jacobian Profile picture
14 Jan, 12 tweets, 2 min read
A lot of people in my TL are angry about open source orgs not getting invited to the WH OSS Security summit. I normally don't write about OSS any more because I get flamed, but fuck it here goes.

This anger is misdirected and based on serious misunderstandings. 🧵
First, what is this event anyway?

It's not an event where decisions get made. They're mostly about optics and politics, The people who attend — CEOs and other executives, and their Gov't counter-parties — don't do the work. Most barely understand open source or security.
These types of events _can_ be important, but really only as the very beginning of any real work. In the best case these events merely create the political top-cover for people in the trenches to do the work.
But the other part that people don't understand — and here's where I'm afraid of getting flamed — is the reason open source organizations weren't invited to this kind of event is entirely because these open source organizations just don't know how to engage in politics like this.
The people who come to these events are expected to make big broad commitments on behalf of their organization. Its these commitments that create that political top-cover. Without them it's ALL optics, all heat, no light.
And open source organizations are woefully ill-equipped to make these sorts of broad commitments. We don't have executives; we have boards and members and communities. We take AGES to agree on anything, and don't have people who can speak to us.
Take the PSF: (a) who at the PSF could speak with authority on behalf of the entire Python community and (b) how would they ensure follow-through?

It's not just the PSF; every OSS org I know is like this. Our greatest strength — community — is a weakness in this case.
Anger at the White House for not inviting the PSF or OSI or whoever is misplaced. If we want organizations that can join these rarefied circles, we need new kinds of organizations.
BUT! As I said, these events, when they work, are just the beginning of the real work. And there's good news there: there are some really smart and dedicated public servants at the White House and elsewhere in the gov't who are working on this. Many are my friends.
It'll be easier to engage at the individual level, so don't write the government off because of one weird event. There's a lot we could do, if open source communities can figure out better ways to work with the government.
If we want make progress here, we need leadership that's thinking about how we want to engage. What do we want from governments? Money? Regulation? Policies? Do we know how to ask for those things, and to get what we want when Facebook tries to block us?
Open source communities and government agencies will struggle to speak the same language; the anger over this event shows this. Open source communities need leaders who can bridge this gap. If I'm honest, I don't think we do.

Please prove me wrong.


• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with jacobian

jacobian Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jacobian

17 Nov 21
Work sample tests are a critical part of hiring well. But they're a minefield; so easy to build unfair tests.

My new article has the rules I follow to build fair tests. Check it out, or 🧵👇 for the short version: jacobian.org/2021/nov/17/ws…
1. Simulate real work as closely as possible: always use exercises that are close as possible to the real tasks candidates would perform if hired.

Don't ask candidates to do things in tests they'd never have to do in real life. Don't add bullshit requirements like "no googling".
2. Limit work sample tests to less than 3 hours. Be explicit about that time-box. Asking more than that is unfair.
Read 10 tweets
22 Apr 21
PSA: if you're in tech, know that comp is up A LOT (10% - 50%) over last year. This is most pronounced at FAANG and for Senior-plus level engineering roles, but is true to a lesser extent nearly everywhere I've looked. If you're looking, or thinking about a raise: ask for more.
If you'd like a gut check on your salary, or an offer you're looking at, or on what you might ask for: please reach out. I'm happy to share what I'm seeing, and any thoughts specific to you and your role.
To give one specific example: I know of a few people — staff-plus engineers; director-plus managers — making over $1M in total comp. These are outliers, but before 2021 I'd only heard of those much at those levels once or twice; now I know of at least a half-dozen.
Read 5 tweets
7 Jan 21
So much this. A physical breach is a nightmare scenario for infosec.

On the off-chance that any of my followers are involved in this -- I do have some experience in scenarios like this and would be happy to help. If I can be of assistance hit me up.
Just to give folks who aren't in the field an idea what we're talking about:

- we must assume that foreign agents were among the rioters
- snooping devices can be implanted into anything with a power cord
- so every device in the capitol is now a potential foreign asset
So, just for starters:

- all computers need to be inventoried, inspected inside and out, and the OS paved/rebuilt
- keyboards, mice, &c might now have implants, they probably should be tossed (see eg keelog.com/forensic-keylo… which looks like a usb cable but is in fact a logger)
Read 13 tweets
2 Nov 19
THREAD: some marginalia and further reading for folks who attended my #nbpy talk and would like to explore further

On password complexity and rotation:

- Laurie Cranor, the then-Chief Technologist for the FCC, sums up the issues with rotation: ftc.gov/news-events/bl…

- Appendix A of NIST SP 800-83B is a wonderful roundup of how to think about complexity: pages.nist.gov/800-63-3/sp800…
On issues of usability vs security:

- Sydney Dekker, _The Field Guide To Human Error_: amazon.com/Field-Guide-Un… - a must-read IMO

- @Pinboard's _What I learned Trying to Secure Congressional Campaigns: idlewords.com/2019/05/what_i…
Read 6 tweets
19 Aug 19
I'm not ashamed to admit that sometimes I miss PHP.

Over 20 years later, and still nobody's even come _close_ to PHP's ease of deployment.

This tweet brought to you by the 3 programming languages and 5 Docker images I need just to run one app.
Turns out having what I thought was a mild opinion about web app deployment was an invitation for people to yell at me, assume I'm stupid, or sell me thier Next Great Thing.

The thing that boggles my mind is how people just assume no nuance whatsoever. Most replies seem to think that I don't get that there are good reasons things got more complex, or that I don't know there are downsides to yolo editing in production, or etc.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!