Daniel Stinson

Check out audit-logs.tax - we want to crowdsource a list of vendors who don't prioritize high quality, widely available audit logs. We started with a list of apps we're focused on but happy to take issues/PRs for logs you're focused on: github.com/shellcromancer…

@zeddotdev search in preview 🔎 github.com/zed-industries…

For those of you asking about copy/paste from preview, it's merged and will be on stable soon

> The refactor itself typechecks conceptually; Name that Agent!

Big day: toddler’s first data breach!

We at @cotoolai are stoked to announce our $7.4m fundraise from @a16z . Offensive cyber operations are now JIT code; we started Cotool to give defenders their leverage back. Grateful to everyone who took the bet early, especially @koomen @garrytan @MaikaThoughts @zanelackey.

Today we're introducing @usefiretiger. You and your AI agents write code. Firetiger makes sure it works. Our team and I have plenty of incident war stories building @Cloudflare, @segment, @Twitch. In the agentic coding era, the volume of code changes + quality issues in prod is ever increasing, but observability vendors aren't incentivized to close the gap. They make money when you write more data to them, not when your software actually works. Firetiger is the agentic operations layer for the agentic coding era. We combine production observability data, codebase understanding, and knowledge of your business to find problems before your customers do and fix them before they notice. We've raised $7.6 million led by @sequoia with participation from angels who believe in better software, including @eastdakota, @calvinfo, @NicoRosberg, @dok2001, @jeffawilke, and @alanaagoyal. You can sign up for @usefiretiger today, self serve. We charge for agents that directly make your software better and more reliable, not for observability data ingested, with plans starting at $599/month. Observability is dead. Long live outcome engineering.

Effective Cloudflare ad from whatever ai(.)com is

Using ChatGPT Pulse to read my newsletter inbox and show me cute card summaries is really nice. The intro name in today’s was a little off though…

Nice post from @arenamagdotcom with a contrarian bull-case for US rare earth independence 🐂🇺🇸 arenamag.com/articles/ameri…

Spec: #sctn-related-origins" target="_blank" rel="nofollow noopener">w3c.github.io/webauthn/#sctn… Docs: passkeys.dev/docs/advanced/… Nice blog with an example: goodsignin.com/blog/passkeys-…

X's WebAuthn forced migration seems like something that relatedOrigins should help with. I _think_ this would only work if the `/.well-known/webauth` list was populated during the registration ceremony but its unclear from reading the spec...

also moved them from the Wall of Shame, to the Friends of SSO on the fork 🚢 github.com/ssotax/ssotax/…

Happily made the PR remove Cloudflare from the sso.tax. What vendors are next?

How many apps have a shortcut to email their CEO? 👀 I’m guessing it’s a short list with only @matter

Some days I worry about AGI taking my job, other days I know I'm safe for a few years... Both gpt-5-codex high, and Claude Code both spun their wheels for 15+ minutes pointing to a compiler toolchain issues even given a git commit where the issue must be... this was the fix!

Got prompted to use a Passkey in the Costco app, it’s a good day 👌

Cursor is now using Open VSX to install code editor extensions from. You must understand the implications of this right now. There has been an attack campaign happening for more than a month with extensions that install ScreenConnect. Below is ANOTHER example.

🆕 YARA module this week: Chrome extension bundles! Would be pretty cool to add Mandiant's Permission Hash to the module's output for pivoting fun! @secureannex exposes Permhash's in their UI/API so this would be a nice CLI format

The latest OCSF release has some IAM goodies. It's almost as if identity is the new perimeter 💡 * Group Management: handles subgroups now! (I helped with this one 🎉) * new IAM Analysis Finding class, and many new dictionary items related to identities github.com/ocsf/ocsf-sche…

this might become a daily thread on how I'm absolutely right

didn't save me this time ☠️

LLMs are incredible for rubber-ducky debugging. As I type out my message to the homies Sonnet and Opus 4, explaining how things work, I often spot the bug and don’t have to waste tokens. 💡🦆 Saves me from the "You're absolutely right!" flattery

#id-provide-the-visibility-and-control-to-manage-and-harden-identities_id-1-allow-one-active-login-method-and-require-external-re-verification-to-change-to-another" target="_blank" rel="nofollow noopener">pushsecurity.com/blog/minimum-v… audit-logs.tax

Great to see @PushSecurity reference to the audit-logs[.]tax site in their Minimum Viable Identity Security post🤌 If you're paying the tax for a site that's not listed yet, lmk and we can get them on there