[un]prompted review

I’m excited to be going to conferences again, after 5 years of not really doing any. I like the thrum of so many people in one place, conversations with random folks in the lunch line, and seeing old friends. The one I went to this week was [un]prompted, about the overlap of AI and security. I saw some tried and true exploits brought to new scale with AI, and I heard about a lot of potential routes to securing existing code bases with AI. I also saw a fair amount of what I’d call “put a bird on it” approaches to AI.

I’m walking away with two big questions (beyond the preexisting “where is all this energy coming from?” and “how does wealth redistribution work with these new models?”), one about complexity and the other about trustworthiness.

What complexity is worth taking on?

Mudge, I think somewhat famously, long ago pointed out that exploits were happening nonlinearly, becoming more likely the larger and more complex a codebase became. In contrast, the exploits themselves were remaining steadily small. So one of my sniff tests now for how load-bearing a system can be has to do with how complex and tested it is.

The technical talks I saw at [un]prompted had to do with increasing complexity, not decreasing it. It piles MORE layers on; it doesn’t remove the unknown or unnecessary. The closest I saw to removing complexity was analysis of proliferating documentation to come up with a summary and a (new) single source of truth. I’d like to see more adventures in “cheap” refactors that simplify and streamline code bases.

I’m the vendor now

The conference organizers did a fabulous job on many fronts, but they did not do a good job of stopping sales pitches from happening on stage. So many of these amounted to “your vendor for $thing is slow and doesn’t meet your needs, but ✨our AI can solve this for you✨” which is just so boring.

Beyond being boring, however, I truly wonder how we can trust any of these providers to not inject backdoors (intentionally or otherwise) when their values so clearly scream that they’re open for business on every front. So saying “hey just ask for what you want and trust the outputs!” seems shady AF. And if we do what some suggested, of making agents fully autonomous, we wouldn’t ever have cause to pause and reflect (let alone catch) this happening.

What I am interested in using these things for

I’m interested in reviewing code humans don’t have time for. Several of the better talks shared the goal of complete code coverage. I’m also interested in putting in guidance and nudges towards doing better work (either from humans or from robots), rather than adding layers on other layers. I’m interested in help for what we know needs doing, and investigations in formats that humans are bad at and machines are good at.

From this conference, I’m now prepared to spend even more time on evaluation than I expected to (50% after baseline systems are in place). And I have new ways of talking about where to interject to inspect the system instead of just trusting it’s working.

I now have more supporting evidence for continuing to think that a workflow or premise needs to be figured out before automation, which happens before AI tooling. And that organizational structures need to allow for this happening at a deep layer, not as something that gets tacked on later as an afterthought.

It also seems like we’re moving away from “zero click attacks” towards “zero user intervention attacks” – what can we get agents to do without you noticing?

Saying the quiet part out loud: a missing stair

The only other time I’ve written something like this was 10 years after leaving an abusive relationship, to describe what it was like to try to get over it and how I still carried it with me in some ways. I tried hard to be compassionate to Corey, even then. I’m less interested in being compassionate in this post about Gunner. Corey at least had youth to pin things on, could still possibly change. I have sat down with Gunner to talk to him about all this, and while he didn’t get defensive in the moment, it seems he’s up to his old games still. I’ve offered to meet with him again, and I’m frankly pretty sick of this dead weight on the tech justice space.

I had written a very long-form thing to get all my feels out. Receipts there if you ask me for a password and agree not to share outwards, but it boils down to this: Gunner is pathologically unable to move from ideation space into execution, and does this at very high cost to the marginalized people he surrounds himself with, who have built their prior careers on being able to execute. Gunner has a great nose for potential, and taps into that potential, but then absolutely destroys your potential if you try to realize your dreams around him. He does this while making it your fault. This tendency has slowed (stopped, in some cases) the social justice technology space he is involved with. We no longer have time for this, and so I’m deciding to speak up.

I am confident enough of this that I will buy you dinner, wherever you are, with or without my company, to talk through it if you have hard data to the contrary. This only applies to people of a marginalized identity, not other white dudes or people in a funding position; and must be about executing on something, not just the ideation stage.

This is not a call to cancel someone. This is a call to be cautious about what sorts of ideas you bring to him, and what sorts of work you try to do with him.

The first 30 days

I’ve now been at GoFundMe for 30 days! Hooray! In an act of reestablishing how I like to learn and share, I asked if I could write blog posts about my experiences in learning to manage, and got a thumbs-up. Here’s what I’ve gotten up to!

Setting up support

There are a bunch of lovely folk in my life who I respect who also manage. I have put them into a Signal thread where I can ask questions. Yes, they’re all pretty spicy and I’m worried about the fights that might happen. Yes, also I have slept with all of them. Yes, it’s already proven pretty invaluable.

I also asked explicitly for a mentor at GFM who’s established there and could counterbalance my blind spots. I’ve been set up with someone and we’re off to a good start.

Read a fucking book

There’s a lot to read out there (and I’m making my way through a fair amount of it, mostly recommended by an infosec Slack I’m in), but I also wanted a focused book for this time. My brother recommended The First 90 Days and it’s been REALLY good so far. The parts that are useful are really useful, the parts that are less useful are easy to skip over.

So far, I’ve learned to separate out focus areas into political, cultural, and technical things, and to check in with those around me about which lane I should be focused in most. I’ve also learned to think about whether folks are better at sustaining or being a hero, and at what stage of a business. This is all helping as I get to know new folks: I can plug them into my little database of people.

Get to know the people

I’m not just paying attention to the folks that report to me, or the people further up in the chain. I’m also getting to know peers near and far. As we talk, I ask each person if there’s anyone else I should be talking to. Sometimes they have someone not already on my list, but often not. I take notes and structure the data so we can start our next conversation in a more advanced place. Plus, it’s way better to say hello to someone BEFORE something is on fire.

Hack my own tendencies

The first while at a new job should be about learning the terrain and people. Learning what not to step in. Learning root causes to what might seem like disparate problems.

Problem is, if I don’t have a thing to do, I will FIND something to do, and that’s not great for this period of onboarding. So I have found a low-stakes project that touches a lot of what I’m getting up to, plus some interactions with nearby teams, in order to give me a thing to focus on while I move more slowly elsewhere. You probably guessed this, but I’m organizing our documentation and starting to come up with a stronger onboarding story.

Start to make a plan

I’ve started laying out where I think we are, and where I think we can get to next. I’m waiting to bring this to my reports until I have it pretty well dialed in and have broad categories in place. I want a strong story to tell. But I am testing bits and pieces for readiness and accuracy in most conversations I’m having, regardless of with whom.

I’m excited! This seems to be really promising.

Lying to people about time

I’m not a good liar. I don’t enjoy it, although I seem to be good at it when the need has arisen. Games like Werewolf frankly make me sick to my stomach and I play up how much I don’t want to lie as a mechanic for when I do have to lie in those games. However, in two areas of my life, I lie my ass off: facilitation and program management. But I only lie about one thing in both of these contexts: time.

Most people need to feel a sense of urgency in order to get anything done, and also a sense of spaciousness to really be thoughtful about outcomes. Both of these are necessary to facilitate a good conversation, and both are necessary to help guide a project well. It’s a balance navigated with nuance, intuition, and experience.


How I think about retrospectives

I believe in self-improving systems, and retrospectives are a core way of reflecting and then changing behavior accordingly. There’s a lot out there on what a retrospective is, formats to use, and other techniques, so I’ll just highlight my facilitation thoughts on them here. This is influenced by the CAST handbook and my own facilitation background.

Must be blame-free / a psychologically safe space

People will not open up and be actually present and interrogative if they don’t feel safe. It is your responsibility when setting up, facilitating, and debriefing to make sure the system is what is being critiqued, not the humans within it. The humans made the best possible choice they could given the circumstances they were in, so let’s change the circumstances in the future. Make this explicit early and often. As Charity says on the sticker on my megaphone, “communicate positive intent.”

A picture of a megaphone focused on a sticker in Lisa Frank obnoxiously bright styling, "communicate positive intent." Additional stickers that are visible are the Priceless Baroot, the edge of a pleading taco emoji, and one that seems to read "...necessarily a crime."

Must be scoped well

If people don’t know what they’re talking about, they won’t talk about the same thing, and getting to concrete outcomes will become nearly impossible. Focus on a specific project, timeline, or outcome. Communicate this early and often.

Should encourage creative thinking

Whatever format you pick should be mildly novel (not so novel that it disrupts how people approach things, but novel enough to edge them out of their comfort zone). Use a different prompt set or a different tool, but rarely both at the same time. Ask more of people to engage and challenge them into someplace new.

Needs to lead to concrete, actionable tweaks

If you don’t arrive at experiments that will change how you’re behaving, you have wasted everyone’s time. I like to set aside about 1/4 of the time of the retro to listing, refining, and then selecting one or two of these experiments. I ask the following questions:

  • What will change if we take this action?
  • What would prevent us from making the change?
  • How will we know if we’re successful or not?
  • When should we check back?
  • What is our next step, and who is responsible for it?

I only pick up 1-3 concrete steps to take after each retro. I track them just like any project, and I report back on them before the next retro to show that the time and vulnerability are worth it.

One goal should be building trust with the team

A core part of the system is team trust, and in improving the system, we should be focused on building that part of it. By being blame free, enacting suggestions, and pushing people to engage more, we build that trust. If something about the retro process is eroding trust, pause and reassess your approach.

Historical income

So I found some of my old tax documents and figured I’d map what the income trajectory has been like for me since I started working at 16. I often held 2-3 jobs at a time before moving into a nonprofit career, and later decided I was tired of the constant stress of paying rent and moved to the private sector.

Chart of income over time, boxed out for what was going on in life at certain points. Boiled-down summary follows in blog post.
Moving to full time work with an undergrad degree 3-4x’d my income.
Moving from jobs to a career tripled it.
Moving to the private sector doubled that again.
Leveling up to senior increased by about 50%.

The job hunt

So I’ve just signed to start in mid-December as the manager of the AppSec team at a well-known platform. I’m REALLY excited for this for many reasons I’ll get into after I’ve actually started and it feels real. I’m really excited to be able to talk about this part of my life again.

I’ll do a separate post about how I structured my consulting because that’s its own fun setup, but I wanted to take a moment here to talk about how grueling the job hunt is right now and to offer some scaffolding, because being intentional about things is how I stay sane when in a chaotic situation.

This is long because I have a lot to say on keeping track, experiments in approach, and what actually worked this time.

Resources mentioned in here:

  1. Job hunt tracking spreadsheet
  2. Sankey HTML file and associated page/image
  3. Financial burn-down spreadsheet

Dimming my own light

I’ve always enjoyed being under the influence. Whether alcohol or more illicit things, I usually have a good time, even when the times aren’t particularly good.

This is absolutely not a “drugs are bad” post. I still enjoy drugs (including alcohol), in the right context. More research is being done on the usefulness of drugs ranging from run-of-the-mill THC to ketamine to hallucinogens. No, this post is about why I used a specific drug to dim my own light (by which I mean “exercising my mind and expecting great things from other people exercising theirs”), where it got me to, and where I’m at now.


Distributed playbook

While I was at Truss, I helped move us from a dozen people in the Bay Area to nearly a hundred across 20 states. Through monthly meetings to run experiments in improving our practices, we came up with the Distributed Playbook. It’s since changed format enough that I missed the original version, so I’ve ported it over from Github to a page on this blog. It and the onboarding guide are two of the things of which I’m most proud from my time at Truss. Hope they can help you out, too!