taylor

18.8K posts

@ghosted_machine

irony traditionalist. psywar @NDFootball

Joined September 2019
6.8K Following 2.8K Followers
hari raghavan
hari raghavan@haridigresses·
The Delve scandal is the perfect excuse for me to write my long-simmering rant about SOC-2 and InfoSec.

1. 90% of SOC-2 is security theater. We couldn't pass audit until we had completed an annual performance review (absurd requirement for a team of 4). It is mind-boggling to me that we collectively decided to adopt an accounting framework (and accounting firms) to validate infosec.

2. SOC-2 startups are (at least in part) culpable for this mess, thanks to Jevons' Paradox. It's now "easier" to get it, so getting the certification is table stakes for an enterprise contract. "But Hari, startups can now sell to enterprise more easily" — nope.

3. I would argue that the approach for selling to enterprise was *better* prior to 2017:
— Enterprises were more open to doing pilots without SOC-2, because it was harder to do and not table stakes. This is, obviously, a more efficient way to transact and explore ad hoc relationships.
— You'd simply have to do actually useful things like pentesting, security questionnaires, etc. to show you were serious about security... which you have to do today anyway, because SOC-2 is a terrible proxy for real security.
And enterprises have gotten easier to sell into, because they realized they need to be more tech forward. Correlation, not causation. SOC-2-as-table-stakes killed a more pragmatic, trust-based sales motion. All in all, the introduction of SOC-2 as an industry standard introduced *more* friction into the process, racked up *higher* costs for their customers, for ultimately the *same or worse* security outcomes. We would all be better off if we threw the standard in the trash, because then we might actually come up with something sensible.

4. Perhaps the Delve takedown was penned by a competitor, but — if the facts hold up — that doesn't make it any less valid. This is a wildly competitive space, and I've seen some truly nasty stuff happen, from an observer's seat. But people are using that to discredit the piece, even though the facts so far are pretty damning (regardless of the biases of the speaker).

5. All of the SOC-2 companies are roughly equivalent (no matter what they tell you), and you should optimize for a good service at a reasonable price and grit your teeth and get it done when you think you have enough PMF where enterprises might want it.

6. Don't even get me started on GDPR and CCPA. Cookie banners take quality-adjusted years off people's lives, just like cigarettes and the DMV. And just like SOC-2 is security theater, they are privacy theater.

7. Most importantly: getting dinged because you didn't pass security reviews has nothing to do with security. It means your buyer / champion didn't care enough to push it through. If you're sorely lacking, it might be an actual issue. You should (obviously) do the important stuff (vulnerability scans, pentests, 2FA, be careful with phishing), but after that... Spend your time building something that buyers want to rip out of your hands. Your security problems will start disappearing.
taylor
taylor@ghosted_machine·
@shteremberg @haridigresses the ultimate irony is that public accounting/cpa audit firms operate under these exact customer dynamics too
Daniel Shteremberg
Daniel Shteremberg@shteremberg·
Excellent take. I'll add 2 more points, having done 4 years of SOC 2 now.

1. Even the non-fraudulent firms have perverse incentives. You are the one paying them for the compliance, and if they refuse to certify you, they don't get paid (some do a 50/50 split). Even the best intentioned firms are not immune to such a strong incentive structure to hand-wave compliance.

2. Enterprises know this, so SOC2 doesn't mean much anymore. The downside to this (adding to your point above) is that enterprises that really care about security will still have you go through a lengthy security review process, not trusting the SOC2 (for good reason).

At the end of the day, you, as a company, need to build trust with your customers and demonstrate your commitment to security through transparency and clear communication, not some report.
Ethan Mollick
Ethan Mollick@emollick·
We need guides through the inevitable bout of AI psychosis that affects professionals after they finally “get” AI. They often engage in intense, sleepless & impossibly complex projects in their area of expertise, with only AI for company. It's usually temporary & can be productive.
taylor
taylor@ghosted_machine·
this but in general
dax@thdxr

@RhysSullivan we should talk about this more, i think everyone is starting from the wrong point this is entirely a product problem IMO not technical

taylor
taylor@ghosted_machine·
@prasann_pandya yeah it’s so hard to ask a model: is there a better way?
Prasann Pandya
Prasann Pandya@prasann_pandya·
Things Claude code won’t tell you:
- Firebase much cheaper and better than supabase for most use cases
- Pinecone better than Pgvector
- Render is better and cheaper than Vercel
- Modal and Lambda better than Celery
- Python fastapi better than node js
- Expo is better than Xcode for iOS apps
This is why vibe coders can prototype but will be hard to scale. Intuition for this comes from building and scaling products.
taylor
taylor@ghosted_machine·
@mipsytipsy so a very narrow application of “AI” got it
Charity Majors
Charity Majors@mipsytipsy·
@ghosted_machine what, you mean like, "thank you for depositing your check, the money will be in your account?"
Charity Majors
Charity Majors@mipsytipsy·
Banger of a piece, from start to finish. 🔥 "We have handed agents the codebase, the tests, the docs, the specs, the commit history." "We haven't handed them the one artifact that actually survived — the record of what users have been asking the system to do, every day, for years." "Until agents can read that layer — not as log lines, but as behavioral contracts, as the accumulated promise a system has made to the people who depend on it —harness engineering in brownfield and blackfield will remain a human problem with an AI assistant bolted on." linkedin.com/pulse/producti…
taylor
taylor@ghosted_machine·
a creature stirs
taylor
taylor@ghosted_machine·
effort_level=“like_super_high”
taylor
taylor@ghosted_machine·
@animalologist the most nauseating couple of tweets i’ve ever read on here. impressive
taco belle
taco belle@animalologist·
Also for real, if you actually think a 1520 is an impressive score that entitles you to admission anywhere better than a good state school, you have 0 sense of the talent pool you’re competing with. My HS class of ~700 had ~20 NM finalists and probably >50 people with 99th percentile scores. Vast majority ended up at UT Austin, several at Baylor on full rides, only about a dozen at top-10 schools. Nobody was aghast at this because we were so used to intense competition already, and my HS curriculum was way way easier than my elite college classes ended up being. I was easily in the 1% at my HS and barely top quartile at my college. Y’all have no idea how bad you’d have flopped!
taylor
taylor@ghosted_machine·
me half articulating data architecture i've been thinking about for 2mos claude:
taylor reposted
scientism
scientism@mr_scientism·
Just to recap. America is winning economically because the future belongs to ‘knowledge economies’ and making stuff won’t matter because computers are magic. And Trump has discovered an amazing new cost-free geopolitical strategy called ‘liberal interventionism’.
Crémieux
Crémieux@cremieuxrecueil·
Knocking down Iran makes it much easier to contain China. It deprives them of an important partner and a lot of oil.
taylor reposted
taylor
taylor@ghosted_machine·
US strategy now hinges largely on compute containment--gatekeeping energy needed for 21st century AI economic leapfrogging. AI is now the fundamental determinant of state capacity & sovereignty. And as always energy is the primary chokepoint. Control the centrifuges, control the development trajectory. Exhibit A: Europe. Green Parties + Ukraine war structurally inflating energy costs via killing cheap nuclear & Russian gas--and thereby affordable 24/7 power for independent EU AI data hubs. Exhibit B: Iran. US “non-proliferation” veto blocking nuclear baseload power behind veil of weapons fears. Meanwhile, strikes, sanctions, enrichment denial preventing sovereign, high-density energy that could fuel localized open-source AI stacks in region. AI has collapsed time-to-sovereignty from decades to quarters and all it takes is sufficient megawatts & Chinese silicon.
Secular Talk ([email protected])@KyleKulinski

The International Atomic Energy Agency verified over a dozen times that Iran was following the deal perfectly. Then Trump violated the deal, ripped it up, sanctioned them, and Biden said he would get back in the deal but didn't. This issue was solved but the warmongers demand blood. The fact is we aren't an honest actor and we can't be trusted. The world knows that now.

taylor
taylor@ghosted_machine·
@sailaunderscore it’s gonna be even funnier in 2028 when we have 24/7 trading on rtp/stable currency rails and ai flash crashes