Sponsorship Notes on “TLS Mastery”

Here’s the heap of TLS Mastery sponsorship gifts, awaiting my poor postman.

43 packages on my front porch

I get asked about how sponsorships work, so I’m going to record a few notes here.

37 print sponsors at $100 each, plus 55 ebook sponsors at $25 each? In traditional publishing, we would call that an “advance.”

Except that I have to pay to purchase and mail the rewards. When I first tried sponsorships back in 2016, I calculated I’d have to pay about $10 for shipping for each print sponsor. Surely most of my sponsors would be in the US, not overseas.

I was so. Very. Wrong.

Over half of my sponsors are outside the US. Average shipping is $19. The print sponsorship is profitable, but I spend just under 40% of the sponsorship on fulfillment. I’m pondering if I want to go to the trouble of adding shipping costs to print sponsorships. The most expensive places to ship are Australia (for obvious reasons) and Israel (for inexplicable reasons, it’s right next to Europe, what the heck). Plus, there are occasional predictable failures.

I could raise the price. Going over $100 feels like it would be excessive, though.

I could integrate a shipping API, get an estimated cost, and charge $90 plus shipping. I’m not sure how such APIs react to “get a quote now and fulfill six months later,” however. I suspect Woocommerce would throw a wobbler. One reason I do sponsorships is because they’re pretty easy. This makes sponsorships more fragile. Also, my readers were voted “Most Likely To Habitually Evade Geolocation And Not Even Think About It” four years running.

I could add a note to the checkout that says “If you’re from outside the US, I’d appreciate a few extra bucks for shipping.” But I’m already asking for money for no good reason.

So, for now, things stay the same. If Australia develops Mad Lucas Disease and starts sponsoring like fiends, that might well change.

About 10% of sponsorships require a second contact. I have to drop the sponsor a note saying “Hey, USPS says your address doesn’t exist and Google Earth shows it’s an empty field in Wyoming, can you confirm?” Most often the answer is “yes, I live in a giant empty field, use my PO Box instead.” Clearly, anyone who sponsors me is probably unusual in more than one way.

I occasionally get someone who sponsored a book twice and I didn’t catch it, so I have to find out how to satisfy them. It might be a refund, perhaps another book stuffed in the envelope, whatever.

Each book gets more sponsors than the one before. I attribute this to the sponsors mailing list.

If you’re thinking of doing this: set up a real shipping operation. Buy waterproof bubble mailers. Get a tape gun. Get an online postage account (I use Shippo). Set aside a bunch of time. When I hit 50 print sponsors, I’m hiring a neighbor kid to package stuff as I sign and investigating a mailing label printer.

Sponsorships on DNSSEC Mastery, 2nd Edition will probably open in June.

TLS Mastery Release, Sponsor Gifts, and Acknowledgements

As if 2020 wasn’t sufficiently rough, I spent it writing about TLS.

Now, I’m done.

TLS Mastery has escaped.

TLS Mastery Beastie Edition
Beastie Edition
TLS Mastery cover
Tux Edition

Transport Layer Security, or TLS, makes ecommerce and online banking possible. It protects your passwords and your privacy. Let’s Encrypt transformed TLS from an expensive tool to a free one. TLS understanding and debugging is an essential sysadmin skill you must have.

TLS Mastery takes you through:

  • How TLS works
  • What TLS provides, and what it doesn’t
  • Wrapping unencrypted connections inside TLS
  • Assessing TLS configurations
  • The Automated Certificate Management Environment (ACME) protocol
  • Using Let’s Encrypt to automatically maintain TLS certificates
  • Online Certificate Status Protocol
  • Certificate Revocation
  • CAA, HSTS, and Certificate Transparency
  • Why you shouldn’t run your own CA, and how to do it anyway
  • and more!

Stop wandering blindly around TLS. Master the protocol with TLS Mastery!

Available in the Beastie Edition and the Tux Edition. The only difference is the cover. Hardcover has both covers.

Get the two-cover hardcover at any of the print bookstores below, or direct from my bookstore.

Get the combined editions at:

Get the Beastie edition at:

Get the Tux edition at:

If you’re a sponsor: your gifts are on order. I have enough on hand for my Patronizers, so I’ll be shipping those first. As soon as yours arrive, I’ll get them to you.

This was a rough book to write, so I want to share the acknowledgements.

TLS is perhaps the most complicated topic I’ve ever written about. Writing this book would have been impossible without outside help.

This book would not exist if the Internet Security Research Group hadn’t deployed ACME and organized Let’s Encrypt. TLS certificates are not only free for most people, their maintenance and renewal is highly automatable. They’ve changed the whole Internet, and deserve our thanks for that.

It doesn’t matter how many RFCs I study and how many technical mailing list archives I read: I lack the expertise and context to best illuminate an arcane topic like TLS. The folks who read this manuscript’s early stages and pointed out my innumerable errors deserve special thanks. James Allen, Xavier Belanger, Trix Farrar, Loganaden Velvindron, Jan-Piet Mens, Mike O’Connor, Fred Schlechter, Grant Taylor, Gordon Tetlow, and Fraser Tweedale, here’s to you.

Lilith Saintcrow convinced me that The Princess Bride could be a useful motif for a serious technology book. This book was written during the 2020 pandemic, so I must also thank The Princess Bride for providing me a desperately needed sense of hope.

Dan Langille gracefully submitted to the pillaging of his blog for useful hints and guidance. I am grateful that JP Mens, Evan Hunt, and John-Mark Gurney provoked him into updating that blog and saving me a bunch of work.

I am unsure if I should profusely thank Bob Beck for his time and patience in revealing the innards of TLS, or profoundly curse him and his spawn unto the seventh generation. I must acknowledge the usefulness of “Happy Bob’s Test CA,” however, so I’ll raise a glass to that while waffling over whether or not the bottle of fair-to-middlin’ wine I owe him should be laced with iocane powder.

For Liz.

Again, to all the tech reviewers and Patronizers and sponsors: thank you. This book would not exist without you.

“Only Footnotes” Now Available

My newest nonfiction release, Only Footnotes, is now in stores.

More than one person over on the Fediverse has informed me that this makes this book and/or my ouvre Pratchett-complete. Which I gather is something like Turing-complete, but cooler.

In case you missed it, or doubted that it was a real thing, here’s the release announcement–now with store links.

Only Footnotes. Because that’s why you read his books.

Academics hate footnotes. Michael W Lucas loves them. What he does with them wouldn’t pass academic muster, but that doesn’t mean the reader should skip them. The footnotes are the best part! Why not read only the footnotes, and skip all that other junk?

After literal minutes of effort, Only Footnotes collects every single footnote from all of Lucas’ books to date.* Recycle those cumbersome treatises stuffed with irrelevant facts! No more flipping through pages and pages of actual technical knowledge looking for the offhand movie reference or half-formed joke. This slender, elegant volume contains everything the man ever passed off as his dubious, malformed “wisdom.”

Smart books have footnotes. Smarter books are only footnotes.

*plus additional annotations from the author. Because sometimes even a footnote needs a footnote.

Available from:

  • my print bookstore
  • Barnes & Noble
  • Amazon US, Amazon AU, Amazon UK, Amazon CA, Amazon DE, Amazon FR, Amazon ES
  • New Book: Only Footnotes

    I know perfectly well why you people read my books. It’s for the footnotes.

    Some of you buy the Mastery books for the cover art, but those few who open the things do so for the footnotes.

    My conscience has been at me again, the filthy bastard. Charging everyone exorbitant rates for a handful of footnotes is robbery. I should produce books that people want to read. I have therefore gathered all of the footnotes from all of my books in a handsome collectible hardcover edition.

    Announcing: Only Footnotes.

    Only Footnotes. Because that’s why you read his books.

    Academics hate footnotes. Michael W Lucas loves them. What he does with them wouldn’t pass academic muster, but that doesn’t mean the reader should skip them. The footnotes are the best part! Why not read only the footnotes, and skip all that other junk?

    After literal minutes of effort, Only Footnotes collects every single footnote from all of Lucas’ books to date.* Recycle those cumbersome treatises stuffed with irrelevant facts! No more flipping through pages and pages of actual technical knowledge looking for the offhand movie reference or half-formed joke. This slender, elegant volume contains everything the man ever passed off as his dubious, malformed “wisdom.”

    Smart books have footnotes. Smarter books are only footnotes.

    *plus additional annotations from the author. Because sometimes even a footnote needs a footnote.

    Yes, it’s 1 April. April Fool’s day. This has got to be a joke, right? Am I the sort of person who would release an entire book as a gag? Might I even release a special edition of a book for those unable to accept feminine pronouns in their tech books?

    Yep. A good 1 April post has meat on the bone.

    It is absolutely real. ISBN 9781642350548. $24.99 USD, because hardcovers cost a bunch to manufacture.

    Unfortunately, IngramSpark has delayed production. You can’t buy it yet. (Insert one of those sobbing emojis, except he’s also enraged and flinging a Molotov.) (EDIT: It is now available, see https://mwl.io/nonfiction/wtf )

    Only Footnotes will exist only in hardcover, to be show off the lovely interior illustrations by OpenBSD’s Ayaka Koshibe. There’s no ebook, it’s a collectible. Specifically, it’s another step in my quest to make a career out of publishing the least useful nonfiction books known to humanity.

    “TLS Mastery” pre-order on my web store

    Publishers have researched the best book release strategy for decades. Even the indie folks have done lots of number-crunching to determine the best day to release a book, and how to optimize that release. Me? My indie book release strategy is “trebuchet this mess into the cold world as soon as it’s done.”

    Running a pre-order through Kobo or Apple or one of the little, less relevant retailers requires knowing the release date. My release date is “day back from copyedit + days to lay out in print + day to index + day to produce final print and ebook versions” = “usually 10PM on a Saturday, but sometimes bite me o’clock Sunday morning.”

    These constraints don’t apply to my bookstore, though. I can have a release date of “when it’s done.”

    TLS Mastery Beastie Edition
    Beastie Edition
    TLS Mastery cover
    Tux Edition

    TLS Mastery is due back from copyedit 1 April. I should have ebook out about a week later. Print should be in stores a couple days after that, more or less, kind of sort of.

    The book will come in two versions, the Beastie Edition and the Tux Edition. The only difference is the cover. Buy the ebook or paperback anywhere else, you’ll need to pick which version you want. Only in my bookstore will you get both ebooks in one purchase. The hardcover dust jacket will have both, of course.

    This release will let me achieve a personal goal. Here’s a picture of me with one copy of everything I’ve published, including translations.

    The author, next to a nose-high stack of one copy of everything he's published
    One copy of everything I’ve published

    The paperback and hardcover will push the stack over the top of my nose, officially achieving “drowning height.” I could argue that I achieved this some time ago, as I don’t own a copy of the Korean translation of Absolute OpenBSD. My Platonic Ideal Pile is a couple inches taller.

    But drowning’s digital. Either you’re drowning or you’re not. Either the stack would kill me or it wouldn’t. And until now, I could breathe.

    I’m planning a stack taller than me before the end of 2022. And with that, I’m off to make some $ git sync murder.

    My books on Google Play, for now

    Google has been actively hostile to authors for years. That has changed, somewhat. You can now find much of my fiction and nonfiction on Google Play, for now. I rather expect Google to reverse their less-hostile stance without warning, so these might come down as quickly as they appeared.

    What do I mean when I say that Google has been hostile to authors? Forget the bit where they scan millions of in-copyright books and make the text available. That’s a separate problem.

    Google Play offers separate terms for traditional publishers than individual authors. I own my own publishing company, but I don’t produce books quickly enough to get access to the publisher terms. Fine.

    Since its inception, Google Play has let individual authors put a suggested retail price on their books. Until recently, they reserved the right to cut the price for their customers. If they cut the price, they would pay the author their cut based on the suggested retail price. Google used this to boost their platform. They could take, say, SSH Mastery, and make it free for the next thousand downloads. I would make my $6 or so on each download. I get paid, so what could I possibly object to?

    I object to it destroying my business, that’s what.

    Modern publishing is an ecosystem. Changes in one distributor affect how other distributors behave. Other major ebook distributor either respects the suggested retail price I set on their platform (e.g., Gumroad) or they have a Most Favored Nation clause in their terms where they can match competitor prices. Apple had this for years, but I’m not certain of its status after the antitrust lawsuits. Amazon still has this MFN clause, and it actively monitors competitors for prices to match.

    Here’s how this goes horribly wrong.

    • Google makes one of my best-selling books free.
    • Amazon sees it and price matches.
    • A few thousand people download the book on Google Play. I get paid for those.
    • Tens of thousands of people download the book on KDP. I do not get paid for those.
    • Google restores the suggested retail price.
    • I spend days begging Amazon to restore the normal price.
    • Everybody I might sell that book to got it for free.

    That book is dead. I made a few thousand dollars in a month but that book brings in nothing more, forever.

    Writing is a passive income game. I count on each live book to bring in a few hundred bucks a month. Some, I’m delighted if they bring in fifty bucks a month. I count on last year’s books to pay this year’s bills. If you want to know more about how this works, check out Cash Flow for Creators.

    Free books are a valid promotion strategy. (I’ll be announcing a free novel soon, to suck people into the Montague Portal omnibus.) I need to control their use, however.

    I half-expect Google to reassert their previous model at any time. Google is spectacularly indifferent to their users. When Google blinks, I’ll be turning them off.

    Mind you, I’ll keep the books set up in their publisher dashboard. When they twitch back, I’ll turn them back on.

    “TLS Mastery” first draft done!

    I’ve completed a rough cut of TLS Mastery, and am now looking for tech reviewers who know TLS. If you know more about TLS than the above average sysadmin and would like to review the manuscript, please drop me a note at mwl at mwl dot io with the subject “TLS Reviewer” or use the contact form. I’ll be collecting feedback until 28 February. Then I integrate everything and make a real book.

    I’ve given the manuscript to sponsors, plus the Digital Reader and above Patronizers. (Thus proving you don’t need blockchain for “proof of work.”) If you’re a sponsor it’s in your account. There’s three PDFs: the one for Windows and Mac, the one with everything embedded, and the one that’s printed to PDF. One of them should work for your combination of PDF viewer and OS.

    Next up, I start hammering on $ git sync murder. Plus I fix some annoying web site issues, get the Montague Portal omnibus in production, and maybe even clean my office.

    Direct Print Book Sale


    I write too dang much. And every time I have a new book out, I grab a few extra copies. An author always has a use for extra copies. He can sell them to avid readers at conferences. He can hand them to reviewers. He can level furniture and clog the plumbing. When a reader asks if I’ll sign a book, I say “catch me at a conference.” It’s all good.

    Provided that said author ever leaves the house. Which is not the case for 2020.

    Every single one of my 2020 events was cancelled. No AsiaBSDCon, no Penguicon, no BSDCan. I’m all home, all the time. I don’t expect any of these events to take place in 2021, either. Which means that I have extra books. So I’m doing something I swore I would never do. For the next two weeks I’m selling them, direct to readers, by mail order. Yes, I’ll sign them.

    No, you can’t order via the web. This sale only runs through 9 December. It’s about getting rid of the books in my house. I’m not restocking; once they’re gone, they’re gone. So I won’t reconfigure my bookstore to handle direct print sales. Undoing such changes would burn up my time and threaten the stability of my site.

    Go check the list of books I have on hand. Decide what you want. The numbers give my current inventory of not-yet-paid-for books and the price. If it is not on the list, I do not have it. If the cell is blank, I ran out of it.

    Send an email to me at REDACTED, SALE IS OVER with:

    • The titles you want
    • Your shipping address
    • A recipient phone number
    • The subject BOOKS

    I will send you a quote for shipping, using whatever goshippo says is cheapest. Assuming you’ve given a phone number, that is. (Cheap shippers all want a recipient phone number, while the pricey USPS doesn’t.)

    Pay me. Use the tip jar for credit cards, or my business PayPal accounts at tiltedwindmillpress.com using the same email address you used to get your quote.

    If you ask for a quote, I’ll hold the books until the next day. The books are sent first paid, first serve. This means I might need a day or two to get back to you with a quote; if someone asks for a quote but doesn’t pay, it’ll go to the next person.

    Yes, it’s possible this could go horribly wrong. I could get flooded with demands for print books. I doubt it. I don’t have that many fans. But I am dedicated to clearing out this crap these magnificent tomes, and will work through everything as quickly as possible.

    translationsI even have some extra copies of translations. When you’ve written close to forty books and have been translated into nine languages, and you get two copies of each translation, well… it gets ugly. If anything in here tickles your fancy, drop me a line. Going cheap.

    If you’re a completist, there’s some rarities in here. First edition Absolute BSD, Absolute OpenBSD, and Cisco Routers for the Desperate. The PGP book. They’re half off, and I could be talked down further.

    If you’re a true hard-core completist, I unearthed a few copies of the Gatecrasher books. Those I can’t be talked down on, mind you, but the fact that they exist at all is nearly a miracle.

    I do not anticipate doing this again. I’m not saying I never will, but it’s gonna take me being stuck with extra books and being unable to leave the house. Perhaps during COVID-25 or COVID-33; I’ll have a bunch of new clutter books built up by then.

    “TLS Mastery” Covers Reveal, with T-shirts and Posters

    No, that’s not a typo. TLS Mastery will have two covers. Eddie Sharam outdid himself this time, in more ways than one, parodying an artistic masterpiece that folks have requested for years.

    Munch’s The Scream could not be used for just any book, mind you. It demands a topic of particular notoriety. A subject that drives even seasoned systems administrators to desperate shrieks for aid. Something that makes the world whirl around us all. With its classic combination X.509, ASN.1, ITU and IETF standards, and more, I’m pleased to say TLS fits this more than any other general topic.

    The book will appear in two versions: the Beastie Edition, and the Tux Edition.

    The hardcover dust jacket will have both.

    As a unique touch, Eddie painted the Beastie version. By hand. With oil paint. You know, like real art. And if you should ever be unlucky enough to enter my office, you’ll see this.

    Every day as I work, I’ll be looking at this.

    That old beat-up bookcase? Once we can safely go to IKEA, that’ll be replaced by a new bookcase for my brag shelf. My current brag shelf is overflowing.

    Real authors have the cover art for their books hanging on their wall. I guess I’m a real author now. It’s been a long time since one of my books had a painted cover. How long, you might ask? Well, the wall behind my desk has the previous paintings.

    Those are Tom Dow’s cover paintings for the two Gatecrasher books, plus a Bradley K McDevitt original from the interior. They’re roughly 1992. Getting those paintings converted to a form suitable for printing involved going to an industrial photographer and having a photograph separated into four CMYK transparencies. Each cost several hundred dollars, and had to be shipped to the printer. If any of the transparencies got damaged, the whole set was ruined. Dealing with the interior art involved high-grade photoduplication, a light table, and a wax roller.

    To prepare the Beastie Scream oil painting for printing, Eddie got out his camera. No, not the cellphone camera, a good camera.

    This is truly the best time in history to be a creator. Other than, you know, plagues and long-overdue racial reckonings and political upheaval and such.

    I’m gonna be self-indulgent here and show off the BKM interior illo as well. Like I need an excuse, it’s my blog.

    This was one of the very first pieces Brad did for me, but once I saw the book titles I knew we were going to get along famously.

    If you’re interested, you can get T-shirts and small posters with the Tux Scream and Beastie Scream at my shop. The book itself is still open for sponsorship.

    TLS Mastery updates, August 2020

    Solar systems form out of vast clouds of particles and gas. Motes of dust aggregate, drawn together by their own minuscule gravity over innumerable aeons. Those aggregates creep near other aggregates, eventually colliding into heavier masses, and their combined gravity draws yet more matter. A cosmic observer with a really compressed sense of time would see nothing happen for millennia, then there would be a huge rush as all this matter sucks itself together and becomes so heavy that the innermost atoms are compressed into involuntary thermonuclear fusion. It looks quick, but most of the progress is invisible.

    Writing this book is a lot like that.

    I’ve used TLS and SSL for decades. I have debugged errors and battled bogus certificate chains. I have screamed the vilest obscenities at SSL Labs for daring to expose my weaknesses and, like every other sysadmin, have doused browser developers in kerosine as they slept and set them on fire. I had a good working knowledge of TLS, but writing about it demanded a deep plunge.

    So: the book is about a quarter written.

    Most of my time has been spent aggregating tiny details into facts, building those facts into knowledge, and fitting my experience into that knowledge. I’m not going to jinx myself by publicly declaring that I expect the mere writing to go quickly, of course, but I feel I have some decent aggregate chunks and am ready to start throwing them together.

    The Princess Bride motif I was considering seems to be a natural fit. Which is good, because if a motif doesn’t fit naturally it’s the wrong motif. My subconscious brain recognized the suitability before my conscious mind did. (Weirdly, John Carpenter films would have also fit well. I did cosmic horror for the SNMP book, however, so my beloved Carpenter must wait for another suitable title.)

    Some bits, of course, won’t fit. A stray comment from Ray Percival reminded me that this book doesn’t mention my personal favorite Great Evil: Oracle. You might not have noticed, but Oracle has exerted great efforts to earn my personal loathing. The conversation ed1conf and I had on the Great Beast is irrelevant to TLS.

    “You’ve heard of Informix? DB/2? SQL Server 2019?”



    “In that case I challenge you to a battle of integrity.”

    “For the database?”


    “To the death?”


    “I accept!”

    “Good. Then open your console. Read this, but do not click «agree».”

    “I comprehend nothing.”

    “What you do not comprehend is called a EULA. It is odorless, tasteless, devolves instantly into legalese, and is among the more deadlier poisons known to man.”

    (deploys system)

    “All right: where is the liability? The battle of wits has begun. It ends when you decide and we both click «agree», and find out who is right and who is sued.”

    (much later)

    “They all had a EULA. I spent the last several years building up a mastery of Postgres.”

    You can still sponsor TLS Mastery either at the print level or ebook level. Don’t wait too long if you’re interested. The dust cloud is coming together faster and faster, and once fusion hits it’s all over.