Lea Kissner
@leak.bsky.social
Security, privacy, respect. Was the Twitter CISO until it was terrible. Now LinkedIn CISO. they/them
A security vendor sent me a pile of paper with many statistics where [citation needed]. For instance.... Why does automating IAM reduce the likelihood of a breach to 5%? From what? And how is that independent from, say, use of passkeys or auto-escaping templates?
January 14, 2026 at 1:19 AM
Progress in my ongoing effort to decorate the wall behind me with something other than stacks of books. 🧵 for the fun stuff

The round thing is the Incident Hat/Bad News hat. I can't remember if I've told this story here, but basically I trained several companies to be scared of a hat instead of me
January 12, 2026 at 4:27 PM
Folks in privacy engineering and related fields, it's PEPR time again -- submit talk proposals about topics related to designing, building, and understanding products and systems which foster privacy and respect. I'm looking forward to seeing your talks!

www.usenix.org/conference/p...
PEPR '26
The 2026 USENIX Conference on Privacy Engineering Practice and Respect (PEPR '26) will take place on June 1–2, 2026. PEPR is focused on designing and building products and systems with privacy and res...
www.usenix.org
January 7, 2026 at 10:58 PM
I know perfectly well there are bilingual people at Google, so what were they thinking by having YouTube automatically translate videos with no way to turn it off? Thank goodness they haven't managed to translate every language yet, so I can coherently watch at least some non-English videos
January 4, 2026 at 4:00 PM
This is one of the nightmares of modern security. We need to know where every single one of those is, what we're trusting it to do and not do, and how to make it stop *immediately*.

And every time someone wants to use a new one we need to figure out whether we can trust it as far as we can throw it
I worked at a 4,000-person event tech company for about five years. At one of the annual team all-hands, our CEO shared a PowerPoint slide that contained every SaaS vendor logo that enabled our daily work.

Uncountable. Hundreds. Names you’ve never seen. A universe of invisible workers.
You have no idea how many Software as a Service products are out there that you don’t think about but would basically shut down wherever you work if they stopped working
January 1, 2026 at 6:35 PM
Bluesky buddies, I now have a 3D printer in my house, a relatively simple little counter design I've had sketched out for several years, and a complete inability to 3D model.

Does anyone know someone who could work with me to get this together? Happy to pay the going rate, whatever that is.
December 26, 2025 at 6:05 PM
Prop 13 has had some wild effects on schools in California. Even back when I was in high school in Palo Alto, which is the well-off and education-focused town where Stanford is, they made the chemistry classes enter competitions so people would send us lab equipment.
I love this quote from Time Magazine published on June 19, 1978 after Prop 13 passed

“Ignoring warnings that schools may not be able to educate, libraries may close and crime rates may climb, the voters”

It’s funny how long timers love to at how things were better 40-50 years ago… because it was!
December 21, 2025 at 3:26 PM
Reposted by Lea Kissner
As a security person, I SO appreciate great bits like this open letter around bad security advice (www.hacklore.org/letter), especially given that it's got reputable people like @leak.bsky.social signed on.

I agree that outdated advice and half-truths are just as bad as giving wrong advice.
The Letter — Stop Hacklore!
www.hacklore.org
December 5, 2025 at 3:52 PM
I considered adding a picture of my study but the piles of books are sprouting piles of books.

And I just ordered some more books.
Twitter accounts are based in Russia. BlueSky accounts are based in homes with, frankly, too many books, plants, obsolete cables, and pieces of rustic pottery, that could do with a bit of a tidying up, to be honest.
November 25, 2025 at 6:35 AM
The comment thread here is the embodiment of :lolsob:

There is legitimate promise to LLM-assisted coding, but there are also legitimate risks. Like this. And no one here is malicious!
One of the many joys of using AI for programming is the creation of huge PRs on complex topics that the authors barely understand, but still suggest "because they work". Here's a great example from #OCaml github.com/ocaml/ocaml/...

Kudos to OCaml's maintainers for handling this so gracefully.
DWARF support for macOS and Linux by joelreymont · Pull Request #14369 · ocaml/ocaml
DWARF v5 Debugging Support for OCaml Native Compiler This PR adds DWARF v5 debug information to the OCaml native compiler, allowing proper source-level debugging in GDB and LLDB. What's Impleme...
github.com
November 24, 2025 at 9:25 PM
Reposted by Lea Kissner
now everyone together quote @leak.bsky.social
November 22, 2025 at 3:38 AM
The "Gear" series on the Articles of Interest podcast has convinced me that if for some reason I was in the armed forces (and I wasn't doing the obvious things for me to do) I would want to be in the quartermaster corps. The complexity in clothing alone 🤯

www.articlesofinterest.co/podcast
EPISODES | Articles Of Interest
www.articlesofinterest.co
November 21, 2025 at 2:40 AM
If my emails ever get leaked, just know that I'm not sub-literate, I'm lazy.
November 13, 2025 at 3:43 AM
A performance plan (PIP) is incredibly hard on everyone involved. The person going through it, the manager, and *the entire team*.

When I'm running one, I deeply want to help the person going through it find whatever's missing so that they do an awesome job and we can keep working together.
1/🧵
November 10, 2025 at 7:25 PM
Up until a few weeks ago, the conversation virtually always went like this:

Them: "why are you wearing a mask?"
Me: "because I don't want to accidentally kill my mom. Plus I hear COVID is no fun."
Them: *vivid story of how terrible COVID is*

It sounds less fun than wearing a mask, y'all 🤷
Sometimes when people ask me why I’m wearing a mask I say I’m traveling or have some important thing soon and can’t afford to get sick and miss it and that’s pretty much always true but I think it would be nice if it were more normalized to just say “I don’t want to get sick” and leave it at that
November 9, 2025 at 4:53 PM
New life goal unlocked
November 9, 2025 at 4:40 PM
I hired a director recently and this was my screening question: can you please explain the difference between public-key and symmetric-key cryptography.

Virtually all the candidates, who universally claimed security engineering expertise of some kind (some cryptography-related), could not. At all.
November 7, 2025 at 4:57 PM
"Betteridge's law of headlines is an adage that states: "Any headline that ends in a question mark can be answered by the word no.""

en.wikipedia.org/wiki/Betteri...
November 6, 2025 at 5:30 PM
"Worked for" is an exaggeration here -- while there may be actual staff in this group, these scam centers are mostly operated by victims of human trafficking.

This is one of the many reasons we need stronger online security across the board: to break the incentives behind this horror.
India is repatriating on Thursday the first batch of hundreds of its nationals who last month fled to Thailand from Myanmar, where most had been working at a notorious center for online scams.
Indians who fled a Myanmar cyberscam center are being flown home from Thailand
India is repatriating the first batch of hundreds of its nationals who last month fled to Thailand from Myanmar, where most had been working at a notorious center for online scams.
bit.ly
November 6, 2025 at 1:33 PM
Would you like to work on LinkedIn? InfoSec is hiring! We have both manager and IC roles -- and more coming.

I'm here because I want to help protect people and not work with jerks. If that's what you like, then I hope you'll join us.

Jobs in 🧵
November 5, 2025 at 11:27 PM
Encryption without key rotation is just sparkling obfuscation
October 23, 2025 at 7:11 PM
Not being a jerk is a shockingly underrated hiring strategy.
look, one reason workplaces started making us all go to HR's "be polite to others" class is because you alienate people when you're a bigoted asshole, and that can lose you both talent and business www.ft.com/content/8e6d...
Sequoia COO quit over Shaun Maguire’s comments about Islamism
Sumaiya Balbale left the venture firm after it decided not to discipline outspoken investor for posts about Zohran Mamdani
www.ft.com
October 22, 2025 at 1:11 PM
Reposted by Lea Kissner
pleasures of the flesh fade, other people however much you love each other will sometimes let you down, the world is filled with sorrows. but from today until the last day of your life, wherever you are if you pay attention there is something new to learn. it's a great comfort.
October 13, 2025 at 6:30 PM
The number of people who don't seem to realize that people in the same field, even in the same team, talk to each other is astonishing.

A security vendor invited me to a dinner with featured guest the "VP of IAM at LinkedIn". There is no such person. I'm so curious who; the vendor wouldn't answer.
This morning's spam from a scammer claiming to be Andy Weir, asking me to send a link to my own work and maybe he'll check it out (aka the opening salvo to sending the scammer money) and I'm all, look pal, I know Andy's read my stuff already, he said so WHEN WE WERE DOING A FUCKING EVENT TOGETHER
September 22, 2025 at 1:36 PM
TIL that setting LESSSECURE makes you more secure
September 15, 2025 at 9:24 PM