Writing
Potential causes of accidents in outdoor pursuits (the Meyer/Williamson matrix)
Changing Directions
I have two important announcements:
I’m leaving the tech industry. Hopefully “for good”; if not, at least “for now”.
As such, the content on this blog is going to shift, perhaps dramatically. I’m going to be writing about a broader range of topics that interest me (projects around my hobby farm, wilderness trips, emergency medicine) – more writing for me, less writing for some imagined audience. (I’ll probably still end up writing about some of the same topics as I’ve been covering since 2020, just less often.)
I’m writing this post mostly to give myself permission to make that change, and to give readers the opportunity to unsubscribe/unfollow if they’re not interested.
If you’re interested in more details about why I’m leaving the industry and what’s next for me and this blog, read on.
🔗 Decision making matrix for alpine climbing (#)
Great example of a simple risk framework in action.
How to report a security issue in an open source project
Beware tech career advice from old heads
🔗 Building a Community Privacy Plan (#)
Really great guide. I love the community focus — so many of these security guides are individually-oriented, which limits their applicability to groups, especially volunteer groups.
Thinking About Risk: Sidebar #4: Quantitative Risk Revisited
Thinking About Risk: Sidebar #3: Two Flavors of Medium Risk
Thinking About Risk: Sidebar #2: The Swiss Cheese Model
Thinking About Risk: Sidebar #1: "Exposure"
🔗 Cognitive Biases Codex.pdf (#)
🔗 The 2025 journalist’s digital security checklist (#)
A pretty good checklist. Some things are tailored for the relatively higher risk faced by journalists, but with some judicious “not applicable” application, it could be a good checklist for anyone.
Thinking About Risk: Mitigation
Thinking About Risk: An introduction to thinking about risk
Free digital security checkups for people/organizations concerned about the incoming US government
🔗 Democratising publishing (#)
“Ghost is a distributed non-profit foundation which gives away all of its intellectual property under a permissive MIT license. The company has no investors and, in fact, no owners of any kind. I don’t own any part of Ghost, and neither does my co-founder Hannah.
We currently generate around $7.5M in annual revenue, and have been profitable and sustainable for the past 12 years.
“Wait, what?”
I’m glad you asked.”
🔗 Phishing simulations - Rami's Wiki (#)
Roundup of research and commentary on phishing sims.
Why you should run for the DSF Board, and my goals for the DSF in 2025
🔗 Reflections on Palantir (#)
I suspect the tone here — largely laudatory, and looking up to people like Peter Thiel and Paul Graham — will rub most of my readers the wrong way.
Look past that, and pay attention to the notes on what makes Palantir work. I completely agree with a lot of the conclusions about how important being embedded with real customers is. It also happens to be the model that I saw working at 18F and USDS!
🔗 Prioritizing Detection Engineering (#)
Detection Engineering is a concept that has emerged in the detection space. It acknowledges the complexity of a detection stack and the…