Learning in public
The operating philosophy of this whole garden: publish the process, not just the conclusions.
Settled and durable. Revised rarely, referenced constantly.
This garden runs on one rule: publish at the moment of learning, not the moment of mastery.
Why this works, after enough months to trust it:
- Writing is a debugger for thinking. Half my “understood” ideas crash the moment I try to serialize them. Better to find out early.
- Visible drafts invite collaborators; polished posts invite audiences. I want the former. The growth stages on every note are an honesty mechanism: a seed makes no promises, an evergreen note stakes a reputation.
- The graph remembers what I forget. Six months from now, the link between two notes will be worth more than either note. Connection is the compounding asset.
The discipline costs something: it’s mildly embarrassing to be wrong in public, permanently, with timestamps. I’ve decided the embarrassment is the price of the feedback. Security culture makes this easier than most fields: the entire discipline runs on write-ups of things that went wrong. I won’t lie, the thought of a random dude on the Wayback Machine looking at silly notes and judging them does cross my mind. But at the end of the day, I’m just an imperfect dude trying to combat my procrastination and perfectionism. The sense of being permanently behind is a separate beast, and I’ve made my peace with it elsewhere: in security you never know enough, so the not-knowing was never the thing to hide.
House rules for myself:
- A note may be wrong, but never dishonest about its confidence; that’s what stages are for.
- Tend before planting: revisiting an old note beats writing a new one.
- Every note links to at least one other. An unlinked idea is a seed dropped on concrete.
Paths that lead here
- The ADHD-HTB playbook: hacking the brain that hacks the box · Ten friction-bypassing study methods for grinding HackTheBox with an ADHD brain, plus the two of them I turned into real tools: a Swipe-to-Pwn Anki deck and an htb-operator shell.
- Cloud IAM: measure blast radius, not policy count · The security of a cloud account isn't the sum of its policies; it's the reachability graph they create.
- Not a Toaster: The Secret Superpower Called 'Why?' · A toaster never asks whether it should toast. Humans do, and that pause has a name. A tour of philosophy: first principles, the Socratic method, epistemology, and why the annoying 'Why?' game is a real superpower.
- Tasting life twice · I've been a bad writer since primary school, all mimicry and dread. Then a line from Anaïs Nin reframed the whole thing, and I decided to write every day, in public, badly at first.
Where this note points
- Kelly criterion for bug hunting? · A half-formed hunch: allocating research time across targets is a bankroll problem, and Kelly might be the right lens.
- You will never know enough, and that's the job · Imposter syndrome in security isn't a character flaw; it's an accurate readout of an unbounded field, misfiled as a personal deficiency. The fix is a traversal strategy, not more knowledge.
More from these beds
- Metacognition, Eileen Gu, and the Fear of Going Public · The thing elite performers and good thinkers share is not raw talent; it is metacognition, the skill of watching your own mind. Here is what it is, why putting yourself out there feels so irreversible, and why the spotlight effect means it matters less than you think.
- AI Slop and the Quiet Cost of Foraging · Maggie Appleton calls it jetspraying the web with AI slop. Here is why that cheap flood is so exhausting, told through Information Foraging Theory, and why your tiredness is a rational response, not a personal failing.
- Threat-modeling this garden · Eating my own dog food: a security person's website should survive its own methodology.