Tim

@helloitstim.bsky.social

Infosec, software dev, politics, puns. 🇿🇦 living in the tiny land of tall people.

21 Followers  |  119 Following  |  11 Posts  |  Joined: 17.08.2023  |  1.8242

Latest posts by helloitstim.bsky.social on Bluesky

Who's asking for these features? Show yourself!

25.07.2025 20:46 — 👍 6    🔁 3    💬 1    📌 0
In Praise of “Normal” Engineers This article was originally commissioned by Luca Rossi (paywalled) for refactoring.fm, on February 11th, 2025. Luca edited a version of it that emphasized the importance of building “10x engi…

I just released my edit of "In Praise of 'Normal' Engineers": why the best engineering orgs in the world are the ones where ✨normal engineers✨ can consistently move fast, ship code, fix shit, help their users, and move the business forward...a little more, every day.

charity.wtf/2025/06/19/i...

19.06.2025 17:22 — 👍 129    🔁 31    💬 4    📌 5

An astronomy professor colleague of mine once relayed trying to explain to his students why it was important that they actually write their class reports themselves. “The point is not to teach ME about neutron stars,” he said.

15.04.2025 12:18 — 👍 5311    🔁 1326    💬 43    📌 28
I fought a DDoS and lived to tell the tale Episode 1 - A Developer's Saga

"I fought a DDoS and lived to tell the tale" is one of my favourite blog posts. It's been many months since I read it, but I remember it whenever I think of WAF. Give it a read; I promise it will be worth it.

open.substack.com/pub/funkbyte...

30.03.2025 11:38 — 👍 7    🔁 3    💬 0    📌 0

Corollary: ICs who believe that AI can replace middle management think that it would result in them having more power and freedom, not realizing that it would mean taking an infinite stream of vibes-driven AI-generated tickets from their exec overlords

18.03.2025 17:33 — 👍 55    🔁 8    💬 1    📌 0

Hypothesis: The belief that AI can replace middle management is actually the wish of execs who never gave up on "command and control" models of leadership and just didn't feel able to execute them at scale, but now believe that the machines will allow them to do so

18.03.2025 17:04 — 👍 147    🔁 29    💬 5    📌 8

Thank you this is really helpful

07.03.2025 16:23 — 👍 1    🔁 0    💬 0    📌 0

Every tech company* has platform teams trying to build:

1. Heroku, except hand-rolled
2. One giant shared database, so engineers can ignore analytics without consequence
3. If they have a monolith, microservices. If microservices, a monolith
4. A solution to the halting problem

* Hyperbole. I hope

05.03.2025 22:24 — 👍 446    🔁 94    💬 23    📌 16

# avoid the nightmare bicycle

03.03.2025 22:31 — 👍 127    🔁 39    💬 6    📌 2

Does this include updating old/vulnerable dependencies? Also, what happens if the signal from the analyzer is a high quality one?

As a security engineer I avoid wasting dev time on low quality findings, but there’s also the challenge of just enough upkeep to avoid incident-inducing problems

30.01.2025 06:10 — 👍 0    🔁 0    💬 0    📌 0
Is your PIN code among the first ones hackers are likely to try? The ABC analysed 29 million stolen codes to help you avoid using an insecure one.

This is such cool analysis of PIN in @haveibeenpwned.com's Pwned Passwords. Scroll through the page and watch the heat map change alongside the explanations of how people are creating (somewhat) predictable PINs: www.abc.net.au/news/2025-01...

27.01.2025 22:37 — 👍 83    🔁 36    💬 4    📌 2
Graph showing that programmers who introduce more files tend to have more of those files changed by others. Duh. But also there is variance above and below the trend line.

I'm not anti-metric. I'm anti metric abuse. Data mostly asks questions, not answers them. Here's an example of using data to ask questions about who are influential programmers on a project. tidyfirst.substack.com/p/measuring-...

27.01.2025 17:29 — 👍 47    🔁 9    💬 6    📌 2

Always do this prior to going through a security checkpoint or interacting with law enforcement

25.01.2025 23:46 — 👍 97    🔁 31    💬 2    📌 0

Angertainment is a great way to describe the emotional experience most social media platforms are optimizing for.

17.01.2025 19:33 — 👍 5461    🔁 692    💬 165    📌 62
Passkeys: they're not perfect but they're getting better Passkeys are the future of authentication, offering enhanced security and convenience over passwords, but widespread adoption faces challenges that the NCSC is working to resolve.

Today at NCSC we published two blogs on our position regarding passkeys - the first is below (links to the second) - they are our future, not perfect but getting better..

.. call to action within!

www.ncsc.gov.uk/blog-post/pa...

15.01.2025 09:58 — 👍 20    🔁 6    💬 2    📌 1

This is what frustrates me most about AI companies with opaque language about what they do with data sent to their models - it opens very genuine questions about the ethics of pasting material into the bot to get a summary or explanation

04.01.2025 23:19 — 👍 105    🔁 11    💬 3    📌 0

who is this for? that's what I can't wrap my head around - who wants to follow someone who's not real, and is posting about their regular day to day life except none of it is really happening? who is this *for*?

03.01.2025 11:01 — 👍 591    🔁 118    💬 38    📌 6

This is well worth a read.

02.01.2025 00:21 — 👍 69    🔁 5    💬 9    📌 0

Thanks for this, very timely as we’ve experimented with magic links, will definitely check out those links and experiment with passkeys. Always been hesitant about passkeys due to transferability issues, with magic links it’s a great match.

02.01.2025 16:09 — 👍 2    🔁 0    💬 0    📌 0

TIL how easy it is to ask curl to dump TLS session keys to disk 🛠️

Simply set the environment variable `SSLKEYLOGFILE=/path/to/file` 😅 Note: it also works for Firefox and Chrome

Extremely useful when combined with Wireshark 👍

20.12.2024 11:35 — 👍 134    🔁 36    💬 6    📌 0

😂 Oh boy I came here to write exactly this, the pain…I imagine there is some supposed sales logic here, but I have no idea what it is.

23.12.2024 16:59 — 👍 2    🔁 0    💬 0    📌 0

This is the way

21.12.2024 13:22 — 👍 8    🔁 0    💬 0    📌 0

Example: Companies pay big bucks for all sorts of tools that run on desktops, mail systems, servers, etc. instead of deploying FIDO authentication to eliminate password phishing entirely.

The basics are still the basics. But we're in an industry built on misplaced fear and hacklore.

20.12.2024 16:32 — 👍 10    🔁 3    💬 0    📌 0

I don't want a video! I want a text writeup! I don't want a video! I want a text writeup! I don't want a video! I want a text writeup! I don't want a video! I want a text writeup! I don't want a video! I want a text writeup! I don't want a video! I want a text writeup! I don't want a video! I want a

19.12.2024 20:51 — 👍 4256    🔁 948    💬 104    📌 126
“Founder Mode” and the Art of Mythmaking I’ve never been good at “hot takes”. Anyone who knows anything about marketing can tell you that the best time to share your opinion about something is when everyone is all worked up about it. Hot …

The best response to “Founder Mode” that I’ve seen: charity.wtf/2024/12/17/f...

Thank you @mipsytipsy.bsky.social

18.12.2024 19:56 — 👍 1    🔁 0    💬 1    📌 0

Any roles open in the Netherlands? Looks like some great opportunities.

10.12.2024 08:22 — 👍 0    🔁 0    💬 1    📌 0

I’m enjoying the fact that the prevalence of AI tech is leading people to ask “what _should_ our tech do for us?”. Should have been asking that all along….

07.12.2024 18:59 — 👍 0    🔁 0    💬 0    📌 0

If you’re using an iPhone, the likelihood of that being compromised compared to a computer is way less, so yes to your original Q. However as you’ve pointed out, if you have both on the phone then the same risk is there, just lower. Safest is to never have both on the same device (and take the UX hit).

07.12.2024 18:55 — 👍 2    🔁 0    💬 1    📌 0

If you think of risk as likelihood and impact, the impact angle makes this risk go up a lot as popping your 1Password now means insta access to everything. Which is what MFA tries to prevent…as someone else has said, I do it for low value accounts, where I’m ok with that trade-off.

06.12.2024 21:06 — 👍 0    🔁 0    💬 1    📌 0
Cybersecurity Isn't Special This blog post explains why cybersecurity shouldn’t be a special stream of work in organizations, and presents opportunities for security programs to become more constructive and less gatekeepy.

greetings gentleblues, I bring you tidings of hot takes and shade

my new post discusses why cybersecurity isn’t special (nor should it be) kellyshortridge.com/blog/posts/c...

plus eight opportunities for security programs to become constructive vs. constrictive

13.12.2023 15:46 — 👍 21    🔁 10    💬 1    📌 0
