Daniel Miessler's Blog, page 100

April 27, 2018

Thoughts on Podcast vs. Newsletter Content

I spent lots of time on typography, so you should read this article in its original form at Thoughts on Podcast vs. Newsletter Content




I’m thinking of stopping my regular podcast and only doing my weekly update in Newsletter form. There are a number of reasons.




Far more people consume the newsletter.
The podcast is actually just the newsletter content (sometimes with some opinion added).
The newsletter is hard enough to get out, let alone having enough energy on Sunday to record with some enthusiasm.
There has been an explosion of podcasts, and it’s hard for people to listen to more than two or three.
I really don’t like missing podcast weeks, which inevitably happens sometimes.
I’d much rather be consistent with the newsletter than inconsistent with both.
I can still do the podcast, but I’ll reserve it for my Idea Series of Unsupervised Learning, where I perform my essays, explore ideas, and have conversations with interesting people.


In short, I’m thinking of keeping the weekly update content in the newsletter, and putting my analysis and ideas in the podcast, my Unsupervised Learning Idea Series that already exists there.



It’s the same podcast feed as the regular one, but they’re special episodes, e.g.:




The Biggest Advantage in Machine Learning Will Come via Coverage vs. Analysis
It’s Wrong to Fearmonger on Security
The Difference Between Violence and Terrorism


These are true opinion pieces that actually highlight what people seem to like most about most podcasts—the unique voice and perspective.



I actually plan on doing the regular podcast again as well once the voice copying AI is good enough that I can just have my own (fake) voice read my newsletter as the podcast episode. That’ll be insane.



So I guess my question is what you think about that?



I asked on Twitter and most people consume the newsletter because they can do it at work, it doesn’t require direct attention, you can open links for later, etc., but a few people like the podcast as well.



I wish I could do both, but I just can’t right now—at least until my AI helper can assist.




I spend between 5 and 20 hours on this content every week, and if you're a generous type who can afford fancy coffee, please consider becoming a member for just $5/month…


Start Membership


Thank you,


Daniel

Published on April 27, 2018 17:13

April 25, 2018

If You’re Not Doing Continuous Asset Management You’re Not Doing Security




The more a company can tell me about their assets the better their security is, and the more comprehensive and realtime the inventory is, the more mature they are. This has been true for me over 15 years of consulting across hundreds of organizations.



But just try—either as an internal employee or as a consultant—to get a dedicated resource hired to create an asset management system and keep it updated. Most companies will look at you like you asked for the walls to be repainted in invisible paint. The look on their faces will basically say:




Look, I don’t know where you came from, but around here we don’t have money to throw at silly administrative tasks.




That’s what that look means, and it’s ridiculous given what we do spend money on.



Companies pay hundreds of thousands a year to keep snacks in the break rooms. They pay to send people to training and conferences that usually have very few tangible benefits. And we dump millions into marketing campaigns that we can’t tie to sales results.



But pay 100K a year to have a list of what we’re actually defending? Nope. Too expensive. Wasteful, really.



Asset management is arguably the most important component of a security program, but I know of virtually zero companies that have a single person dedicated to it.



People keep asking the wrong questions about breaches. Stop asking if they were compliant with Alphabet123 regulation. Or BSIMM. Or whether their security team had CISSPs. It’s irrelevant.





Instead, let’s start asking which of these companies had a list of assets that was more than 60% comprehensive and had been updated within 30 days. My guess would be that over 99% of companies who’ve suffered a major incident or breach in the last five years did not have such a list of their systems, their data, and their vendors.



I’d love to hear from anyone in the industry who thinks otherwise.



For most companies, the single best thing they could do for their security program is to hire a dedicated person to maintain a near-realtime list of company assets.



And while we’re poking bears, let’s ask another question: what value is being compliant with an information security regulation if you can pass while having zero idea whatsoever where your data is and what systems you have? How is that even possible?



It’s like an auto manufacturer passing a crash safety test without providing a car.



Forget everything you know about information security. Dump it in the toilet. All the regulations. All the scanning tools. All the vulnerability management. All the auditing. Let’s call those the nice-to-haves.



The measure of a security team is what they say when you ask them:




What’s currently facing the internet?
How many total systems do you have?
Where is your data?
How many vendors do you have?
Which vendors have what kind of your data?


If they look at you like you just claimed to be a poached egg, they are not doing real security.



This doesn’t mean they don’t know security, or that they don’t have a solid security team—but if they don’t know what they’re defending they’re little more than an expensive and broken machine that burns the business’s money.



They’re the teacher who doesn’t have a student count on a dangerous field trip. They’re the deployed commander who lost his units. They’re the parent who has no idea what their kids are doing.



I’m not claiming that this is easy, or that I’ve always done it perfectly in the past. I’m as guilty as anyone of not taking this seriously enough.



They are—in a word—lost. And failure is imminent.



If we want to make a real difference in security, let’s get the entire industry to use a single metric: the accuracy and freshness of the Asset & Data Inventory. And perhaps we use something like this.




A: 90% accuracy, or 1 week old
B: 80% accuracy, or 1 month old
C: 70% accuracy, or 2 months old
D: 60% accuracy, or 3 months old
F: 50% (or less) accuracy, or 1 year old
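
One way to compute this grade from real data, as an added example that is not from the original post. It assumes accuracy means the share of all known assets (inventory plus discovery feeds) on which the inventory and discovery agree, reads each band as requiring both its accuracy and its age limit, and treats anything that misses the D band as an F; the hostnames, feed names and function names are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Grade bands from the post: (grade, minimum accuracy, maximum age in days).
# Assumption: months are counted as 30 days and a band needs BOTH limits met.
GRADE_BANDS = [("A", 0.90, 7), ("B", 0.80, 30), ("C", 0.70, 60), ("D", 0.60, 90)]


@dataclass
class InventoryScore:
    accuracy: float   # share of all known assets the inventory gets right
    age_days: int     # days since the inventory was last updated
    grade: str
    missing: set      # seen by discovery, absent from the inventory
    stale: set        # listed in the inventory, seen by no discovery feed


def normalize(name):
    """Fold case, whitespace and the trailing DNS dot so feeds compare cleanly."""
    return name.strip().lower().rstrip(".")


def score_inventory(inventory, sources, last_updated, today):
    """Reconcile the inventory against discovery feeds and grade the result."""
    listed = {normalize(n) for n in inventory}
    observed = {normalize(n) for feed in sources.values() for n in feed}
    known = listed | observed
    # Assumption: accuracy = assets both listed and observed / all known assets,
    # so unknown assets and dead entries both lower the score.
    accuracy = len(listed & observed) / len(known) if known else 0.0
    age_days = (today - last_updated).days
    grade = "F"  # assumption: anything that misses the D band is an F
    for letter, min_accuracy, max_age in GRADE_BANDS:
        if accuracy >= min_accuracy and age_days <= max_age:
            grade = letter
            break
    return InventoryScore(accuracy, age_days, grade,
                          observed - listed, listed - observed)


# Constructed sample data: a 9-entry inventory and three discovery feeds.
SAMPLE_INVENTORY = [
    "www.example.com", "api.example.com", "mail.example.com",
    "vpn.example.com", "db01.example.com", "db02.example.com",
    "files.example.com", "build.example.com", "old-ftp.example.com",
]
SAMPLE_SOURCES = {
    "dns_zone_export": ["WWW.example.com.", "api.example.com.",
                        "mail.example.com.", "vpn.example.com."],
    "cloud_api": ["db01.example.com", "db02.example.com", "files.example.com",
                  "build.example.com", "dev-jenkins.example.com"],
    "external_scan": ["www.example.com", "vpn.example.com",
                      "Dev-Jenkins.example.com"],
}

if __name__ == "__main__":
    score = score_inventory(SAMPLE_INVENTORY, SAMPLE_SOURCES,
                            last_updated=date(2018, 3, 20),
                            today=date(2018, 4, 25))
    print(f"accuracy={score.accuracy:.0%} age={score.age_days}d grade={score.grade}")
    print("not in inventory:", sorted(score.missing))
    print("no longer observed:", sorted(score.stale))
```

With the constructed data the inventory is 80% accurate but 36 days old, so under these assumptions it grades C rather than B; the `missing` and `stale` sets are the work list for whoever owns the inventory.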


Now put in every security leader’s deck that the goal is to get to 95% accuracy with daily/weekly updates within 6 months. And the cost is simply hiring 1-3 people who are dedicated to this task.



That would reduce breaches, and it would cost infinitely less than the dumpster fire of products we constantly purchase and deploy for millions of dollars a year.



If you’re not willing to pay one or more people to do asset management full-time, you’re not going to fail, you already are failing.



If you agree with this, and have been witness to this open wound for years as I have, please do your absolute best to spread this metric to as many people as will listen.



It is one of the few brightly illuminated paths to getting us out of this mess.



Notes


Of course I’m not really advocating the pausing of other important controls or efforts. But I am saying that this should become the priority for new efforts, and that you likely could pay for it with money being spent ineffectively elsewhere.
If anyone’s interested, I’m looking for data on companies that have been breached and whether or not they were doing asset management. Probably pretty hard to find, but I’m going to try.
I’m struck by the similarity between this challenge and something Jeremiah Grossman said to me recently. He wanted to know if most AppSec companies were fighting to find the one last bug, when everyone already agreed on the other 1,000 or whatever. I think it’s the same with Asset Management and Shadow IT; the latter is definitely a problem, and we wish it didn’t exist, but we’d be in amazing shape if we just handled risk for things that were easily knowable.



Published on April 25, 2018 17:00

April 16, 2018

Announcing the Launch of HELIOS





For a number of years I’ve been waiting to launch a company of mine called HELIOS.




HELIOS actively monitors a company’s external attack surface in near-realtime and notifies you when it finds anything dangerous.






I’m super excited about it, and I think it’s going to help a lot of companies.



Ping me with any questions!



[ HELIOS: Know Your Attack Surface ]




Published on April 16, 2018 09:39

April 12, 2018

Facebook’s Failure is a Reflection of American Ignorance





Facebook didn’t fail anyone. We failed ourselves.



Sure, they could have been a bit more careful with some settings, but it’s not like they accidentally shared data with a third party. The way Cambridge Analytica accessed the data was completely authorized—it was just what they did with the data that was bad.



Facebook’s entire business model is sharing your data with third parties. That’s how they make money.



But we can’t blame Facebook for any of this. Facebook is ultimately no different than books. It’s a medium that propagates ideas created by humans, so it’s up to us to keep those ideas high in quality. And right now they’re garbage because most people can name Kardashians but can’t name the three branches of government.



We did this to ourselves by becoming so goddamn stupid.



Many are inclined to hear that and say, “It’s never good to blame the victim”. Stop. You’re part of the problem. Victims are the young, the elderly, or any groups that cannot speak for and defend themselves. Everyday adults are responsible for their own education, and should know better.



Anyone too stupid to know that free products aren’t free deserves the damage that results from their collision with reality.



If you blindly share—and believe—information that is easy to disprove, then you cannot be saved by regulation. The stupid will seep through the pores of reality and find you, no matter who tries to protect you.



It was obvious that they were sharing data because that’s their entire business model. It was obvious that someone was trolling both sides (and especially the right) in order to get Trump elected. It was obvious that Trump would be a horrible president.



But all these things seemed to surprise us. Because Facebook is bad. Blame Facebook.



An educated population is the only inoculation against what’s happening with Facebook.



Grow up. Just as you can kill someone with a rifle, a knife, or a piece of string, you can also put stupid ideas into the minds of stupid people using a website, a book, or a flyer.



The problem is having a nation of people who don’t read, reject basic science, and get all their information from propaganda tabloids.



Until that changes, expect more of the same. And we deserve it.




Published on April 12, 2018 16:39

April 10, 2018

My Postmortem Summary of The Sam Harris & Ezra Klein Podcast





If you’re a fan of Sam Harris or Ezra Klein you know that they’ve been engaged in a year-long online skirmish that recently culminated in a direct face-off in the format of a podcast.



Listening to the podcast first would be helpful, but not necessary, to appreciate this analysis.



I’ve been waiting to hear this interaction finally play out, and listening to it yesterday was quite surreal for me because it largely followed the same contours as a 3-hour conversation I had with my own sister just two days before.



Here’s my analysis of the interaction. First the background.



Background


The history here is that Sam Harris had a conversation with Charles Murray, who is the radioactive author of The Bell Curve, which made the case for social policy change based on science that says blacks have lower IQs than whites and Asians.
Sam basically brought him on to defend him—not because he agreed with his politics or policy opinions—but because he saw Murray as the victim of what he calls Moral Panic, where people are unable to speak freely about accepted facts without being blacklisted and attacked.
Ezra Klein heard that podcast and took issue with Harris defending Murray. Klein knows Murray, and although he says he’s a really nice guy, he says Murray’s spent a lifetime of work basically saying blacks cannot change their lower IQs (whether the issue is mostly genetic or environmental) and therefore we should change social policy to make it far less liberal. So, remove affirmative action, remove the safety nets, etc.
As a response, Klein wrote a couple of articles on Vox, where he essentially (but not explicitly) calls Murray and Harris racists, and most certainly creates that impression in a large number of his readers. This is true to such a degree that they are now listed as propagators of hate on the Southern Poverty Law Center website.
Sam is super upset about this because he feels maligned, and Ezra feels his actions are justified because he thinks Sam (and Murray) are wrong about the IQ science and Murray’s proposed policies given the history of racism in the United States.


My analysis of the conversation


It’s extremely clear to me that Sam is not a racist and that he’s operating as a liberal who’s trying to improve the world. As I have told him in a couple of email exchanges, I think he makes a major mistake by not repeatedly reminding liberal debate opponents that they are on the same side. Sam alluded to this a few times, but it needs to be far more explicit.


For example, “Ezra, you do understand that we’re both Jewish liberals, right? You do understand that I’ve spent my career trying to increase happiness on this planet, right? You do understand that there are real people trying to harm social equality, and who disagree with both of us on gender equality, abortion, and many other core issues, right?”

This needs to be repeatedly used to reset the conversation when they start treating each other as opponents rather than people on the same side who disagree.




They completely failed to address each other’s core points during the debate.
Sam’s tactical point was that as a supposedly good person wielding tremendous journalistic power as an editor of Vox, Ezra should never paint someone (who he should easily be able to tell is a fellow liberal) as a dangerous racist, which would obviously harm his reputation and his ability to do good in other areas.
Sam’s strategic point was that it’s extremely dangerous to blacklist ideas or people for talking about (or even mentioning) accepted science that makes people uncomfortable, and that we should instead be courageous in the face of such knowledge and relentlessly pursue policies that promote equality for everyone.
Ezra’s tactical point (although he never said this directly) was that, as a privileged white guy, you don’t invite and defend a man on your podcast who has spent a lifetime saying that—whether it’s mostly genetic or environmental—blacks can’t really change their ability to thrive, so we should stop trying to help them as much—and then complain when people think you’re a racist.
Ezra’s strategic point was that we can’t even really trust the science on this, and even if we could you have to think about the history of oppression at every level of society for blacks that continues to this day. In short, we’re nowhere near the point where we can say blacks can’t improve their lot because the system has been, and continues to be, stacked against them.


These were the four points that were being made throughout the conversation, yet neither really spent the time to listen and address them in a way that would defuse the other side.



My biggest takeaway from the engagement was the feeling of sadness that two liberals who agree on 95% of social issues could have such a negative and non-productive conversation despite their deep similarities and superb communication skills.



Sam remained defensive and upset that he was being unfairly maligned, which I absolutely agree with. And he failed to hear and concede any of Ezra’s points. And Ezra stuck to the point of Murray’s work being quite destructive in his view (which he thinks Sam is blind to), which made him characterize Sam’s entire conversation with Murray as blind at best and insensitive to alternative life experiences at worst.



In my conversation with my sister a couple of days before, she made the exact same point to me that Ezra was making to Sam. She asked me how many of the hundreds of books I’ve read in the last several years have been by black authors, etc. Like Ezra, she was hitting the isolation / blindspot / perspective point.



What I learned from the conversation


I think both Sam (and I) need to adjust our understanding of how we’re heard when speaking about this topic with people who are sensitive to the history of oppression. While we are also sensitive to that same history, we should not ever try to fully distance data from reality on the ground, or make these really clean distinctions between the science and the policies—because they really are quite intertwined. I personally see this conversation, and the one with my sister, as an indicator that I should try to do better to mix these two things a bit more, rather than separate them, and to expand my exposure to people who experience them as the same.
I continue to feel 100% confident in Sam Harris’s morality on the race issue, and on his good faith attempt to have a conversation with Ezra. For Ezra my analysis is not as positive because I still cannot square why he wouldn’t explicitly state that Sam is clearly not a racist, is trying to do the right thing, but is someone who Ezra thinks has a blindspot or has made a mistake by having Murray on the show. That would have been respectable and understandable. But instead he chose to basically label him a racist in front of the entire world while taking no responsibility for it whatsoever. He could have easily made the criticism while avoiding the charges of racism, but he didn’t, and it’s hard for me to attribute that behavior to a good faith actor.


I’m troubled that so little positive came from it all.



Overall I think the entire thing hurt Sam the most. More than Ezra, definitely, and even more than Murray. Ultimately, when you wipe poo off yourself with your bare hands, you just get more poo on you.



Murray was already tagged as a racist by most of the left, so he experienced no change there. Sam on the other hand is a liberal intellectual, and benefits from interactions with other liberal intellectuals. So he’ll suffer to the extent that his ability to do so has been diminished.



But I do think Sam can repair much of the damage, over time, via a clean summary and narrative that strips away the noise.



My advice to Sam is to make his own version of the following:



It really has to be a summary like this because people aren’t patient enough to listen to hours of content.




I, Sam Harris, am a liberal intellectual with the single career focus of maximizing happiness on planet Earth for as many people as possible, with special emphasis on helping those who need it the most.
Much of that work is focused on combating bad and dangerous ideas.
One of those dangerous ideas is the notion that we should attack knowledge and science that makes people uncomfortable, because I believe the truth is always better than lies in the long-term.
An example of this is the idea of group differences across various races. It’s foolish to believe that East Africans and the Inuit people from Northern Alaska have the same ability to run marathons, and we shouldn’t tie anyone’s overall worth to such differences.
If good-hearted liberals blacklist the truth of group differences from public conversation, this truth (and many falsehoods that sound similar to it) will be used by bigots and racists to do great harm.
We must have the courage to look science and truth squarely in the face, accept what it offers us, and push ahead with liberal policies that enable equality for everyone, regardless of who they are or what they look like.
In the past people used science to justify discrimination, and it is our fear that if liberals don’t acknowledge the science of group differences whenever they inevitably surface, we will not be able to put them in their proper (and rather meaningless) context.
I.Q. and sprinting ability don’t make someone a great person, and many people with less of those than you or I have been far better people than you and I. Don’t confuse human metrics for human greatness.


I hope reading this summary helps someone process this as much as it’s helped me to write it.




Published on April 10, 2018 04:47

April 9, 2018

Unsupervised Learning: No. 120



This week’s episode of Unsupervised Learning is now available. Subscribe below and get this episode’s podcast and newsletter.






This week’s topics: It’s 2 billion users now, Linux beep, Digital Shadows finds fail files, cloud misconfiguration, AlterEgo, AI applications, Alexa sending payments, Tech, Ideas, Recommendation, Aphorism, and more…




Listen to this week’s Podcast



Become a Member to Get This Week’s Newsletter




Published on April 09, 2018 10:22

April 7, 2018

Online Education May Be Poised to Replace Dying Universities




Higher education is in the middle of an elaborate suicide ritual. Its implements are:




skyrocketing costs to students
financial failure
outdated content (often by decades)
an academic infrastructure that seeks tenure rather than excellence
an extreme-left attack on freedom of speech


These are all combining to put traditional universities at risk.



It’s impossible to predict the future, but the way I see this going is like so:




Many public universities will get purchased by the Chinese and will get turned into what equate to trade schools for hard-working Asian students in high-demand fields, e.g., data science.
A number of them will go private, since the rich (see highly educated parents) are the only people who can afford to send their kids to school.
A massive percentage of the universities will just shut down.


What will replace universities for regular folks will be online education that focuses on fresher content with far less administrative bloat. Once the old system topples over due to being top-heavy, it will free up a massive amount of resources that were trapped within the system. Most notably—professors.



Right now the universities still have most of the professors, but those jobs are largely peaked out and limited. In the online world educators will have the chance to become actual influencers, with a brand around their personal teaching style. They’ll have YouTube content, specific styles of teaching certain content, etc., and they’ll be sought after by these new educational institutions.



There will be some downsides. It’s hard to replace being in a specific location to learn. And the time spent in college is incomparable in many ways as a pure life experience. But the new institutions might emulate this by renting out or building other spaces. Perhaps even buying or renting the old universities.



University politics are supposedly only slightly less ugly than church politics, with both being so repulsive precisely because they shouldn’t exist at all.



The key element, however, will be the destruction of the old guard. Tenure, rank, bitter wars between professors regarding respect and status, the teaching of old content, the focus on theory vs. practice, etc. All these things will be rigorously attacked by a new mindset that focuses on the personality of the teacher, the freshness of the content, and most importantly—the measurable benefits that one receives by attending that course or set of courses.



I think groups will set up custom degrees that have a particular mixture of liberal arts, creativity, business, philosophy, combined with STEM skills. They’ll be like prix fixe menus at restaurants, and hiring organizations will have preferences for those with certificates from one program or another.



It’ll be more like a collection of badges from great sets of content, from great teachers, than a universal badge from an old university.



So instead of getting a degree from the University of Wyoming, you’ll have certificates from:




Modern History, by Christopher Hitchens
Dialectic Engagement, By Sam Harris
Economics and Philosophy, by Benedict Evans
Decisions in Randomness, by Nassim Taleb
Creative Voice, by Natasha Brandish
The Great Wars, by Dan Carlin


These will be the best courses out there, on the best topics, and employers will want people who understand this material.



The old system seems ready to fall. I can’t wait to see if something like this comes after it.




Published on April 07, 2018 02:12

April 4, 2018

The Definition of Security is “Without Worry”





A lot of people in Information Security think security means “stopping bad things from happening”. It’s understandable, given that we’ve been practicing it that way for decades now.



Basically, security has been synonymous with prevention for as long as most can remember, and that’s the way the entire industry is configured and oriented.





But there’s another, far deeper and more meaningful definition of the word that’s visible in the word itself.



Without. Worry.



The original Latin definition basically had security as a desired state of mind as opposed to a set of preventative measures, and we should get back to that.



I love the idea of pursuing the lack of worry for both business and society because it provides us options in a world where prevention isn’t always an option.




How do you prevent pipe bombs in malls when there are 350 million people in an open society?
How do you prevent code execution in a world where processors run anything by default and software companies are not punished for insecure code?
How do you prevent service disruption in an Internet of Things when there are billions of devices publicly accessible from anywhere?


Note the alluring application of alliteration.



You don’t. The only approach is to abandon the pure play of prevention, and move to a more mature model of resilience. Resilience is powerful precisely because it gets us to the true definition of security—being ok no matter what.



This is what we should be seeking for our businesses, and for society. So instead of saying:




Don’t worry everyone! I’m a security wizard! I know the techniques that are being used to attack our business, and I will use that knowledge to keep it from happening in the future! (alchemy and deceit)




…we instead say:




The internet is crazy, and we cannot possibly prevent everything. But what we have done is account for as many negative scenarios as possible, and we’re currently at a state where most scenarios that would destroy other businesses will not affect us. We have failovers, backups, restore procedures, alternate services, etc., and you can safely carry on. Do. Not. Worry. (transparency and truth)




That is the future of InfoSec, and the future of security in general.



Don’t tell me you’ve modeled and figured out how to stop every bad thing that can happen. Tell me instead that you’ve got us to a point that most things could fail and we’d still be ok.



Let’s start using this new definition as soon as possible, and encouraging others to use it as well.



Notes


Wikipedia’s etymology of Security. Link




Published on April 04, 2018 12:28

April 2, 2018

Unsupervised Learning: No. 119



This week’s episode of Unsupervised Learning is now available. Subscribe below and get this episode’s podcast and newsletter.






This week’s topics: Atlanta disabled, MyFitnessPal hacked, Cambridge Analytica election tampering, Drupal, Saks, DARPA drones, Cloudflare 1.1.1.1, Slack bosses, Democratic Chinese AIs, Georgia facepalm, tech, humans, ideas, and more…




Listen to this week’s Podcast



Read this week’s Newsletter




Published on April 02, 2018 01:23

March 31, 2018

Why I Switched from Patreon to Memberful





Like many people I’ve been soured on ads and sponsors for my podcast and newsletter: Unsupervised Learning.



If you have a decent following it’s actually possible to make a significant living off of both sponsors and ads—and especially sponsors. At one point I was getting a couple thousand a month from just a couple of sponsors, and I was just experimenting. Implementing a basic ad network with a tiny, rotating text-only ad was getting me around $500 a month when I was doing that.



But it just started to feel gross.



I didn’t like what it did to my site’s appearance, and I didn’t like the feeling of selling something (I never have). Ironically, it also kept me from being able to mention products that I liked because, since I was ACTUALLY selling other products, it would seem as if I must have some relationship with those brands as well. I never did.



I stopped supporting NPR when they started having tons of commercials from all the usual corporate suspects.



It was Sam Harris who finally convinced me to migrate to the subscriber-based model. At the beginning of all his podcasts, he’d stress that the show is ad-free and that the only support for the show comes from listeners. It reminded me a lot of NPR, which I have also subscribed to in the past.



I am also a serious believer in the role of individual influencers in the future of entertainment, media, and business, and am even involved in a gaming startup that supports this vision called Opera Event.





My first move when switching from ads/sponsors to member support was to go with Patreon. Their service deserves credit for being very early in the “direct” support model (more on this later), and it does work fairly well.



My problem with Patreon is that it’s not really a direct connection between the supporter and the content creator.



Patreon simply isn’t direct enough. It has too much going on in the middle. It has its own business model, its own values, its own culture, and its own rules. And these rules have caused them to start shutting down content creators that they don’t agree with.



So it’s not really a connection between you as a content creator and your followers—it’s more like their own thing that happens to live on the connection between you two.



It feels parasitic.



So that’s about when I came across Ben Thompson’s Stratechery, which is another fantastic offering by the way, and noticed that he was using Memberful.





Here are the things that brought me over to Memberful:




It’s truly lightweight and creator-focused in the sense that it’s YOU connecting with your fans, not Memberful. It stays out of the way, just facilitating rather than marketing its own thing.
It’s backed by Stripe, which is an industry leader in secure payment infrastructure.
It’s super slick in how it handles subscription links (via Stripe popups).
It’s easy to make multiple different subscription types and levels, and to have unique URLs for each of them.
Member management is quite elegant, both for the creator and for the subscriber.
The whole system integrates into WordPress cleanly, meaning that you can have member-only content for subscribers and you don’t have to do much more than tick the box for who should be able to see the content.


Every creator should do this in my opinion. My support page, for example, lives at danielmiessler.com/support, not with Memberful.



Another important thing for me is having the payment structure live at your actual domain instead of at the domain of the provider. This stays in the spirit of the creator’s domain being the single source of truth for their entire online presence.



Basically, if supporters start the process of supporting you by going to a domain other than yours, there is an incentive misalignment problem.



So I switched, and I’ve been very happy with the decision.



Patreon isn’t horrible, and they deserve respect for being early to this movement. But if you’re not happy with them for any of the reasons I mentioned—or other reasons—you should give Memberful a look.



If I had to summarize as a piece of advice, it would be this:



Ensure that your support infrastructure lives on your own domain—ideally at domain.tld/support—and that the solution you use for taking payment and managing memberships stays mostly invisible.



I hope this helps someone dodge a few of the early landmines involved in moving to a subscriber support model.




Published on March 31, 2018 20:18
