The Life-Changing Magic of Six Months

Earlier this year, I read Marie Kondo’s bestselling book, “The Life-Changing Magic of Tidying Up” after reading a review in the New York Times. Her fantastic “KonMari” decluttering / home organization methodology was, for me and many others I know who’ve read it, life-changing. Asking yourself whether an item “sparks joy” and then thanking it for its service if you choose to discard it has had a transformative effect on how I think about the stuff in my space, and has been particularly useful as I whittle down my 1-bedroom-apartment’s worth of stuff into a more reasonable amount for my current studio.

Throughout the book, she directs the reader to embark on their tidying effort “all at once” and “in one go.” I found this extremely intimidating! I have a lot of crap from a decade of mostly living on my own, and there are many ~feels~ associated with said crap. Processing those feels is a lot of work – as Kondo puts it, “The question of what you want to own is actually the question of how you want to live your life.” So “all at once” felt, at times, super overwhelming to read.

Except that when she says “all at once,” she means six months. She only says this once in the whole book:

To achieve a sudden change like this, you need to use the most efficient method of tidying. Otherwise, before you know it, the day will be gone and you will have made no headway. The more time it takes, the more tired you feel, and the more likely you are to give up when you’re only halfway through. When things pile up again, you will be caught in a downward spiral. From my experience with private individual lessons, “quickly” means about half a year. That may seem like a long time, but it is only six months out of your entire life. Once the process is complete and you’ve experienced what it’s like to be perfectly tidy, you will have been freed forever from the mistaken assumption that you’re no good at tidying. (kindle link)

When I got to this passage I breathed a sigh of relief, and I wanted to share it in the hopes that it will encourage others to read her book and go a little easier on themselves in doing so. Here’s to sparking joy!

Bounty Launch Lessons

Cross-posted from Ryan over on Medium.

@magoo and @hypatiadotca

You’re thinking of launching a security bug bounty program where you pay researchers cold hard cash to report their security bugs directly to you.

Great!

But before you write your shiny announcement blog post and collect the precious retweets, let’s do some thinking and build a launch plan so you don’t drown yourself.

You Get What You Ask For

The root cause of many bounty problems is launching too fast. Bug bounties aren’t going to be the right move for every organization when there’s a lot of work that could be spent on the fundamentals. While you should always have security in mind developing software, bounty programs require particular ways of prioritizing work and allocating staff that may not be right for your team right now. Let’s walk through each burden a bug bounty program will bring, and then you’ll be ready.

Before the Bounty

Before you even consider a program, your engineering house should be in reasonable order. A bounty program will always give you more engineering work. It is not a development framework, firewall, network appliance, or other magic security product. It is a program of “exercise and vegetables” that will succeed with care and attention.

Here are the attributes we’ve seen make for successful programs:

  • Reality Check: Do you already have extensive security debt — known vulnerabilities and creaky infrastructure?
  • Triage: Are bugs centralized, tagged, prioritized, and do they generally find an ultimate owner? Are security bugs reasonably prioritized versus their owner’s other work?
  • Culture: Is there an appetite from your engineers to fix security bugs? Do you have leadership buy-in to prioritize externally reported issues, and executive air cover for the PR noise that will come out of a bounty program?
  • Backstop: Who will be fixing bugs with no clear owner, or project manage systemic issues requiring substantial engineering effort?

If you aren’t already treating security issues like you would treat scale issues, you risk creating a new problem. Some teams have used bounties as an instigator to fix these issues, but that’s your own call — it can be a risky move. Having the above items in place is your best chance for success.

Starting Slow

Don’t make the mistake of launching a bounty program in one fell swoop. You do not want public commitments and press haunting you while running headlong into signal versus noise issues and internal engineering drag.

Instead, design your launch properly.

Minimize the scope so that you’re only receiving reports for areas you are confident are more robust, have lots of room to mitigate issues, or are under active development and able to make changes with the most agility. Grow the scope as you become confident until your program has broad coverage.

Start with lower bounty amounts to keep things lower-stakes. Increase the amounts as you become confident, until you’re competing with going rates in your industry.

Invite high-quality researchers in a private program so you’re not suddenly following up with a horde of mixed-quality researchers. As your spikes become lulls, start inviting more researchers until the program is public.

Having a project manager onboard to attach milestones to your program rollout can be very helpful, for example “Full scope within 3 months” or “$1k bounties by EOY”. It’s all a matter of your own pace.

Running Smoothly

The bulk of the work of running a bounty program can be broken down into the following parts: triage, engineering fixes, and public communications.

Incoming bugs will need initial triage for signal. Submissions will include product misunderstandings, disagreements on risk trade-offs and best practices, and your standard OWASP Top Ten bugs. Reputation systems can be an important tool to keep noise under control, and give the folks running triage a good metric for how much to dig into a particular bug.

Having security and non-security engineers collaborate on first level triage can be a great way to promote awareness and empathy towards the security mission. As your security team grows and specializes, you’ll likely move from an all-hands-on-deck rotation to dedicated triage, with higher level triage going to engineers who are closer to mitigation.

Contracting can also make sense for initial triage. Budget 2–5 hours per week for first level triage for a startup with a small attack surface, or work out a per-bug fee with a reputable vendor.

Be wary of burnout when it comes to triage, particularly if one person ends up handling most or all of it. However you handle triage, whether by collaborating with non-security engineers, sharing a rotation, or contracting it out, it becomes easier to involve others if your culture can appreciate a nasty bug. The folks interfacing with researchers will spend a lot less time crafting the perfect “sorry but not a bug” message if they know that their company has their back.

Engineering fixes for bounty bugs will range from changing one line in a config to substantial coordination between multiple teams, outside vendors, or upstream open source projects. Treat this like you would any systemic problem within your engineering organization and have project management capability in place to shepherd the complex bugs.

When it comes to public communication, don’t let your submission threads turn into typical internet debate. Some researchers will permanently disagree on the severity of bugs, submit low-quality bugs, or threaten hostile blog posts. It’s important to expect this and involve level-headed teammates who are well practiced in empathy. Try to be payout-lenient and encourage good research (even when off the mark), but have clear policies for what constitutes a bug and what you’ll pay out for when you find research that is way off the mark. If there’s a conflict over the severity of a bug and you’re certain it’s low risk… disclose the details. With the specifics out in public, misrepresentation can’t happen.

Bounties Forever!

Once you’re paying public bounties under a wide scope, you should have plans to track the interaction of your bounty program with the engineering team on a regular basis.

Here are some basic questions to ask regularly:

  • Budget: How much are we paying weekly / quarterly / annually?
  • Risk: What are our top five bugs in severity this quarter?
  • Regression: What issues keep recurring? What tools or practices can we deploy to prevent them in the future?
  • Hiring: Which researchers should we recruit?
  • Atrophy: What bugs took too long to fix?
  • Happiness: Are researchers happy?

We should all aspire for a million dollar bounty. It should be so hard to score a bug in a product that we’ll someday be willing to put a million dollars behind it.

Someday, your security program could be described by expensive bugs.

Good luck.


@magoo

I’m a security guy, former Director at Facebook, Coinbase, and currently a HackerOne founder / advisor and consultant for a handful of startups. Incident Response and security team building is generally my thing, but I’m mostly all over the place.

@hypatiadotca

I’m a security engineer at Slack. Prior to Slack, I worked at Salesforce.com, Microsoft, and Symantec. I care a lot about building sustainable, healthy security cultures that help developers ship code with confidence.

Take action to fight white supremacy

“Emanuel African Methodist Episcopal (AME) Church” by Cal Sr, CC-BY-SA

I’ve often said that guilt is not a useful emotion, and in particular I’ve always thought that “white guilt” was whiny self-serving bullshit. White people can choose to leave the status quo as it is, with all the institutional, unconscious, and direct ways that white people are privileged in American and other cultures. Or we can choose to take action to support equality – to stand in solidarity with people of colour and recognize their full humanity. Acts like the white supremacist terrorist assault on the Emanuel African Methodist Episcopal Church in Charleston last week are stark reminders that there are white people who most definitely do not recognize that humanity. In the wake of such violence, doing nothing says that you are ok with the world as it is.

Inspired in part by my friend Val’s earlier donations, but in particular by Zoé S.’s tweet:

I have donated $250 to each of these organizations:

The American Civil Liberties Union, which works on the fight for voting rights, against the infuriating school-to-prison pipeline, and on many other racial justice issues. Follow @aclu on Twitter, and donate here. Donations to the ACLU are not tax-deductible or employer-matchable; if that matters to you, donate to the ACLU Foundation here.

We the Protesters works to “fulfill the democratic promise of our union, establish true and lasting justice, accord dignity and standing to everyone, center the humanity of oppressed people, promote the brightest future for our children, and secure the blessings of freedom for all black lives.” Follow the amazing activists behind this movement on Twitter, or donate via the PayPal button at the end of their homepage. Donations are not tax-deductible.

Black Women’s Blueprint works “to develop a culture where women of African descent are fully empowered and where gender, race and other disparities are erased” through research, historical documentation, and movement-building. Follow @BlackWomensBP on Twitter, and donate here. Donations are tax-deductible and eligible for employer matching – you’ll need to get the match by looking up JustGive (EIN 94-3331010) in your employer’s matching system and designating the donation towards BWB.

The Equal Justice Initiative works “to reform the criminal justice system, challenge poverty and the legacy of racial injustice, educate the public and policymakers, and create hope in marginalized communities.” Follow @eji_org on Twitter, and donate here. Donations are tax-deductible and eligible for employer matching.

Giving to any (or all!) of these four organizations is a direct way to fight racism and white supremacy in the United States. Guilt is useless. Take action.

Please feel free to leave comments with links to other organizations which fight for racial justice in the US and around the world.

If You’re Going to Hang Pictures in San Francisco

I grew up pretty much smack dab on the middle of the Canadian Shield, one of the more seismically stable places on the planet. Now that I live in San Francisco, I’m basically always thinking about how to survive an earthquake. When I went to hang some pictures, this ended up being a major research project, so for all my Canadian friends in the Bay Area or just other paranoid types, here’s what you need to have pictures hung as well as these:

1) OOK Tremor Hangers – these babies have a clip to keep your cable from jumping out of the hook, and come with OOK’s excellent hardened picture-hanging nails. The kit I linked to is the best deal for a bunch of them; if you need fewer, check out Home Depot. One alternative which some friends speak highly of but which I haven’t tried are the Quakehold “maze” style hangers – these might be easier to find at your hardware store, too.

2) Quakehold Putty – it’s like the blue sticky tacky stuff used to put posters up in camp and university dorms, except it doesn’t stain everything that nasty greasy blue. There’s even a clear version for sticking glassware to shelves etc.

3) 3M Picture Hanging Strips – I could write a whole blog post about how much I freaking love 3M Command Adhesive stuff. It’s the best. The picture strips are this weird velcro-like stuff that is great for hanging lightweight stuff on its own, or also are great at stabilizing and load-balancing in conjunction with the OOK hangers.

Those will do you right for drywall walls. If you’re a renter and nervous about your landlord noticing your hasty post-move-out spackle job, I highly recommend the 3M Sticky Nails. They don’t have clips like the OOKs, but if you’ve got quake putty and the hanging strips you’ll be alright up to a point. There’s a version for sawtooth type picture frames (which I hate), or wire-backed.

I had one concrete wall at my first SF apartment (the one that jacked up my rent by $500/mo when the lease was up for renewal… needless to say I don’t live there any more) and this taught me the joys of hard wall hangers. These are plastic hooks with small nails embedded in them, which will get just enough grip on a concrete wall to hold up a pretty large picture. I was nervous about the cable “jumping” out of the anchor, so I fashioned a complicated arrangement where I sandwiched the cable between the anchor hook on the bottom and a 3M Command “sticky nail” on top to keep the wire from jumping. And earthquake putty on both the anchor hook itself as well as a couple places on the frame. And 3M picture strips on the sides. This was a real belt and suspenders kinda operation…

Which is good, because four days after I finished hanging those pictures, there was a minor earthquake. All of my stuff stayed securely on my walls. Victory!

I’ve linked to products on Amazon, but Home Depot carries all of these as well, and the Container Store has quake putty and the full assortment of 3M Command delights. Cole Fox, which is a wonderful local hardware chain in SF, carries putty, 3M stuff, and hard wall hangers, the “maze” hangers, and some safety/tremor hangers that look similar to the OOK ones.

Happy picture hanging!

If you tell a story three times, blog it

Most anyone I know will confirm that I love telling stories. I stew on and re-tell anecdotes, and given enough of them on a given topic string them together into theories – theories of organization, models to understand and change the world. I sometimes forget that I’ve told you a particular story before, and tell it again – sorry about that :)

I’m a big fan of the CBC’s annual Massey Lectures, and one of my favourites is Thomas King’s “The Truth About Stories: A Native Narrative” from 2003. In it, King tells us as a sort of refrain or chorus that “the truth about stories is that’s all we are.” It’s one of those lines that gets under your skin, that sticks with you. It’s stuck with me for over a decade.

He closes one of the stories he tells in the lectures as such:

Take Charm’s story, for instance. It’s yours. Do with it what you will. Tell it to friends. Turn it into a television movie. Forget it. But don’t say in the years to come that you would have lived your life differently if only you had heard this story. You’ve heard it now.

This is why we tell stories – in the hopes of sharing things we’ve learned, of giving another person data to “live their life differently” – whether by choosing to take a particular story into account, or to not do so. We tell stories in the hopes that we’ll help others make better mistakes. Or at least, different ones.

(As an aside, this year’s Massey Lecturer will be Margaret Macmillan, a historian whose work I’ve long admired. I’m looking forward to listening to it – listening to the CBC keeps me from getting too homesick.)

I’ve been trying to write more lately, and one metric I’ve been using is that if I tell a story more than three times, I should blog about it. So far this has resulted in dozens of drafts strewn across WordPress, Trello, and Google Drive, but I found myself telling people my idea that if you tell a story three times you should blog it… at least three times, so here we are.

Some of the stories I am hoping to tell this year:

  • finishing my series of posts on undermanagement in tech
  • magical thinking and time
  • “Fuck Yes” But No
  • on coping with finding out that one’s friend is an abuser
  • how pair programming is like piloting a Jaeger in Pacific Rim
  • revisiting Naomi Klein’s No Logo in the context of the Gig Economy
  • how impostor syndrome is a perfectly rational outcome of being called an impostor all the time

Here’s to a 2015 full of more stories :)

Leigh’s Informal Security Salary Survey 2014

The ISC2 is running their annual salary survey, but I want something a bit more personal, and hopefully, localized. So I’m going to run my own survey. Hopefully I don’t end up regretting this :)

Send me as much or as little of the following via FB message, email (salaries at hypatia dot ca), Twitter DM, or carrier pigeon, and I will collate, anonymize, and publish the results:

  • Company
  • Title
  • City/Country
  • Base Salary
  • On hire stock and cash
  • Annual bonus (stock and cash)
  • Education level
  • Years at current job
  • Total years experience
  • Gender / ethnicity if you’re comfortable sharing – I will only use these in aggregate because they are so identifying when one is a minority :(

Anonymization-wise, I will bucketize the titles so they aren’t too specific. I will report all figures in $10k bands and years of experience in ~3-year ranges for obfuscation purposes. For companies with fewer than 5 reports, I won’t mention the company. I’m really good at de-anonymization; I’ll apply that level of expertise to anonymizing your data. And I will delete your data once I’m done this project.
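The generalization and suppression rules above ($10k salary bands, ~3-year experience ranges, bucketized titles, and no company name below 5 reports) are easy to state but easy to get subtly wrong, so here is an added example of what that pipeline looks like in code. This is my illustration, not anything from the original survey: the submissions are constructed records, the title buckets and the `small_groups` check (a simple k-anonymity audit over the generalized quasi-identifiers) are my own assumptions about how one might verify the result before publishing.

```python
from collections import Counter

# Constructed sample submissions: made-up people, companies and figures,
# not data from the actual survey.
SUBMISSIONS = [
    {"company": "BigCo", "title": "Security Engineer", "city": "San Francisco, USA", "base": 143000, "years_exp": 7},
    {"company": "BigCo", "title": "Senior Security Engineer", "city": "San Francisco, USA", "base": 168500, "years_exp": 9},
    {"company": "BigCo", "title": "Security Engineer II", "city": "San Francisco, USA", "base": 151000, "years_exp": 6},
    {"company": "BigCo", "title": "Application Security Engineer", "city": "San Francisco, USA", "base": 139000, "years_exp": 4},
    {"company": "BigCo", "title": "Security Manager", "city": "San Francisco, USA", "base": 185000, "years_exp": 12},
    {"company": "SmallCo", "title": "Security Engineer", "city": "Vancouver, Canada", "base": 95000, "years_exp": 3},
    {"company": "SmallCo", "title": "Director of Security", "city": "Vancouver, Canada", "base": 160000, "years_exp": 15},
]

MIN_COMPANY_REPORTS = 5   # suppress the company name below this many reports
SALARY_BAND = 10_000      # report base salary in $10k bands
YEARS_RANGE = 3           # report experience in 3-year ranges


def salary_band(base):
    """Generalize an exact salary to its $10k band, e.g. 143000 -> '$140k-$150k'."""
    lo = (base // SALARY_BAND) * SALARY_BAND
    return f"${lo // 1000}k-${(lo + SALARY_BAND) // 1000}k"


def experience_range(years):
    """Generalize exact years of experience to a 3-year range, e.g. 7 -> '6-8 years'."""
    lo = (years // YEARS_RANGE) * YEARS_RANGE
    return f"{lo}-{lo + YEARS_RANGE - 1} years"


def bucketize_title(title):
    """Collapse specific job titles into coarse buckets (bucket names are assumptions)."""
    t = title.lower()
    if any(w in t for w in ("director", "head", "vp", "chief", "manager")):
        return "Management"
    if any(w in t for w in ("senior", "staff", "principal", "lead")):
        return "Senior IC"
    return "IC"


def anonymize(submissions, min_company_reports=MIN_COMPANY_REPORTS):
    """Apply generalization to every field and suppress rarely-reported companies."""
    counts = Counter(s["company"] for s in submissions)
    return [
        {
            "company": s["company"] if counts[s["company"]] >= min_company_reports else "(withheld)",
            "title": bucketize_title(s["title"]),
            "city": s["city"],
            "base": salary_band(s["base"]),
            "years_exp": experience_range(s["years_exp"]),
        }
        for s in submissions
    ]


def small_groups(records, k, keys=("company", "title", "city")):
    """Return quasi-identifier combinations shared by fewer than k records.

    Any non-empty result means some published row is still unique (or nearly so)
    on company + role bucket + city, even after banding the numbers.
    """
    groups = Counter(tuple(r[key] for key in keys) for r in records)
    return {g: n for g, n in groups.items() if n < k}


if __name__ == "__main__":
    published = anonymize(SUBMISSIONS)
    for row in published:
        print(row)
    print("groups below k=2:", small_groups(published, 2))
```

Running this on the constructed data shows the point of the audit step: the banding works, and SmallCo is withheld, but the one BigCo manager and the one BigCo senior engineer are each still alone in their (company, role bucket, city) group, so anyone who knows those two people could read their salary band straight off the table. That is why coarse bands alone are not enough and why the author also withholds small companies and reports gender and ethnicity only in aggregate.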

Joining the advisory board of Mod N Labs

I’m pleased to announce that I am joining Mod N Labs, a new security startup accelerator based in San Francisco, as an advisor. I’ll bring my industry experience as well as diversity and inclusion expertise as we help entrepreneurs build the next generation of security companies. I’m still at Heroku as my day job – it continues to be awesome.

If you have a cool security startup idea and would like to work with an amazing community of advisors and investors, please reach out – we want to hear from you. We are particularly interested in hearing from founders who are currently underrepresented in the security industry, including women, people of colour, LGBTQ people, and people with disabilities. We recognize that there is a mountain of research showing that diverse teams perform better, and we’d be remiss in not seeking out founders as diverse as the security landscape we live in.