Laravel Hacker

Cyber Security Resources for Laravel PHP Programmers

With more and more news stories finally illuminating all of the cyber security failings, the Laravel community needs a place to go for reference, education and help.

January 4, 2022 Joining with MasteringLaravel.io

It's sort of bittersweet. Laravel Hacker is going to be no more. But I am merging my content in with masteringlaravel.io - which is a great feeling. It's a website that my business partner and I have been working on for a long while. It's fitting that I should put my content there as well.

I came to a realization that there are just too many hills that I need to climb - most of them with marketing and education - for Laravel Hacker.

My plan was to do the following:

  • Build a small audience
  • Continue educating and growing them
  • Get some consulting gigs and learn what the hard problems to be solved are - either that or the low-hanging fruit
  • Build a SaaS based on that information

What I found was that because Laravel is pretty secure by default - and has a good reputation as a secure platform builder - it was very difficult to get people interested (or excited) about learning these skills.

You learn something from all of these things, though. I've learned that I just want to build products or a SaaS - and I want a partner to do the sales and marketing. I used to think that's a failure on my part - but I don't think so anymore. I've spent a considerable amount of time refining my skill - so it's not like I'm missing something. I just doubled down on one specific niche - whether that's good or bad, I guess we'll tell. So far it's been ok.

Anyway, that's the end of Laravel Hacker. Not like it got a lot of traction on IH anyway ;)

November 15, 2021 Launched my Video Course

A couple months ago, I worked with a company called the Infosec Institute to create a secure programming in Laravel course. They're supposed to make a marketing page for individual courses (I created the marketing content) but they still haven't.

So, I've decided to launch my own landing page for now. You can find this on laravelhacker.com/video

The video course is more than 4 hours of education, slides, code, and demonstrations. I like seeing things in practice, so I made sure to make many demos of things going wrong - i.e., getting hacked.

Infosec Institute hosts the video as part of their Skills platform, which is a subscription service. I hope they make this whole navigation thing better - because right now it's really hard to point people directly to my content.

But anyway, if you use the coupon code LARAVELHACKER you get 50% off your first year sub or your first monthly sub. With that, you get access to my video and 1200 other videos, courses, and workshops/labs. It's a pretty sweet deal for just my own course - but it's even better when you learn you can get all the other stuff as well.

October 14, 2021 Launched my YouTube Channel

I've been wanting to get a YouTube channel together for Laravel Hacker - and I finally did it today. That's a whole lot of other things to promote - but I'm going to wait until I have a few more videos.

My first video I created was this one: https://youtu.be/pTk4es96JeQ - it's about using the roave/security-advisories package to secure your Laravel app. This is great because this means in next month's newsletter I have new stuff to share with my audience.

One of the things I've been doing is working slowly but surely on things. I realize that I can't run at this as fast as I can because I'm busy with other things. But slow and steady will win - a lot of people give up. :)

September 27, 2021 Launched my first package

I've launched my first package: Project Secure. This is a Composer package for Laravel projects that watches for file changes during installation and updates of third-party packages. You can find out more on its GitHub page: https://github.com/laravelhacker/project-secure

I was initially a little scared to launch it immediately because it only really does one thing. But you have to start somewhere. I guess I have to really listen to and live by my mantra of defense in depth.

I think the thing it checks for is pretty sinister and not something that I've seen happen (yet) but that's not to say it won't.

I also launched an article about it: https://laravelhacker.com/articles/project-secure/

September 11, 2021 Moved to Hugo, quiz progress

So a couple things since last time:

First, I moved from just plain HTML pages to a site generated with Hugo. This is in preparation for launching some articles. I will have a newsletter starting in October, so I want some things to be able to share.

Second, I have been following my quiz progress. I've had over 1000 people submit with 300 subscriptions to my email newsletter / course. So far people are still going through the course - so we'll see how many stay on the final newsletter.

Next, I have to start writing an article and creating my first monthly newsletter. Then after that, hopefully my Infosec course will be launched and I can share that as well.

I've only had one negative review of my 7-day newsletter so far - and it was around "if you just write better code you won't need to have a bug tracking software" - which - oh sweet summer child programmer... let me tell you, that will NEVER happen :)

Things are going good - and I can't wait till the next thing. Whatever that is though, I'm not sure. I have a bunch of ideas, but I think once I have my article(s) written and my first newsletter put together, I need to re-think about the next steps.

August 23, 2021 Launched the 7 Question Quiz!

Today, I officially launched the laravelhacker.com website! It has a 7 question quiz at /quiz to see if your Laravel app is secure. Let's talk about:

So, first of all, the landing page currently tries to make the case for taking the quiz. Then it has a link that takes you to the quiz. The quiz link has a parameter that tells the quiz Vue app to skip its landing page. The quiz has its own landing page / screen just in case. The idea is that the home page will probably change as I offer more educational products. And right now if someone lands there, they don't need another prompt on the quiz page telling them to get going.

Then, I offer 7 questions in a quiz format. Some are checkboxes to add up - some are radio. They ask specific questions about your configuration or code. Then, at the end, it gives you a score and the option to sign up for a 7 day bootcamp email sorta thing.

The answers are captured anonymously and not linked to the email system. The email is in Drip, the answers are scored by a Cloudflare worker - and stored in a Google form. The idea is after a while I can make a white paper based on the current year and the average security of a Laravel app.

This is exciting, though, as I've finally launched this. I'm going to then drop people into a mailing list that is monthly. This will include new things I think of and some upsells.

Today is a good day!

July 4, 2021 Sharing when there is something produced

So I've thought a lot about this "building in public" thing. I think it's great for those who really want to share. If you're already sharing on Facebook or tweeting on Twitter, why not use that energy for something good? And, if you're building something that you can give little quick wins along the way, that's great too - share all you want. But what if you're not that communicative? What if you're not a marketer at heart?

I know that people would say get over that - do it anyway, you need to build in public - it's the best way to get more users, it's the new hotness. But you know, a lot of things have been built not in public, too. (I mean a lot have failed, as well).

The whole build in public thing seems like a cycle that I've seen on the internet. Every decade there's a resurgence of show what you're doing, explain what you want, who you are - and then that slowly slides as people realize it can be a cauldron for narcissists. Then it goes even further away. Then the next decade an over-correction happens again. I think that over-correction happened a few years ago. I think we're in the middle of people following the "wise" advice and seeing if it makes sense for them.

I don't think it makes sense for me.

Let me tell you about the good things:

First, I think building in public can be a good marketing tool. I think it also helps validate your project along the way - if people aren't interested in the wins you can share while building, are they really going to be interested in the project when you're done?

Another good thing is it helps people stay accountable. I know a lot of people have a problem staying on track. Whether it's doing what they started out to, launching something, etc...

But I don't have that problem.

Let me shift to the bad things for building in public for me.

I don't need anyone to hold me accountable. I hold myself and others to a pretty high standard. Anyone who joins my team - even if I'm not their boss - they find themselves trying to show me that they can live up to the level that I expect from them.

I expect the same from myself. I've done a lot of work, I continue to work on myself and my craft. I have launched many, many things. I've failed more times than people have dreamt of trying (I'm not upset by this - this is just part of my journey - and it took me a while to get to the part where I'm ok with all of this).

But for me, staying "accountable" to others makes me in constant fear I'll let them down. It's not a driver for me for good - it's a builder of anxiety and stress. I drive myself, I don't need to be beholden to others that frankly I don't even know - or might even be made up in my head.

I also think that attempting to find ways to promote my content while I'm building it - through writing about it - is making me not want to even build the content. I'm already drained from trying to think of things to say about what I'm making that I don't want to make what I'm making. I get it - that could be tough when I'm finished and then I have to figure out how to market it - but I am a firm believer in marketing after a product is built is half sales work, filling needs, etc - and half the product being good enough to produce word of mouth without your hand on it.

Oh one other thing - I should say that Indie Hackers is probably a great place to get involved and have people help you - but again, this is a social exercise, and the thought of this - without having something I'm even remotely proud of yet - seems tiring. I've seen too many people share and take and take and take and never actually produce anything. I'm not saying I need to have something complete 100%, but I need to have the first MVP done for me to feel more comfortable interacting with the community. Yeah, there are places for "idea people" but I think we need 1/10th of them compared to implementation people (like me).

Anyway, because of all this, I'm removing my reminder to blog on Indie Hackers once a week. (I had set it for every Friday). I had missed this last Friday and it's been weighing on my mind. Even worse than the fact I didn't get stuff done on Laravel Hacker that I wanted to. This was even worse, and I don't like that.

So because of all this, I'm going to only write updates on here and get involved when I have actual milestones completed. I don't think anyone would really care to hear I'm 10% there, I'm 20% there, etc...

Already I feel a weight lifted off of my shoulders and I'm more excited now to work on my content again.

June 25, 2021 Some work done early

I was able to get to work on Tuesday for some of these tasks. It's funny, if I were coaching me I would have yelled at me for taking too much time on a trivial challenge. Let me explain...

So I was having a problem deploying the Laravel Hacker quiz page onto Cloudflare Pages. For some reason, it couldn't find its node dependencies - yet locally the compile always worked. I have some thought that maybe it doesn't understand that the directories aren't at the top level. Maybe? Maybe not.

At any rate, I ended up spinning up thinking maybe I should make the Vue app on its own subdomain. Or maybe I should make the whole thing a Vue app instead. I was concerned that the home page would take time to load the Vue app - but in all reality, for a long time, I'll only have a Vue app. Then I thought maybe I can commit the dist folder, even though I tend to not want to do that. But this isn't a huge project, so I should stop worrying.

I spent way too much time worrying about that. In the end, I ended up committing the dist directory - and now I have a new coming-soon page with the actual app distributed.

I then started working with wrangler and local cloud functions to answer the quiz. That's about as far as I made it. I made a list of things that I need to get done in order to launch. Those include writing the cloud workers item, storing data in the key/value store, setting up Drip with the email course, writing the course, and implementing Fathom Analytics.

So I have some work to do.

In addition, I've started again recording videos for the Infosec course this week. It took almost 8 hours to record 22 mins of video - but that was editing, recording, waiting for the storm to pass, creating slides, writing a script, and generating 3 demos using brand new code. So it does take a while, but they're coming together nicely. I'm still pretty far behind my due date goal, and they seem a little upset, but it is what it is.

It's feast and famine for contract work - this week it's crazy busy - so I'm just going to have to focus on that. All these people who talk about side projects and just give it your all, I wonder if they're just working a standard 9 to 5 that lets them leave. Self employment is harder - it's easier because you can work on these projects when you want - but it's harder because you have to generate your work and then do it when it arrives. But I'm getting there.

June 18, 2021 Working in Parallel & Intermediate Deploy

I've decided that yes - I do deserve to give myself a little credit and give myself a break. There are a lot of stories that we tell ourselves and things that happen in our brain as founders / programmers / entrepreneurs. One of those is "you're not working [hard] enough." You see all these great stories and you wonder - man - what if I just worked harder. And I've had that get to me a little bit.

But in reality, I'm working full-time, I'm working on my health and developing an exercise routine, I'm developing on Laravel Hacker, and I'm creating security programming videos for Infosec Institute. And when I was thinking about this all earlier today, that's when it hit me.

I'm actually working in parallel, too!

Infosec gives you royalties on your videos - but they also have a great partner/affiliate program. Part of the offer I want to offer my Laravel Hacker community members will be coupons for my videos - which technically are an extension (if slightly different) version of what I plan on teaching them along the way. So this works! I've actually been working harder than I thought. ;)

Anyway, today is a short day - have some vacation time this weekend and so I'm trying to close up everything. I will be focusing on swapping out to a new coming soon page in my current repo so I can learn to deploy entirely with the Cloudflare Pages. I have a Mailchimp landing page up currently - and 2 people have signed up to get notified. It's not going to be such a big deal if I don't have that.

June 11, 2021 Slowing Down - but that's ok.

Last week I had quite a lot of slow progress and took a lot of time to think about my progress, life, balance, etc.

I'm slowing down on this project, but that's OK. I have a lot going on currently. And no side project or even regular project is worth destroying your mental health. I think I'm slowly getting to be ok with that. It's still a struggle not to beat down on myself, though.

I made a landing page for the LH home page that pitched the quiz with a link to the app skipping past its first step. That means that now if someone shares the main website, that's great - and they get pitched the quiz. If someone shares the quiz page, since it's not directly coming from a special start link, it will have its own splash page.

Next steps are to write the Cloudflare Workers code, create a Drip account, and write up the 7 or 8 emails I need in order to make use. Then I'm ready for launch. I thought I was going to be done with that by now - but now I'm going to set myself a goal to be ready to launch more around the first of July. This is "OK" - I am fine with this (he says to himself)...
