
Latacora: Security Programs For Startups - MattRogish
https://latacora.com
======
ShaneWilton
From the HTML source:

    <!-- You can't know whether I'm exploiting a bias in the crappy JS -->
    <!-- RNG to make my name first more often. Hah-hah. -->
    document.addEventListener("DOMContentLoaded", function(event) {
      var names = ["Erin Ptacek", "Thomas Ptacek", "Jeremy Rauch"].
        sort(function(x, y) { return 1 - Math.ceil(Math.random() * 100) % 3; });
      for(var i = 0; i < 3; i++) {
        document.getElementById("n_" + i).textContent = names[i];
      }
    });

It isn't scientific in the slightest, but I ran the function a hundred million
times, and Erin seems to appear first about 60% of the time, in Google Chrome.

Good luck with the company, I hope you can also beat the RNG that makes or
breaks a startup :)

~~~
RKoutnik
Ah, I think I've figured it out (nothing to do with JS's RNG, sadly). It's
simpler when you ignore Jeremy (sorry). For this case, we can assume
`Math.random()` will output uniformly random numbers. `Array.prototype.sort`
works like so:

If the function returns > 0, the first param should be sorted to a higher
index than the second.

If the function returns < 0, the first param should be sorted to a lower index
than the second.

 _If the function returns exactly zero, the parameters are left as they are._

So what we've got is a 1/3 of Erin 'winning', 1/3 of Thomas 'winning' and a
1/3 chance of a tie _which leaves Erin ahead_. So she's got a 2/3 chance of
being first.

Additionally (but not in any consequential fashion), generating a random
number between 1 and 100 (inclusive) gives you 100 possibilities (duh). With
three outcomes:

    100 / 3 = 33.333333333333336

The first option has slightly more chance to be picked. If Erin wanted to be
fair(er), she'd multiply by 99.

Here's a Python solution showing it's not just JS:

link: [http://paste.ubuntu.com/23222240/](http://paste.ubuntu.com/23222240/)

results:

    {
      'Erin Ptacek': 6523,
      'Thomas Ptacek': 1951,
      'Jeremy Rauch': 1526
    }

(with apologies to ShaneWilton, I've completely rewritten this comment so the
following comments are out of date)

~~~
ShaneWilton
The output of Math.random also doesn't seem to be very uniform. With the
original code, I'm consistently seeing Erin appear first 60% of the time, and
Thomas first 30% of the time. Jeremy is left with 10%.

Even after changing the code to multiply by 99 instead of 100, the results
don't change very much at all.

~~~
RKoutnik
Interesting, running just the number generation under node v6.5.0 gives:

    { '0': 340364, '1': 330093, '-1': 329543 }

So we see a slight bias for zero (elements are equal) there. ~Lemme try it in
Chrome and get back to you.~

AHA, repro'd in Chrome latest:
[http://jsbin.com/cefuqi/edit?js,console](http://jsbin.com/cefuqi/edit?js,console)

Also repros in node. Fascinating. There goes my afternoon...

~~~
thethirdone
The problem is in the sort function. It expects the comparison to be
deterministic and thus does not give the fully randomized list.

Instead, give each name a distinct value (between 0 and 1) and sort based on
those values.
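Putting the two points above together (RKoutnik's arithmetic on what the comparator can return, and thethirdone's fix of sorting on a per-name random key), here is an added JavaScript example that is not from the page or from Latacora's site. It assumes Node.js or a modern browser console; only the comparator expression is taken from the quoted HTML, and every function name and the trial count are constructed for the example.

```javascript
// Added example: reproduces the biased comparator quoted in the thread and
// contrasts it with a deterministic comparator over per-name random keys.
// Everything except the comparator expression itself is constructed here.

// The comparator from the quoted HTML, with the multiplier (100 on the page)
// made a parameter so the 100-vs-99 point can be checked. x and y are unused:
// that is exactly the problem, the result ignores the elements being compared.
function biasedComparator(multiplier) {
  return function (x, y) {
    return 1 - Math.ceil(Math.random() * multiplier) % 3;
  };
}

// Exact tally of the comparator's possible return values over every value
// Math.ceil(Math.random() * multiplier) can take (1 .. multiplier). No RNG is
// involved, so this is RKoutnik's "100 / 3 is not an integer" point, made exact.
function comparatorReturnCounts(multiplier) {
  const counts = { "1": 0, "0": 0, "-1": 0 };
  for (let v = 1; v <= multiplier; v++) {
    counts[String(1 - (v % 3))] += 1;
  }
  return counts;
}

// The ordering from the quoted page: sort with the random comparator.
function sortWithRandomComparator(names) {
  return names.slice().sort(biasedComparator(100));
}

// thethirdone's fix: attach a distinct random key to each name and sort on
// the keys with a deterministic comparator (decorate, sort, undecorate).
function shuffleByRandomKey(names) {
  return names
    .map(function (name) { return { name: name, key: Math.random() }; })
    .sort(function (a, b) { return a.key - b.key; })
    .map(function (entry) { return entry.name; });
}

// Run an ordering function `trials` times and return, for each name, the
// fraction of runs in which it came out first.
function firstPlaceFrequencies(names, orderFn, trials) {
  const counts = {};
  names.forEach(function (n) { counts[n] = 0; });
  for (let i = 0; i < trials; i++) {
    counts[orderFn(names)[0]] += 1;
  }
  names.forEach(function (n) { counts[n] = counts[n] / trials; });
  return counts;
}

const NAMES = ["Erin Ptacek", "Thomas Ptacek", "Jeremy Rauch"];

console.log("return counts, x100:", comparatorReturnCounts(100));
console.log("return counts, x99: ", comparatorReturnCounts(99));
console.log("random comparator:  ", firstPlaceFrequencies(NAMES, sortWithRandomComparator, 100000));
console.log("per-name random key:", firstPlaceFrequencies(NAMES, shuffleByRandomKey, 100000));
```

The exact tally shows the 34/33/33 lean toward a tie with a multiplier of 100 and an even 33/33/33 split with 99, but, as the thread found, the multiplier barely matters: a comparator that does not describe a consistent ordering leaves the final order to whatever the engine's sort algorithm happens to do with it, so the fix is a deterministic comparator over per-name keys, not a different constant. The same property is worth remembering anywhere a random ordering carries weight: `sort` with a non-deterministic comparator is engine-defined, not random.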

------
djcapelis
This is great. Someone needed to do one of these, I dabbled in this market
with my little one person shop because it seemed so critically underserved,
but my constraints were a bit different.

Some of the challenges I faced in trying to help startups: I needed to be paid
in real money, which is tough for a startup. I didn't market myself at _all_
(not even a webpage) which is just neglectful. And finally, surprisingly:
frankly I found startups to have the worst legal advice and contracts. All of
them went to their lawyers and came back with contracts that looked like
employment agreements and frankly included worse terms than most employment
agreements. I had my own agreement, but it didn't help much. I had a
surprising number of deals fall through because of this. Part of it is I
clearly allowed incorrect expectations, and part of it is, I think, that if
people haven't heard of you they just assume you'll be unrepresented and are
shocked when you don't just sign their standard "we put whatever we thought
would be best for our client" contract and instead ask for a version for a
lawyer to redline.

So frustrating. And for real, most startups didn't need that much of my time,
so it became not worth it.

Instead I had a much better experience with a lot less pain (and frankly more
interesting work) working on multibillion dollar public infrastructure
contracts (train systems mostly) and focused on those instead. Go figure.

You'd expect startups to do better in this area than larger companies.

Thankfully Thomas is well known on the Internet, which I think will help a lot
with startups. And it's a better model than what I was doing.

Anyway! Thanks for doing this! It's a huge unfilled area. Someone needed to
and I hope it works well!

~~~
tptacek
Our one key advantage: after selling Matasano, we do _not_ require payment in
real money. :)

~~~
djcapelis
That part seems really compelling for some startups. But I'll be curious to
see if at the end of the day it turns out to be compelling for you all. (FWIW,
the few times I tried that approach people weren't used to it. It probably is
far enough away from everything else that it also squarely removes you from
the usual "we'll hand you a contract for a contractor" situation too. I am
guessing you'll have more luck with it than I did.) You might find pushback
from folks who don't want to add another row to their cap table. It seems like
it shouldn't be a big deal, but different people have the strangest
dealbreakers.

I am also curious: do you plan to value options when you accept those at
whatever valuation is current and let other investors determine the rate? Or
do you plan to try and determine option valuation yourself? How VC-like do you
intend to get here? :)

~~~
tptacek
For the most part, we're really just going to exploit every lever we can find
for making our payment structure flexible. I wouldn't say we're hoping to
become investors.

We spent a few years working with lots of young startups at Matasano and we
had the obvious learning experience: none of them, even the ones with
traction, can afford the kind of security work that larger companies get.
That's a problem we're hoping to address, at least for a small number of
clients.

~~~
djcapelis
Awesome. Curious to see how it goes! Hope you all have time to write it up as
it goes along. :)

------
tetrep
Ha, I guess a management role is the natural progression from technical
consulting. I love the idea of a middle ground between "we have things people
would want to hack" and "we have a dedicated security team." It's great when
you can hire security conscious developers, but startups generally aren't known
for seeking out nor emphasizing those skills. AFAIK nobody has adopted "Move
carefully and write secure code with minimal technical debt."

A seasoned security team would also be able to effectively avoid snake oil
security consultants (no, you really don't need to encrypt the user's password
with JavaScript before transmitting it to the server), which are all the more
tempting to hire as they're generally cheap (run Nessus, print and deliver
report...).

~~~
Normal_gaussian
Do you hang out in #HighAltitude or am I experiencing the Baader-Meinhof
Phenomenon?

------
tptacek
I guess if people are interested and have questions I can try to take a stab
at them, but really you'll be having a conversation with three people who have
only a faint idea of exactly how this is going to work, since we're still in
learning mode. :)

The next thing I'm actually _shipping_ is the first batch of post-Starfighter
challenges.

The next thing I'm actually _writing_ is "what happened with Starfighter".

~~~
splawn
Is it pronounced lata-cora or la-taco-ra?

~~~
tptacek
Dunno. What sounds better? La-TACO-ra hadn't even occurred to me.

~~~
splawn
lata-cora rolls off the tongue easier, imo. (I think I am just hungry)

------
richerlariviere
>Growing a business is exciting. We'd like to make it just a little less
exciting for you.

The second sentence sounds weird for me. Maybe I didn't understand because I
don't speak English natively and I missed some kind of humor.

~~~
anilgulecha
Double entendre, "exciting" here refers to the fun of a startup and to
security-issues and vulnerabilities in software.

------
nickpsecurity
I suggested this exact thing on Schneier's blog to keep security from being an
afterthought or too expensive. Great to see a group think of and actually do
the same thing.

Good team for this. The prior experience will help them iterate more
effectively into a model that works. Then others can copy it. Or they might
even franchise it.

------
briancl
Every strong engineering team needs someone with real security chops... not
just someone who can fix SQLi after it's been pointed out, but someone who
gets security at the infrastructure level. Someone who gets the why, not just
the how. Not every team has that person or that person can't devote the time
to play that role.

With a few good references and strong VC/Accelerator connections, this
boutique consulting business should do fine. The question for me is how much
pain is there on the board/founder (the key influencers/buyers of the service)
compared to the cost of the services... or the risk of doing nothing.

~~~
tptacek
Most startups don't need a dedicated security person and don't need a service
like ours to bridge them to a full-time internal security team. So I think
you're right: boards and founders are going to question whether they want
something like this.

On the flip side: we have the bandwidth for only a few clients (we're doing a
_lot_ of work here), so mutual selectivity is a win. :)

------
lifeisstillgood
Preamble: a lot of agencies (I'm thinking postlight) act as "hire us for three
months to get the idea off the ground" - they try to take away the headache
of not having actually hired a good team yet.

Question: Are you part of a fracturing of this? That people could hire you for
security, postlight for front end, someone else for ecommerce / payments etc.
I think I am asking is the postlight model distrusted, is hiring your style of
team easier to fit around a growing team. What is the gap in the market you
are seeing?

~~~
tptacek
I don't think so. I think you need a solid, invested engineering team for us
to plug into in order to get any value out of what we're doing.

------
lifeisstillgood
I am working with a small startup as their "technical advisory board" -
clearly not as security minded as here, but the goal is the same, to take a
brain dump from me and use it as a framework for the next couple of months of
work.

I like this idea, and hopefully it's self selecting. People who won't listen
to good advice won't hire you in the first place!

------
purpledragon
How does this business scale without affecting quality?

Why is the birth of this particular (small) security consulting firm more
newsworthy (in contrast to all of the others that have popped up)?

~~~
jeffmcjunkin
1. tptacek answered this already.

2. [https://news.ycombinator.com/leaders](https://news.ycombinator.com/leaders)
(read #1)

~~~
tptacek
I mean, yes, (2) is why it's on the front page, but I too find it weird that
we're talking about this.

------
mxuribe
This sounds like a great idea! Kudos and best of luck!

------
vemv
Might be good to mention what programming languages do you work with, as
security is quite coupled with application code...

~~~
wglb
A qualified pentester can work with, audit, and break code in any language.
There are a few that I have not heard of anyone actively pentesting, and they
include RPG III and the family of Bliss languages.

