jacobian Profile picture
mediocre and proud; he/him; some ways I might be able to help you: https://t.co/Yld2KpDrmv
May 5 4 tweets 1 min read
status.heroku.com/incidents/2413…

This appears to be the worst-case scenario: compromise of Heroku’s own core database. I’m afraid this is going to continue to get worse. I won’t be surprised if env vars got popped too. What I’m going to be doing/have done:

- change my account passwords
- reset my totp second factors
- rotate all my database credentials
- rotate all ssl private keys
- invalidate and re-set-up log drains
- audit all my env vars and rotate any secrets

Overkill? Perhaps.
Jan 14 12 tweets 2 min read
A lot of people in my TL are angry about open source orgs not getting invited to the WH OSS Security summit. I normally don't write about OSS any more because I get flamed, but fuck it here goes.

This anger is misdirected and based on serious misunderstandings. 🧵 First, what is this event anyway?

It's not an event where decisions get made. They're mostly about optics and politics, The people who attend — CEOs and other executives, and their Gov't counter-parties — don't do the work. Most barely understand open source or security.
Nov 17, 2021 10 tweets 2 min read
Work sample tests are a critical part of hiring well. But they're a minefield; so easy to build unfair tests.

My new article has the rules I follow to build fair tests. Check it out, or 🧵👇 for the short version: jacobian.org/2021/nov/17/ws… 1. Simulate real work as closely as possible: always use exercises that are close as possible to the real tasks candidates would perform if hired.

Don't ask candidates to do things in tests they'd never have to do in real life. Don't add bullshit requirements like "no googling".
Apr 22, 2021 5 tweets 1 min read
PSA: if you're in tech, know that comp is up A LOT (10% - 50%) over last year. This is most pronounced at FAANG and for Senior-plus level engineering roles, but is true to a lesser extent nearly everywhere I've looked. If you're looking, or thinking about a raise: ask for more. If you'd like a gut check on your salary, or an offer you're looking at, or on what you might ask for: please reach out. I'm happy to share what I'm seeing, and any thoughts specific to you and your role.
Jan 7, 2021 13 tweets 3 min read
So much this. A physical breach is a nightmare scenario for infosec.

On the off-chance that any of my followers are involved in this -- I do have some experience in scenarios like this and would be happy to help. If I can be of assistance hit me up. Just to give folks who aren't in the field an idea what we're talking about:

- we must assume that foreign agents were among the rioters
- snooping devices can be implanted into anything with a power cord
- so every device in the capitol is now a potential foreign asset
Nov 2, 2019 6 tweets 4 min read
THREAD: some marginalia and further reading for folks who attended my #nbpy talk and would like to explore further

👇🏻 On password complexity and rotation:

- Laurie Cranor, the then-Chief Technologist for the FCC, sums up the issues with rotation: ftc.gov/news-events/bl…

- Appendix A of NIST SP 800-83B is a wonderful roundup of how to think about complexity: pages.nist.gov/800-63-3/sp800…
Aug 19, 2019 5 tweets 1 min read
I'm not ashamed to admit that sometimes I miss PHP.

Over 20 years later, and still nobody's even come _close_ to PHP's ease of deployment.

This tweet brought to you by the 3 programming languages and 5 Docker images I need just to run one app. Turns out having what I thought was a mild opinion about web app deployment was an invitation for people to yell at me, assume I'm stupid, or sell me thier Next Great Thing.

Ugh.