Daniel Miessler's Blog, page 64

September 1, 2020

Unsupervised Learning: No. 244




Greetings, you have reached a piece of subscriber-only content…







If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.



Published on September 01, 2020 23:13

August 29, 2020

Unsupervised Learning: No. 243

InfoSec Creator Monetization, Initiating Contact with a Mentor, The Dark Side of Bounty/Creator Life, Facebook Election Threat Scenarios, Uber CISO Arrested, Spy HR Review Goes Bad, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…


















Discovery, Creation, and Ideas…

I spend 5-20 hours a week consuming books, articles, and podcasts about security, technology, and society—and every Monday morning I send a summary of my best finds.







Why InfoSec Creators Should Move to Direct Support Monetization More



How to Initiate Contact With a Mentor More



What They Don’t Tell You About Being a Bounty Hunter or Content Creator More



Algorithmic vs. Faith-based Learning More



SECURITY NEWS



Facebook is threat modeling various scenarios where the current administration attempts to dispute or spread disinformation regarding the 2020 election results. They’ve even discussed a “kill switch” that can turn off all political ads on election day. More



Joe Sullivan, the former CISO of Uber, has been arrested for trying to cover up the 2016 data breach that exposed 57 million drivers’ and customers’ data. Regardless of the details of the case, I like what this sets as a precedent regarding the responsibility to report. More



California’s DMV is selling data to 98,000 different groups, including private investigators, bail bondsmen, and insurance companies. It’s one thing to have a privacy problem for voluntary services like Facebook and Google, but what do you do when the government forces you to surrender your data, which they then use to make a profit? More



The US Army says many North Korean hackers attack from outside North Korea. More



A naturalized US citizen, born in Hong Kong and who worked for the CIA and FBI, was arrested Friday for selling secrets to China. The best part is how he got caught. The FBI impersonated his Chinese spy HR department, basically, and asked him what he had done and what his goals were. He told them everything, including that he wanted “the Motherland to succeed”. More



Soundarya Ramesh and her team have found a way to recreate a key by listening to it open a lock. And all you need is a smartphone recording. More Demo



Alexei Navalny, an outspoken Russian opposition leader, was poisoned on a flight and is now on a ventilator. It’s remarkable to me that everyone knows Putin kills his political opponents using poison. It’s common knowledge and the international community seems uninterested. More 

 

An AI beat a human in an F-16 dogfight again. More



Vulnerabilities: 




Microsoft issued out-of-band fixes for Windows 8.1 and Server 2012 R2. More
A Jenkins Server vulnerability (CVSS 9.4) could result in data disclosure. More


Breaches:




Experian reported a breach that exposed data on around 24 million South Africans and 800,000 businesses. More
240,000 records were stolen from the Utah Gun Exchange, including emails, usernames, and passwords. More


Ransomware:




Jack Daniels says they repelled a ransomware attack, but REvil has posted data they say they took from them. More
The University of Utah paid almost $500K in ransom to get back its student and employee data. More
Konica Minolta was hit in July, but they said it didn’t affect their All Covered MSP. More


Disinformation:




Facebook has removed 790 QAnon groups. More


Companies:




Palantir’s S-1 leaked last week and it reveals some truly strange numbers, including the fact that they’ve been in business for decades yet only have 125 customers. They also lost almost half a billion dollars in 2019, and almost a third of their revenue comes from their top 3 customers. More
Cobalt.io secured a $29 million dollar Series B. Way to go, Caroline Wong and team!
SenseTime is China’s largest facial recognition startup, and it got banned by Trump in 2019. But now it’s thriving (projecting 80% revenue growth in 2020) due to sales to local governments in China for COVID monitoring. More


TECHNOLOGY NEWS



A company called Hour One has raised $5 million to use AI to generate synthetic characters from real humans. They can be programmed to say anything as that person. This is massive. This is basically the creation of people’s digital avatars, and the actual manifestation of Deepfakes that everyone has been waiting for. More Demo



Tesla wants to use radar to detect kids inside hot cars. More



QR Codes are making a serious comeback amid COVID. More



A UC Berkeley student used GPT-3 to generate some blog posts, and one of them got to the front page of Hacker News because people thought it was 1) real, and 2) great. More



Oracle is now one of the companies trying to buy TikTok’s US operations. More



Amazon is adding 3,500 tech and corporate jobs across 6 US cities. More



HUMAN NEWS



Finland showed the results of a 2-year basic income experiment, and unemployed people who received the guaranteed income reported being happier and actually worked more days per year than those who did not. More



Japan’s GDP fell by almost 8% in Q2. More



IDEAS, TRENDS, & ANALYSIS



How China Surveils the World — A brilliant interview-style discussion of how China sees big data and what they’re doing with it. Read this and then remember that they have Equifax data, OPM data, Marriott data, and countless other similar datasets. They’re playing the long game here of deeply knowing targets, even if they won’t actually be targets for decades to come (see TikTok). More



I had a particularly nasty idea for a ransomware tactic: present your findings as a bounty report, where you’re asking for payment for the legitimate issue you’ve discovered. In other words, don’t use any “compromise” language so that the leadership of the company can plausibly deny that anything bad happened. Then, if that doesn’t work, the attacker switches to the normal language of, “We’ve got your stuff. Pay us.” This is such a good idea I can guarantee lots of groups are doing it already.



The TikTok Ban is Overdue More



Thinking of yourself as a separate entity (like inside and outside of work) can reduce anxiety and improve your confidence and determination. More



Blockchain, the Amazing Solution for Almost Nothing More



UPDATES



Here’s the DEFCON video of my talk, Mechanizing the Methodology, including a link to the slides. More



The length of the show has been growing again. Not only have I had many stories lately, but some of the comments have been fairly long-form, i.e., large paragraphs as opposed to 1-3 sentences. I think I’m going to try to adjust that back a little so the show remains easy to get through, and highly curated. Especially in the newsletter form. I mean, it’s already curated from thousands of articles to a few dozen, but I think I can do better. My main thing is I don’t want to feel like I’m giving someone a ton of work when they read the newsletter. Please reply with your preference if you feel strongly about this in either direction.



I really want to create a list of every book I’ve read that gets auto-updated using Amazon Kindle/Goodreads. It looks like this will be the path. I might outsource it just to save time, or I might just do it myself in Python 3 this week. API



DISCOVERY  



There’s a new coffee brewer called the Ratio Eight. I kind of want one, but I already have like 9 ways to make coffee, and it’s like $500. It’s an intelligent Chemex machine, basically. Intriguing. I’m very happy they’re out of stock right now. More



@hakluke posted a great tutorial on OWASP Amass. More



Log and Time Series data are not the same. More



Kapow — Turn a shell command into an API. Cool! Also, yikes. More



Intel Owl — Threat Intelligence on a file, IP, or domain. More



SpaceSiren — A honey token manager and alert system for AWS. More



MITRE Shield — A mapping for ATT&CK to defenses. More



Draw — A collaborative whiteboard. More



A really nice collection of online tools for various tasks. More



RECOMMENDATIONS



I really enjoyed this podcast series by Kevin Roose, called Rabbit Hole. It’s all about the effect of the internet on people. Specifically, how it can pull people in increasingly extreme directions via algorithmic recommendations. It covers PewDiePie, QAnon, and other major events in internet history. More



APHORISMS



“The tyranny of a prince in an oligarchy is not so dangerous to the public welfare as the apathy of a citizen in a democracy.”



~ Charles de Montesquieu




Published on August 29, 2020 11:08

August 23, 2020

Why Creators Should Move to Direct Support Monetization




I’m on a personal mission to get the creators in our InfoSec community to do two things:




Centralize all their creation around their own domain
Set up a Direct Support mechanism


This piece is about the second of those, but let’s take them one at a time.



Why do creators need their own domain?

I covered this extensively here, but the TL;DR is that all platforms are 1) ephemeral, and 2) will always place their needs over yours over the long term—because…Capitalism.



Respect the Highlander quote.



Content platforms like Medium represent the timeless Faustian exchange of benefits now and suffering later, and as someone who’s seen this cycle play out dozens of times since 1999, I would spare you that pain.



Sure, but why do I need to monetize at all?

This is a great question that hopefully everyone asks in the beginning. If you’re thinking about money from the start, your content and audience size might reflect that.



But even people who love what they do eventually end up stressing themselves mentally and financially. The costs start adding up: Hosting fees, software licenses, computer and recording hardware, etc. At some point you start asking yourself how long you can maintain this without getting paid for it.



The costs of being a creator accelerate with time and quality of content.



So that’s the practical side—you’re going to have costs, and it’d be nice to recoup them. But the real reason you should start charging at some point is that it’s your art form. It’s what you do. And you put a lot of effort into it. You value other people’s work, so why shouldn’t they value yours?



Plus, there is the consideration that people don’t value what comes freely nearly as much as something they pay for—even if they’re not paying much.



Ok, but why do I need a direct support model?

So that’s why you should eventually charge for your creative fruit. But what’s this Direct Support model, and why is it better?



Well, before I answer that, let me describe the evolution of being a creator. The motion basically goes from Experimental –> Casual –> Serious –> Professional, as we see below.





We can talk about all these dimensions another time, but people usually get into monetization through something like Twitch Subscriptions or Medium. In other words, through a third party where your audience is interacting with your content.



That’s fine, but again—when you use a front-end platform like this, they’re the ones getting all the traffic. They’re going to Medium, not to you. They’re going to Twitch, not to you. So if they decide to change their business model, or they decide they don’t like your content, they can mess up your entire world.



Direct still has some abstraction just because you still need tech to accept money.



The way to get around this is to move to a Direct Support model. Direct Support means your audience is giving you the money as directly as possible, given the limitations of technology. Here are some examples of platforms along with their associated directness levels.



Bad


Medium : They get the money, and you get a slice
Twitch : They have the traffic, they get the money, and you get a slice


Decent

Substack’s Sign-up Interface




Patreon : They have the traffic, you get the money, they take a slice
Substack : They have the traffic, you get the money, they take a slice


Best

Memberful’s popup




Memberful : You have the traffic, you get the money, they make service fees
Ghost : You have the traffic, you get the money, they make service fees


With Medium and Twitch, the relationship is between the platform and them. With something like Patreon, they still go to patreon.com to see the content. And with something like Memberful you can interact with your audience on yoursite.com, and if someone subscribes the money comes to you directly.



Basically, the more invisible the platform, the better.



The way you should think about direct monetization—in my opinion—is Appreciation Infrastructure from one human to another.



We all strive to provide value to the world, and we also understand paying for things that have value.



Art continues to suffer from a Capitalism in the Middle Attack.



There’s a mechanism for selling books, but publishers still make way too much of the money. Same with selling music. Traditional journalism—selling your writing—is in the process of dying, and getting paid for blogging is like milking a pebble.



In most of these cases, the problem is abstraction—someone getting between the artist and the audience.



That’s what Direct Support does. It unclutters that pipeline. It makes it about the only two people who matter—you and someone who appreciates what you do.



So whether you’re putting out hacking videos, or live programming, or showing how to make the best sandwich—you are blasting your essence into the universe and asking, “Can anyone hear me?”



If someone subscribes, they have answered back, “Yes, please continue.”



Setting up direct support

Ok, well hopefully I’ve convinced you. Assuming I have, here’s how to get started.



If you’re on YouTube you obviously can’t “move” your content.




Get your own domain.
Move as much of your content there as possible, e.g., blog posts, etc.
Sign up with Memberful or Substack. I recommend Memberful if you want a longer-term, more flexible platform for monetization. It’s agnostic to what type of creator you are: maker, makeup, woodworking, fashion, hacking, knife-making—it doesn’t care. Substack is very focused on newsletter monetization.
Create a subscription page on your site, like yoursite.com/subscribe.
Create an easy navigation path from your main project—like your newsletter or your podcast or whatever—to your subscription site.
Link to your main project in all your social media profiles, e.g., yoursite.com/podcast, or yoursite.com/newsletter.


I honestly hope to see you out there in the internet bazaar, selling your wares to anyone who finds them beautiful.



Paying for art is among the highest forms of human exchange, and I can’t wait for you to participate.



Notes


I am a subscriber to over a dozen creators in this way, spread across Patreon, Memberful, and other direct methods.
Both Memberful and Ghost use Stripe for processing.
Memberful is actually owned by Patreon.
I recommend WordPress, Ghost, and Hugo for blogging platforms, in order of how much you want to think about the platform vs. the content. I prefer WordPress because it’s the most out of your way and content-focused. And yes, I’m a security person recommending WordPress. It’s actually decently secure these days—as long as you’re careful with plugins.
I want to give my thanks to Sam Harris for so many aspects of this. It was he who woke me to the option of going direct, and I continue to learn from his implementations as this space evolves.
You will need some moderate technical skills to do a few of these steps, from the blogging platform stuff to connecting the payment platforms. You can either hack that out yourself or you’ll need to hire someone.



Published on August 23, 2020 17:19


August 22, 2020

Algorithmic vs. Faith-based Learning

algorithmic learning 1



I think there are two primary ways to learn something. You can expose yourself to some knowledge and hope it sticks, or you can use that new information to tangibly update the methodology you have for doing something.



I call the first Faith-Based Learning. It’s where you read a book about nutrition, or dieting, or good habits, and you get this feeling of accomplishment. But then a few weeks later you haven’t changed anything about your behavior. And over the next few months and years, you will barely remember what you read.



I am an advocate of what I call Algorithmic Learning, which is where you have methodologies for doing things—like a daily routine—or managing your finances, and when you learn something you adjust your methodology.



Faith-based Learning Example: You currently don’t do any exercise in the morning, and you have far too little fiber in your diet. But then you read a book that says exercise is best in the morning, and that grains are really good for you. You Tweet about it, but you don’t actually make any changes, and a few months later you can’t remember what that book actually said.



“Most people” too often includes me.



That’s what most people do with what they learn. Nothing.



Algorithmic Learning Example: You currently don’t do any exercise in the morning, and you have far too little fiber in your diet. But then you read a book that says exercise is best in the morning, and that grains are really good for you. So you go and buy 5 cylinders of Quaker oats and commit to eating an oatmeal breakfast every single morning. You also update your morning_routine.md file on GitHub to reflect the change.





Another example is what I talk about in my recent DEFCON/Red Team Village talk on security automation. Rather than just looking at a bunch of security talks, you can use what I talk about in there to create new modules based on new techniques, which keeps your methodology evergreen.



Not all activities have steps that can or should be captured in text files, but many do. And making a change to a list of steps—an algorithm—is a tangible way to convert new knowledge into new behavior.



This is not a fix for having low self-discipline. You still have to actually do what’s in your algorithm. But it is a way to concretely benefit from the time you spend on learning.




Published on August 22, 2020 22:16

August 20, 2020

Google is Encouraging Bad Behavior By Not Listing Updated Content Dates




Google has a problem with not parsing updated content dates in search results.



The page above is my Difference Between URLs and URIs post, which I originally wrote in 2005—yes—but I’ve massively updated it several times. And just recently I updated it again, including with a new primary image.



Yet Google insists on putting other posts higher in search rankings because they were created or updated more recently—according to them.



Here’s the problem: I’m being too honest.



I currently show two dates for all my posts: the original creation date, and the updated date. And I keep hoping that Google will pick up the updated date.



Other sites don’t do this. They cheat (sort of) by just listing the updated date.



I did that for a while because I thought it was the proper way, and my search rankings went way up!



Wow, so now everything is brand new content! Yay! Except, no. It’s not. I want to show the evolution of my thinking on certain things, and it’s useful to see that your first thoughts on it were back in the internet’s infancy.



So Google is basically making me choose between truth and accuracy on one side, and good search placement on the other.



That’s not how the internet should work.



If anyone knows a solution to this, or someone at Google who can help fix it, please let me know.



Notes


Ok, thanks to my SEO guru friend Thomas Zickell, I found out the way to do this is by updating the schema.org code to include dateModified, and I’ve now done that via a plugin. We’ll see if that works!



Published on August 20, 2020 20:57

Mechanizing The Methodology




Download the Slides.



I presented at DEFCON’s Red Team Village on August 8th, and the topic was the automation of common Recon and Security activities. More specifically, it was about how to do those things with common tools like Linux, Bash, Cron, Email, and Slack.



My friend Clint Gibler of TL;DR Sec fame graciously created one of his brilliant summaries of the talk, which you can find here.



The central concepts in the talk are the following:




Turn security tasks into small, granular questions that have answers
Each answer should be a simple output that can become the input for another process
Chain these questions and answers together into workflows
Schedule them with cron
Alert using Amazon SES
Iterate as you learn new techniques.
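The six concepts above, turned into one small runnable chain as an added example (my illustration, not code from the talk or its slides): question one is “which of these candidate hosts resolve?”, its answer is a sorted list that becomes the input to question two, “which of those were not alive at the last run?”, and a non-empty answer to that becomes the alert. Everything the real version would pull from outside is a labeled stand-in so the script runs offline: the `*.example.test` hostnames are constructed, `resolves` is a lookup table standing in for `dig +short`, `notify` prints instead of calling Amazon SES, and the `crontab` line in the comment is an assumed schedule.

```shell
#!/bin/sh
# Added example, not from the talk: one question -> answer -> next question chain.
# Assumed schedule:  0 6 * * * /opt/recon/new-hosts.sh /var/lib/recon app.example.test api.example.test
set -eu

# Question 1: does this candidate hostname resolve?
# Constructed stand-in for `dig +short "$1"` so the script runs offline.
resolves() {
  case "$1" in
    app.example.test|api.example.test|new.example.test) return 0 ;;
    *) return 1 ;;
  esac
}

# Answer 1: the live hosts, one per line, sorted and deduplicated so the
# next step can treat the file as a set.
alive_hosts() {
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    if resolves "$host"; then printf '%s\n' "$host"; fi
  done | sort -u
}

# Question 2: which lines of the new answer were absent from the previous one?
# comm -13 prints only lines unique to the second file; both files must be sorted.
new_since() {
  comm -13 "$1" "$2"
}

# Alert step. The talk uses Amazon SES; this prints the message instead so no
# AWS credentials are needed. Swap the body for `aws ses send-email ...` in cron use.
notify() {
  printf 'SUBJECT: %s\nBODY:\n%s\n' "$1" "$2"
}

# One scheduled run: state_dir keeps the last run's answer; remaining args are candidates.
run_once() {
  state_dir="$1"; shift
  prev="$state_dir/alive.prev"
  cur="$state_dir/alive.cur"
  [ -f "$prev" ] || : > "$prev"          # first run: nothing was alive before
  printf '%s\n' "$@" | alive_hosts > "$cur"
  added=$(new_since "$prev" "$cur")
  if [ -n "$added" ]; then
    notify "New live hosts" "$added"
  fi
  mv "$cur" "$prev"                        # today's answer becomes tomorrow's baseline
}

# Stand-alone demo on constructed input: the first run alerts on every live host,
# the second only on new.example.test, the third on nothing.
demo_dir=$(mktemp -d)
run_once "$demo_dir" app.example.test old.example.test api.example.test
run_once "$demo_dir" app.example.test api.example.test new.example.test
run_once "$demo_dir" app.example.test api.example.test new.example.test
rm -rf "$demo_dir"
```

The shape is the point: each function answers exactly one question, its output is plain newline-separated text, and the only state between cron runs is a file holding the previous answer, which is what makes “what changed since last time?” a one-line `comm` instead of a database.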



Published on August 20, 2020 19:14

August 19, 2020

How to Initiate Contact With a Mentor




I’ve been in security for over 20 years now and have received thousands of emails asking for help or mentorship. And throughout that time I’ve also reached out to hundreds of people asking for something similar.



I’ve had a mix of success and failure on both ends of that equation, and I think I might have deciphered what was going wrong.



This can still work with some people, if it’s authentic.



I used to think it was all about the formal intro—like an old martial arts movie where a student seeks out the monk on the mountain. In that model, you start by talking about how you’re an unworthy worm, and how you could only hope to learn 1% of what they have to teach, and that would be more than enough…




Dear Dr. So and So,

I have admired your brilliant career for many years now and I am just starting on my journey. I would be honored if you could help me on my path by becoming my teacher… etc, etc.




That sounds humble and professional, and you’d think it’d be successful. But it’s actually a bad way to get a mentor, or even a response.



Rule #1 is to never give work to the customer.



The problem is that it violates several rules—most important of which is that if you’re asking a favor of someone, don’t give them work. Or at the very least, do as much of the work as possible and ask them if they’d be willing to do the final step.



Starstruck Padawan is not a strategy.



Here are some techniques that are likely to get you a response, and maybe even a mentor, listed as a set of rules or guidelines.



1. Don’t overuse flattery

If you’re reaching out to someone to be your mentor there’s a chance they get a lot of email and a lot of pings on Twitter. And if that’s the case then they’ve probably had many people telling them how great they are as well.



Flattery tends to work best when it’s genuine and unexpected, not when the recipient hears it all the time from most everyone.



2. Ask something specific

The next thing to avoid is just saying hello and then not really saying anything. Once again, if you do that, you’re then putting the burden on them to start a conversation. They probably won’t. They’ll just ignore your email.




BAD: Hey I really respect your music career? Can you help me have a career like yours?
BETTER: Hello, I’ve always admired how you built your career over time. Is there a specific book that you’d recommend to yourself 20 years ago?


This is good because you’re limiting the work they have to do. If they have a book in mind, they might just respond and give you the title. But they’re not going to build you a custom career plan in response to the first option.



3. Behave like a future peer

The next thing to try to do is present yourself as an equal—albeit a very junior one. You can say things like, “I am building a career like yours”, or, “I have the same passion for plants that you do, so I intend to base my life around them the way you have.”



Don’t be discouraged if you get a very short email from someone. Even that is hard to do when you get hundreds a week.



And then follow that up with a specific observation, or insight, or question. This way they’re helping someone who is already on a path, not signing up to adopt someone. Far more people will respond to the former than the latter.



4. Show that you’ve done work already

This one does two things: it shows that you’re respectful of their time, and also that you’re willing to do work on your own. Nothing scares a mentor away faster than someone who wants the mentor to do all the work, and is waiting to have something handed to them.



You’d be surprised how many emails a person known in their field might get.



So instead of asking what books they recommend, ask,




I see in your interview on TechCrunch that you liked these 5 books. I read all of those, and I’m wondering what you think of this one as well. Do you think it represents the industry accurately?




This gives them the freedom to respond with anything ranging from, “No, I don’t.”, to “I haven’t read it yet.”, to a long response telling you why they hated it. And now you’re having a conversation.



5. Ask for an opinion on something you’ve created

The next level up (these are kind of getting more advanced as we go along) is to show them something you’ve made in your field, and ask for their opinion. Notice that this includes and builds upon several of the other points we’ve already made.




It starts with business, not flattery
It’s specific
You’re behaving like a peer by showing work in the field
And you’ve already created something


So that might start with something like:




Hello Dr. Hanna,

I’m a huge fan of your work, and I have been following your research on vulnerabilities in SAP’s administrative functions.

I created this tool that automatically parses an installation and checks for everything you talk about on page 412 of your SAP Assessments book, and I’d love if you could give me your thoughts on it.




This is golden. You’ve respected them without going off into flattery. You’ve acknowledged their work and the fact that you’ve put the work in to read it. And you’ve created something in the field like a future peer.



And even though you’ve asked something of an open-ended question (“your thoughts on it”), you’ve earned that a bit through all the previous points. Plus, they can respond with anything from an emoticon to an essay. This is a wonderful way to start a professional relationship.



6. Offer an improvement or adjustment to something they’ve made

And that brings us to the final level of communication to someone ahead of you in your craft—value add.



It’s one thing to make it easy for them to help you. And it’s another thing to show them something interesting. But what will really get their attention is if you help them in some way.




Greetings Dr. Simmi,

In your latest podcast you mentioned using nmap with the T5 option to do your scanning at maximum speed, but I think you might want to look into masscan if speed is what you’re looking for.

I did a benchmark on the exact target you talked about in the episode and using the following command I got an 89% reduction in scan time. Just thought you’d want to know, and please keep up the great work!




This hits all the previous points plus helps them actually improve! And if they respond they’re likely to move right into a peer-like relationship with you, even if you’re far more junior. This will make it easier to formally ask later for a mentorship, or to just maintain the relationship as is.



Summary

This isn’t about manipulation or trickery—it’s about respecting people’s time and attention. If you’re trying to manipulate someone, they will feel it.




Avoid flattery.
Be specific.
Behave like a peer.
Indicate that you put the work in.
Show them something you’ve built.
Provide some kind of value to their craft.


If you can do any of these—and avoid their opposites—you’ll significantly raise your chances of getting a response from your potential mentor. And if you can do all six you’ve maximized those chances.



Happy hunting!




Published on August 19, 2020 23:22

August 17, 2020

What They Don’t Tell You About Being a Bounty Hunter or Content Creator



I have been following the bug bounty and security creator/influencer scenes since they started. And as someone in security who also creates content, I feel very close to it all. What I’ve seen in the last year has been troubling.



I keep seeing friends and associates—both in conversations and in social media—crumble under the relentless pressure to produce.



I might see someone publicly emote positivity and energy, and then ten minutes later—somewhere else on the internet—see them describe how unhappy they are.



What people don’t realize when they get into bounty and/or content creation is that the very reason you’re participating is also the thing that causes the suffering. Namely—the squirt of happiness and validation that comes when someone likes your bug, when you get paid for a bug, or when someone enjoys a piece of content you just released.



The rush starts wearing off immediately, and you start looking for the next one.



Spending too much time on Twitter is almost always a sign of unhealth.



People in the bounty and content creation games are deeply embedded in the community, so they’re constantly seeing the work of others. If they got a cool bug yesterday, and got praise from the community, then today they’ll see three of their colleagues get a new bug. And they’ll see them be praised for that.



Now their win from yesterday is gone, and they feel deflated and unloved.



Now they have to hurry up! What’s the next video they can make? What’s the next blog they can write? What’s the next bug they can find?



This takes the things they love most—hacking and sharing content—and turns them into weapons of self-harm.



Soon they’re finding themselves avoiding creating content at all, or looking for bugs, because the whole cycle of idea, creation, publish, and wait for praise has been tainted with negativity.



My advice to people considering a full-time job in content creation or bounty hunting is this: don’t just leap into it. You need to be sure that you’re so good at it that you can do it easily, and that you won’t be stressed for money when doing so.



Even if you are good enough, you still need to monitor your mental state.



If you are not sure you’re good enough yet…if you’re still learning…if your finances are precarious—I would say keep your day job and keep doing what you love on the side. Don’t let the jump to full-time turn the thing you love against you. Don’t let stress poison your favorite activities.



If you’re not having fun doing your favorite activities, it’s time to make changes.



And if you see someone struggling on this treadmill, try to help them. Remind them that these things should be fun, and that if they’re not they should make adjustments so that they are again.



Summary and practical takeaways

This doesn’t mean it’s not possible; it’s just not easy.



TL;DR: It’s essential to your happiness that you maintain a healthy relationship with your hobbies, and converting them to a full-time job is one of the fastest ways to mess that up.



Here’s what I recommend.




Monitor your mental state closely, week to week and month to month. Consider journaling to accomplish this, so you can see what you were actually feeling vs. what you remember after the fact, and be honest with yourself when you write.
Think about what is forcing you to hunt/create. If it’s stress around money, consider getting at least a part-time gig that can alleviate that financial burden. And if it’s feeling inadequate from watching all the other great hunters/creators out there, stop paying so much attention to what they’re doing and focus more on your own work and craft. Set a time limit for time on Twitter per day, say, 15 minutes to respond to direct queries and give some high-fives.
Explore books and articles that are related to your space but not part of the scene. So if you’re into OSINT or Recon, learn about threading options in Go, or take a course on Python 3. Or get on YouTube and follow some people talking about Python, Bash, and Vim. In other words, do a deep dive on subjects that will enhance your craft without directly being part of it.


No matter what, make sure that you’re having fun. Never forget that your enjoyment of the activity is the true source of both your skill and your happiness.



Much love to you all, and thank you for doing what you do.




Published on August 17, 2020 21:44

