Episode 9 with Guest Katie Paxton-Fear

Katie Paxton-Fear

In this episode our host Tanya Janca (also known as SheHacksPurple) talks to our guest Katie Paxton-Fear to learn what it’s like to be a PhD student, bug hunter and educational YouTuber. Katie is a full-time PhD student, part-time educational YouTuber and occasional bug bounty hunter.

1:01:42 Shownotes


Welcome to the We Hack Purple podcast, where each week we talk to different people doing completely different types of jobs and having very amazing and interesting careers in the field of information security. This week we are hosting Katie Paxton-Fear, a PhD student, occasional bug bounty hunter and part-time educational YouTuber. This week is sponsored by ThreadFix, and I am your host Tanya Janca, also known as SheHacksPurple. And without further ado, let’s meet Katie. Hi Katie, how are you doing?

I’m good, how are you?

I am good. It is a lot earlier for me in the evening than it is for you.

I’m bringing that 5 p.m. energy into 2 a.m.

You’re amazing. Thank you so much for staying up so late to be on the show. Oh, and someone in the chat says “hi Katie”, so I guess someone’s really happy to see you. So could you please tell us your name and your handle and your job titles?

My name is Katie Paxton-Fear, that’s Paxton-Fear, not “taxed and ser”, which does happen. And my handle is InsiderPhD. Now that’s not “inside a PhD” but “insider” as in insider threat, and “PhD” as in the academic qualification, not PHP. I picked very, very difficult handles that kind of match my very difficult name, which is confusing, but in my YouTube tags I just change it so “P inside of PHP” will get caught too. And I am a PhD student full time, that’s my actual job.

Oh wait, wait, wait, when PhDs... don’t... one second Katie, it seems that the audience is having trouble hearing us. Can you hear us, audience? So someone just said “is there sound?” and I’m like, well, I hear sound, and I heard the sound; all of my stuff looks like there is sound. Okay, so it appears that we’re actually absolutely fine, so J A, please turn on your sound. Someone else can hear us, and we can hear each other. I’m so sorry Katie to interrupt you. Let me ask you again: please tell me about your multiple impressive job titles.

So my full-time job, my nine to five, is as a PhD student, and I do work from nine to five. People think students spend a lot of time asleep; I don’t, I do actually have a regular job. And then I’m also an occasional bug bounty hunter and a kind of part-time YouTuber. Now I am still waiting for the Nobel Prize committee to get back to me, because obviously I do deserve the Nobel Prize for “more hours in the day”, an invention I think is going to be beloved by everybody, and quite frankly the fact that it’s not... currently I don’t have a Nobel Prize yet is the most disappointing part of 2020.

Not acceptable.

It’s not acceptable, it’s ridiculous. But yeah, so I have quite a lot of jobs. I like to say that I spend quite a lot of time working, but it’s down to a T of organizational systems. But yeah, so I have a lot of jobs and I do a lot of things online. [Laughter]

And someone has commented “Nobel Prize obviously”, right. Could you describe each one of your jobs for us? Because a lot of people have never done a PhD, or been a bounty hunter, or an educational YouTube person.

Oh, I’ll start with bug bounty hunter. I’ll work my way down from most time to least time, sorry, least time to most time. So being a bug bounty hunter is basically being like, you know, you have your freelance web developers, you have your freelance software engineers, and you have your freelance security analysts, and being a bug bounty hunter is that. It’s finding bugs; in this case we don’t really mean software bugs, we mean software bugs with a security impact, and quite a lot of that is hacking companies legally, not illegally, hacking companies legally; they ask you to. That’s what being a bug bounty hunter is. It takes up the least amount of my time because it’s something which I kind of do for a little bit. I get some bounties, you do get paid for it, you get paid per vulnerability on severity. I do it for a little bit, then I kind of stop for a little bit, and I do it for a bit and I stop for a bit. It just depends on my interest level, so that takes up the least amount of time. Educational YouTuber:
I make videos on the internet, and I have to admit to people that I make YouTube videos when they ask me what I do for a living, because “YouTuber”, people seem to think I have some kind of gaming YouTube channel, and they don’t realize I make lectures online. And I’ve tricked all of my viewers into thinking they are entertaining videos when actually they’re lectures, and I’m tricking them into a university education. My videos are like lectures: I talk people through how to do bug bounty hunting, but it can apply to all kinds of web security, mobile security jobs, not just bounty hunting; it’s just got that particular focus. And I’ve got 18,000 subscribers, which is kind of crazy to me. I looked up how big of a venue I could have, and the venue that would fit all of my subscribers was a field, because you can’t get an indoor venue for that many people.

So it could be socially distanced, I suppose. Like if you had used a whole country, or a state or a province within a country, you could socially distance your 18,000 people.

Yeah. But yeah, if InsiderPhD Con 2022 ever gets off, we’re going to be sitting in a field somewhere.

That actually sounds... so yeah, it does, doesn’t it? Like hacking in a field, it’s like Electromagnetic Field, and that’d be called camping. Think about it. Of course, extension... how many extension cables you would need.

Oh god, I used to run hackathons when I was at university, and the problem of an extension lead becomes the most difficult thing on the planet, because you need so many of them and there are never enough, and you’re always getting people coming to you: “I need an extension”. Like, oh my god, just bring your own from home. But yeah, so that’s being a YouTuber: I make videos, they’re just lectures, eighteen thousand subscribers. And then, well, then I have my full-time job.

What topics are your YouTube videos about?

So I made videos on finding your first bug, so I’ve covered vulnerabilities, I’ve covered APIs, I’ve covered mobile, I’m covering authentication next month. My videos really range in topics because I want people to be able to go to my YouTube channel and kind of find... I like to think of myself as a university-level education without the university-level price tag, because I like to think that my videos offer that kind of style of education. Because it doesn’t suit everybody, not everyone can listen to a lecturer and absorb the information, but for those it does work for, I hope I’m giving people, especially those who, you know, maybe come from countries that aren’t as wealthy... and you know the OSCP is a lot of money that could easily be, for somebody in a non-Western country, an entire year’s salary, and that’s just not affordable for people. But something like my videos can give people that same, not necessarily the same level because you don’t get the certificate, but getting some of that knowledge for free, which is why I like doing them.

Cool, that’s awesome. So I have more questions, as you might have suspected. Also I’ve been flashing your YouTube link and your Twitter handle on the screen in case anyone needed to know how to follow Katie. Okay, so what is a day like in the life of doing your jobs?

Oh, okay, so I practice time blocking, which sounds a bit insane: I record every minute of my day. Not many people do this, so I could tell you down to the minute what I did. I won’t bother with that because that would be quite boring. But I usually wake up about, you know, nine o’clock-ish, and I write my thesis, and that’s currently what doing a PhD looks like. I’m in the last few months of my PhD, so I literally spend all day writing.

That’s amazing, to be right at the end, that’s amazing.

It’s the scariest thing. I was a bit worried that I wouldn’t be able to find a new job because of the pandemic, but thankfully I did actually manage to get a full-time lectureship at a university, and they cited my YouTube channel as one of the reasons they hired me.

Congratulations!

Thank you. But yeah, so I kind of write my thesis, I have lunch. When I was doing research it would literally be poke at my code until it does something interesting; research is quite a lot of just poking, sowing and seeing if it works. And then at five o’clock I switch over to YouTube: I’ll be making slides, I’ll be writing notes, I’ll be researching, like taking notes about what I want to talk about, what resources I want to share. And if it’s a YouTube day it’ll be recording; if it’s not, it’ll be... I’m just doing slides or editing, not particularly the most interesting part of making YouTube videos, but I’m sure, as you probably know from streaming this, there’s a lot that goes on behind the scenes of YouTube. Turns out you can’t just turn the camera on and then you’ve got a YouTube video. Yeah, that’s kind of what a day in my life looks like. I usually finish all of my work by about seven or eight, and I spend the rest of my evening not working, and that’s very important. I do not work all day; I have breaks and I stop, and I don’t do work from 8 p.m.

That’s smart, I should take lessons from you. Also someone in the chat says “way to go Katie #jobs”.

I’m very excited about my new job, excited and worried. You don’t usually get PhD students that go from PhD to lecturer; it’s the equivalent of assistant professor in the States. You usually have to go through a few postdocs, but they were so impressed with the enthusiasm I have for cyber security and my level of knowledge that they were like, yeah, well, we’ll give you a job that’s much more senior than what you’re doing at the moment. Don’t panic, don’t panic.

That’s a great job interview last sentence sort of thing: first day of, “don’t panic, you’re going to be fine”.

That’s pretty much what I’m telling myself.

So I’m supposed to tell everyone to buy my book, and I’m supposed to be really suave and charming, so if everyone could pretend that I was when I told them about Alice and Bob Learn Application Security.

What’s your book about, your new upcoming amazing book about information security that everyone should go ahead and buy?

See how she’s charming? It’s good, it’s a good pairing. My book is about how to create secure software, and it is about how to create a secure system development life cycle, what all the main concepts are with secure design and secure coding and security requirements, and how to secure more modern systems. And basically I don’t think that... so someone that wants to defend against a bug hunter that is very good like Katie would want to read my book.

Aha, see, like peanut butter and jelly.

Okay, so that was pretty good for me for trying to awkwardly bring up myself. My marketing person’s like, stop telling everyone that you’re doing it, it’ll get better. But anyway, thank you.

You’ve got to say where you can buy it. Where can you buy your book?

Oh, you can buy it on Amazon or the Wiley books page, and then I put a little link. But if you just look up Alice and Bob Learn Application Security, it will be the purple book. There’s not a lot of university-style textbooks that are purple and pink. Can you agree with me? I’m missing out here, right?

Yeah, I’m looking, they’re mostly blue. That’s because blue is the world’s favorite color.

It should be more colorful, more engaging.

I agree. Apparently if you ask people, on average 70 percent of people say blue is their favorite color, and apparently over 50 will say seven is their favorite number of one out of ten, and so that’s interesting.

My favorite color is purple.

Nice, that’s why all my branding is purple.

Mine too. Okay, so I have real questions though, now I’m gonna stop talking about my silly book. So someone in the chat is saying “an amazing book, everyone should have it on their bookshelves, I’m going to buy it, and I’m an influencer, you should trust my recommendation”.

She’s influencing me; buy two copies of your own book now.
Someone is commenting in the chat “lol Katie sells Tanya’s book better than Tanya does”. Yes. Okay, but back to you. Oh hi Rick, my friend Rick from Ottawa is on. Okay, so what types of personality traits does someone need to have to be good at your job? And you can say this for any of your jobs or all your jobs, this is totally up to you.

I’m gonna go for all of them. For being a PhD student, the main personality trait you need, surprisingly, is not to be smart, it’s not to be clever, it’s not to have a really big brain; it’s actually to be really determined, and to hit your head against a brick wall and expect a different result other than a concussion. Because doing a PhD, it is not a competition of who’s the fastest, it’s a marathon, and you know what, Usain Bolt would not be able to complete a marathon, he would not last that long. What you have to be is determined, dedicated; you have to want a PhD. So that’s the first thing. You don’t have to be smart to do a PhD; I proved that, I have no common sense.

Oh, that’s not true.

But I’ve got a lot of knowledge about insider threat now. I didn’t start that way. But yeah, then you’ve got doing YouTube, and the main personality trait you need to be doing YouTube is to be really open and to fake energy, because you have to have that on-persona, and I’m sure anybody who does a conference talk realizes this: that you kind of put on, not necessarily the best version of yourself, because it’s not really a fake version, it’s that over-hyped version, that really happy, that really excited. Like, under all of this I do not talk like this normally, but I do because it makes people more engaged. So if that’s really, to be a fraud is to be a YouTuber. To do bug bounty hunting you need determination. It’s hard, you end up hitting so many brick walls, you end up doing weeks of work for no bugs, and you’ve just got to be able to push through those difficult weeks to get to that sweet drug that is finding a vulnerability. I’ve never taken drugs, I don’t even drink alcohol; I am convinced that bug hunting is the best drug you can buy, and all you need is a computer and they’ll pay you for it.

And they’ll pay you for it, yeah. So how often do you make money in Vegas, right?

No, I made money in Vegas.

Oh my gosh Katie. Someone posted in the chat: “so doing a PhD is basically academic rugby”.

Yeah, it’s like academic marathon running. Academic marathon running is probably... you never do anything like it. Even if you want to go into academia, you’ll never do anything like a PhD. You’ll never write a massive book that nobody will read. Like, you’ve written a book.

Yeah.

People will probably read your book. After I have my viva, no one’s going to read my PhD, and you just don’t accept this in any other field, but doing a PhD it’s perfectly acceptable to write a massive book no one will ever read; it collects dust on some academic shelves.

Can you take parts of your PhD out and then publish them as articles and white papers eventually? Because people would read that.

Yeah, that’s how it gets done, but you still have to go through this entire process of writing a thesis. You write a book no one will read, only to later on take that book and rewrite sections of it to write papers. You could just go straight to the papers and avoid the book that collects dust, but only in academia world is that a normal thing that people do.

Proof that academia is behind the times.

Well, yes.

Oh, and someone’s commenting “you are so honest and real”. Thank you, that’s a very good comment, I agree. Okay, so, oh, if you are watching this and you are enjoying it, you should click the thumbs up button and then click the subscribe button and then immediately run over to K... but don’t leave here; open another tab and then go to Katie’s YouTube and then subscribe there. That’s what you should do.

Okay, good. Tanya did not tell them all and be like, don’t leave, don’t leave.

Okay, open it in a new tab and then pause my voice.

Because the first video you get is not very good.

Oh. So what types of technical skills does someone need to do your job, if any?

So I think when it comes to doing a PhD, I think people think you need quite a lot of technical skills. It’s gonna really depend on what your PhD is in. So my PhD is in machine learning and insider threat. I didn’t know anything about insider threat; I come from a data science background. I’ll be honest, before I started my PhD I wasn’t even interested in cyber security. I had a choice at university: do you want to do a cyber security course? And I said no, that’s too difficult, I’ll do my third web development course that I know I can ace by putting in a day’s worth of work, instead of doing the information security that seemed too hard, not for me, I’ll have the easy route. But I didn’t do it until I started my PhD. So for me the amount of technical skills I had was zero, and then I had to learn the machine learning. Now my colleague who also does a PhD, it’s kind of similar, it’s agent-based modeling for simulating hackers, but that’s her PhD so I won’t talk about that. But she had the knowledge of cyber security but not knowledge of agent-based modeling, so I learned information security, she learned agent-based modeling. You just learn it within the three years if you’re in the UK, or five or six you do in the States; you just learn the technical skills, no big deal. YouTube does have a lot to learn, and it’s not technical technical. I’ve written a dozen little demos for videos and coded them and obviously run the exploits. I’ve had to learn video editing, audio editing, how a camera works, I didn’t know that before. I have to keep reminding my viewers: I’m a PhD student in machine learning, I can make algorithms, make models, I can’t...

So watch out, don’t mess with Katie.

...fix the black screen at the end of my video. Sometimes, just sometimes it happens; I’m not a video editor. Yeah, you end up picking a lot of skills up for YouTube: marketing, analytics, branding, SEO, Jesus. Then on the other side, with bug bounty hunting, you don’t need any technical skills. I will tell the story of my first bug. Okay, I was invited to a hackathon live event by one of my friends, who said you should come to this event, it’s amazing, and I said no thank you, I don’t like hacking. And then they were like, there’s going to be a bunch of people from university there that you’ve not seen in like two years, and I was like, okay, fine, I’ll go see my friends, geez. So I ended up going there and participating in a mentorship program, and I even said to my... I’m a nerd, I have internet friends, I’ve talked to my internet friends and I was like, you know, I’m not really interested in this, I don’t really care that much, but it’ll be nice to see people again. No interest at all. So I ended up going. I’m a student, I’m a PhD student, I had an honest go at taking part. So I listened to the first presentation, it was how to use Burp Suite and how to use it to find vulnerabilities, and I started hacking and I found two bugs.

Wow.

My very first day, within three to five hours I’d found one bug, and I found another one like an hour later, in a real piece of software, in Uber, in one of the core applications that’s out right now. It’s not one of the ones they’re working on, it’s one that’s available, that I’m sure you’ve used before. I can’t say which one, but it’s the core application, one you’ve definitely used before if you’ve used one of Uber’s apps. And yeah, I found two bugs, and one of them was really cool. One of them was being able to change the amount that you could pay from being a positive number, so if you think about it kind of like an invoice, you’d invoice someone for like 10 quid; you could actually make it minus, so Uber would owe you money. Now you could also make it minus a million, and then they would owe you a lot of money.

So then you would get to just drive in cars everywhere all the time.

Yeah, you could get every single one for free. And it was also an IDOR, so not only could you change your own value, you could change somebody else’s value as well, so I could make you pay a thousand dollars and I get a thousand dollars back. Those are the two vulnerabilities.

Wow, that is good Katie, that is a good find.

And that was in my first day of hacking, and I thought from that, this is a fluke, because I didn’t know anything about hacking. I didn’t even... the thing I knew was kind of developer side, so I knew SQL injection bad, cross-site scripting bad, that’s about all I knew, like most developers. Developers don’t necessarily know how to write secure code, and if they do they should probably read your book, so they would learn more about it.

See, there you go, marketing will be very happy now.

So I didn’t know that much about finding bugs, finding vulnerabilities, or what vulnerabilities were out there. So then I went to Vegas and I found two more, and that was maybe my second time hacking, second and third. My first bug in that event I found in five minutes; I literally opened up the target I was hacking and immediately found a bug. And then I found even more. I found bugs in Verizon, the Department of Defense in the States, Uber, oh what else... oh, I can’t talk about the other ones because they’re still being triaged and fixed, but I found ones in other applications that you’ve heard of. But yeah, so that’s...

So awesome. I like technical skills. I’m putting links to some of Katie’s papers on the screen and in the chat, in case anyone wants to read some academic papers about understanding insider threat. [Music] Which is actually... insider threats are really cool. Do you want to tell the audience just briefly what insider threats are?

So when we think about threats to an organization, in terms of the big-picture view, we often think about hackers, you know, we’re thinking about people, hoods up, in the dark (I could turn off the light as well, there we go, there we go), in the dark, hacking away on a keyboard which lights up, and this is what a hacker looks like. Actually, some of the biggest security risks to organizations are not in fact me, or any malicious actor; it’s actually the organization’s own employees. You know, when a hacker has to do recon to understand the attack perimeter, and when they have to bypass security protections, when they have to find vulnerabilities, an insider knows the passwords, they know what assets are valuable and who they’re valuable to, which gives them a lot more knowledge. And the problem is it’s really hard to detect insider threats because they’re just regular people, they’re just regular employees. How do you know when your marketing department is about to go rogue? Like, well, they’re going to leave Photoshop-style ransom notes: “come here if you want your Creative Cloud license”. Right, they’re going to do things that they have really privileged access to, and they can kind of do it in the course of their own job, so it’s really hard. My work is all about, instead of looking to try and detect it, to take reports and try and understand those reports. So if you think about: an attack happens and you have 50 reports from 50 different people. You know, one person in marketing has gone rogue, and actually the IT department saw some kind of suspicious network activity; maybe one other person heard them making a ransom note in Photoshop and saw it; maybe their boss realized that the upcoming whatever book it was, they didn’t like the cover of it and were complaining about it a lot; they were late to work. These are all little indicators which get lost in these huge reports. So we use natural language processing, machine learning on text, to try and pull out all of the interesting details and kind of map it out visually. That’s all my PhD.

That is so cool. Speaking of marketing people going rogue, today someone was trying to hack the We Hack Purple Twitter, or not Twitter, Instagram account, and someone was trying to post a Monty Python sketch. And so I got this thing popping up on my phone saying “did you want to post this from your social media thing?”, and I was like, no, this looks awful. And so then I asked the other person in marketing, did you post this? And she said, no, I would not post that, that’s gross. And so I’m like, I think we have to change our password. So, very much marketing people going rogue. I love your explanation Katie, it’s really good. We have a question in the chat for you, so I’m just gonna put it up on the screen: were you invited to the first bug bounty, or are there places that post bounties? How does all of that work?

So the way bug bounty hunting works is kind of two streams: there’s the professional side and the unprofessional side, and I don’t mean professional as in someone’s full-time job, I mean it’s the kind of very corporate side of it. But I’ll explain them. Non-professional: there are bug bounty platforms which act as middlemen, which is really cool. So they’ll go find customers, and what they’ll provide for their customers is triage and support and how to use the platform, and what they’ll do is list all of these companies. They’ll show the scope, and then what you can do as a hacker is see a bunch of companies on one website, so like Etsy, Department of Defense, Uber, they’re all on different bug bounty platforms, and you don’t have to join one, you join many. And they’ll tell you exactly what the rules are, and they’ll say, okay, you do not hack this application because we don’t have, usually it’s the staff to handle it, we’re not interested in bugs in this application, if you do that we’ll ban you. And they’ll say here are the exact things you’re allowed to hack, here are the exact rules, here are the credentials, and they have it all in one place. And the bug bounty platforms can then pay you, they provide triage services, all that kind of thing is all managed by the bug bounty platform. So you sign up, you see a bunch of platforms, you decide which one to hack, and then you find a bug, report it, and then it goes back over to the bug bounty platform, who will triage it, who will speak to the customer and who will pay your bounty. So then you have the professional side, where you start to have things like live events. So what HackerOne and Bugcrowd do is they get all of their top hackers and put them in a room and then give them a target and say, okay, go hack things. So you have the people who make millions of dollars a year, who are these big, big, big bug bounty hunters, as well as people who make more like a hundred thousand pounds a year, which is still, by the way, a lot of money to people like me who are PhD students, who make a PhD student salary, which is not a lot, but it’s okay because we don’t pay tax, says the UK government. You don’t have to pay decent salaries if you don’t pay tax, you know, that’s what they tell you. But yeah, so you get people in a room, you tell them to hack one target, and that’s what I was invited to by one of my friends, and then that ended up with me going to... so I’ve been to the one in London, I’ve been to London before; I went to the one in Vegas, which was during DEF CON, never been to DEF CON before, and that was, my god, I’d never been to Vegas before, that was an experience; I’ve been to Vancouver, definitely one of the favorite places I’ve gone, I loved Vancouver a lot; and I’ve been to LA, and I hadn’t been to LA either. Cool. I’d been to the States once, and then in one year I went like three times, because during my trip to Vancouver, HackerOne flew me out to Seattle to talk at a conference, so I visited the States three times in 2019.
wow that’s uh that’s a long way from england oh god it was exhausting i’m not a big fan of flying um because the time difference really messes me up when i get there so that’s why i’m quite happy now that most events are virtual because i can do one a day staying up late but then several i’m just like oh my god i’m so tired i’m so tired i feel the same way there’s actually uh this book that helped me so when i start traveling all the time to speak at conferences it’s called your circadian code and it’s basically like don’t eat at this time do eat it this time and then it really helps with jet lag it’s it’s not like about losing weight it’s about like making sure that you you know it’s called breakfast it’s because we break our fast and so yeah if you fast for certain times you’ll end up so for instance tanya don’t get drunk on the plane just because you feel like it um instead you should not eat anything and then it’ll set it kind of like resets your your thing it’s interesting see that’s smart thinking that’s really clever yeah someone um someone else told me about that who did a lot of traveling and uh yeah she also told me always bring a belt if you’re gonna wear a dress because they never know where to put the the mic pack on you and then it’s awkward because the man just looks at you what am i going to hook this on to [Music] oh no we didn’t design this for the dresses in mind i know don’t know wider about the cyber security industry yes it does speaking in general so there’s a question in the chat is hacker one still doing internships do you happen to know i i have no idea but both hacker one and bug crowd have like open if you’re an excellent person and you want to join us then contact careers at um i don’t work for one of the bug any of the bug bounty platforms they just promote me a lot nice that’s a good place i wish i wish i got paid happy nights well maybe you should ask them ask them to sponsor some of your videos i’m already i’ve got sponsorships now 
it’s i’m very proud of it actually because i’ve finally been able to make investments into my channel i’ve got like a proper microphone didn’t have a microphone before now i have a microphone what kind of um i have one of the so i had i have a friend who’s an audio engineer and i was like fraser you gotta help me i have a youtube channel i have no idea what i’m doing i’m so lost people keep complaining about the audio dear god please help me i’m so confused i don’t understand this terminology and what he said was okay you buy this you buy this cable and then you buy this and now i have a audio technica 2020 microphone with a focus right solo scarlett i have wings i have i have a scarlett and a yeti oh yeti nice it was a gift i i don’t know if i want to move the camera but yeah i have like a a microphone i sound like i don’t know what i’m talking about i really don’t one of my friends just really helped me with all of this i have a person that helped me too and you better believe it i also appreciate it but speaking of sponsors i would like to thank our sponsor for this episode threadfix the best vulnerability management system in this part of the galaxy i told them i would say whatever they wanted and i have to say i like saying galaxy a lot and also that vulnerability management’s actually way more important than people give it credit for so thank you very much to our sponsor so i have more questions katie so now i just want to know way more stuff also someone commented that a hundred thousand dollars you can buy quite a bit of cheese and so one of the questions was we we talked about how we talk about cheese too much on this podcast but do your various jobs pay well because you briefly hinted at this like no taxes not bad but is it is it very did you just make tons and tons of money being a phd student no [Laughter] um so compared to the us uk salaries are quite a bit lower um and there’s some reasons for this and it’s some people will say oh it’s because the 
cost of living isn’t as high in uh isn’t as as high as they say to us amanda too and that’s not true yeah it’s not true they just don’t want to pay people um the average salary for a software engineer is about 30 grand um let me find that in us dollars for people because i’m pretty sure most people will be outraged by this also someone is asking what your favorite type of cheese is because we discuss cheese too much on this show lactose free cheese because i’m lactose intolerant and there’s only one brand you can buy okay and i don’t like vegan cheese but yeah you get paid on average about 40 000 in the uk that’s kind of an average like developer salary for like a mid-level developer so it puts in context um i can afford to buy my lactose-free cheese i probably couldn’t afford to start buying several lactose-free cheeses i get paid significantly less than that but you know i don’t really need a lot of money um i think a lot of people getting stuff like bounty hunting because they’re like i’m gonna be rich um and i’m not rich and i don’t want to be rich um i’m quite happy to live on what is essentially a median salary that lets me have a life i like i can afford to buy nice things occasionally i’m hoping next year to buy a house which is kind of exciting as someone who’s been renting for like almost 10 years um so i mean it’s not a lot of money it it’s a stipend right the average is quite low um but yeah it’s enough it’s enough and youtube like right now i’m actually in the process of moving my partner doesn’t have a job yet so quite a lot of things like youtube is helping me kind of bridge the gap while my current salary before i start kind of my big big big boy job where i actually get paid real salary um which is like ends up being double what i am at the moment um but youtube helps kind of be a stop gap in the next few months as we try and buy things like furniture and i can get a proper office set up because right now i’m in the spare bedroom think about how nice
it would be to not have christmas tree lights as these kind of decorations but instead to have proper fairy lights right or did you see on twitter someone they’re like they said uh they bought this this light that shined the galaxy onto their room and i have to say that it looked so cool that would be so much cooler so someone in the chat is asking are there people who make a living from bug bounty hunting those people aren’t me very important to note i make very little money from from bug hunting not because there’s not earning potential there but just because i don’t do it enough um i earn like this year i went about five grand from bug hunting which is in the grand scheme of things not really a lot there’s people who earn like over a hundred grand a year doing bug bounties and also have a job um wow so this is important to note that most people who do bug bounties also have a real job usually in the bug bounty industry so they do triage or they help manage programs they like use their expertise and there are people who just do it full time and i’m in awe of them because dear god i would get bored really quick i’m a bit i don’t think i could hunt for vulnerabilities all day um i’d get really bored i’m writing my thesis all day that’s already boring i can’t imagine what it’d be like to to turn a hobby into a job oh my gosh katie okay so what types of training does someone need to be good at your job or what types of work experience do they need and since one of your jobs is being a phd i mean i guess the training would be a master’s for that i don’t have a master’s degree i only have a bachelor’s degree because you can actually if you want to do this is pro tips here there’s a great book called how to get a phd which kind of goes over the pro tips of how to do a phd like life hacks phd um but you don’t need a master’s degree to do a phd in the uk and in other usually in the anglophone world in general you don’t need it in the states what you do need is a drive to
get a phd which means doing things like taking on research internships uh if you want it means you know doing a dissertation or a thesis for your undergraduate degree it means getting good grades so to do a phd you do need a minimum of a bachelor’s degree but you don’t need a master’s degree which is good because that’s quite a lot of money and a phd is paid for i don’t pay any money to a phd i get paid for it uh you have to pay for a master’s degree and it’s like a lot of money i’ve i’m already in like 60 grand of student loans um for my undergraduate degree so that is a really really really good tip katie um okay so then what types of training would someone need then to be a bounty hunter or to be an educational youtuber to be a bounty hunter what you need to do is watch my videos specifically my videos don’t watch other people only hers only mine and make sure your ad blocker is off because i’m sick of people watching my videos for free i’m just joking there’s a lot of very free resources my videos are one of them um there’s so many people coming up doing videos on bug bounty hunting i want to shout out farah who is a fellow uh woman in security we had her on the owasp devslop show this weekend she’s amazing she’s really good um she’s gonna overtake me in subscribers soon i’m i’m like betting on it well you should make a video together so that you both get a gazillion subscribers you know there’s the pro tips there that’s where marketing comes um but yeah there’s like uh i want to shout out some of the smaller youtubers as well hacksplained does amazing videos the xss rat does amazing videos and he’s like your best friend and he does such like really cool casual but informative videos there’s the big boys like stök um codingo is making really good videos on tooling like there’s so many people coming up now making amazing content on youtube so you really don’t need to take a course there’s so much free content available and obviously there’s also blog posts and
disclosures and so much more available and to be an educational youtuber you wanna make youtube videos just start just don’t don’t tell yourself i need to learn this i need to learn that i need to get an editor just make videos your first videos are going to be awful and you’re going to look at them and go that is the worst thing i’ve ever seen you upload it anyway and you go it’s their own fault for clicking on it it’s so bad they shouldn’t have bothered clicking on it quite frankly they wasted their own time and it’s none of my business and then you slowly get better and better and better and then in a year after you’ve made videos every single week you’ve made 52 videos you look back and you go i’ll remake that one now and then next year you think about how terrible that remake was and remake it again so so that’s how you do it that’s how you do it you just admit to yourself that my first videos will be awful and terrible but i’ll remake them in a year so it’ll be fine it’s really getting over that hump of like my content is awful that’s quite difficult to do on youtube it’s so it’s so true this is really good advice from katie because so many people i know they want to be so perfect that perfect is their enemy and then they never release anything and they’re like how do you have so many videos tanya i’m like low standards yeah and they get better and better and better and you learn from doing more and more right and you’ll never get great if you don’t start off at least as sort of crappy it doesn’t really matter and at the end of the day when you first start out you’ve got two subscribers there’s two people watching it doesn’t matter if your first video is bad no one’s watching it anyway and once you kind of let go of that feeling of my videos have to look like this youtuber who’s been making videos daily for like since they were 16 and go and take a step back and go my videos are terrible it’s fine it’s their own fault for watching it and that’s what i tell
myself whenever my videos do badly i’m like it’s their own fault for watching it if it’s a bad video oh my gosh you’re hilarious okay so i want to know what you like best about each of your three jobs what are your favorite things so i think doing a phd has honestly been life-changing for me um like actually life-changing like it’s completely changed the way i think about the world and think about my place in the world and i think a lot of people will say that about a phd but it’s i think people say and they’re like oh yeah it didn’t really though it absolutely did for me like i think about research in such a different way and especially when you start to look at how say an organization looks at academic research you can see hang on there’s a big gap here and academics aren’t reaching industry and that knowledge isn’t being shared and this is a huge problem it’s not like security because academia might be one step ahead in one part and then two steps behind in another and industry is struggling the same way and you kind of take a step back and you realize it’s kind of like your your brain expands that expanding brain meme where it’s like you know you do research and then you just realize once you do a phd kind of how all the threads of research come together um and that’s honestly been life-changing for me the like self-management the organization i’ve had to do has changed the way i work and the way i think about work and how i think about like doing things like setting strict boundaries how i think about deep work versus shallow work um how i think about what i can contribute to the world uh and with a phd you make a very small contribution but that’s a meaningful small contribution and that can mean a lot to people so a phd has changed my life um sorry to interrupt that’s amazing when i was 16 i had a tutor at um school and he was like katie you should do a phd and i was 16 this is a while ago and i was like no i don’t i want to go and be a developer and he said
no i really think you should do a phd um and it took me a while it took me throughout i think i got to my second year of my undergrad and i was like i want a phd i’m going to do everything in my power to gain a phd no matter what and i still keep in contact with him and i tell him everything that i’m doing and he’s really proud of me and it’s just sometimes with that like i’ve known him since i was 16 now and i bump into him at christmas when i go see my parents um but like being able to tell him hey i got a job in academia was just incredible and amazing and he’s so supportive of me that’s so wonderful i love i love that story and the outcome and gosh he is probably just like his heart explodes when he hears from you i bet i mean mentorship is so important not just in cyber security but in just any field having mentors is incredible and don’t forget your mentors like people who help you want to know you you succeed and i’m sure you’ll know if you want a mentor you should do cyber mentoring mondays i literally just put it on the screen by accident i put the at symbol instead of the number sign cyber mentoring monday every monday on twitter we pair people with mentors but yeah i definitely suggest even if your mentor ends up being somebody who doesn’t necessarily help you in the technical sense but is just there for you and supportive is just so amazing but yeah i i always i always give him an update and stuff like that and he’s really like proud of where i’ve where i’ve where i’m going um i sent him my youtube channel as like a very small update and i was like oh here’s everything i’ve been doing here’s my website and then he was like he replied back i would like a longer update please like please tell me more about what you’re doing oh that’s wonderful i like this so yeah sorry what was the original question [Laughter] it was what you it was um what you like the best about your jobs and i have to say i feel like i really love your answer but i have a more 
important question than that one and that is what are the actionable first steps that someone could take towards trying to work in your field okay so i’m gonna be very very quick and try and give them five for each one so if you want to do a phd step one is to get at least a bachelor’s degree you need a bachelor’s degree to start step two is to make sure a phd is right for you do some research experience get to know people in the field speak to phd students they’re often kind of stressed but they’ll spend time to speak to you and tell you what their job is like um i’m quite happy to speak to people and and tell people yes my job is very stressful but a phd has changed my life um if you can getting research internships is really useful and they’re often paid which is a plus and it gives you that experience of working with a supervisor the next step is to apply for a phd that interests you or work with a professor that you think is someone interesting and the fifth one is to actually start your phd that’s kind of the process it’s a lot like applying for a job okay bug bounty hunter five steps one is to subscribe to my youtube channel yes um number two same thing number three farah sorry stop i’ll stop interrupting so the first one is to learn how the web works like understand what a request is what are responses what parameters are the difference why you have certain architectures like client server uh what’s different between client-side and server-side code very basic stuff you don’t need to be a web developer it helps to be a web developer because you completely skip that step number two is to understand how burp works so burp is the tool that most people use there’s also owasp zap and it sits between your computer and the website and lets you interact with those responses and requests step three is to learn what vulnerabilities are out there that’s where my videos come in that’s where farah’s videos come in that’s where you tend to get quite a lot of content
here’s a vulnerability and then next one is where to find them so what are the signs what points you to certain vulnerabilities it’s getting that um intuition and number five is to practice practice practice practice practice on a real target don’t just do a ctf ctfs are very easy and they’re designed to be quite easy real targets have a ton of requests so many requests so many responses they have your ad servers your analytics they have so many different scopes that’s bug hunting youtube is decide what you want your content to be um whether that’s going to be like educational uh informative book kind of casual whatever the second one i recommend is getting some branding to start with having an idea of what you want your videos to look like are you gonna be in front of a camera are you gonna use your face a lot um are you gonna be like me and use more of an avatar that looks a lot like you and you get a lot of comments where people are like wow you look a lot like your avatar and i’m not sure whether or not to say thank you or are you sure um then it’s about um making videos accepting your videos are awful and making them anyway and then five is to push them out there you know use your twitter use um instagram use tiktok whatever it takes to get your content out there and those are my five five top tips for my three different jobs thank you for coming to my ted talk seriously that was the best answer i have ever gone to that to that question katie oh my gosh you’re amazing okay so i have one final question and then we will end the podcast and that means i go and i thank my sponsor so of course everyone needs to like and subscribe to our channel and like this video and then go to katie’s channel and just click like on every single video because you know you’re going to watch them but you can like them all now and then tell your friends to like them too icon yeah like subscribe hit the bell icon definitely um so the last question is where can people find you do you 
have a website or events coming up or links that you’d like to share so i’ve shared your youtube channel and i’ve shared your twitter it happens to be on the screen underneath your face right now where else could they find you um you can find me i have a website insiderphd.dev which just kind of combines all of the links in one so i don’t have to remember them um i primarily use twitter and youtube i have a discord server which is linked in all my videos if you want to be part of my community we have a really good supportive community of i’ve kicked out everybody i thought was being rude so that way i’ve only ended up with the good people and the people who are the nicest and most helpful um which helps a lot it’s quite a small community but it’s growing um you can find me on patreon i have a patreon um you can pay me five pounds a month to tell me i’m great and you like my content and you get a few perks and bonuses um and then 10 pounds gets you my notes if you want to see my beautiful handwriting um and terrible doodles so are all those links available at ph uh insiderphd.dev they’re all on there so that way i don’t have to remember them all uh but yeah i’m primarily on youtube um i make videos every single week yes that’s also stressful i recommend if you’re starting youtube perhaps not doing videos every single week perhaps starting with every two weeks a video every week is quite it’s quite awful to do um but a video gets out every week uh i’m currently speaking gonna be speaking at owasp santa barbara on halloween or halloween for me it’s not halloween in california but it’ll be really spooky because i’m going to be hacking something live cool oh my gosh that’s amazing and also well we all need to go bookmark insiderphd.dev for people that are listening that’s d-e-v like victor yes thank you so much also don’t hack my website yeah don’t don’t do that also don’t hack my website either if you don’t have permission to hack my website please leave it alone oh my gosh
there are so many people that they’re like i know what i’ll do and it’s like no please please don’t do that please don’t hack my website thank you i taught you this to use it for good not evil yes not against me exactly what am i teaching these skills for it’s like the part in star wars where um anakin goes after obi-wan it’s like what on earth i just i loved you like a brother i let you see my my links and my twitter and my youtube and then you treat me so bad it’s just a static html page but people still try and hack it i’m just like what are you trying to hack on there there’s nothing there yeah yeah my webpage does nothing except ask people very politely to buy my book that’s it and it also says you probably don’t want this page you probably want to go to wehackpurple.com because that’s where the good stuff is thank you so much katie for being on the show you have been so great it’s been such a pleasure talking to you i really appreciate you coming on yeah thank you very much um every single every single question has three answers my three different jobs but hopefully i i hope someone can listen to this and feel either inspired to start making content if they don’t already or perhaps realize that actually you don’t have to be smart to do a phd you just have to be really dedicated and i think if a phd is what you want you can go for it you don’t need to be really clever and if you keep telling yourself i’m not smart enough stop no one’s partner yeah stop saying ideas right our content is awful we’re all done no one seems to care yet someone actually commented in the chat that they’re a fourth year undergrad computer science and they are looking to get started in infosec so they’re gonna take a look at the cyber mentors next monday and that is a great way to start definitely yeah that is i mean i i try and retweet it every monday to my followers um thank you cool so thank you katie and i’m going to so you can wave goodbye before i put the amazing image on the screen
if you desire or you could not wave goodbye it’s up to you but i kind of am a fan of waving thank you for coming on the show well thank you very much for having me thank you everybody for listening to me ramble for an hour no you’re great you’re great so please do tell us about the sponsor for this video i will you have been watching the we hack purple podcast sponsored this week by threadfix and our guest this week was katie paxton fear also known as insider phd and i’m tanya janca your host thank you so much for watching i hope that you subscribe and i hope you come back next week every thursday at 6 p.m pacific standard time if you write a review for our podcast on apple itunes and you send us a screenshot on twitter at we hack purple and you send us a mailing address we will mail you stickers yes that’s right bribery from the we hack purple folks but while i have you the one last thing i want to tell you is who’s coming on in the next couple weeks so i hope that you will join us so the next week is dominic west and we’re going to talk about what it’s like to be a senior cloud security consultant the week after that stephanie black to talk about what it’s like to be to do sales basically in cyber what is it like to do that after that there’s going to be tyrone e wilson to talk about what it’s like to be a ceo of a security company and then the week after that we’re going to have kim crawley who’s going to talk about what it’s like to be basically a reporter and a writer within cyber security and what that looks like thank you again so much for tuning in we really really appreciate you having us and with that i am going to sign off and talk to you all next week