 
You can drill a well instead of 

1149
01:06:34,400 --> 01:06:37,760
pulling from the river and hope 
that that's, you know, less 

1150
01:06:37,760 --> 01:06:41,840
polluted. 
The real answer is to do all of 

1151
01:06:41,840 --> 01:06:46,720
those you know. 
If HR is giving you garbage 

1152
01:06:46,720 --> 01:06:50,800
data, go help HR stop giving you
garbage data. 

1153
01:06:52,120 --> 01:06:55,560
Like if you're on the IT and 
Identity team like they should 

1154
01:06:55,560 --> 01:07:00,600
not like that system. 
If it's not directly in your in 

1155
01:07:00,600 --> 01:07:05,840
your purview, you should at 
least have a hand in saying what

1156
01:07:05,840 --> 01:07:08,440
goes on with it, what goes into 
it, what comes out of it, how 

1157
01:07:08,440 --> 01:07:11,680
you use it, you know and how 
it's managed. 

1158
01:07:13,040 --> 01:07:19,520
And so bring that to the table 
being like you know we need this

1159
01:07:19,520 --> 01:07:24,400
to be cleaner. 
And it will help you if this is 

1160
01:07:24,400 --> 01:07:28,200
also cleaner. 
But that's not good enough 

1161
01:07:28,680 --> 01:07:31,320
really. 
You cannot expect pristine data 

1162
01:07:31,560 --> 01:07:35,120
anywhere. 
So yeah, still have the 

1163
01:07:35,120 --> 01:07:38,440
filtering on the way out, still 
augment it with locally 

1164
01:07:38,440 --> 01:07:44,120
collected attributes or roles or
caches or any number of things. 

1165
01:07:44,400 --> 01:07:47,280
That allow you to deal with this
because you know that an 

1166
01:07:47,280 --> 01:07:53,040
external source is not always 
going to be 100% reliable, but 

1167
01:07:53,200 --> 01:07:57,480
you in cases like this you 
really, I honestly think you 

1168
01:07:57,480 --> 01:08:02,040
have to try to fight to help 
make that source as reliable as 

1169
01:08:02,040 --> 01:08:05,400
possible. 
So clean up the river, get 

1170
01:08:05,400 --> 01:08:08,210
better filters and drill a well.
Problem solved. 

1171
01:08:08,250 --> 01:08:10,930
No problem not solved at all. 
It is an ongoing journey. 

1172
01:08:11,090 --> 01:08:13,290
No, we got, we got the water. 
It's perfect. 

1173
01:08:13,770 --> 01:08:17,090
We're good to go. 
Yeah, I mean, so you know, with 

1174
01:08:17,090 --> 01:08:21,810
the question Marcus said that is
more of a political issue. 

1175
01:08:21,810 --> 01:08:25,370
So I don't really know exactly 
what that means is like if that 

1176
01:08:25,370 --> 01:08:30,010
HR doesn't care, you know, 
they're not willing to do things

1177
01:08:30,010 --> 01:08:33,130
to address it. 
They don't have a communication 

1178
01:08:33,130 --> 01:08:36,130
path. 
I think if if it's not those 

1179
01:08:36,130 --> 01:08:38,520
things like. 
You know, if you can sit down 

1180
01:08:38,520 --> 01:08:40,760
with the folks and try to 
address the issues because they 

1181
01:08:40,760 --> 01:08:43,279
don't know how serious the 
issues are, but when it you talk

1182
01:08:43,279 --> 01:08:48,080
about people being terminated in
the incorrect time frame, then 

1183
01:08:48,080 --> 01:08:51,319
I'd say is definitely something 
major, right? 

1184
01:08:51,319 --> 01:08:54,000
Something major is happening 
like this data is really bad. 

1185
01:08:54,200 --> 01:08:57,800
Not just people's names are 
being misspelled or things like 

1186
01:08:57,800 --> 01:09:00,680
that. 
I was thinking about some kind 

1187
01:09:00,680 --> 01:09:04,160
of layer of abstraction, which 
I've seen a lot of clients do, 

1188
01:09:04,160 --> 01:09:06,479
where they create some kind of 
table. 

1189
01:09:06,910 --> 01:09:10,870
And database where they're 
pre-cleaning the data prior to

1190
01:09:11,270 --> 01:09:13,950
moving it into their identity 
management system. 

1191
01:09:14,189 --> 01:09:16,069
So that could potentially be the
answer. 

1192
01:09:16,069 --> 01:09:20,270
But you know the, the political 
side, I think, I think kind of 

1193
01:09:20,270 --> 01:09:23,710
to Justin's point, even if you 
do it a layer of abstraction or 

1194
01:09:23,790 --> 01:09:29,870
either even if you do say the HR
system just can't, can't fit our

1195
01:09:29,870 --> 01:09:32,830
needs, maybe the company has 
40 HR systems, right?

1196
01:09:33,029 --> 01:09:34,550
Maybe that's what the problem 
is. 

1197
01:09:36,080 --> 01:09:38,479
Maybe some of them are good and 
some of them are not good and 

1198
01:09:38,680 --> 01:09:42,720
you just have to like figure out
how do we exist in this 

1199
01:09:44,560 --> 01:09:47,279
environment where the data is a 
total mess. 

1200
01:09:47,520 --> 01:09:51,200
But I do think you need to work 
on all these things, especially 

1201
01:09:51,200 --> 01:09:53,920
that political angle like if you
have a broken down communication

1202
01:09:53,920 --> 01:09:57,600
process or somehow like that 
team just doesn't care about 

1203
01:09:57,600 --> 01:10:01,520
your needs, that's dysfunctional
for the organization and it's 

1204
01:10:01,520 --> 01:10:04,160
resulting in the organization's 
suffering so. 

1205
01:10:04,550 --> 01:10:08,150
You have to do something to fix 
that and in the meantime try to 

1206
01:10:08,150 --> 01:10:12,910
do the patchwork and you know, 
to make sure that you don't have

1207
01:10:12,910 --> 01:10:15,030
outages. 
Because I do think kind of 

1208
01:10:15,030 --> 01:10:18,070
stepping away from HR data 
holistically is not the right 

1209
01:10:18,070 --> 01:10:21,910
solution. 
But you know, in that 40 HR

1210
01:10:21,910 --> 01:10:24,390
system scenario, what I've seen 
is like okay, you might have 

1211
01:10:24,710 --> 01:10:28,790
this HR system and I don't want 
to pick on any particular 

1212
01:10:28,790 --> 01:10:31,550
country, let's say it's like 
really far from wherever your 

1213
01:10:31,550 --> 01:10:34,650
home corporate office is. 
And they just do things so much 

1214
01:10:34,650 --> 01:10:36,690
differently. 
They only update the HR system 

1215
01:10:36,970 --> 01:10:40,490
once a month or it's offloaded 
to some kind of third party. 

1216
01:10:40,770 --> 01:10:43,890
They won't give you extracts, 
things like that. 

1217
01:10:43,890 --> 01:10:49,010
So you know, it might be that 
kind of scenario that just can't

1218
01:10:49,010 --> 01:10:51,490
easily be fixed. 
And when it gets fixed is when 

1219
01:10:51,490 --> 01:10:55,050
the whole company moves over to,
you know, Workday, to pick the

1220
01:10:55,450 --> 01:11:00,740
HR system du jour. 
So yeah, fix your fix your 

1221
01:11:00,980 --> 01:11:04,540
governance process, relationship
process, whatever, and then do a

1222
01:11:04,540 --> 01:11:09,180
multi-tier technical approach.
I poked fun a little bit Justin 

1223
01:11:09,180 --> 01:11:10,820
saying problem solved because I 
like. 

1224
01:11:10,820 --> 01:11:13,260
I really liked your answer. 
It was a great analogy. 

1225
01:11:13,340 --> 01:11:15,820
I think people will really under
will hopefully understand that 

1226
01:11:15,860 --> 01:11:19,660
it is a layered effect, right. 
It's it's almost like you're 

1227
01:11:19,660 --> 01:11:21,860
filtering the filter right? 
You're going to throw these 

1228
01:11:21,860 --> 01:11:26,620
different levels of of cleaning.
To try and make sure you remove 

1229
01:11:26,620 --> 01:11:29,900
as many you know defects as 
possible from the process. 

1230
01:11:30,180 --> 01:11:34,700
Will it ever be 100%? 
Maybe not, but 50% is better 

1231
01:11:34,700 --> 01:11:37,860
than nothing and 75% is better 
than 50%. 

1232
01:11:37,860 --> 01:11:39,180
So it is a journey as you go 
along. 

1233
01:11:39,180 --> 01:11:41,540
So absolutely weighed in on 
that. 

1234
01:11:42,060 --> 01:11:45,660
I mean, how many people are on 
municipal water in their houses 

1235
01:11:45,660 --> 01:11:49,660
that is perfectly safe to drink 
but still use Brita filters or 

1236
01:11:49,660 --> 01:11:51,300
you know, a refrigerator with a 
water filter? 

1237
01:11:51,340 --> 01:11:53,180
I know, I do. 
And. 

1238
01:11:54,350 --> 01:11:57,270
You know, I can absolutely drink
the water out of the tap here. 

1239
01:11:57,270 --> 01:12:01,830
It's totally fine. 
I have no reason to, you know, 

1240
01:12:02,110 --> 01:12:06,350
be concerned about it. 
But it's kind of set up so that 

1241
01:12:06,350 --> 01:12:10,790
it's actually easier to get a 
cup of, you know, cold water by 

1242
01:12:10,790 --> 01:12:13,470
going to the refrigerator, which
has this extra filter in it. 

1243
01:12:13,470 --> 01:12:16,150
And maybe it tastes a little 
different, maybe it doesn't. 

1244
01:12:16,150 --> 01:12:20,070
I don't know if I would actually
pass a blind test on that, but. 

1245
01:12:21,430 --> 01:12:24,270
You know, at the end of the day,
the result is like. 

1246
01:12:24,270 --> 01:12:27,350
That's what I go to because 
that's what works. 

1247
01:12:28,230 --> 01:12:31,430
It feels good, looks good, it 
tastes good, whatever it may be.

1248
01:12:31,430 --> 01:12:32,670
And sometimes that's all it 
takes, right? 

1249
01:12:32,830 --> 01:12:34,350
Exactly. 
Yeah. 

1250
01:12:34,350 --> 01:12:37,270
You need to navigate your 
identity systems by taste. 

1251
01:12:37,310 --> 01:12:40,190
That should be really the 
biggest takeaway from today's

1252
01:12:40,190 --> 01:12:44,070
episode. 
So Becky or Enrique, if you guys

1253
01:12:44,070 --> 01:12:48,190
are listening, I'd love to see 
another dimension added to the 

1254
01:12:49,150 --> 01:12:52,860
the. 
Identity rankings for you know 

1255
01:12:53,140 --> 01:12:55,860
mouth feel almost like a fine 
wine, right? 

1256
01:12:55,860 --> 01:12:58,700
Like you know what does this 
would have legs, you know what's

1257
01:12:58,700 --> 01:13:00,780
the coloring look like? 
Is it full bodied when it comes 

1258
01:13:00,780 --> 01:13:03,060
to identity? 
System viscous is for draw. 

1259
01:13:04,100 --> 01:13:06,100
There you go. 
All right, let's start to wrap 

1260
01:13:06,100 --> 01:13:07,260
things up. 
Because this, you remember how 

1261
01:13:07,260 --> 01:13:09,740
we talked about, wow, there's no
way we spent an hour and a half.

1262
01:13:09,740 --> 01:13:13,180
Well, we're already at like an 
hour and 15, so let's wrap 

1263
01:13:13,180 --> 01:13:16,340
things up. 
You mentioned musician and I 

1264
01:13:16,340 --> 01:13:20,180
want to talk about this band 
called Cyclic. 

1265
01:13:21,320 --> 01:13:25,520
Tell me about the band Cyclic.
So first I will caveat to say 

1266
01:13:25,520 --> 01:13:29,040
that when you're 19 and an 
idiot, you should not be allowed

1267
01:13:29,040 --> 01:13:32,280
to pick your band name and I 
really should have moved away 

1268
01:13:32,280 --> 01:13:38,680
from that at some point. 
But so Cyclic is the name of a 

1269
01:13:38,760 --> 01:13:44,320
musical project that I started 
on my own and have been doing 

1270
01:13:44,320 --> 01:13:48,960
stuff on and off for gosh, 
almost 20 years now, 15, 20 years

1271
01:13:48,960 --> 01:13:53,330
in one fashion or another. 
And I I grew up around music. 

1272
01:13:53,330 --> 01:13:59,010
I've been playing piano since I 
was like 6 or 7 years old, did 

1273
01:13:59,010 --> 01:14:05,330
classical lessons for a long 
time, self-taught on guitar and

1274
01:14:05,370 --> 01:14:08,170
you know, synthesizers and all 
of the the things that I play 

1275
01:14:08,170 --> 01:14:10,610
now. 
And I also, you know, I just 

1276
01:14:10,610 --> 01:14:12,250
come from a really musical 
family. 

1277
01:14:12,890 --> 01:14:16,210
You know, my, my grandmother had
a, you know, regionally known. 

1278
01:14:16,740 --> 01:14:20,500
Band that like my dad and uncle 
played in and and all of all of 

1279
01:14:20,500 --> 01:14:22,660
that kind of stuff. 
I always grew up around music 

1280
01:14:23,140 --> 01:14:27,980
and so I just, you know, kind of
just always kept doing that. 

1281
01:14:28,500 --> 01:14:33,580
And these days I've been really 
lucky that, you know, to live in

1282
01:14:33,580 --> 01:14:36,580
a time where self-publishing, 
self-recording and

1283
01:14:36,580 --> 01:14:40,820
self-publishing stuff is within 
reach of kind of like average 

1284
01:14:40,820 --> 01:14:45,460
working people, you know, to be 
able to get decent quality. 

1285
01:14:46,660 --> 01:14:52,300
Audio out of a system doesn't 
take a huge investment and I've 

1286
01:14:52,300 --> 01:14:57,460
got a decent studio set up now, 
but that's because you know, I'm

1287
01:14:57,940 --> 01:15:00,620
I'm approaching my mid 40s. 
I've collected little bits and 

1288
01:15:00,620 --> 01:15:05,300
pieces over the years to like, 
you know, as as I've been able 

1289
01:15:05,300 --> 01:15:09,220
to, but I mean this whole time, 
you know, I could a lot of what 

1290
01:15:09,220 --> 01:15:13,020
I do, I could do it probably not
as easily but I could still do 

1291
01:15:13,020 --> 01:15:17,260
it on. 
Just a little dinky laptop and a

1292
01:15:17,300 --> 01:15:22,100
tiny little USB interface and 
come out all right. 

1293
01:15:22,780 --> 01:15:27,860
And so anyway, I've just, I've 
always been around music, I've 

1294
01:15:27,900 --> 01:15:33,940
always had it in me, and I enjoy
the process of creating and 

1295
01:15:33,940 --> 01:15:39,750
sculpting from sort of. 
The textures of the sounds and 

1296
01:15:39,750 --> 01:15:44,230
sort of the stories that you can
tell with the music itself. 

1297
01:15:44,590 --> 01:15:46,230
A lot of what I write is 
instrumental. 

1298
01:15:46,350 --> 01:15:49,750
I do have some non-instrumental,
you know, some vocal tracks here

1299
01:15:49,750 --> 01:15:51,590
and there. 
Most of what I do is 

1300
01:15:51,590 --> 01:15:55,630
instrumental and I really like 
being able to kind of bring 

1301
01:15:55,630 --> 01:15:59,350
someone on a journey without 
telling them what that journey 

1302
01:15:59,350 --> 01:16:01,230
is. 
You know, I want to show you, I 

1303
01:16:01,230 --> 01:16:02,670
don't want to necessarily tell 
you. 

1304
01:16:03,190 --> 01:16:06,910
And that's that's what I've 
always really loved about it. 

1305
01:16:07,480 --> 01:16:12,560
And you know for the last five 
years or so I've I've let other 

1306
01:16:12,560 --> 01:16:16,800
things kind of get in the way of
of the music side of things. 

1307
01:16:16,960 --> 01:16:18,320
I've done little bits here and 
there. 

1308
01:16:18,320 --> 01:16:21,280
I, you know contributed to a 
couple of indie film scores, 

1309
01:16:21,760 --> 01:16:24,160
little little bits here and 
there. 

1310
01:16:24,640 --> 01:16:30,600
But I am finally I I've made it 
a sort of a personal resolution 

1311
01:16:30,600 --> 01:16:35,320
to actually get back into proper
composition and recording and 

1312
01:16:35,320 --> 01:16:37,200
and actually trying to get 
something new out. 

1313
01:16:38,670 --> 01:16:41,350
Maybe this year, I don't know. 
I'm, I'm not going to commit to 

1314
01:16:41,350 --> 01:16:44,270
that on on a on an international
podcast here. 

1315
01:16:44,270 --> 01:16:47,870
But you know, one one can hope 
that I'll be able to do that 

1316
01:16:49,190 --> 01:16:54,630
because I love doing it and you 
know, I just, I love the 

1317
01:16:54,630 --> 01:16:58,350
creative process and I love the 
creativity that comes with the 

1318
01:16:58,350 --> 01:17:01,630
constraints of sort of these 
music systems because not 

1319
01:17:01,630 --> 01:17:03,710
everything sounds good, not 
everything sounds pleasing. 

1320
01:17:03,710 --> 01:17:07,970
So how do you work with that? 
It always fascinates me because 

1321
01:17:08,210 --> 01:17:11,050
I love music, but I am not a 
musician. 

1322
01:17:11,130 --> 01:17:15,210
I cannot figure out for the life
of me how you would even start 

1323
01:17:15,530 --> 01:17:20,090
to create anything like that. 
I, you know, I listen to a bunch

1324
01:17:20,090 --> 01:17:24,010
of your stuff actually, when we 
first heard about it, and I 

1325
01:17:24,010 --> 01:17:26,090
think it's great. 
I don't think it's really 

1326
01:17:26,090 --> 01:17:28,210
diverse. 
I mean, there's two songs that I

1327
01:17:28,210 --> 01:17:30,850
kind of want to point out there.
There's one called Snow Runner, 

1328
01:17:31,450 --> 01:17:34,250
and this is my this is my 
amateur take on it, right? 

1329
01:17:34,250 --> 01:17:37,750
It's a very fast-paced.
And I kind of mentioned before 

1330
01:17:37,750 --> 01:17:40,950
we hit record here, it's like it
reminded me of something that I 

1331
01:17:40,950 --> 01:17:43,510
would hear playing in the game 
Wipeout, which is like this

1332
01:17:43,510 --> 01:17:46,270
futuristic racer on PlayStation 
from days of old. 

1333
01:17:46,590 --> 01:17:48,070
And I love it. 
Like that's that's my jam, 

1334
01:17:48,070 --> 01:17:51,350
totally. 
So funny anecdote about that 

1335
01:17:51,350 --> 01:17:54,430
song. 
I originally wrote that as an 

1336
01:17:54,430 --> 01:18:01,830
accompaniment bit to a video 
game, and that was that we did 

1337
01:18:01,830 --> 01:18:06,800
in grad school. 
So we had a point in point in 

1338
01:18:06,800 --> 01:18:10,720
this little, you know, graduate 
class video game where somebody 

1339
01:18:10,720 --> 01:18:12,800
basically gets a speed boost and
takes off. 

1340
01:18:12,800 --> 01:18:16,480
And I'm just like I I want more 
than just like oh, it goes and 

1341
01:18:16,480 --> 01:18:19,000
does a thing. 
And so I, I went home and wrote 

1342
01:18:19,000 --> 01:18:22,840
the riff to that and recorded it
in like an hour and like sent 

1343
01:18:22,840 --> 01:18:27,000
the MP3 to my to my teammates. 
And it was just like just just 

1344
01:18:27,200 --> 01:18:31,800
played, you know call MP3 dot 
play when when that event fires.

1345
01:18:31,800 --> 01:18:34,940
And and that was. 
That was the origin of that 

1346
01:18:34,940 --> 01:18:37,100
song. 
I eventually went and made it 

1347
01:18:37,100 --> 01:18:40,620
into a full song, but but that's
that's where that originally 

1348
01:18:40,620 --> 01:18:41,820
came from. 
Okay. 

1349
01:18:41,820 --> 01:18:43,580
So I'm not totally crazy because
it really did. 

1350
01:18:44,020 --> 01:18:47,140
It conveys like a sense of speed
is the way when I was listening 

1351
01:18:47,140 --> 01:18:49,820
to it, the other one that I 
really liked was called 

1352
01:18:49,860 --> 01:18:52,940
Incognito Shuffle, which I don't
know if it could be any more 

1353
01:18:52,940 --> 01:18:57,060
different than that other one 
because it's it's it gives me 

1354
01:18:57,060 --> 01:18:59,340
kind of like this vibe of like a
speakeasy.

1355
01:18:59,420 --> 01:19:01,700
It's a lounge. 
It's kind of like a very cool. 

1356
01:19:02,020 --> 01:19:05,340
Jazzy type of vibe to it. 
I thought it was great. 

1357
01:19:06,340 --> 01:19:10,740
Yeah, like my my music tastes 
are really pretty diverse. 

1358
01:19:10,740 --> 01:19:13,860
I'm I'm really all over the map 
and in the stuff that I write, 

1359
01:19:13,860 --> 01:19:16,980
you know, there's there's a lot 
of electronic rock kind of at 

1360
01:19:16,980 --> 01:19:20,460
the surface. 
But honestly, I've got a ton of 

1361
01:19:20,460 --> 01:19:24,300
like, jazz and blues influence
in what I write. 

1362
01:19:24,660 --> 01:19:29,140
And so sometimes it really, 
really comes to the forefront, 

1363
01:19:29,220 --> 01:19:33,150
like an Incognito Shuffle.
Like deliberately. 

1364
01:19:33,150 --> 01:19:36,190
Like I'm going to strip out 
everything except like and just 

1365
01:19:36,230 --> 01:19:39,030
just do this. 
Can I actually write that right.

1366
01:19:39,030 --> 01:19:40,470
Like that was that was the 
constraint. 

1367
01:19:40,470 --> 01:19:44,950
It's like can I do just this 
style of of song without adding 

1368
01:19:44,950 --> 01:19:48,230
all the piles of synthesizers 
and guitars and all of the other

1369
01:19:48,510 --> 01:19:50,110
stuff that I usually hide 
behind. 

1370
01:19:51,230 --> 01:19:54,310
And other times it's like no 
bring bring the wall of noise. 

1371
01:19:54,310 --> 01:19:58,270
Bring everything in do all of 
this all together and. 

1372
01:19:59,470 --> 01:20:04,350
But yeah, a lot of the different
stuff that I listen to and I've 

1373
01:20:04,350 --> 01:20:06,750
been exposed to shows up in the 
stuff that I write. 

1374
01:20:07,470 --> 01:20:12,590
And you know, that's I I think 
that that's true with most of my

1375
01:20:12,590 --> 01:20:14,630
life. 
Like, you know, just all of 

1376
01:20:14,630 --> 01:20:18,670
these different things that I've
done as, you know, Jim Jim was 

1377
01:20:18,670 --> 01:20:20,870
talking about before, all these 
different things that I've 

1378
01:20:20,870 --> 01:20:24,390
gotten involved in. 
Like to me they're all, they're 

1379
01:20:24,390 --> 01:20:27,990
all just like connected by like 
that is interesting and I have 

1380
01:20:27,990 --> 01:20:32,980
an opportunity. 
But there's a lot of commonality

1381
01:20:32,980 --> 01:20:34,940
that does actually thread 
underneath them. 

1382
01:20:35,260 --> 01:20:39,300
So I'm going to try and play a 
song after this show ends. 

1383
01:20:40,020 --> 01:20:42,780
It's probably going to be a 
Spotify exclusive because it's 

1384
01:20:42,780 --> 01:20:44,300
sort of built into that 
platform. 

1385
01:20:44,580 --> 01:20:47,780
So if you're not listening on 
Spotify, you probably won't hear

1386
01:20:47,780 --> 01:20:49,460
it. 
But definitely check it out. 

1387
01:20:49,460 --> 01:20:52,020
I don't have a link in our show 
notes right to cyclic.com. 

1388
01:20:52,060 --> 01:20:53,300
So you can kind of check out 
more there. 

1389
01:20:53,300 --> 01:20:56,340
But it's got, I think the one 
that you recommended is called 

1390
01:20:56,340 --> 01:20:58,860
Every morning Orange in Blue, Is
that right? 

1391
01:20:59,780 --> 01:21:01,540
Tell me about that one. 
So if people are checking it 

1392
01:21:01,540 --> 01:21:03,260
out, they can kind of get the 
story behind it as they're 

1393
01:21:03,260 --> 01:21:06,450
listening. 
So like with a lot of things 

1394
01:21:06,450 --> 01:21:09,090
that I a lot of music that I 
write it started off with me 

1395
01:21:09,090 --> 01:21:14,050
just playing around and coming 
up with kind of a a feel for a 

1396
01:21:14,050 --> 01:21:16,650
riff that I that I liked. 
And I was just like where where 

1397
01:21:16,650 --> 01:21:19,130
can I go with this You know what
kind of sounds can I can I work 

1398
01:21:19,130 --> 01:21:23,970
with this and the title of this.
Like a lot of the titles in my 

1399
01:21:23,970 --> 01:21:26,890
songs are just kind of like 
that's what the music is kind of

1400
01:21:26,890 --> 01:21:29,570
telling me that this is the 
story that's here. 

1401
01:21:29,650 --> 01:21:32,650
Like I don't necessarily go into
write something named that. 

1402
01:21:33,250 --> 01:21:35,410
It's like I start to write 
something and it's like, oh, 

1403
01:21:35,410 --> 01:21:37,530
this is, this is what this is 
named. 

1404
01:21:39,130 --> 01:21:45,610
But to me the in that particular
song, the energy that it kind 

1405
01:21:45,610 --> 01:21:49,650
of, you know, starts out with 
and just kind of dives through 

1406
01:21:49,650 --> 01:21:54,050
the whole, the whole thing. 
To me it's it's always felt 

1407
01:21:54,050 --> 01:21:57,410
like, you know, you're getting 
up at sunrise and you're 

1408
01:21:57,410 --> 01:22:00,570
training for some, you know, big
athletic thing like this is you 

1409
01:22:00,570 --> 01:22:04,210
getting up and just going. 
Like whatever you're whatever 

1410
01:22:04,210 --> 01:22:05,810
you're trying to tackle, 
whatever you're trying to get 

1411
01:22:05,810 --> 01:22:09,730
to, you are getting up and going
and getting out there in the 

1412
01:22:09,730 --> 01:22:12,050
world. 
And you know, sometimes it's 

1413
01:22:12,050 --> 01:22:14,090
smoother, sometimes it's more 
chaotic. 

1414
01:22:14,530 --> 01:22:17,610
But you're you're moving 
forward, you never stop moving 

1415
01:22:17,610 --> 01:22:21,290
forward, even when even when it 
seems like things might be a 

1416
01:22:21,290 --> 01:22:24,970
little bit slower. 
So to me that's that's always 

1417
01:22:24,970 --> 01:22:28,500
been the story of that song. 
So I'm going to try and play it 

1418
01:22:28,500 --> 01:22:30,580
afterwards. 
It might be a region based 

1419
01:22:30,580 --> 01:22:31,780
thing. 
I don't know how positive 

1420
01:22:31,780 --> 01:22:33,740
advanced people need to go check
it out after fact, but. 

1421
01:22:33,980 --> 01:22:36,180
Digital rights are so strange. 
They are. 

1422
01:22:36,180 --> 01:22:38,620
And you know, we've made it this
far without a copyright strike 

1423
01:22:38,620 --> 01:22:41,060
or any of that crap. 
So I'm trying to trying to keep 

1424
01:22:41,060 --> 01:22:46,420
the streak alive, Jim. 
You know, an hour and 20 some 

1425
01:22:46,420 --> 01:22:47,820
minutes already. 
We did it. 

1426
01:22:48,100 --> 01:22:51,420
There's our show. 
That's our show and we started 

1427
01:22:51,420 --> 01:22:54,140
off, you know, before the show 
saying we've never hit an hour 

1428
01:22:54,140 --> 01:22:55,740
and a half. 
I'll never hit an hour and a 

1429
01:22:55,740 --> 01:22:57,330
half. 
Yeah, I'm sure with a little 

1430
01:22:57,330 --> 01:22:59,410
tweaks, I'll probably get down a
couple minutes and stuff like 

1431
01:22:59,410 --> 01:23:02,130
that. 
But yeah, I think we've set the 

1432
01:23:02,130 --> 01:23:04,690
record. 
Congratulations, Justin, now the

1433
01:23:04,690 --> 01:23:07,330
world record holder for longest 
Identity at the Center podcast 

1434
01:23:07,370 --> 01:23:09,770
episode. 
Well, at least for now, I'm sure

1435
01:23:09,770 --> 01:23:14,330
you guys will will break that 
wall soon as sooner than you 

1436
01:23:14,330 --> 01:23:17,290
think. 
We're gonna go ahead and wrap it

1437
01:23:17,290 --> 01:23:20,530
up for that one. 
I have like a laundry list of 

1438
01:23:20,610 --> 01:23:24,730
show notes and links. 
I've got your LinkedIn profile. 

1439
01:23:24,730 --> 01:23:28,010
Justin got the website for 
Bespoke Engineering. 

1440
01:23:28,690 --> 01:23:32,330
While you were talking about the
the why applications fail, I 

1441
01:23:32,330 --> 01:23:36,890
found a link for that as well. 
The book link, GNAP. 

1442
01:23:37,370 --> 01:23:39,490
Sorry, GNAP. 
I keep saying GNAP. 

1443
01:23:39,970 --> 01:23:42,850
So small anecdote on that. 
I know we're already pushing the

1444
01:23:42,850 --> 01:23:45,850
links of the show, but there was
actually a big debate in the 

1445
01:23:45,850 --> 01:23:48,730
working group about what the 
official pronunciation of the 

1446
01:23:48,730 --> 01:23:51,370
working group was. 
I strongly came down on the side

1447
01:23:51,370 --> 01:23:53,050
of there is no official 
pronunciation. 

1448
01:23:53,210 --> 01:23:56,050
Because, like, we can't dictate 
how people are going to read 

1449
01:23:56,050 --> 01:23:58,050
this text without somebody 
reading it to them. 

1450
01:23:58,490 --> 01:24:01,650
So I say nap, I've heard people 
say G, nap I've heard people say

1451
01:24:01,650 --> 01:24:04,850
nap. 
I've with a soft G I've heard 

1452
01:24:04,850 --> 01:24:06,730
all sorts of things. 
I think they all apply. 

1453
01:24:07,730 --> 01:24:10,250
So yeah, don't. 
Don't apologize for it being 

1454
01:24:10,250 --> 01:24:11,570
different. 
All right. 

1455
01:24:11,570 --> 01:24:13,410
So I have, I have a grace period
there. 

1456
01:24:13,770 --> 01:24:15,010
What? 
So I have a link to that. 

1457
01:24:15,370 --> 01:24:18,330
We'll have a link to cards 
against identity gridlock, 

1458
01:24:18,330 --> 01:24:22,290
Boston, obviously cyclic. 
And then? 

1459
01:24:23,340 --> 01:24:25,700
You kind of told the story a 
little bit earlier during the 

1460
01:24:25,700 --> 01:24:29,940
conversation, but the precious 
cinnamon roll and so The Onion 

1461
01:24:29,940 --> 01:24:32,020
article that that's sort of like
based on as well. 

1462
01:24:32,020 --> 01:24:34,660
So chock full of links. 
Yeah. 

1463
01:24:34,660 --> 01:24:36,380
So that's that's for people to 
look at. 

1464
01:24:37,700 --> 01:24:38,860
Yeah, we're going to leave it 
there. 

1465
01:24:38,940 --> 01:24:41,820
You know, we're on the web, 
idacpodcast.com. 

1466
01:24:41,820 --> 01:24:46,420
We're on Twitter at IDAC 
podcast, we're on Mastodon at 

1467
01:24:46,420 --> 01:24:49,620
IDAC podcast at infosec dot 
exchange. 

1468
01:24:50,170 --> 01:24:52,330
No, we're not on Threads yet. 
I don't know if you ever will 

1469
01:24:52,330 --> 01:24:54,290
be. 
Most of our engagement comes on 

1470
01:24:54,290 --> 01:24:56,890
LinkedIn and Twitter and that's 
probably what we'll stick for 

1471
01:24:56,890 --> 01:24:57,930
now. 
But definitely you can always 

1472
01:24:57,930 --> 01:25:00,050
connect with Jim and I on 
LinkedIn. 

1473
01:25:00,490 --> 01:25:02,250
If you've got questions, send 
them in right. 

1474
01:25:02,250 --> 01:25:05,290
This is our opportunity where we
can get smart people, you know, 

1475
01:25:05,290 --> 01:25:09,010
on the line with us and get some
real expert opinions of some of 

1476
01:25:09,010 --> 01:25:11,090
those stuff. 
So hopefully people enjoy that 

1477
01:25:11,090 --> 01:25:12,570
as well. 
And don't forget about 

1478
01:25:12,570 --> 01:25:15,170
Authenticate. 
So use our conference code it 

1479
01:25:15,210 --> 01:25:17,810
is. 
If I could find it here I DAC. 

1480
01:25:18,370 --> 01:25:22,650
15 podcast, 15% off. 
Hopefully we'll see a lot of 

1481
01:25:22,650 --> 01:25:25,210
friendly faces there. 
Hopefully you'll help us figure 

1482
01:25:25,210 --> 01:25:28,690
out what that live show looks 
like, Jim, when we when we get 

1483
01:25:28,690 --> 01:25:30,170
up on the stage as we kind of go
along. 

1484
01:25:30,170 --> 01:25:33,570
But yeah. 
So Justin, thank you so much for

1485
01:25:33,570 --> 01:25:36,010
your time. 
Jim, thanks for your time and 

1486
01:25:36,010 --> 01:25:37,130
we'll go ahead and leave it 
there. 

1487
01:25:37,410 --> 01:25:39,250
Thanks for listening. 
We'll talk with everyone in the 

1488
01:25:39,250 --> 01:25:41,960
next one. 
You've been listening to 

1489
01:25:41,960 --> 01:25:45,840
Identity at the Center. 
We hope you've enjoyed the show.

1490
01:25:46,040 --> 01:25:50,240
Make sure to like, rate and 
review and we'll be back soon. 

1491
01:25:50,400 --> 01:25:52,680
But in the meantime, hit the 
website at 

1492
01:25:52,680 --> 01:25:59,760
identityatthecenter.com and find 
us on Twitter at IDAC Podcast. 

1493
01:26:00,240 --> 01:26:04,320
See you next time on Identity at
the Center.

