We Hack Purple Podcast Episode 13

Kim Crawley


In this episode our host Tanya Janca (also known as SheHacksPurple), talks to our guest Kim Crawley an independent cyber security writer and researcher to learn what it's like to write, find contracts, make a name for yourself, and more! We also talked about her conference, Disinfosec .
Kim Crawley can be found here: Twitter, her book the Penetration Tester's Blueprint , her conference she founded Disinfosec , and you can read many writing samples here

Sponsored by Ubiq Security!

Watch THIS episode on YouTube!

Transcript:
welcome to the we hack purple podcast where each week we interview a different member of the information security industry to talk about what it's like to do their job there are so many different possibilities for a career in information security and cyber security and we at wehack purple want you to know about all of them also tanya is a curious cat this week we have a fellow canadian app kim crawley who is a security researcher and writer and she just wrote a book and there is a lot of awesomeness happening with kim our sponsor this week is ubiq security and they do api security and we're going to learn a bit more about them in a bit but for now i want to welcome kim to the podcast and i'm going to click the button where we reveal her wait no i clicked it too many times and i hit you i'm sorry there we go okay so here is kim and me we're both here awesome yay thank you for coming on the show kim i really thank you for inviting me yes thank you um i definitely appreciate having you here i am adding like a little logo to the top corner and i'm adding it in the wrong place i'm learning about adding stuff on the screen so thank you so much for coming and will you tell us what your job title is and it's okay if you don't have an official title but you know what i mean and just tell us a little bit about what you do my job relative to other jobs in our industry is very weird because seldom do i ever engage in security practitioner work although these days is starting to look like a bit of an exception we can get into that later but my job is to write about stories often about cyber attacks um often about you know timeless matters like how to configure a firewall and static issues like that that aren't like necessarily timely but more relevant in the long term and uh i have worked for so many big tech corporate blogs uh blackberry silence uh sofo snaked security venify's blog i've worked for them in the past i've contributed content to a t cyber securities blog for the past several years that's one ongoing gig that i still have and uh i think i'm like writing content for like several different companies now and i can hardly keep track of them all to be quite honest with you but so yeah so it's a weird job no but it there are so many rare jobs in infosec and that kind of means there's a place for most people if that makes sense yeah so a thing that i'll oh vicky says hi to both of us vicki gateway hi vicky thank you for coming um so i want to ask a whole bunch of questions because i want to know what it is like to do your job and when i say job i mean kind of like about your career because there are other people who are writers or journalists or researchers that enjoy writing and enjoy basically like researching the crap out of something and then putting it into like an amazing format so others can you know absorb all of that information what is a day like in the life of an independent security researcher and writer it is very unpredictable i mean to be able to do it for a living because most people who do what i do and they write content for corporate blogs and stuff like that they have a day job as some sort of security practitioner like they're a malware researcher or something like that this is my day job so it's very hectic i used to work for like the same few companies long term for a few years and then the pandemic kind of shook things up so my job basically is i have a certain reputation sometimes i get work based on my reputation now but it's a lot of like just checking my inbox seeing the five editors emailing me saying hey can we want you to write about this that and the other sometimes it's i have to remind myself to email an editor who hasn't emailed me for a few weeks and say hey i can write something for you i've got this great idea please say yes to it i like money please pay me so uh i you know i i didn't really choose self-employment i think self-employment chose me i'm not anywhere near as adventurous or risk-taking as you are like you started your own company you took on a lot of risk to fulfill your dreams and to have independence in your career if it were completely up to me i would be an employee i would be an employee who knew which hours they worked knew that they were going to be paid x amount of money every two weeks etc etc but life didn't work out that way for me in a sense there's a kind of strength in the precariousness or the unpredictable predictability of my work because if a company lays me off that's not my entire income or career yeah so there's flexibility and not having all of your eggs in one basket for sure but yeah the instability can be a little stressful at times to be completely honest but i've kept this going like just doing this as a career for several years now so i think i've i've found my groove awesome so what i heard from all of this is that companies need to snap up kim immediately thank you no like for real she's a really good writer that's why i'm not like i'm going to invite someone that's crappy at their job on i invite people that are awesome so like yeah okay so this is good so i'm going to keep this in mind because watch it people are going to be like oh i heard kim was um this is good and this brings me to a question that is totally unrelated but i just really want to tell everyone is kim has a book and i just heard one and it's not in the me i was really hoping it would arrive so that i could show it to you and i'm like kind of sad but i know it's on the way i am going to be ordering your book but to be completely honest with you i really prefer e-books i prefer e-books because my favorite place to read when it's not related to an article that i'm researching or something like that is to lay in bed in the dark after 9 00 pm and so my smartphone the screen glows and i can just fall asleep and my phone slips under my pillow afterward oh i like that idea so i have this like massive set of bookcases but really an ebook is much more likely to be read by me they're all in physical yeah i respect that absolutely most of my books are actually audio books because i like to garden and also listen to sci-fi at the same time but i bought a physical copy of your book because i feature books in a lot of my videos and i was like well obviously i have to feature her book so i'm gonna have to sit my butt down and then read it which is hard for me so i hope you understand like that's my dedication level i'm really honored and i'm looking i'm looking forward to reading your book i was really impressed by what the art department did with your cover quite honestly that is a beautiful cover i'm just gonna show it because i can't help myself it's beautiful so pretty so they're like what do you want on the front i'm like i want alice and bob and i've decided alice is an indian woman because there's so much tech coming out of india and i'm like and i want bob to be like this middle-aged white dude i kind of wanted him to be chubby but sometimes you have to take what you can get and then like and obviously it must be purple but i really like pink so can we work that in there and they're like this and i was like like we went back and forth so many times and finally they're just like it's this one i'm like yes like wiley is such a big publisher when it comes to the kind of stuff that we write their art department is amazing like i was impressed by what they did with our book too yes what if we talked about your book because i'm putting it on the screen underneath you for people that are watching a link to kim's book that is a co-production with philip wiley so the book is titled the pentester blueprint the reason why it's titled the pentester blueprint is because it's based on phil wiley's series of pentester blueprint talks which he has given at so many different cybersecurity events and the curriculum of the pentastic blueprint is basically what's the hacker mindset what is were the correct steps to take in order to be successful as a penetration tester and phil is one of the best pen testers in our industry like bar none and he got the deal with wiley to write the book and then he found that he was so busy with his pawn school with his day job as a red teamer he now has a different day job as a red teamer for point three and then he's got he's got a wife you know he's got family and he found that he didn't have the time with all his other professional responsibilities to finish the book according to wiley's schedule so he approached me on the blue in april april of this year and he said kim would you like to to co-write my book and and and finish it help me finish my book and i was i was honored i was so honored i was like yeah in a heartbeat like i didn't hesitate to say yes so a few days later i was sent a revised contract and i signed it and they said kim you and phil have until november to finish the draft and i said forget about november i can i can finish this up by july oh my god i did so phil had written half of the manuscript at that point um all scattered across all the various chapters and he gave me the book plan and everything that he had written thus far and i had several meetings with him over zoom to make sure that you know because obviously even though we're both co-authors this is based on his vision and so after chatting with him a little bit and looking at his plan and looking at all the great content he had written so far i just finished it and there were a few chapters especially towards the end of the book where i wrote 90 of the chapter and it took me a while to think about how am i gonna fulfill that chapter like the one on the skills inventory for instance i had to think about that one for a while but i did it and i promised them i could do it way ahead of schedule and i did so i was actually telling someone i'm like phillip is genius bites are super super super smart talented person who's a kick-ass writer to help him finish the book i'm like maybe my book wouldn't have been like half a year late if i had had kim on my team and i was like phil's brilliant that was a smart move but but you know what you tanya you are super productive i could not keep up with your schedule honestly i would be terrified to start my own business for instance and you're doing great and uh it's i've been telling people that it's much easier for me to finish a book because when writing is 90 or 100 of your work it's much easier to write if you are designing application security courses or running a security operation center or whatever it's a lot more difficult to finish a book do you do you love so like the thing i liked the best about writing a book was where you do the deep work and you just get into it and you write for hours yeah there there was one chapter that i wrote 90 percent of it and i did it just like all in one day because it was just like a spark of inspiration oh my god and that was chapter 2 i believe which um is basically prerequisites what you should understand before you start your pancetta journey and i figured the best thing for this chapter would be to go over all the fundamentals of cyber security 101 so i had it was like about 10 a.m and i had already had two of these and she's tracking she's showing a rock star energy drink folks because there's an audio only version too and by the way in the show notes we're sharing links to everything we talk about her book you can get it there sorry so i cracked open another one and i sat down at my word processor and i just i let everything out of my brain that i believed uh constituted a foundational understanding of cyber security in general including like the cia triad the different types of malware the different types of security controls the different types of uh of access systems like role based etc etc and i figured get this all out now and then we can fact check afterward before we send this to the editor that's right and i there wasn't much that i had to change in the fact-check checking process and then i just submitted it some of those other chapters were 90 percent written by phil okay so we very much go back and forth okay so that's amazing that you didn't have to do that much editing because i found two thirds maybe even three quarters of the time that i spent on the book was technical edits my technical editors really were very strict with me which is good because i i need that um and they made me make a million references like i'm used to just writing a blog where i'm like this is the way and they're like you can't just say that tanya you have to prove it with like other people's references i was like darn it um so for everyone that is listening on the line i'm really sorry about the latency issues because i am not having any latency issues uh on our side and so that means it's the live stream and i'm really sorry the recording will sound fantastic because it's local to my computer so kim you look fantastic and sound fantastic but i'm really sorry to those that are tuning in live but i would like to ask that you'll click the thumbs up button anyway okay kim i have way more questions for you though i just i really wanted to talk about your book and how every single person ever should buy kim's book and then they should buy my book and then maybe they should get a second copy of kim's book but after you're done doing that remember like a couple of weeks ago i tweeted if someone wants to become an application pentester which is one of the most high demand types of pen testing they should definitely buy your book and buy our book at the same time because the two are complementary and that would be all the application pen testing 101 to start you on your way oh yeah oh my gosh definitely that would be yeah those would be really good complimentary and i am actually indeed planning to read your book and may or may not get into trouble as a result so i i want i wanted to ask you about like what types of what types of personality traits you think someone needs to be good at rating and good at because you have to do a lot more than writing in your job you have to chase contracts and get contracts and then you have to do a certain amount of promotion and all these other things and like you basically have to manage your own reputation as a writer and that takes a lot of effort like people might not realize it so what types of personality traits are maybe like aptitudes i don't know what the word is i was kind of like an aerodyne know-it-all when i was like six years old wow um i i'm just fascinated by knowledge and i was i was a very early reader i was very uh my curiosity was insatiable i would constantly be asking my dad questions why is the sky blue why why are i think i i think when i was five years old i asked my dad once why why are we older women so insecure about their age i like asked about it's a civilian freaking questions and obviously like obviously you have a lot of those same traits like an insatiable urge to fill your brain with knowledge so that helps a lot um i on one hand i'm confident that i'm good at what i do on the other hand i know that i have this as a career because i totally suck at most other things i couldn't like last at mcdonald's i managed to do tech support for a while before i got into cyber security full time but tech support is hard as hell not technically really but the demands of having to close like 30 plus tickets a day and deal with customers who are unreasonable and stuff like that um there are so many different jobs that i would totally suck at even within our own industry and i have found the job that i actually have natural talent for so i feel that kim is underselling herself a bit but i actually know that feeling like when you're saying i don't think i would cut it at tech support or mcdonald's i don't i actually did tech support briefly for like six weeks and it was at night and i did not cut it i was just like i can't handle this like someone's being rude and i can't be polite to them or they're at like one guy was like playboy.com is down i'm like i don't that's not my fault like i don't know what to tell you dude like try again later like is the rest of your internet working he's like i don't want to go the rest of the internet i was doing remote support like around 2008 2009 so a lot of people had ie6 and it would be like i'd open their web browser and it would literally without exaggeration be three quarters toolbars and they'd be like why am i getting mal why no that a lot of end users don't know the word malware why am i getting viruses all the time right and well you have three different versions of the ask jeeves toolbar you have weatherbug weatherbug has always been malware oh wow you keep uh you keep you get pop-ups that say you won this contest and you click on them you're like no no now that you're speaking about technical stuff what types of technical skills do you think someone needs to be a security researcher or security writer um i think cyber security is a certain way of thinking you have to think there's this technology how can people use it to do bad things but also how can there be mistakes with this technology that aren't necessarily malicious like bugs for instance and so if you always think about how can people do bad or how can this go wrong it's a way of thinking so you you can learn the technical knowledge but the mindset cannot be taught i hear you for sure so if you only need a certain level of technical skills what type of training would someone need to be good at your job because they have to be a really good writer and good at explaining like really complex abstract concepts my dad was a novelist he's not around anymore but i think i mean this is not something that a person can make a conscious decision about but i was raised by a professional writer um it was it always seemed like a very normal thing to me to to write and get paid for it so my dad was giving me lectures about what do editors want what do publishers want when i was like four years old i am not even joking so i had kind of an unfair advantage there but my dad kind of tainted my thinking about writing too because my dad taught me that the only valuable writing is the writing that you can get a publisher to publish and pay you for um and so i do have writing that will deliberately never get published like i keep a whole lot of embarrassing poetry in google keep but i feel so guilty about it i feel so guilty about any writing that doesn't translate into a paycheck because that was my dad's attitude oh wow and so on an intellectual level i believe that writing has value whether or not it's commercial or you get paid for it but emotionally i can't feel that like i hear people talk about self-publishing books for instance yeah and i try not to be rude like my dad would be but i think you're self-publishing like you can't even get a commercial publisher to publish this you're going to pay to get this published who pays to have their own writing published that's the thought process i have and then i but i know that that's rude and that's not a good way to think and i try to buy my top did you have so i had many many people suggest that i self-publish my book instead of going with wiley and i was like but they're awesome at publishing books and i know zero about publishing books and so i wanna have experts behind me and like project managing me and like hurting me like the cat i am do you know what i mean like did people suggest that to you too uh no um phil was considering self-publishing the pencester blueprint um if he couldn't deliver a full manuscript by the time while he wanted it but then he changed his mind he decided to finish it by co-authoring with me i think i mean self-publishing is an expense it's an expense that you take on yourself if you're willing to spend a couple of thousand dollars with the knowledge that you might never see that money back if that's a risk that you want to take to get your writing out there it's a it's a lot easier to self-publish these days because amazon will sub we'll sell or at least distribute self-published ebooks and the like um but you are taking on a risk whereas our publisher took on that financial risk and our publisher has a massive distribution network gets our books into like barnes and noble and indigo and gets a placement in amazon's website not like our books probably place a little bit higher than if we had self-published it and tried to distribute on amazon for sure for sure so someone is asking where is the podcast oh our all sorry someone's asking in the chat where is the podcast and i am assuming that they mean this podcast so this audi this podcast is available audio only version off of all the major um podcast platform so like apple itunes um the new amazon one podcast addict like all of those places you should be able to get it sorry to interrupt you kim i was just no it's okay no but i was like kim didn't say anything about podcasts i'm so confused because i was like i just get like so enthralled in the conversation and i was like oh i should probably actually answer that i i love podcasts i i use podcast addict i have like about 40 different podcasts i subscribe to and i recently added the wehack purple podcast to that list thank you but i only subscribed to about five cybersecurity related podcasts the other like 35-40 podcasts i've subscribed to have nothing to do with our area of study whatsoever because a lot of the time when i'm not working i just don't want to think about work and thinking about anything cyber security related makes me feel like i'm i'm on the job right now it's work mode time i agree i agree so much yeah we need breaks including brain breaks i have more questions for you though but first i want to thank our sponsor ubik security encryption made simple for developers they have a free tier starter available for all developers on the internet and you can use it to encrypt your apis and much more if you sign up today it's free and you also get free stickers of spikey who's like their super cute mascotti guy so i'm going to share the link in the chat but it's just dashboard.ubicsecurity.com so ubik is ub i and so i'm going to share that in the chat but going back to how could someone become a cyber security researcher and writer what type of work experience would they need or like type of learning path maybe so like let's say someone's like i want kim's job not like your actual job but i want to i want to be like ken how are you yeah i would recommend like dust tech support is really really hard but unfortunately or fortunately it's one of the easiest types of jobs to get if you just have some very basic i.t certifications like a comptia a plus whatnot so everyone's path is different my path was about 13 years ago i had a cop cia plus and then i got like a network plus and a security plus i got my first tech support job based on my a plus uh i started to realize that out of the 30 tickets i would close in a day 20 of them would be malware related and i was like removing malware all the time on other people's windows machines and then like occasionally there would be malware that was destructive enough that it would mess up all the lnk files on the windows desktop i'd have to like write new windows registry keys sometimes that was a great way to at least get my foot in the door and it made me interested in cyber security just because i could see constantly frequently every day what malware could do and there's a lot of different ways that a computer can be cyber attacked not just by malware infection but it made me catch the bug basically like the cyber security bug um there were several years that i would just write posts like on medium for instance about cyber security and i would just tweet about them and it took me i would say four or five years until i got to a point where i could make a living doing this stuff it wasn't it's good to just get out there i would recommend that people just start writing on a platform that is free like medium or wordpress or sub stack or whatever get active on twitter because not only is the tech community most active on twitter but also the writing community and it might take several years but just like tweet tweet tweet tweet what you've been writing about get people's attention and then eventually what might happen is what happened to me and like tripwire state of security and jobety he was the first guy who who gave me a real chance nice but once i was on a corporate blog i got a lot more efforts to write for different corporate blogs and it just all kind of snowballed from there that's awesome i have done work with joe petit too actually that dude's great hi joe hi joe thanks for uh giving me a big break right that's awesome so the next question i have is a sensitive question does your line of work pay really well that varies greatly i'm at a point i'm going to be completely honest about my pay because i want writers and prospective writers to know so that they can insist that they're paid decently good that's why companies don't like employees to talk about their salaries and whatnot because they don't want them to gang together and try and insist on higher pay if one of your colleagues is making more money yes only the company wins when we don't communicate so i get paid anywhere between in canadian dollars i'm usually paid in u.s dollars but me too um me too yeah but by the time it hits my bank account it becomes canadian dollars it's anywhere from four hundred to six hundred dollars per thousand words a thousand words is on average like two pages full of text in your word processor cool that's that's awesome it's it's hard to know how much people get paid for things because someone was asking me to write a blog for them and i was like okay and they're like we'll pay you how much do you want i was like i have no idea so i should have asked you i would say to up-and-coming writers um if it's if the company wants you to write for them don't work for free um you might have companies saying oh but i can give you great exposure yeah but the more people who do what we do for the exposure bugs which you can't pay your rent with it drives down how much all of us get paid so i would say even if it's a small company asking you to write for them demand at least like 300 like 30 cents a word like 300 bucks per thousand words don't accept anything less than that because i can get like 60 70 sometimes 80 cents per word sometimes so that's good to know because like the same thing goes with all sorts of different types of work so when i was a musician i would be paid to perform music and then there would be these newbies that are like 19 years old and they're like i'll just do it for free and i was like then a bar will book you instead of me even though like your music sucks and you're not actually skilled yet because you haven't been doing this for very much time i'm just like ah yes i actually um this year had a conference organizer pressure me to give free training so that i could get exposure and you know what i did kim i showed him i'm like oh i don't know if you know but i'm an industry influencer and i and then i actually showed him stats i'm like i'm actually 10 000 or i'm 10 times more famous than your conference so you have exposure from me and i was like and i don't work for free and trying to pressure me to work for free so then he's like i'm going to remove you from our roster and i was like did you want to meet my lawyer yeah yeah and then suddenly i was on the roster and everything was fine that is good but like there are all sorts of people that get bullied all the time like to do like well if you just write this thing for us for free kim blah blah blah we'll promise you the moon later right no no like if someone is giving why buy the cow if you get the milk for free yes yes so speaking of which because i feel like this perfectly goes into the next question which is are there a lot of opportunities to do the type of work that you do in our industry to be quite honest with you there are fewer now than there were this time last year when the pandemic hit a lot of tech companies were like our marketing budget for our corporate blog is an unnecessary extra expense and either they got rid of their blog altogether like blackberry and silence or they decided the people who are working for us as malware researchers or whatever they're gonna they're they're gonna write all of our content and we don't pay them anything extra to do it because we already paid them a salary or whatever yeah so i have had to get really creative with my career i still write for att cybersecurity's blog and i've got like an absolutely wonderful editor there uh kate brew so shout out to her oh i know at security brew on twitter i'm just sharing uh the link to your blog right now underneath you on the screen i've i'm doing a lot of work for a lot of smaller companies like sanayu for instance um i was talking about how i've started to get closer to doing some stuff as vaguely practitioner work i got this interesting gig out of the blue a week and a half ago i was emailed saying kim we want you to do malware research well not really malware research it's more antivirus research like a malware researcher will look at malware samples and try to understand how it behaves i'm not testing malware like that i am testing the antivirus software oh cool cool so i have a windows 10 virtual machine because you don't infect other people's computers that's illegal so i have a windows 10 virtual machine it's sandboxes the malware that i execute in it i i'm trying all kinds of different antivirus software i tested norton a few days ago i'm on to testing total av and i will see with the same sample of 997 malicious items using the same sample for each antivirus application so i look at how much of that malware did the antivirus software detect based on its latest signatures and this isn't like writing for the general public so if it feels like new territory to me and i feel like i'm doing more like the people i used to write about what they used to do so it's kind of it's kind of weird and interesting but it is a job that people work for a v test do that full-time so but that that's really cool and we need someone that can write that up in a way where one like they actually understand the results but two where you can actually communicate the results because sometimes people are brilliant technical at this or that but they're not so great at communicating and so you have that magic where you can kind of speak both languages and i'm allowed to tell you the specific details that i'm telling you which is i am doing financial security research for one of canada's major banks according to the nda i may not name which bank but i can say it is one of canada's major banks we only have five yeah it's one of the five so that so basically this is what i'm allowed to say i am writing reports based on what i think are the most pertinent cyber threats specific to that bank oh wow so that that's an interesting new gig so it's very difficult it's it's it's a different kind of work because the reports i would be writing would be internal and classified to only be read by employees of the bank and corporate executives of the bank so it's not publicly available writing like i'm used to doing and like from late 2016 to early 2020 90 of my work was publicly accessible for corporate tech blogs and no paywalls and now my career is starting to look very different because i've had to be adaptive because of the way uh our industry has changed this year i i have actually found the exact same thing so now that because we were talking before we went on about what it's like to be independent and then you end up doing all sorts of work where like maybe you didn't even realize that was work so i actually do like private talks all the time now and i you see me speak at conferences but i do like private events a bunch of times per week and turns out that pays really well and you can have like a very intimate conversation where it's you can be a lot more open with what you're saying and so like if you're giving this report inside of a bank like you can be very very clear about exactly what they are facing and very specific in a way that you never could if it was going to be public so how does that feel like being able to be like brutally honest i they the bank asked we want your ideas for four reports for the 2021 year and i pitched them my four ideas which i could not explain what those ideas are and they're like we love that that's exactly what we want so it's looking good so far that is awesome so that brings me to another question which is what do you like best about the type of work that you do um there's in some ways my job is easier than being a security practitioner in the sense of if you're a network administrator or if your job is to develop security patches for applications or stuff like that you make a mistake it directly affects businesses and people's lives i get to play with ideas about you know the theory of cyber security uh without having to worry that if i'm not doing my best in the security operations center that day we could be taken over by a major data breach or whatever so but in the other sense in some ways it's more difficult because i think a lot of i mean there are so many different areas of security practice i mean red team blue team purple team a lot of different teams but in other sense it might be more difficult because a lot of the things that you could be doing in your everyday life as a security practitioner could be habit and routine whereas i do i have to explain everything i can't have an idea without explaining it and then and then there's the unpredictability as i explained from like not being an employee so yes i have to say that not being an employee is equally uh we had we had someone on the podcast last week tyrone e wilson and so he said it better than anyone else ever when he said it's terrifyingly motivating he was he was really good okay so i went upside down websites yeah when i i only work as long as i have to work in order to produce the work that people want to pay me to do if you work in an office chances are you're spending a lot of hours looking busy but with nothing actually productive to do but you could be spending those hours of your life doing better things than sitting in the cubicle wasting your time but you have to be there because you have to be in the office for low specific hours oh my gosh that is a huge bonus i just like go on a walk sometimes i'm like oh my brain's not working i don't think i can work right now and i'm like i'm gonna go exercise or quite often i just go into my garden and like play with my plants and stuff isn't it great that when you're working you're actually working so when you don't have work to do you can just engage in leisure uh relax at home because you're working from home yeah i feel like with my work i am 100 present and that is nice to not just like because when i had programs sometimes i would just lose time if that makes sense and or like oh those big employee meetings where they would just say so many things to you and you're like no one cares when will this all staff be over and you're just like yeah meetings are annoying but quite frankly all the zoom meetings can be kind of annoying too i have had so many zoom meetings since the pandemic started oh yeah and oh honestly a lot of the time i would love to say to a client this could have been explained in an email oh my gosh yes yes yes well you can tell me what you want me to write for you in an email yeah yeah yes a thing that they did at microsoft that i really liked is they would go through the agenda and they would say does anyone else have anything else to add and if no one did they would go great gonna give you back seven minutes everyone have a good day and they just end the meeting and in the canadian government where i'd worked before it's like oh the meeting goes till this time it's like someone was like i'll just waste time until then i'm like no i can get a lot done in seven minutes like i could walk down to the cafe and get a nice cappuccino come back to my desk and get a little bit exercise and also have delicious delicious caffeine like i'm like why are you messing with me there's so much stuff we could get done the seven minutes and seven minutes times like 10 people in a meeting that's a lot i i have more questions for you but first i want to ask everyone that's listening please subscribe to our podcast and if you are already subscribed and you've listened before please write us a review if you write a review and you send it to our twitter handle which is at we hack purple we will send you stickers i kid you not we are not bribery here like uh like perfectly legal bribery um of sending stickers for review results and so i'm gonna read one of the reviews at the end and thank the person but just please subscribe and then immediately buy kim's book and my book at the same time okay uh i feel like yeah i have like a i don't know if you can see but i have like a lot of books behind me now it's like pretty awesome okay so i want i i wanted to like think of a super clever way to bring it up but i was wondering if you could briefly tell people about dis infosec because i thought that was a really cool thing you did this year yeah i started to see a lot of people in our industry run their own online cyber security events when the pen once the pandemic got serious in in march and i there were a couple of events that i tried to attend and i couldn't because they were close to like the first 300 registrants or whatever and i don't like starting things a lot of the time but i thought damn it i let me try to do something my own uh so it was a great honor to host this infosec in july and the reason why the reason why the the event was for exclusively disabled people to speak about cyber security is because i knew that with all the other online cyber security events i needed something to differentiate and so it it was a great honor to have you speak you speak everywhere though but it was a great honor you you your talk had the highest attendance and views of all the talks quite honestly i had like an annoyingly beeping fire sorry like smoke detector but that's been fixed okay so i think there's going to be another disinfosec i think uh july 2021 so yeah i mean you don't have to have a medical diagnosis if you self-identify as disabled and you have something to say about cyber security um i would recommend visiting this infosec dot tech sign up for the email list probably around april i'll start tweeting asking if people want to submit proposals and i think next year i'm going to do a much better job than i did this year because i learned so much i had like zero experience yeah uh using video conferencing software and stuff like that but i learned i learned from my mistakes so inevitably 2021 should be a lot smoother than 20 20. i realized that it wasn't smooth my part was good like you were great during my part i'm going to spell out disinfosec for the people that are listening because it is not a real word so it's d-i-s like dis and then as in disability and then info sec so i-n-f-o-s-e-c dot tech so t-e-c-h and i really liked that you put on an event where every single talk was accessible so you had to be able to describe what you were talking about so if someone could not see they could still understand your entire talk and i really really liked that accessibility and inclusion is a big value at my company and so we have closed captioning on all of our training and i remember one of my staff was saying like you know we're not going we're not going to have that many hearing impaired people take our courses and i was explaining okay so if someone english is their second or third language them being able to read the words in english has value and also even if we sell it to one person that's a huge win for that person who probably doesn't get this option from other training and i'm like accessibility matters so that we can include every single person not so if you already if you are a deaf person and you want to learn application security and there's no reason why a deaf person couldn't do greater application security you might not contact you know uh we hack purple and be like hey could you make your videos have closed captioning please yeah you would just like give up and move on like when it comes to like people who use wheelchairs for instance um if they can't enter your store by pushing a button to make the automatic door open yeah with a ramp already there they're not going to get their uh walking friend to go into the store and be like hey can you uh open the door and like get the ramp up so that my friend can can uh move their wheelchair into the store and shop they'll just like move on and they'll keep moving on until they find a store that they as a wheelchair user can enter without having any friction but i feel like making things accessible from the start seems like a human right do you know what i mean like as a person who is dyslexic when i went to school a lot of that did not make sense to me and so when i was an adult and i wanted to learn french i had to go to a special school for dyslexic people and it was awesome i learned very quickly and it was great but like if those things aren't available if accommodations aren't available then we're not all on an even playing field and that's just crap so like um yesterday i did so that we hack purple has a community online and we do stuff together and so yesterday we were doing this github actions thing and um only one person showed up so there's supposed to be seven or eight of us but only one showed up which is totally fine and we're streaming and i'm showing him some stuff and we're talking and i guess i do this thing naturally where i always just explain what's happening and i said oh is the text big enough for you and he's like oh i had no idea and he's like yeah it's never come up before but he's like i've i've always been able to just participate because you explained so well and i was like oh that's so great i'm so happy to hear that and i'm like so you can't help me with if the text size is big enough for the recording we're making and he's like ha good luck um but it's like when we do these small efforts like to me it's not a giant effort to do that um and i feel like it includes so many more people and we don't even like i had no idea and like he's been coming to lots of events with us and i was like oh okay i was like cool and so then later i was like do you see here and i was like okay let me explain right and just like that small amount of sensitivity that we can add so everyone gets to be on the same playing field and as like score and there's the curve kind of effect sometimes uh disability accommodations also benefit non-disabled people like curb cuts make it possible for people in wheelchairs to uh cross the street for instance because you don't want to drive your wheelchair over a harsh bump no no but it also benefits abled people because if you're rollerblading or you're pushing a baby stroller or whatever you also benefit from that curb cut yes one thing that i was thinking about is like not only am i autistic i also i'm adhd and i can read hundreds of pages at a time if i'm hyper focused but a lot of the time if i see a wall of text this might benefit you being dyslexic as well yeah if i see a wall of text a lot of the times i'll be discouraged like oh that looks tedious and i would move on to like reading something else that didn't look overwhelming and tedious so i write breaking my writing down into lots of different paragraphs so there's space between the paragraphs the same amount of writing seems much less overwhelming to read when it's broken down into separate paragraphs i've been writing articles with bullet points more often lately you'll notice that most obviously on a tnt's blog cool and i phil and i both tried to do that and widely as well make the formatting so you never hit a wall of text same with my book excellent and that benefits dyslexics and it benefits people with adhd but it has the curb cut effect of even if you're neurotypical you might not want to read a tedious blog wall of text you may want everything broken down into smaller more manageable pieces yes yes exactly i agree so much also someone named deep eddie says hi kim hi tanya hi eddie thanks for coming um and johnny says that he is stuck in tech support purgatory i'm sorry johnny i feel you and i feel like kim and i both feel you if you want to do what i do uh start a blog on like medium or wordpress or whatever uh write about what interests you write about where you have knowledge maybe also see what other people are writing to get a sense of what people want to read and as i said it might take three four five years vigilantly just sharing your writing on twitter or wherever and then as soon as you got a few companies paying you for your work after a few years of writing for nothing and having to continue your day job then stop writing for free yeah because now people are paying you for your work and writing for free just lowers your pay rate yes yes okay so i feel like you can read my mind kim because literally my next question was could you please give us some actionable advice so that you could become a writer that's like i i was like she's actually answering the question that was in my brain and i mean our a lot of our writing is free for people to read if they want to like without a paywall but a company is paying you to do that writing exactly now now the downside might be like for example a t cyber securities blog is not going to publish anything that's not in their corporate marketing interests so and that's the same with like any tech company their corporate blog any company whatsoever uh yeah they want to draw people to their site and they have specific marketing objectives so being paid for your writing means you don't necessarily just write whatever you feel like writing you have to write what they want you to write you got to compromise yeah but i enjoy i enjoy the challenge um if i didn't have people giving me ideas about what to write sometimes i would be a little overwhelmed because when someone else is providing you some sort of structure like this is what i want you to write it's easier to be creative than if you're left completely true on devices yeah looking at a blank page can be intimidating like i'm gonna write today so my last question is if someone wants to know more about kim crawley besides following you on twitter at kim underscore crawley so c r a w l e y on twitter where else could they find more information about you i believe there's a link about you on the atnt blog which i could share yeah and that is an archive of every single thing i've ever written for a t cyber securities blog and anything new that i write for them is going to be linked on that page as well um i do have just like you i have now an author page on amazon but that's just going to link to like whatever books are published under our names obviously i the one of the reasons why i don't have like my own personal website is because i really wanted to use the kimcrawley.com domain and i had registered it many many years ago when i was much younger and i lost control over like it you stop renewing it and then someone else buys the domain and they don't even use it but they're like sitting on your domain now wanting you to pay them like fifty thousand dollars to get it back or whatever if you don't wait a year or two uh that usually goes away so i used it on tanyajanka.com and ca because i was a professional musician and then i let it go intentionally and then someone was cyber squatting on it and i was like jokes on you i don't give a crap and so now it's like available for like 12 bucks because no one's named tanya janka in the whole world except me because my name is spelled quote unquote incorrectly compared to the polish spelling and so no one has this weird like anglo polish smashed together name and i'm just like yeah i don't need it now i have she hacks purple.ca i'm just like you're very lucky you're very lucky to have a unique name that at the same time people can spell and pronounce because my boyfriend his name is jason smith do you have any idea there are probably literally like several thousand jason smiths in this country if not like tens of thousands or more maybe even hundreds of thousands of jason smith in canada alone yeah like j my boyfriend went to school with other jason smiths oh my gosh and then his dad is joe smith if only he was john smith that would be even worse oh my god so there is no freaking way that my boyfriend is ever gonna have jasonsmith.com or even jasonsmith.mt being the top level domain for malta like your name is that freaking comment oh wow that must be annoying see he he should come up with a hacker name like like i did which was not on purpose at all but worked out really well in in the long run well as a black metal slash digital hardcore musician his name is schizoid or j schizoid so that's his hacker name nice i like it no but then you can have your own unique identity online and it's my yeah i like it well kim thank you so much for being on the show this has been awesome thank you so much for being such a great host and it was a great honor to be on your podcast thank you so much okay so we do like a little wave and then we disappear and then i tell everyone who's on next week bye thank you bye everyone okay so thank you very much to everyone who came this week and streamed in if you are listening to the we hack purple podcast thank you please subscribe on youtube or whatever podcast platform you download your podcast from we would love for you to rate our podcast we would love you to rate it so much that we actually go so far as to bribe people so if you send us a picture of your podcast review that you wrote on itunes and a mailing address to at wehackpurple on twitter we will ship you off some stickers to say thank you so i'm going to read you one right now so thank you for this podcast it's really helpful with seeing who's in the industry and learning about what they do the personalities are funny and the advice about actionable steps books to pick up and community resources are gems and that's by jyku3 from the united states thank you i want to thank kim so much for being on the podcast i want to thank ubic security for being our sponsor yet again they were our first sponsor ever of the podcast and we really really appreciate it and i hope to talk to a lot of you next week when we will be talking to shira shamban of soul which is an israeli startup and i really like startups so you're going to hear lots and lots about shira thank you again and this i gotta tune in yeah absolutely bye everyone