Today's threads (a thread)

Inside: Delusion as a service; and more!

Archived at: https://pluralistic.net/2026/06/04/mission-space/

#Pluralistic

1/

@pluralistic I think I just realized why I've found most start-ups so frustrating to work at/with.

"Code is a liability". That's certainly not how most start-ups treat it!

The whole SV start-up mindset requires ignoring liabilities as long as possible. Scale! Revenue growth! Headcount growth! More powerful AI! There's always an excuse to put off any threat that isn't immediate.

I hate having a Sword of Damocles hanging over my head. It's no wonder I clashed with leadership so often.

@periodic @pluralistic That's like the 'race to acquisition' concept I noticed when I was on Twitter's security team 2011-2012. They acquired several orgs and I had to do the security assessments on them. All of them were hot garbage. Turns out speeding towards MVP at lightspeed and getting acquired is more favorable because when the problems are discovered it's someone else's problem. Go fast, fuck everything up, sell, get paid, bail, liability is someone else's now.

@Viss @pluralistic Just gotta make it to a liquidity event!

I do not envy your position on a security team. It was all I could do to prevent features from shipping that would cause an outage in 6-12mo. Security was sometimes explicitly ignored.

@periodic @pluralistic Oh dude, they asked me back then if they could use HipChat as the team chat. I did a review. I found open S3 buckets of all attachments and I could link them to external companies. I didn't have time to find the actual text of the chats, but all the attachments for the entire platform landed in a massive open S3 bucket. I said this was a massive liability and we should avoid HipChat.

"we'll take it under advisement"

It was live 2 days later.

What's even the point?

@Viss @periodic

If this place was doing it right, someone with due diligence responsibility would have signed off on the risk of ignoring your expert opinion.
If that's not what happened, hopefully you kept a copy of your opinion handy (including who was informed) when they tried to pin it on you later. Then happily keep collecting your paycheck.

@mrose @periodic Well, this was Twitter, and my boss at the time was a guy who was later fired for doing nothing when he was supposed to do something. He then went on to a consulting firm to be a 'CISO in residence' but was fired 7 months later. Last I heard he went to work for the DNC... and... well... you read the news, I wager.

@mrose @periodic He also famously told me that 'Java Rhino' didn't exist, and told me he would have to 'confirm with his contacts' about it being real shortly after I was hired, as I was explaining that it was a zero-click way to shell victims on every available platform (this was back in the Java applet days).

Several months later that massive 2012 watering hole attack happened, hitting everyone in SF/SV, and it was... Java Rhino.

Working there was... a ride.

@Viss @periodic

And apparently it continues with your post on xchat.

@mrose @periodic Ah. Yeah, Vess is a different guy, not me. I quit Twitter like 3-4 years ago to come here and never looked back. Though I did work there 2011-2012, so I have a lot to say about stuff from back then.

@Viss

Whoops. Sorry, my mistake.