Leanpub Podcast Interview #40: Peter Yaworski

by Len Epp

published Nov 29, 2016

Peter Yaworski

Peter Yaworski is the author of Web Hacking 101: How to Make Money Hacking Ethically. In this interview, Leanpub co-founder Len Epp talks with Peter about his career, his book, and his experience self-publishing on Leanpub.

This interview was recorded on August 9, 2016.

The full audio for the interview is here. You can subscribe to this podcast in iTunes or add the following podcast URL directly: http://leanpub.com/podcast.xml.

This interview has been edited for conciseness and clarity.


Len: Hi, I’m Len Epp from Leanpub, and in this Leanpub podcast, I’ll be interviewing Pete Yaworski. Pete is a self-taught developer with experience in Rails and Android, and has a specific interest in software security. Pete enjoys passing on what he’s learnt to others in his published YouTube tutorials, and he is currently the lead developer at Dailylearns.com. You can follow him on Twitter @yaworsk, and you can check out his website at www.torontowebsitedelveloper.com.

Web Hacking 101: How to Make Money Hacking Ethically by Peter Yaworski

Pete is the author of the Leanpub book, Web Hacking 101: How to Make Money Hacking Ethically. His book is focused on demonstrating real-world examples of security vulnerability reports that resulted in bug bounties, and specifically on becoming an ethical hacker, and using the skills you learn to do good in the world, making the internet safe both for users and for companies.

In this interview, we’re going to talk about Pete’s professional interests, his book, his experience using Leanpub, and ways we can improve Leanpub for him and other authors at the very end. So thank you, Pete, for being on the Leanpub podcast.

Pete: No worries. Thanks very much for having me.

Len: It’s our pleasure. I always start these interviews by asking people for their origin story, so I was wondering if you could tell me how you got into web development in the first place, and how you made your way into the security scene?

Pete: I guess in terms of web development, I’ve always liked programming, I’ve always liked computers. I kind of fell out of it in high school, and went on to university and got a master’s degree. When I got out, I was working in the public sector and government here in Ontario. One of the projects that we had was a web development project for - I guess what they were calling at the time, “Web 2.0”. It was kind of ground-breaking for government to do this, so I was working on the policy side of that. We developed this project, and it was my first introduction to Drupal. From there, I just kind of got into Drupal and realized what the world of web development looked like, and started trying to learn as much as I could.

From there I started developing sites on the side. One thing led to another, and I took a leave of absence from the government for a gig at a startup in Toronto. Then with a baby on the way, looking for a little bit more stability, I went back to government. When I did that, I happened to read at the same time a book about Anonymous and what they had done. I’ve always had an interest in security, especially from the developer standpoint. And at the time, I was also taking a look at Coursera sites, and there happened to be one on security, and things just kind of fell into place.

One thing led to another where I took the course, read the book, started looking around, and I came across Bugcrowd, which is a platform for hackers essentially. They have a forum there, and I was going through the forum, and somebody had referenced the HackerOne platform, which is another bug bounty platform. HackerOne keeps what they call a “hacktivity”; it’s a list of all these public disclosures of people who have found vulnerabilities on websites. And for me, it was just a treasure chest of information, and that was my first step into hacking. I kind of learned what SQL injections were, cross-site scripting, all that kind of stuff. I executed them, found them, and it took off from there.

Len: What was your master’s degree in?

Pete: Public Administration.

Len: Did you do that at the University of Ottawa?

Pete: University of Queens.

Len: That’s a really cool path. I’ve interviewed lots of people who make their way into web development from something completely different, but never from the world of public policy, so that’s really fascinating.

I was wondering - there’s a lot that we can talk about, of course - ethical hacking, hacking, security and stuff like that, but I was wondering if you could explain a little bit maybe about what a bounty is?

Pete: A bounty, for lack of a better term, is a payment for finding a bug on a website. And that bug is typically security-related. So big sites, little sites, all shapes and sizes will either offer their own platform, which typically you don’t see unless it’s a big site like Google. PayPal offers their own as well. But then you have other sites that will use a platform like HackerOne or Bugcrowd. I guess there’s also a couple other - I should be fair. Cobalt, and the fourth one is escaping me.

But anyways, they’ll use these platforms, set up a program and they’ll have a defined scope. So it’ll tell you, “We want you to hack on maybe our core website, or any domain that we have.” And they’ll kind of open the door and say, “Hackers, come check us out.” Sometimes it’s a private program, where you get invited based on your previous experience. And sometimes it’s not. Some pay, some don’t. But the whole idea is if you find something and they pay, you get what’s referred to as a bug bounty.

Len: And what’s the biggest bug bounty that you’ve ever earned?

Pete: I think my biggest payment was 25K - oh sorry, not 25K, that sounds a lot worse, or a lot bigger. $2500. And I happened to get that from the HackerOne platform itself.

Len: I’ve got a question about that. Is it ethical for someone - if you discover a vulnerability, say on a website - to email like the administrator of the website and say, “Hey, I found something. Pay me.”

Pete: I would say, I would leave out the “Pay me” part. And even the question of finding stuff is, again, for lack of a better term, questionable. I can tell you, I’ve done it, and it’s not always– Sometimes I’m a little bit hesitant to do it, just because there have been experiences where people have gone and hacked on a site and companies don’t take it well. Especially if there happened to be kind of the malicious people that are out there at the same time. So if you happen to be looking at something, and you happen to do something that a malicious person is doing, it could be misinterpreted as you doing what they’ve done. So I guess to answer your question, I wouldn’t necessarily recommend it. I definitely wouldn’t recommend, “Hey, I found a bug. Pay me.”

Len: That’s a really clear answer, and one I’m glad to hear. It’s funny, when I was looking at your book, I was reminded for some reason of one of my favorite shows from the 80s, which was Magnum PI. I don’t know how many of our listeners will remember that. But at the very beginning of the very first episode of Magnum PI, he’s breaking into the compound. And you don’t learn until afterwards that he’s been paid to break in, to discover security vulnerabilities. And he actually, in the show, gets into computers a little bit, as well, eventually.

But there’s this great scene when he’s trying to break into the Ferrari, his iconic Ferrari. And Higgins, the sort of majordomo, has sent the dogs after him. And Magnum has this moment where he’s like, “Don’t look at the dogs. Don’t look at the dogs. Don’t look at the dogs.” And he’s just got to focus on getting into the car. I was wondering if web hacking has any analogies to that? Where you’ve got to really stay focused on one part of what you’re doing, when something might be coming at you from another direction?

Pete: That’s a really cool analogy. It kind of resonates - I don’t know if I’ve ever necessarily been chased by the dogs. But I can tell you from what I refer to as the ethical, the white hat perspective - that focus is definitely there. I’ve been lucky enough to see some hackers working on sites, and one of the things that I’ve recognized that I need to focus on is that - lack of a better term, again - that focus. That kind of resiliency.

Especially when you see something that you know isn’t right, and that could potentially be a vulnerability. For me at least - when I’m working on a site, sometimes it’s tough. You put in 30 minutes, an hour, hour and a half, two hours and you don’t see anything that looks like it could be potentially exploitable. And so then you start thinking about, “Well, what am I doing with my time?” And at least for me, I can’t speak for others - it starts really becoming a mind game.

Where it’s, “Should I keep going? Should I not keep going? What’s going on? Should I do this? Should I change targets?” Whereas some guys who are very successful, I just see them - they sit down, an hour, two hours, three hours, four hours. They might not find anything, and then all of a sudden something clicks and they do find something. So I don’t know if it entirely answers the question, but yeah.

Len: That’s really interesting. It was a question about the internal workings of what it’s like when you’re in the midst of this. And that’s a really good answer.

I was wondering if you wouldn’t mind talking about what the worst vulnerability is that you’ve ever found? I mean, worst can be interpreted in various ways, but I guess most potentially damaging to the company?

Pete: Yeah, I definitely don’t mind. I guess the one that comes to mind is actually really recent. Unfortunately I can’t name the program, because it’s a private program - and they still haven’t fixed it. But I mean once [they go public] I’ll probably disclose it, because I want to include it in my book.

But I found a couple things. One, I was able to [assess their] registration process. When you register, and you verify your account, they have this login process which eventually redirects you to a URL that includes a user ID in it. As I was watching this traffic, I decided to try and change that user ID. So let’s say I was User 123, I used a proxy - which is something that can intercept your traffic. So I stopped the request before it actually got to the site. And I said, “Instead of being User 123, I want to be User 122.” And I passed it forward to the website - and sure enough I was logged in automatically as User 122, and had access to their full account.

Len: Oh my.

Pete: Yeah, so that’s what’s called an Insecure Direct Object Reference, an IDOR. Those are kind of fun to find, because they can be pretty devastating. Other vulnerabilities I’ve found - actually on that same site, I was able to delete all images from the site. And I’ve also found - some fun ones are when you find information disclosure. So on another site, I happened to find a user object. So with that, rather than just return say a username, and a first name/last name, it would actually take the full object. So you might have a whole bunch of properties on there - 10, 20 properties. And they would return that in the response. So you wouldn’t see it on the website, but if you looked at the traffic you would see their account information. You would see their phone number. You would see all kinds of personal information.

Len: Oh my. Those sound pretty bad.

Pete: Those are fun.

Len: I wanted to ask you a little bit about what the white hat hacker community is like. You were mentioning to me before we started the interview that you were at something called DEF CON last week in Las Vegas. I should mention, it’s probably implicit in one or two of the questions that I’ve asked, but Pete is in - you’re based in Toronto that’s right? In Canada?

Pete: Yeah.

Len: And he was in Vegas last week for this DEF CON conference. I was wondering if you could tell us a little bit about that.

Pete: I guess it’s kind of a shameless plug, but I’m going to be writing up a blog post on it as well, because it was an incredible experience. I was lucky enough to be sponsored to go by a company who offered to bring me out, as kind of like a new and upcoming hacker. I wasn’t one of their top hackers. But I guess they saw some potential in what I had reported so they offered to bring me out.

And so I got out there, and I had known - I guess I know a fair number of people in the community. I had never met anybody face to face, and when we did - honestly it was such a tight-knit community, everyone was welcoming. Everyone’s really cool. Everyone is insanely smart. I can’t speak highly enough of the people that I met. Really, I didn’t have a bad experience with anybody there. It’s actually a really tight-knit community, but at the same time somebody new could walk in tomorrow.

A shout out to my friend Kev, who was in Vegas. He and I had never met, but he kind of started bug bounties when I started them. And we had chatted back and forth, talking about different vulnerabilities and stuff that we worked on. When I got out to Vegas, he came to the hotel right away. We hit it off, and we went to the HackerOne party together, and he just absolutely killed it when he was there. There were a couple events that HackerOne threw for hacking, and he walked in as kind of an unknown. I think he came in 2nd place in the hacking that we did there. So all that is to say, it’s not like it’s a closed community. I’m relatively new, Kev was new. If you’re good you share what you know, you’re kind of open. Everybody seems to reciprocate that type of atmosphere.

Len: And if you’re thinking of joining this community, where would you go as a first step?

Pete: As I mentioned there’s HackerOne and then there’s Bugcrowd. I’m not as active on Bugcrowd as I probably should be or want to be. But those two platforms are probably the best place to go. You can check out the programs that are there, and start reading through what people have found. So HackerOne has the hacktivity, and then Bugcrowd has their forums which also have some disclosures there as well. Those are great places to start because it’s open information about what people have found.

And then from there - I mean, I guess as bad as it sounds - Twitter is actually a great space for it. When you start seeing the people that are disclosing vulnerabilities on say, HackerOne, they typically have their Twitter profile associated with that on HackerOne, so you can check them out and start following them. You’ll start to see the conversation that goes in and around the community on different things - people posting blogs about stuff that they’ve found, explaining bugs that they’ve found. That’s probably the best. And then, shameless plug - you want to check out my book.

Len: Go ahead, plug away, Web Hacking 101 at Leanpub.

I was wondering specifically - I mean obviously people in the community get together for conferences and things like that, and collaborate around things online. But do people ever work in pairs, or in teams, to exploit vulnerabilities - or to discover vulnerabilities, I should probably say?

Pete: Yeah, they definitely do. I don’t have as much experience with it. It’s definitely something that I want to do, and actually coming to DEF CON I made a few good friends - we’ve stayed in contact and we’ve opened up our own chat, so that we can do that. We can stay together and we can work through things. But I know two of them, out of the four that we are now, they submitted stuff together when they were at DEF CON. And they’re working through - because the company’s asked for a more concrete proof of concept of a hack to be actually exploitable. But I know of a whole bunch of other guys that do hack together and have found vulnerabilities together. It definitely happens.

Len: I only know about this subject mostly from the tech press and things like that, but I was wondering if there was any discussion at the conference, or if you have a particular opinion of your own about the future of passwords? Are we going to be using passwords still in 10 years? Or will there be some kind of facial recognition or some other - or two-factor authentication everywhere, or some sort of addition to or alternative to password use?

Pete: That’s a good question. I mean, if I was completely honest, I probably haven’t given it much thought. I can tell you that I think 2FA, two-factor authentication, can definitely be improved by a lot of sites. I tend to like to look at it, and try to hack on it. I’m actually working through a proof of concept for it now, that I’ll be finishing up after this interview. So I mean, to answer the question, I think OAuth might be the way to go, where maybe you have a couple sites that are considered locked down and you use them, and you log in through them.

There’s also the idea of the 1Password, [where you use a] single password, and that service happens to store all of your passwords and kind of be locked down as well. But I guess recently, before DEF CON - there was a couple hackers looking at those, and finding vulnerabilities. So I really don’t know what the answer is, I don’t know what the future holds. It’ll be interesting for sure. Either way, I’m sure someone will find a way to break into whatever it is that comes along.

Len: That’s kind of the thing, right? I have a friend who’s got a very strong opinion about, for example, online voting for like federal government elections. And his opinion is that we should never do it, because anything can be exploited. If it’s an electronic voting machine - or at least if it’s done over computers and the internet and that kind of thing. Have you thought about that? Do you have an opinion? Is there a threat to democracy there? Or is the risk outdone, potentially, by the reward of having more people vote more often?

Pete: I like to think that technology offers us a lot of solutions, a lot of convenience. I don’t know that I would necessarily - I guess there’s a broader scale if you open up the technology that there’s potential for exploitation. But at the same time, there’s also quite a number of means to track that and monitor that. There’s also a lot of smart people that work with technology, right? So I think either way, systems can always be broken, whether they’re manual or electronic.

In terms of putting it online, I would be a proponent of that. I would say I like the use of digital services. And in terms of that - it could always be exploited, or someone will be out there. Open it up to us ethical guys, and let us take a look and see what’s there and report it. That’s a good way to plug some holes.

Len: One thing I’m curious about is what your setup is like? As a hacker, do you have a special type of computer? Or do you use special types of instruments of any kind?

Pete: I really wish I had a cool answer for that, but no. No, when I was doing web development, one of the things that I liked to do was record video tutorials, because I found that teaching others - and this is actually why I got into the book, was teaching others helped me solidify what I was learning. And so when I was doing that, one of the things that I invested in early was a computer that I could do video editing and that kind of thing on.

So it’s nothing special, but I think I have - which doesn’t sound as crazy now as it did when I bought it - but like 32 gigs of RAM, a great video card, two monitors. Again, and it all kind of sounds very standard now - but that’s pretty much it, just that. And then I typically, in terms of software - I use Burp Suite, which is a proxy which allows us to intercept traffic, take a look at it. I usually have a virtual desktop set up so I can run Linux while I’m using Windows. And then on my laptop it’s typically the same idea. I think I run Ubuntu on it, and I have Burp on there. I actually need a better laptop, but no, nothing overly special.

Len: There’s obviously a lot of Hollywood around people’s views about hackers. One particular narrative that people might have is of someone who, when they’re very young, does something they very much should not have done. And then later on, turns to the good side and puts on the white hat. Have you ever met anyone who’s gone through that? Or is that much rarer than people might think it is?

Pete: No, actually coming from DEF CON, there were quite a number of people who have that story.

I’ve done some pro-tip interviews as well. As I’ve tried to learn, I’ve been picking the brains of other hackers. And I think recently, I did one with Jason Haddix from Bugcrowd. And if memory serves, he’s the technical director of Bugcrowd, and he’s an awesome guy. He did a presentation at DEF CON 23, which was last year, on, he called it “How to Shot Web”. And so it was, how you become a successful hacker. And if memory serves from that interview, he started out doing some questionable things, and turned it around. And if I’m mixing that up, Jason - I apologize.

And then there’s some other hackers that I talked to, some that I met at DEF CON, who had that experience. One or two of them had some run-ins with law enforcement, and it really opened their eyes and they quickly stopped that. But at the same time, I’ve talked to other guys who are very successful, who I think started hacking because their parents would lock them out of the internet after an hour or so - and so they wanted to get around that. So, not everybody starts off on the dark side and comes over.

Len: That’s funny. I know a guy who ended up in design, not in hacking. But his first experience with technology was his parents trying to prevent him from watching cable. He had this kind of running game - but it wasn’t really a game - with his dad where he’d figure out little hardware hacks to get the cable working. And then his dad would see what he’d done and try and prevent that, and he’d have to come back and try a new workaround. It’s interesting that that experience of being young and being blocked from something that you want to do, can inspire this kind of desire to get through.

Pete: Exactly.

Len: On that note, I guess I would be remiss if I didn’t ask you something you probably are bored of being asked at the pub, but how accurate is Mr. Robot, the TV show?

Pete: You know what? I wish I was asked that more. So, this is going to sound bad, but I actually haven’t watched it. I’ve followed some conversations on Twitter, and I can’t think of who it is now, but the technical advice from that is provided by a hacker. From what I understand it is very accurate. That’s something I have to get into. I have a little one, so I don’t have as much time to watch TV as I would have liked. I meant to watch it on the flight to DEF CON, but things didn’t work out the way that I wanted them to.

Len: Oh well, fair enough. You’ll really enjoy it when you get to it. Thanks for the expert opinion coming from people who would know, that’s really good to hear, because it is just an amazing show.

Moving onto your book, shameless plug, Web Hacking 101: How to Make Money Hacking Ethically. I was wondering if you could explain a little bit about what the book is about and who it’s for?

Pete: Absolutely. As I mentioned, I started it off as a learning experience for me. As I was learning to hack, there’s a lot of technical stuff that’s out there and so I’ve written it for people who are brand new to the scene, who are kind of coming in and want to learn more. As I was working through that, I was reading reports. And I would recommend everyone check out Egor Homakov’s blog, because he does awesome work.

He was writing about some complex stuff, and I couldn’t follow it. I didn’t know what was going on. And someone in the comments had said, “I’ve written a plain language explanation of what he’s talking about.” And that to me was a light bulb that went off, and I was like, “If I’m having this trouble, and somebody else is having this trouble, and they’ve written an explanation of this, maybe there are more people out there that want that.”

So that was my first step into writing the book. Originally what I had tried to do was just take 30 vulnerabilities, and explain them in plain language. So if somebody was brand new to hacking they could understand what was going on. Like, what are the typical types of vulnerabilities that you find on a site? What’s cross-site scripting? What’s SQL injection? What is HTTP or HTML parameter pollution? Those kinds of things.

And in doing that, actually, HackerOne reached out to me. They had found the book, and I think Michiel from HackerOne, one of the co-founders, was the first customer that I had. He bought it within - I think - an hour of it going live. And then their CEO reached out to me and was really interested. He kind of kept poking and prodding me, and getting me to improve the book. And so it took off from there.

And really, the first half of the book is just explaining what the vulnerabilities are, and then after HackerOne pushed, poked, prodded, and also contributed to the book, we expanded it. I wrote about what a good report would look like if you’re getting started and you’re going to be reporting to a company, what that interaction should look like. What are terms you should know? What are tools you should use? And how you actually get started - I have a chapter there that I’ll probably continue to improve as I improve, on what it looks like to get started, how you get started, and where you look, and how to be successful.

Len: I really enjoyed that story that you tell at the beginning of your book, about how you had a kind of a couple of “oh shit” moments, when you had, in a way, both the best, but kind of scariest thing that could happen. Where you publish your book, and you get a customer which is awesome, and then they’re reaching out to you - and it’s an authority figure in the area that you’re writing about.

Pete: Yeah. It’s not as bad now, but I definitely struggle a lot with the impostor syndrome, especially as you join a new community, something that’s established. The hacker community is obviously well-established. And so to step in there and start writing a book was a little bit nerve wracking for me. When Michiel bought the book, I think he said, “Great work. Keep me updated”, that type of thing. And then Jobert, another co-founder there, he had written a post on Quora, and I was following up with an answer, and then I thought, “Oh man. Should I really do this?” And so I did that.

And then Martin’s email to me was like, “Hey. I saw you’re writing a book. I’d love to know more.” It was just like, “Oh man.” I was using content from their websites so I thought for sure it was going to be some kind of trouble. But no, it turned out he was a complete fan, and wanted to really support it and support the community - which was awesome. And he did a lot. He actually paid for the cover. I should mention that because before - and he called me out on it at DEF CON - it was not good. I think it was white with like a purple, or white - something like that.

Len: That’s a fantastic story.

Actually on that note I was wondering - how far along would you say the book was when you published the first version?

Pete: Oh, from where I am now comparatively, it was really early stages. I think my first publication of it maybe had 20 vulnerabilities? And originally all I wanted to do was just plain language, 30 vulnerabilities. So if you’d bought the book, you would have an idea of kind of what those key vulnerability types were. So if I was putting it into perspective, it was maybe 20% done from where it is now.

Len: Right now it says, I think, 97% complete on the website. Does that mean you have a few edits to make? Or another chapter? Or some more - you’d mentioned at least maybe one more vulnerability that you want to add.

Pete: To be honest, the 97% is a bit of a misnomer, I really don’t have - and that’s one of the great things that I like about Leanpub is, I don’t really have any plans to finish the book. Because I’m still learning, there’s still new vulnerabilities out there. There’s lots of stuff that I don’t cover in there. I plan to keep contributing to the book. And so really it should just say kind of “indefinite”, because I’m just going to keep adding to it. I think that’s one of the benefits that the guys - or I shouldn’t say guys - but the people that have purchased the book like about it, in that, they get the lifetime updates. So they make their one-time purchase, and then they get notified whenever I make the changes. To me it’s kind of, I don’t know, I guess I see it as at least in the short term, a lifetime endeavor.

Len: That’s really fascinating. We refer to that sort of as a “living book”. We don’t refer to it formally anywhere like that, but that’s how we think of it internally.

I noticed also that you include your email address in the introduction to your book, which is something that a lot of Leanpub authors do, asking for feedback. I wanted to ask, is that something that people have been taking advantage of?

Pete: Yeah, absolutely. I was originally pretty hesitant about it. But I’ve been pretty open in terms of my video tutorials, and my website, and people getting in contact with me. I threw it out there because I really want to hear from people. And I do. I hear from a good number of people, and it’s really interesting to hear their stories.

Like when I was at DEF CON, I got an email from a 37-year-old single mother who thanked me for the book, and said it was awesome. She’s learned a lot. Another guy reached out to me - a developer of 12, 13 years, who didn’t know where to start with hacking, and has picked up the book and is now working away. It’s always awesome to get those kind of emails. I really appreciate when people do. And I do get a lot of people reaching out on Twitter, as well.

Len: That’s great. I noticed also that there are already two translations of your book on Leanpub - one in Russian and one in Arabic. [There is now also a Spanish translation - eds.] I wanted to ask how that happened - did the translators reach out to you?

Pete: They did, actually. So the first one, Eugene who did the Russian translation, he had worked with another author on a Rails book. He translated for him, and he just said, “Hey, I’m really interested. I’m a big fan of the book. I’d be interested in doing a translation if you wanted to. Here’s my experience.” We ran with that, and it’s been awesome. He’s a phenomenal guy - a ton of great work. And so that was kind of our first step.

And then same thing happened with the Arabic. Someone reached out to me on Twitter and said, “Big fan. I’d love to do some translation.” And so he did the sample book, got it done quickly, and the work was good, so we just took it from there and now we’re working through the full Arabic version.

Len: And how did you find working with Leanpub? I imagine this is your first self-published book, and I wanted to know a little bit about what the experience was like.

Pete: It’s going to sound like I’m just kind of pumping your tires, but I really enjoy working with the platform. It was a bit rocky for me at the beginning, because I wasn’t familiar with Markdown. And so when I started writing, I was also - I don’t know why, but I guess I wasn’t technically inclined. And so I started using the online editor. Which I mean, if anybody’s going to be listening to this and wanting to write a book, I would say, I would recommend, take the hour, take the two hours. Get familiar with Markdown, and get familiar with linking up with GitHub. Actually, I use Bitbucket, so not GitHub. I think you guys may or may not interact with GitHub?

Len: We do. But it’s not free for private repositories and Bitbucket is.

Pete: So I would say get a repo set up, get familiar with Markdown, and do it that way, because it is so much easier. It’s so convenient. With me, I can, with the laptop, having access to the repo, I can go to the coffee shop, pump out a chapter, push it to the repo - and then the preview’s automatically done, and I can see what it looks like in the PDF, in the EPUB. So yeah, that would be my advice.

And it was the same thing with the translators. Eugene had experience with it, but the author doing the Arabic version - he was asking me if he could do it in Dropbox. And I was fine with that, I was open to it. But when you’re doing translations - at least for Eugene and me, him more so - when you can grab the repo and you can check the changes between what you’ve done the last time, or what’s happened in a quick version check through it, I think it just makes things so much easier. Obviously you can do that with kind of Word and all the rest of that kind of stuff. But if you’re a developer and you have experience developing, I just find it easier to do it from that perspective.

Len: I was going to ask about that. It’s interesting, the challenge of translating an in-progress, living book. How do you deal with that? Do you write something, publish the new version of the English book, and then pass on that change to your translators?

Pete: Yeah. So, they have read access to the repo for the English version. And then they obviously have write access to the translated version. I’m pretty sure they’re both customers. They can pull the changes from the English version, read them, and then check the version history, and then do whatever they need to translate, make it to their specific repo, and then push those changes up.

Len: Is there anything around community that you wish we had built that we have not, that you can think of?

Pete: That’s a good question. It would be kind of cool to reach out to other authors. Recently, I’ve reached out and man - the Rails developer - his name escapes me now, of course. But it was his book that introduced me. It’s on multitenancy Rails.

Len: Ryan Bigg.

Pete: Yeah, exactly. Ryan’s book introduced me to Leanpub. I think it was the first book - it might be the only book that I’ve purchased off of Leanpub. And so I reached out to him on Twitter, because somebody was talking in a feed about e-publishing versus physical publishing, and there was kind of a conversation going on around there. There were some big names that were actually responding to that.

It was cool to see that communication going on, but that was just on Twitter. So if there was something along that line, that would kind of bring the community together, I think that would be pretty valuable. Hear what’s worked for other people, what hasn’t. Even in terms of like, if you’re doing self-publishing, you obviously don’t have a big marketing budget, or I wouldn’t assume you did. So it’d just be cool to hear what worked and what didn’t for other authors.

Len: That’s really interesting that you say that. Thanks. Actually, we were talking internally about something along those lines just recently. And it’s very early stage, just ideas right now. But one of the things we’re thinking of was - how can we help get authors who have succeeded at self-publishing together with each other, so that they can exchange their war stories and strategies?

And the thing that we’re working through that’s difficult is like - we’re nice guys, right? So the idea of making a kind of exclusive club is something that we would want to manage very carefully. But at the same time, if you can have a group where you can go where you know everybody there is working hard, and good at what they’re doing, and not just dropping in without any real commitment to the process, and just kind of asking - it’s the classic forum problem, right?

That’s something we’re going to think hard about, because we were wondering if there wasn’t a desire out there for authors who - I mean, you’ve got 420 readers for your book right now, which is really good, you’ve got two translations. We can see from our end, that’s definitely somebody who’s taking it seriously. And we were thinking of some way of helping people get together around that. So this will give us some extra impetus to go ahead and see what we can figure out about that.

Just before we go, I was wondering if you had any questions you wanted to ask me?

Pete: Well that’s - I’m going to put you on the spot. I can’t think of the developer’s name - you asked me about hacking on sites that don’t necessarily let you hack on them. And so - this is completely unrelated to the platform, whatsoever - but I had decided to take a look at Leanpub to see how stable it was - if I was going to be selling my book on there. And I noticed a couple vulnerabilities. And Pete had emailed me back and said that the fixes were supposed to be pushed. But I don’t know if they ever did, and I haven’t gone back to test them. So I was curious.

Len: We are working on them right now. Thank you very much for the help. We really appreciate it.

Pete: Okay.

Len: Alright, well thanks very much, Pete for taking the time to do this. I had a great time chatting. And thanks for being a Leanpub author. Good luck with your book. And if you ever have any questions, please just reach out and let us know.

Pete: That’s awesome. I really appreciate it. Thanks very much; the feeling is definitely mutual. It was awesome to chat.

Len: Thanks.