Learn what it's like to be a Principal IOT Security Engineer, with Tracie Martin! Check her out on Twitter!
Thank you to our sponsor: Ubic Security! – API security for all!
Buy Tanya's new book on Application Security: Alice and Bob learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter!
Sponsorship info: info@wehackpurple.com
Welcome to the We Hack Purple podcast, where each week I get to welcome a really amazing guest and we talk about what their career is like in information security: what is their job like, does their job pay well, what types of attitudes or attributes or personality traits or training or education do you need in order to do different types of jobs. This week we are going to interview Tracie Martin, who is a Principal IoT Security Engineer. This week we are also sponsored by Ubiq Security; they do API security and they make a cool product to help with that. Without further ado, I'm going to welcome our guest. I just have to do an intro. Oh, and I'm Tanya Janca, I always forget I'm the host. Hello. And now to reveal our guest, Tracie.

Hey, how's it going?

Good, how are you?

I'm doing pretty good. We got a week of summer given back to us from all the wildfires and everything else, so we're enjoying that.

So where are you, Tracie, approximately?

It depends on who's asking, because I used to get really mad at people who would say they were from Seattle when they're secretly from a suburb, because I lived in Seattle. But now I've sold out and moved to the suburbs, so if you're not from Washington State, I'm from Seattle; if you're from Washington State, I'm sorry, I live in Bothell. I'm in the sticks.
That is fantastic. So will you please tell us your name and your online handle, Tracie?

Sure, my name is Tracie Martin. My Twitter handle is at dat security chick, no k, because I ran out of characters. People always ask about that name and where it came from. I was the first woman hired to the information security segment for NATO counterintelligence in the 50-year history of the organization, and nobody ever knew my name. To this day I don't think anyone there still knows my name, but there would always be somebody being like, "I'm looking for that security chick, you know, the... that security chick." And so when I got on Twitter I thought, yep, that's who I'm gonna be, I'm gonna be that security chick. But I didn't have enough characters, so I had to get clever.

Right before we actually got ready to get on, I tweeted and I was like, "data security check, data security check, why can't you find Tracie?" And I'm typing and typing and I was like, that's it, I'm just gonna put her name and go with it and I'm sure it'll be fine. And it appears to be fine.

So yes, there's a dat, no, a chip. Okay.

Yeah. Okay, perfect. So please tell us your amazing new job title.

Yeah, so I am a Principal Security Engineer for a pretty large technology company. Right now we run a lot of the cloud infrastructure that backs IoT for users in the cloud, and so my job is really just poking around. It's actually been great fun: poking around and saying, if I were an attacker, how would I attack this, and if I was building something to stop an attacker, how would I stop an attacker like me from doing an attacky-like thing. That's pretty much what I do.

An attacky thing. Perfect, yes, that's a trademark, you can't use that: that's a tacky-like thing.
Okay, that's awesome. And so you do IoT. What does IoT stand for, Tracie?

So we were talking before this, and I think there's a couple different versions of this. The official one is the Internet of Things, but my favorite alternate version is the Internet of Trash. If you look at my Twitter bio you'll see that it says "I put the S in IoT", and it's like, see, you get the joke. Do you know how many times I've had this joke explained to me? "There is no S in IoT." And I'm like, bless, yes, I know, that's why it's funny.

Yeah, I'm the S for security in IoT, because there isn't any.

Exactly. And so that's kind of the conundrum, right? So you have a lot of these low-power, low-processing devices, everything from a 50-cent microcontroller out in the middle of a field monitoring water to these insanely huge industrial robots manufacturing cars, and historically they just haven't been secured as well as our more traditional compute models. And so it's a really interesting problem space to be in, because you get to do a lot of fun and cool and interesting new stuff.

So would an IoT device also count as a smart toaster or a smart fridge?

It can, yeah. So that's kind of that wide range, right? I would put that in the middle-ish of that range. It's not a 2,000... 2 million robot sitting in an auto factory, but it's much more common. And you have the consumer device space where, if you look around, you have security cameras in your home and assistants in your home, whether it's Alexa or Google, and your fridge is connected to the internet, your coffeeware now has malware, and you can't get your coffee in the morning because it's been infected with ransomware. This is the future we live in.
I remember I did a security tabletop exercise with the Canadian government once, and I was like, if any other country wanted to attack Canada they would just attack the Tim Hortons everywhere, and then none of us could get coffee and everything would be screwed. They're like, "It's scary, Tanya, the way you think."

It's kind of crazy when you think about it. I forget the exact statement, but yeah, an unbelievable amount in the next 10 years. And we're talking, you know, correctly, because this is just new, this is a new field, right? We haven't been down this road before.

I could not agree more. Slash, I don't have video cameras in my house except for the ones I'm in control of, like the ones in my studio or the one pointed at me now. But you would not believe how many people I know who are like, "Oh, it's just my little dog camera," and I'm like, ah, you're surveilling me in your living room.

I had a deep sort of moral quandary with this for a long time, right? As a security professional, there's a bunch of risks. "Just don't use it," right? That's kind of been the canonical guidance for a lot of things. Not helpful. With your USB drives getting infected: if you just glued all your USB... no problem, totally.

There are so many security teams that are the number one threat to availability.

Yes, yes. I got negative points.

You're going to see that I'm much different than the security practitioners that you've dealt with in the past. I said I'm an engineer first and a security person second. And what I mean by that is my job is to make things go, right? That is my job here. My job is to make things go, not to slow them down, not to make it hard. My job is to make things function.

Yeah. And what that means is... I talk a lot about this when I talk about DevOps, but we are not here to talk about me, we are here to talk about you.
And so also I'm wearing my WoSEC, Women of Security, shirt, because Tracie has a conference that she runs sometimes. Do you want to tell them about it? Because we already talked about it on a previous episode; the two of us were going on and on about how great it was, and that's how we had met.

Yeah, kind enough. I believe it was our third year of DefendCon. The premise behind DefendCon, the official talking point, is that it's a technical conference for women and non-binary individuals in the cybersec space. The unofficial talking point for it is it's like DEF CON with less groping. And so that was the impetus behind it: a bunch of female friends... oh, my cat is probably going to make an appearance, I apologize, I thought the door was shut.

That's a pro, not a con.

Basically a couple of female friends and I were sitting around at DEF CON and we started to share our DEF CON stories, which ranged from being dismissed and told we weren't welcome in certain spaces all the way up to sexual assault at DEF CON. So we were like, wouldn't it be cool if we could just have this super technical conference but in a safe space where we wouldn't have to worry about these types of incidents occurring? And that's basically what we made DefendCon to be. We have a capture the flag village, and we have King Village, and a Mental Health Hackers village, and it's very much... it feels like your traditional hacker infosec con, but it's like 80 women and non-binary, so it's kind of, I think, super cool.

Tanya mentioned that I do it sometimes. We used to do it annually, and then I had a trash fire of a year in 2019 with some health issues, so I took a knee in 2020, saying we'll probably pick it up in 2021, and then coronavirus happened and it ruined everything that was fun.

And they ruined everything that was fun, which is why we can't have nice things. She's obnoxious and wants to be involved in everything.

And I'm still trying to figure out if it's worthwhile. I don't want to recreate things that have already existed in the market space. I think Diana Initiative did a great job this year of having a virtual con; it was a good virtual con. A lot of the local BSides are going virtual, I think.
Are you speaking next week?

I don't think so.

Oh, for some reason I never... never mind.

Sometimes I'm wrong, just to be clear, but I don't think so.

Okay, okay. Well, yes, okay, I'm gonna look that up and put it in the chat so people can find it.

You know, I think there's a lot of virtual con offerings out there right now, and I want to see if there's a way to meaningfully improve it, because some of them are brutal.

Some of them are really bad. I've been to a lot of really bad virtual cons lately, like unforgivably: this is such a waste of my time attending. I think a lot of people are not super... like some of them are going well, but a lot of them are not going well, and so I feel like I'm saying yes less often.

Yeah, yeah. Unless... sorry, again, my cat is trying to assault my computer. That's one of the reasons that I struggle with it: I don't want to put on a con that I don't want to attend. I'm a very selfish baker too; I don't bake things I don't eat.

It sounds like you're smart with English spinach, because...

So, like, I would never make that because I don't want to consume it. I would never put on a con that I myself would not want to go to. So that's kind of what I've been noodling through: how can I make this a meaningful experience for everybody?

Yeah, I think that's really important, though. And also I feel like maybe it's okay to pause for a year and then pick it up when everyone's ready.

Yeah, yeah. Does that make sense? But you know, we never ever ever go back to life, you know, like in, arbitrarily, 27 days, if there were to be a fundamental shift in a very, very large neighbor, it might impact how the world is going.

So, no comment here. I live in Canada and I like it. I've invited a lot of people to move to Canada, and I've been informed by the government I don't have that authority.

Yeah, they're like, "You're not allowed, granting visas."

Like, "You're great, you're adorbs. No."

Okay, so more: what is a day in the life like to do your job, to be a Principal IoT Security Engineer? What was your day like?
So I've only been there for 43 days, so I can tell you a brief synopsis of those 43 days. The first 30 of them: 7,000 names of services that we produce, because there are just so many. But the rest of the time I kind of think of it like being a mad scientist, right? So I went to my boss and I said, hey, I've read a bunch of stuff on this particular vulnerability path, and if I was going to attack our cloud infrastructure I'd start here. I said, but it's just a theory right now, because I need to do a bunch of scans and correlate a bunch of data and kind of poke at things and see what I can find, and you should know that this could take me two months and at the end I very well could say to you, "Just kidding, I was totally wrong, that's a terrible, stupid idea." And he said to me, "But you'll have learned." He goes, "Then you're going to be able to come back and tell me that particular kill chain isn't something I have to worry about, I don't have to lose sleep on that, and that is information that I can use to build a better product." And so to me that's kind of fun, just being able to say, I think that the internet works like this, let's go find out. Scan scan scan, poke poke poke. And so that's pretty typical. And then a lot of meetings. So many meetings, I'm not gonna lie. So, so many meetings.

No comment on meetings. I had a lot of meetings today, and you would think as the CEO you'd have the right to have fewer meetings, but in one of them I got to build a CI/CD, so that was super fun.

Oh, that's cool.

Yeah, and then we smashed things together in the meeting. Some of my clients are really fun.
Okay, oh, so now I'm supposed to tell people that I have a book. Tracie, did you know that I wrote a book?

I did, and I pre-ordered it even. I pre-ordered it, I think, the first day you sent out the pre-order link.

Thank you, thank you. It is called Alice and Bob Learn Application Security, and I'm going to put a link in the chat, and I'm sure that people are probably not going to go to it, but anyway, I wrote a book and it's about security and I have now promoted it and I can check that box.

People should go to the link, because it's going to be amazing. So they should definitely go to the link and pre-order the book.

Okay, I put the link on the screen and into the chat, which I feel is pretty good, and my marketing person is gonna be like, "You need to be less awkward, but at least you did it." Okay, so I have more questions for you.

Sure.
What types of personality traits or aptitudes would someone need, do you think, to be good at your job? Like, do they need to have lots of thought leadership? Do they need to be a good listener?

So the reason I laugh at thought leadership is I've heard that so many times in the last 43 days, and it's a little scary because it makes me feel like the adult in the room, and that's just a terrible, terrible feeling for me. Like I feel like I should never be the adult in any room, but here we are.

I think there's two questions there, right? Like IoT security engineering overall, and then once you get to the more senior levels. And so I think for IoT, for any security engineering, I think you have to have a deep-seated sense of curiosity: of being able to look at a light bulb and say, I wonder if I could use that to take over a car. And like, I've come to realize in my later life that that's not how normal people think, right? People look and see, that's a light bulb. Boring people. It turns off and on and gives me electricity.

Boring people, Tracie.

I think there's that deeply embedded sense of curiosity. My therapist tells me that security overall draws a lot of people who want to protect other people, so there's that tidbit of psychoanalysis for you; make of that what you will. And then I think at the higher levels, once you get into senior and principal, it is kind of about that thought leadership piece of: the industry is here today, where is it going to be in five years, ten years? How can I meaningfully improve customers' lives, not just today but tomorrow and in the future?
Okay, so I'm putting that on the screen because that's perfect. Am I echoing for you all of a sudden? I am echoing on my side.

I don't hear it, but you're also on this weird half-a-second delay for me, so our connection may not be the best.

Okay, good. I'm gonna assume it's okay until someone tells me it's not. So my husband today sends me a "Is your internet broken?" and I was like, ah, it's really slow, I think Comcast has an outage, and he's like, "That's okay, I'll reboot my computer," and I was like, okay, reboot your shirt. You're like, "I love you, honey." And then the best part was that he's like, "It seems to have fixed it," and I was like, okay, you know, maybe there is a bunch of things wrong and that is a cascading set of failures.

Oh my gosh. So for all the people watching, if you are enjoying our conversation, or later if you're watching this video, please click the thumbs up. If you are not subscribed yet, you should definitely subscribe. See our thumbs up, and also you should subscribe to our podcast or YouTube channel, or both.

Actually, yeah, you should probably do both. That sounds like an appropriate pleasure, double the fun, right? Okay.
So what types of technical skills does someone need to do your job? And then at the end I have "if any".

Yeah, so I think we've talked about this before, you and I: that term "technical skills" really just kind of puts ashes in my mouth, because that implies that somebody out there somewhere gets to decide what a technical skill is and then use that word as a weapon.

Yes.

And so I will say that the skills overall that are useful to have are basic coding. So like, this is my claim to fame: I am a terrible software developer, like legitimately one of the worst. My claim to fame is I have committed one piece of production code at Microsoft, and the code comment was "I don't know how this works, but it was the least efficient way to get there, so I should not be doing production code." That's the piece I've made. But I can do a little bit of Python scripting and Bash scripting, and I can glue things together. There's a reason I don't write production software: I just break other people's and pretend like I can be superior in that way by saying, hey, look, this is broken, and I would have totally done the same thing, because I too am a person.

And so I think that is an interesting thing: coming from that set of empathy. I think a lot of security practitioners overall, many in the past, were, "Ah, I can't believe you wrote this code so bad, gosh, you must be dumb." And it's like, no, they're a person who made the best choices they could at the time they made them, with the information and time available to them. And so I think being a bad coder myself has given me a lot of empathy for people who make those mistakes.

Do you feel like being a jerk to software developers helps them write better code?
No, no. I actually... so this is weird, because...

It's a technique people seem to use a lot, though.

I have this theory that security practitioners... and keep in mind I'm one of the old people, right? Like I started in the Department of Defense, and we are like, "oh geez, security people," right? That was the first sort of disciplined cybersecurity job that there was that wasn't just hacking on things in a basement somewhere. And that very much was the thought, right? We had this almighty power invested in us from generals and laws, and that's very much the culture I grew up in. And I sort of had this epiphany in my later life: I think a lot of the old-school security practitioners are like the Oracle of Delphi, where they sort of dispense this wisdom into the universe, and they will tell you how to do it, and they won't tell you why it's important to do it, and they won't answer questions about why you should do it a certain way versus another way, and if you screw it up then that's on you.

Right, right. They gave you the wisdom from the high mountain, and if you didn't understand it, that's your problem.

And I think our industry has needed to shift for a while, and is slowly doing it, with, I think, DevOps or DevSecOps being a large part of that cultural shift of: we should all understand, at least in the commercial space, that we are building something, and our job is to build software that makes customers' lives better, and building no software at all does not make customers' lives better.

I agree so much. It's like my words are coming out of Tracie's mouth.

We've talked about this. We're kind of like the same person in a lot of ways.

It's true, the Venn diagram is pretty close to a circle.

It's true, and we both have purple in our hair.

Or is yours... because I haven't been to my hairdresser since, like, March, because it's scary, because I have a heart condition. Like, some kind of crazy reckless thing.

I have three people in my personal life that are immune compromised, so I have to act as though I am as well.

Yeah, because it's not cool to kill the people you love by training, right? Like, just to be clear, it's not cool to kill anyone, but it's especially extra not gonna make you any friends to bring that home.

And honestly, I thought about doing that, like a permanent dye, right before this, and I thought, that's going to end in tragedy, and I'm just going to wait and ride this out, for, you know, things go horribly wrong right before a recorded podcast.

So yeah, it's like, Tracie, your hair is so many colors.
So what types of training or work experience would someone want to do if they wanted to get into IoT security, and especially if eventually they want to be able to call themselves a Principal Security Engineer? Because that is a feat. That is a feat. I have never been called principal.

I will be the first one to tell you that I probably came into this job from a very non-standard background. I think the more traditional way is to have been a software developer, a software security engineer, for your entire career, and then sort of laterally move into IoT. I had been an engineer early in my career, and then I went through this, like we were talking about, finding my place. I went through this program manager phase of my life where I came out of the military and Microsoft said, well, you're a program manager, and I was like, I don't really know what that means.

I didn't know what PM meant when I worked there. I thought everyone was a project manager, a program manager, and they're like, we hired a lot of PMs, and I'm like, what are they gonna do?

Yeah, so that's the funny thing: I have this theory that, especially the technical program managers, which I was for a long time, I used to say we're engineers who can talk to people. And in really high-functioning orgs I think that is true. In really poorly functioning orgs I think what you have is a bunch of people with sort of medium to low tech skills that are getting buried under doing project planning, and that is not really functional in a lot of places, I don't think. I think project management is an incredibly important and essential discipline to get software shipped; that is by no means a dig on project management. But I think it can be really challenging to match people either to doing project plans and project implementation, or technical implementation and technical judgment. I think that can be a tricky mix to get right.

I totally agree, I totally agree. So, like, can someone take training on IoT security, or is there a way that they could try to learn about it that you might say, absolutely?
So, you know me, I get off on tangents, but...

That's why I like you.

What I was going to say is, so I came from a very AppSec-y kind of background, right? Like my time at Microsoft was spent doing MSRC work, and my time in Office was spent doing AppSec feature work, and so IoT is not my native habitat. So when I took this over I really did have to start at the bottom, as if I were day one. And so I bought a couple Arduino knock-off boards and a book called the Arduino Workshop, and I started building little blinky-light things so that I could kind of understand how that worked. Then I got a Raspberry Pi, and I started experimenting with some Raspberry Pi builds, and then I'm starting to branch into the secure chipset implementations for Raspberry Pi, and there's a bunch of cool fringe projects that increase security. I'm so lucky that I get to work with people who have been doing IoT forever, and so it's kind of a nice marriage, right? Like they know more about IoT than I probably will ever know in my entire life, and I know more about security than they might know, right now especially. So it's kind of a nice thing, because I get to think of it as if it were a computer, and then they get to explain to me, "Don't worry about that, that's not how IoT works," and then eventually I'll be able to say, ah, but this is how IoT works and this is how security works.

And then you do this, yes, and then you smash the things. Just for those that are listening and can't see the video: both of us smashing our fists together rapidly.

I am going to take this moment to thank our sponsor Ubiq Security, who creates an API security tool to help you ensure that you are creating secure APIs. And I think we can all agree, especially when it comes to IoT, we want those things, those APIs that they are calling, to actually be safe and secure and not be at the hands of malicious actors.

Definitely.
Okay, so let's say I'm totally obsessed after listening to this and I think I want to do a job similar to Tracie's someday. Could someone make a learning path that they could get there? Do you know what I mean? Like, should they learn some AppSec and learn a little IoT, or what kind of path can we potentially draw out for listeners?

So I'll tell you how I started and then I would tell you what I would do differently if I were 20 years old today. So I started out in server maintenance, right? I did old-school Active Directory management, and then I got pulled into this security thing in the Air Force, and it was like, what in the world, I don't even know what this is. And so I got my A+, and then I got my Network+, and then I got my Security+, and then I got my CISSP, and that allowed me to get a bunch of jobs in the government where I got to do kind of security things, and that was cool. And then I decided I was done with certifications, and so I went to work for commercial, and while I was there... my first interview actually with Microsoft was a disaster. I failed it, I failed it so hard. Like, I have never cried after an interview; I cried after that one. It was embarrassing. But you know what I did? I went to the guy that interviewed me and I said, let's be honest, that was pretty... but give me two weeks and tell me what I need to learn and I'll learn it. And I basically memorized the Windows Internals book.

That's amazing.

I know, right? That thing is huge. I don't remember any of it, by the way; it's totally RAM-based memory, it's gone forever. But I was able to pass the interview, and to spend a lot of time learning from people who are a lot smarter than me. And then I got involved in the con scene, and I spent time at DEF CON. We were actually just laughing, a guy who just started at Amazon a couple weeks ago, we were comparing phone directories, and he goes, "Oh, you know this person?" I said, oh yeah, I do know this person, and he goes, "Oh, well, how do you know him?" I said he taught me to hack my first box at DEF CON. He goes, "Oh, that's amazing." And so just going to cons, meeting with people and hanging out with the villages. And now we have this IoT Village, that's crazy; that didn't exist when I was coming up, that wasn't a thing. Just going out and making those connections and being curious, joining your online communities. I'm in one right now for veterans, that is a veterans security community, and they've got an entire channel dedicated to SCADA and ICS systems, because they're scary. Yeah, I think that's how I would learn if I were starting over again.
I think that's brilliant, and I'm also sharing your website, Internet of Tracie, and that's Tracie with "ie", not a "y", as I found out when I typed it in wrong just now. So it's internetoftracie.com, on the internet. Well, actually, first I put thatsecuritychick, because that is your Twitter handle, and then that was incorrect, so there's no website securitychick.com, just so you know, all people that want to run out and jump on that and URL-squat.

Oh my gosh, also I should apologize, because my actual website is a bit of a trash fire and I haven't had time to actually put a lot of meaningful content on it, but it does have at least two of my talks up there.

Well, mine doesn't have that at all. I have shehackspurple.ca and it's just some pictures of me, and then it's like, "please buy my book".

That's like Facebook. I have to write a book in order to sell a book, and that's a lot of work.

Oh, it is so much work. If I had known how much work it is, I don't know if I would have done it. Because you know how they say women, when they've had a baby, they forget, it flushes out of their mind how painful it is, and then they go and they have another baby, and they're like, what was I thinking, this is awful, giving birth is no fun.

Yes, that was me last year. I was like, if I would have known how hard it was I don't know if I'd do it. Now, this year, I'm like, hmm, he really needs a brother or sister. My husband's like, "Are you stupid? What happened to you?"

I've heard scientists say that there's actually a chemical thing that flushes out that memory for women so that they don't get birth PTSD.

Yeah, probably. And so that we can have more offspring, because otherwise imagine if every woman gave birth once and she's like, I don't think so, and then what if she told her friends, and they're like, yeah... uh, yeah.

But yeah, so that's actually been a non-zero investment of my time over the last year: getting into this whole motherhood thing. They take a lot of work.

Man, they're a lot of work. I have heard that rumor and believe it to be very true. Yes.
so okay so now i have the super
sensitive question
does being a principal iot security
engineer pay well
uh i think it does um
so i guess you'd have to ask yourself
what yeah what does being paid well
mean to you yeah we talk about cheese a
lot on this podcast so i like cheese
and i figured out i really made it and i
was definitely middle class when i went
to the grocery store and i was like
humming and hawing between two different
types of super delicious
cheese and then i realized i'm like
tanya you're rich enough you could just
get both
cheese and then now sometimes i get two
cheese just like for nothing at the
grocery store and i'm like i'm doing
great
but so tanya and i have had this
discussion so i came up
um in uh not financially well off
um and you know there were times when we
were not sure we were going to be able
to pay our mortgage and get you know
and get groceries that month so i still
have a little bit of that economic uh
ptsd where i go and i was the other day
it was something stupid it was like a $35
purchase right $35 and i agonized over i
mean
literally agonized for weeks over this
purchase and it's like wait it's okay
it's it's okay now you know you can you
can relax a little
um but that being said i think it also
helps me be very aware of
the privilege you have um i've been
able to you know donate and support
political causes that i care about about
very much
um we did a fundraising matter on
defence Twitter handle for Black Lives
Matter
um i've supported a bunch of you know
children's charities and stuff through
you know and so i think that has been
the coolest thing for me personally is
being able to do those kind of
civic activities that i couldn't have
done growing up
where i grew up that's awesome
also Kim is watching and she says cheese
money
yes so she is agreeing
that's stupidly expensive but it's so
good i love
cheese and i shouldn't talk about it so
often on the podcast
like how many minutes per episode are
dedicated to cheese i'm like under
five under five
well it's like how you know that you've
made it if that makes sense like for
instance
i have a fridge and it makes its own ice
and that was my next level i'm like i am
now
upper middle class my fridge makes its
own ice i love ice
like i'll fill a cup completely to the
top and then pour my beverage around it
and people are like would you like some
you know cola with that i'm like no
and so having air conditioning being
able to have the central air
conditioning
turn to whatever temperature i want it
was a big
like because we were like we were in
Arizona and it's
hotter like very hot and my mom
would not turn air conditioning on until
our house was practically on fire
and so like now knowing like now
you'll be like my house is at 75 degrees
rain sun
no i don't care that is the temperature
of my home it's like a big
moment for me i
love it and feel you so much
okay so i have i have more things that i
want to know
so are there lots of opportunities for
people that want to work
in security related to IoT
like yes IoT general
and security specifically so i looked up
the stats
before we got on and have promptly
forgotten them
but um
the iot market is expected to grow i
want to say it's roughly 30 percent
in the next five years and it's billions
of
devices that are adding and billions of
people
and all of that data has to be secured
all of those devices need
a secure way to connect to the other
devices and to the internet
um this is not going away anytime
soon we're becoming more connected not
less connected
um i was reading a thing the other day
on the connected cow
i'm not making this up Tanya this is an
actual thing that actually exists in our
world
they have put sensor internet connected
sensors
in cows' stomachs i'm not making this is
that cruel
does it like hurt them i haven't
level in their stomach so they can tell
if they're like digesting
food properly wow
to take care of
so this is very good this is very good
news for
listeners who are suddenly thinking
that they want to hack their fridge
so what do you like best about your job
and your work
like what is your favorite thing um i
think my favorite thing
is i feel a little bit like a kid i get
to just go play with things
um and my boss is super cool and i'll
say hey
um i saw this thing and i think i can
make it do this thing to this other
thing
can i go buy a couple and see if that's
true and for the most part he's been
really okay he has said no a couple
times when
the thing i wanted was a very expensive
exercise bike apparently
it's not okay to hack those because
they're like 12 grand
um so i support his rationale on that
but um for the most part you know it's
been really cool to just be able to
tinker around with stuff and see how
things work and just spend my
day like a five-year-old going why but
why
but why awesome that sounds so fun
so the the following question what is
the least favorite thing about
it um i think and again i'm still kind
of
new um so i don't know if i've found an
official least favorite i think there's
two for me so
far um i think we mentioned me being the
adult in the room has been a tremendous
um and i mean if you really think about
it i've been the adult in many rooms
in my career but i think i felt the most
adulty at this particular room
um because when you get to the principal
level for some reason people imbue you
with these like
mystic you know powers of discernment
and judgment it's like well you're a
principal engineer you should know and
i'm i spend a lot of my time going i'm a
principal engineer and i should know
i've been frantically trying to learn
the thing that i should probably already
know
um so i think that's been good and bad
right like it forces me to be
um always curious and it forces me to
learn a lot
uh but it's also terrifying which is
usually the sign of a good job if it's
you know
two-thirds interesting and one-third
terrifying i think that's about the
right mix
um and then i think
i think the other thing i don't love is
that i
so here's a weird fact about me that you
probably don't know i'm incredibly
dyslexic
i'm dyslexic too
and so coding is really hard for me
not because i don't understand how i
spent
a good six minutes this morning because
the the tweet that i tagged you in for
some unreason that i still don't know
because one of my lines of code had a
backslash instead of a forward slash
and i was like i have no idea why this
doesn't work this should work
and that was five minutes of my life
i'll never get back um i used to tell
people that
my version of hell is looking for a
misplaced semicolon for all eternity
um
the type of coder i am and it's you know
it's a it's a language thing right and
it's a
it's an ability thing so i think that's
those two things are probably
challenging for me
i totally empathize with you however for
whatever reason
coding clicked in my brain and then it
it was just easy
i'm really lucky it was unlike learning
to play guitar that took forever i was
like
why why why don't i sound like Pearl Jam
yet
and i'd like to note i still don't sound
like Pearl Jam
i also have this really terrible
personality trait where if i can't be
like the best at something
then i just don't want to do it like
i was number two in our swimming um
competition league for like
ten years as a kid and i finally quit
because i realized i was never going to
be number one
i think this is stupid i don't want to
do it anymore i mean it would be way
worse if you would drown the other kid
so i feel like
like there could have been much worse
endings
oh my gosh okay so what makes you feel
the most pride
in the work that you do
i think for me um
it's being able to go
to customers who maybe don't
have a mature engineering process on
security
right now and you know they're out there
doing the thing that they do right and
maybe they're a coffee maker company
or they make exercise bikes or they have
a fleet of you know vehicle management
software security is not their job right
that's not
what they want to do with their lives
and i get to be like
come use our product and look all of
this is taken care of for you
ta-da and that's really cool because i
i think it helps enable people to do
really cool things that i can't do like
i'm not that imaginative i don't know
how to make a new fleet management
system for trucks i don't know that i
care that much but somebody out there
does and they're the best at it and
that's exciting you know like that
that's exciting for the world so
i love it i love it i think that's
really positive too
okay so now i have i have two questions
but i'm kind of going to mash them
together because they're really similar
so what advice would you want to give to
someone
who's hoping to get into a role like
yours and maybe like actionable steps
that they could take so this is a hard
question so i'm gonna like
uh stall for a little bit but then i
then i'm going to stop talking and then
you have to answer
that was the stalling that's fine so
um i think that's a broad question right
and it's a different answer for someone
who
is you know right now in college or
maybe
you know returning to the workforce from
a non-technical field
versus maybe someone who's you know a
developer right now
who is looking to transition into
security so i'll try and answer
kind of as much of the use case as i can
uh without boring everyone
um sorry i have cat hair stuck to my
mascara it's the whole day well she
does want to be in the show and i can
list her as a co-star for you if you
should she's you know everyone at work
has seen her but so
it's either she's basically a co-worker
of mine
anyhow um so for somebody who's new to
technical endeavors all together
i would say learn your basics right
because
all computers whether it's a
microcontroller
in a sensor or a bajillion dollar server
in a data center
share a lot of common uh threads right
you can you can apply a lot of the same
core knowledge so
for me i think Security+ and i don't
want to wade into the certification
discussion but Security+ has a
really good body of knowledge to give
you sort of that foundational layer of
understanding
whether you take or use the cert or not
as a completely different discussion
um but doing things like that doing um
MIT i think has an
intro to security course uh that's free
uh get a 30 day subscription to LinkedIn
learning like they've got some decent
material on there for
you know introduction to coding
introduction security the fundamentals
don't change
um so i think that would be a start if
you're trying to transition
into a technical field from a
non-technical one
if you're sitting out there and you're a
software developer and you're already
pretty technical
um i think the same can apply
of learning the security basics but i
think you might
want to figure out a technology area
that you want to specialize in and maybe
it's you know
routing traffic and you go and get a
Cisco uh
you know security cert or you go and
take a degree path
in you know security for securing
routers um
i think you don't have to do it on the
education route
my biggest thing that i tell people is
just show up to your local events this
is pre-COVID but
not don't show up to your local event
um you know show up to your local events
go um i have a friend of mine who
she was a bartender and she said you
know i'm kind of thinking of tech but i
think i i don't think i'm smart enough
to do it
which first of all is crap like if i'm
smart enough to do it
everyone's smart enough to do it but i
said just come to DEF CON just hang
out
and even if you don't understand
anything
figure out what's interesting to you
you're gonna go to a talk
that says wow i never knew that the
smart grid needed to be secured
and i don't understand any of the
protocols you just said or any of the
trend like i don't understand any of the
hacks you just did but that's an
interesting problem space for me to read
up on
and that's kind of what i would i would
tell people to do and then you can do
that online too
YouTube is your friend right like i
learned a new tool from youtube this
week
go to YouTube and type how do i do this
thing
and you'll come back with a bunch of you
know videos that you can learn from and
go play go
get a test subscription to AWS or Azure
and you know get yourself a box and
hack all the things yeah legally
and with permission and definitely not
without permission
because that's bad Tanya and Tracie
feel we should obey the law and so
should you
yes no law breaking no
so those are all my questions
about your career and now i have two
very difficult questions for you
okay they're not um do you do things
outside of information security and
would you like to share one of them with
the audience
uh sure so i don't know with outside
information security because it's
actually really insecurity
but the most the most least
thing i do that's the weird sense um
i have like i do landscape photography
and obviously i take lots of pictures of
my son
um actually something that most people
don't know
my office is actually my photo studio so
if you're ever wondering why there is
like
lighting equipment um no i do not make
um
films of any sort of nature as has been
suggested by certain people
um it is strictly lighting for
photographic shoots of my small child um
so that's probably the most
least video and then i also snowboard
really badly
um yeah that's pretty much it are you
used to anyway
i don't know i haven't been back since
my heart went bomb on me so we'll see
um yeah i've only snowboarded once and
it kind of looked
like this like just flapping over like
tumbling and tumbling and tumbling and
lots of swearing in both official
Canadian languages
and then me saying where's the bar so if
you've done it more than once i feel
like you're doing pretty good
yeah i actually was a mountain for a
whole season which is basically
where you go and like give people
directions
and make sure that they're not you know
stuck in a tree well somewhere and
you know like things like that so so you
would have saved me that's good
no but i would have made the radio call
to the search and rescue people
and you would have said this way to the
bar
that i would have done okay so the last
and final question that i have for you
is if people want to know more about
Tracie where should they go
uh Twitter's probably my most
the first channel of information so at
that
uh feel free to connect with me on
LinkedIn and it's my real name so Tracie
Martin
you know on LinkedIn um those are
probably the two
best ways to contact me uh
i do reply to messages i try to
most of the time
nice i'm not that great at it either
i am putting your Twitter handle under
your face right now so people can see it
thank you so much for being on the show
oh vogue nice
to my Twitter thank you so much for
being on the show it was such a pleasure
and also if someone wants to send Tracie
a really expensive bike
contact her like an electronic iot
connected interconnected bike contact
her on Twitter at that
security check or maybe other really
expensive devices sure you're like
lots of i'll hack on it i can't
guarantee i'll find anything but
you know i'll do my best and if not i'll
use it
seems like a good deal to me i mean free
security testing slash
maybe destruction okay
okay i'm gonna behave myself i am
supposed to be wrapping up i am doing
okay
i've knocked on over an hour i'm doing
great okay
thank you so much and with that
i'm going to do the thing where you
disappear and then say the outro credits
thank you Tracie Martin
thanks Tanya thank you for coming to the
We Hack Purple podcast we really
really appreciate you listening and
watching and subscribing and clicking
the like button
thank you so much to our sponsor Ubiq
Security who makes an awesome
api security tool please
write a review for us if you write a
review for us you might be like
Mary Liz C who wrote an awesome review
for us that i'm going to read for you
right now
it has everything from funny stories to
great career advice
keep up the great work thank you Mary
um so if you write us a review and then
you message
us a picture of the review on our
Twitter account at We Hack Purple
we will send you stickers yes that's
right bribery from We Hack Purple
Academy
um we have new courses out we have a
brand new one coming out the day after
Halloween
about application security you might
have guessed and we have a whole bunch
of awesome guests
coming up after Tracie including
but not limited to i'm i'm trying
not to just go on and on and on but up
next week we have
Katie Paxton-Fear and she's going to
talk all about what it's like to be
a bug hunter and a phd student which are
very different it turns out
we're going to have Dominique West on
the week after that to talk about being
a senior cloud engineer
and consultant Stephanie Black on to
talk about being a cyber security
account manager
because someone needs to manage all
those customers we're going to have
Tyrone Wilson on to talk about what it's
like to be the ceo of a cyber security
company
and after that we're going to have Kim
Crawley on and you might have read her
articles all over the place and not
realized it was her
she is an amazing cyber security
journalist who has been writing for many
many publications for a long time
and so we're going to find out about all
those types of careers and what those
people are up to and so thank you
so so much for listening and joining us
today i am Tanya Janca your host
of the We Hack Purple podcast