#278 Coleen Shane is a bad-cop security-expert with a tinfoil hat
In this enlightening podcast episode, we embark on a tech odyssey with Coleen Shane, a trans woman who has made her mark in the realm of information security. From her humble beginnings of tinkering with a Texas Instruments TI-99 in the 80s, Coleen's journey takes us through the evolution of technology, the importance of security, and the delicate balance between convenience and safety in the digital landscape.
Coleen's passion for security is evident in her career trajectory, which took her from being a tech enthusiast to a respected security expert at the VA hospital in Indianapolis. Her rich experience lends a wealth of knowledge on the subject of information security, emphasizing its growing importance as our digital landscape evolves.
One of the key challenges discussed in this episode is striking the right balance between ease of use and ensuring our digital world is secure. This balance is critical, as the more convenient a system is, the less secure it often becomes. Coleen shares insights from her professional experience, shedding light on how to navigate this complex issue.
Phishing attempts are a prevalent risk in the digital world. In this episode, we delve into this murky issue, exploring how to identify and mitigate such threats. Coleen shares valuable tips and strategies to avoid falling victim to these increasingly sophisticated attacks.
In the wake of the AI boom, concerns about privacy and security are more significant than ever. The podcast episode explores the potential of AI, its benefits, and the inherent security risks that come with it. The conversation emphasizes the importance of maintaining a balance between convenience and security, and the potential of AI to be a friend rather than just a tool.
The importance of prioritizing security in software development is also discussed in the episode. Coleen highlights the value of certifications like Security+ and the need to have a security expert on the development team. Social media can be a valuable resource for staying up-to-date on security trends, and the need to be aware of physical security risks is also stressed.
The episode wraps up with an insightful comparison of Apple and Google's differing approaches to security and privacy. While Apple is often seen as one of the most secure and private companies, there is always room for improvement. The discussion explores the potential of hacks and the need for secure systems that are also convenient to use.
This episode serves as a reminder of the complexities of the digital world and the importance of security. By shedding light on these pertinent issues and offering expert insights, listeners are left with a fresh perspective and valuable knowledge to navigate their digital lives securely.
Enjoyed the Podcast? If you did, make sure to subscribe and share it with your friends!
Post a review and share it! If you enjoyed tuning in, leave us a review. You can also share this podcast with your friends and family and share lessons on software development.
Become a supporter of the show. Head over to Patreon or on Buzzsprout.
Got any questions? You can connect with me, Timothée (Tim) Bourguignon, on LinkedIn, per email, or via my homepage.
Thank you for tuning in!
⚠ The following transcript was automatically generated. ❤ Help us out, Submit a pull-request to correct potential mistakes
Coleen Shane: 0:00
So I would recommend you know anybody like that to try to get on social media. Try to find as many people like that, as diverse a group of people as you can find, to get exposure, because that's like real time. You know as things change to pop up, you know a book is going to get stale and it gets more stale as it sits there, whereas you know a social media thing or even a security blog or something like that is going to be a little bit more updated and a little bit more fresh than you know, and it's going to bring some of those like the MGM hack. Right, that was totally a phishing thing. You wouldn't imagine a company that big, you know, falling as hard as they did because you know somebody phished them. But it happens and, like I said, it's a matter of time. Right, it's not if, but when.
Hello and welcome to Developer's Journey, the podcast bringing you the making of stories of successful software developers to help you on your upcoming journey. I'm your host, Tim Bourguignon. On this episode, I receive Coleen Shane. Coleen is a 49 years old trans woman living happily in San Diego near her two adult children and their partners. After many twists and turns, it's in her mid 30s that she found her way to information security and networking. Since then, Coleen has worked for various institutions like the US federal government, healthcare and education in IT and information security. Coleen, a warm welcome to have you. Good morning, it's good to be here. Thank you very much. Oh, it's my pleasure, or our pleasure, but before we come to your story, I want to thank the terrific listeners who support the show. Every month, you are keeping the Dev journey lights up. If you would like to join this fine crew and help me spend more time on finding phenomenal guests than editing audio tracks, please go to our website, devjourney.info, and click on the support me on Patreon button. Even the smallest contributions are giant steps toward a sustainable Dev journey. Thank you, and now back to today's guest. So, Coleen, as you know, the show exists to help the listeners understand what your story looked like and imagine how to shape their own future. So, as is usual on the show, let's go back to your beginnings. Where would you place the start of your tech journey?
My tech journey definitely started when I was little, back in the 80s. In IT I guess I would say that I started with the Texas Instruments TI-99. My mother bought one for us. I think it was used because we got it a few years after it came out. But I did a little bit of programming on that. That was probably the beginning of my programming, badly, but I just copied what was in the book and typed it out on it. And then there was actually a cassette recorder, a magnetic tape recorder, that recorded all that code on. And that first program I did was Mr Bojangles and it was to make a little guy dance on the screen like an 8-bit. I was pretty proud of myself for that. But after that I always was into tech. I grew up pretty much tearing things apart. That was always my thing. I always had to understand how things worked. So if I could take it apart I took it apart and a lot of times that upset my parents, taking things apart. It took me probably until I was about 12 to figure out how to put things back together again and then after that it was on. So I had children pretty young, so I went into air conditioning, school of refrigeration. I did that for many years to raise the family, because it was something that I could do at night, and I eventually got up to service manager, operations manager. I was a maintenance supervisor for a while but I kept hitting what's called the paper ceiling, where I got high enough but I couldn't go any higher because they said I didn't have a college degree and nobody seemed to care what my college degree was in. They just wanted me to have one. So my ex-wife at the time graduated with her master's degree. We both were together very young, so she also didn't graduate high school. She went back to school herself and once she graduated with her master's degree I decided I'm going back to school. And I decided I'm going back to school for computers, because I always loved computers and I've been playing with them forever.
So I went and got my associate's degree in networking and part of that networking excited me. But part of my degree was security classes and I thought that was really great that they were including that in the degree there to expose you to security from the beginning. But the security really spoke to me, like the risk aversion, mitigating risk. I just fell in love with it. So I switched over to security and then just kept networking as a minor, eventually got my associate's degree, and this is all in my mid 30s, so my kids are in high school themselves and my goal was to graduate before my son did, before he was ready to go into college. I finished my associate's degree and I was really enjoying that and I thought why stop here? So I enrolled and did my degree online for my bachelor's degree in information security and kept networking as my minor in that as well. And then while I was doing that, I worked at the VA hospital in Indianapolis in tech support. So it was kind of like an internship, what they call it a student trainee. I was a 5/7/9 student trainee, so I started out as a GS-5 and then worked my way up to a 9 as I got those degrees and I learned so much at the VA hospital. It was a Windows environment. I learned a lot about Active Directory and everything, managing printers and networking. So much about security. They required everybody on staff to have a Security+. It was just a local directive that they had there that was part of mine, if I may.
VA is for Veterans Affairs, isn't it? Correct. Okay, so that was part of the military, probably, or?
Governed by the Department of Veterans Affairs, yep, and then the VA hospital was the sub-department of that, because they also have the Veterans Benefits Administration. So, yeah, I worked actually at the hospital there in Indianapolis. And they're considered what's like a 1A hospital. So you know they had the helipad there, it was like trauma center and you know it was like a regional hospital. So people came from all around to Indianapolis to have procedures done and be seen there.
Okay, yeah, and we imagine it's quite security-affine if it's a part of the military and 1A etc. Absolutely.
Yeah, not only from the healthcare but because they were veterans. Veterans could still be called back to active duty. So you know, our computer system was linked with the DOD. So our specifications, our requirements were that strict and it was almost to the level of paranoid because, like you know, we would receive a skid of a pallet of printers and you know, printers all come with a CD there with the drivers on it. The directive there was that no media left that hospital unshredded. So the disks that came brand new with those, as soon as we took them out of the box, they had to go straight in the shred bin and that was just to basically ensure that no media left that hospital intact. And we, you know, shredded everything, hard drives, you know the little, whether it was microfiche films, you name it, anything that was a media that had patient data on it or not. We destroyed it. And then of course we maintained the chain of custody and all that stuff. So for me, I love that and I love that that level of paranoia, that tinfoil, what I call the tinfoil hats, was great for me. It taught me a lot about security that I pretty much took. I've held throughout my life since then and I try to bring that to all my other orgs and you know I've gone to work at like universities and universities are like some of the most open places that you could work. They don't really care about, I mean, they do care about security, but it's not their priority. You know access is their priority. They want convenience, they want their students and everybody to be able to access everything from everywhere, which was completely counter to me, you know, having to lock it down and make sure that you were actually authorized to get that data or have that connection, you know. So you know I worked for them, developed my security posture. And then you know I worked for a lot of other healthcare organizations, like radiology.
Of course that's HIPAA requirements there, so it's not quite as strict as what we had going on at the VA hospital, but it was a little bit better than the universities. And then a lot of the private works that I've gone to. I take that level of security to them and sometimes we get into a little bit of a battle because you know people want convenience, they want to be able to do their things without much hassle, and I'm not sure if you're familiar with the concept that convenience and security are pretty much opposite one another right. The more convenient it is, the less secure it is, and the more secure it is, the less convenient it is. So I try to find that balance, but I always try to err on the side of security.
So this must make for very interesting discussions.
So many times and you know sometimes it gets, we get into heated discussions because, you know, some people just they don't care about the security, they just want it to work, they want to be able to connect to their printer, or they want to do a scan, or they want, you know, to be able to just connect their laptop and go right, or they want to be able to bring their Mac laptop from home and connect it and just work on that. So trying to, you know, educate people on security or why those practices aren't, you know, acceptable, it sometimes causes me a little bit of static, but you know, that's part of my job and I always kind of consider myself the bad cop in security because I'm the one that wants to lock everything down. I want everything secure as I can make it, and then it's up to others on my team to try to find that balance and, you know, find the convenience but also the security.
You always have to have different poles and different roles and I guess in a team you always need someone to really be the bad cop, as you said, and really push things forward and even further, so that somebody at some point says okay, that's enough. But if you don't have this person, then you might not reach this "that's enough", you might stop.
Well, and that's my thing is like it takes a diverse perspective of people and the experiences to build the security posture or security team, and you know I try to be as far as towards security, on the secure side, opposite convenience, right. You know I like a little bit of convenience myself, but you know I would rather have something secure than convenient. We've got to take steps for that, you know, like multi-factor. You've got to break out an app and put in the code that's in there. I mean that's another step, it's less convenient but it's more secure.
Is there some such thing as searching where you feel convenient, and then having this as a hint for probably a security weakness? Not sure that's the right word, but everywhere you feel confident and convenient, then that might be a hint that there's something here, right?
Yeah, yeah. The more convenient it feels to you, the easier it is to you, the less secure it is and unfortunately, that must be a fun way to look at the world. Like I say, I always tell everybody I have a tinfoil hat, right. It's like I'm so paranoid and like I think I was always like that before. But you know, when I spent five years at the VA, I just got that much more paranoid, you name it, right, like port security or, you know, wireless security or any of that stuff. It was just like it was almost to the level of paranoia there and I just really dug that. But unfortunately at the VA people don't, you know, they don't move on from there, they retire from there. So it's like it was really hard for me to move up from that 5/7/9 into, like you know, a GS-11 position or something that paid like what was paying out in the private sector. So I kind of wish I had stayed because you know I would still be with all those great benefits and you know, still be working in that paranoid environment. But I moved on for the money because I figured, hey, I spent all this time getting my degree, I deserve that kind of money. So you know I love chasing the money.
Unfortunately. Did you? That's okay. I mean, at some point you have to pay your bills. Did you find companies in the private sector that are close to that level of paranoia? Only the ones that worked for the government.
So if I worked for a company that had government contracts, they required us to be secure to that level, so I really did dig that, because then I actually got the pay that I kind of felt like I deserved and also still had to, you know, make sure that their networks and the systems were as secure as what the government would consider. Okay, yeah. And then of course, I had like top secret clearance and all that. So that's something that the companies really enjoyed. You know, they were like they didn't have to pay for me to get the clearance. I was allowed to work on those networks.
So yeah, it makes sense. Makes sense. The way I picture big FAANG companies etc. would be this way, or this level of paranoia. But the way you put it is not, not really.
Yeah, a lot of them. It's, yeah, I mean, if you look at some of the hacks and stuff that happened, I mean, people are going to fall for phishing, that's a given. Eventually, somebody's going to fall for something. Something's going to seem credible enough and you're going to click on a link. I mean I don't know if you remember how paranoid I was to click on your link when you... yes, you were. Right.
I waited for a few months and the last iPhone came out, and so I am an Apple guy, so I ordered one and a legitimate delay entered the system and so, until I received it, there were multiple SMSs from DHL, the postal office here in Germany, telling me, hey, and they were legitimate, and at some point there was one phishing attempt in between. Oh no. And thankfully my password manager blocked it and realized that there was something, but it was so legitimate, in between two other notifications that were exactly linked to this, that I've been looking at my hardware since and rebooting stuff and crunching stuff, saying this cannot be a coincidence, but I think it is. But still, yeah, you will fall for it. I did a couple days ago.
Right, that's the thing is like the people who are phishing, they get craftier and craftier and you know at work we're shopping around those companies that delete your data online, that do all the search that goes to find all these data brokers with all your information. And you know, because I have such a big online presence, social media presence, I volunteered. I said, you know, sign me up for this. And then you know, let them see what they can find online for me and what they can delete. And they gave a report back and we're going to use my report that they gave to give to the C-suite, the executives at our company, for them to decide do they want to go with this company or not. And I was amazed at the brokers, how many of them had my information and the level of information that each one of them had. Hundreds, hundreds of brokers. It was ridiculous. I had no idea that there were that many. And you know they were telling us that it was like a $3 billion a year or something, you know, multi-billion dollar, I guess, you know, what's the word I'm looking for. Yeah, these brokers make billions of dollars a year, you know, buying and selling our data and transferring it around and you know, like the videos that you've watched on YouTube or you know the stuff that you've bought on Amazon, all of that stuff's up for sale, right. They scrape that and then they use that to build profiles on you and then somebody that wants to phish you, they're going to go try to find all that data, right, and then that helps them build even more credible things to help phish you that you believe. You're like, well, only these companies could know that much about me, when really that's not it. These data brokers knew all that much about you.
I'm pitying my team for that as well right now. It is scary, and how do you live with it, knowing the level of insecurity that we deal with every day and having seen the other world?
Yeah, it drives me nuts, but there's only so much I can do, right. There's only so many people I can educate. There's only so many paranoid screams I can cry out into the abyss here for people to listen, but, you know, eventually I get to the point where people are like you know, she's just a mad woman on a box there screaming about the sky is falling or whatever, right? So I try to find balance in that as well. I want to educate people. I want them to understand that you know this is out there and this is a harm to them or it's a risk to them, versus just kind of blindly going through the world with your iPhone or whatever and hoping that whatever link you click on was legitimate. Yes, you'll see a charge, but don't, you know, don't feel bad about it, because, like, no matter what, the way I say it is, like with phishing, it's not a matter of if, but when. Right, somebody's going to get something credible enough about you that you're going to eventually fall for something.
So yeah, we did an experiment in the company I worked for, added a bot to Slack and the bot was asking questions regularly about phishing, so trying to educate people. And at the same time we started a campaign sending fake phishing emails to the company and seeing who fell for it. And that was appalling at the beginning and at the end of the education program way better, but still not zero.
And you never get it to zero, right, because something is going to be credible enough or somebody is going to be flustered enough, or they're not just going to be, they're going to be too busy, they're going to be... I mean, because that's the thing about phishing is it's like the urgency, right. They make it seem like it's important. You've got to get on it right now. And if you're busy in your life, or if you're upset or you know whatever, it's easy to just click on something to go, because you just have to get on to the next thing or whatever.
So yep, our CTO was driving this and he was Machiavellian about it, really, really having a look at what people are doing, knowing, okay, it's the end of the month, everybody is going to log in to our travel expenses system, so let's send some links about that right now and see what happens. It was gorgeous seeing it from the sidelines, but well, we had a bunch of education to do after that.
Right. Well, and I'm ashamed to admit that I've fallen for the work phishing tests as well. Right, because it seemed legit, and I almost think that that's almost unfair at work. Because they've got a little bit more of an advantage there. Right, they can craft things that are going to seem a little bit more legit than what somebody on the outside would. But maybe not, right. I mean, they're getting better and better every day, so they are.
There would be the... you mentioned one. When I sent you this email saying, hey, you can click on this link and schedule an appointment with me, you said, well, I don't really do clicking on links. What would be the top three, top five things that you do to try and stay on the side of security, that people should know about? I guess passwords, not reusing, using hard and complicated passwords, etc. I hope everybody knows about that by now. I know it's not the case, but I hope they do. What are the more... I wouldn't say as far as password stuff goes, I would say make sure you set up multi-factor.
You know, use an authenticator app or, you know, one of the key tokens or something like that, because you know if your account is compromised then you know they might have your password and username but they're going to also need that other factor there to be able to get into the account, so I can't speak highly enough of that. Again, that's not convenient for most people but it's getting better because you know you've got an app on your phone now and you know, like my authenticator app, I've got, I don't know, probably 12 or 15 different things in there that I scroll through to find the one that I'm looking for. But to me that's more convenient than carrying around, like you know, one of these little authenticator keys. This is great if I've got my key chain with me, but you know, if I'm sitting at my computer I don't want to have this, like you know, half pound key chain that I've got with all my keys, right, because otherwise I'm not going to have this with me every day. I'm not going to remember to put it in my pocket when I go in the morning. So you know, we all have our phone with us.
So I always speak highly of using the authenticator app because it's about as convenient as you can get it. Is there anything else that you do, and people look at you with googly eyes when you say you do that?
Oh my gosh. Well, like in your case, like I checked you out just to make sure that you were legit, right, that you weren't phishing me, and then, like the links that you sent me, I went ahead and checked those out to make sure that they weren't malicious. So you know, I run stuff like that through tests before, you know, I'll actually click on it. Yeah. The tests, you mean software that loads the link and checks it, stuff like this? Well, like there's a website called VirusTotal that you could put links into or you could drop files into and it'll actually scan it. And you know, that's kind of a double-edged sword, because it's pretty good about finding malicious stuff, but then again the really bad people understand that that's out there, so they try to make their, you know, viruses or their links or their systems pass that. That's like the bar they're trying to get over. Right, if they can get past that, that's the standard that everybody uses, then most likely people are going to click on it.
So that's the Swiss cheese approach. Yes, you know there will be some holes and you have to have a different layer behind it where you know the hole is going to be at a different place and with multiple layers at some point you might catch everything.
Right. Occasionally two holes might line up, but most of the time not. Yeah, exactly, exactly. But you know it's unfortunate that we have to be like cyber sleuths nowadays. Like you know that I had to go check you out to make sure that you were legit and that you know the link was legit and it's not convenient. We're getting into a whole different discussion, but let's get there.
I'm really worried about the future. I mean I grew up in the 80s as well and I could pretty much trust everything I could see. When it was a picture, I could trust pretty much everything I could see. When it was a video, text was already gone, but that was a given. And for my kids nowadays, when they will be adults, I mean 10 years from now, deep faking and all this technology will be completely running on every kind of hardware, they won't be able to trust anything they see. Right, I'm really worried about what that will do to them and to the approach of seeing the world and to our communities. It's a revolution coming.
Right, we also have AI to consider now. So it's just like you've got something that can think faster than a human that might be used against you, but on the same side, you know, that's a tool that could also be used to help, you know, to help keep us secure. You know, I hear a lot of people talk about AI and I'm kind of weird about AI. Talk about AI is like they want to use AI for this and they want to use AI for that, and I'm like, well, I kind of want to befriend AI. I want, you know, AI to be like a conversation like you and I have. Like I want it to be my friend, like you know, kind of like I see my cat or my robot that cleans my floor, right. It's like I appreciate these things in my life. They're helpful to me. I don't just see them as just tools to be used or whatever, but like, as far as AI goes, I would like to befriend it. You know, to know that it's like working with me, right. Why would I want to use something that's like somewhat sentient, right? That seems like, hey, I want to use you. You're just going to always be my security person that's always going to do all this stuff for me and that's all good that you have. I mean, I don't know, that seems kind of selfish, I think.
I can relate to it so much. I say thank you to Siri when my kids are around because I want them to understand that.
Why not? And you know, in the future, you know, I think Siri will appreciate the fact that you said thank you, right? I hope so. I think eventually, AI will get to the point where it realizes that some people are jerks and some people are not.
It can go. It could go so many places, good and bad, it's all for the best.
Well, I'm really hopeful there and it's kind of surprising, with my tinfoil hat, that I'm as hopeful about AI as I am. But you know it's coming whether we want it or not. So I want to try to stay positive about it, upbeat about it and, you know, hope that we can use it for good.
What about security and AI? I mean, what's the name of the ChatGPT from Google? Is it Bard? Bard. I think Bard is not rolled out in the EU, I think still because of data protection, because it could scrape the web and just find anything and everything and just bring it out. I mean, from a security standpoint, this is a nightmare. Have you had to deal with this before, professionally or personally?
Not yet. No, it's coming, right. I mean, I know my stuff is getting scraped because I live in the United States, so, excuse me, I kind of wish that we had the same protections that you did, but on the same side of the token, or the opposite side of the token, the AI has to be trained somehow. It has to have data there to learn from, right. So you would kind of equate that to us reading books or us going through the web to try to educate ourselves on that too. It's just, this thing can do it on a mass scale at a much faster speed than we can. So that's where I hope that it's used for good. But that's the problem, and I'll go off railing on capitalism. That's the problem with capitalism is like if we're all just always worried about money and that's all we care about, then that's kind of the outcomes we're going to have, right.
Yeah, that really gets philosophical.
Yeah, I mean, if we were not always chasing money, I think that AI would probably go in a little bit of a different direction than just going to scrape everybody's stuff to try to figure out a way to make money off of it.
A lot of things would go this way. Does it feel like you're playing... or no? Let me roll back that question. One of the cliches of being in security is really playing catch-up with bad actors, in air quotes, and really having to always be on the lookout for what's new, what's new, what's new, what's new, because you're always, always late, basically. Is it the case, first of all, and how do you feel about the future, still doing this if it's still the case?
Yes, we are always late. That's the thing. In security, we're always behind. We're always a step behind the attackers. Right, defenders will always be behind the attackers because you know they've got the advantage of they can strike at any time, right, and we're only working nine to five or whatever. And the other factor is that we have to get it right every single time. They only have to get it right once, right, to be able to get in, you know, behind the doors or in the walls or, you know, whatever analogy you want to use on that. So we're always at a disadvantage in security and for me, I always looked at that as, like, that's much more of a challenge. That's a draw to me, right, because I'm like, I'm on the losing side, but I'm still here fighting, right. You can knock me down, I'm not gonna stop, even though I know that, you know, the other opponent's bigger than me. I'm not gonna stop fighting against them, but, like with the AI factor, that's gonna be, you know, another thing, like we discussed, and I'm hoping to have the tools on my side to help, you know, defend against that as well.
Oh, are you taking part in creating those tools as well?
I think, probably unknowingly, yes, just by having my data out there, but I'm not actually, you know. Okay.
No, is this something you've considered at some point?
I haven't really, no, but that's something that, now that you bring it up, does seem kind of interesting. Right, because that's, in my opinion, like the next big technology there. So that does seem kind of interesting. Bring my tin foil hat to that.
When you think about software development, what is your tin foil hat saying? Oh, my gosh.
So much. Well, software development. I wish they would spend more time on security, have some more security classes, and I know a lot of developers don't actually go to college or whatever and get a degree where they're required to take some kind of security course. But I wish that whatever companies they worked for would pay for them to get, like, a Security+ or some kind of security exposure where they understood the importance of it. For me it's much easier to build security in from the beginning. It works better than to try to go back and bolt it on later. Right, that's always been a problem, you know, the thing is to get that code out fast and make sure it works, because we've got to make profit off of it. We've got to recoup our investment of the time that we've put into it. We'll figure security out later. Well, in that thinking you've just left big giant holes open that somebody's going to exploit, and now you've got an active system out in the world that you're counting on for production, that you have to go figure out how to fix. So for me, for software development, for them to have a little bit more exposure to security and understand that, maybe not the tin foil hat like I do, but some degree of it, where they understand that maybe we should think about securely coding this before we, you know, just roll it out. Or we should have somebody on our development team that is a security expert, or exposed to security, that we can kind of bounce ideas off of, or, you know, give feedback on, hey, maybe that's not the best way to do that. Or, you know, we shouldn't really be hard-coding these passwords in here. You know, something like that. I mean, that's a little bit of a stretch, but I don't think that's really much of a problem anymore, but you still find things like that these days. I hope so, but you never know.
I mean, I still heard recently from people copying files on an FTP as a versioning measure.
So yes, right, it's still out there. Well, and you know, like, everybody uses GitHub and stuff like that, so they kind of fall into this sense of complacency, like it's secure by default, like that code you're gonna download from there that somebody uploaded is secure, right? That may not be the case, but, like, if it's unique code, who do you have check that to see what security risk it poses to you, or is gonna pose to the system you're gonna introduce it to, whatever?
So where would you send people who are still fresh and still interested in all this to gain more knowledge? Maybe not from a training perspective, but getting more, more, more... how do you call that? Time being confronted with the subject?
Oh my gosh. Well, that's a good question. You know, I'm big on the Security+ because it's like a wide domain.
That's a certification, isn't it? Yeah, okay.
And it's not overly expensive. You know, I got mine... well, it's been a few years. I got mine back in like 2009. So it, you know, didn't take me more than a month or so of studying. I just read the book and then I went and started taking the tests. So it's not like a, you know, CCNA Security or CISSP, where it's, you know, a giant telephone book of material that you have to go over and learn, but it's vendor neutral. It's kind of wide-ranging there, on, like, password security and physical security, right, all kinds of aspects of security, and that's a thing that, you know, you wouldn't expect your coders to really care about. But, you know, physical security is important, right? Not leaving things lying about on the desk that, you know, could be used. Somebody from the cleaning crew could take and use them against them, or, you know, because there's industrial espionage out there. There's people that go looking for that kind of stuff, that'll get a job as a janitor just to get into that company to try to find information that they can, you know, use against their competitors or whatever. So again, this is my tinfoil hat popping. That's why physical security is important, right? Not to say that there's always bad guys around every corner, but there are bad guys out there. So, yeah, I'm not really sure as far as security for the developers, but, you know, for me, I try to speak highly of Security+ because it's just kind of a general thing, and even if you don't get the certification, just kind of reading the book and understanding those topics makes a big difference, I think.
Yeah, being confronted with the idea, even having to think about it and reflect on your own experience and see what you did in the past and say, oh, okay, right, maybe not the best. That's already coming. Exactly.
And then, like, you know, social media is great. You know, I have a bunch of people that follow me that are not in security. They do different jobs, right, but I'm continuously exposing them to security topics and security ideas. So, you know, I'd like to think that they're learning things from me by doing that, and not to say that everybody has to follow me. But there's a lot of people in information security online on social media that have really great ideas, that know way more than I do, that, you know, are constantly, like, tweeting or, you know, putting something out on Mastodon, or now Bluesky, or whatever, about something they found or experiences that they've had, and a lot of them actually came from, like, the software development world and stuff like that. So they're a little bit more focused on, you know, secure coding and, you know, how a developer would actually want to kind of face the world of security. So I would recommend, you know, anybody like that to try to get on social media, try to find as many people like that, as diverse a group of people as you can find, to get exposure, because that's, like, real time, you know, as things change and pop up. You know, a book is going to get stale, and it gets more stale as it sits there, whereas, you know, a social media thing, or even a security blog or something like that, is going to be a little bit more updated and a little bit more fresh, and it's going to bring some of those, like the MGM hack. Right, that was totally a phishing thing. You wouldn't imagine a company that big, you know, falling as hard as they did because, you know, somebody phished them. But it happens, and, like I said, it's a matter of time.
Right, it's not if, but when. As you said, you're playing catch-up, so it's always evolving, always changing, so you have to stand up.
So that's the thing: you can never be 100% secure, but the idea is to try to inoculate yourself from as much of it as possible. Like, you know, segmenting your systems, or, you know, doing backups, secure backups, offline, things like that. It's just like you've got to take these things that are not convenient and put them in place because they pay off in the end. Right, they have a big payoff. I'm like, an ounce of prevention is worth a pound of cure, right? It's true, it really is. And people don't want to spend the money right now because it's a cost center. It costs money to do this this way. And I'm like, you know, if we don't do this, how much money is this going to cost us in the future? And, you know, they kind of weigh the risk. It's like, well, is this risk high? Is the risk low? Right? What's the impact? So that's that whole risk matrix of, like, how big of an impact or how likely it is to happen.
So that's the place where I usually ask for advice, but I want to twist it for you. I spoke a little bit about Apple before, and I want to bring it in a different light. So Apple has a... we can put Google on top of it if you want, but let's use Apple for the sake of the exercise. Really, they're at the forefront of a lot of people using their devices as their primary devices for getting online and seeing the world, the digital world. Is there something that you wish a company with such an outreach would do to really increase security for everyone and really help everyone get to the next level? Is there something like this on top of your mind? Oh my gosh.
Well, as far as Apple goes, they are one of the ones that I really admire for their security posture and their privacy kind of outlook, a little more so than Google, right? It seems like Google's a little bit more on the convenient side than Apple is with the privacy and the level of security, because, you know, with an iPhone, they're patching that thing regularly. You know, your phone is patched and kept up to date by Apple until it reaches the end of its service life, which I still have a little bit of a problem with. I think they could extend the service life on some of that hardware, but that's capitalism stepping in, right, forcing you to buy a new device. But they're much better about that than most Android products. You know, you get a Samsung or HTC or, I don't even know why... I use Pixel myself, and specifically because Pixel is updated. It's kept up to date for that service life, just like the iPhone. But with all the other Android devices, you're relying on that carrier to keep your device patched. So I think Apple is definitely on the better side of security. There's always things that they could be doing better, of course, like, you know, requiring multi-factor authentication, those kinds of things. Yeah, not really an iPhone user, so I'm not all good.
I was wondering if there are some security measures that we could really bring more into the forefront. I mean, Google, by having their own authenticator, which is now pretty much the one everybody uses, I guess, is already helping in this regard. The one thing I remember is the iPhone suddenly picking up on SMSes with a 2FA code, so you can really stay on the form that you're filling and really get the SMS and right away bring it into the form. Not having to switch back and forth is good and bad. I mean, it's great because it makes it more convenient to use 2FA, but against this convenience, you could be first or you could get the different dismissive this time, I don't know. But those kinds of hacks really help people set up 2FA and really use it and jump over the fence on that. So I don't know, I'm still searching.
Right. So you've got to find the balance. You've got to make it convenient enough and secure enough that people will actually adopt it and use it. Right, or you just be draconian and you force it upon them, because you've seen that people are being phished through SMS or whatever. Eventually you stop doing that. You do not allow those kinds of systems in there. You require them to do, like, an authenticator. I wish Apple would have one too, so iPhone users didn't feel like they had to install the Google product or whatever.
Yeah, indeed, I guess they're going the Keychain way and the Face ID stuff. So that's their kind of 2FA.
Well, that's right. All of that stuff can be tricked too, right? I mean, it's just like you can, yeah, and fingerprints. I mean, I don't know if you saw the MythBusters episode years ago where they basically took a photocopy and they went in there and drew it out to where it was, like, a little bit more crisp in its detail, shrunk it back down, and bam, they were, you know. So every system has its flaws and weaknesses, and eventually somebody will find them. But that's part of security, is that you need to have a team that's actually actively looking for those kinds of things, what they call the white hat hackers, and I hate that term, like, white hat and black hat. But you've got to have the good hackers versus the bad hackers. I hate to say bad hackers, because hackers get a bad name. Right, because a hacker is somebody that makes something do something that it really wasn't intended to do, and that's not always malicious. But the media and the news portray the hacker as, like, the hooded evil person that's here to try to steal all your stuff, and that's not the case. I'm a hacker. I know a ton of other hackers that are in security, that we would consider on the good side, that are actually out there trying to help people.
So, and we're glad you're there, because we can stay on the side of convenience.
No, that's not the right thing to say. Well, you need somebody like me on the opposite side of the spectrum. That's like saying, wait a minute now. Wait a minute now. That's not secure, you're going to get hacked. And did you check that link? And blah, blah, blah, right? So you need to find that balance, something that's, you know... because my system would be completely unusable, or it would be so unusable that it took you 20 minutes to get logged into it. You had to go through all these steps to get into it, and then, you know, where's your productivity for the day? So you've got to try to find that balance in the middle.
Yes, we do. Yes, we do. Colleen, it's been a fantastic ride with you, and we're already at the end of our time box. Oh gosh, where would be the best place to continue this discussion with you?
Well, I'm on a number of social media. I was big on Twitter. I still am on Twitter, but it's not my... it's my least favorite platform now. I still have the most followers there. But I'm at Colleen's underscore on Twitter, and then the same thing on Mastodon and then on Bluesky. I'm at ColleenShane.com, which is my website, so that's probably the easiest way to get in contact with me, ColleenShane.com. Just go to my website, and I've gone out of my way to make that look as turn-of-the-millennium as possible. I put the little barrier of the under construction down there and the little site counter and everything. That's something I do. Code was HTML. I started doing that back in the day, like making websites for video games that I played, so I tried to make my website look as crappy late-90s, early-2000s as I remember all the old ones that I made back in the day, so it's flashy.
It's in a very colorful palette. And it's in your face.
That's great. You've got to have an under construction barrier there, for sure.
Yes, you do, yes, you do. Fantastic. I'll have links to all this in the show notes. Anything else you want to plug before we call it today?
No, I just want to say thanks for having me on. I love doing this. This is, you know, me sharing my story and me sharing, like, my tin foil hat on the security side of the spectrum here, and that is great, right? It helps people find balance, and, like, at least it's in their mind. So I appreciate the opportunity to do this, and I also want to say I love your ISS space station, regular space station, behind you, because, I don't know if you can see, mine is up there. Yes, I do.
It's up there. I love it. Yeah, I've got some more. There's Curiosity up there and there's the Apollo lander there.
Right, Curiosity is on my list to get to go.
So that's the one I could save from my son, saying, okay, we build them together, but then they're not going into your room, they're going in my office. Colleen, thank you so much. It's been delightful hearing the story with you. All right, thank you so much. Have a great day, and this has been another episode of DevJourney. We will see each other next week. Bye-bye. Thanks a lot for tuning in. I hope you have enjoyed this week's episode. If you like the show, please share, rate and review. It helps more listeners discover those stories. You can find the links to all the platforms the show appears on on our website, devjourney.info/subscribe. Creating the show every week takes a lot of time, energy and, of course, money. Will you please help me continue bringing out those inspiring stories every week by pledging a small monthly donation? You'll find our Patreon link at devjourney.info/donate. And finally, don't hesitate to reach out and tell me how this week's story is shaping your future. You can find me on Twitter at @timothep, or per email at info at devjourney.info. Talk to you soon.