BSidesATL 2020 - Protect: Low Tech & Insecure

so I want to take a minute to thank our sponsors again we've got a bunch of really great sponsors who have been with us through this wild ride to a virtual conference at the diamond level we have Maurer media go level we have Kennesaw State University Cole's college and the KSU Department of Information Systems Bishop Fox coal fire genuine parts company and NCR crystal level is critical path and synopsis silver level is Erin's binary defense Black Hills core light and guide point security bronze level is NCC group our our in-kind sponsors are EC Council for online training and secure code warrior for the virtual CTF we'd also like to thank crosshair Information Technology Joe gray offensive security and pen

tester lab for contributions to the raffle prizes and if you haven't joined the raffle we have a few more really great prizes coming up so join the raffle giveaways channel and make sure to fill out the form to get signed up for the raffle also make sure to drop your pin on our mat so we can see where everybody is coming from I'll post a link in the track protect channel right now and subscribe to our youtube channel that's where all of these talks are going to be posted so you can watch them later and catch the talks that you missed on the other tracks so without further ado I will hand this over to

Carlota who will be taking it from here can you hear me now yes we can wait thank you let me see if I can share come on all right hello c-come on here technology all right hey thank you very much Patrick and to all of the sponsors I really appreciated a big shout out to the organizers you guys did an amazing guys and ladies ladies and gentlemen did an amazing job pulling this together is a virtual piece and I really appreciate the level of professionalism and communication so thank you also for inviting me to talk about low tech and insecure building healthy boundaries and defeating imposter syndrome hopefully this is not a technical talk this is a talk about

being a human in tech that is something I've had 20 plus years of experience with and I want to set a couple of expectations here whenever I've been submitting this talk to besides different V sides all over the country for about a year now and I get two pieces of feedback one piece of feedback is this is natura talk it doesn't belong at Abby sides and the other piece of feedback I get is imposter syndrome isn't a real thing so I want to address those in case those are already in your mind this is not an HR HR it's probably a good thing I own my own company right now because I don't think that HR would

really like what I'm about to say number two impostor syndrome whether that is real or not I am NOT going to wait for the American Medical Association or for the Mental Health God folks to declare that an actual issue or label it a a mental health issue people who are use experiencing this anxiety feel like impostor syndrome describes their experience very well and I'm going to not be dismissive of that experience for them I do not have that experience I am very fortunate in that regard so let me tell you a little bit about why I feel like I don't have that I am Curtis age you can find me on LinkedIn you can find

me on Twitter I've worked at a lot of big companies and in tech in Silicon Valley mostly in IT and support operations I ended up on a six-week contract in 2013 at a little company called fireEye that went from 300 people when I started in April - almost 1,200 people including contractors by December of that year so that was a wild ride I ended up taking a role a long-term role with them and four and a half years later when I left it was like wow that was amazing I really loved the company but more than that I really love this industry and what information security and and cybersecurity are trying to do from that

perspective it's easy to look at my career and say I've been very successful now there have been a lot of failures that have gone into that success and some of those for educational failures I dropped out of Auburn before I could fail out I started back to school at Durham Tech shout out to our community colleges and I did finally graduate with a bachelor's degree in textile chemistry of all things from and some states so shout out to our public schools and then I did a master's at an Ivy League university which was essentially fortunately for me out of pocket from all of my Netflix stock when I went to work there now I'm broke so but I tell

you these things to give you context of my path into security and through technology has a human being and as a woman has been very diverse it's been all over the place and I don't want anyone to be discouraged if you have career concerns I am always happy to help or listen to you talk about those things but let's get on talking about being low tech and insecure boundaries for me or what I feel like really defined and helped me be successful or more successful it has I've grown older in technology and InfoSec we don't all start out this amazing human being who's full of confidence who knows what they're doing and and we look at other people and when

we see that and try to compare ourselves to that that's really unfair comparison we don't all start out with mentally healthy families who are supportive of our decisions we don't start in the right body sometime there is a lot of pieces that go into this that when you're looking from the outside at somebody you're not seeing their evolution through through into their success or into their person played so part of it for me is just helping people who either don't come from that healthy background find that healthy level playing field and also helping people who do you that hope the background understand you bridge that gap how can you help it folks who need when we're coaching on

the emotional or the human side I think it's incredibly important has technologists we want to solve everything with a widget or an application or a platform but the pieces that we're securing the data that we secure it's created by humans it's acted on by humans it's stolen by humans rate this is a human problem we are we are in a technology field that solves human problems and that's the piece that I I feel like gets lost in translation sometimes I love that I'm seeing more and more b-sides and other regional conferences focus more on the given piece I think it's very important I don't think you can be as successful as you could be in technology if you

walk away from that human piece I'm gonna start with some physical boundaries the me to movement you hear from a lot of folks I'm not sure what I can and can't do I think coronavirus right now coded 19 and the shelter in place is going to change how we think about our physical boundaries so this slide may get updated in the next few weeks and that how you impact other people's space is very important when you're very tall or very broad physically big person who takes up a lot of space you want to be a little bit further back from people right when when you close in on them we has humans we as animals fundamentally find that to be a

very aggressive move and we're going to move back in terms of touching it becomes that's a very cultural piece almost there's a lot of pieces around where can I touch somebody how long a very brief touches acceptable touching on the arms is usually acceptable historically shoulders have been acceptable I think they're moving maybe more more towards and maybe but the front of anyone torso male or female or unidentified that's just not acceptable never you should never be touching somebody's body torso breasts chest upper thighs unless you know them and have consent right when you're taking pictures if you look at the backside on the right there is a little sliver of maybe if you're taking

pictures and you're sliding your arm around somebody to gather people in for a picture that's acceptable that's a context specific incident right or it's context specific moment but your hand should stay up it should not slide down to the hip it should definitely not slide down to the rear these these are very common-sense pieces most people know this but not everyone does especially if you come from a very touchy-feely family and you're surrounded by people who aren't as comfortable being touched it's easy for misinterpretation or discomfort to be generated if you're much more physical and I tend to be a very huggy physical person and I've had to learn over the years to kind of pull back make sure

when I go to see somebody I haven't seen in a long time are you a hugger or a handshake er asking is never a bad idea people usually really appreciate it especially when you're dealing with a lot of introverts who aren't getting out especially right now right who aren't getting out and they're not seeing people understanding physical boundaries becomes very important and if you're not sure it's totally fine to ask I don't think anyone should ridicule you for asking and if they do that's I want you to remember that song them and not on you you were right to ask where those boundaries are verbal boundaries words can kill and I mean that both literally

we see a lot of cases where bullying has led to a suicide families are pursuing that prosecutors are pursuing that but more importantly in a even more broad context the words that you choose can kill morale they can kill your credibility the tone that you use and it and this is a tough one because there are people who have very flat effects and very flat tones you need to give you need to get people room for cultural differences for single you know English as a second language it's important that we let people fill a little and then offer to help them if needed if you have a very flat expectation and that's a part of who you

are and there's not a lot that you can do about that it doesn't hurt to say I know that this sounds very flat because this is how I am let me give you a little more context people are going to be much more forgiving if you can try to bridge that gap upfront right so I know that we don't have a lot of time together and they're probably going to be some questions about this so I'm gonna hold questions off to the end if you have in the workplace we get very comfortable with each other we like to talk smack we like to put each other down sometimes and we can get some of us

can get very aggressive is with that if we're very comfortable with it but you have to be very aware of the people around you and how they interpret that give people an opt-out right if if you're very casual and comfortable talking about terrible things in the office and somebody says hey guys could you not ladies could you not could you take us somewhere else be respectful and thank them excuse yourselves to another room and have that conversation somewhere else we're in a profession where there's a lot of pressure on us and especially anyone who is involved in defending human lives and one of those outlets that we have is to express things and very horrible and socially

unacceptable ways which can be very funny but don't necessarily belong somewhere where other people can hear it be aware of your situation be aware of your surroundings be aware of how you look to other people you don't want to kill your credibility because you're trying to blow off some steam so I would very much caution around there's a lot that you can do around training for this and there's also a lot that you can do to step in if you feel like somebody is being verbally aggressive and and in a not good way it's okay to step in absolutely or if they've said something really truly horrible and I I don't want to give you examples right

now because I've heard some really terrible things but I'll give you an example of how I respond to those things and one of the responses I use is I want you to hold that thought because I want you to think about what you've said and reflect on it later but I want you to take this moment right now and say anything else just say anything else right and that kind of puts people an alert that they have said something egregiously wrong and gives them a chance to self correct and that's worked very well for me and in the organizations I've worked in you may need to sit down if you are a hiring manager especially or or a leader in

your organization it does not hurt to sit down and pattern at it and actually write down an etiquette an etiquette that you expect people to follow because fundamentally we still have to work together and we want to be respectful of each other in the best way possible right so if you have situations where people have said something to you or about you that you weren't sure how to respond throw those in the in the slack channel and we'll talk about those I would love to get some examples and see how people handle different things maybe we can build a kind of a pool of experience that people can share emotional that is one of the biggest

gray areas because we as human beings the first 20 years of our lives why are us in very wildly different ways and our emotional response may or may not be appropriate to certain situations what I really like people to remember is that your your boundaries anything that makes you uncomfortable has pushed on a boundary and that boundary may be perfectly reasonable or it may not your boundaries are your own other people don't have to understand them or agree with them but hopefully they do respect them if you are terrified of dogs your friend bringing a dog around is not going to make you not terrify the dogs and it's it's a little disrespectful of your phobia hey dogs

great I love dogs they're fantastic but if you don't like dogs if you had a traumatic experience with a dog and you're half in your past my bringing a dog around is not going to solve that it's not going to defuse that it's going to push that and it's gonna make you upset be more aware if you can when people say oh I have a phobia about that or no I'm really scared of that or people just react very defensively to something that's going on see if you can break that down with them and if you can understand what's going on maybe you can work around it your boundaries are also flexible you may be more forgiving of

being touched or being pushed verbally by others in a given situation but not by but not by a certain group right that's up to you that's up to you and you need to be very clear on why you're more flexible with some people than others maybe you just trust some more but mostly your boundaries whatever you develop from an emotional standpoint they should help you navigate the world in the personal interactions that you have with confidence if your boundaries are too restrictive you're going to have trouble with that and there's a given take they're the it could be that you just accept that as part of who you are it could be that you find a therapist

who works with you through those those problems if you were madly in love with someone and they have a dog and you're you have a dog phobia you're gonna have to figure out where that boundary is and how you want to work around it and I I don't I don't have any easy answers here as I said a lot of us don't come from a motion Elyse table supportive home and so this piece becomes very critical and learning how you're reacting to your workplace and to the people you work with and the trust and the relationships that you build if you have and right now especially with most of us working from home this becomes very very stressed

because you are now even if you work from home all the time now remain or your spouse or your kids are home all the time as well and that changes your dynamic very much and that puts a lot of pressure on your emotional boundaries so I would really encourage you if you're struggling right now don't beat yourself up about it things are crazy right now your life has been very much impacted by something that you have a zero control over and that's that's very stressful whether or not you've been working from home for years so but if you have questions that you think I can help you with take them to the channel we'll go to them there now

I'm gonna get to the stuff that HR really doesn't like to talk about and that's sexuality sexuality in the workplace in the industry at conferences it happens we are fundamentally animals we have attraction we have both emotional attraction we have physical attraction my biggest and simplest advice is when it comes to sexuality in the workplace and relationships in the workplace taking them beyond co-worker environment don't do it just do it it's just a bad idea and I have seen it work out very well for people I have seen it go very badly as well I have seen people quit jobs and leave industries over it it is it is a tough line to walk if you are spending a lot

of time with someone though you do you you're spending eight hours 10 hours a day sometimes working with that person and you're creating those bonds maybe you're responding to that you also have to remember that maybe they're not responding to it the best thing that you can do is be extremely clear in your communication if you think there is no hope that this personality has a committed relationship don't just don't even go there just drop it it hurts it sucks to work around but you do you get over it eventually I promise I promise I've been in this situation I've been the target of this situation it is it's tough I I won't lie it will stretch your

new boundaries you'll learn you'll learn to grow the other piece of this though is even if you do start a relationship it can get very dicey because if people don't know that you're in a relationship and they see you getting a little bit more cozy that can raise questions of your credibility and and that becomes a risk for you and for your career if that person is already in a relationship even if that relationship is an open relationship and your relationship is consensual not everyone office may know that right if if you are going to do an office romance take it out of the office and be very clear upfront if this seems to be

working out you know does one of us need to leave the company does one of us need to leave the organization I have seen it where and of course some of the really large companies I believe in Silicon Valley have dating services so they can match their own employees up if you're working in totally different places that is not a problem but if you're in a smaller organization that it becomes a huge problem and you need to be very aware of that before you make any move on anyone but for the most part just don't that's my best advice I have had workplace relationships there are people that I would would work with again in a heartbeat with the

understanding that that was the past and won't ever happen again and I know that they know that and I know that and we can work together fine I've had workplace relationship where where that's not a case so it can be very dicey if you are in this situation and you're looking for some guidance I'm happy to talk to you about that but more importantly there there are other pieces here that I'm just going to jump to a should send this person a dick pic like if you're on that point I'm really into this person yeah male or female whoever you're your target is really did they specifically ask for that because if they didn't don't do it just understand

just don't do it it's a bad idea if they specifically ask for it that's a different thing and what I don't go into here is also there there's so many topics that we can talk about here revenge porn if you are surfing than that and you come across porn of a co-worker that puts you in a very interesting place because if you tell that person that you have found porn of them did they already know is this going to be crushing or they are you putting them in a very emotionally vulnerable place for the most part I would try to be very circumspect about that it's unfortunate unfortunate truth in our industry we're very familiar there

are a lot of women in our industry or in tech in general in the world in general who've been victims of revenge porn and it's a very sensitive subject how you would approach somebody about that I would be very careful I would not I would certainly not send that link around and say hey is this so-and-so that is not okay if you think it's so and so make the assumption that it is delete it from your hard drive never look at it again and make if you think they don't know it's out there and and you think they trust you enough and you're willing to help them in whatever way you can maybe approach it but if

it's not someone that you know well you may do more damage than good and that's something that you'll want to consider and in terms of sending images of yourself whether you're male or female if they have not been requested don't do it because it's it's a very dicey thing that you that you're really you're really putting your credibility out there and some potentially very negative ways right so I know if kind of step through very quickly a lot of things about pushing boundaries and but I want I want to get spend a little more time around the concept of boundaries and abuse pushing boundaries can be a good thing they take you out of your comfort zone and they give you a

chance to grow but if somebody's pushing your boundaries repeatedly to the point where you ask them to stop with that's a problem and you see that a lot with more control of use of a more less so in the workplace with physical abuse although I have I have seen witnessed that as well but if if you are to the point where you've asked somebody to stop that's that you're getting some some great very yellow orange areas and if they continue doing it after you've stopped ask them to stop especially if you ask them repeatedly to stop now now we're getting to abuse territory obviously anything that is illegal a sexual or physical assault that's obviously an abuse you

know call the police but in the workplace that can be harder you know it's a lot harder to recognize abuse especially if you either came from an abusive family so this looks like normal kind of behavior to you and it's really not acceptable or you come from a normal family and you've never encountered this before sometimes it can be very very subtle excessive negativity belittling nothing you do is good enough the obvious ones of course yelling name-calling that kind of thing but those are very obvious it can be very subtle gaslighting is a term that we use a lot in relationships it comes from an old movie I think in the 1940s or 50s where basically they're turning lights

and on and off and telling this woman she's crazy when in reality they're trying to drive her crazy it can be that malicious a lot of that is about control and the desire for control if you are if you're questioning whether or not your box is abusive I would definitely seek a third party to bounce some ideas off of because it can be it can be tough to see it it can be very tough to see it making you feel like nothing you ever do at work is is good enough is a big red flag to me at moving goals like oh if you do this project then I'll give you this title oh well

you didn't do that project as well as I thought you would but they don't have any constructive feedback but the goal was moved that's that's pretty shady being in a work environment can be very emotionally devastating with the wrong box and if you're a new if you're new to the work field you don't necessarily know what a good boss versus a bad boss it looks like if you're not sure go and ask someone come you know hit me in Twitter I'll give you my phone number we'll talk about it there there are times when it really is clear that that your boss is just emotionally not healthy and they're creating a very toxic environment for you over then and

work in and there's only so many things that you can do there HR usually is invested and not rocking the boat they don't want your complaints because now they have to do something about them and because you're the low person on the totem pole or you're not the director or whatever you know they have invested in sometimes that solution is to make you go away and that's not pretty but that is a reality of corporate America that I want you to be aware of HR is not your friend HR is there to cover the company as long as keeping you happy does serve the company they're going to keep you happy but when your situation becomes a risk

you were just as likely to be the person to go or more likely to be the person to go especially if there's a power imbalance if it's a director or a manager it's a problem right and and you're the easier problem to solve sweeping the problem under the rug is usually easier to solve so be very careful when you're when you're traversing this route how you handle those discussions with HR if it's anything that can be absolutely recorded and is knew and acted on legally then you need to record it act on legally not through your HR department you need to engage outside counsel or go ahead and call the police and do it that way because a lot of

times I knew a woman who came from a large corporation that had essentially a whisper network where one director in particular would hit his co-workers or his his peers and other groups at conferences with a day drug rape drug and that company had probably 10 or 12 complaints about that person and he was no it was always easier to sweep it under the rug for them so once you'd be very aware if you're at an industry conference even with your own team keep an eye out for each other it's super important that we be as ethical as possible in our industry and there were people who abused that and I can't I can't underscore the seriousness of that

enough so I know that we don't have a lot of time together and and this is a I got into some pretty heavy stuff pretty quick and we're coming up on two minutes before I need to hand this over so I want to give you some resources if you feel like you have grown up in an abusive or traumatic environment if you have been incredibly depressed and are feeling suicidal if you have been sexually assaulted there are a lot of resources out there please never be afraid to ask for help whether it's a small thing and saying to a co-worker I'm really drowning right now can you help me out and just take a little load

off of me and being willing to step and step up and do the same when they're drowning or if it's something much more serious please reach out for help I can't I cannot express that enough for me learning to ask for help was the biggest piece of making this all all possible so with that I know we're reaching 30 minutes I am Carlotta sage I am a human in tech I hope that you have found this helpful I hope that you hit me with some experiences of your own so that we can all grow and learn from them and I'm going to give this back to Patrick thanks guys and gals things folks