Personality shift

Something has shifted deeply for me over the last 5ish years, which I think merits calling out for folks who have known me for a long time. I’m eager to hear how this has landed with folks, especially as part of a birthday missive. However, so many things have changed in the last 5ish years that it’s hard to pinpoint a single origin. In this post, I explore some of those things and the impact I expect they’ve contributed to. Here they are in chronological order for when they started.

Relationship with Reed

Reed is a difficult person. He is also, hands down, the best partner I could think of for myself. He is extremely predictable, self aware, and invests heavily in a few choice things. Our lives together are one of those choice things, which means I can offload a lot of cognitive overhead about home, bicycle, self, etc care to him and it gets done better than I’d bother doing it myself. Reed can also be incredibly selfish (again, in a self-aware way). He has the most attuned sense of what “enough” is of anyone I’ve met. He sets goals for what he would like his life to look like, and when those goals are met, he enjoys the fruits of his labor.

Being around this as the main touchpoint of human interaction in my life (we are romantic partners, co-parents, and dear friends) means some of this has rubbed off on me. I have always had high standards, but now I am more comfortable doing something myself or with others than dragging along someone who is struggling in a non-self-aware way. For most of my youth, I had a strong savior complex, which I have worked on overcoming for years. Both my work with GWOB and my relationship with Reed have helped me truly wrap that up. Perhaps too far in the other direction, but all things are oscillations.

Working at Apple

While most of the individuals I worked with at Apple were truly lovely, the company itself has a culture of extreme arrogance. Success has gone to the proverbial head, and it seeps into everything. Even the hiring process is terrible because the recruiters know having Apple on your résumé is life changing (or was, before this market, phew), and that people want to work there regardless of other factors. Every chance I had to be more collaborative, I tried to take, and I was (mostly politely) redirected to try to find other paths.

I remember trying to explain that an executive coming up with a problem statement that then a bunch of brilliant people came up with in-depth responses to individually, which then the exec picked “the best of”, and then program managers doled out the work was not actually “collaborative” but a process diagram instead, and it fell on deaf ears. 5 years of that, and not being able to talk to other people about it, sure did a number on me.

Becoming a Parent

I gave birth alone via emergency c-section after a very scary night. Covid meant no guests unless you were in labor, and because I was two months early, they were trying to stop the labor and so wouldn’t admit me as such. After a month in the NICU, we brought Locke home only to discover that Reed had severe misophonia related to infant screaming, and so then I was on the hook for taking care of two creatures who couldn’t fend for themselves and were actually often at odds with each other’s needs. Our agreement that Reed was going to be the stay-at-home parent exacerbated this because it made asking for outside help at odds with our goals and plans. It was the worst 18 months of my life. And in part because Reed is already a difficult person, my care network saw this as a personal failing on his part rather than a disability, which led to even more long-term issues.

This also led to some extreme division of labor — Reed still wanted to help out, but it needed to be in discrete, scheduled chunks that he could prepare for. Which was good in some ways because it meant I got clear time off, instead of always being “on.” However, that shifted us away from the collaborative, flowing parenting style we now actively and intentionally implement.

While I’ve done deep therapy around all this and mostly moved past it, I still have a trauma response to some things, and repairing other relationships is still taking significant effort. Going through this also deepened my relationship with Reed. Now, when something is difficult, we know it’s not as difficult as this thing we did that one time.

Being on Testosterone

I love being on testosterone for many reasons, and have also already highlighted the ways it has shifted my experience of the world in ways I’m less of a fan of. I have a shorter fuse, less empathy on the surface, and less patience. I take up space more now than I used to, and focus less on making space for others. The first I don’t think is a bad thing — I deserve just as much space as anyone else, it’s that now I’m expecting to get it. And I haven’t figured out yet how to balance taking space for myself with my old habits of taking space for others as well. Whether that’s because of an actual biological reaction or “just” the validation, who knows.

Where I am now

Who knows how much any of these, or collection of these, led to my brain issues worked on last year. But I am now less warm and collaborative than I used to be. I miss it, it was aligned with how I’d like the world to be and for people to treat each other. I’ll keep working to be warmer again.

Again, I’d love your insights into how I’ve changed, and how that has impacted our relationship, for my birthday this year. And I have yet to talk about all this with my therapist, so who knows what will change about it as I continue to explore.

Oh yeah, I guess we also went through the collective trauma of Covid in that time, too. That matters as well.

Let them take the risks they can afford

The title is one of the few pieces of advice my mum gave me about child rearing. It came through pretty clearly in how she and my dad raised me — I’ve even got a tattoo about it, and how it’s not just about parenting but also my approach to security. I’m lucky that Reed and I are also well aligned on this front. Sometimes other parents are pretty aghast at how far away we let Locke get from us, how we let him do mildly dangerous things. Here’s our reasoning: the kid is going to have a bad time while learning, at some point (getting burned on something hot, getting separated from us, etc), so we may as well control as best we can the first time that happens. That’s different than how others approach it: using their control to prevent it happening, such that when it inevitably does happen, it’s when they’ve lost control, and then it can be truly bad.

Here are some examples of our approach.

The stairs he’s allowed to fall down

Our house is a split level, so while it’s two stories high, we have 4 sets of stairs. Some of them are quite steep. So Locke was going to fall down stairs at SOME point, and we wanted to decide which set of stairs that would happen on. Thankfully, we have two steps between two rooms in our house. Yes, it’s on hardwood, but it’s the shortest set we have. So when he was learning to crawl, we decided that was the set of stairs he was allowed to fall down. We did safety protocols around the other sets of stairs, but none around those. He fell down them. He cried. We comforted him. He is now incredibly confident around stairs.

How Locke got down stairs for most of his childhood, after falling down 2:

Getting lost

As Locke was learning to walk, we took him to the zoo a lot. There’s a lot going on there, and lots of space to explore. But it’s also pretty well contained, full of other parents, and there are protocols in place for lost kids. What a great place for him to get lost! The first time he wandered away on his own from Reed (I wasn’t there), Reed discreetly followed him for a while. Locke eventually realized he wasn’t near Reed anymore and didn’t know where he was. He had a whole Experience, which Reed let him have for a bit, and then went to him. There was a lot of validating feelings with “you couldn’t find me, and it was scary!” instead of focusing on Reed not being able to find Locke. Now Locke knows it’s on him to know where we are, and to stay as close as feels necessary.

Do we still keep tabs on him? Of course! But if he runs off for a bit, we have high confidence that he’ll return when he needs us.

Hot things are hot

No matter how many times you tell someone about how something might hurt them, usually folks have to experience it directly before really believing it (this is not just about kids). So while we tell Locke when something is hot or dangerous, we also still let him do things like pour hot water for his tea. Recently, he burned himself on the kettle while trying to handle it. Of course we comforted him about it and made sure it got the treatment the (very mild) burn needed, but we also didn’t fuss about it much more than that. He had learned a lesson by taking a risk he could afford.

Collaboratively building a service catalog

As our AppSec team matures, we’re defining our processes and expectations. One of the next things for us to try out is a Service Catalog, where we list what sorts of services we can offer to other teams. Having one is a tool to allow us to plan our work, get better at the work we’ve decided to focus on, and be better partners to engineering. But what should such a catalog look like?

Collecting potential offerings

  1. reviewed the last 10ish requests that came to our team through our various intake portals, classified the request types, where the work happened, and what the output looked like.
  2. put together a form for my reports to continue tracking incoming requests while I was out for a week (yay taking time away!)
  3. hosted a whiteboarding session to collect all the different services team members wanted to offer.

We then took that pile and voted for things in two ways — items that had a deep security impact, and items we thought we were set up for success for. We picked the top 6 and moved them onto the next phase.

Can we handle this?

Wanting to provide a service is one thing. Handling the incoming load is another thing entirely. Luckily, GoFundMe is a pretty transparent company, and I was able to get my hands on the full set of projects Engineering hopes to work on this year, along with what area of focus they’re in (Keep The Lights On, tech debt, new business, etc). For a back-of-the-napkin sketch of commitment load, for each of our offerings we sketched out

  1. How much work it would take us to get into a “refined” spot
  2. How much time we thought we’d spend per instance once in that refined spot
  3. How much coverage we wanted humans to be doing (combination of “most risky 10%” and “automation should handle 30% of this workload for us”)
  4. Which types of projects we thought the offering applied to

I did some spreadsheet magic to generate how much time per sprint we’d end up spending on each of the offerings. In this discussion, we realized one offering was something we wanted to improve our capacity around, but didn’t want to officially offer as it being needed would indicate we had failed to catch something earlier in the lifecycle. Ends up we can handle it, even if we’re wildly successful!

Fitting into the flow

Then it’s a matter of ideal time to offer our services for each of these projects. So we’re setting up automations to detect when a project moves from one phase of our Product Lifecycle to another, so we can proactively reach out.

I’ll also need to shop the catalog around to our partners to be sure we’re offering things that make sense to them and that they see the value in.

Being explicit

We’re now working on being clearer about what each of these offerings means, how to request each one, etc. So far, I think the following are the important bits of information:

  • What it is, and which part of the Product Lifecycle it aligns with
  • What an output looks like and where it lives
  • What to expect (from a human; from AI)
  • How to set yourself up for success
  • Specifics to add to our backlog

Metrics

From all this, we can

  • occasionally track how much time we’re spending on these items
  • measure hit rate of how many projects we covered
  • be intentional about what we’re automating
  • track coverage of security touchpoints across projects and add that to our overall risk assessment

Celebrations and Death

I’ve been dealing with a lot of death lately. And while it’s just a part of life, it sure does start to make one think after a while. So I’m using my birthday as processing time, as I am wont to do. I’m test running my death infrastructure for my birthday this year, and requesting notes from folks.

If you can see this message, it’s because I would want you to be aware of when I die. THIS IS ONLY A TEST — I am fine, everything is good, I’m just an elder goth now and I like to plan everything, even death. 

This is an experiment with bureaucracy and documentation. As you know, I love LARPing Serious Business. I am doing a test run of the systems that would announce my death to the many beautiful communities I’ve had the honor of being a part of. If it was logistically difficult to get this message, when you’d want to get it, let’s improve that process — reach out. If it was emotionally hard for you to get this message, this event is probably not for you, and I’d love to see you in another context some other time soon.

On April 18th at 16:30 PT / 19:30 ET, I’m hosting a time to talk about preparing for death (not dying — they’re different. We’ll talk about ceasing to exist, not how you want to be treated while going through a however-long process of getting there). We’ll take about an hour to talk through digital estate planning (a passion of mine), and then we’ll also have some time to talk about any feelings folks might have had about thinking about death. We’ll be at this link at that time.

Selfishly this year, I’d also love notes about what we mean to each other. One of the things that’s come up time and again at the wakes I’ve been attending is wishing to have said some things before the option was no longer there. Let’s say those things to each other. I’m not looking to be shrouded or to do a mock service, I’m looking for open and honest views of who we are together. Roasting, power points, and poetry all lovingly accepted. Email to me, please, so I can label and revisit.

You do not have to do both, or either, if they’re not your cup of tea.

If you would prefer to learn about my death from an email instead of a social media post, please get me your email address and I’ll add you to the mailing list. That will be posted to before social media posts go up.

Looking forward to being inappropriately morbid with you. 

[un]prompted review

I’m excited to be going to conferences again, after 5 years of not really doing any. I like the thrum of so many people in one place, conversations with random folks in the lunch line, and seeing old friends. The one I went to this week was [un]prompted, about the overlap of AI and security. I saw some tried and true exploits brought to new scale with AI, and I heard about a lot of potential routes to securing existing code bases with AI. I also saw a fair amount of what I’d call “put a bird on it” approaches to AI.

I’m walking away with two big questions (beyond the preexisting “where is all this energy coming from?” and “how does wealth redistribution work with these new models?”), one about complexity and the other about trustworthiness.

What complexity is worth taking on?

Mudge, I think somewhat famously, long ago pointed out that exploits were happening nonlinearly, becoming more likely the larger and more complex a codebase became. In contrast, the exploits themselves were remaining steadily small. So one of my sniff tests now for how load bearing a system can be has to do with how complex and tested it is.

The technical talks I saw at [un]prompted had to do with increasing complexity, not decreasing it. They pile MORE layers on, they don’t remove the unknown or unnecessary. The closest I saw to removing complexity was analysis of proliferated documentation to come up with a summary and a (new) single source of truth. I’d like to see more adventures in “cheap” refactors that simplify and streamline code bases.

I’m the vendor now

The conference organizers did a fabulous job on many fronts, but they did not do a good job of stopping sales pitches from happening on stage. So many of these amounted to “your vendor for $thing is slow and doesn’t meet your needs, but ✨our AI can solve this for you✨” which is just so boring. 

Beyond being boring, however, I truly wonder how we can trust any of these providers to not inject backdoors (intentionally or otherwise) when their values so clearly scream that they’re open for business on every front. So saying “hey just ask for what you want and trust the outputs!” seems shady AF. And if we do what some suggested, of making agents fully autonomous, we wouldn’t ever have cause to pause and reflect (let alone catch) this happening.

What I am interested in using these things for

I’m interested in reviewing code humans don’t have time for. Several of the better talks shared the goal of complete code coverage. I’m also interested in putting in guidance and nudges towards doing better work (either from humans or from robots), rather than adding layers on other layers. I’m interested in help for what we know needs doing, and investigations in formats that humans are bad at and machines are good at.

From this conference, I’m now prepared to spend even more time on evaluation than I expected to (50% after baseline systems are in place). And I have new ways of talking about where to interject to inspect the system instead of just trusting it’s working.

I now have more supporting evidence for continuing to think that a workflow or premise needs to be figured out before automation, which happens before AI tooling. And that organizational structures need to allow for this happening at a deep layer, not as something that gets tacked on later as an afterthought.

It also seems like we’re moving away from “zero click attacks” towards “zero user intervention attacks” – what can we get agents to do without you noticing?

Decision Making and Economics

I have this Future Shape in my head and in my heart, that I’ve long meant to share, but haven’t quite known how. I met Asya, and we got into a good conversation, and so now seems as good a time as any to talk about it. She helped me flesh this post out with more detail and deeper dives.

I don’t think there’s one solution when it comes to what economics style we should have, or what governance should look like. Like I drafted way back when, a “mixed mode system” is where it’s at instead.

Decision making

Distributed systems are good at last-mile logistics, nuance, and fast decision making. They are not good at doing simple things at scale. So for actual implementation and innovation, I think distributed networks are where it’s at.

Hierarchical systems are good at making simple decisions at scale. So good for North Star guidance and things you want to take a socialist approach with. That might include assurance of human-rights-shaped things like

On not being enough

The world has been offering ample opportunities to test my newfound comfort with being uncertain about if I’m “enough,” if I’m “adding value,” etc.

There’s this thing my favorite old therapist introduced me to, of “unanswerable questions.” It’s like.. no matter how much data you get about people loving you, you’re still like “guess we’ll never know if I’m lovable or not.” Mine has long been about if I’m bringing value or not, which has put me at risk of abusive relationships as I’m easy to tear down in that way. But I’ve been working hard on therapy and on self-love, and I think I’ve come a pretty long way on this front in recent years.

My first glimpse at doing better at this was getting feedback while at Apple that I was successfully selecting which things to half-ass and which things to full-ass. After all, we can’t get all the things done all the time, and some things only need some of our attention. Sometimes, our full attention can actually be detrimental to a project, and can inhibit others’ ability to grow.

But on Sunday February 15th, I had two things happen, either of which might have previously completely destroyed me, and now I’m just kind of fine with both having happened on the same day.

So you want your own surveillance…

Mark wrote up this piece that is relevant to our neighborhood, but didn’t have a good spot to post it, so we’re sticking it here.

Very understandable. I had a random person walk into my backyard a few months ago, uninvited and unwelcome. That made my family want a little more visibility into our home when we were not there or when our kids were home by themselves. So I’m with you. Let’s get cameras. There are so many cameras, and systems, and oh my! What to do?

Considerations

Coming from a family of alcoholics (4 months in)

This is the second of three checkins during 6 months of not drinking. The first was written 2 months in, this is being written 4 months in.

Things that have changed since last checkin

I’m pretty happy just not drinking. Sure, there are times and days that it would be really nice to crack open a cold cider, but I’m actually doing pretty well not drinking. The bees mentioned in the first post have subsided in most cases, and been dealt with in other ways for the other times. It’s nice.

Mother in law found a great NA wine that doesn’t just taste like fruit juice. It’s still not good wine, but it is tolerable for a mild wine snob to have a treat.

The data

Overall, I’m getting more of what I want out of not drinking. While this data is skewed because I knew I wasn’t getting everything I wanted out of my relationship to alcohol before this experiment, it’s still wild to see the move from 15 to 40% in a positive experience, and to even see a “strongly positive” experience show up a few times.

My beloved Lantern Library

Many years ago, I was carving jack-o-lanterns in an anarchist house in the Boston area. The friend who had invited me wandered over and suggested we check out the basement. Not my favorite for Halloween times (I don’t enjoy being scared), but this friend is gentle and so I went with her into the aforementioned basement.

It was full of books.

And this was not a small basement.

Shelves upon shelves of radical literature.

And then I met James, the person who had compiled the library. When the anarchist who owned the house had moved away, they had said folks could continue living in anarchist glory in the house, so long as James could also remain there. James was maybe in his 70s when I met him, and had been collecting and organizing books during his tenure at the house. They were organized for radicals — different flavors of anarchism, different ways capitalism fails, lots and lots of ephemera.

But James knew he was getting older, and he wanted his collection to survive him — not just the books themselves, but also how well organized they were. So I tapped into my network and we found some passionate open source folks and librarians who wanted to help index the library. We got all the books scanned so James could offer the library up to a new home as one collection.

James took his first ever selfie with me while we were doing this. He’s dear to my heart.

He’s found a new home for the collection. But shipping books is expensive. So James is doing a fundraiser to get the books to their new radical home where radical folks can make use of his decades’ worth of work.

If you also want to touch this amazing resource, and help it on its way, you can do so here.