Author Archives: bl00

Collaboratively building a service catalog

Posted on by
Reply

As our AppSec team matures, we’re defining our processes and expectations. One of the next things for us to try out is a Service Catalog, where we list what sorts of services we can offer to other teams. Having one is a tool to allow us to plan our work, get better at the work we’ve decided to focus on, and be better partners to engineering. But what should such a catalog look like?

Collecting potential offerings

  1. reviewed the last 10ish requests that came to our team through our various intake portals, classified the request types, where the work happened, and what the output looked like.
  2. put together a form for my reports to continue tracking incoming requests while I was out for a week (yay taking time away!)
  3. hosted a whiteboarding session to collect all the different services team members wanted to offer.

We then took that pile and voted for things in two ways — items that had a deep security impact, and items we thought we were set up for success for. We picked the top 6 and moved them onto the next phase.

Can we handle this?

Wanting to provide a service is one thing. Handling the incoming load is another thing entirely. Luckily, GoFundMe is a pretty transparent company, and I was able to get my hands on the full set of projects Engineering hopes to work on this year, along with what area of focus they’re in (Keep The Lights On, tech debt, new business, etc). For a back-of-the-napkin sketch of commitment load, for each of our offerings we sketched out

  1. How much work it would take us to get into a “refined” spot
  2. How much time we thought we’d spend per instance once in that refined spot
  3. How much coverage we wanted humans to be doing (combination of “most risky 10%” and “automation should handle 30% of this workload for us”)
  4. Which types of projects we thought the offering applied to

I did some spreadsheet magic to generate how much time per sprint we’d end up spending on each of the offerings. In this discussion, we realized one offering was something we wanted to improve our capacity around, but didn’t want to officially offer as it being needed would indicate we had failed to catch something earlier in the lifecycle. Ends up we can handle it, even if we’re wildly successful!

Fitting into the flow

Then it’s a matter of ideal time to offer our services for each of these projects. So we’re setting up automations to detect when a project moves from one phase of our Product Lifecycle to another, so we can proactively reach out.

I’ll also need to shop the catalog around to our partners to be sure we’re offering things that make sense to them and that they see the value in.

Being explicit

We’re now working on being clearer about what each of these offerings means, how to request each one, etc. So far, I think the following are the important bits of information:

  • What it is, and which part of the Product Lifecycle it aligns with
  • What an output looks like and where it lives
  • What to expect (from a human; from AI)
  • How to set yourself up for success
  • Specifics to add to our backlog

Metrics

From all this, we can

  • occasionally track how much time we’re spending on these items
  • measure hit rate of how many projects we covered
  • be intentional about what we’re automating
  • track coverage of security touchpoints across projects and add that to our overall risk assessment

Celebrations and Death

Posted on by
2

I’ve been dealing with a lot of death lately. And while it’s just a part of life, it sure does start to make one think after awhile. So I’m using my birthday as processing time, as I am wont to do. I’m test running my death infrastructure for my birthday this year, and requesting notes from folks.

If you can see this message, it’s because I would want you to be aware of when I die. THIS IS ONLY A TEST — I am fine, everything is good, I’m just an elder goth now and I like to plan everything, even death. 

This is an experiment with bureaucracy and documentation. As you know, I love LARPing Serious Business. I am doing a test run of the systems that would announce my death to the many beautiful communities I’ve had the honor of being a part of. If it was logistically difficult to get this message, when you’d want to get it, let’s improve that process — reach out. If it was emotionally hard for you to get this message, this event is probably not for you, and I’d love to see you in another context some other time soon.

On April 18th at 16:30 PT / 19:30 ET, I’m hosting a time to talk about preparing for death (not dying — they’re different. We’ll talk about ceasing to exist, not how you want to be treated while going through a however-long process of getting there). We’ll take about an hour to talk through digital estate planning (a passion of mine), and then we’ll also have some time to talk about any feelings folks might have had about thinking about death. We’ll be at this link at that time.

Selfishly this year, I’d also love notes about what we mean to each other. One of the things that’s come up time and again at the wakes I’ve been attending is wishing to have said some things before the option was no longer there. Let’s say those things to each other. I’m not looking to be shrouded or to do a mock service, I’m looking for open and honest views of who we are together. Roasting, power points, and poetry all lovingly accepted. Email to me, please, so I can label and revisit.

You do not have to do both, or either, if they’re not your cup of tea.

If you would prefer to learn about my death from an email instead of a social media post, please get me your email address and I’ll add you to the mailing list. That will be posted to before social media posts go up.

Looking forward to being inappropriately morbid with you. 

[un]prompted review

Posted on by
2

I’m excited to be going to conferences again, after 5 years of not really doing any. I like the thrum of so many people in one place, conversations with random folks in the lunch line, and seeing old friends. The one I went to this week was [un]prompted, about the overlap of AI and security. I saw some tried and true exploits brought to new scale with AI, and I heard about a lot of potential routes to securing existing code bases with AI. I also saw a fair amount of what I’d call “put a bird on it” approaches to AI.

I’m walking away with two big questions (beyond the preexisting “where is all this energy coming from?” and “how does wealth redistribution work with these new models?”), one about complexity and the other about trustworthiness.

What complexity is worth taking on?

Mudge, I think somewhat famously, long ago pointed out that exploits were happening nonlinearly, becoming more likely the larger and more complex a codebase became. In contrast, the exploits themselves were remaining steadily small. So one of my sniff tests now for how load bearing a system can be has to do with how complex and tested it is.

The technical talks I saw at [un]prompted had to do with increasing complexity, not decreasing it. It piles MORE layers on, it doesn’t remove the unknown or unnecessary. The closest I saw to removing complexity were analysis of proliferated documentation to come up with a summary and a (new) single source of truth. I’d like to see more adventures in “cheap” refactors that simplify and streamline code bases.

I’m the vendor now

The conference organizers did a fabulous job on many fronts, but they did not do a good job of stopping sales pitches from happening on stage. So many of these amounted to “your vendor for $thing is slow and doesn’t meet your needs, but ✨our AI can solve this for you✨” which is just so boring. 

Beyond being boring, however, I truly wonder how we can trust any of these providers to not inject backdoors (intentionally or otherwise) when their values so clearly scream that they’re open for business on every front. So saying “hey just ask for what you want and trust the outputs!” seems shady AF. And if we do what some suggested, of making agents fully autonomous, we wouldn’t ever have cause to pause and reflect (let alone catch) this happening.

What I am interested in using these things for

I’m interested in reviewing code humans don’t have time for. Several of the better talks shared the goal of complete code coverage. I’m also interested in putting in guidance and nudges towards doing better work (either from humans or from robots), rather than adding layers on other layers. I’m interested in help for what we know needs doing, and investigations in formats that humans are bad at and machines are good at.

From this conference, I’m now prepared to spend even more time on evaluation than I expected to (50% after baseline systems are in place). And I have new ways of talking about where to interject to inspect the system instead of just trusting it’s working.

I now have more supporting evidence for continuing to think that a workflow or premise needs to be figured out before automation, which happens before AI tooling. And that organizational structures need to allow for this happening at a deep layer, not as something that gets tacked on later as an afterthought.

It also seems like we’re moving away from “zero click attacks” towards “zero user intervention attack” – what can we get agents to do without you noticing?

Decision Making and Economics

Posted on by
Reply

I have this Future Shape in my head and in my heart, that I’ve long meant to share, but haven’t quite known how. I met Asya, and we got into a good conversation, and so now seems as good a time as any to talk about it. She helped me flesh this post out with more detail and deeper dives.

I don’t think there’s one solution when it comes to what economics style we should have, or what governance should look like. Like I drafted way back when, a “mixed mode system” is where it’s at instead.

Decision making

Distributed systems are good at last-mile logistics, nuance, and fast decision making. They are not good at doing simple things at scale. So for actual implementation and innovation, I think distributed networks are where it’s at.

Hierarchical systems are good at making simple decisions at scale. So good for North Star guidance and things you want to take a socialist approach with. That might include assurance of human-rights-shaped things like

Continue reading

On not being enough

Posted on by
Reply

The world has been offering ample opportunities to test my newfound comfort with being uncertain about if I’m “enough,” if I’m “adding value,” etc.

There’s this thing my favorite old therapist introduced me to, of “unanswerable questions.” It’s like.. no matter how much data you get about people loving you, you’re still like “guess we’ll never know if I’m lovable or not.” Mine has long been about if I’m bringing value or not, which has put me at risk of abusive relationships as I’m easy to tear down in that way. But I’ve been working hard on therapy and on self-love, and I think I’ve come a pretty long way on this front in recent years.

My first glimpse at doing better at this was getting feedback while at Apple that I was successfully selecting which things to half-ass and which things to full-ass. After all, we can’t get all the things done all the time, and some things only need some of our attention. Sometimes, our full attention can actually be detrimental to a project, and can inhibit others’ ability to grow.

But on Sunday February 15th, I had two things happen, either of which might have previously completely destroyed me, and now I’m just kind of fine with both having happened on the same day.

Continue reading

So you want your own surveillance…

Posted on by
Reply

Mark wrote up this piece that is relevant to our neighborhood, but didn’t have a good spot to post it, so we’re sticking it here.

Very understandable. I had a random person walk into my backyard a few months ago, uninvited and unwelcome. That made my family want a little more visibility into our home when we were not there or when our kids were home by themselves. So I’m with you. Let’s get cameras. There are so many cameras, and systems, and oh my! What to do?

Considerations

Continue reading

Coming from a family of alcoholics (4 months in)

Posted on by
Reply

This is the second of three checkins during 6 months of not drinking. The first was written 2 months in, this is being written 4 months in.

Things that have changed since last checkin

I’m pretty happy just not drinking. Sure, there are times and days that it would be really nice to crack open a cold cider, but I’m actually doing pretty well not drinking. The bees mentioned in the first post have subsided in most cases, and been dealt with in other ways for the other times. It’s nice.

Mother in law found a great NA wine that doesn’t just taste like fruit juice. It’s still not good wine, but it is tolerable for a mild wine snob to have a treat.

The data

Overall, I’m getting more of what I want out of not drinking. While this data is skewed because I knew I wasn’t getting everything I wanted out of my relationship to alcohol before this experiment, it’s still wild to see the move from 15 to 40% in a positive experience, and to even see a “strongly positive” experience show up a few times.

Image is described in blog post above
Continue reading

My beloved Lantern Library

Posted on by
1

Many years ago, I was carving jack-o-lanterns in an anarchist house in the Boston area. The friend who had invited me wandered over and suggested we check out the basement. Not my favorite for Halloween times (I don’t enjoy being scared), but this friend is gentle and so I went with her into the aforementioned basement.

It was full of books.

And this was not a small basement.

Shelves upon shelves of radical literature.

And then I met James, the person who had compiled the library. When the anarchist who owned the house had moved away, they had said folks could continue living in anarchist glory in the house, so long as James could also remain there. James was maybe in his 70s when I met him, and had been collecting and organizing books during his tenure at the house. They were organized for radicals — different flavors of anarchism, different ways capitalism fails, lots and lots of ephemera.

But James knew he was getting older, and he wanted his collection to survive him — not just the books themselves, but also how well organized they were. So I tapped into my network and we found some passionate open source folks and librarians who wanted to help index the library. We got all the books scanned so James could offer the library up to a new home as one collection.

James took his first ever selfie with me while we were doing this. He’s dear to my heart.

He’s found a new home for the collection. But shipping books is expensive. So James is doing a fundraiser to get the books to their new radical home where radical folks can make use of his decades’ worth of work.

If you also want to touch this amazing resource, and help it on its way, you can do so here.

The value of thoughts

Posted on by
Reply

I have this sweetie who also adores sci-fi books. We were on a bike ride at some point, and he asks if I’ve read There is No Antimemetics Division. I reply that I have not, and he offers to give me his copy (he knows I prefer reading paper copies in bed even though I love a good Creative Commons story even more, and self-published copies are also a way to support the author). I say yes. I read it, it’s delightful, I find the ending a bit flat because it’s antithetical to how the rest of the book went, BUT it’s still very good and I’m glad I read it. I stick it somewhere as a book I like enough to want to share with other folks if they spot it.

I suggest Reed also read it. He picks it up and likes it so much he also gets a copy for his brother for Christmas. The new copy is different, a hardback, and the main character’s name seems to have changed. That’s ok, sometimes there are further editions of things, must meant the author is doing well.

Reed comes to me and says “hey do you still have your copy?” and I reply that yet I do unless I stuck it in the LFL. He tells me it’s now worth $500. Apparently the bitcoin bros have found out about it and want copies of the first self-published run.

Willow's new albatross, a paperback copy of There Is No Antimemetics Division, now somehow kept in a plastic bag.

Now, I have some Feelings on this. Mainly that it’s under Creative Commons and so you can just get the actual words for free, and so wanting this particular printed version is pure status signaling, which is not a thing I think you should be able to be able to come to via money. I’m a goth punk kid from the Midwest where people didn’t even WANT to pretend to be like us, who then moved to bigger cities where having stuck to that background made you “cool” and so there were lots of folks adopting the trappings without the values alignment (history is something you can always build).

But also, I’m doing a bunch of stuff in my neighborhood out of my own pocket and I don’t like asking my neighbors to throw in to help cover the costs, and this book could now cover nearly all of the radios I just got for all of us. And that would be nice, and it’s ridiculous to throw money at something that’s literally freely available.

So I’ve offered to give the copy back to the sweetie who gave it to me. Philosophy is not my favorite place to be trapped.

Saying the quiet part out loud : a missing stair

Posted on by
1

The only other time I’ve written something like this was 10 years after leaving an abusive relationship, to describe what it was like to try to get over it and how I still carried it with me in some ways. I tried hard to be compassionate to Corey, even then. I’m less interested in being compassionate in this post about Gunner. Corey at least had youth to pin things on, could still possibly change. I have sat down with Gunner to talk to him about all this, and while he didn’t get defensive in the moment, it seems he’s up to his old games still, I’ve offered to meet with him again, and I’m frankly pretty sick of this dead weight on the tech justice space.

I had written a very long-form thing to get all my feels out. Receipts there if you ask me for a password and agree not to share outwards, but it boils down to this: Gunner is pathologically unable to move from ideation space into execution, and does this at very high cost to the marginalized people he surrounds himself with, who have built their prior careers on being able to execute. Gunner has a great nose for potential, and taps into that potential, but then absolutely destroys your potential if you try to realize your dreams around him. He does this while making it your fault. This tendency has slowed (stopped, in some cases) the social justice technology space he is involved with. We no longer have time for this, and so I’m deciding to speak up.

I am confident enough of this that I will buy you dinner, wherever you are, with or without my company, to talk through it if you have hard data to the contrary. This only applies to people of a marginalized identity, not other white dudes or people in a funding position; and must be about executing on something, not just the ideation stage.

This is not a call to cancel someone. This is a call to be cautious about what sorts of ideas you bring to him, and what sorts of work you try to do with him.