Take Control of What you Read, Redux
In 2026, it’s more important than ever to take control of what you read
Back in 2023, I talked about taking control of what you read via RSS, and I want to update and enhance that advice.
Take control of what you read so your reading best serves you.
When you read on the big corporate platforms (the five sites that mostly consist of screenshots of the others), you're reading micro-thinking, lacking in nuance, not grappling with complexity, and selected for outrage and engagement. And look, maybe you want a quick hit of reinforcement, a simplification of the world’s complexities, or something else which the format gives you? Cool. I encourage you to express what that is, and what fraction of your time you want that.
Joan Westenberg has a good piece Blogging in the Ruins, about the value that blogging brings. One of the points she makes is “Their authors accept that most posts won't go viral, and that's fine.” Not only is that fine, but I don’t want to write for going viral. It’s at odds with why I hope people come here, which is to get intelligent perspective on security engineering and appsec. (We also include company news.) I focus more on quality than I do on scale, because I believe that quality will bring in the readers who want to read. (I also aim for conciseness, and often miss.)
Part of that aim is that I don’t focus on reader metrics, and part of not focusing on reader metrics is that they lie and those lies would distort what I write. They lie because opens, scrolls to the bottom, and the rest of it are correlates, not effects, of thoughtful attention. If I make my point in the opener (as I sometimes manage to do), people get value without scrolling to the bottom. If we track that with javascript, it’s easy to start writing to the metric and waste your time.
Another part of that is I don’t focus on viewer metrics when accepting podcast invitations. The person who screens those looks for thoughtful, interesting questions, and so I’ve discovered that some were very small podcasts, but often by dedicated folks who were thoughtful about what they were doing. I can get behind that.
Reader metrics are also a reason that everyone wants you to sign up for their email. If I demonstrably have X readers, I can charge Y for an ad, or get onto this podcast or that. Do those email newsletters get delivered? (Probably not.) Are they read carefully? Who knows. As Goodhart told us, “When a measure becomes a target, it ceases to be a good measure."
So there’s no
catalog of our top ten posts last year. I haven’t looked, and plan
not to. Similarly, I’m going to reduce my engagement with gated
material this year. There’s a blog Medium post that I’m
seeing get a lot of references, and the author has set it to
Medium customers only. A fine choice, and I’m not going to bother
to login. Similarly, someone cited my work, and I might even have
an institutional login to AIAA. But the chain of redirects through
“OpenAthens” or “Institutional Login” or go to the UW library and
enter the DOI consumes a minute or more when you include
searching, temporarily allowing the tracking websites, the MFA
refreshes and the “checking that you’re logged into Cloudflare and Google”
captchas... All to push those metrics, all to feed the attention
machines.
Take control of what you read: Use RSS. If you prefer email, use a mail provider who’ll give you consistent control of what makes it to your inbox. Stop doomscrolling.
And if you publish, take control of how you publish. Make it easier for readers to engage with your content. Syndicate through platforms that give you valuable engagement. Be thoughtful about what you value.
Your time is your most precious resource. Spend it wisely in 2026.
As I went through to edit this post, I got to the line about “those lies would distort what I write.” I thought about making that a pull quote to make the post more fun to read. It’s insidious. (I also thought about removing the parentheticals.)