Freelancing tip: collecting your clips in one place

One of the best things that I ever did was put together a website that had links to all of my clips. Granted, this was in 1995 when the Web was young, and many pubs didn’t have online versions. But now everyone is online and it is a lot easier to do.

Why should you build a clips site? Because you need a reference to your body of work. When you pitch a new editor, he or she wants to be able to quickly go someplace and review your clips and see how and what you write. If you have it all nicely arranged online, you make getting new work easier. All they have to do is look up your website online and read your previous work. You can also use this website as a handy reference for what you should be pitching too. Finally, you also increase your Google juice and drive additional traffic to your work, which is helpful these days when everyone is counting page views.

What should you use? I use my own hosted WordPress site, and it is a good tool to learn anyway, since many sites now employ it themselves. You can take a look at my site here, and see that I have separate pages for each publisher, and then I also put up a new post whenever one of my articles is published. You can add keywords to make it easier to find particular subjects too and demonstrate your expertise in particular topic areas. I also add a short summary, or maybe the first paragraph of the piece, in my post. If you get a blog on, it is free of charge but then you are limited to their templates. If you want something fancier, you can run a WordPress site on your own domain for a few dollars a month, as I do.

But sometimes putting links to online stories isn’t enough. A lot of pubs have come and gone, and so for the articles that you really care about, take a moment after a piece is published and produce a PDF copy of the piece. (If you have a Mac, this can be done easily through the print dialog box. If you have Windows, there are utilities that can help too.) Then put this PDF in a folder that you can retrieve later when the link dies, and post it to your website.

If you don’t want to build your own blog site, there are other alternatives that are free. Editorial-for-hire services such as Ebyline, Contently, and Skyword all offer this feature, and they also might notify you when a piece is posted so you can add it to your portfolio. Here are links to mine:

Note that you can create a custom URL in the Contently and Skyword portfolios, which is a nice touch. I went overboard with my page in Contently, putting more than 400 article links together. I think they have the best of the three systems. I am not sure it really matters once you have more than 25 stories in your portfolio, but if you are going to use one of these services for your actual portfolio, then you should maintain it. I still recommend you set up your own clips website outside of these systems for complete control and just in case one of the services goes out of business or changes things on you.

The hardest part about building your clips website is just getting started. Once you have it running, adding a new clip won’t take more than a few moments.

Ways to Watch Your Freelancing Rate

I have been in the freelancing business for 25 years and have seen a disturbing drop in per-word rates, especially in the past couple of years. I remember when $1 per word was considered the middle of the road for an established IT writer. Now it seems like the top of the heap, and in some cases almost unattainable. I frequently get asked to write for ten cents a word, or even less.

So my suggestion to freelancers is this: Try to work for the editors that you respect that will pay you the most per word.  In the long run, this will make you the most money.

In order to do that, you need to know how much work is involved in creating the kind of article that you will be asked to write. This means understanding how much research and reporting is needed; and for that you need to be careful about your own limitations and understand the process of how a story gets constructed.

These days research almost always means looking stuff up online and spending time clicking and reading various websites. That isn’t too hard, but it can get time consuming. The good news is that this research isn’t limited by anything other than your own curiosity and time. Sometimes you don’t understand something and really need to talk to a live person to clear things up, and that is when you need to do some reporting.

Reporting is where the time can get away from you. I recently wrote a story where my editor asked me to get a quote from a source at IBM. I was working with the right PR person (which for a big company like IBM can be a challenge in and of itself) and she was doing a great job hooking me up with the right expert. Except it was taking too long. I couldn’t file my story until I had this quote: weeks went by before the stars were in alignment and I could do my interview. So be prepared: in some instances research can take far longer than expected, and you should account for this when you decide to accept an assignment. And don’t take your client’s word for how accessible a source could be: oftentimes they don’t realize what is involved in securing an interview and obtaining a quote.

Finally, don’t forget my advice about accounting for the number of edit cycles that a client may have in store for you. That should be reflected in your contracts and your rates. Don’t be shy about requesting a heavy surcharge for additional edit cycles, because that can eat up your time quickly.

How to Know When to Write

I have been a freelance writer for more than 25 years, and before that, a professional trade journalist for another six years. Over the years my income has varied but always been very comfortable. I have written magazine articles for most of the major IT pubs, created dozens of websites, and written three books, two of which have been published (and let’s just say the results were less than stellar). Over that period I learned a few important lessons about being a freelancer that I want to share with you. Here is one biggie:

Find your best time of day to write, and protect it.

I am a morning person, that is the way it is. I am most productive in the hours before 10 am. On all of my books, most of the major writing was done in the early morning hours. You need to listen to your body’s biorhythms and follow them. If you have an article to write and it is the wrong time of day, put it aside until tomorrow. Don’t try forcing the words on the page. You will be more productive.

Maybe you have never thought of your writing in this fashion. I know when I first began to do freelancing, I was a bit lost. What do I do first? How do I put together a pitch proposal for work? You have a lot of things competing for your time. So, structuring what you are planning on doing is critical.

For the next week, keep a short journal and note what you spend your time on during each day. Start paying attention to when you can write with the fewest distractions. Do you need to turn off your email, not answer your phone? Shut down a few windows on your computer? Whatever it takes, it is time to focus.

Finally, keep track of ideas. You can use a journal, or have a Word doc that you annotate. Your editors are always looking for new ideas, and it is helpful to have a ready supply of potential pitches.

Now make sure to schedule your “writing time” so that you don’t have other things going on that invade this important part of your day. Dentist or doctor appointments? Visits with friends? Keep them, certainly, but schedule them around your best and most productive moments.

Avoid Rewrite Nightmares: Keep the Edit Cycles to a Minimum

One secret every freelancer has to learn is that the writing part of the job pales by comparison to the time needed for work to be edited. I have worked for very good and very bad editors over the years. From the best editors, I have learned how to sharpen my writing and improve how I frame particular ideas. From the bad ones, I have learned patience and, well, read on.

There are some clients that just can’t seem to help themselves and have to rewrite almost everything from top to bottom. To avoid getting trapped in these situations, you need to be crystal clear about how your work will be treated once it leaves your computer. Some clients think they are better writers than you, others want to show to their bosses that they have added value to your work.

Now, my contracts are very explicit about this process. I put in language that says exactly that I will perform one edit cycle: I write it, the client makes comments, and I submit the final version. If they want to go back and forth endlessly, I charge more. In some cases, a lot more, such as two or three times my original rate. That usually gets my point across: the editing is almost more time consuming than the original writing. If you don’t have a standard contract, now is the time to look around online and modify one that will suit your purpose.

I am not saying that every word that I create is precious and needs to be in the final piece. Just that I enjoy writing, not fiddling with syntax and word usage.

It also helps to have a clear idea of who is going to be involved in the actual editing process itself. Sometimes you get stuck between two editors, one who undoes the changes of the other. Insist (and in writing too) on a single point of contact at your client and have them consolidate and filter all the requests for changes to you. Otherwise, you go nuts with this back-and-forth. And put that in your contract too.

With some writing projects that I have done, I wanted to get multiple comments from reviewers very quickly into my draft, almost happening in real-time. For these situations, I have used one of the real-time editing tools such as Google Docs or Both tools reflect requested changes with a scrolling chat window and different colors to represent each person’s changes. But you have to know your client very well to implement something like this.

If all else fails, then don’t work for these clients: They can make you work much harder  for an end product that isn’t always superior. In the end, you will be happier and enjoy the writing process more if you limit the number of edit cycles and approvals up front.

The Russians are coming! The Russians are coming!

There has been a great deal of misinformation about Russian hackers lately in the news. Let me try to set the record straight.

Earlier this week the Wall Street Journal reported on a briefing given by the Department of Homeland Security about attempts at compromising electric utility control rooms to bring down our power grid. These attempts were actually documented by another US government entity called CERT here back in March.

According to the WSJ piece, “Hackers compromised US power utility companies’ corporate networks with conventional approaches, such as spearphishing emails and watering-hole attacks. After gaining access to vendor networks, hackers turned their attention to stealing credentials.”

However, as this Twitter stream describes, the claims made in the WSJ article are somewhat misleading. The reporters claim the control centers operate with air gaps, meaning that their computers aren’t directly connected to the Internet. That isn’t quite true. DHS and CERT both learned about these hacks from private security firms.

But that isn’t the only hacking effort that the Russian government has been involved in. Mueller’s GRU indictment was announced earlier this month, naming 12 individuals involved in the hacking of various political organizations’ networks. That document makes for interesting reading and shows the lengths that Russian spies went to in penetrating the DNC and the Clinton campaign.

Here are just some of their techniques mentioned in the indictment:

  • Spearphishing and watering-hole emails using URL shorteners to hide malware webpages, in one case using a phony email account that mimicked a Clinton staffer’s, differing by a single character
  • Stealing account credentials to obtain emails from DNC and Clinton staffers
  • Entering the DNC network using open source tools to install various RATs and keyloggers to obtain additional credentials

These three attacks were also used in compromising the utility networks. But wait, there is more:

  • Spoofing Google security notification email messages
  • Using the malware-infested document hillaryclinton-favorable-rating.xlsx that linked to a GRU-created website
  • Copying and exfiltrating documents via encrypted connections to a GRU computer in Illinois
  • Using PowerShell scripting attacks on Exchange email servers
  • Deleting log files and other traces deliberately to hide their presence
  • Setting up various websites: some mimicked a typical political fundraising page, others appeared to be news sites with negative stories on the DNC
  • Making cloud-based site backups and then using them to create their own accounts to steal additional DNC data
  • Creating fake Facebook and Twitter accounts to leak DNC data and promote the leakers’ websites
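
As an added example (not from the indictment or the original post), here is one way a mail administrator could catch the single-character lookalike senders mentioned in the first list above: compare each inbound From address against known staff addresses and flag near misses. The addresses, function names and threshold are constructed for illustration.

```python
"""Flag inbound senders that sit one edit away from a known staff address."""
from email.utils import parseaddr

# Constructed sample directory, not taken from the page.
KNOWN_STAFF = {
    "jane.doe@campaign.example",
    "sam.lee@campaign.example",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,         # deletion
                         cur[j - 1] + 1,      # insertion
                         prev[j - 1] + cost)  # substitution or match
            # Adjacent transposition, e.g. "campaing" for "campaign".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def normalize(header_value: str) -> str:
    """Extract the bare address from a From header and lowercase it."""
    _, addr = parseaddr(header_value)
    return addr.strip().lower()


def find_lookalike(sender: str, known=KNOWN_STAFF, max_distance: int = 1):
    """Return (known_address, distance) when the sender is close to, but
    not equal to, a known address; otherwise return None."""
    addr = normalize(sender)
    if not addr or addr in known:
        return None  # unparseable, or a genuine known address
    best = None
    for candidate in sorted(known):
        # A length gap larger than the threshold cannot be within range.
        if abs(len(candidate) - len(addr)) > max_distance:
            continue
        dist = osa_distance(addr, candidate)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    return best


def triage(from_headers):
    """Return [(raw_header, impersonated_address)] for suspicious senders."""
    hits = []
    for raw in from_headers:
        match = find_lookalike(raw)
        if match:
            hits.append((raw, match[0]))
    return hits


# Constructed From headers covering each kind of one-character change.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@campaign.example>",  # genuine
    "Jane Doe <jane.d0e@campaign.example>",  # substitution: o -> 0
    "Sam Lee <sam.lee@campaing.example>",    # transposition: gn -> ng
    "sam.le@campaign.example",               # deletion
    "newsletter@vendor.example",             # unrelated sender
]

if __name__ == "__main__":
    for raw, target in triage(SAMPLE_FROM_HEADERS):
        print(f"SUSPICIOUS: {raw!r} resembles {target}")
```

A hit is a reason to quarantine or banner the message for review, not proof of malice, since legitimate addresses can also sit one character apart.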

Some in our administration debate whether Russians were behind both of these attacks, but the evidence is pretty clear to me. If you want to see the data firsthand, you might want to first take a look at an analysis of the Russian Troll farm’s Tweets by academic researchers here and then download their data on GitHub if you want to do your own analysis.

The indicted members of the GRU were first seen in the political networks in June 2016, at which point the DNC hired CrowdStrike to investigate further. However, the GRU spies continued to operate their RAT tools and persist on the DNC network until October 2016.

These efforts have been known for some time: Motherboard ran a story in April 2016, and then came out in July with this piece from Thomas Rid that offered a detailed technical explanation, saying that the forensic evidence about Russia is very strong. And a December 2016 story in the New York Times actually shows one of the rack-mounted servers breached by the GRU, sitting in the DNC offices, shown above. The Times documents the “series of missed signals, slow responses and a continuing underestimation of the seriousness of the cyberattack.”

As many security analysts well know, you don’t remove the physical servers anymore. That is strictly old school. Instead, forensic investigators make digital copies of their hard drives and memory so that they can preserve their state and detect in-memory exploits that would be gone if the machines are unplugged. This is called imaging and has been around for decades.

It is time to get more serious about protecting your email

Did you get a strange email last week from someone that you didn’t know, including one of your old passwords in the subject line? I did, and I heard many others were part of this criminal ransomware activity. Clearly, they were sent out with some kind of automated mailing list that made use of a huge list of hacked passwords. (You can check if your email has been leaked on this list.) It really annoyed me, and I got a few calls from friends wanting to know how this criminal got ahold of their passwords. (BTW: you shouldn’t respond to this email, because then you become more of a target.)

But the question that I asked my friends was this: Do you still have logins that make use of that password? You probably do.

Email is inherently insecure. Sorry, it has been that way since its invention, and still is. All of us don’t give its security the attention it needs and deserves. So if you got one of these messages, or if you are worried about your exposure to a future one, I have a few suggestions.

First, you need to read this piece by David Koff on rethinking email and security. It brought to mind the many things that folks today have to do to protect themselves. I would urge you to review it carefully. Medium calculates it will take you 17 minutes, but my guess is that you need to budget more time. There is a lot to unpack in his post, so I won’t repeat it here.

Now Koff suggests a lot of tools that you can use to become more secure. I am going to just give you four of them, listed from most to least important.

  1. Set up a password manager and start protecting your passwords. This is probably the biggest thing that you can do to protect yourself. It will make it easier to use stronger and unique passwords. I use, which is $2 per month. For many of my accounts, I don’t even know my passwords anymore because they are just some combination of random letters and symbols. If you don’t want to pay, there are many others that I reviewed at that link here that are free for personal accounts.
  2. Create disposable email accounts for all your mailing lists. Koff suggests using, but there are many other services including,, and They all work similarly. The hard part is unsubscribing from mailing lists with your current address, and adding the new disposable addresses.
  3. Even with a password manager, you need to make use of some additional authentication mechanism for your most sensitive logins. Use this for as many accounts as you can.
  4. Finally, if you are still looking for something to do, at least try encrypted email. is free for low-end accounts and very easy to use.

There is a lot more you can do to make yourself more secure. Please take the time to do the above, before you get someone else trying to steal your money, your identity, or both.

Cyber Security Threat Actions This Week (podcast)

If your organization is not using the MITRE ATT&CK framework yet, it’s time to start. Katie Nickels from MITRE, Travis Farral from Anomali and I join host David Senf from Cyverity to talk about ATT&CK tactics, techniques and tools. You can listen to this 45-minute podcast here. We discuss what ATT&CK is and isn’t, how it can be used to help defenders learn more about how exploits work and how to become better at protecting their enterprises, what some of the third-party tools that leverage ATT&CK are (such as MITRE’s own Caldera, shown here), and what some of the common scenarios are that this framework can be used for.

I did two stories for CSOonline about ATT&CK earlier this year:


How to market your book in the social media age

(This article originally appeared in the newsletter of the St. Louis Publishers Assn. It is part of a speech that I gave in July 2018 about marketing books by self-publishers.)

The most important phase of writing your book has nothing to do with the actual act of writing. It is in finding the right people who will promote the book to the world and turn potential readers into your buyers.

Back in the old days, before the Internet became popular, book authors hired publicists to promote authors, get them booked on talk shows and for book tours. They still exist, but there are other paths towards promotions. And what is good is that you can largely do much of this work on your own, if you have some self-promotional skills. The biggest part of that is in understanding how social media influencers work. (Here is a link to start your research.)

These influencers are the people that have the right kinds of followers in their networks. And they can become very powerful allies in your book marketing plan, and the cost to use them is pretty much just your time, and tenacity.

So how do you find these folks? The first thing is looking at your own social media networks, and making a list of the people that would be relevant to the topic of your book. What, you don’t have many friends on your networks? Now is the time to get busy friending people, and seeking out folks that could become pathways to promotion. You don’t need thousands of names, but you do need to approach this task on a regular basis, and friend new people every day. For those of us who are introverts, this can be painful, and can run counter to our instincts to hide behind our computer screens. Try to fight this, and reach out to people across your neighbors, your work colleagues, your church or other social organizations, and so forth.

One thing you don’t want to do is to buy lists of names. While this is certainly possible, you don’t know the quality of the names you are getting, and chances are many of these names aren’t going to be helpful to your book promotion anyway. Save your money.

Next, figure out the keywords that describe your audience, topic, focus, and what they are interested in and why they would buy your book. This means using these keywords to do many Google searches. Many means hundreds. Sometimes, you want to combine two or three keywords to be more effective.

Next, pick your social media network where your audience will hang out. If your book has a visual component, then stick with Pinterest or Instagram. If you have news-related content, Twitter. If it is general interest fiction, Facebook. Business-related topics, LinkedIn. These aren’t hard and fast choices, and feel free to experiment with more than one social network if you have the time. This doesn’t mean you need to craft a separate collection of Tweets, Pinterest Pins, etc. In fact, you can share announcements across multiple social networks. A good tool to do this is Hootsuite (shown here).

While you are doing all of this, you should settle on your book title and domain name for your book’s website. Yes, you need a website. Part of that website should be an email newsletter, where you tell your potential readers what is going on with your book, so they can get involved in its writing and production. You should commit to writing one post every week in the months leading up to your book launch on your website. After all, you are a writer!

Next, start collecting email addresses from your social media connections and use them to populate an email list. There are plenty of low-cost web hosting providers out there, and plenty of choices with email server companies such as MailChimp, ConstantContact, SendGrid, and others. Many of these services have free plans if your list is small, so take advantage of them. You can send out a new email with a copy of each blog post to save time if you wish.

Finally, start thinking about collecting reviewers. There is an entire universe of Amazon influencers, but I won’t get into that here. Look at NetGalley, especially if you want to join the IBPA. This is a website that is used to promote new books to a list of active readers and reviewers. Good luck with your marketing!


This week we take a trip down memory lane to discuss the highlights of our 60-some odd collective years of working as B2B journalists in the technology field. There are some great stories, such as meeting Bill Gates (Paul at a press junket, David at an industry conference) and working with Greg Gianforte, now a member of Congress from Montana after making several fortunes starting technology businesses. Being a tech journalist has its risks: Charles Wang, when he was chairman of Computer Associates, campaigned to get Paul fired from Computerworld, but the two later became friends. David’s parody of Miss Manners got him a cease-and-desist letter from the columnist’s lawyers. We both recall what the introduction of the web did for our industry and our world back in 1994, and how quickly the publishing market changed as a result. David recalls with fondness his interaction with Bob Metcalfe, the inventor of Ethernet and now a professor at UT/Austin.

David remembers writing about a skunk works project from IBM to use spreadsheets as a front-end to their mainframe databases, and noted how the sole programmer behind the project, Oleg Vishnepolsky, later said his career was changed by the articles. Paul recalls the “old IBM,” which once mistakenly put out a press release and then disavowed what it said.

We have lots of other memories, and hope you enjoy this episode.

Watch that keyboard!

We are using our mobile phones for more and more work-related tasks, and the bad guys know this and are getting sneakier about ways to compromise them. One way is to use a third-party keyboard that can be used to capture your keystrokes and send your login info to a criminal that then steals your accounts, your money, and your identity.

What are these third-party keyboards? You can get them for nearly everything – sending cute GIFs and emojis, AI-based text predictors, personalized suggestions, drawing and swiping instead of tapping and even to type in a variety of colored fonts. One of the most popular iOS apps from last year was Bitmoji, which allows you to create an avatar and adds an emoji-laden keyboard. Another popular Android app is Swiftkey. These apps have been downloaded by millions of users, and there are probably hundreds more that are available on the Play and iTunes stores.

Here is the thing. In order to install one of these keyboard apps, you have to grant it access to your phone. This seems like common sense, but sadly, this also grants the app access to pretty much everything you type, every piece of data on your phone, and every contact of yours too. Apple calls this full access, and they require these keyboards to ask explicitly for this permission after they are installed and before you use them for the first time. Many of us don’t read the fine print and just click yes and go about our merry way.

On Android phones, the permissions are a bit more granular, as you can see in this screenshot. This is actually just half of the overall permissions that are required.

An analysis of Bitmoji in particular can be found here, and it is illuminating.

Security analysts have known about this problem for quite some time. Back in July 2016, there was an accidental leak of data from millions of users of the ai.type third-party keyboard app. Analyst Lenny Zeltser looked at this leak and examined the privacy disclosures and configurations of several keyboard apps.

So what can you do? First, you probably shouldn’t use these apps, but try telling that to your average millennial or teen. You can try banning the keyboards across your enterprise, which is what this 2015 post from Synopsys recommends. But many enterprises today no longer control what phones their users purchase or how they are configured.

You could try to educate your users and have them pay more attention to what permissions these apps require. We could try to get keyboard app developers to be more forthcoming about their requirements, and have some sort of trust or seal of approval for those that actually play by the rules and aren’t developing malware, which is what Zeltser suggests. But good luck with either strategy.

We could place our trust in Apple and Google to develop more protective mobile OSs. This is somewhat happening: Apple’s iOS will automatically switch back to the regular keyboard when it senses that you are typing in your user name or password or credit card data.

In the end though, users need to understand the implications of their actions, and particularly the security consequences of installing these keyboard replacement apps. The more paranoid and careful ones among you might want to forgo these apps entirely.