Daniel Miessler's Blog, page 64
September 6, 2020
Is Anxiety Freedom Without Direction?
Anxiety—as we’ve all seen throughout 2020—can be extremely debilitating. I’ve been thinking about how it relates to other types of mental stress.
Anxiety
/’ang ZIE eh tee’/
noun
Stress and fear about what’s to come.
I need to be cautious not to beg the question here.
Fear of what’s coming is a good definition, but I’m speaking more specifically about a type of stress that relatively well-off people face when they are inactive.
Suffering, or exhaustion, seem quite different from anxiety and depression because—while they are unpleasant and traumatic—they are often faced during periods of extreme struggle, while anxiety and depression seem less likely in those situations.
It seems that someone with a major drive to do something, and who seems intent on that purpose, is not often anxious or depressed. Or perhaps their depression takes the hue of disappointment and discouragement. There’s no question that driven people can be unhappy, but the color of that unhappiness does not seem to match what we see today.
Perhaps I speak of existential depression when I describe what I see today—especially in the US. It’s the anxiety that comes from not knowing what one should do.
This seems to require two things:
Freedom to do multiple things.
A lack of driving purpose.
Freedom is required because if you are restricted from action in some way, by some sort of physical bondage or harsh life circumstance, you essentially get a driving purpose for free. That purpose is to gain freedom. Anyone without it tends to want it badly, and that desire becomes a furnace of purpose and drive. But when someone has freedom but no purpose, the very presence of options can become a ray of paralysis.
People with ideas and plans tend to cherish time alone and time with nothing else to do. It gives them time to explore and articulate their craft or their calling. People without purpose tend to see solitude as torture. Because they have nothing driving them internally, a lack of external stimulation means a lack of any stimulation. To be alone is to spend time with someone who is boring. And to someone who is not driven, being boring is the worst of insults.
The easiest way for this to be solved is not pleasant, which is to have an undeniable force applied to you. Like losing a job if you’re determined to work. Or struggling with a serious health issue. Those situations remove this type of existential anxiety because they create a path for you—the only path—that gets you out of survival mode.
The other option is to cultivate a life purpose that pulls you towards it even if you have 1,000 other options. A life mission of sorts. Or even something smaller, like a project to better yourself or to help other people.
People in the distant past, and even as recently as 50 or 100 years ago, were naturally forced into either survival mode or a career path that forced them forward. So while they might not have been happy, or fulfilled, they were at least not burdened with freedom.
Today is different. There are many mechanisms available today that allow people to be sedentary without starving or being subjected to the elements. Many go on disability and/or live with their parents and family indefinitely. They are able to live in a perpetual state of not being forced to survive and not being forced to choose a path.
Major depression rates rose 63% from 8.1% in 2009 to 13.2% in 2017 among U.S. adults ages 18 to 25.
I think it is that state—more than anything—that is causing the increases in anxiety and depression today.
It’s the poisonous combination of a lack of danger and a lack of drive that I call Soul Rot.
I don’t have the answer, obviously. But I do know that we should identify this as the problem—or at least as one model of it. We need to emphasize to our youth that having a deep purpose in life is the best possible thing one can have for their health and happiness. And that people without such a purpose can want for nothing but still pray for death.
This is one of the most important lessons that nobody ever teaches explicitly. Not most parents, not most schools. Nobody. We hear that it’s nice to have a purpose, but we don’t hear that it’s essential.
We should.
Notes
Helicopter parenting creates a different kind of stress I think, which isn’t anxiety around not knowing what to do, but rather the stress of needing to do something that you may not care about. I have no interest in comparing different types of hardship and stress here. I only wish to say that the stress of getting a master’s degree and a great job in some area that doesn’t bring you joy is not quite the same as not doing anything.
—
If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.
September 4, 2020
Zuboff vs. Doctorow vs. Miessler: What’s the Greatest Threat to Human Privacy?
Shoshana Zuboff came out with a brilliant work called Surveillance Capitalism a while back, which I reviewed here. It talked about not just the threat of the tech itself but how that tech could be used to control the behavior of populations.
I highly recommend it.
Cory Doctorow, of Down and Out in the Magic Kingdom and Little Brother fame, just came out with a rebuttal, essentially saying no—it’s not the tech that’s the problem, but rather that the companies wielding the tech are monopolies.
I personally think they’re both looking for the enemy in the wrong place. It’s not tech that’s the problem, and it’s not capitalism’s final bosses, i.e. monopolies.
The problem is much worse—human desire combined with progress.
I want to convince you of this in two ways:
Showing you that human desire and progress ultimately lead to Surveillance Capitalism, and…
Showing that you can have Monopolies without the problem, and the problem without Monopolies.
My first point is that evolution drives us to win. As individuals, as groups, as governments, as cities, as countries. It’s ultimately the reason we get up in the morning. To be better. To win. To have better kids. Kids that are happier, more successful, and more attractive. So they can have more kids. Who can do the same thing.
This is not our game. It was a game that was given to us all. Against our will. Yet we claim it’s our idea.
So that’s evolution. And that’s what it makes us do.
Next is progress. Progress is like the drunk man named Stok struggling home after the bar. You might not be able to predict where his next step will be, but you can predict that he’s likely to end up at home.
We’re not going to slow progress because progress feeds on itself, and combined with evolution constantly pushing for improvements—we end up stumbling into constant advances that eventually arrive at superior technology.
It’s less predictable than the sunrise, but it’s just as inevitable.
So we can’t stop our desire to win as humans, and we can’t stop the advancement of technology because it’s driven by time plus that desire. Unfortunately, that is all that’s needed to get to Surveillance Capitalism and a serious threat to human privacy and freedom.
You don’t need monopolies. That’s a side effect. A detail. A triviality. Like the color of a sword that’s been passed through your bowels. Here Doctorow talks about one scary thing about the tech:
The Neighbors app allows you to form a neighborhood-wide surveillance grid with your fellow Ring owners through which you can share clips of “suspicious characters.” If you’re thinking that this sounds like a recipe for letting curtain-twitching racists supercharge their suspicions of people with brown skin who walk down their blocks, you’re right. Ring has become a de facto, off-the-books arm of the police without any of the pesky oversight or rules.
Cory Doctorow
This is, of course, correct. But it has nothing to do with monopolies. Ring was doing a lot of this before it was bought by Amazon, and it could have continued doing so even if it weren’t.
Again, the thing that made it possible is 1) the human desire to be safe, and 2) the advancement of technology. Those are the vehicles at play.
Capitalism is simply a racetrack that these vehicles can use to move at high speeds, and monopolies—if anything—are an obstacle to that progress.
A good example of this is Clearview AI, which advanced one of the biggest attacks on human privacy in history by scraping billions of publicly posted images from the web and social media and tying them to profiles through facial recognition. A tiny startup built that, which is the polar opposite of a monopoly. The reason it thrived is because it’s deeply empowering to be able to see someone and know everything about them.
So, big tech can be a problem if it’s not encouraged to follow a liberal and progressive spirit. Without a positive drive that’s consistently monitored and checked, it can become malignant. And monopolies can have many negative effects, from stifling innovation to providing increasing amounts of the world’s data to steal in one place.
But while it’s true that evil monopolies could stop benign competitors through anti-competitive practices, and big tech might branch into larger societal functions like education and healthcare once it gets big enough (see Amazon), the ultimate problem is not the size of companies or whether they’re monopolistic.
The problem is humans wanting to win, combined with the inevitable march of technological progress.
These are the forces that will create the tech companies. These are the forces that will make them large. These are the forces that will make their leaders want to control others. And these are the forces that will make them anti-competitive.
It’s ok to look for danger in particular manifestations of these core problems, such as certain types of company or certain types of government. But we shouldn’t make the mistake of thinking those things are the problem.
The problem is that evolution drives us to survive, to be safe, and to win. Constantly. And forever. Until we stop those forces, and the progress that comes with them, we will continue to see these mechanisms for controlling others spring into existence.
The path forward is not to stop symptoms of evolution-imbued drives, but rather to find ways to build a society where those tendencies can be exercised in a healthy way.
September 1, 2020
Unsupervised Learning: No. 244
August 29, 2020
Unsupervised Learning: No. 243
InfoSec Creator Monetization, Initiating Contact with a Mentor, The Dark Side of Bounty/Creator Life, Facebook Election Threat Scenarios, Uber CISO Arrested, Spy HR Review Goes Bad, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…
Discovery, Creation, and Ideas…
I spend 5-20 hours a week consuming books, articles, and podcasts about security, technology, and society—and every Monday morning I send a summary of my best finds.
Why InfoSec Creators Should Move to Direct Support Monetization More
How to Initiate Contact With a Mentor More
What They Don’t Tell You About Being a Bounty Hunter or Content Creator More
Algorithmic vs. Faith-based Learning More
SECURITY NEWS
Facebook is threat modeling various scenarios where the current administration attempts to dispute or spread disinformation regarding the 2020 election results. They’ve even discussed a “kill switch” that can turn off all political ads on election day. More
Joe Sullivan, the former CISO of Uber, has been arrested for trying to cover up the 2016 data breach that exposed 57 million drivers’ and customers’ data. Regardless of the details of the case, I like what this sets as a precedent regarding the responsibility to report. More
California’s DMV is selling data to 98,000 different groups, including private investigators, bail bondsmen, and insurance companies. It’s one thing to have a privacy problem for voluntary services like Facebook and Google, but what do you do when the government forces you to surrender your data, which they then use to make a profit? More
The US Army says many North Korean hackers attack from outside North Korea. More
A naturalized US citizen, born in Hong Kong and who worked for the CIA and FBI, was arrested Friday for selling secrets to China. The best part is how he got caught. The FBI impersonated his Chinese spy HR department, basically, and asked him what all he had done and what his goals were. He told them everything, including that he wanted “the Motherland to succeed”. More
Soundarya Ramesh and her team have found a way to recreate a key by listening to it open a lock. And all you need is a smartphone recording. More Demo
Alexei Navalny, an outspoken Russian opposition leader, was poisoned on a flight and is now on a ventilator. It’s remarkable to me that everyone knows Putin kills his political opponents using poison. It’s common knowledge and the international community seems uninterested. More
An AI beat a human in an F-16 dogfight again. More
Vulnerabilities:
Microsoft issued out-of-band fixes for Windows 8.1 and Server 2012 R2. More
A Jenkins Server vulnerability (CVSS 9.4) could result in data disclosure. More
Breaches:
Experian reported a breach that exposed data on around 24 million South Africans and 800,000 businesses. More
240,000 records were stolen from the Utah Gun Exchange, including emails, usernames, and passwords. More
Ransomware:
Jack Daniel’s says they repelled a ransomware attack, but REvil has posted data they say they took from them. More
The University of Utah paid almost $500K in ransom to get back its student and employee data. More
Konica Minolta was hit in July, but they said it didn’t affect their All Covered MSP. More
Disinformation:
Facebook has removed 790 QAnon groups. More
Companies:
Palantir’s S-1 leaked last week and it reveals some truly strange numbers, including the fact that they’ve been in business for decades yet only have 125 customers. They also lost nearly $580 million in 2019, and almost a third of their revenue comes from their top 3 customers. More
Cobalt.io secured a $29 million Series B. Way to go, Caroline Wong and team!
SenseTime is China’s largest facial recognition startup, and it got banned by Trump in 2019. But it’s now thriving (projecting 80% revenue growth in 2020) due to sales to local governments in China for COVID monitoring. More
TECHNOLOGY NEWS
A company called Hour One has raised $5 million to use AI to generate synthetic characters from real humans. They can be programmed to say anything as that person. This is massive. This is basically the creation of peoples’ digital avatars, and the actual manifestation of Deepfakes that everyone has been waiting for. More Demo
Tesla wants to use radar to detect kids inside hot cars. More
QR Codes are making a serious comeback amid COVID. More
A UC Berkeley student used GPT-3 to generate some blog posts, and one of them got to the front page of Hacker News because people thought it was 1) real, and 2) great. More
Oracle is now one of the companies trying to buy TikTok’s US operations. More
Amazon is adding 3,500 tech and corporate jobs across 6 US cities. More
HUMAN NEWS
Finland showed the results of a 2-year basic income experiment, and unemployed people who received the guaranteed income reported being happier and actually worked more days per year than those who did not. More
Japan’s GDP fell by almost 8% in Q2. More
IDEAS, TRENDS, & ANALYSIS
How China Surveils the World — A brilliant interview-style discussion of how China sees big data and what they’re doing with it. Read this and then remember that they have Equifax data, OPM data, Marriott data, and countless other similar datasets. They’re playing the long game here of deeply knowing targets, even if they won’t actually be targets for decades to come (see TikTok). More
I had a particularly nasty idea for a ransomware tactic: present your findings as a bounty report, where you’re asking for payment for the legitimate issue you’ve discovered. In other words, don’t use any “compromise” language, so that the leadership of the company can plausibly deny that anything bad happened. Then, if that doesn’t work, switch to the normal language of, “We’ve got your stuff. Pay us.” This is such a good idea I can guarantee lots of groups are doing it already.
The TikTok Ban is Overdue More
Thinking of yourself as a separate entity (like inside and outside of work) can reduce anxiety and improve your confidence and determination. More
Blockchain, the Amazing Solution for Almost Nothing More
UPDATES
Here’s the DEFCON video of my talk, Mechanizing the Methodology, including a link to the slides. More
The length of the show has been growing again. Not only have I had many stories lately, but some of the comments have been fairly long-form, i.e., large paragraphs as opposed to 1-3 sentences. I think I’m going to try to adjust that back a little so the show remains easy to get through, and highly curated. Especially in the newsletter form. I mean, it’s already curated from thousands of articles to a few dozen, but I think I can do better. My main thing is I don’t want to feel like I’m giving someone a ton of work when they read the newsletter. Please reply with your preference if you feel strongly about this in either direction.
I really want to create a list of every book I’ve read that gets auto-updated using Amazon Kindle/Goodreads. It looks like this will be the path. I might outsource it just to save time, or I might just do it myself in Python 3 this week. API
DISCOVERY
There’s a new coffee brewer called the Ratio Eight. I kind of want one, but I already have like 9 ways to make coffee, and it’s like $500. It’s an intelligent Chemex machine, basically. Intriguing. I’m very happy they’re out of stock right now. More
@hakluke posted a great tutorial on OWASP Amass. More
Log and Time Series data are not the same. More
Kapow — Turn a shell command into an API. Cool! Also, yikes. More
Intel Owl — Threat Intelligence on a file, IP, or domain. More
SpaceSiren — A honey token manager and alert system for AWS. More
MITRE Shield — A mapping for ATT&CK to defenses. More
Draw — A collaborative whiteboard. More
A really nice collection of online tools for various tasks. More
RECOMMENDATIONS
I really enjoyed this podcast series by Kevin Roose, called Rabbit Hole. It’s all about the effect of the internet on people. Specifically, how it can pull people in increasingly extreme directions via algorithmic recommendations. It covers PewDiePie, QAnon, and other major events in internet history. More
APHORISMS
“The tyranny of a prince in an oligarchy is not so dangerous to the public welfare as the apathy of a citizen in a democracy.”
~ Charles de Montesquieu
August 23, 2020
Why Creators Should Move to Direct Support Monetization
I’m on a personal mission to get the creators in our InfoSec community to do two things:
Centralize all their creation around their own domain
Set up a Direct Support mechanism
This piece is about the second of those, but let’s take them one at a time.
Why do creators need their own domain?
I covered this extensively here, but the TL;DR is that all platforms are 1) ephemeral, and 2) will always place their needs over yours over the long term—because…Capitalism.
Respect the Highlander quote.
Content platforms like Medium represent the timeless Faustian exchange of benefits now and suffering later, and as someone who’s seen this cycle play out dozens of times since 1999, I would spare you that pain.
Sure, but why do I need to monetize at all?
This is a great question that hopefully everyone asks in the beginning. If you’re thinking about money from the start, your content and audience size might reflect that.
But even people who love what they do eventually end up stressing themselves mentally and financially. The costs start adding up: Hosting fees, software licenses, computer and recording hardware, etc. At some point you start asking yourself how long you can maintain this without getting paid for it.
The costs of being a creator accelerate with time and quality of content.
So that’s the practical side—you’re going to have costs, and it’d be nice to recoup them. But the real reason you should start charging at some point is that it’s your art form. It’s what you do. And you put a lot of effort into it. You value other peoples’ work, so why shouldn’t they value yours?
Plus, there is the consideration that people don’t value what comes freely nearly as much as something they pay for—even if they’re not paying much.
Ok, but why do I need a direct support model?
So that’s why you should eventually charge for your creative fruit. But what’s this Direct Support model, and why is it better?
Well, before I answer that, let me describe the evolution of being a creator. The motion basically goes from Experimental –> Casual –> Serious –> Professional, as we see below.
We can talk about all these dimensions another time, but people usually get into monetization through something like Twitch Subscriptions or Medium. In other words, through a third party where your audience is interacting with your content.
That’s fine, but again—when you use a front-end platform like this, they’re the ones getting all the traffic. They’re going to Medium, not to you. They’re going to Twitch, not to you. So if they decide to change their business model, or they decide they don’t like your content, they can mess up your entire world.
Direct still has some abstraction just because you still need tech to accept money.
The way to get around this is to move to a Direct Support model. Direct Support means your audience is giving you the money as directly as possible, given the limitations of technology. Here are some examples of platforms along with their associated directness levels.
Bad
Medium : They get the money, and you get a slice
Twitch : They have the traffic, they get the money, and you get a slice
Decent

Substack’s Sign-up Interface
Patreon : They have the traffic, you get the money, they take a slice
Substack : They have the traffic, you get the money, they take a slice
Best

Memberful’s popup
Memberful : You have the traffic, you get the money, they make service fees
Ghost : You have the traffic, you get the money, they make service fees
With Medium and Twitch, the relationship is between the platform and your audience. With something like Patreon, they still go to patreon.com to see the content. And with something like Memberful you can interact with your audience on yoursite.com, and if someone subscribes the money comes to you directly.
Basically, the more invisible the platform, the better.
The way you should think about direct monetization—in my opinion—is Appreciation Infrastructure from one human to another.
We all strive to provide value to the world, and we also understand paying for things that have value.
Art continues to suffer from a Capitalism in the Middle Attack.
There’s a mechanism for selling books, but publishers still make way too much of the money. Same with selling music. Traditional journalism—selling your writing—is in the process of dying, and getting paid for blogging is like milking a pebble.
In most of these cases, the problem is abstraction—someone getting between the artist and the audience.
That’s what Direct Support does. It unclutters that pipeline. It makes it about the only two people who matter—you and someone who appreciates what you do.
So whether you’re putting out hacking videos, or live programming, or showing how to make the best sandwich—you are blasting your essence into the universe and asking, “Can anyone hear me?”
If someone subscribes, they have answered back, “Yes, please continue.”
Setting up direct support
Ok, well hopefully I’ve convinced you. Assuming I have, here’s how to get started.
If you’re on YouTube you obviously can’t “move” your content.
Get your own domain.
Move as much of your content there as possible, e.g., blog posts, etc.
Sign up with Memberful or Substack. I recommend Memberful if you want a longer-term, more flexible platform for monetization. It’s agnostic to what type of creator you are: maker, makeup, woodworking, fashion, hacking, knife-making—it doesn’t care. Substack is very focused on newsletter monetization.
Create a subscription page on your site, like yoursite.com/subscribe.
Create an easy navigation path from your main project—like your newsletter or your podcast or whatever—to your subscription site.
Link to your main project in all your social media profiles, e.g., yoursite.com/podcast, or yoursite.com/newsletter.
I honestly hope to see you out there in the internet bazaar, selling your wares to anyone who finds them beautiful.
Paying for art is among the highest forms of human exchange, and I can’t wait for you to participate.
Notes
I am a subscriber to over a dozen creators in this way, spread across Patreon, Memberful, and other direct methods.
Both Memberful and Ghost use Stripe for processing.
Memberful is actually owned by Patreon.
I recommend WordPress, Ghost, and Hugo for blogging platforms, in order of how much you want to think about the platform vs. the content. I prefer WordPress because it’s the most out of your way and content-focused. And yes, I’m a security person recommending WordPress. It’s actually decently secure these days—as long as you’re careful with plugins.
I want to give my thanks to Sam Harris for so many aspects of this. It was he who woke me to the option of going direct, and I continue to learn from his implementations as this space evolves.
You will need some moderate technical skills to do a few of these steps, from the blogging platform stuff to connecting the payment platforms. You can either hack that out yourself or you’ll need to hire someone.
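One place the “connecting the payment platforms” step turns into real code is webhooks. Memberful and Ghost handle their Stripe integration for you, but if you wire Stripe into your own site (a custom WordPress or Hugo setup, say), Stripe will POST subscription events to an endpoint you run, and anyone on the internet can POST to that endpoint too. The check that keeps a forged “customer.subscription.created” from unlocking member content is the signature Stripe puts in the Stripe-Signature header: `t=<unix timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<raw body>" under your endpoint secret>`, rejected if the timestamp is stale. The example below is added here and is not code from the original post, from Memberful, Ghost, or Stripe; the endpoint secret and event payload are constructed for illustration, and the `build_signature_header` helper only exists to produce a header to test against. In production you would call the official library’s `stripe.Webhook.construct_event`, which performs the same check.

```python
import hashlib
import hmac

# Constructed placeholder, not a real Stripe endpoint secret (assumption).
ENDPOINT_SECRET = "whsec_example_secret_do_not_use"


def _sign(payload: bytes, secret: str, timestamp: int) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the endpoint secret."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def build_signature_header(payload: bytes, secret: str, timestamp: int) -> str:
    """Produce a Stripe-style 'Stripe-Signature' header value: 't=<ts>,v1=<hex>'.
    Used here only to construct test input; Stripe builds this on its side."""
    return f"t={timestamp},v1={_sign(payload, secret, timestamp)}"


def verify_signature_header(payload: bytes, header: str, secret: str,
                            now: int, tolerance: int = 300) -> bool:
    """Return True only if the header carries a v1 signature matching the raw
    body under our secret AND its timestamp is within `tolerance` seconds of
    `now`. The timestamp check limits replay of a captured valid request;
    compare_digest avoids leaking the expected signature via timing."""
    timestamp = None
    candidate_sigs = []
    for item in header.split(","):
        if "=" not in item:
            return False
        key, value = item.split("=", 1)
        if key == "t":
            timestamp = value
        elif key == "v1":
            # Stripe may send several v1 values during secret rotation.
            candidate_sigs.append(value)
    if timestamp is None or not candidate_sigs:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = _sign(payload, secret, ts)
    return any(hmac.compare_digest(expected, sig) for sig in candidate_sigs)


def handle_webhook(raw_body: bytes, header: str, now: int) -> str:
    """Minimal dispatcher: refuse anything that fails verification before the
    body is parsed or acted on. Returns a short status string for the caller."""
    if not verify_signature_header(raw_body, header, ENDPOINT_SECRET, now):
        return "rejected"
    # Only after verification is it safe to trust fields in the body.
    return "accepted"


if __name__ == "__main__":
    # Constructed sample event body; the raw bytes must be verified, not a re-serialized copy.
    body = b'{"id":"evt_example","type":"customer.subscription.created"}'
    sent_at = 1_700_000_000
    header = build_signature_header(body, ENDPOINT_SECRET, sent_at)
    print(handle_webhook(body, header, now=sent_at + 5))          # accepted
    print(handle_webhook(body + b" ", header, now=sent_at + 5))   # rejected: body altered
    print(handle_webhook(body, header, now=sent_at + 3600))       # rejected: replayed too late
```

Two details matter in practice: verify the raw request bytes exactly as received (re-serializing JSON changes whitespace and breaks the HMAC), and do not let a failed verification log or echo the expected signature.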
—
If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.
Why InfoSec Creators Should Move to Direct Support Monetization
I’m on a personal mission to get the creators in our InfoSec community to do two things:
Centralize all their creation around their own domain
Set up a Direct Support mechanism
This piece is about the second of those, but let’s take them one at a time.
Why do creators need their own domain?
I covered this extensively here, but the TL;DR is that all platforms are 1) ephemeral, and 2) will always place their needs over yours over the longterm—because…Capitalism.
Respect the Highlander quote.
Content platforms like Medium represent the timeless Faustian exchange of benefits now and suffering later, and as someone who’s seen this cycle play out dozens of times since 1999, I would spare you that pain.
Sure, but why do I need to monetize at all?
This is a great question that hopefully everyone asks in the beginning. If you’re thinking about money from the start, your content and audience size might reflect that.
But even people who love what they do eventually end up stressing themselves mentally and financially. The costs start adding up: Hosting fees, software licenses, computer and recording hardware, etc. At some point you start asking yourself how long you can maintain this without getting paid for it.
The costs of being a creator accelerate with time and quality of content.
So that’s the practical side—you’re going to have costs, and it’d be nice to recuperate them. But the real reason you should start charging at some point is that it’s your art form. It’s what you do. And you put a lot of effort into it. You value other peoples’ work, so why shouldn’t they value yours?
Plus, there is the consideration that people don’t value what comes freely nearly as much as something they pay for—even if they’re not paying much.
Ok, but why do I need a direct support model?
So that’s why you should eventually charge for your creative fruit. But what’s this Direct Support model, and why is it better?
Well, before I answer that, let me describe the evolution of being a creator. The motion basically goes from Experimental –> Casual –> Serious –> Professional, as we see below.
We can talk about all these dimensions another time, but people usually get into monetization through something like Twitch Subscriptions or Medium. In other words, through a third party where your audience is interacting with your content.
That’s fine, but again—when you use a front-end platform like this, they’re the ones getting all the traffic. They’re going to Medium, not to you. They’re going to Twitch, not to you. So if they decide to change their business model, or they decide they don’t like your content, they can mess up your entire world.
Direct still has some abstraction just because you still need tech to accept money.
The way to get around this is to move to a Direct Support model. Direct Support means your audience is giving you the money as directly as possible, given the limitations of technology. Here are some examples of platforms along with their associated directness levels.
Bad
Medium : They get the money, and you get a slice
Twitch : They have the traffic, they get the money, and you get a slice
Decent

Substack’s Sign-up Interface
Patreon : They have the traffic, you get the money, they take a slice
Substack : They have the traffic, you get the money, they take a slice
Best

Memberful’s popup
Memberful : You have the traffic, you get the money, they make service fees
Ghost : You have the traffic, you get the money, they make service fees
With Medium and Twitch, the relationship is between the platform and them. With something like Patreon, they still go to patreon.com to see the content. And with something like Memberful you can interact with your audience on yoursite.com, and if someone subscribes the money comes to you directly.
Basically, the more invisible the platform, the better.
The way you should think about direct monetization—in my opinion—is Appreciation Infrastructure from one human to another.
We all strive to provide value to the world, and we also understand paying for things that have value.
Art continues to suffer from a Capitalism in the Middle Attack.
There’s a mechanism for selling books, but publishers still make way too much of the money. Same with selling music. Traditional journalism—selling your writing—is the process of dying, and getting paid for blogging is like milking a pebble.
In most of these cases, the problem is abstraction—someone getting between the artist and the audience.
That’s what Direct Support does. It unclutters that pipeline. It makes it about the only two people who matter—you and someone who appreciates what you do.
So whether you’re putting out hacking videos, or live programming, or showing how to make the best sandwich—you are blasting your essence into the universe and asking, “Can anyone hear me?”
If someone subscribes, they have answered back, “Yes, please continue.”
Setting up direct support
Ok, well hopefully I’ve convinced you. Assuming I have, here’s how to get started.
Get your own domain.
Move as much of your content there as possible, e.g., blog posts, etc. (If you’re on YouTube you obviously can’t “move” your content.)
Sign up with Memberful or Substack. I recommend Memberful if you want a longer-term, more flexible platform for monetization. It’s agnostic to what type of creator you are: maker, makeup, woodworking, fashion, hacking, knife-making—it doesn’t care. Substack is very focused on newsletter monetization.
Create a subscription page on your site, like yoursite.com/subscribe.
Create an easy navigation path from your main project—like your newsletter or your podcast or whatever—to your subscription site.
Link to your main project in all your social media profiles, e.g., yoursite.com/podcast, or yoursite.com/newsletter.
I honestly hope to see you out there in the internet bazaar, selling your wares to anyone who finds them beautiful.
Paying for art is among the highest forms of human exchange, and I can’t wait for you to participate.
Notes
I am a subscriber to over a dozen creators in this way, spread across Patreon, Memberful, and other direct methods.
Both Memberful and Ghost use Stripe for processing.
Memberful is actually owned by Patreon.
I recommend WordPress, Ghost, and Hugo for blogging platforms, in order of how much you want to think about the platform vs. the content. I prefer WordPress because it’s the most out of your way and content-focused. And yes, I’m a security person recommending WordPress. It’s actually decently secure these days—as long as you’re careful with plugins.
I want to give my thanks to Sam Harris for so many aspects of this. It was he who woke me to the option of going direct, and I continue to learn from his implementations as this space evolves.
You will need some moderate technical skills to do a few of these steps, from the blogging platform stuff to connecting the payment platforms. You can either hack that out yourself or you’ll need to hire someone.
—
If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.
August 22, 2020
Algorithmic vs. Faith-based Learning
I think there are two primary ways to learn something. You can expose yourself to some knowledge and hope it sticks, or you can use that new information to tangibly update the methodology you have for doing something.
I call the first Faith-Based Learning. It’s where you read a book about nutrition, or dieting, or good habits, and you get this feeling of accomplishment. But then a few weeks later you haven’t changed anything about your behavior. And over the next few months and years, you will barely remember what you read.
I am an advocate of what I call Algorithmic Learning, which is where you have methodologies for doing things—like a daily routine—or managing your finances, and when you learn something you adjust your methodology.
Faith-based Learning Example: You currently don’t do any exercise in the morning, and you have far too little fiber in your diet. But then you read a book that says exercise is best in the morning, and that grains are really good for you. You Tweet about it, but you don’t actually make any changes, and a few months later you can’t remember what that book actually said.
That’s what most people do with what they learn. Nothing.
“Most people” too often includes me.
Algorithmic Learning Example: You currently don’t do any exercise in the morning, and you have far too little fiber in your diet. But then you read a book that says exercise is best in the morning, and that grains are really good for you. So you go and buy 5 cylinders of Quaker oats and commit to eating oatmeal breakfast every single morning. You also update your morning_routine.md file on Github to reflect the change.
Another example is what I talk about in my recent DEFCON/Red Team Village talk on security automation. Rather than just looking at a bunch of security talks, you can use what I talk about in there to create new modules based on new techniques, which keeps your methodology evergreen.
Not all activities have steps that can or should be captured in text files, but many do. And making a change to a list of steps—an algorithm—is a tangible way to convert new knowledge into new behavior.
This is not a fix for having low self-discipline. You still have to actually do what’s in your algorithm. But it is a way to concretely benefit from the time you spend on learning.
August 20, 2020
Google is Encouraging Bad Behavior By Not Listing Updated Content Dates
Google has a problem with not parsing updated content dates in search results.
The page above is my Difference Between URLs and URIs post, which I originally wrote in 2005—yes—but I’ve massively updated it several times. And just recently I updated it again, including with a new primary image.
Yet Google insists on putting other posts higher in search rankings because they were created or updated more recently—according to them.
Here’s the problem: I’m being too honest.
I currently show two dates for all my posts: the original creation date, and the updated date. And I keep hoping that Google will pick up the updated date.
Other sites don’t do this. They cheat (sort of) by just listing the updated date.
I did that for a while because I thought it was the proper way, and my search rankings went way up!
Wow, so now everything is brand new content! Yay! Except, no. It’s not. I want to show the evolution of my thinking on certain things, and it’s useful to see that your first thoughts on it were back in the internet’s infancy.
So Google is basically making me choose between truth and accuracy on one side, and good search placement on the other.
That’s not how the internet should work.
If anyone knows a solution to this, or someone at Google who can help fix it, please let me know.
Notes
Ok, thanks to my SEO guru friend Thomas Zickell, I found out the way to do this is by updating the schema.org code to include dateModified, and I’ve now done that via a plugin. We’ll see if that works!
Mechanizing The Methodology
I presented at DEFCON’s Red Team Village on August 8th, and the topic was the automation of common Recon and Security activities. More specifically, it was about how to do those things with common tools like Linux, Bash, Cron, Email, and Slack.
My friend Clint Gibler of TL;DR Sec fame graciously created one of his brilliant summaries of the talk, which you can find here.
The central concepts in the talk are the following:
Turn security tasks into small, granular questions that have answers
Each answer should be a simple output that can become the input for another process
Chain these questions and answers together into workflows
Schedule them with cron
Alert using Amazon SES
Iterate as you learn new techniques.
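As an added illustration of those concepts (my sketch, not code from the talk or the post): each question is a small function whose line-oriented answer feeds the next one, the last question keeps the workflow quiet unless an answer is new, and the alert step is where Amazon SES would plug in. The hostnames, ports, STATE_DIR default and the aws CLI invocation are all constructed or assumed.

```shell
#!/usr/bin/env bash
# Added example of the talk's pattern: each question is a small function whose
# line-oriented answer feeds the next one. All data below is constructed.
set -eu

# Assumed location for run-to-run state (constructed default).
STATE_DIR="${STATE_DIR:-/tmp/methodology-state}"

# Q1: "Which hosts are in my inventory?"  Answer: one hostname per line.
# A real run would read an inventory file or asset API; this list is constructed.
list_hosts() {
  printf '%s\n' app.example.com api.example.com old.example.com
}

# Q2: "Which of these hosts expose a management port?"  Input: hostnames.
# Answer: host:port lines. The table stands in for real service-scan output.
management_ports() {
  while read -r host; do
    case "$host" in
      app.example.com) echo "$host:8443" ;;
      old.example.com) echo "$host:2222" ;;
    esac
  done
}

# Q3: "Which answers are new since the last run?"  Keeps the workflow quiet
# unless something changed, so an alert means a change, not a repeat.
new_since_last_run() {
  prev="$STATE_DIR/$1.prev"; cur="$STATE_DIR/$1.cur"
  mkdir -p "$STATE_DIR"; touch "$prev"
  sort -u > "$cur"
  comm -13 "$prev" "$cur"      # lines present now but not last time
  mv "$cur" "$prev"
}

# Alert step. The SES call is an assumption about the aws CLI and needs
# ALERT_FROM/ALERT_TO; with DRY_RUN=1 (default) the alert is printed instead.
alert() {
  body=$(cat)
  [ -n "$body" ] || return 0
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'ALERT:\n%s\n' "$body"
  else
    aws ses send-email --from "$ALERT_FROM" --destination "ToAddresses=$ALERT_TO" \
      --message "Subject={Data=New management ports},Body={Text={Data=$body}}"
  fi
}

# The workflow: chain the questions, alert only on new answers.
# Schedule it with cron, e.g.:  0 6 * * * /path/to/methodology.sh run
run_workflow() {
  list_hosts | management_ports | new_since_last_run mgmt_ports | alert
}
if [ "${1:-}" = "run" ]; then run_workflow; fi
```

Running it twice shows the point of Q3: the first run alerts on both host:port answers, the second run produces nothing because the answer set did not change.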
August 19, 2020
How to Initiate Contact With a Mentor
I’ve been in security for over 20 years now and have received thousands of emails asking for help or mentorship. And throughout that time I’ve also reached out to hundreds of people asking for something similar.
I’ve had a mix of success and failure on both ends of that equation, and I think I might have deciphered what was going wrong.
I used to think it was all about the formal intro—like an old martial arts movie where a student seeks out the monk on the mountain. In that model, you start by talking about how you’re an unworthy worm, and how you could only hope to learn 1% of what they have to teach, and that would be more than enough…
Dear Dr. So and So,
I have admired your brilliant career for many years now and I am just starting on my journey. I would be honored if you could help me on my path by becoming my teacher… etc, etc.
That sounds humble and professional, and you’d think it’d be successful. But it’s actually a bad way to get a mentor, or even a response.
This can still work with some people, if it’s authentic.
Rule #1 is to never give work to the customer.
The problem is that it violates several rules—most important of which is that if you’re asking a favor of someone, don’t give them work. Or at the very least, do as much of the work as possible and ask them if they’d be willing to do the final step.
Starstruck Padawan is not a strategy.
Here are some techniques that are likely to get you a response, and maybe even a mentor, listed as a set of rules or guidelines.
1. Don’t overuse flattery
If you’re reaching out to someone to be your mentor there’s a chance they get a lot of email and a lot of pings on Twitter. And if that’s the case then they’ve probably had many people telling them how great they are as well.
Flattery tends to work best when it’s genuine and unexpected, not when the recipient hears it all the time from most everyone.
2. Ask something specific
The next thing to avoid is just saying hello and then not really saying anything. Once again, if you do that, you’re then putting the burden on them to start a conversation. They probably won’t. They’ll just ignore your email.
BAD: Hey I really respect your music career? Can you help me have a career like yours?
BETTER: Hello, I’ve always admired how you built your career over time. Is there a specific book that you’d recommend to yourself 20 years ago?
This is good because you’re limiting the work they have to do. If they have a book in mind, they might just respond and give you the title. But they’re not going to build you a custom career plan in response to the first option.
3. Behave like a future peer
The next thing to try to do is present yourself as an equal—albeit a very junior one. You can say things like, “I am building a career like yours”, or, “I have the same passion for plants that you do, so I intend to base my life around them the way you have.”
And then follow that up with a specific observation, or insight, or question. This way they’re helping someone who is already on a path, not signing up to adopt someone. Far more people will respond to the former than the latter.
Don’t be discouraged if you get a very short email from someone. Even that is hard to do when you get hundreds a week.
4. Show that you’ve done work already
This one does two things: it shows that you’re respectful of their time, and also that you’re willing to do work on your own. Nothing scares a mentor away faster than someone who wants the mentor to do all the work, and is waiting to have something handed to them.
You’d be surprised how many emails a person known in their field might get.
So instead of asking what books they recommend, ask,
I see in your interview on TechCrunch that you liked these 5 books. I read all of those, and I’m wondering what you think of this one as well. Do you think it represents the industry accurately?
This gives them the freedom to respond with anything ranging from, “No, I don’t.”, to “I haven’t read it yet.”, to a long response telling you why they hated it. And now you’re having a conversation.
5. Ask for an opinion on something you’ve created
The next level up (these are kind of getting more advanced as we go along) is to show them something you’ve made in your field, and ask for their opinion. Notice that this includes and builds upon several of the other points we’ve already made.
It starts with business, not flattery
It’s specific
You’re behaving like a peer by showing work in the field
And you’ve already created something
So that might start with something like:
Hello Dr. Hanna,
I’m a huge fan of your work, and I have been following your research on vulnerabilities in SAP’s administrative functions.
I created this tool that automatically parses an installation and checks for everything you talk about on page 412 of your SAP Assessments book, and I’d love if you could give me your thoughts on it.
This is golden. You’ve respected them without going off into flattery. You’ve acknowledged their work and the fact that you’ve put the work in to read it. And you’ve created something in the field like a future peer.
And even though you’ve asked a somewhat open-ended question (“your thoughts on it”), you’ve earned that a bit through all the previous points. Plus, they can respond with anything from an emoticon to an essay. This is a wonderful way to start a professional relationship.
6. Offer an improvement or adjustment to something they’ve made
And that brings us to the final level of communication to someone ahead of you in your craft—value add.
It’s one thing to make it easy for them to help you. And it’s another thing to show them something interesting. But what will really get their attention is if you help them in some way.
Greetings Dr. Simmi,
In your latest podcast you mentioned using nmap with the T5 option to do your scanning at maximum speed, but I think you might want to look into masscan if speed is what you’re looking for.
I did a benchmark on the exact target you talked about in the episode and using the following command I got an 89% reduction in scan time. Just thought you’d want to know, and please keep up the great work!
This hits all the previous points plus helps them actually improve! And if they respond they’re likely to move right into a peer-like relationship with you, even if you’re far more junior. This will make it easier to formally ask later for a mentorship, or to just maintain the relationship as is.
Summary
This isn’t about manipulation or trickery—it’s about respecting people’s time and attention. If you’re trying to manipulate someone, they will feel it.
Avoid flattery.
Be specific.
Behave like a peer.
Indicate that you put the work in.
Show them something you’ve built.
Provide some kind of value to their craft.
If you can do any of these—and avoid their opposites—you’ll significantly raise your chances of getting a response from your potential mentor. And if you can do all six you’ve maximized those chances.
Happy hunting!