<!-- You can't know whether I'm exploiting a bias in the crappy JS -->
<!-- RNG to make my name first more often. Hah-hah. -->
document.addEventListener("DOMContentLoaded", function(event) {
  var names = ["Erin Ptacek", "Thomas Ptacek", "Jeremy Rauch"].
    sort(function(x, y) { return 1 - Math.ceil(Math.random() * 100) % 3; });
  for(var i = 0; i < 3; i++) {
    document.getElementById("n_" + i).textContent = names[i];
  }
});
It isn't scientific in the slightest, but I ran the function a hundred million times, and Erin seems to appear first about 60% of the time, in Google Chrome.
Good luck with the company, I hope you can also beat the RNG that makes or breaks a startup :)
Ah, I think I've figured it out (nothing to do with JS's RNG, sadly). It's simpler when you ignore Jeremy (sorry). For this case, we can assume `Math.random()` will output uniformly random numbers. `Array.prototype.sort` works like so:
If the function returns > 0, the first param should be sorted to a higher index than the second.
If the function returns < 0, the first param should be sorted to a lower index than the second.
If the function returns exactly zero, the parameters are left as they are.
So what we've got is a 1/3 chance of Erin 'winning', a 1/3 chance of Thomas 'winning', and a 1/3 chance of a tie, which leaves Erin ahead. So she's got a 2/3 chance of being first.
Additionally (but not in any consequential fashion), generating a random number between 1 and 100 (inclusive) gives you 100 possibilities (duh). With three outcomes:
100 / 3 = 33.333333333333336
The first option has slightly more chance to be picked. If Erin wanted to be fair(er), she'd multiply by 99.
Here's a Python solution showing it's not just JS:
This implicitly assumes that Array.sort is stable: that is, if the comparison function returns 0 then sorting leaves the array elements in their original relative positions. That's not guaranteed by the JavaScript specification, see e.g. https://bugs.chromium.org/p/v8/issues/detail?id=90
It just so happens that in V8, the built-in sort uses an unstable quicksort for large arrays but a stable insertion sort for small ones, so the rest of your analysis is correct.
The output of Math.random also doesn't seem to be very uniform. With the original code, I'm consistently seeing Erin appear first 60% of the time, and Thomas first 30% of the time. Jeremy is left with 10%.
Even after changing the code to multiply by 99 instead of 100, the results don't change very much at all.
The random return used in the comparison passed into an Array.sort() function would depend on the sort algorithm used by the JavaScript engine, since the comparisons being returned aren't "honest". Is it a merge sort, for example? Plus, it's kinda broken because if X > Y for one permutation, it should follow that Y < X if those same values are passed back in, and in this case, they're really not.
MS took advantage of this when selecting a random browser for the browser ballot years ago.
> compareFunction(a, b) must always return the same value when given a specific pair of elements a and b as its two arguments. If inconsistent results are returned then the sort order is undefined.
It doesn't really matter what Math.random() is producing when the sort algorithm is undefined.
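The thread's 2/3 estimate treats the shuffle as a single comparison, while the 60/30/10 split several people measured depends on which sort the engine actually runs. Below is an added example (mine, not code from the thread or from the site the snippet was lifted from) that makes the second point concrete: it models the page's comparator exactly and pushes it through the plain insertion sort the thread says V8 used for short arrays. It assumes that sort shifts `a[j]` right while the comparator returns > 0 and stops on 0 or a negative value, and that each comparator call is independent. The helpers `makeComparator`, `positiveProbability`, `firstPositionDistribution` and `simulate` are my names. The model is general in the multiplier, so it also answers the "multiply by 99 instead" suggestion: with ×100 the comparator is positive 33% of the time and the exact first-place odds come out to about 59.7% / 29.4% / 10.9% (Erin / Thomas / Jeremy), with ×99 to 16/27, 8/27 and 1/9. Both match the observed 60/30/10 without any assumption that `Math.random` is non-uniform; the small-array insertion sort alone produces the skew. The `simulate` function runs the real `Array.prototype.sort` of whatever engine you execute this in, and since modern engines use a different algorithm (V8 moved to TimSort), its numbers may legitimately differ from the exact model.

```javascript
// Added example: exact analysis of the name-shuffling comparator under a linear insertion sort.
// Not code from the thread or the site; the insertion-sort model is an assumption (see lead-in).
const NAMES = ["Erin Ptacek", "Thomas Ptacek", "Jeremy Rauch"];

// The page's comparator, parameterised by the multiplier (100 on the site, 99 as proposed).
// It ignores its arguments entirely, which is why the sort order is undefined per the spec.
function makeComparator(scale, random = Math.random) {
  return function () { return 1 - Math.ceil(random() * scale) % 3; };
}

// With a uniform random() in [0, 1), ceil(random() * scale) is 1..scale, and the comparator
// is positive exactly when that value is divisible by 3: 33 of 100 (0.33), 33 of 99 (1/3).
function positiveProbability(scale) {
  let hits = 0;
  for (let k = 1; k <= scale; k++) if (k % 3 === 0) hits++;
  return hits / scale;
}

// Exact distribution of which name lands at index 0 when a linear insertion sort
// (a[j] shifts right while comparator(a[j], element) > 0) is driven by a comparator whose
// calls are independent and return > 0 with probability pPositive. A tie (0) and a negative
// result both stop the scan, so they share one branch; that is what keeps Erin ahead.
function firstPositionDistribution(names, pPositive) {
  const result = {};
  for (const n of names) result[n] = 0;

  function nextElement(a, i, prob) {
    if (i === a.length) { result[a[0]] += prob; return; }
    const element = a[i];
    // place(j): a[j+1..i-1] have already shifted past element; now decide about a[j].
    function place(j, p) {
      if (j >= 0) place(j - 1, p * pPositive);            // comparator > 0: keep shifting
      const stopProb = j >= 0 ? p * (1 - pPositive) : p;  // comparator <= 0, or front reached
      const b = a.slice();
      for (let k = i; k > j + 1; k--) b[k] = b[k - 1];    // shift a[j+1..i-1] right by one
      b[j + 1] = element;
      nextElement(b, i + 1, stopProb);
    }
    place(i - 1, prob);
  }
  nextElement(names.slice(), 1, 1);
  return result;
}

// Empirical check using whatever Array.prototype.sort the running engine provides.
// Returns the fraction of trials in which each name came first.
function simulate(trials, scale = 100, random = Math.random) {
  const counts = {};
  for (const n of NAMES) counts[n] = 0;
  const cmp = makeComparator(scale, random);
  for (let t = 0; t < trials; t++) counts[NAMES.slice().sort(cmp)[0]] += 1;
  for (const n of NAMES) counts[n] /= trials;
  return counts;
}

console.log("exact model, x100:", firstPositionDistribution(NAMES, positiveProbability(100)));
console.log("exact model, x99: ", firstPositionDistribution(NAMES, positiveProbability(99)));
console.log("this engine's sort, 20000 trials:", simulate(20000));
```

Run it with `node` and compare the last line against the first two: an engine whose short-array sort is a linear insertion sort reproduces the exact figures, and a different algorithm gives a different (but still biased) split, which is the thread's point that the outcome is a property of the sort, not of the RNG.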
This is great. Someone needed to do one of these. I dabbled in this market with my little one-person shop because it seemed so critically underserved, but my constraints were a bit different.
Some of the challenges I faced in trying to help startups: I needed to be paid in real money, which is tough for a startup. I didn't market myself at all (not even a webpage), which is just neglectful. And finally, surprisingly: frankly I found startups to have the worst legal advice and contracts. All of them went to their lawyers and came back with contracts that looked like employment agreements and frankly included worse terms than most employment agreements. I had my own agreement, but it didn't help much. I had a surprising number of deals fall through because of this. Part of it is I clearly allowed incorrect expectations, and part of it, I think, is that if people haven't heard of you they just assume you'll be unrepresented and are shocked when you don't just sign their standard "we put whatever we thought would be best for our client" contract and instead ask for a version for a lawyer to redline.
So frustrating. And for real, most startups didn't need that much of my time, so it became not worth it.
Instead I had a much better experience with a lot less pain (and frankly more interesting work) working on multibillion dollar public infrastructure contracts (train systems mostly) and focused on those instead. Go figure.
You'd expect startups to do better in this area than larger companies.
Thankfully Thomas is well known on the Internet, which I think will help a lot with startups. And it's a better model than what I was doing.
Anyway! Thanks for doing this! It's a huge unfilled area. Someone needed to and I hope it works well!
That part seems really compelling for some startups. But I'll be curious to see if at the end of the day it turns out to be compelling for you all. (FWIW, the few times I tried that approach people weren't used to it. It probably is far enough away from everything else that it also squarely removes you from the usual "we'll hand you a contract for a contractor" situation too. I am guessing you'll have more luck with it than I did.) You might find pushback from folks who don't want to add another row to their cap table. It seems like it shouldn't be a big deal, but different people have the strangest dealbreakers.
I am also curious: do you plan to value options when you accept those at whatever valuation is current and let other investors determine the rate? Or do you plan to try and determine option valuation yourself? How VC-like do you intend to get here? :)
For the most part, we're really just going to exploit every lever we can find for making our payment structure flexible. I wouldn't say we're hoping to become investors.
We spent a few years working with lots of young startups at Matasano and we had the obvious learning experience: none of them, even the ones with traction, can afford the kind of security work that larger companies get. That's a problem we're hoping to address, at least for a small number of clients.
So you're actually investing in startups, but instead of your money, you invest your time/expertise?
I don't know anything about Matasano, apart from seeing the name on HN frequently, but I was wondering if you already had a successful security consultancy and sold it, why set up another one? I guess this answers that question.
Ha, I guess a management role is the natural progression from technical consulting. I love the idea of a middle ground between "we have things people would want to hack" and "we have a dedicated security team." It's great when you can hire security-conscious developers, but startups generally aren't known for seeking out or emphasizing those skills. AFAIK nobody has adopted "Move carefully and write secure code with minimal technical debt."
A seasoned security team would also be able to effectively avoid snake oil security consultants (no, you really don't need to encrypt the user's password with JavaScript before transmitting it to the server), which are all the more tempting to hire as they're generally cheap (run Nessus, print and deliver report...).
Thanks. But to be clear: we very much want to keep our hands dirty. Part of the attraction of this idea is that it's an opportunity for us to build stuff.
I guess if people are interested and have questions I can try to take a stab at them, but really you'll be having a conversation with three people who have only a faint idea of exactly how this is going to work, since we're still in learning mode. :)
The next thing I'm actually shipping is the first batch of post-Starfighter challenges.
The next thing I'm actually writing is "what happened with Starfighter".
Suppose I ran a small company with a small dev and ops team of 3-4 people, running a Rails app with a MySQL database, typical setup say, Nginx front end proxy to servers running mod_passenger, a separate staging and QA environment. What services would you provide to me if I paid you what I would pay a well qualified security person?
Just asking out of curiosity, I've been dabbling in web/app security for the past couple years and know it's a very broad and deep field. I know about protecting against XSS, CSRF, SQL injection, and the basics of OWASP Top 10, but not sure what you'd be doing and how you would provide me service. Would it be an ongoing contract or a one time or as-needed service?
A decent short answer for this is that we'd work it out the same way you'd work it out in the hiring process for a Director of Security: by discussing your needs and determining what we were able, as "one entity", to do. The website gives a sort of sweeping idea of what things we're capable of tackling.
I should add, though, that I think a lot, maybe even most, startups don't need this, or dedicated security of any kind.
This seems quite useful. Will you help find/place the right first hire for when companies outgrow you?
That's the critical final selling point for me. Great, you've taken security off my plate in a small business. But now I'm disengaged from the security side of things when it comes time to find the first full time security hire.
Yes, we will. We want to be the bridge --- for maybe, I don't know, 9-18 months? --- between "we've reached the point where we think we need a security team" and "we've been doing security long enough as a team that we know what we need for a full-time lead security person".
There's a weird adolescence that happens between those two points where we see people struggling to staff effectively.
We think we can get companies to a point where they've built a solid security program and run it for months before hiring for security --- and that the net result is that you're hiring that role more like how Jason Fried from Basecamp would say you should hire: when you understand the role so well that you know exactly why and how you should hire for it.
MSSPs manage firewalls, watch IDS alerts, and run periodic Nessus scans. They're a way of outsourcing secops teams. We can do those things (we'd recommend against some of them), but the ambit of what we're doing is much broader.
This couldn't have come at a better time for us. You shall be receiving an email on Monday as we're having to negotiate the waters of SOC compliance in order to serve certain customers of ours.
Apart from helping with better code practices, may I know what other areas of expertise one can hire you for? Genuine question. Oh, and all the best, by the way.
I suggested this exact thing on Schneier's blog to keep security from being an afterthought or too expensive. Great to see a group think of and actually do the same thing.
Good team for this. The prior experience will help them iterate more effectively into a model that works. Then others can copy it. Or they might even franchise it.
Every strong engineering team needs someone with real security chops: not just someone who can fix SQLi after it's been pointed out, but someone who gets security at the infrastructure level. Someone who gets the why, not just the how. Not every team has that person, or that person can't devote the time to play that role.
With a few good references and strong VC/Accelerator connections, this boutique consulting business should do fine. The question for me is how much pain is there on the board/founder (the key influencers/buyers of the service) compared to the cost of the services... or the risk of doing nothing.
Most startups don't need a dedicated security person and don't need a service like ours to bridge them to a full-time internal security team. So I think you're right: boards and founders are going to question whether they want something like this.
On the flip side: we have the bandwidth for only a few clients (we're doing a lot of work here), so mutual selectivity is a win. :)
Preamble: a lot of agencies (I'm thinking Postlight) act as "hire us for three months to get the idea off the ground" - they try to take away the headache of not having actually hired a good team yet.
Question: Are you part of a fracturing of this? That people could hire you for security, Postlight for front end, someone else for ecommerce / payments, etc.? I think what I am asking is: is the Postlight model distrusted? Is hiring your style of team easier to fit around a growing team? What is the gap in the market you are seeing?
I am working with a small startup as their "technical advisory board" - clearly not as security minded as here, but the goal is the same, to take a brain dump from me and use it as a framework for the next couple of months of work.
I like this idea, and hopefully it's self-selecting. People who won't listen to good advice won't hire you in the first place!
A qualified pentester can work with, audit, and break code in any language. There are a few that I have not heard of anyone actively pentesting, and they include RPG III and the family of Bliss languages.