
Lea Kissner

@leak.bsky.social

Security, privacy, respect. Was the Twitter CISO until it was terrible. Now LinkedIn CISO. they/them

7,908 Followers  |  93 Following  |  723 Posts  |  Joined: 28.04.2023  |  2.1301

Latest posts by leak.bsky.social on Bluesky

Dashboards are a curation of sharing information, not the choice on collecting it, which may be made differently.

(And in the case of information about people it is way more complicated)

28.01.2026 16:14 — 👍 1    🔁 0    💬 0    📌 0

bsky.app/profile/leak...

28.01.2026 16:08 — 👍 2    🔁 0    💬 0    📌 0

I swear I have something I want people to do when they read the post! I want people to think through that question when they share information.

Honestly, good dashboards have helped me get so much done, especially wrangling an entire company at once.

28.01.2026 16:04 — 👍 4    🔁 0    💬 0    📌 1

This is my biggest pet peeve about dashboards: what is someone going to *do* when they get this information? If it's "be informed" that's the same as saying "nothing" and why did you even bother?

28.01.2026 15:48 — 👍 21    🔁 6    💬 4    📌 1
Screenshot of a text message:
Phone rings.  Answer.  "And if she asks for more wipes, I don't know what to say.  Oh.  Hello.  Hi, I'm looking for the Chief Information Officer of Lacework?"

Me: "I honestly don't know what to say.  This is the wrong number for that."


I have no idea what this person wanted when they called my spouse, but if they ask me for more wipes I also do not know what to say.

23.01.2026 01:36 — 👍 18    🔁 0    💬 0    📌 0

Not trying to shame the vendor so I left out more identifying statistics.

14.01.2026 01:18 — 👍 5    🔁 0    💬 0    📌 0
Purple gradient paper with yellow box, blue caution sign, and text "Breach Reduce likelihood of beach to 5% With automated IAM"


A security vendor sent me a pile of paper with many statistics where [citation needed]. For instance.... Why does automating IAM reduce the likelihood of a breach to 5%? From what? And how is that independent from, say, use of passkeys or auto-escaping templates?

14.01.2026 01:18 — 👍 16    🔁 1    💬 2    📌 0
Preview
ALT: a person's finger is pointing to a book titled "hundertjahrgeschichte"

The other masechot and the Yerushelami are on the overflow table 😁

12.01.2026 19:42 — 👍 1    🔁 0    💬 0    📌 0
Preview
long-time nuclear waste warning messages. Canvas Print Metal Tin Sign Vintage 8x12 Inch

I can't find the original artist anymore, but looks like this

www.amazon.com/dp/B09XGS7DV...

12.01.2026 17:32 — 👍 1    🔁 0    💬 0    📌 0
Post image

The pink-ish background watercolor is a golem named Emmett (which is a pun) who has a security blanket. Also a pun.

There's a very cool piece of Twitter artwork.

The turtle is a gift from a coworker in the Bangalore office.

12.01.2026 17:16 — 👍 5    🔁 0    💬 0    📌 0
Post image

Over on the other wall is a card with messages and sketches like "this place is not a place of honor" and "the danger is still present in your time as it was in ours" from a project to figure out how to label nuclear waste. Also heavily memed.

en.wikipedia.org/wiki/Long-te...

12.01.2026 16:27 — 👍 7    🔁 0    💬 2    📌 0

Weirdly the USPS took down their page about it, but the little frame has a Women Cryptologists of WWII stamp

www.nsa.gov/Press-Room/N...

12.01.2026 16:27 — 👍 4    🔁 0    💬 1    📌 0
Preview
The Codebreakers - Wikipedia

The writing with a key over it is the first known poem written about cryptography, beginning "Il nest plus rien dessous les Cieux/ Qu'on puisse caches à tes yeux". I got it from The Codebreakers, which is eminently worth reading.

en.wikipedia.org/wiki/The_Cod...

12.01.2026 16:27 — 👍 4    🔁 0    💬 2    📌 0
Preview
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!) The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...

The knife has my password on it. The Google security leaving tradition is that (if you agree) people will try to steal your password. If they succeed, they engrave it on a knife.

Someone on my team had to own the user-facing account system to get mine!

bughunters.google.com/blog/the-gre...

12.01.2026 16:27 — 👍 4    🔁 0    💬 1    📌 0
Preview
John Snow - Wikipedia

The big map is how John Snow figured out that cholera is water-borne not spread by miasmas. He's considered the father of modern epidemiology.

en.wikipedia.org/wiki/John_Snow

12.01.2026 16:27 — 👍 4    🔁 0    💬 1    📌 0
Post image

The oldest customer service complaint: the tablet of Ea-Nasir (top left)

If you haven't heard of this yet, it's partially delightful for the rich trove of memes. Rich. Trove. I cannot explain how many memes over the last few decades.

en.wikipedia.org/wiki/Complai...

12.01.2026 16:27 — 👍 3    🔁 0    💬 1    📌 0
Post image

Progress in my ongoing effort to decorate the wall behind me with something other than stacks of books. 🧡 for the fun stuff

The round thing is the Incident Hat/Bad News hat. I can't remember if I've told this story here, but basically I trained several companies to be scared of a hat instead of me

12.01.2026 16:27 — 👍 15    🔁 0    💬 3    📌 0

I'm speaking as someone with a very limited diet here, so I can't buy commercial jam, but chia seed jam is both easier to make than the normal kind and has more fiber/protein (and probably some random nutrients that I'm not getting somewhere else). It tastes perfectly fine and it's easy 🤷

12.01.2026 15:04 — 👍 2    🔁 0    💬 0    📌 0
Preview
PEPR '26 The 2026 USENIX Conference on Privacy Engineering Practice and Respect (PEPR '26) will take place on June 1–2, 2026. PEPR is focused on designing and building products and systems with privacy and res...

Folks in privacy engineering and related fields, it's PEPR time again -- submit talk proposals about topics related to designing, building, and understanding products and systems which foster privacy and respect. I'm looking forward to seeing your talks!

www.usenix.org/conference/p...

07.01.2026 22:57 — 👍 10    🔁 7    💬 0    📌 0

Zoom has customers who *really* like phones. Anecdotally, based on which customers were yelling at me, I would particularly say lawyers and banks, but sometimes connectivity is just bad, especially when people are traveling, and phone is what they've got.

07.01.2026 20:34 — 👍 4    🔁 0    💬 1    📌 0

The Zoom people were legit surprised when I explained that their "end to end" security wasn't. Now there's a setting to turn it on -- not everyone should turn E2EE on, though. For example, if you need to call in with a normal phone, E2EE won't work because phones don't do that.

07.01.2026 20:26 — 👍 7    🔁 0    💬 1    📌 0

I'm using the app 🤷

05.01.2026 00:42 — 👍 0    🔁 0    💬 1    📌 0

It started dubbing French shorts for me, but not Hebrew, so either it does a bad job of assessing fluency or it doesn't have full language coverage

04.01.2026 17:27 — 👍 1    🔁 0    💬 0    📌 0

It dubs and I haven't checked on desktop so I haven't messed with the URL

04.01.2026 17:10 — 👍 1    🔁 0    💬 1    📌 0

I know perfectly well there are bilingual people at Google, so what were they thinking by having YouTube automatically translate videos with no way to turn it off? Thank goodness they haven't managed to translate every language yet, so I can coherently watch at least some non-English videos

04.01.2026 16:00 — 👍 25    🔁 1    💬 4    📌 0

In this particular case it did work out for our customers on a security level, but given how many security breaches are coming through dependencies these days, I have an awfully hard time thinking it's fine enough, personally.

02.01.2026 13:36 — 👍 0    🔁 0    💬 1    📌 0

I promise I pay more for better security and reliability. Feel free to ask my finance partners on this point. 😆

Honestly I would strongly suspect it ends up costing us less. Incidents are *expensive*.

01.01.2026 20:53 — 👍 0    🔁 0    💬 1    📌 0

One big worry is sales tools. They have to have access to the sales data in order to function... at which point you have to trust them to have that access. You can monitor, but there has to be some trust there.

01.01.2026 19:59 — 👍 1    🔁 0    💬 0    📌 0

I don't know how one can comprehensively "solve" 3p security in virtually any company. At some point you've got to trust a bunch of people -- have employees in France? You'll need to pay taxes there and the software doesn't even support SSO.

01.01.2026 19:59 — 👍 1    🔁 0    💬 1    📌 0

:lolsob:

To be fair, they're very useful for certain things. This isn't it.

01.01.2026 19:31 — 👍 1    🔁 0    💬 0    📌 0
