Category Archives: GoFundMe

[un]prompted review

Posted on by
1

I’m excited to be going to conferences again, after 5 years of not really doing any. I like the thrum of so many people in one place, conversations with random folks in the lunch line, and seeing old friends. The one I went to this week was [un]prompted, about the overlap of AI and security. I saw some tried and true exploits brought to new scale with AI, and I heard about a lot of potential routes to securing existing code bases with AI. I also saw a fair amount of what I’d call “put a bird on it” approaches to AI.

I’m walking away with two big questions (beyond the preexisting “where is all this energy coming from?” and “how does wealth redistribution work with these new models?”), one about complexity and the other about trustworthiness.

What complexity is worth taking on?

Mudge, I think somewhat famously, long ago pointed out that exploits were happening nonlinearly, becoming more likely the larger and more complex a codebase became. In contrast, the exploits themselves were remaining steadily small. So one of my sniff tests now for how load bearing a system can be has to do with how complex and tested it is.

The technical talks I saw at [un]prompted had to do with increasing complexity, not decreasing it. It piles MORE layers on, it doesn’t remove the unknown or unnecessary. The closest I saw to removing complexity were analysis of proliferated documentation to come up with a summary and a (new) single source of truth. I’d like to see more adventures in “cheap” refactors that simplify and streamline code bases.

I’m the vendor now

The conference organizers did a fabulous job on many fronts, but they did not do a good job of stopping sales pitches from happening on stage. So many of these amounted to “your vendor for $thing is slow and doesn’t meet your needs, but ✨our AI can solve this for you✨” which is just so boring. 

Beyond being boring, however, I truly wonder how we can trust any of these providers to not inject backdoors (intentionally or otherwise) when their values so clearly scream that they’re open for business on every front. So saying “hey just ask for what you want and trust the outputs!” seems shady AF. And if we do what some suggested, of making agents fully autonomous, we wouldn’t ever have cause to pause and reflect (let alone catch) this happening.

What I am interested in using these things for

I’m interested in reviewing code humans don’t have time for. Several of the better talks shared the goal of complete code coverage. I’m also interested in putting in guidance and nudges towards doing better work (either from humans or from robots), rather than adding layers on other layers. I’m interested in help for what we know needs doing, and investigations in formats that humans are bad at and machines are good at.

From this conference, I’m now prepared to spend even more time on evaluation than I expected to (50% after baseline systems are in place). And I have new ways of talking about where to interject to inspect the system instead of just trusting it’s working.

I now have more supporting evidence for continuing to think that a workflow or premise needs to be figured out before automation, which happens before AI tooling. And that organizational structures need to allow for this happening at a deep layer, not as something that gets tacked on later as an afterthought.

It also seems like we’re moving away from “zero click attacks” towards “zero user intervention attack” – what can we get agents to do without you noticing?

The first 30 days

Posted on by
1

I’ve now been at GoFundMe for 30 days! Hooray! In an act of reestablishing how I like to learn and share, I asked if I could write blog posts about my experiences in learning to manage, and got a thumbs-up. Here’s what I’ve gotten up to!

Setting up support

There are a bunch of lovely folk in my life who I respect who also manage. I have put them into a Signal thread where I can ask questions. Yes, they’re all pretty spicy and I’m worried about the fights that might happen. Yes, also I have slept with all of them. Yes, it’s already proven pretty invaluable.

I also asked explicitly for a mentor at GFM who’s established there and could counter balance what I have blind spots in. I’ve been set up with someone and we’re off to a good start.

Read a fucking book

There’s a lot to read out there (and I’m making my way through a fair amount of it, mostly recommended by an infosec Slack I’m in), but I also wanted a focused book for this time. My brother recommended The First 90 Days and it’s been REALLY good so far. The parts that are useful are really useful, the parts that are less useful are easy to skip over.

So far, I’ve learned to separate out focus areas into political, cultural, and technical things, and to check in with those around me about which lane I should be focused in most. I’ve also learned to think about if folks are better at sustaining or being a hero, and at what stage of a business. This is all helping as I get to know new folks, I can plug them into my little database of people.

Get to know the people

I’m not just paying attention to the folks that report to me, or the people further up in the chain. I’m also getting to know peers near and far. As we talk, I ask each person if there’s anyone else I should be talking to. Sometimes they have someone not already on my list, but often not. I take notes and structure the data so we can start our next conversation in a more advanced place. Plus, it’s way better to say hello to someone BEFORE something is on fire.

Hack my own tendencies

The first while at a new job should be about learning the terrain and people. Learning what not to step in. Learning root causes to what might seem like disparate problems.

Problem is, if I don’t have a thing to do, I will FIND something to do, and that’s not great for this period of onboarding. So I have found a low-stakes project that touches a lot of what I’m getting up to, plus some interactions with nearby teams, in order to give me a thing to focus on while I move more slowly elsewhere. You probably guessed this, but I’m organizing our documentation and starting to come up with a stronger onboarding story.

Start to make a plan

I’ve started laying out where I think we are, and where I think we can get to next. I’m waiting to bring this to my reports until I have it pretty well dialed in and have broad categories in place. I want a strong story to tell. But I am testing bits and pieces for readiness and accuracy in most conversations I’m having, regardless of with who.

I’m excited! This seems to be really promising.