This week is going to be a short retro, unfortunately I was exposed to Covid on Tuesday and have been getting progressively sicker throughout the week, so I had a difficult time doing much of anything. I did, however, manage to deploy a privacy-conscious analytics platform to my blog this week, which is covered in more detail below.
If my job was a child, it would now know how to draw a circle and know not to touch a hot stove. It would also know how to use a fork and string items together. It’s definitely got those last two down, I feel like that’s my whole job.
Today marks my 3 year anniversary at my current job, which also means that I recently passed the 3 year anniversary since switching from full time red team work to full time security engineering work. I’ve previously written on my thoughts around this transition back in 2021, and it is probably due for a longer form update. Short of that, I wanted to capture a couple notes here.
In the three years I’ve been at my current company, we’ve gone through some wild market conditions. We were in a rapid growth stage around when I joined, and we’ve since had two layoffs in the past two years. My boss is the only person on my team who has been here longer than me, and there are only a few engineers left who were here before me. The product and design teams have seen complete turnover, as has a lot of the go to market side of the business.
It’s been interesting being in this position, especially compared to how it felt when Intel did layoffs while I was working there. Intel laid off something like ten thousand people in one sweep while I was there and I think barely anyone I knew was impacted. But in a much smaller startup, everyone impacted is someone I know.
At Intel, there were people who had been working there since before I was born. At my current job, 3 years is a milestone not seen by many. Not just because of the layoffs, but because in the world of startups, people seem to be more keen to move on to things that are more interesting to them, or are better opportunities for them.
In my time as a security engineer, I’ve also become quite proficient in performance engineering, observability and monitoring, optimizing CI/CD pipelines, optimizing developer experience, and python type annotations. Basically all of these fall outside the realm of traditional security engineering roles, but I see myself as an engineer with security expertise, rather than an engineer who just builds security things. I’ve taken on probably a dozen big hairy projects that everyone wanted done but nobody had time to do. If something’s the thing to do, you do it.
I’m looking forward to seeing what the coming years bring, as the company shifts its focus towards sustainable, profitable business.
I have been on the fence about deploying analytics to my site. I don’t really feel like I need numerical feedback on my writing, and I didn’t want to introduce any sort of tracking or privacy-compromising javascript into my site. It’s a simple blog, it doesn’t need to know if you’re signed into Facebook or Google.
Ultimately I decided to deploy analytics because I wanted to understand where my readers are located and what people are mostly reading. I chose a self-hosted Plausible.io instance, and I made the dashboard available for public consumption via plausible.0xda.de/0xda.de in the interest of transparency. You can see what I can see.
It was easy to deploy via docker, but reminded me that it’s important to be aware that docker will hijack your firewall rules if they are defined and managed by ufw. I’ve typically resolved this by following the readme in ufw-docker. I don’t want my docker containers to ever accidentally expose a public service if I didn’t mean for it to be public.
I don’t currently have it setup, but I will also be adding a toggle to let people opt out of analytics without disabling javascript, following guidance provided by plausible. I want to get an idea of how my site is doing, but more importantly I want folks to be able to control their experience on my site.
I’ve also automatically excluded the javascript for plausible from my onion site. Both because if you’re using tor, you are probably making a choice to not be tracked, and because I have no idea how well Plausible would handle the unique visitor identification via Tor.
I was also curious approximately how many people were reading my posts from RSS readers and found this post by Darek Kay about estimating the number of RSS subscribers you have. From what I saw, I have 93 subscribers using Inoreader and 78 using Feedly. This is neat, I didn’t expect there to be so many.
The Bezzle
By Cory Doctorow
ISBN: 978-1-250-86587-8
Learn More
I’ve just passed the halfway point and I’ve been enjoying it a great deal. Cory always manages a good blend of fictional storytelling with real facts and history. I was somewhat surprised to see the story shift from a fast food fueled ponzi scheme towards the prison industrial complex, but overall it’s been interesting and I’ve learned quite a lot.