We Hack Purple Podcast

We Hack Purple Podcast 13 with Kim Crawley

November 13, 2020 We Hack Purple! Season 1 Episode 13

In this episode our host Tanya Janca (also known as SheHacksPurple) talks to our guest Kim Crawley, an independent cyber security writer and researcher, to learn what it's like to write, find contracts, make a name for yourself, and more! We also talked about her conference, Disinfosec.

Kim Crawley can be found here: Twitter, her book The Pentester BluePrint, the conference she founded, Disinfosec, and you can read many writing samples here.

Sponsored by Ubiq Security!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field. 

Also, check out Tanya's book, Alice and Bob Learn Application Security!

Subscribe to our newsletter here: https://newsletter.wehackpurple.com/
For corporate virtual training contact info@wehackpurple.com

Welcome to the We Hack Purple podcast, where each week we interview a different member of the information security industry to talk about what it's like to do their job. There are so many different possibilities for a career in information security and cyber security, and we at We Hack Purple want you to know about all of them. Also, Tanya is a curious cat.

This week we have a fellow Canadian, Kim Crawley, who is a security researcher and writer, and she just wrote a book, and there is a lot of awesomeness happening with Kim. Our sponsor this week is Ubiq Security, and they do API security, and we're going to learn a bit more about them in a bit. But for now, I want to welcome Kim to the podcast, and I'm going to click the button where we reveal her. Wait, no, I clicked it too many times and I hid you, I'm sorry. There we go. Okay, so here is Kim and me, we're both here. Awesome. Yay, thank you for coming on the show, Kim.

I really thank you for inviting me.

Yes, thank you. I definitely appreciate having you here. I am adding, like, a little logo to the top corner, and I'm adding it in the wrong place. I'm learning about adding stuff on the screen. So thank you so much for coming, and will you tell us what your job title is? And it's okay if you don't have an official title, but you know what I mean. And just tell us a little bit about what you do.

My job, relative to other jobs in our industry, is very weird, because seldom do I ever engage in security practitioner work, although these days it's starting to look like a bit of an exception. We can get into that later. But my job is to write about stories, often about cyber attacks, often about, you know, timeless matters like how to configure a firewall, and static issues like that that aren't necessarily timely but more relevant in the long term. And I have worked for so many big tech corporate blogs: BlackBerry Cylance, Sophos Naked Security, Venafi's blog, I've worked for them in the past. I've contributed content to AT&T Cybersecurity's blog for the past several years. That's one ongoing gig that I still have. And I think I'm writing content for several different companies now, and I can hardly keep track of them all, to be quite honest with you. So yeah, so it's a weird job.

No, but there are so many rare jobs in infosec, and that kind of means there's a place for most people, if that makes sense.
Yeah. So a thing that I'll... oh, Vicky says hi to both of us. Vicky Gateway, hi Vicky, thank you for coming. So I want to ask a whole bunch of questions, because I want to know what it is like to do your job, and when I say job I mean kind of like about your career, because there are other people who are writers or journalists or researchers that enjoy writing and enjoy basically, like, researching the crap out of something and then putting it into an amazing format so others can, you know, absorb all of that information. What is a day like in the life of an independent security researcher and writer?

It is very unpredictable. I mean, to be able to do it for a living, because most people who do what I do, and they write content for corporate blogs and stuff like that, they have a day job as some sort of security practitioner, like they're a malware researcher or something like that. This is my day job, so it's very hectic. I used to work for the same few companies long term for a few years, and then the pandemic kind of shook things up. So my job basically is... I have a certain reputation. Sometimes I get work based on my reputation now, but it's a lot of just checking my inbox, seeing the five editors emailing me saying, hey, we want you to write about this, that and the other. Sometimes I have to remind myself to email an editor who hasn't emailed me for a few weeks and say, hey, I can write something for you, I've got this great idea, please say yes to it, I like money, please pay me.

So, you know, I didn't really choose self-employment, I think self-employment chose me. I'm not anywhere near as adventurous or risk-taking as you are. Like, you started your own company, you took on a lot of risk to fulfill your dreams and to have independence in your career. If it were completely up to me I would be an employee, I would be an employee who knew which hours they worked, knew that they were going to be paid X amount of money every two weeks, et cetera, et cetera. But life didn't work out that way for me. In a sense there's a kind of strength in the precariousness, or the unpredictable predictability, of my work, because if a company lays me off, that's not my entire income or career.

Yeah, so there's flexibility in not having all of your eggs in one basket, for sure.

But yeah, the instability can be a little stressful at times, to be completely honest. But I've kept this going, just doing this as a career, for several years now, so I think I've found my groove.
Awesome. So what I heard from all of this is that companies need to snap up Kim immediately.

Thank you.

No, like, for real, she's a really good writer. That's why... I'm not going to invite someone that's crappy at their job on, I invite people that are awesome. So, like, yeah, okay, so this is good, so I'm going to keep this in mind, because watch it, people are going to be like, oh, I heard Kim was... This is good, and this brings me to a question that is totally unrelated, but I just really want to tell everyone: Kim has a book, and I just ordered one and it's not here yet. I was really hoping it would arrive so that I could show it to you, and I'm kind of sad, but I know it's on the way.

I am going to be ordering your book, but to be completely honest with you, I really prefer e-books. I prefer e-books because my favorite place to read, when it's not related to an article that I'm researching or something like that, is to lay in bed in the dark after 9:00 pm, and so my smartphone screen glows and I can just fall asleep, and my phone slips under my pillow afterward.

Oh, I like that idea. So I have this massive set of bookcases...

But really, an e-book is much more likely to be read by me.

They're all in physical, yeah. I respect that, absolutely. Most of my books are actually audiobooks, because I like to garden and also listen to sci-fi at the same time. But I bought a physical copy of your book because I feature books in a lot of my videos, and I was like, well, obviously I have to feature her book, so I'm gonna have to sit my butt down and then read it, which is hard for me. So I hope you understand, like, that's my dedication level.

I'm really honored, and I'm looking forward to reading your book. I was really impressed by what the art department did with your cover. Quite honestly, that is a beautiful cover.

I'm just gonna show it, because I can't help myself. It's beautiful, so pretty. So they're like, what do you want on the front? I'm like, I want Alice and Bob, and I've decided Alice is an Indian woman, because there's so much tech coming out of India, and I'm like, and I want Bob to be like this middle-aged white dude. I kind of wanted him to be chubby, but sometimes you have to take what you can get. And then, like, and obviously it must be purple, but I really like pink, so can we work that in there? And they're like, this. And I was like... like, we went back and forth so many times, and finally they're just like, it's this one. I'm like, yes.

Like, Wiley is such a big publisher when it comes to the kind of stuff that we write, their art department is amazing. Like, I was impressed by what they did with our book too.
Yes. What if we talked about your book, because I'm putting it on the screen underneath you, for people that are watching, a link to Kim's book, that is a co-production with Phillip Wylie.

So the book is titled The Pentester BluePrint. The reason why it's titled The Pentester BluePrint is because it's based on Phil Wylie's series of Pentester Blueprint talks, which he has given at so many different cybersecurity events. And the curriculum of The Pentester BluePrint is basically: what's the hacker mindset, what are the correct steps to take in order to be successful as a penetration tester. And Phil is one of the best pen testers in our industry, like, bar none, and he got the deal with Wiley to write the book, and then he found that he was so busy with his Pwn School, with his day job as a red teamer (he now has a different day job as a red teamer for Point Three), and then he's got a wife, you know, he's got family, and he found that he didn't have the time, with all his other professional responsibilities, to finish the book according to Wiley's schedule. So he approached me out of the blue in April, April of this year, and he said, Kim, would you like to co-write my book and help me finish my book? And I was honored, I was so honored. I was like, yeah, in a heartbeat. Like, I didn't hesitate to say yes. So a few days later I was sent a revised contract and I signed it, and they said, Kim, you and Phil have until November to finish the draft. And I said, forget about November, I can finish this up by July.

Oh my god.

I did. So Phil had written half of the manuscript at that point, all scattered across all the various chapters, and he gave me the book plan and everything that he had written thus far, and I had several meetings with him over Zoom to make sure that, you know... because obviously, even though we're both co-authors, this is based on his vision. And so after chatting with him a little bit and looking at his plan and looking at all the great content he had written so far, I just finished it. And there were a few chapters, especially towards the end of the book, where I wrote 90 percent of the chapter, and it took me a while to think about how am I gonna fulfill that chapter, like the one on the skills inventory, for instance. I had to think about that one for a while, but I did it, and I promised them I could do it way ahead of schedule, and I did.

So I was actually telling someone, I'm like, Phillip is a genius... a super, super, super smart, talented person who's a kick-ass writer to help him finish the book. I'm like, maybe my book wouldn't have been half a year late if I had had Kim on my team. And I was like, Phil's brilliant, that was a smart move.

But you know what, Tanya, you are super productive. I could not keep up with your schedule, honestly. I would be terrified to start my own business, for instance, and you're doing great. And I've been telling people that it's much easier for me to finish a book, because when writing is 90 or 100 percent of your work, it's much easier to write. If you are designing application security courses or running a security operations center or whatever, it's a lot more difficult to finish a book.
Do you love... so, like, the thing I liked the best about writing a book was where you do the deep work and you just get into it and you write for hours.

Yeah, there was one chapter that I wrote 90 percent of, and I did it all in one day, because it was just like a spark of inspiration.

Oh my god.

And that was chapter 2, I believe, which is basically prerequisites, what you should understand before you start your pentester journey. And I figured the best thing for this chapter would be to go over all the fundamentals of cyber security 101. So it was about 10 a.m. and I had already had two of these...

And she's showing a Rockstar energy drink, folks, because there's an audio-only version too. And by the way, in the show notes we're sharing links to everything we talk about, her book, you can get it there. Sorry.

So I cracked open another one and I sat down at my word processor, and I just let everything out of my brain that I believed constituted a foundational understanding of cyber security in general, including, like, the CIA triad, the different types of malware, the different types of security controls, the different types of access systems, like role-based, et cetera, et cetera. And I figured, get this all out now, and then we can fact check afterward before we send this to the editor.

That's right.

And there wasn't much that I had to change in the fact-checking process, and then I just submitted it. Some of those other chapters were 90 percent written by Phil.

Okay, so we very much go back and forth. Okay, so that's amazing that you didn't have to do that much editing, because I found two thirds, maybe even three quarters, of the time that I spent on the book was technical edits. My technical editors really were very strict with me, which is good, because I need that, and they made me make a million references. Like, I'm used to just writing a blog where I'm like, this is the way, and they're like, you can't just say that, Tanya, you have to prove it with other people's references. I was like, darn it.

So for everyone that is listening on the line, I'm really sorry about the latency issues, because I am not having any latency issues on our side, and so that means it's the live stream, and I'm really sorry. The recording will sound fantastic, because it's local to my computer, so Kim, you look fantastic and sound fantastic. But I'm really sorry to those that are tuning in live, but I would like to ask that you'll click the thumbs up button anyway.
Okay, Kim, I have way more questions for you, though. I just really wanted to talk about your book, and how every single person ever should buy Kim's book, and then they should buy my book, and then maybe they should get a second copy of Kim's book. But after you're done doing that...

Remember, like a couple of weeks ago I tweeted, if someone wants to become an application pentester, which is one of the most high-demand types of pen testing, they should definitely buy your book and buy our book at the same time, because the two are complementary, and that would be all the application pen testing 101 to start you on your way.

Oh yeah, oh my gosh, definitely. Yeah, those would be really good, complementary. And I am actually indeed planning to read your book, and may or may not get into trouble as a result. So I wanted to ask you about, like, what types of personality traits you think someone needs to be good at writing, and good at... because you have to do a lot more than writing in your job. You have to chase contracts and get contracts, and then you have to do a certain amount of promotion and all these other things, and, like, you basically have to manage your own reputation as a writer, and that takes a lot of effort, like, people might not realize it. So what types of personality traits, or maybe, like, aptitudes, I don't know what the word is?

I was kind of like an erudite know-it-all when I was, like, six years old.

Wow.

I'm just fascinated by knowledge, and I was a very early reader. My curiosity was insatiable. I would constantly be asking my dad questions: why is the sky blue? I think when I was five years old I asked my dad once, why are older women so insecure about their age? I, like, asked about... civilian freaking questions. And obviously, like, obviously you have a lot of those same traits, like an insatiable urge to fill your brain with knowledge. So that helps a lot.
On one hand, I'm confident that I'm good at what I do. On the other hand, I know that I have this as a career because I totally suck at most other things. I couldn't last at McDonald's. I managed to do tech support for a while before I got into cyber security full time, but tech support is hard as hell. Not technically, really, but the demands of having to close, like, 30-plus tickets a day and deal with customers who are unreasonable and stuff like that. There are so many different jobs that I would totally suck at, even within our own industry, and I have found the job that I actually have natural talent for.

So I feel that Kim is underselling herself a bit, but I actually know that feeling. Like, when you're saying I don't think I would cut it at tech support or McDonald's... I actually did tech support briefly, for like six weeks, and it was at night, and I did not cut it. I was just like, I can't handle this, like, someone's being rude and I can't be polite to them. Or, like, one guy was like, playboy.com is down. I'm like, that's not my fault, like, I don't know what to tell you, dude, like, try again later. Like, is the rest of your internet working? He's like, I don't want to go to the rest of the internet.

I was doing remote support around 2008, 2009, so a lot of people had IE6, and I'd open their web browser and it would literally, without exaggeration, be three quarters toolbars. And they'd be like, why am I getting mal... no, a lot of end users don't know the word malware. Why am I getting viruses all the time?

Right.

And, well, you have three different versions of the Ask Jeeves toolbar, you have WeatherBug. WeatherBug has always been malware.

Oh, wow.

You keep... you get pop-ups that say you won this contest and you click on them. You're like, no, no.

Now that you're speaking about technical stuff, what types of technical skills do you think someone needs to be a security researcher or security writer?

I think cyber security is a certain way of thinking. You have to think, there's this technology, how can people use it to do bad things? But also, how can there be mistakes with this technology that aren't necessarily malicious, like bugs, for instance. And so if you always think about how can people do bad, or how can this go wrong, it's a way of thinking. So you can learn the technical knowledge, but the mindset cannot be taught.
I hear you, for sure. So if you only need a certain level of technical skills, what type of training would someone need to be good at your job? Because they have to be a really good writer and good at explaining really complex, abstract concepts.

My dad was a novelist. He's not around anymore, but I think... I mean, this is not something that a person can make a conscious decision about, but I was raised by a professional writer. It always seemed like a very normal thing to me to write and get paid for it. So my dad was giving me lectures about what do editors want, what do publishers want, when I was like four years old, I am not even joking. So I had kind of an unfair advantage there. But my dad kind of tainted my thinking about writing too, because my dad taught me that the only valuable writing is the writing that you can get a publisher to publish and pay you for. And so I do have writing that will deliberately never get published, like I keep a whole lot of embarrassing poetry in Google Keep, but I feel so guilty about it. I feel so guilty about any writing that doesn't translate into a paycheck, because that was my dad's attitude.

Oh, wow.

And so on an intellectual level I believe that writing has value whether or not it's commercial or you get paid for it, but emotionally I can't feel that. Like, I hear people talk about self-publishing books, for instance, and I try not to be rude like my dad would be, but I think, you're self-publishing? Like, you can't even get a commercial publisher to publish this, you're going to pay to get this published? Who pays to have their own writing published? That's the thought process I have, and then... but I know that that's rude and that's not a good way to think, and I try to bite my tongue.

Did you have... so I had many, many people suggest that I self-publish my book instead of going with Wiley, and I was like, but they're awesome at publishing books, and I know zero about publishing books, and so I wanna have experts behind me and, like, project managing me and, like, herding me like the cat I am. Do you know what I mean? Like, did people suggest that to you too?

No. Phil was considering self-publishing The Pentester BluePrint if he couldn't deliver a full manuscript by the time Wiley wanted it, but then he changed his mind. He decided to finish it by co-authoring with me, I think. I mean, self-publishing is an expense. It's an expense that you take on yourself. If you're willing to spend a couple of thousand dollars with the knowledge that you might never see that money back, if that's a risk that you want to take to get your writing out there... It's a lot easier to self-publish these days, because Amazon will sell, or at least distribute, self-published e-books and the like. But you are taking on a risk, whereas our publisher took on that financial risk, and our publisher has a massive distribution network, gets our books into, like, Barnes & Noble and Indigo, and gets a placement in Amazon's website. Like, our books probably place a little bit higher than if we had self-published it and tried to distribute on Amazon.

For sure, for sure. So someone is asking, where is the podcast? Oh, sorry, someone's asking in the chat, where is the podcast, and I am assuming that they mean this podcast. So this podcast is available, audio-only version, off of all the major podcast platforms, so like Apple iTunes, the new Amazon one, Podcast Addict, like all of those places you should be able to get it. Sorry to interrupt you, Kim, I was just...

No, it's okay.

No, but I was like, Kim didn't say anything about podcasts, I'm so confused, because I was like... I just get so enthralled in the conversation, and I was like, oh, I should probably actually answer that.
I love podcasts. I use Podcast Addict. I have about 40 different podcasts I subscribe to, and I recently added the We Hack Purple podcast to that list.

Thank you.

But I only subscribe to about five cybersecurity-related podcasts. The other, like, 35 to 40 podcasts I've subscribed to have nothing to do with our area of study whatsoever, because a lot of the time when I'm not working I just don't want to think about work, and thinking about anything cyber security related makes me feel like I'm on the job right now, it's work mode time.

I agree, I agree so much. Yeah, we need breaks, including brain breaks. I have more questions for you, though, but first I want to thank our sponsor, Ubiq Security, encryption made simple for developers. They have a free tier starter available for all developers on the internet, and you can use it to encrypt your APIs and much more. If you sign up today it's free, and you also get free stickers of Spikey, who's like their super cute mascot guy. So I'm going to share the link in the chat, but it's just dashboard.ubiqsecurity.com.
So Ubiq is U-B-I... and so I'm going to share that in the chat. But going back to how could someone become a cyber security researcher and writer, what type of work experience would they need, or, like, type of learning path, maybe? So, like, let's say someone's like, I want Kim's job. Not like your actual job, but I want to be like Kim. How are you... yeah.

I would recommend, like... tech support is really, really hard, but unfortunately or fortunately it's one of the easiest types of jobs to get if you just have some very basic IT certifications, like a CompTIA A+ or whatnot. So everyone's path is different. My path was, about 13 years ago I had a CompTIA A+, and then I got a Network+ and a Security+. I got my first tech support job based on my A+. I started to realize that out of the 30 tickets I would close in a day, 20 of them would be malware related, and I was removing malware all the time on other people's Windows machines. And then occasionally there would be malware that was destructive enough that it would mess up all the .lnk files on the Windows desktop. I'd have to write new Windows registry keys sometimes. That was a great way to at least get my foot in the door, and it made me interested in cyber security just because I could see constantly, frequently, every day, what malware could do. And there's a lot of different ways that a computer can be cyber attacked, not just by malware infection, but it made me catch the bug, basically, like the cyber security bug.

There were several years that I would just write posts, like on Medium, for instance, about cyber security, and I would just tweet about them. And it took me, I would say, four or five years until I got to a point where I could make a living doing this stuff. It's good to just get out there. I would recommend that people just start writing on a platform that is free, like Medium or WordPress or Substack or whatever. Get active on Twitter, because not only is the tech community most active on Twitter, but also the writing community. And it might take several years, but just, like, tweet, tweet, tweet, tweet what you've been writing about, get people's attention, and then eventually what might happen is what happened to me, and like Tripwire's State of Security, and Joe Pettit, he was the first guy who gave me a real chance.

Nice.

But once I was on a corporate blog I got a lot more offers to write for different corporate blogs, and it just all kind of snowballed from there.

That's awesome. I have done work with Joe Pettit too, actually. That dude's great. Hi Joe.

Hi Joe, thanks for giving me a big break.

Right, that's awesome.
So the next question I have is a sensitive question. Does your line of work pay really well?

That varies greatly. I'm at a point... I'm going to be completely honest about my pay, because I want writers and prospective writers to know, so that they can insist that they're paid decently.

Good.

That's why companies don't like employees to talk about their salaries and whatnot, because they don't want them to gang together and try and insist on higher pay if one of your colleagues is making more money.

Yes, only the company wins when we don't communicate.

So I get paid anywhere between, in Canadian dollars... I'm usually paid in U.S. dollars, but...

Me too, me too, yeah.

But by the time it hits my bank account it becomes Canadian dollars. It's anywhere from four hundred to six hundred dollars per thousand words. A thousand words is on average, like, two pages full of text in your word processor.

Cool, that's awesome. It's hard to know how much people get paid for things, because someone was asking me to write a blog for them, and I was like, okay, and they're like, we'll pay you, how much do you want? I was like, I have no idea. So I should have asked you.

I would say to up-and-coming writers, if the company wants you to write for them, don't work for free. You might have companies saying, oh, but I can give you great exposure. Yeah, but the more people who do what we do for the exposure bucks, which you can't pay your rent with, it drives down how much all of us get paid. So I would say even if it's a small company asking you to write for them, demand at least, like, 300, like 30 cents a word, like 300 bucks per thousand words. Don't accept anything less than that, because I can get like 60, 70, sometimes 80 cents per word sometimes.

So that's good to know, because the same thing goes with all sorts of different types of work. So when I was a musician I would be paid to perform music, and then there would be these newbies that are like 19 years old and they're like, I'll just do it for free, and I was like, then a bar will book you instead of me, even though, like, your music sucks and you're not actually skilled yet, because you haven't been doing this for very much time. I'm just like, ah.

Yes, I actually this year had a conference organizer pressure me to give free training so that I could get exposure. And you know what I did, Kim? I showed him. I'm like, oh, I don't know if you know, but I'm an industry influencer, and then I actually showed him stats. I'm like, I'm actually 10,000... or I'm 10 times more famous than your conference, so you have exposure from me. And I was like, and I don't work for free, and trying to pressure me to work for free... So then he's like, I'm going to remove you from our roster, and I was like, did you want to meet my lawyer? Yeah, yeah. And then suddenly I was on the roster and everything was fine.

That is good, but, like, there are all sorts of people that get bullied all the time, like, to do... like, well, if you just write this thing for us for free, Kim, blah blah blah, we'll promise you the moon later, right? No, no. Like, if someone is giving... why buy the cow if you get the milk for free?

Yes, yes.
so speaking of which because i feel like
this perfectly goes into the next
question which is are there a lot of
opportunities to do the type of work
that you do
in our industry to be quite honest with
you
there are fewer now than there were this
time last year when the pandemic hit
a lot of tech companies were like
our marketing budget for our corporate
blog
is an unnecessary extra expense
and either they got rid of their blog
altogether like
blackberry and silence or they decided
the people who are working
for us as malware researchers or
whatever
they're gonna they're they're gonna
write all of our content
and we don't pay them anything extra to
do it because we already paid them a
salary or whatever
yeah so i have had to get really
creative with my
career i still write for att
cybersecurity's blog
and i've got like an absolutely
wonderful editor there
uh kate brew so shout out to her oh i
know at security brew on twitter
i'm just sharing uh the link to your
blog right now underneath you
on the screen i've i'm doing a lot of
work for a lot of
smaller companies like sanayu for
instance
um i was talking about how i've started
to get
closer to doing some stuff as vaguely
practitioner work i got this interesting
gig
out of the blue a week and a half ago i
was emailed
saying kim we want you to do malware
research well not really malware
research it's more
antivirus research like a malware
researcher will look at malware samples
and
try to understand how it behaves i'm not
testing malware like that i am testing
the antivirus software
oh cool cool so
i have a windows 10 virtual machine
because you don't infect other people's
computers that's illegal
so i have a windows 10 virtual machine
it's sandboxes the malware that i
execute in it i i'm trying all kinds of
different antivirus software i tested
norton a few days ago i'm on to testing
total av
and i will see with the same sample of
997 malicious items
using the same sample for each antivirus
application so i
look at how much of that malware did
the antivirus software detect based on
its latest signatures
and this isn't like writing for the
general public
so if it feels like new territory to me
and i feel like i'm doing more
like the people i used to write about
what they used to do
so it's kind of it's kind of weird and
interesting but it is a job that people
work for a v
test do that full-time so
But that's really cool, and we need someone that can write that up in a way where, one, they actually understand the results, but two, where you can actually communicate the results, because sometimes people are brilliant, technical at this or that, but they're not so great at communicating, and so you have that magic where you can kind of speak both languages.
And I'm allowed to tell you the specific details that I'm telling you, which is: I am doing financial security research for one of Canada's major banks. According to the NDA I may not name which bank, but I can say it is one of Canada's major banks.

We only have five.

Yeah, it's one of the five. So basically this is what I'm allowed to say: I am writing reports based on what I think are the most pertinent cyber threats specific to that bank.
Oh wow, so that's an interesting new gig.

So it's very difficult. It's a different kind of work, because the reports I would be writing would be internal and classified, to only be read by employees of the bank and corporate executives of the bank. So it's not publicly available writing like I'm used to doing. And from late 2016 to early 2020, 90% of my work was publicly accessible, for corporate tech blogs and no paywalls. And now my career is starting to look very different, because I've had to be adaptive because of the way our industry has changed this year.
I have actually found the exact same thing. So, now that... because we were talking before we went on about what it's like to be independent, and then you end up doing all sorts of work where maybe you didn't even realize that was work. So I actually do private talks all the time now. You see me speak at conferences, but I do private events a bunch of times per week, and turns out that pays really well, and you can have a very intimate conversation where you can be a lot more open with what you're saying. And so if you're giving this report inside of a bank, you can be very, very clear about exactly what they are facing, and very specific in a way that you never could if it was going to be public. So how does that feel, being able to be brutally honest?
The bank asked, "We want your ideas for four reports for the 2021 year," and I pitched them my four ideas, which I could not explain what those ideas are, and they're like, "We love that, that's exactly what we want." So it's looking good so far.

That is awesome. So that brings me to another question, which is: what do you like best about the type of work that you do?
In some ways my job is easier than being a security practitioner, in the sense of, if you're a network administrator, or if your job is to develop security patches for applications, or stuff like that, you make a mistake, it directly affects businesses and people's lives. I get to play with ideas about, you know, the theory of cyber security without having to worry that if I'm not doing my best in the security operations center that day we could be taken over by a major data breach or whatever. But in the other sense, in some ways it's more difficult, because I think a lot of... I mean, there are so many different areas of security practice, I mean red team, blue team, purple team, a lot of different teams. But in another sense it might be more difficult because a lot of the things that you could be doing in your everyday life as a security practitioner could be habit and routine, whereas I have to explain everything. I can't have an idea without explaining it. And then there's the unpredictability, as I explained, from not being an employee.
So yes, I have to say that not being an employee is equally... we had someone on the podcast last week, Tyrone E. Wilson, and he said it better than anyone else ever when he said it's terrifyingly motivating. He was really good. Okay, so I went... upside-down websites, yeah.

When I... I only work as long as I have to work in order to produce the work that people want to pay me to do. If you work in an office, chances are you're spending a lot of hours looking busy but with nothing actually productive to do, but you could be spending those hours of your life doing better things than sitting in the cubicle wasting your time, but you have to be there because you have to be in the office for those specific hours.
Oh my gosh, that is a huge bonus. I just go on a walk sometimes. I'm like, "Oh, my brain's not working, I don't think I can work right now," and I'm like, "I'm gonna go exercise," or quite often I just go into my garden and play with my plants and stuff.

Isn't it great that when you're working you're actually working? So when you don't have work to do you can just engage in leisure, relax at home, because you're working from home.

Yeah, I feel like with my work I am 100% present, and that is nice, to not just... because when I had programs sometimes I would just lose time, if that makes sense. Or like, oh, those big employee meetings where they would just say so many things to you and you're like, "No one cares, when will this all-staff be over?" And you're just like, yeah.

Meetings are annoying, but quite frankly all the Zoom meetings can be kind of annoying too. I have had so many Zoom meetings since the pandemic started.

Oh yeah.

And honestly, a lot of the time I would love to say to a client, "This could have been explained in an email."

Oh my gosh, yes, yes, yes.

Well, you can tell me what you want me to write for you in an email.

Yeah, yeah.
Yes, a thing that they did at Microsoft that I really liked is they would go through the agenda and they would say, "Does anyone else have anything else to add?" and if no one did they would go, "Great, gonna give you back seven minutes, everyone have a good day," and they just end the meeting. And in the Canadian government, where I'd worked before, it's like, "Oh, the meeting goes till this time," it's like someone was like, "I'll just waste time until then." I'm like, no, I can get a lot done in seven minutes. Like, I could walk down to the cafe and get a nice cappuccino, come back to my desk, and get a little bit of exercise and also have delicious, delicious caffeine. Like, I'm like, why are you messing with me? There's so much stuff we could get done in the seven minutes, and seven minutes times, like, 10 people in a meeting, that's a lot.
I have more questions for you, but first I want to ask everyone that's listening: please subscribe to our podcast, and if you are already subscribed and you've listened before, please write us a review. If you write a review and you send it to our Twitter handle, which is @WeHackPurple, we will send you stickers. I kid you not, we are not bribery here, like, perfectly legal bribery of sending stickers for review results. And so I'm gonna read one of the reviews at the end and thank the person. But just please subscribe and then immediately buy Kim's book and my book at the same time. Okay. I feel like, yeah, I have like... I don't know if you can see, but I have like a lot of books behind me now. It's like pretty awesome.

Okay, so I wanted to think of a super clever way to bring it up, but I was wondering if you could briefly tell people about DisInfoSec, because I thought that was a really cool thing you did this year.
Yeah, I started to see a lot of people in our industry run their own online cyber security events once the pandemic got serious in March, and there were a couple of events that I tried to attend and I couldn't, because they were closed to, like, the first 300 registrants or whatever. And I don't like starting things a lot of the time, but I thought, damn it, let me try to do something of my own. So it was a great honor to host DisInfoSec in July, and the reason why the event was for exclusively disabled people to speak about cyber security is because I knew that with all the other online cyber security events I needed something to differentiate. And so it was a great honor to have you speak. You speak everywhere, though, but it was a great honor. Your talk had the highest attendance and views of all the talks, quite honestly.

I had an annoyingly beeping fire... sorry, smoke detector, but that's been fixed. Okay, so I think there's going to be another DisInfoSec, I think July 2021?
Yeah. I mean, you don't have to have a medical diagnosis. If you self-identify as disabled and you have something to say about cyber security, I would recommend visiting disinfosec.tech. Sign up for the email list. Probably around April I'll start tweeting asking if people want to submit proposals. And I think next year I'm going to do a much better job than I did this year, because I learned so much. I had, like, zero experience using video conferencing software and stuff like that, but I learned from my mistakes, so inevitably 2021 should be a lot smoother than 2020. I realized that it wasn't smooth.

My part was good, like, you were great during my part. I'm going to spell out DisInfoSec for the people that are listening, because it is not a real word. So it's D-I-S, like "dis", as in disability, and then "infosec", so I-N-F-O-S-E-C, dot tech, so T-E-C-H.
And I really liked that you put on an event where every single talk was accessible, so you had to be able to describe what you were talking about, so if someone could not see, they could still understand your entire talk. And I really, really liked that. Accessibility and inclusion is a big value at my company, and so we have closed captioning on all of our training. And I remember one of my staff was saying, like, "You know, we're not going to have that many hearing-impaired people take our courses," and I was explaining, okay, so if someone... English is their second or third language, them being able to read the words in English has value. And also, even if we sell it to one person, that's a huge win for that person, who probably doesn't get this option from other training. And I'm like, accessibility matters so that we can include every single person.

Not... so if you already... if you are a deaf person and you want to learn application security, and there's no reason why a deaf person couldn't do great application security, you might not contact, you know, We Hack Purple and be like, "Hey, could you make your videos have closed captioning, please?" You would just give up and move on. Like, when it comes to people who use wheelchairs, for instance, if they can't enter your store by pushing a button to make the automatic door open, with a ramp already there, they're not going to get their walking friend to go into the store and be like, "Hey, can you open the door and get the ramp up so that my friend can move their wheelchair into the store and shop?" They'll just move on, and they'll keep moving on until they find a store that they, as a wheelchair user, can enter without having any friction.

But I feel like making things accessible from the start seems like a human right, do you know what I mean? Like, as a person who is dyslexic, when I went to school a lot of that did not make sense to me, and so when I was an adult and I wanted to learn French I had to go to a special school for dyslexic people, and it was awesome. I learned very quickly and it was great. But if those things aren't available, if accommodations aren't available, then we're not all on an even playing field, and that's just crap.
So yesterday I did... so We Hack Purple has a community online and we do stuff together, and so yesterday we were doing this GitHub Actions thing, and only one person showed up. So there's supposed to be seven or eight of us, but only one showed up, which is totally fine, and we're streaming and I'm showing him some stuff and we're talking. And I guess I do this thing naturally where I always just explain what's happening, and I said, "Oh, is the text big enough for you?" and he's like, "Oh..." I had no idea, and he's like, "Yeah, it's never come up before," but he's like, "I've always been able to just participate because you explained so well," and I was like, "Oh, that's so great, I'm so happy to hear that," and I'm like, "So you can't help me with if the text size is big enough for the recording we're making?" and he's like, "Ha, good luck." But it's like, when we do these small efforts, like, to me it's not a giant effort to do that, and I feel like it includes so many more people, and we don't even... like, I had no idea, and he's been coming to lots of events with us, and I was like, "Oh, okay," I was like, "Cool." And so then later I was like, "Do you see here?" and I was like, "Okay, let me explain," right? And just that small amount of sensitivity that we can add so everyone gets to be on the same playing field, and, as like, score.

And there's the curb-cut kind of effect sometimes. Disability accommodations also benefit non-disabled people. Like, curb cuts make it possible for people in wheelchairs to cross the street, for instance, because you don't want to drive your wheelchair over a harsh bump.

No, no.

But it also benefits abled people, because if you're rollerblading or you're pushing a baby stroller or whatever, you also benefit from that curb cut.

Yes.
One thing that I was thinking about is, like, not only am I autistic, I also am ADHD, and I can read hundreds of pages at a time if I'm hyper-focused, but a lot of the time, if I see a wall of text... this might benefit you, being dyslexic, as well.

Yeah.

If I see a wall of text, a lot of the times I'll be discouraged, like, "Oh, that looks tedious," and I would move on to reading something else that didn't look overwhelming and tedious. So I write breaking my writing down into lots of different paragraphs, so there's space between the paragraphs. The same amount of writing seems much less overwhelming to read when it's broken down into separate paragraphs. I've been writing articles with bullet points more often lately; you'll notice that most obviously on AT&T's blog.

Cool, and Phil and I both tried to do that, and Wiley as well, make the formatting so you never hit a wall of text. Same with my book.

Excellent, and that benefits dyslexics and it benefits people with ADHD, but it has the curb cut effect of, even if you're neurotypical, you might not want to read a tedious blog wall of text. You may want everything broken down into smaller, more manageable pieces.

Yes, yes, exactly, I agree so much. Also, someone named Deep Eddie says, "Hi, Kim, hi, Tanya." Hi, Eddie, thanks for coming. And Johnny says that he is stuck in tech support purgatory. I'm sorry, Johnny, I feel you, and I feel like Kim and I both feel you.
If you want to do what I do, start a blog on, like, Medium or WordPress or whatever. Write about what interests you, write about where you have knowledge, maybe also see what other people are writing to get a sense of what people want to read. And as I said, it might take three, four, five years vigilantly just sharing your writing on Twitter or wherever, and then as soon as you've got a few companies paying you for your work, after a few years of writing for nothing and having to continue your day job, then stop writing for free.

Yeah.

Because now people are paying you for your work, and writing for free just lowers your pay rate.

Yes, yes. Okay, so I feel like you can read my mind, Kim, because literally my next question was, could you please give us some actionable advice so that you could become a writer? That's like... I was like, she's actually answering the question that was in my brain. And I mean, a lot of our writing is free for people to read if they want to, like, without a paywall, but a company is paying you to do that writing.
Exactly. Now, the downside might be, like, for example, AT&T Cybersecurity's blog is not going to publish anything that's not in their corporate marketing interests.

And that's the same with, like, any tech company, their corporate blog, any company whatsoever.

Yeah, they want to draw people to their site and they have specific marketing objectives, so being paid for your writing means you don't necessarily just write whatever you feel like writing. You have to write what they want you to write; you've got to compromise. Yeah, but I enjoy the challenge. If I didn't have people giving me ideas about what to write, sometimes I would be a little overwhelmed, because when someone else is providing you some sort of structure, like, "This is what I want you to write," it's easier to be creative than if you're left completely to your own devices.

Yeah, looking at a blank page can be intimidating. Like, "I'm gonna write today."
So my last question is, if someone wants to know more about Kim Crawley, besides following you on Twitter, @kim_crawley, so C-R-A-W-L-E-Y on Twitter, where else could they find more information about you? I believe there's a link about you on the AT&T blog which I could share.

Yeah, and that is an archive of every single thing I've ever written for AT&T Cybersecurity's blog, and anything new that I write for them is going to be linked on that page as well. I do have, just like you, I have now an author page on Amazon, but that's just going to link to, like, whatever books are published under our names, obviously.
One of the reasons why I don't have, like, my own personal website is because I really wanted to use the kimcrawley.com domain, and I had registered it many, many years ago when I was much younger, and I lost control over it. Like, you stop renewing it and then someone else buys the domain, and they don't even use it, but they're, like, sitting on your domain now wanting you to pay them, like, fifty thousand dollars to get it back or whatever.

If you don't... wait a year or two, that usually goes away. So I used it on tanyajanka.com and .ca, because I was a professional musician, and then I let it go intentionally, and then someone was cybersquatting on it, and I was like, joke's on you, I don't give a crap. And so now it's, like, available for, like, 12 bucks, because no one's named Tanya Janca in the whole world except me, because my name is spelled quote-unquote incorrectly compared to the Polish spelling, and so no one has this weird, like, Anglo-Polish smashed-together name, and I'm just like, yeah, I don't need it. Now I have shehackspurple.ca.
I'm just like, you're very lucky, you're very lucky to have a unique name that at the same time people can spell and pronounce, because my boyfriend, his name is Jason Smith. Do you have any idea? There are probably literally, like, several thousand Jason Smiths in this country, if not, like, tens of thousands or more, maybe even hundreds of thousands of Jason Smiths in Canada alone.

Yeah.

Like, my boyfriend went to school with other Jason Smiths.

Oh my gosh.

And then his dad is Joe Smith.

If only he was John Smith, that would be even worse.

Oh my god. So there is no freaking way that my boyfriend is ever gonna have jasonsmith.com, or even jasonsmith.mt, .mt being the top-level domain for Malta, like, your name is that freaking common.

Oh wow, that must be annoying. See, he should come up with a hacker name like I did, which was not on purpose at all but worked out really well in the long run.

Well, as a black metal slash digital hardcore musician his name is Schizoid, or J Schizoid, so that's his hacker name.

Nice, I like it. No, but then you can have your own unique identity online.

And it's my... yeah.

I like it.
Well, Kim, thank you so much for being on the show. This has been awesome.

Thank you so much for being such a great host, and it was a great honor to be on your podcast. Thank you so much.

Okay, so we do a little wave and then we disappear, and then I tell everyone who's on next week.

Bye, thank you.

Bye, everyone. Okay, so thank you very much to everyone who came this week and streamed in. If you are listening to the We Hack Purple podcast, thank you. Please subscribe on YouTube or whatever podcast platform you download your podcast from. We would love for you to rate our podcast; we would love you to rate it so much that we actually go so far as to bribe people. So if you send us a picture of your podcast review that you wrote on iTunes and a mailing address to @WeHackPurple on Twitter, we will ship you off some stickers to say thank you. So I'm going to read you one right now: "Thank you for this podcast. It's really helpful with seeing who's in the industry and learning about what they do. The personalities are funny, and the advice about actionable steps, books to pick up, and community resources are gems." And that's by jyku3 from the United States. Thank you. I want to thank Kim so much for being on the podcast. I want to thank Ubiq Security for being our sponsor yet again; they were our first sponsor ever of the podcast and we really, really appreciate it. And I hope to talk to a lot of you next week, when we will be talking to Shira Shamban of Soul, which is an Israeli startup, and I really like startups, so you're going to hear lots and lots about Shira. Thank you again, and...

I gotta tune in.

Yeah, absolutely. Bye, everyone.