And the champions just received their solid silver medals for solving the series.

I wrote a book called Women In Tech that came out in 2016 which has become one of the top books on Amazon in their Career Guides lists, floating between top 10 and top 100 much of the time and is the #1 bestseller right now.

Let’s look back to the middle of 2015. I’d just run the biggest anthology Kickstarter of all time according to the project manager there who’d reached out to me as the site featured it as the Project Of The Day. The level of hatred and anger I’d seen directed at me — and the women I’d asked to contribute vignettes to the book — was at an all-time high. My first marriage had started to suffer. All I heard from the Internet was how much the right wing hated me for helping women who didn’t deserve to be in tech or making “a man’s salary”, and the left wing hated me for giving practical advice like “don’t wear a skirt to a sysadmin interview” instead of burning down the system. Conspiracy theorists thought I’d had it ghostwritten (trust me, you can’t pay a ghostwriter to pun as badly as I did while suffering through that first draft), and my job, my home, my cats, and my life were endlessly threatened. …

When you have little to no budget, how do you start spending on information security in a startup to protect customer data and operations? I was asked to comment on this via email by Zack Whittaker for a story he was doing on TechCrunch, and in responding, I found myself getting writer-mad, so I knew I had something to say. Here’s his original article (it’s paywalled as an Extra Crunchy article).

And here are my original thoughts, slightly edited to remove unnecessary emoji and “I know, right???”s from the text.


This is a fascinating question, and in fact, my good friend and longtime collaborator Liz Dahlstrom and I did a talk on this at SOURCE Seattle 2013 on “Implementing Security In A Pre-Investment Startup.” …

(originally posted with thanks to Lesley “Hacks4Pancakes” Carhart)

Here’s why I know about this

My tech journey started in academia, where I spent my time writing math in Java. As I transitioned more and more to tech, I ended up as the de facto PKI manager for several projects. I handled certificate management while I was at Microsoft Game Studios working on Lips for Xbox and Halo for Xbox, and debugged the cert management process internally for two teams I worked on. On my own projects and for two startups, I used a 2009 Thawte initiative that provided certificates free to open source projects, and then rolled my own local CA out of that experience. I managed certs from Entrust for one startup. I handled part of certificate management at Silent Circle, the company founded by Phil Zimmermann and Jon Callas, the creators of PGP. I was Principal Security Advocate at Symantec, and Senior Director of Engineering in Website Security — the certificate authority that owns familiar words like VeriSign, Thawte, GeoTrust, and others. I was one of the Symantec representatives to the CA/B (Certification Authority/Browser) Forum, the international body that hosts fora on standards for certificates, adjudicates reliability/trustworthiness of certificate authorities, and provides a discussion ground for the appropriate issuance and implementation of certificates in browsers. Now, I use LetsEncrypt and Comodo certs for two WordPress servers. I have a varied and colorful, and fortunately broad experience with cert management, and it helped me get a perspective on the field and on good vs. …

Just a few minutes ago, Twitter enabled the option to protect accounts with 2FA (Two-Factor Authentication) without the user having to rely on SMS (Short Message Service, aka texting). Previously, you could choose between signing into your Twitter account with just a password or enabling 2FA with a six-digit SMS code texted to your phone.

It’s common knowledge that while 2FA with SMS is much, much better than using only a password, SMS can be spoofed easily, and an OTP (one-time pad) authentication such as that provided by Google Authenticator, Duo Mobile, or Authy is more secure. …

Tarah Wheeler, hacker, & Sandy Clark, Ph.D., University of Pennsylvania Computer and Information Science

***These are the opinions of Tarah and Sandy, and do not represent the opinions of Symantec or the University of Pennsylvania***


Let’s all calm down when it comes to spreading FUD on the Internet about this morning’s giant CIA leak. This information leak is a revelation of something we all knew: the CIA has 0-days (high-impact, previously undisclosed exploits) and purchases exploits from a number of researchers both in and out of the US in order to surveil individual devices.

What happened

This morning, WikiLeaks released a massive information dump including CIA exploits and rootkits for mobile device hacking among other tools. Information security specialists around the world woke up to a Twitter storm of commentary, most of which was absolute horsefeathers and which spread misinformation to people not trained to understand the impact of this information. WikiLeaks asserted…

Tarah Wheeler

New America Cybersecurity Policy Fellow, Principal Security Advisor at Red Queen Technologies, hacker, speaker, leader, incident response, author Women In Tech
