Here is Jesse's piece for those that missed it. blog.fsck.com/2026/01/30/L...
12.02.2026 19:00
I was inspired by @s.ly 's recent piece on Latent Space Engineering. I wanted to see if his observations also applied to the security domain.
What started as a small experiment turned into a full blown agentic AI benchmark that I'm releasing as OSS at 1Password.
1password.github.io/SCAM/
Getting phished is both scary & humiliating, and with AI it's happening more often.
As we've said, the long-term answer is passkeys, but not everyone uses them. Today, 1Password is shipping a deceptively simple change that massively improves the situation for passwords.
1password.com/blog/as-ai-s...
Great news for all who depend on a Ruby ecosystem that's healthy and secure.
17.10.2025 17:27
Good news for the Ruby ecosystem.
RubyGems now has the same governance as Ruby itself. Matz and Ruby Core as stewards.
If Ruby Core has authority over where gems (by default) install from, this alignment makes sense.
Viva la Ruby!
www.ruby-lang.org/en/news/2025...
The reason legal stuff is so important when first setting up entities is that's when everyone is in alignment and there are smiles all around the table.
Once that's gone, it turns into a knife fight and it becomes impossible. Now courts will need to ultimately litigate.
Let's be clear: this post shows that operationally, this whole setup is a mess. You have creds all over the place, a confused OSS manager, and no clear cut docs that establish clear ownership. No IT inventory.
Ruby Central and Ruby Together set this up to only work if everyone perfectly got along.
Arko in this post says he's in control of a second 1Password account. One thing he should do is check if he's the only owner. If he is, no one can evict him and regain the account.
IMO he should have disclosed this access to them in his original email, esp if it's how he got AWS root access.
I got so excited thinking about banana splits that I typoed!
03.10.2025 19:02
Congrats, I can't eat banana splits nearly that fast, but I have a similar heart rate though.
03.10.2025 18:54
I am so excited by this feature.
developer.1password.com/docs/environ...
Yep, became a member last year, and yes, I was at Rails World and spoke about passkeys.
30.09.2025 22:10
A great start for Andre is to sign an affidavit attesting he didn't abuse his access to the systems or retain any PII from that access, either during his contracted employment or afterwards. That would be a great start to rebuilding trust.
30.09.2025 22:09
Andre is entitled to have an IP dispute.
What I won't do is watch silently as he erodes the public trust in the only legal entity capable of running all of Rubygems.[org] so that he has a monitor advantage in the IP dispute. That's an existential threat to the Ruby community.
How do you know Andre didn't use it? You continue to assert things you can't possibly know. I truly hope he didn't use it and I hope Ruby Central investigates to make sure.
I also hope he didn't retain copies of any PII. Someone should look into that.
Literally the exact opposite of the definition of responsible disclosure.
30.09.2025 21:52
I frankly do not care (and did not care) about GH repos. What I care about is Arko had (has?) access to prod systems with my PII in it after being terminated & didn't responsibly disclose it by virtue of telling you.
This is all the evidence I need to know something is extremely wrong here.
If I left any company (fired or otherwise) and still had access to prod systems and told them and also told the press or social media about it I would rightfully be permanently unhirable.
I would NEVER do what he just did to my worst enemy. It's just not done.
You are allowed to point it out and deal with the consequences when the full story comes out. It usually always does. You are placing your entire reputation in this community on the line based on incomplete info. Hope you know what you're doing.
30.09.2025 21:34
It is simply no longer relevant if Arko is right or not. The whole ecosystem is at risk and you are contributing to the risk.
If you are successful and Ruby Central can't the service, who exactly wins?
Not anyone. Let's get it functional and deal with this Arko thing when the stakes are lower.
This is a big deal. Ruby Central is running this service and if they fail to do so, it will have dire consequences that far eclipse the minor spat.
I speak for many when I say we need to get Ruby Central healthy. Them failing is a threat to the whole Ruby community.
I agree they should have locked him out right away. Them not doing so doesn't prove they don't think of him as a risk. It shows they aren't prepared to do access revocation. They need help, not mudslinging.
His actions of putting them on blast paint him unfavorably to in-the-know security folks.
> He emailed them to disclose that he still had access.
Yes and then he told you so you can be manipulated into covering it.
I agree it's not great that Ruby Central didn't revoke access. I wouldn't have a job if orgs got that right every time, let alone a resource constrained non-profit.
You have no way of knowing what Ruby Central knows about Arko. How could you possibly know they lied?
30.09.2025 21:06
This settles it. Based on this blog post, I believe Ruby Central acted correctly in parting ways with Arko.
I'm eager to hear Ruby Central's side. Arko is not in charge of RubyGems[.]org. Him using the info of lingering access as a wedge to win in the court of public opinion is clear manipulation.
Clearly not always true, but it's a good sign that you did something right.
18.11.2024 19:55
How can you tell if non-tech leadership understood your tech idea? Their first questions are about patent status.
18.11.2024 19:54
"Shine a flashlight into the soup. If the beam bends slightly, it's properly seasoned."
17.11.2024 23:37
3 things I found are always true when making SaaS.
1. To know what you need to build, you must first build it.
2. A fast and cost-effective way to find and fix bad bugs is to ship them to production.
3. If you're nervous about deploying to production, the solution is to deploy more frequently.
The taste… it's like mothballs coated in chlorine and then soaked in a solution of aspartame and Binaca.
05.07.2023 10:48