Allan
@allanfriedman.bsky.social
SBOM Champion. Full service technocrat. Now at @CISAgov, formerly NTIA. Lapsed{engineer, academic, author}. Personal Account. Food, drink, dogs, SBOM
Reposted by Allan
Hell yes! Many of us have been following this story from the beginning, and I'm SO glad to see it resolved finally...

arstechnica.com/security/202...
January 29, 2026 at 8:49 PM
Reposted by Allan
With Trump admin scrapping requirement for software vendors to attest to their products' security, agencies must now decide how (or even whether) to require those assurances. My new story looks at what that could mean for software security in govt & beyond: www.cybersecuritydive.com/news/white-h...
January 28, 2026 at 10:20 PM
Reposted by Allan
People of DC: This is a great, frequently updated, zoomable map of where the snow plows are, and how recently they've been on any given street.

Based on our experience, it's accurate. We saw a truck, and then the map status of our street changed. Check it out

citizeninsights.geotab.com#/dcsnowgov
Citizen Insights
January 26, 2026 at 4:26 PM
A gorgeous 2 mile walk across DC and the National Mall to make it to Day 2 of @districtcon.bsky.social and the entertaining keynote by Daniel Ridge.

Feels pretty special… “hackers now a-bed Shall think themselves accursed they were not here,”
January 25, 2026 at 3:25 PM
If anyone is making the hard choice not to attend @districtcon.bsky.social because of the weather, I will happily buy your badge.
January 23, 2026 at 7:14 PM
Reposted by Allan
"Prompt Engineering" is starting to feel a lot like just... engineering.

It’s less about finding magic words and more about managing state, memory, and flow control.

We’re back to building state machines, just with fuzzier logic.
January 21, 2026 at 8:59 PM
Good summary of yesterday’s hearing on Cyber Offense and Deterrence. Testimony seemed good and hit important points, but it’s still not clear to me what “public private partnerships” look like for offensive-oriented deterrence.

industrialcyber.co/critical-inf...
House subcommittee hearing examines offensive cyber operations, limits of cyber deterrence - Industrial Cyber
U.S. House subcommittee hearing examines offensive cyber operations and the limits of cyber deterrence in national security strategy.
January 14, 2026 at 12:48 PM
Non-deterministic additions to amateur-drafted contracts seem like a bad idea…
fuck all the way off
January 13, 2026 at 8:57 PM
Reposted by Allan
look upon my works, ye mighty, and let me know what you think
January 12, 2026 at 7:37 PM
Spending a Sunday defrosting a freezer and replacing the door gasket. Also discovering some fun things tucked away in the depths: really good butter, duck quarters, bags of pitted tart cherries.
January 11, 2026 at 6:07 PM
Reposted by Allan
The first two hours this morning
January 5, 2026 at 11:21 AM
When you’ve stayed up later than your bed time to celebrate properly with good people. Happy New Year, friends.
January 1, 2026 at 6:29 AM
Reposted by Allan
At the gpg.fail talk and omg #39c3

You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.

Won’t even blame PGP here. C is unsafe at any speed.

gpg has not fixed it yet.
December 27, 2025 at 4:31 PM
Reposted by Allan
Holy shit, I didn't think I could love Brandi Carlile more, but this is -amazing-.

youtu.be/VnstFOTGJgc?...
Brandi Carlile - Fairytale of New York (Holiday Livestream 2025)
YouTube video by Brandi Carlile
December 24, 2025 at 3:30 AM
Reposted by Allan
The world needs more songs about how the lead-up to Christmas is just kind of chaotic.
Dropkick Murphys - "The Season's Upon Us" (Video)
YouTube video by Dropkick Murphys
December 23, 2025 at 3:36 PM
They say “It's better to stay silent and let people think you're a fool than to speak and prove you are one,” but I’m an empiricist…
December 23, 2025 at 2:50 AM
Reposted by Allan
It’s the “season of love and giving”…but this year, doesn’t it seem more like a “season of fear and taking”? Like many of you, I’ve been saddened by the human impact of draconian government budget cuts and how angry many housed Americans are at unhoused Americans.

🧵 1 of 9
December 21, 2025 at 2:51 AM
How many sleeps until Christmas is very much a function of how ambitious your nap agenda is.
December 20, 2025 at 9:03 PM
Tour de Tacos Twenty-five is commencing.
December 20, 2025 at 6:12 PM
Reposted by Allan
this is a good reminder of how things that are shitty but have been accepted as normal and inevitable can actually turn out to be abnormal and evitable with some science, time, education and political will
December 19, 2025 at 8:44 PM
Why am I spending time trying to drive more transparency into the semiconductor and manufacturing supply chain? Because inventory is Step Zero in dealing with risk. We need HBOM now.

"The discovery highlights the fragility of “black box” components in automotive supply chains."
December 17, 2025 at 5:44 PM
It’s almost impressive that we still have to explain this.

Yes, OSS is a critical part of supply chains, but the responsibility is on the downstream user to understand the risks. Want more? Join the project and/or directly support it.
People releasing open source software DO NOT OWE YOU ANYTHING. They do not owe you their time nor their explanations, and they CERTAINLY do not owe you a window into the most intimate details of their life. This goes for projects with zero downloads or millions.
December 17, 2025 at 5:37 PM
Reposted by Allan
you, uh, do not crowdsource investigate a potential security incident in public. least of all when it pertains to people's offline identities and real-world locations.

this could have been handled with a private group of maintainers, but was not.
December 16, 2025 at 11:11 PM
Reposted by Allan
speaking of reminders: I think open source authors should have the absolute right to withdraw their work and personal information from circulation, and no argument about "supply chain security" overrides this bsky.app/profile/stev...
December 16, 2025 at 9:01 PM