Very High Activity
I Use This!


Analyzed 9 days ago. based on code collected about 1 month ago.
Posted 1 day ago by Mitchell Baker
Today Mozilla is hosting the second meeting of the Digital Economy Board of Advisors of the United States Department of Commerce, of which I am co-chair. Support for the global open Internet is the heart of Mozilla’s identity and strategy. We build ... [More] for the digital world. We see and understand the opportunities it offers, as well as the threats to its future. We live in a world where a free and open Internet is not available to all of the world’s citizens; where trust and security online cannot be taken for granted; and where independence and innovation are thwarted by powerful interests as often as they are protected by good public policy. As I noted in my original post on being named to the Board, these challenges are central to the “Digital Economy Agenda,” and a key reason why I agreed to participate. Department of Commerce Secretary Pritzker noted earlier this year: “we are no longer moving toward the digital economy. We have arrived.” The purpose of the Board is to advise the Commerce Department in responding to today’s new status quo. Today technology provides platforms and opportunities that enable entrepreneurs with new opportunities. Yet not everyone shares the benefits. The changing nature of work must also be better understood. And we struggle to measure these gains, making it harder to design policies that maximize them, and harder still to defend the future of our digital economy against myopic and reactionary interests. The Digital Economy Board of Advisors was convened to explore these challenges, and provide expert advice from a range of sectors of the digital economy to the Commerce Department as it develops future policies. At today’s meeting, working groups within the Board will present their initial findings. We don’t expect to agree on everything, of course. Our goal is to draw out the shared conclusions and direction to provide a balanced, sustainable, durable basis for future Commerce Department policy processes. I will follow up with another post on this topic shortly. Today’s meeting is a public meeting. There will be two live streams: one for the 8:30 am-12:30 pm PT pre-lunch session and one for the afternoon post-lunch 1:30-3:00pm PT. We welcome you to join us. Although the Board has many more months left in its tenure, I can see a trend towards healthy alignment between our mission and the outcomes of the Board’s activities. I’m proud to serve as co-chair of this esteemed group of individuals. [Less]
Posted 1 day ago
A few weeks ago I listened to Hanno Böck talk about TLS version intolerance at the Berlin AppSec & Crypto Meetup. He explained how with TLS 1.3 just around the corner there again are growing concerns about faulty TLS stacks found in HTTP servers ... [More] , load balancers, routers, firewalls, and similar software and devices. I decided to dig a little deeper and will use this post to explain version intolerance, how version fallbacks work and why they’re insecure, as well as describe the downgrade protection mechanisms available in TLS 1.2 and 1.3. It will end with a look at version negotiation in TLS 1.3 and a proposal that aims to prevent similar problems in the future. What is version intolerance? Every time a new TLS version is specified, browsers usually are the fastest to implement and update their deployments. Most major browser vendors have a few people involved in the standardization process to guide the standard and give early feedback about implementation issues. As soon as the spec is finished, and often far before that feat is done, clients will have been equipped with support for the new TLS protocol version and happily announce this to any server they connect to: Client: Hi! The highest TLS version I support is 1.2. Server: Hi! I too support TLS 1.2 so let’s use that to communicate. [TLS 1.2 connection will be established.] In this case the highest TLS version supported by the client is 1.2, and so the server picks it because it supports that as well. Let’s see what happens if the client supports 1.2 but the server does not: Client: Hi! The highest TLS version I support is 1.2. Server: Hi! I only support TLS 1.1 so let’s use that to communicate. [TLS 1.1 connection will be established.] This too is how it should work if a client tries to connect with a protocol version unknown to the server. Should the client insist on any specific version and not agree with the one picked by the server it will have to terminate the connection. Unfortunately, there are a few servers and more devices out there that implement TLS version negotiation incorrectly. The conversation might go like this: Client: Hi! The highest TLS version I support is 1.2. Server: ALERT! I don’t know that version. Handshake failure. [Connection will be terminated.] Or: Client: Hi! The highest TLS version I support is 1.2. Server: TCP FIN! I don’t know that version. [Connection will be terminated.] Or even worse: Client: Hi! The highest TLS version I support is 1.2. Server: (I don’t know this version so let’s just not respond.) [Connection will hang.] The same can happen with the infamous F5 load balancer that can’t handle ClientHello messages with a length between 256 and 512 bytes. Other devices abort the connection when receiving a large ClientHello split into multiple TLS records. TLS 1.3 might actually cause more problems of this kind due to more extensions and client key shares. What are version fallbacks? As browsers usually want to ship new TLS versions as soon as possible, more than a decade ago vendors saw a need to prevent connection failures due to version intolerance. The easy solution was to decrease the advertised version number by one with every failed attempt: Client: Hi! The highest TLS version I support is 1.2. Server: ALERT! Handshake failure. (Or FIN. Or hang.) [TLS version fallback to 1.1.] Client: Hi! The highest TLS version I support is 1.1. Server: Hi! I support TLS 1.1 so let’s use that to communicate. [TLS 1.1 connection will be established.] A client supporting everything from TLS 1.0 to TLS 1.2 would start trying to establish a 1.2 connection, then a 1.1 connection, and if even that failed a 1.0 connection. Why are these insecure? What makes these fallbacks insecure is that the connection can be downgraded by a MITM, by sending alerts or TCP packets to the client, or blocking packets from the server. To the client this is indistinguishable from a network error. The POODLE attack is one example where an attacker abuses the version fallback to force an SSL 3.0 connection. In response to this browser vendors disabled version fallbacks to SSL 3.0, and then SSL 3.0 entirely, to prevent even up-to-date clients from being exploited. Insecure version fallback in browsers pretty much break the actual version negotiation mechanisms. Version fallbacks have been disabled since Firefox 37 and Chrome 50. Browser telemetry data showed it was no longer necessary as after years, TLS 1.2 and correct version negotiation was deployed widely enough. The TLS_FALLBACK_SCSV cipher suite You might wonder if there’s a secure way to do version fallbacks, and other people did so too. Adam Langley and Bodo Möller proposed a special cipher suite in RFC 7507 that would help a client detect whether the downgrade was initiated by a MITM. Whenever the client includes TLS_FALLBACK_SCSV {0x56, 0x00} in the list of cipher suites it signals to the server that this is a repeated connection attempt, but this time with a version lower than the highest it supports, because previous attempts failed. If the server supports a higher version than advertised by the client, it MUST abort the connection. The drawback here however is that a client even if it implements fallback with a Signaling Cipher Suite Value doesn’t know the highest protocol version supported by the server, and whether it implements a TLS_FALLBACK_SCSV check. Common web servers will likely be updated faster than others, but router or load balancer manufacturers might not deem it important enough to implement and ship updates for. Signatures in TLS 1.2 It’s been long known to be problematic that signatures in TLS 1.2 don’t cover the list of cipher suites and other messages sent before server authentication. They sign the ephemeral DH params sent by the server and include the *Hello.random values as nonces to prevent replay attacks: h = Hash(ClientHello.random + ServerHello.random + ServerParams) Signing at least the list of cipher suites would have helped prevent downgrade attacks like FREAK and Logjam. TLS 1.3 will sign all messages before server authentication, even though it makes Transcript Collision Attacks somewhat easier to mount. With SHA-1 not allowed for signatures that will hopefully not become a problem anytime soon. Downgrade Sentinels in TLS 1.3 With neither the client version nor its cipher suites (for the SCSV) included in the hash signed by the server’s certificate in TLS 1.2, how do you secure TLS 1.3 against downgrades like FREAK and Logjam? Stuff a special value into ServerHello.random. The TLS WG decided to put static values (sometimes called downgrade sentinels) into the server’s nonce sent with the ServerHello message. TLS 1.3 servers responding to a ClientHello indicating a maximum supported version of TLS 1.2 MUST set the last eight bytes of the nonce to: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x01 If the client advertises a maximum supported version of TLS 1.1 or below the server SHOULD set the last eight bytes of the nonce to: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x00 If not connecting with a downgraded version, a client MUST check whether the server nonce ends with any of the two sentinels and in such a case abort the connection. The TLS 1.3 spec here introduces an update to TLS 1.2 that requires servers and clients to update their implementation. Unfortunately, this downgrade protection relies on a ServerKeyExchange message being sent and is thus of limited value. Static RSA key exchanges are still valid in TLS 1.2, and unless the server admin disables all non-forward-secure cipher suites the protection can be bypassed. The comeback of insecure fallbacks? Current measurements show that enabling TLS 1.3 by default would break a significant fraction of TLS handshakes due to version intolerance. According to Ivan Ristić, as of July 2016, 3.2% of servers from the SSL Pulse data set reject TLS 1.3 handshakes. This a very high number and would affect way too many people. Alas, with TLS 1.3 we have only limited downgrade protection for forward-secure cipher suites. And that is assuming that most servers either support TLS 1.3 or update their 1.2 implementations. TLS_FALLBACK_SCSV, if supported by the server, will help as long as there are no attacks tampering with the list of cipher suites. The TLS working group has been thinking about how to handle intolerance without bringing back version fallbacks, and there might be light at the end of the tunnel. Version negotiation with extensions The next version of the proposed TLS 1.3 spec, draft 16, will introduce a new version negotiation mechanism based on extensions. The current ClientHello.version field will be frozen to TLS 1.2, i.e. {3, 3}, and renamed to legacy_version. Any number greater than that MUST be ignored by servers. To negotiate a TLS 1.3 connection the protocol now requires the client to send a supported_versions extension. This is a list of versions the client supports, in preference order, with the most preferred version first. Clients MUST send this extension as servers are required to negotiate TLS 1.2 if it’s not present. Any to the server unknown version numbers MUST be ignored. This still leaves potential problems with big ClientHello messages or choking on unknown extensions unaddressed, but according to David Benjamin the main problem is ClientHello.version. We will hopefully be able to ship browsers that have TLS 1.3 enabled by default, without bringing back insecure version fallbacks. However, it’s not unlikely that implementers will screw up even the new version negotiation mechanism and we’ll have similar problems in a few years down the road. GREASE-ing the future David Benjamin, following Adam Langley’s advice to have one joint and keep it well oiled, proposed GREASE (Generate Random Extensions And Sustain Extensibility), a mechanism to prevent extensibility failures in the TLS ecosystem. The heart of the mechanism is to have clients inject “unknown values” into places where capabilities are advertised by the client, and the best match selected by the server. Servers MUST ignore unknown values to allow introducing new capabilities to the ecosystem without breaking interoperability. These values will be advertised pseudo-randomly to break misbehaving servers early in the implementation process. Proposed injection points are cipher suites, supported groups, extensions, and ALPN identifiers. Should the server respond with a GREASE value selected in the ServerHello message the client MUST abort the connection. [Less]
Posted 1 day ago by (Kim Moir)
I've had the opportunity to attend the Beyond the Code conference for the past two years.  This year, the venue moved to a location in Toronto, the last two events had been held in Ottawa.  The conference is organized by Shopify who again managed to ... [More] have a really great speaker line up this year on a variety of interesting topics.  It was a two track conference so I'll summarize some of the talks I attended.   The conference started off with Anna Lambert of Shopify welcoming everyone to the conference.The first speaker was Atlee Clark, Director of App and Developer relations at Shopify who discussed the wheel of diversity. The wheel of diversity is a way of mapping the characteristics that you're born with (age, gender, gender expression, race or ethnicity, national origin, mental/physical ability), along with those that you acquire through life (appearance, education, political belief, religion, income, language and communication skills, work experience, family,  organizational role).  When you look at your team, you can map how diverse it is by colour.  (Of course, some of these characteristics are personal and might not be shared with others).  You can see how diverse the team is by mapping different characteristics with different colours.  If you map your team and it's mostly the same colour, then you probably will not bring different perspectives together when you work because you all have similar backgrounds and life experiences.  This is especially important when developing products.  This wheel also applies to hiring too.  You want to have different perspectives when you're interviewing someone.  Atlee mentioned when she was hiring for a new role, she mapped out the characteristics of the people who would be conducting the hiring interviews and found there was a lot of yellow.So she switched up the team that would be conducting the interviews to include people with more diverse perspectives.She finished by stating that this is just a tool, keep it simple, and practice makes it better.  The next talk was by Erica Joy, who is a build and release engineer at Slack, as well as a diversity advocate.  I have to admit, when I saw she was going to speak at Beyond the Code, I immediately pulled out my credit card and purchased a conference ticket.  She is one of my tech heroes.  Not only did she build the build and release pipeline at Slack from the ground up, she is an amazing writer and advocate for change in the tech industry.   I highly recommend reading everything she has written on Medium, her chapter in Lean Out and all her discussions on twitter.  So fantastic.Her talk at the conference was "Building a Diverse Corporate Culture: Diversity and Inclusion in Tech".  She talked about how literally thousands of companies say they value inclusion and diversity.  However, few talk about what they are willing to give up to order to achieve it.  Are you willing to give up your window seat with a great view?   Something else so that others can be paid fairly?  She mentioned that change is never free.  People need both mentorship and sponsorship in in order to progress in their career.I really liked her discussion around hiring and referrals.  She stated that when you're hire people you already know you're probably excluding equally or better qualified that you don't know.  By default, women of colour are underpaid. Pay gap for white woman, African American women and Hispanic women compared to a white man in the United States. Some companies have referral system to give larger referral bonuses to people who are underrepresented in tech, she gave the example of Intel which has this in place.  This is a way to incentivize your referral system so you don't just hire all your white friends.   The average white American has 91 white friends and one black friend so it's not very likely that they will refer non-white people. Not sure what the numbers are like in Canada but I'd guess that they are quite similar.    In addition, don't ask people to work for free, to speak at conferences or do diversity and inclusion work.  Her words were "We can't pay rent with exposure". Spend time talking to diversity and inclusion experts.  There are people that have spent their entire lives conducting research in this area and you can learn from their expertise.  Meritocracy is a myth, we are just lucky to be in the right place in the right time.  She mentioned that her colleague Duretti Hirpa at Slack points out the need for accomplices, not allies. People that will actually speak up for others.  So people feeling pain or facing a difficult work environment don't have to do all the work of fighting for change.  In most companies, there aren't escalation paths for human issues either.  If a person is making sexist or racist remarks, shouldn't that be a firing offense?  If people were really working hard on diversity and inclusion, we would see more women and people of colour on boards and in leadership positions.  But we don't.She closed with a quote from Beyonce:"If everything was perfect, you would never learn and you would never grow"💜💜💜 The next talk I attended was by Coraline Ada Ehmke, who is an application engineer at Github.  Her talk was about the "Broken Promise of Open Source".  Open source has the core principals of the free exchange of ideas, success through collaboration, shared ownership and meritocracy.However, meritocracy is a myth.  Currently, only 6% of Github users are women.  The environment can be toxic, which drives a lot of people away.  She mentioned that we don't have numbers for diversity in open source other than women, but Github plans to do a survey soon to try to acquire more data.Gabriel Fayant from Assembly of Seven Generation's talk was entitled "Walking in Both Worlds, traditional ways of being and the world of technology".  I found this quite interesting, she talked about traditional ceremonies and how they promote the idea of living in the moment, and thus looking at your phone during a drum ceremony isn't living the full experience.  A question from the audience from someone who worked in the engineering faculty at the University of Toronto was how we can work with indigenous communities to share our knowledge of the technology and make youth both producers of tech, not just consumers.  If everything was perfect, you would never learn and you would never grow.Read more at: everything was perfect, you would never learn and you would never grow.Read more at: next talk was by Sandi Metz, entitled "Madame Santi tells your future".  This was a totally fascinating look at the history of printing text from scrolls all the way to computers.She gave the same talk at another conference earlier so you watch it here.  It described the progression of printing technology from 7000 years ago until today.  Each new technology disrupted the previous one, and it was difficult for those who worked on the previous technology to make the jump to work on the new one.  So according to Sandi, what is your future? What you are working on now probably won't be relevant in 10 years You will all die All the people you love will die Your body will start to fail you Life is short Tell people that you love them Guard your health Spend time with your kids Get some exercise (she loves to bike) We are bigger than tech Community and schools need help She gave the example of Habitat for Humanity where she volunteers These organizations also need help to write code, they might not have the knowledge or time to do it right The last talk I attended was by Sabrina Geremia of Google Canada.  She talked about the factors that encourage a girl to consider computer science (encouragement, career perception, self-perception and academic exposure.) I found that this talk was interesting but it focused a bit too much on the pipeline argument - that the major problem is that girls are not enrolling in CS courses.  If you look at all the problems with environment, culture, lack of pay equity and opportunities for promotion due to bias, maybe choosing a career where there is more diversity is a better choice.  For instance, law, accounting and medicine have much better numbers for these issues, despite there still being an imbalance.At the end of the day, there was a panel to discuss diversity issues: Moderator: Ariti Sharma, Shopify, Panelists: Mohammed Asaduallah, Format, Katie Krepps, Capital One Canada, Lateesha Thomas, Dev Bootcamp, Ramya Raghavan, Google, Kara Melton, TWG, Gladstone Grant, Microsoft Canada Some of my notes from the panel Be intentional about seeking out talent Fix culture to be more diverse Recruit from bootcamps. Better diversity today.  Don't wait for universities to change the ratios. Environment impacts retention Conduct and engagement survey to see if underrepresented groups feel that their voices are being heard. There is a need for sponsorship, not just mentoring.  Define a role that doesn't exist at the company.  A sponsor can make that role happen by advocating for it at higher levels Mentors do better if matched with demographics.  They will realize the challenges that you will face in the industry better than a white man who has never directly experienced sexism or racism. Sponsors tend to be men due to the demographics of our industry At Microsoft, when you reach a certain level your are expected to mentor an unrepresented person Look at compensation and representation across diverse groups Attrition is normal, it varies by region, especially acute in San Francisco. Women leave companies at 2x the rate of men due to culture You shouldn't stay at a place if you are burnt out, take care of yourself. Compared to the previous two iterations of this conference, it seemed that this time it focused a lot more on solutions to have more diversity and inclusion in your company. The previous two conferences I attended seemed to focus more on technical talks by diverse speakers.As a side note, there were a lot of Shopify folks in attendance because they ran the conference.  They sent a bus of people from their head office in Ottawa to attend it.  I was really struck at how diverse some of the teams were.  I met group of women who described themselves as a team of "five badass women developers" 💯 As someone who has been the only woman on her team for most of her career, this was beautiful to see and gave me hope for the future of our industry.   I've visited the Ottawa Shopify office several times (Mr. Releng works there) and I know that the representation of of their office doesn't match the demographics of the Beyond the Code attendees which tended to be more women and people of colour.  But still, it is refreshing to see a company making a real effort to make their culture inclusive.  I've read that it is easier to make your culture inclusive from the start, rather than trying to make difficult culture changes years later when your teams are all homogeneous. So kudos to them for setting an example for other companies.Thank you Shopify for organizing this conference, I learned a lot and I look forward to the next one! [Less]
Posted 1 day ago by Air Mozilla
Three days talks around the Linux Kernel
Posted 1 day ago by David Keeler
In response to recent developments attacking Diffie-Hellman key exchange ( and to protect the privacy of Firefox users, we have increased the minimum key size for TLS handshakes using Diffie-Hellman key exchange to 1023 bits. A ... [More] small number of servers are not configured to use strong enough keys. If a user attempts to connect to such a server, they will encounter the error “ssl_error_weak_server_ephemeral_dh_key”. [Less]
Posted 1 day ago by Air Mozilla
Three days talks around the Linux Kernel
Posted 2 days ago by Air Mozilla
Digital Economy Board of Advisors (DEBA) 2016
Posted 2 days ago by Michał
Hello, SUMO Nation! Change is a constant, and Mozilla is no different. Bigger and smaller changes are coming up across many a project, including SUMO – and we need your help figuring out what they should be like. Learn more about the ways you can ... [More] make us be better below! Welcome, new contributors! Pranav Karakavalasa rajivjhaimin heeralsakrani If you just joined us, don’t hesitate – come over and say “hi” in the forums! Contributors of the week All the forum supporters who tirelessly helped users out for the last week. All the writers of all languages who worked tirelessly on the KB for the last week. All the Social Superheroes – thank you! ComputerWhiz aka Wesley Branton – for his great assistance with a tough user question. You rock! All the Mozilla Brasil community members who organized and took part in the first #MozPizzaSUMOBR – hats off to you all! Airton Cynthia Fabio Geraldo Jaime Jhonatas João Paulo Luiz Samuel Thiago Zilmar Wolfgang We salute you! Don’t forget that if you are new to SUMO and someone helped you get started in a nice way you can nominate them for the Buddy of the Month! SUMO Community meetings LATEST ONE: 28th of September- you can read the notes here and see the video at AirMozilla. NEXT ONE: happening on the 5th of October! If you want to add a discussion topic to the upcoming meeting agenda: Start a thread in the Community Forums, so that everyone in the community can see what will be discussed and voice their opinion here before Wednesday (this will make it easier to have an efficient meeting). Please do so as soon as you can before the meeting, so that people have time to read, think, and reply (and also add it to the agenda). If you can, please attend the meeting in person (or via IRC), so we can follow up on your discussion topic during the meeting with your feedback. Community Help Mozilla choose the new look – take this survey! Reminder: MozFest is a bit more than a month away! Are you going to attend this year? Ongoing reminder #1: if you think you can benefit from getting a second-hand device to help you with contributing to SUMO, you know where to find us. Ongoing reminder #2: we are looking for more contributors to our blog. Do you write on the web about open source, communities, SUMO, Mozilla… and more? Do let us know! Ongoing reminder #3: want to know what’s going on with the Admins? Check this thread in the forum. Platform PLATFORM REMINDER! The Platform Meetings are BACK! If you missed the previous ones, you can find the notes in this document. (here’s the channel you can subscribe to). We really recommend going for the document and videos if you want to make sure we’re covering everything as we go. Several Admins will be meeting with members of the Lithium team to work closely on the platform migration. More updates and questions in this document. Don’t forget about the main migration thread, with the list of areas that can benefit from your input: Roles Gamification: ranks & badges Metrics and measurement Design ideas (1st wave) Forum moderation Shutting down Kitsune If you are interested in test-driving the new platform now, please contact Madalina. IMPORTANT: the whole place is a work in progress, and a ton of the final content, assets, and configurations (e.g. layout pieces) are missing. QUESTIONS? CONCERNS? Use the migration thread to put questions/comments about it for everyone to share and discuss. Social Thank you for the SUMO Day today! It was a record day for the number of people logging in – you rock! The new training for filtering in widgets is available here: – it also shows the new support thread-specific inbox for the dashboard. Some issues popping up nowadays are startup crashes – caused by AVG and WebSense in particular. Inactive accounts may be removed soon, so if you’re still active, please log in this week. If you no longer have an account, please get in touch with Rachel! Want to join us? Please email Rachel and/or Madalina to get started supporting Mozilla’s product users on Facebook and Twitter. We need your help! Use the step-by-step guide here. Take a look at some useful videos: Getting started & replying to users Replying to users (continued) Support Forum Thanks to everyone who participated in last week’s SUMO DAY! We’re still looking for interesting and international examples of … click here ;-) Knowledge Base & L10n We are 5 weeks before next release / 1 week after current release What does that mean? (Reminder: we are following the process/schedule outlined here). No work on next release content for KB editors or localizers  All existing content is open for editing and localization as usual; please focus on localizing the most recent / popular content Since pizza turned out to be a great success, if you have ideas how to virtually gather your l10n team mates, contact me about that! Firefox for Android Version 50 is slated to come out on November 8th. It should bring video viewing and controlling improvements. for Desktop Version 50 (November 8th as well) will bring the following goodies: WebRTS – full duplex audio streams Tracking Protection supporting Do Not Track Electrolysis – e10s RTL for Windows and Mac First e10s sandbox for Mac OS X and Windows Find in page with a mode to search for whole words only New preference for cycling tabs using Ctrl + Tab Improved printing options via the Reader Mode for iOS Still quiet… Keep using 5.0! …and that’s it for this week! Remember that we <3 you all for being there for the users when it matters most! Keep rocking the helpful web! [Less]
Posted 2 days ago by Air Mozilla
Weekly project updates from the Mozilla Connected Devices team.
Posted 2 days ago by sole
I recorded an episode for the WeCodeSign podcast. It’s in Spanish! You can download / listen from their website. We actually talked about more than Web Audio; there’s a list of links to things we mentioned during the episode. From progressive ... [More] enhancement to Firefox’s Web Audio editor, to the old PCMania tracking stories, to Firefox for iOS… lots of things! I was really pleased with the experience. The guys were really good at planning, and did a great job editing the podcast as well (and they use Audacity!). Editando el #podcast de mañana con @supersole sobre Web Audio desde Londres para que esté a tiempo si la "conexión" me deja bajar un archivo — WeCodeSign Podcast (@wecodesign) September 26, 2016 Totally recommended—in fact I suggested that both my fantastic colleague Belén and the very cool Buriticá are interviewed at some point in the future. I’d love to hear what they have to say! Throwback to the last time I recorded a podcast in Spanish–at least this time I wasn’t under a massive cold! [Less]