Personal offensive manoeuvres

I’ve been lucky enough to work and have many conversations with John Romkey, someone who knows what it means to be online and who understands the risks and advantages of such a position. Amongst the many things I have learnt from him, there is one that, lately, I’ve been coming back to: the different types of cyber-attacks an individual or an organisation may have to weather. The 2×2 below lists four possible types:

ambient active

Type 1 (ambient, intelligent) attacks could be scripts written to continuously target specific individuals or organisations, or a small subset of a population and their devices. For example, a bot that scours the web for potential botnet army recruits (read: vulnerable IoT devices). Type 2 (active, intelligent) attacks typically manifest as real-time, co-ordinated action against a specific entity. For example, when Anonymous or some other group goes after an individual or org with the aim of humiliation or dissipation of political power. Type 3 (ambient, dumb) attacks that are amateur and simplistic attempts at large scale action. If you run a WordPress site and see that someone (or something) has tried one thousand times to login to your account, chances are it’s a bot trying to brute-force its way in by trying every conceivable password. Type 4 (active, dumb) attacks are what you get when some teen sees an exploit or methodology on the net and tries to emulate it on a random person.

My understanding of these things is, admittedly, shallow and not exactly subtle. But I think it’s worth making preliminary excavations towards the roots of these ideas so that you’re not caught completely off-guard by unforeseen events. However, this matrix of online attacks (and the common defences deployed against them) has another use.


A while ago, Naval Ravikant—entrepreneur, investor, and startup sage—compiled a thread entitled, How to Get Rich (without getting lucky). In the thread he talked about the “permissionless leverage” that code and media creates. He said:

“Fortunes require leverage. Business leverage comes from capital, people, and products with no marginal cost of replication (code and media).

Capital means money. To raise money, apply your specific knowledge, with accountability, and show resulting good judgment.

Labor means people working for you. It’s the oldest and most fought-over form of leverage. Labor leverage will impress your parents, but don’t waste your life chasing it.

Capital and labor are permissioned leverage. Everyone is chasing capital, but someone has to give it to you. Everyone is trying to lead, but someone has to follow you.

Code and media are permissionless leverage. They’re the leverage behind the newly rich. You can create software and media that works for you while you sleep.

An army of robots is freely available – it’s just packed in data centers for heat and space efficiency. Use it.

If you can’t code, write books and blogs, record videos and podcasts.”

Where does the creation and circulation of “permissionless leverage” fit into the matrix above? Let’s switch the emphasis from a malicious actor attacking a person or entity with desirable assets (like wealth or specific intellectual property) to an individual playing offence to enhance his or her interests. What are his options for creating wealth? Again, there are four:

Type 1 manoeuvres (ambient, intelligent) involve one of two things. First, the creation of code and media, Naval’s “permissionless leverage”. Or, second, the creation of low-touch automated systems that generate value and capture it. In the latter case think of a lifestyle entrepreneur setting up a dropshipping business that requires minimal oversight each week, and only moderate intervention every month or two. Or think of a fullstack freelancer who creates a system that pulls leads to an info-product, sells it, upsells after the fact, and catapults the converted lead into a community of individuals united by a mutual interest.

Type 2 manoeuvres (active, intelligent) are one-offs, as opposed to recurring. The cultivation of relationships with people whose skillset you admire; forays into complex topics and domains; the negotiation of contracts and options; that sort of thing.

Type 3 manoeuvres (ambient, dumb) are recurring and easy to set up. For example, creating an automated email sequence for subscribers to a newsletter, or certain IFTTT formulas. They can also be particularly ineffective—think spam, brazen popups, auto-follows and obviously-scripted cold emails.

Type 4 manoeuvres (active, dumb) are mostly in the class of “showing up”. For example—and this is kind of cynical—I’ve been witness to people’s ability to gain influence in an organisation just by being in the right place all the time. Via presence, not contribution. Think of Grima Wormtongue in Lord of the Rings. It is not his ability, insight, or power which gets him his stature, but his determined proximity to those things. Power via association, if you will. A remix of this is showing up for a friend. Not offering insightful observations or delivering wise counsel; just being there.


I used to read more about personal finance and financial independence (PF-FI as I dub it in my commons) than I do now, but one of the consistent themes I came across is that those who are wealthy—millionaires, for example—become so because they have multiple income streams. They get paid a salary, and they accrue speaking fees, and they get book royalties, and they collect share dividends, and they sit on a board of directors.

But with the above matrix in mind, I now see multiple income streams as a distribution amongst the four possible offensive manoeuvre types. But I don’t want to just say, “Spread your efforts amongst them”, and leave at it that. I want to look a bit closer,


In my reckoning, there are five ways to evaluate the value of the four types of manoeuvres…

– Ease of creation (investment required to get it going).
– Ease of maintenance (a.k.a. high touch or low touch).
– Short-term ROI.
– Long-term ROI.
– Risk (chance of irreversible negative consequences).

Let me give you an example. Let’s say I want to write a comprehensive introduction to the fundamentals of cryptocurrencies. Such a guide would be classed as media, as permissionless leverage, so I am seeking to create something that is ambient and intelligent. Such a guide would not be easy to create: it would require a deep knowledge of fiat monetary systems and a fingertip feel of the cryptocurrency ecosystem and its technical foundations, as well as the ability to communicate that knowledge. But once created, it would require little maintenance. In terms of ROI, over the short-term it would be neglible (unless I had a previously established platform to release it to, that is), but over the long-term it could create relationships that have significant future value. It could lead to my gaining a seat at the table when new cryptocurrencies are evaluated—it could lead to a lot of things, actually. And how risky is it? Not very. I lose the time, attention, energy and money invested to create, publish and push it, but that’s about it. The downsides of such a project are pretty bounded.

Which leads to my final method of evaluation. There are four types of personal offensive manoeuvres, and there are five ways to go about evaluating them. But, their relative value is also modified by whether you are a Have or a Have-Not. I don’t mean this in the Marxist sense. My distinction is simpler than that. Haves have time, attention and energy to spare; Have-Nots, uh, don’t. The distinction between Have and Have-Not can be made in terms of monetary power, but I feel that is a bit crude. I prefer to focus on intangible assets.

An example. A Have-Not—someone with next to no time, attention, energy or money to spend—may stand to benefit immensely from the creation of permissionless leverage; but his status as a Have-Not makes the pursuit of that strategy unfeasible. So perhaps he would benefit more from an active-dumb approach that will pay off down the line?


The edifice of the framework above has cracks. The cultivation of a relationship with a maven is something I classify as an intelligent-active manoeuvre, but once it is cemented it becomes ambient—friends look out for friends, and professional acquaintances look out for opportunities to give those around them a leg up. After a while, it gives credit without requiring debits. Alongside that, keep in mind that “intelligent” and “dumb” are not synonymous with “effective” and “ineffective”. Recall that, in John Robb’s terms, complex systems are vulnerable to primitive attacks. Want to precipitate the collapse of an economy? A few determined individuals with several kilos of explosives can cause billions of dollars of disruption if their aim is true. The same goes for personal offensive manoeuvres. Sophisticated systems that generate immense value and capture a slice of it are great, but they’re not always feasible and/or necessary.