Host Tanya Janca learns what it's like to be a PhD student, bug hunter and educational YouTuber, with Katie Paxton-Fear! She is a full-time PhD student, part-time educational YouTuber and occasional bug bounty hunter. You can follow Katie on Twitter, subscribe to her amazing YouTube channel, or visit her awesome website!
This episode is sponsored by ThreadFix!
Buy Tanya's new book on application security: Alice and Bob Learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357
Don't forget to check out #WeHackPurple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our cyber security community: https://community.wehackpurple.com/
A safe place to learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter here: https://newsletter.wehackpurple.com/
For corporate virtual training contact info@wehackpurple.com
Welcome to the We Hack Purple podcast, where each week we talk to different people doing completely different types of jobs and having very amazing and interesting careers in the field of information security. This week we are hosting Katie Paxton-Fear, a PhD student, occasional bug bounty hunter and part-time educational YouTuber. This week is sponsored by ThreadFix, and I am your host Tanya Janca, also known as SheHacksPurple. And without further ado, let's meet Katie. Hi Katie, how are you doing?

I'm good, how are you?

I am good. It is a lot earlier for me in the evening than it is for you.

I'm bringing that 5 p.m. energy into 2 a.m.

You're amazing, thank you so much for staying up so late to be on the show. Oh, and someone in the chat says "hi Katie", so I guess someone's really happy to see you. So could you please tell us your name, and your handle, and your job titles?

My name is Katie Paxton-Fear, that's Paxton-Fear, not "taxed and ser", which does happen. And my handle is InsiderPhD. Now that's not "inside a PhD", but "insider" as in insider threat and "PhD" as in the academic qualification, not PHP. I picked very, very difficult handles that kind of match my very difficult name, which is confusing, but in my YouTube tags I just change it so "inside a PHP" will get caught too. And I am a PhD student full time, that's my actual job.

Oh wait, wait, wait. One second Katie, it seems that the audience is having trouble hearing us. Can you hear us, audience? So someone just said "is there sound?" and I'm like, well, I hear sound, and I heard the sound, all of my stuff looks like there is sound. Okay, so it appears that we're actually absolutely fine. So J A, please turn on your sound. Someone else can hear us, and we can hear each other. I'm so sorry Katie to interrupt you. Let me ask you again: please tell me about your multiple impressive job titles.

So my full-time job, my nine to five, is as a PhD student, and I do work from nine to five. People think students spend a lot of time asleep; I don't, I do actually have a regular job. And then I'm also an occasional bug bounty hunter, and a kind of part-time YouTuber. Now I am still waiting for the Nobel Prize committee to get back to me, because obviously I do deserve the Nobel Prize for "more hours in the day", an invention I think is going to be beloved by everybody, and quite frankly the fact that I don't have a Nobel Prize yet is the most disappointing part of 2020.

Not acceptable.

It's not acceptable, it's ridiculous. But yeah, so I have quite a lot of jobs. I like to say that I spend quite a lot of time working, but it's down to a T of organizational systems. But yeah, so I have a lot of jobs and I do a lot of things online.
[Laughter]
And someone has commented "Nobel Prize, obviously, right". Can you, could you describe each one of your jobs for us? Because a lot of people have never done a PhD, or been a bounty hunter, or an educational YouTube person.

Oh, I'll start with bug bounty hunter. I'll work my way down from most time to least time, sorry, least time to most time. So being a bug bounty hunter is basically being like, you know, you have your freelance web developers, you have your freelance software engineers, and you have your freelance security analysts, and being a bug bounty hunter is that. It's finding bugs. In this case we don't really mean software bugs, we mean software bugs with a security impact, and quite a lot of that is hacking companies legally. Not illegally, hacking companies legally, they ask you to. That's what being a bug bounty hunter is. It takes up the least amount of my time, because it's something which I kind of do for a little bit, I get some bounties. You do get paid for it, you get paid per vulnerability on severity. I do it for a little bit, then I kind of stop for a little bit, and I do it for a bit and I stop for a bit. It just depends on my interest level, so that takes up the least amount of time.

Educational YouTuber: I make videos on the internet, and I have to admit to people that I make YouTube videos when they ask me what I do for a living, because "YouTuber", people seem to think I have some kind of gaming YouTube channel, and they don't realize I make lectures online. And I've tricked all of my viewers into thinking they are entertaining videos when actually they're lectures, and I'm tricking them into a university education. My videos are like lectures: I talk people through how to do bug bounty hunting, but it can apply to all kinds of web security, mobile security jobs, not just bounty hunting, it's just got that particular focus. And I've got 18,000 subscribers, which is kind of crazy to me. I looked it up, like how big of a venue I could have, and the venue that would fit all of my subscribers was a field, because you can't get an indoor venue for that many people. So it could be socially distanced, I suppose.

Like if you had used a whole country, or like a state or a province within a country, you could socially distance your 18,000 people.

Yeah. But yeah, if InsiderPhD Con 2022 ever gets off, we're going to be sitting in a field somewhere.

That actually sounds... so, yeah, it does, doesn't it? Like hacking in a field, like an electromagnetic field.

That'd be called camping, think about it.

Of course. How many extension cables you would need.

Oh god. I used to run hackathons when I was at university, and the problem of an extension lead becomes like the most difficult thing on the planet, because you need so many of them and there are never enough, and you're always getting people coming to you, "I need an extension". Like, oh my god, just bring your own from home. But yeah, so that's being a YouTuber. I make videos, they're just lectures, eighteen thousand subscribers. And then, well, then I have my full-time job.

What topics are your YouTube videos about?

So I made videos on finding your first bug. I've covered vulnerabilities, I've covered APIs, I've covered mobile. I'm covering authentication next month. My videos really range in topics, because I want people to be able to go to my YouTube channel and kind of find... I like to think of myself as a university-level education without the university-level price tag, because I like to think that my videos offer that kind of style of education. Because it doesn't suit everybody, not everyone can listen to a lecturer and absorb the information, but for those it does work for, I hope I'm giving people, especially those who, you know, maybe come from countries that aren't as wealthy... and you know, the OSCP is a lot of money, that could easily be, for somebody in a non-Western country, an entire year's salary, and that's just not affordable for people. But something like my videos can give people that same... not necessarily the same level, because you don't get the certificate, but getting some of that knowledge for free, which is why I like doing them.

Cool, that's awesome.
So I have more questions, as you might have suspected. Also I've been flashing your YouTube handle, or your YouTube link, and your Twitter handle on the screen, in case anyone needed to know how to follow Katie. Okay, so what is a day like in the life of doing your jobs?

Oh, okay, so I practice time blocking, which sounds a bit insane. I record every minute of my day. Not many people do this, so I could tell you down to the minute what I did. I won't bother with that, because that would be quite boring. But I usually wake up about, you know, nine o'clock-ish, and I write my thesis, and that's currently what doing a PhD looks like. I'm in like the last few months of my PhD, so I literally spend all day writing.

That's amazing, to be right at the end, that's amazing.

It's the scariest thing. I was a bit worried that I wouldn't be able to find a new job because of the pandemic, but thankfully I did actually manage to get a full-time lectureship at a university, and they cited my YouTube channel as one of the reasons they hired me.

Congratulations.

Thank you. But yeah, so I kind of write my thesis, I have lunch. When I was doing research it would literally be poke at my code until it does something interesting; research is quite a lot of just poking things and seeing if it works. And then at five o'clock I then switch over to YouTube. I'll be making slides, I'll be writing notes, I'll be researching, like taking notes about what I want to talk about, what resources I want to share. And if it's a YouTube day it'll be recording; if it's not, it'll be, I'm just doing slides or editing, not particularly the most interesting part of making YouTube videos. But I'm sure, as you probably know from streaming this, there's a lot that goes on behind the scenes of YouTube. Turns out you can't just turn the camera on and then you've got a YouTube video.

Yeah.

Yeah, that's kind of what a day in my life looks like. I usually finish all of my work for about seven or eight, and I spend the rest of my evening not working, and that's very important. I do not work all day, I have breaks and I stop, and I don't do work from 8 p.m.

That's smart, I should take lessons from you. Also someone in the chat says "way to go Katie, #jobs".

I'm very excited about my new job. Excited and worried. You don't usually get PhD students that go from PhD to lecturer, it's like the equivalent of assistant professor in the States. You usually have to go through a few postdocs, but they were so impressed with the enthusiasm I have for cyber security and my level of knowledge that they were like, yeah, well, we'll give you a job that's much more senior than what you're doing at the moment. Don't panic.

"Don't panic", that's a great job interview last sentence sort of thing. First day: don't panic, you're going to be fine.

That's pretty much what I'm telling myself.

So I'm supposed to tell everyone to buy my book, and I'm supposed to be really sort of charming, so if everyone could pretend that I was when I told them about Alice and Bob Learn Application Security.

What's your book about, your new upcoming amazing book about information security that everyone should go ahead and buy?
See how she's charming? It's good, it's a good pairing. My book is about how to create secure software, and it is about how to create a secure system development life cycle, what all the main concepts are with secure design and secure coding and security requirements, and how to secure more modern systems. And basically I think that someone that wants to defend against a bug hunter that is very good, like Katie, would want to read my book.

Aha, see, like peanut butter and jelly.

Okay, so that was pretty good for me for trying to awkwardly bring up myself. My marketing person's like, "stop telling everyone that you're doing it, it'll get better", but anyway, thank you.

You've got to say where you can buy it. Where can you buy your book?

Oh, you can buy it on Amazon or the Wiley Books page, and then I put a little link. But if you just look up Alice and Bob Learn Application Security, it will be the purple book. There's not a lot of university-style textbooks that are purple and pink. Can you agree with me? I'm missing out here, right?

Yeah, I'm looking, they're mostly blue.

That's because blue is the world's favorite color.

It should be more colorful, more engaging.

I agree. Apparently if you ask people, on average 70 percent of people say blue is their favorite color, and apparently over 50 percent will say seven is their favorite number out of one to ten. And so that's interesting. My favorite color is purple.

Nice, that's why all my branding is purple.

Mine too.

Okay, so I have real questions though now, I'm gonna stop talking about my silly book. So someone in the chat says it's an amazing book.

No, everyone should have it on their bookshelves. I'm going to buy it, and I'm an influencer, you should trust my recommendation.

She's influencing me. Buy two copies of your own book now. Someone is commenting in the chat, "lol Katie sells Tanya's book better than Tanya does". Yes, okay, but back to you. Oh hi Rick, my friend Rick from Ottawa's on. Okay, so what types of personality traits does someone need to have to be good at your job? And you can say this for any of your jobs or all your jobs, this is totally up to you.

I'm gonna go for all of them. For being a PhD student, the main personality trait you need, surprisingly, is not to be smart. It's not to be clever, it's not to have a really big brain. It's actually to be really determined, and to hit your head against a brick wall and expect a different result other than a concussion. Because doing a PhD, it is not a competition of who's the fastest, it's a marathon. And you know what, Usain Bolt would not be able to complete a marathon, he would not last that long. What you have to be is determined, dedicated. You have to want a PhD. So that's the first thing. You'd have to be smart to do a PhD? I proved that... I have no common sense.

Oh, that's not true.

But I've got a lot of knowledge about insider threat now. I didn't start that way. But yeah, then you've got doing YouTube, and the kind of main personality trait you need to be doing YouTube is to be really open and to fake energy, because you have to have that on-persona. And I'm sure anybody who does a conference talk realizes this, that you kind of put on, not necessarily the best version of yourself, because it's not really a fake version, it's that over-hyped version, that really happy, that really excited. Like, under all of this I do not talk like this normally, but I do because it makes people more engaged. So if that's really... to be a fraud is to be a YouTuber. To do bug bounty hunting you need determination. It's hard, you end up hitting so many brick walls, you end up doing weeks of work for no bugs, and you've just got to be able to push through those difficult weeks to get to that sweet drug that is finding a vulnerability. That was... I've never taken drugs, I don't even drink alcohol. I am convinced that bug hunting is the best drug you can buy, and all you need is a computer.

And they'll pay you for it.

And they'll pay you for it, yeah.

So how often do you make money? In Vegas, right?

No, I made money in Vegas.

Oh my gosh Katie. Someone posted in the chat, "so doing a PhD is basically academic rugby".

Yeah, it's like academic marathon running. Academic marathon running is probably high... you never do anything like it. Even if you want to go into academia, you'll never do anything like a PhD. You'll never write a massive book that nobody will read.

Like, you've written a book, yeah, people will probably read your book.

Yeah. After I have my viva, no one's going to read my PhD. And you just don't accept this in any other field, but doing a PhD it's perfectly acceptable to write a massive book no one will ever read. It collects dust on some academic shelves.

Can you take parts of your PhD out and then publish them as articles and white papers eventually? Because people would read that.

Yeah, that's how it gets done, but you still have to go through this entire process of writing a thesis. You write a book no one will read, only to later on take that book and rewrite sections of it to write papers. You could just go straight to the papers and avoid the book that collects dust, but only in academia world is that a normal thing that people do.

Proof that academia is behind the times.

What? Well, yes.

Oh, and someone's commenting "you are so honest and real", thank you. That's a very good comment, I agree. Okay, so, oh, if you are watching this and you are enjoying it, you should click the thumbs up button and then click the subscribe button, and then immediately run over to K... but don't leave here, open another tab, and then go to Katie's YouTube and then subscribe there. That's what you should do, okay?

Good, Tanya did not tell them all... and be like, don't leave, don't leave, okay, open it in a new tab and then pause my... pause my voice, because the first video you get is not very good.
Oh, so what types of technical skills does someone need to do your job, if any?

So I think when it comes to doing a PhD, I think people think you need quite a lot of technical skills. It's gonna really depend on what your PhD is in. So my PhD is in machine learning and insider threat. I didn't know anything about insider threat, I come from a data science background. I'll be honest, before I started my PhD I wasn't even interested in cyber security. I had a choice at university, "do you want to do a cyber security course?", and I said no, that's too difficult, I'll do my third web development course that I know I can ace by putting in like a day's worth of work, instead of doing the information security that seemed too hard. Not for me, I'll have the easy route. But I didn't do it until I started my PhD. So for me the amount of technical skills I had was zero, and then I had to learn the machine learning. Now my colleague, who also does a PhD, it's kind of similar, it's agent-based modeling for simulating hackers, but that's her PhD so I won't talk about that. But she had the knowledge of cyber security but not knowledge of agent-based modeling. So I learned information security, she learned agent-based modeling. You just learn it within the three years, if you're in the UK, or the five or six you do in the States. You just learn the technical skills, no big deal.

YouTube takes a lot to learn, and it's not like technical technical. I've written a dozen little demos for videos and coded them and obviously run the exploits. I've had to learn video editing, audio editing, how a camera works, I didn't know that before. I have to keep reminding my viewers I'm a PhD student in machine learning, I can make algorithms, make models, I can't...

So watch out, don't mess with Katie.

"Fix the black screen at the end of my video." Sometimes, just sometimes, it happens, I'm not a video editor. Yeah, you end up picking a lot of skills up for YouTube: marketing, analytics, branding, SEO, Jesus.

Then on the other side, with bug bounty hunting, you don't need any technical skills. I will tell the story of my first bug. Okay, I was invited to a hackathon live event by one of my friends, who said "you should come to this event, it's amazing", and I said "no thank you, I don't like hacking". And then they were like, "there's going to be a bunch of people from university there that you've not seen in like two years", and I was like, okay, fine, I'll go see my friends, geez. So I ended up going there and participating in a mentorship program. And I even said to my... like, I'm a nerd, I have internet friends, I've talked to my internet friends, and I was like, you know, I'm not really interested in this, I don't really care that much, but it'll be nice to see people again. No interest at all. So I ended up going. I'm a student, I'm a PhD student, I had an honest go at taking part. So I listened to the first presentation, it was how to use Burp Suite and how to use it to find vulnerabilities. And I started hacking, and I found two bugs.

Wow.

My very first day, within three to five hours I'd found... I found one bug and I found another one like an hour later, in a real piece of software, in Uber, in one of the core applications that's out like right now. It's not like one of the ones they're working on, it's one that's available that I'm sure you've used before. I can't say which one, but it's the core application, one you've definitely used before if you've used one of Uber's apps. And yeah, I found two bugs, and one of them was really cool. One of them was being able to change the amount that you could pay from being a positive number, so if you think about it kind of like an invoice, you'd invoice someone for like 10 quid, you could actually make it minus, so Uber would owe you money. Now you could also make it minus a million, and then they would owe you a lot of money, so then you would get to just drive in cars everywhere all the time.

Yeah, you could get every single one for free.

And it was also an IDOR, so not only could you change your own value, you could change somebody else's value as well. So I could make you pay a thousand dollars and I get a thousand dollars back. Those are the two vulnerabilities.

Wow, that is good Katie, that is a good find.

And that was in my first day of hacking, and I thought from that, this is a fluke, because I didn't know anything about hacking. I didn't even... the thing I knew was kind of developer side, so I knew like SQL injection bad, cross-site scripting bad. That's about all I knew. Like most developers, developers don't necessarily know how to write secure code, and if they do they should probably read your book, so they would learn more about it.

See, there you go, marketing will be very happy now.

So I didn't know that much about finding bugs, finding vulnerabilities, or what vulnerabilities were out there. So then I went to Vegas and I found two more, and that was maybe my second time hacking, second and third. My first bug in that event I found in five minutes. I literally opened up the target I was hacking and immediately found a bug. And then I found even more. I found bugs in Verizon, the Department of Defense in the States, Uber, oh what else... oh, I can't talk about the other ones because they are still being triaged and fixed, but I found ones in other applications that you've heard of. But yeah.

So that's so awesome. I like... technical skills. I'm putting links to some of Katie's papers on the screen and in the chat, in case anyone wants to read some academic papers about understanding insider threat.
[Music]
Insider threats are really cool. Do you want to tell the audience just briefly what insider threats are?

So when we think about threats to an organization, in terms of the big picture view, we often think about hackers, you know, we're thinking about people, hoods up in the dark. I could turn off the light as well, there we go, there we go. In the dark, hacking away on a keyboard which lights up, and this is what a hacker looks like. Actually, some of the biggest security risks to organizations are not in fact me, or any malicious actor. It's actually their own employees. You know, when a hacker has to do recon to understand the attack perimeter, and when they have to bypass security protections, we have to find vulnerabilities. An insider knows the passwords, they know what assets are valuable and who they're valuable to, which gives them a lot more knowledge. And the problem is it's really hard to detect insider threats, because they're just regular people, they're just regular employees. How do you know when your marketing department is about to go rogue? Like, well, they're going to leave Photoshop-style ransom notes: "come here if you want your Creative Cloud license", right? They're going to do things that they have really privileged access to, and they can kind of do it in the course of their own job, so it's really hard. My work is all about, instead of looking to try and detect it, to take reports and try and understand those reports. So if you think about, an attack happens and you have 50 reports from 50 different people, you know, one person in marketing has gone rogue, and actually the IT department saw some kind of suspicious network activity, maybe one other person heard them making a ransom note in Photoshop and saw it, maybe their boss realized that the upcoming whatever book was... they didn't like the cover of it and were complaining about it a lot, they were late to work. These are all little indicators which get lost in these huge reports. So we use natural language processing, machine learning on text, to try and pull out all of the interesting details and kind of map it out visually. That's all my PhD.

That is so cool. Speaking of marketing people going rogue, today someone was trying to hack the We Hack Purple Twitter, or not Twitter, Instagram account, and someone was trying to post a Monty Python sketch, and so I got this thing popping up on my phone saying "did you want to post this from your social media thing?" and I was like, no, this looks awful. And so then I asked the other person in marketing, "did you put this?" and she said, "uh, no, I would not post that, that's gross". And so I'm like, I think we have to change our password. So, very... marketing people going rogue. I love your explanation Katie, it's really good. We have a question in the chat for you, so I'm just gonna put it up on the screen: "Were you invited to the first bug bounty, or are there places that post bounties? How does all of that work?"
So the way bug bounty hunting works is kind of two streams. There's like the professional side and the unprofessional side, and I don't mean professional as in someone's full-time job, I mean it's the kind of very corporate side of it. But I'll explain them. Non-professional: there are bug bounty platforms which act as middlemen, which is really cool. So they'll go find customers, and what they'll provide for their customers is triage and support and how to use the platform. And what they'll do is list all of these companies, they'll show the scope, and then what you can do as a hacker is see a bunch of companies on one website, so like Etsy, Department of Defense, Uber, they're all on different bug bounty platforms, and you don't have to join one, you join many. And they'll tell you exactly what the rules are, and they'll say "okay, you do not hack this application, because we don't have the... usually it's the staff to handle it. We're not interested in bugs in this application, if you do that we'll ban you." And they'll say "here are the exact things you're allowed to hack, here are the exact rules, here's the credentials", and they have it all in one place. And the bug bounty platforms can then pay you, they provide triage services, all that kind of thing is all managed by the bug bounty platform. So you sign up, you see a bunch of platforms, you decide which one to hack, and then you find a bug, report it, and then it goes back over to the bug bounty platform, who will triage it, who will speak to the customer and who will pay your bounty.

So then you have the professional side, where you start to have things like live events. So what HackerOne and Bugcrowd do is they get all of their top hackers and put them in a room and then give them a target and say "okay, go hack, go hack things". So you have the people who make millions of dollars a year, who are these big, big, big bug bounty hunters, as well as people who make kind of more a hundred thousand pounds a year, which is still, by the way, a lot of money to people like me who are PhD students, who make a PhD student salary, which is not a lot, but it's okay because we don't pay tax, says the UK government. You don't have to pay decent salaries if you don't pay tax, you know, that's what they tell you. But yeah, so you get people in a room, you tell them to hack one target, and that's what I was invited to by one of my friends. And then that ended up with me going to... so I've been to the one in London, I've been to London before. I went to the one in Vegas, which was during DEF CON, never been to DEF CON before, and that was, my god, I'd never been to Vegas before, that was an experience. I've been to Vancouver, definitely one of the favorite places I've gone, I loved Vancouver a lot. And I've been to LA, and I hadn't been to LA either.
cool i've went to the states once and
then in one year i went like
three times because during my trip to
vancouver hackathon flew me out to
seattle talk at a conference
so like i visited the states three times
in 2019.
wow that's uh that's a long way from
england oh god it was
exhausting i'm not a big fan of flying
um because the time difference really
messes me up when i get there
so that's why i'm quite happy now that
most events are virtual because i can do
one a day staying up late
but then several i'm just like oh my god
i'm so tired
i'm so tired i feel the same way there's
actually uh this book that helped me so
when i
start traveling all the time to speak at
conferences it's called
your circadian code and it's basically
like don't eat at this time do eat it
this time
and then it really helps with jet lag
it's
it's not like about losing weight it's
about like making sure that you
you know it's called breakfast it's
because we break our fast
and so yeah if you fast for certain
times you'll end up so for instance
tanya don't get drunk on the plane just
because you feel like it
um instead you should not eat anything
and then it'll set it kind of like
resets your your thing it's interesting
see that's smart thinking that's really
clever
yeah someone um someone else told me
about that who did a lot of traveling
and uh yeah she also told me always
bring a belt if you're gonna wear a
dress
because they never know where to put the
the mic
pack on you and then it's awkward
because the man just looks at you
what am i going to hook this on to
[Music]
oh no we didn't design this for the
dresses in mind
i know don't know wider about the cyber
security industry
yes it does speaking in general
so there's a question in the chat is
hacker one still doing internships
do you happen to know i i have no idea
but both hacker one and bug crowd have
like
open if you're an excellent person and
you want to join us
then contact careers at um i don't work
for one of the bug
any of the bug bounty platforms they
just promote me a lot
nice that's a good place i wish i wish i
got paid
happy nights well maybe you should ask
them ask them to sponsor
some of your videos i'm already i've got
sponsorships now
it's i'm very proud of it actually
because i've finally been able to make
investments into my channel i've got
like a proper microphone
didn't have a microphone before now i
have a microphone what kind of um
i have one of the so i had i have a
friend who's an audio engineer
and i was like fraser you gotta help me
i have a youtube channel i have no idea
what i'm doing
i'm so lost people keep complaining
about the audio dear god please help me
i'm so confused i don't understand this
terminology
and what he said was okay you buy this
you buy this cable and then you buy this
and now i have
an audio-technica at2020 microphone
with a focusrite solo
scarlett i have wings i have i have a
scarlett
and a yeti oh yeti
nice it was a gift
i i don't know if i want to move the
camera but yeah i have like a
a microphone i sound like i don't know
what i'm talking about i really don't
one of my friends just really helped me
with all of this
i have a person that helped me too and
you better believe it i also appreciate
it
but speaking of sponsors i would like to
thank our sponsor for this episode
threadfix the best vulnerability
management system in this part of the
galaxy
i told them i would say whatever they
wanted and i have to say i like saying
galaxy
a lot and also that vulnerability
management's actually way more important
than people give it credit for
so thank you very much to our sponsor so
i have more questions katie
so now i just want to know way more
stuff
also someone commented that a hundred
thousand dollars
you can buy quite a bit of cheese and so
one of the questions was we we talked
about how we talk about cheese too much
on this podcast but
do your various jobs pay well because
you briefly hinted at this like no taxes
not bad
but is it is it very did you just
make tons and tons of money being a phd
student
no
[Laughter]
um so compared to the us uk salaries are
quite a bit lower
um and there's some reasons for this and
it's some people will say oh it's
because the cost of living
isn't as high in uh isn't as as high as
they say to us amanda too and that's not
true
yeah it's not true they just don't want
to pay people um
the average salary for a software
engineer is about 30 grand um
let me find that in us dollars for
people because
i'm pretty sure most people will be
outraged by this
also someone is asking what your
favorite type of cheese is because
we discuss cheese too much on this show
lactose free cheese because i'm lactose
intolerant
and there's only one brand you can buy
okay and i don't like vegan cheese
but yeah you get paid on average about
40 000
in the uk that's kind of an average like
develop a salary
for like a mid-level developer so it
puts in context
um i can afford to buy my lactose-free
cheese
i probably couldn't afford to start
buying
several lactose free cheeses i get paid
significantly less than that but
you know i don't really need a lot of
money um i think a lot of people getting
stuff like bounty hunting because
they're like i'm gonna be rich
um and i'm not rich and i don't want to
be rich um
i'm quite happy to live on what is
essentially a median salary
that lets me have a life i like i can
afford to buy
nice things occasionally i'm hoping next
year to buy a house
which is kind of exciting as someone
who's been renting for
like almost 10 years um
so i mean it's not a lot of money it
it's a stipend right the average is
quite low
um but yeah
it's enough it's enough and youtube like
right now i'm actually in the process of
moving
my partner doesn't have a job yet so
quite a lot of things like youtube is
helping me kind of bridge the gap
while my current salary before i start
kind of my
big big big boy job
where i actually get paid real salary um
which is like ends up being double what
i am at the moment um
but youtube helps kind of be a stop gap
in the next few months as we try and buy
things like
furniture and i can get a proper office
set up because right now
i'm in the spare bedroom think about how
nice it would be to not have christmas
tree lights as these kind
of decorations but instead to have
proper fairy lights right
or did you see on twitter someone
they're like they said uh
they bought this this light that shined
the galaxy
onto their room and i have to say that
it looked
so cool that would be so much cooler
so someone in the chat is asking are
there people who make a living from
bug bounty hunting those people aren't
me
very important to note i make very
little money from from bug hunting not
because
there's not earning potential there but
just because i don't do it enough
um i earn like
this year i went about five grand from
bug hunting
which is in the grand scheme of things
not really a lot there's people who earn
like over a hundred grand a year doing
bug bounties and also have a job
um wow so this is important to note that
most people who do
bug bounties also have a real job
usually in the bug bounty industry so
they do triage or they help manage
programs they like use their expertise
and there are people who just do it full
time and i'm in awe of them
because dear god i would get bored
really quick
i'm a bit i don't think i could hunt for
vulnerabilities all day
um i'd get really bored i'm writing my
thesis all day that's already boring i
can't imagine what it'd be like to
to turn a hobby into a job oh my gosh
katie
okay so what types of training does
someone
need to be good at your job or what
types of work experience do they need
and
since one of your jobs is being
a phd i mean i guess the training would
be a master's
for that i don't have a master's degree
i only have a bachelor's degree because
you can actually if you want to do
this is pro tips here there's a great
book called how to get a phd which kind
of goes over the pro tips of how to do a
phd
like life hacks phd um
but you don't need a master's degree to
do a phd in the uk
and in other usually in the anglophone
world in general you don't need it in
the states
what you do need is a drive to get a phd
which means doing things like taking on
research internships uh if you want
it means you know doing a dissertation
or a thesis for your undergraduate
degree
it means getting good grades so to do
a phd you do need a minimum of a
bachelor's degree but you don't need a
master's degree
which is good because that's quite a lot
of money and a phd is paid for i don't
pay any money to a phd i get paid for it
uh you have to pay for a master's degree
and it's like a lot of money
i've i'm already in like 60 grand of
student loans
um for my undergraduate degree so
that is a really really really good tip
katie
um okay so then what types of training
would someone need
then to be a bounty hunter or to be an
educational
youtuber to be a bounty hunter what you
need to do is watch my video
specifically my videos don't watch other
people only hers
only mine and make sure your ad blocker
is off because i'm sick of people
watching my videos for free
i'm just joking there's a lot of very
free resources my videos are one of them
um there's so many people coming up
doing videos on bug bounty hunting i
want to shout out farah
who is a fellow uh women in security
we had her on the owasp devslop show
this weekend she's amazing
she's really good um she's gonna
overtake me and subscribers soon i'm i'm
like betting on it well you should make
a video together so that you both get a
gazillion subscribers
you know there's the pro tips there
that's where marketing comes
um but yeah there's like uh i want to
shout out some of the smaller youtubers
as well hacksplained does amazing videos
the xss rat does amazing videos and he's
like your best friend and he does such
like
really cool casual but informative
videos there's the big boys like stök
um codingo is making really good videos
on tooling
like there's so many people coming up
now making amazing content on youtube
so you really don't need to take a
course
there's so much free content available
and obviously there's also blog posts
and disclosures and
so much more available and to be an
educational youtuber you wanna make
youtube videos just start
just don't don't tell yourself i need to
learn this i need to learn that i need
to get an editor
just make videos your first videos are
going to be awful
and you're going to look at them and go
that is the worst thing i've ever seen
you upload it anywhere you go
it's their own fault for clicking on it
it's so bad they shouldn't have bothered
clicking on it quite frankly they wasted
their own time and it's none of my
business
and then you slowly get better and
better and better and then in a year
after you've made videos every single
week you made 52 videos
you look back and you go i'll remake
that one now and then next year you
think about how terrible that remake was
and remake it again
so so that's how you do it
that's how you do it you just admit to
yourself that my first videos will be
awful
and terrible but i'll remake them in a
year so it'll be fine
it's really getting over that hump of
like my content is awful that's quite
difficult to do on youtube
it's so it's so true this is really
good advice from katie because so many
people i know they want to be
so perfect that perfect
is their enemy and then they never
release anything
and they're like how do you have so many
videos tanya i'm like low standards
yeah and they get better and better and
better and you learn from doing more and
more
right and you'll never get great if you
don't start off
at least as sort of crappy it doesn't
really matter and at the end of the day
when you first start out you've got two
subscribers
there's two people watching it doesn't
matter if your first video is bad
no one's watching it anyway and once you
kind of let go of that feeling of
my videos have to look like this
youtuber who's been making videos
daily for like since they were 16
and go and take a step back and go my
videos are terrible
it's fine it's their own fault for
watching it and that's what i tell
myself
whenever my videos do badly i'm like
it's their own fault for watching it if
it's a bad video
oh my gosh you're hilarious
okay so i want to know what you like
best about each of your three jobs what
are your favorite things
so i think doing a phd has honestly been
life-changing for me
um like actually life-changing like it's
completely changed the way i think about
the world and think about my place in
the world
and i think a lot of people will say
that about a phd
but it's i think people say and they're
like oh yeah it didn't really though
it absolutely did for me like i think
about
research in such a different way and
especially
when you start to look at how say a
organization looks at academic research
you can see hang on there's a big gap
here and
academics aren't reaching industry
and that knowledge isn't being shared
and
this is a huge problem it's not like
security because
academia might be one step ahead in one
part and then
two steps behind in another and industry
is struggling the same way and you kind
of take a step back and you realize
it's kind of like your your brain
expands that expanding brain meme where
it's like
you know you do research and then you
just realize once you do a phd
kind of how all the threads of research
come together
um and that's honestly been
life-changing for me the
like self-management the organization
i've had to do
has changed the way i work and the way i
think about work
and how i think about like doing things
like
setting strict boundaries how i think
about deep work versus shallow work
um how i think about what i can
contribute to the world
uh and with a phd you make a very small
contribution but that's a meaningful
small contribution
and that can mean a lot to people so a
phd has changed my life
um sorry an interrupt that's amazing
when i was 16 i had a tutor at um
school and he was like katie you should
do a phd
and i was 16 this is
a while ago and i was like no i don't i
want to go and be a developer
and he said no i really think you should
do a phd
um and it took me a while it took me
throughout i think i got to my second
year of my undergrad and i was like
i want a phd i'm going to do everything
in my power to gain a phd no matter what
and i still keep in contact with him and
i tell him everything that i'm doing and
he's really proud of me
and it's just sometimes with that like
i've known him since i was 16 now
and i bump into him at christmas when i
go see my parents
um but like being able to tell him hey i
got a job in academia
was just incredible and amazing and he's
so supportive of me
that's so wonderful i love i love that
story and the outcome and
gosh he is probably just like his heart
explodes when he hears from you
i bet i mean mentorship is so important
not just in cyber security but in just
any field having mentors is
incredible and don't forget your mentors
like people who help you want to know
you
you succeed and i'm sure you'll know if
you want a mentor you should do cyber
mentoring mondays
i literally just put it on the screen by
accident i put the at symbol instead of
the number sign cyber mentoring monday
every monday on twitter
we pair people with mentors
but yeah i definitely suggest even if
your mentor ends up being
somebody who doesn't necessarily help
you in the technical sense
but is just there for you and supportive
is
just so amazing but yeah i i always i
always give him an update and stuff like
that and he's really
like proud of where i've where i've
where i'm going um
i sent him my youtube channel as like a
very small
update and i was like oh here's
everything i've been doing here's my
website and then he was like he replied
back
i would like a longer update please
like please tell me more about what
you're doing
oh that's wonderful i
like this so yeah sorry what was the
original question
[Laughter]
it was what you it was um what you like
the best
about your jobs and i have to say i feel
like i really love your answer
but i have a more important question
than that one and that
is what are the actionable first steps
that someone could take towards trying
to work
in your field
okay so i'm gonna be very very quick and
try and give them five for each ones
so if you want to do a phd step one
is to get at least a bachelor's degree
you need a bachelor's degree to start
step two is to make sure a phd is right
for you do some research experience get
to know people in the field
speak to phd students they're often kind
of stressed but they'll spend time to
speak to and tell you what their job is
like
um i'm quite happy to speak to people
and and tell people yes my job is very
stressful
but a phd has changed my life um if you
can getting research internships is
really useful
and they're often paid which is a plus
and it gives you that experience of
working with a supervisor
the next step is to apply for a phd
that interests you or work with a
professor that you think
is someone interesting and the fifth one
is to actually start your phd
that's kind of the process it's a lot
like applying for a job
okay bug bounty hunter five steps one is
to subscribe to my youtube channel
yes um number two same thing
number three farah sorry stop i'll stop
interrupting
so the first one is to learn how the web
works like understand
what a request is what are responses
what parameters are
the difference why you have certain
architectures like client server
uh what's different between client-side
and server-side code
very basic stuff you don't need to be a
web developer it helps to be a web
developer because you completely
skip that step number two is to
understand how burp works so burp is the
tool that most people use
there's also owasp zap and it sits
between your computer and the website
and lets you
interact with those responses and
requests step three is to learn what
vulnerabilities are out there
that's where my videos come in that's
where farah's videos come in that's
where
you tend to get quite a lot of content
here's a vulnerability
and then next one is where to find them
so what are the signs
what points you to certain
vulnerabilities it's getting
that um intuition and number five is to
practice
practice practice practice practice on a
real target don't just do a ctf
ctfs are very easy and they're designed
to be quite easy real targets
have a ton of requests so many requests
so many responses they have
your ad servers your analytics they have
so many different scopes that's bug
hunting youtube is
decide what you want your content to be
um whether that's going to be like
educational uh informative book kind of
casual
whatever the second one i recommend is
getting some branding to start with
having an idea of what you want your
videos to look like are you gonna be
in front of a camera are you gonna use
your face a lot
um are you gonna be like me and use more
of an avatar that looks a lot like you
and you get a lot of comments where
people are like wow
you look a lot like your avatar and i'm
not sure whether or not to say
thank you or are you sure
um then it's about
um making videos accepting your videos
are awful
and making them anyway and then five is
to push them out there you know use your
use um instagram
use tiktok whatever it takes to get your
content out there
and those are my five five top tips for
my
three different jobs thank you for
coming to my ted talk
seriously that was the best answer i
have ever gone to that
to that question katie oh my gosh you're
amazing
okay so i have one final question and
then we will end
the podcast and that means i go and i
thank my sponsor so
of course everyone needs to like and
subscribe to our channel and like this
video and then go to katie's channel
and just click like on every single
video because you know you're going to
watch them
but you can like them all now and then
tell your friends to like them too
icon yeah like subscribe hit the bell
icon
definitely um so the last question
is where can people find you
do you have a website or events coming
up or links that you'd like to share so
i've shared
your youtube channel and i've shared
your twitter it happens to be on the
screen underneath your face right now
where else could they find you
um you can find me i have a website
insiderphd.dev
which just kind of combines all of the
links in one so i don't have to remember
them
um i primarily use twitter and youtube i
have a discord server
which is linked in all my videos if you
want to be part of my community we have
a really good supportive community
of i've kicked out everybody i thought
was being rude so that way i've only
ended up with the good people
and the people who are the nicest and
most helpful um
which helps a lot it's quite a small
community but it's growing
um you can find me on patreon i have a
patreon
um you can pay me five pounds a month to
tell me i'm great
and you like my content and you get a
few perks and bonuses
um and then 10 pounds gets you my notes
if you want to see my
beautiful handwriting um and terrible
doodles
so are all those links available at ph
uh
insiderphd.dev
they're all on there so that way i don't
have to remember them all
uh but yeah i'm primarily on youtube um
i make videos
every single week yes that's also
stressful
i recommend if you're starting youtube
perhaps not doing videos every single
week
perhaps starting with two weeks video
every week is quite it's quite awful to
do
um but a video gets out every week uh
i'm currently
speaking gonna be speaking at owasp santa
barbara
on halloween or halloween for me it's
not halloween in california
but it'll be really spooky because i'm
going to be hacking something live
cool oh my gosh that's amazing and also
well we all need to go bookmark
insiderphd.dev
for people that are listening that's
d-e-v like victor
yes thank you so much also don't hack my
website yeah don't
don't do that also don't hack my website
either if you don't have permission to
hack my website please leave it alone
oh my gosh there are so many people that
they're like i know what i'll do and
it's like no please please don't do that
please don't hack my website thank you
i taught you this to use it for good not
evil
yes not against me exactly what am i
teaching these
skills for it's like the part in star
wars where
um anakin goes after obi-wan it's like
what on earth i just i loved you like a
brother
i let you see my my links and my twitter
and my youtube and then you treat me so
bad
it's getting a static html page but
people still try and hack it i'm just
like what are you trying to hack on
there's nothing there
yeah yeah my webpage does nothing except
ask people very politely to buy my book
that's it and it also says you probably
don't want this page you probably want
to go to wehackpurple.com because that's
where the good stuff is
thank you so much katie for being on the
show you have been so
great it's been such a pleasure talking
to you i really appreciate you coming on
yeah thank you very much um every single
every single question has three answers
my three different jobs
but hopefully i i hope someone can
listen to this and
feel either inspired to start making
content if they don't already
or perhaps realize that actually you
don't have to be smart to do a phd you
just have to be really dedicated and
i think if a phd is what you want you
can go for it you don't need to be
really clever and if you keep telling
yourself i'm not smart enough
stop no one's partner yeah stop saying
ideas
right our content is awful we're all
done
no one seems to care yet someone
actually commented
in the chat that they're a fourth year
undergrad computer science
and they are looking to get started in
infosec so they're gonna take a look at
the cyber mentors next monday and that
is a great
way to start definitely yeah that is
i mean i i try and retweet it every
monday to my followers
um thank you cool so
thank you katie and i'm going to so you
can wave goodbye before i put the
amazing image on the screen if you
desire or you could not wave goodbye
it's up to you but i kind of am a fan of
waving
thank you for coming on the show well
thank you very much for having me
thank you everybody for listening to me
ramble for an hour
no you're great you're great so please
do tell us about the sponsor for this
video
i will you have been watching the we
hack purple podcast with sponsored
this week thread fix and our guest this
week was katie paxton fear
also known as insider phd and i'm tanya
janca your host
thank you so much for watching i hope
that you subscribe and i hope you come
back next week every thursday at 6 p.m
pacific standard time
if you write a review for our podcast
on apple itunes and you send us a
screenshot on twitter
at we hack purple and you send us a
mailing address we will mail you
stickers
yes that's right bribery from the
we hack purple folks
but while i have you the one last thing
i want to tell you
is who's coming on in the next couple
weeks so i hope that you will join us so
the next week
is dominic west and we're going to talk
about what's like to be a senior cloud
security consultant
the week after that stephanie black to
talk about
what it's like to be to do sales
basically in cyber what is it like to do
that
after that there's going to be tyrone e
wilson to talk about what it's like to
be a ceo
of a security company and then the week
after that we're going to have kim
crawley who's going to talk what it's
like to be
basically a reporter and a writer within
cyber security and what that looks like
thank you again so much for tuning in we
really
really appreciate you having us and with
that i am going to sign off and talk to
you all
next week