I am very online, and get contacted by a lot of people about, frankly, a lot of different things. These have historically ranged from people looking to break into or move up in the cybersecurity field, reporters inquiring about my research or looking for help analyzing other research, etc. I like to think that I’m pretty reasonable about being contacted, because I:

  • don’t care what platform you use to reach me (with one exception),
  • read all incoming messages/mail and respond where it’d be mutually beneficial, and
  • will even read vendor pitches, take demos, etc. if they’re relevant to what I’m doing.

So what’s the catch?

No Unsolicited Calls/Texts

I explicitly do not allow sudden interruptions in my life, and in my opinion, neither should you (outside emergencies)! We’ve grown accustomed to the slew or notifications from our devices, the social media platforms we use, etc. - anything to get us pay attention to them. This wastes the most valuable resources we have in our life: our time and energy.

I’ve decided that I want to be in control of my focus and attention by weeding out notifications of many kinds. Due to this - also due to rampant spam issues, and poor security overall, and low quality - I don’t take calls or texts.

I’m so adamant about this that I’m willfully posting a fake phone number online under “how to contact me” sections on social media, so that prospecting databases (which sell contact information to vendors/recruiters/etc.) aren’t selling my actual contact information. Instead, they’re selling a phone number I purchased through Twilio and programmed to automatically tell people how I prefer to be contacted.

So if you’re here because you contacted +1 (267) 627-8463 (rewritten: COS NAP-TIME), I’m both glad that you are interested in contacting me, and sorry to have tricked you. It’s just not a mode of communication I will use, and this was an easier way to make sure you did get a prompt response saying why. If you’re interested in how COS NAP-TIME works behind the scenes - from creating the automated responses to what worked best to ensure prospecting companies marked it as the “best” phone number to use to contact me - you can read more about in a brief article I wrote about creating it.

Instead, You Can Try …

Note: Please contact me with only one method to reduce clutter, unless we mutually agree to switch to a different method/platform/etc.

I maintain a robust social media presence where I can be contacted asynchronously and normally expect to read (and reply if it’d be beneficial) within one week. Listed in order of preference, I can be contacted at:

For secure communciations, I recommend contacting me via Keybase, which is provably associated with this domain and several of the above accounts (denoted by the 🔒 emoji) if that’s something you care about. If requested, I may voluntarily disclose my Signal, but generally only do so for known InfoSec community members or reporters. For both E2E encrypted messaging options, feel free to set a message retention limit to whatever you feel is approriate (I usually prefer a couple months).

Please remember that secure messaging does not guarantee privacy. I can be compelled by legal orders as well as $5 wrenches, and while I obviously won’t go out of my way to publish 1:1 conversations (unless you’re trolling/scamming/etc.), it’s worth keeping in mind when discussing sensitive topics.