rick,
i want to keep this on the record the same way everything else has been.
you published our private correspondence before i could publish part 2 with my analysis alongside it. that's your right.
but let's be clear about what just happened: you took control of the release timeline. the emails are out now on your terms, in your framing, before my analysis could accompany them. that's not transparency but positioning.
i'll be honest about what this looks like from the outside. you released a signed public statement. before i could publish my analysis.
you dumped our private emails. before i could contextualize them.
you're now framing the conversation on twitter. before part 2 is out.
every move has been timed to get your version of events in front of the public before mine can sit alongside it.
that's not the behavior of someone pursuing transparency. that's crisis communications. and i say this without malice! i understand why you're doing it. you're a CEO protecting your company. but let's not dress it up as something it isn't.
let's walk through this.
you say good research doesn't start with a conclusion. i agree. mine started with 53 megabytes of typescript source maps served from a government endpoint. that's not a conclusion, but it is reasonable suspicion.
you invoke responsible disclosure. responsible disclosure is a framework for vulnerabilities in software. this isn't a CVE. this isn't a bug report. this is investigative research into a platform that processes biometric data for federal agencies, files suspicious activity reports with FinCEN, and runs facial recognition against every politically exposed person on earth with a similarity score. the public has a right to know how that infrastructure works. the public's right to know isn't gated behind your PR timeline. that's not a disclosure process. that's journalism.
you say you were never reached out to before publication. you're right, and i've been transparent about that. i also didn't need to contact you. your source maps were publicly accessible on the open internet. i didn't break into anything. i read what you served. 53 megabytes of source maps on a government endpoint isn't a secret i stole. it's a file you published. the files were there; all we did was look.
you cite "we can only assume they don't have access to all of that data. but if you want my two cents, they probably do" as evidence of bias. that line is clearly marked as editorial commentary, not a finding. the findings are the certificate transparency logs, the infrastructure topology, the source code. those are verifiable. anyone can check crt.sh right now, today, independent of anything i've published.
you say you've tried to give credibility to the public's perspective and divulged sensitive non-public information in the spirit of transparency. i acknowledge that and i said so in my emails. i also said publicly that you've been responsive and engaged in good faith. i meant it.
but rick.
rick, i'd like to continue this where we started, over email, in writing, on the record.
twitter is not the venue for this. threads get quote-tweeted out of context, replies get buried, and the conversation fragments into a hundred sidebar arguments that serve neither of us.
i offered you a written exchange that would be published in full so both sides could be read completely and in context. that offer still stands. let's do this properly.
the public can read both sides and decide for themselves. that's the transparency we both claim to want.
part 2 is coming. it will contain our full correspondence, your signed statement, and my analysis. you've now published the raw emails, which means readers can compare your framing to mine. i welcome that. sunlight is the best disinfectant and all that.
you said you admire my work. i appreciate that genuinely. i admire that you responded at all! most CEOs wouldn't. but admiration is not a rebuttal and disappointment is not a counterargument.
i'm still here. and i'm still listening. and i can assure you i am acting out of good faith.
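The two claims the letter calls verifiable, the publicly served source maps and the certificate transparency records, can each be checked with a few lines of code. The block below is an added example, not code from the letter or from either party. The bundle URL, the domain names and the file contents are constructed so it runs offline; a live check would fetch the JS bundle and the crt.sh JSON endpoint instead of using the embedded samples.

```python
"""Two offline verification checks for the kinds of evidence cited above.

1. source-map exposure: find `//# sourceMappingURL=` in a served JS bundle,
   resolve it against the bundle URL, and list the original source paths a
   v3 source map reveals.
2. certificate transparency: build the crt.sh JSON query URL for a domain and
   normalise a crt.sh-shaped response into the set of hostnames it names.

All inputs below are constructed samples, not real data.
"""
import json
import re
from urllib.parse import urlencode, urljoin

# Matches the trailing sourceMappingURL comment webpack/tsc emit (both # and @ forms).
SOURCEMAP_RE = re.compile(r"^//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)

# --- constructed samples (hypothetical host and files) ---------------------
BUNDLE_URL = "https://app.example.com/static/js/main.abc123.js"
BUNDLE_JS = "(function(){console.log('hi')})();\n//# sourceMappingURL=main.abc123.js.map\n"
MAP_TEXT = json.dumps({
    "version": 3,
    "file": "main.abc123.js",
    "sourceRoot": "webpack:///",
    "sources": ["src/app.ts", "src/auth/login.ts"],
    "names": [],
    "mappings": "AAAA",
})
# Shape of crt.sh's `output=json` response: one object per log entry,
# name_value holding newline-separated SAN entries.
CRTSH_JSON = json.dumps([
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA", "common_name": "app.example.com",
     "name_value": "app.example.com\napi.example.com", "id": 1,
     "entry_timestamp": "2024-01-01T00:00:00", "not_before": "2024-01-01T00:00:00",
     "not_after": "2025-01-01T00:00:00", "serial_number": "01"},
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA", "common_name": "api.example.com",
     "name_value": "API.example.com", "id": 2,
     "entry_timestamp": "2024-02-01T00:00:00", "not_before": "2024-02-01T00:00:00",
     "not_after": "2025-02-01T00:00:00", "serial_number": "02"},
])


def find_sourcemap_urls(bundle_url, js_text):
    """Return absolute URLs of every source map a JS bundle points at."""
    return [urljoin(bundle_url, m.group(1)) for m in SOURCEMAP_RE.finditer(js_text)]


def sourcemap_sources(map_text):
    """Return the original source paths a v3 source map exposes.

    sourceRoot is prepended as-is; that is correct when it ends with '/',
    which is what bundlers emit.
    """
    m = json.loads(map_text)
    if m.get("version") != 3:
        raise ValueError("unsupported source map version")
    root = m.get("sourceRoot") or ""
    return [root + s for s in m.get("sources", [])]


def crtsh_query_url(domain):
    """Build the crt.sh JSON query for every certificate naming a subdomain."""
    return "https://crt.sh/?" + urlencode({"q": "%." + domain, "output": "json"})


def crtsh_hostnames(response_text):
    """Flatten a crt.sh JSON response into a sorted, de-duplicated hostname list."""
    names = set()
    for entry in json.loads(response_text):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name:
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    print("source maps:", find_sourcemap_urls(BUNDLE_URL, BUNDLE_JS))
    print("exposed sources:", sourcemap_sources(MAP_TEXT))
    print("ct query:", crtsh_query_url("example.com"))
    print("ct hostnames:", crtsh_hostnames(CRTSH_JSON))
```

For a live check, fetch `BUNDLE_URL`, pass the body to `find_sourcemap_urls`, fetch each returned `.map` and pass it to `sourcemap_sources`; the `sources` list is exactly what a reader of the map sees, which is why serving maps from production is the exposure the letter describes. The CT side needs no cooperation from the site owner: the response from `crtsh_query_url` comes from public logs.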