Kat Sweet

Now with a catchy tagline!

From A2 to ATX

(Before you ask: I’m not switching jobs, just going closer to the office that has the tacos.)

“It just started quietly and grew”

You know how sometimes when you start to fall for someone, everyone around you knows it before you do? Your conversation constantly drifts toward them; you can barely contain your excitement at the mention of their name. I’ve lost count of how many times that’s happened to me with people, but this time, to my complete surprise, it happened with a city.

The signs were all there: my phone started autocorrecting “talk” to “y’all”. I found myself searching for excuses to take trips there and always came back feeling energized. And at some point, the amount of time I spent singing the praises of Wisconsin cheese curds and ice cream was overtaken by my apparently not so subtle cravings for barbecue and breakfast tacos.

2018 is the year I fell in love with Austin.

“I don’t feel all turned-on and starry-eyed”

I’ve been in Ann Arbor for about a year and a half, and I have zero regrets about having made the move. Coming to a city where I had never been before my interview and didn’t know anyone was a gamble, but it was absolutely worth it for my personal growth. I survived the move despite difficult circumstances and a crazy tight timeline (protip: don’t take a SANS course that runs till the day before moving). I had previously only lived away from Madison during college in Illinois and my study abroad in Mexico; coming to Ann Arbor proved to me that even when I love my hometown of Madison, I’m capable of living in other places and enjoying them too.

Ann Arbor broadened my horizons. Living here, I discovered my love of Korean food and session mead, rediscovered my love of craft beers and a high-quality cup of tea, and took up cardio drumming and pole dancing. I have a coffee shop and tea shop where I walk in and they know my name. Above all, I got to have a job that it feels like I’ve been in for far longer than a year and a half just by the sheer amount that I’ve learned and gotten to accomplish. I’ve met so many amazing friends and discovered new passions through the job that brought me to Ann Arbor.

But I’ve also struggled to find my stride here, in a very “it’s not you, it’s me” way. Living here has always felt strangely temporary, like I’ve just been away at college again. There are things that I’ve missed more than I thought I would, like walking out of my apartment into a vibrant neighborhood, going to concerts, and riding my bike (I haven’t even bought a bike in A2 because the bike infrastructure leaves much to be desired). Being on the edge of multiple lake effect weather regions means way more cloud cover than I expected, which takes a toll on my mood in the fall and winter. Outside of my coworkers, I’ve had trouble figuring out how to insert myself into what feels like a very insular community. Weekends can get pretty lonely. Plus, some of the friends I made in Ann Arbor have since moved away - including a few who’ve landed in Austin.

Ann Arbor has a lot going for it and I wouldn’t rule out coming back someday. But this year, as I worked on trying to establish routines and figure out where I fit in here, my attention started to shift.

Lady Bird Wildflower Center. My first time seeing bluebonnets.


“I just feel a sweet contentment deep inside”

In March, I spent a week working from our southernmost office - my second Austin trip of the year, and my fourth time in Austin overall. The first couple days of the trip coincided with the culmination of the tragic serial bombings. While I was upset by what was happening, I also didn’t want to leave. I felt a connection to the community that was refusing to let hate win.

In spite of the turbulent situation, you still couldn’t wipe the smile off my face at the end of the week… a friend later referred to it as my “happy Austin glow”. Getting up early every day to take a leisurely walk across Lady Bird Lake into the office with Jo’s Coffee in hand and the sun on my face just felt natural. (I even saved the punch card from Jo’s just in case I came back.) I didn’t have a name for those feelings at the time; I just chalked them up to my love of travel and excitement over spending time with my Austin coworkers.

Terry Black’s. Why yes, I am happy to be in Texas eating BBQ.


“Growing stronger”

As my team had its first Austin hire in April, and then as three people in my life, including another teammate, prepared to move to Austin in June and September, I found myself having more conversations about Austin. Apparently I have a terrible poker face because I’m told that I would light up whenever I talked about it. It wasn’t until I went back down to speak at LASCON in October that it dawned on me: being in Austin didn’t feel like being away from home. Did I mention that you literally couldn’t drink the water that week? That should’ve made any sane person want to nope right out of Texas, but I stood in the rain, snapped a photo of the disgusting chocolate river, and knew that this too would pass.

In the two weeks between LASCON and my next Austin trip to onboard a new teammate, I had tea with a very wise work friend and got the question I’d been wanting to hear but had been afraid to pose to myself: “You talk about Austin a lot - have you ever considered moving there?” Boom. Clocked.

Throughout my week in Austin in November, I started reaching out to various coworkers asking about the city, both those who’d been there for a while and recent transplants. I also consulted with my relatives who’d been in Austin since Lady Bird Lake was Town Lake. I think that I was searching for permission… having only ever moved for school and work, I didn’t know how to navigate moving for myself. As I was enumerating all of my reasons for being intrigued by Austin to a close friend, she put into words exactly what I’d been feeling: “You’ve already made up your mind.”

When I returned to Ann Arbor, I told my manager and director that I was considering moving to Austin. Neither one of them was the slightest bit surprised.



“Warm and wilder”

So what am I excited about? ALL THE THINGS! The abundance of live music, biking, walks along the river, a thriving tech community… actual taco trucks on every corner. The list goes on. Even before I left Madison, I found myself wanting the pace of a bigger city - and Madison is more than twice the size of Ann Arbor. There are elements of Madison that I’ve missed that Austin has, like lots of green space even in urban areas, and that infamous “weird” vibe; at the same time there are things that Austin has to offer that I lacked even while living in Madison, like more diversity and any kind of cohesive infosec scene. Austin seems to strike a good balance for me of being big enough to satisfy my needs without me feeling like I’ll be swallowed up. There’s something remarkable about a big city where you can still see the stars at night (and yes they are indeed big and bright… clap clap clap clap). I nearly teared up in November when I saw the Leonid meteor shower from downtown.

I’m looking forward to more sunlight and milder winters. For someone who has to work significantly harder during cold cloudy winters to maintain the same baseline mood and energy level, having the shortest days of the year be the ones where I can be the most active outdoors might do me some good. This may sound trivial, but I also can’t wait to be back near water. I noticed that I missed it during college too, when suddenly I went from an isthmus to the Illinois cornfields. In the nine years that I spent in Madison after college, I never lived more than two blocks from a lake (in other news, my older cat is now really good at killing spiders)… bodies of water were always woven into my routine and my identity in many ways.

I recognize that there’s no perfect city. Austin has some of the worst traffic in the country, summers hotter than the ninth circle of Hell, and significantly creepier bugs than the Midwest. It has all of the growing pains you’d expect from a city undergoing a population explosion. I’m open to the possibility that living in Austin will feel very different from visiting, as well as the possibility that I’ll grow apart from it one day. Yet I find myself drawn there right now… just as with any job or any relationship, compatibility is largely a matter of finding the imperfections that you can accept. To quote Rent, “I’m looking for baggage that goes with mine.”

That brings me to the biggest reason of all for moving to Austin, and the hardest to quantify: I feel a sense of belonging. That’s worth listening to.

“Getting better everyday”

I won’t have an exact timeline until I have a place to live, but I’m aiming toward sometime in the spring - after SxSW and before the weather gets to “punched in the face by an angry flamethrower” levels of heat. I’m hoping that giving myself a few months - instead of the few weeks that I had last time - will ease at least some of the inevitable moving stress. While I’ll miss my Ann Arbor team, my Austin coworkers have already been incredibly welcoming. I feel very lucky that I’ll be able to move to a city that I’ve been gravitating toward for a long time without having to look for a new job in order to get there. I’m grateful for my time in Ann Arbor and now I can’t wait to embark on my new adventure.

Hold onto your ten-gallon hats, ATX - I’m coming home.

(Song lyrics: Mama Cass, “It’s Getting Better”)

Jo’s Coffee


How I Track Presentations

People occasionally ask me how I keep track of CFPs, talk ideas, and past presentations. Your mileage may vary, of course, so I want to share what’s currently working for me and why, with the caveat that, as they say, the best project management tool is the one that you will actually use.

Most of my public speaking tracking lives in a spread in my bullet journal. I used to use a kanban board for tracking conference talks, but found that that didn’t offer a good way for me to properly capture things that weren’t directly in scope of the project of writing and delivering a single talk (such as my higher-level speaking goals or upcoming CFP dates). Starting from a blank page lets me strike a balance of structure and flexibility, and having everything in one place helps with attention management. Plus, it gives me an excuse to play with fancy fountain pens. The fields in my current spread are as follows:

Strategic goals

These aren’t specific talk ideas, but rather values that drive why I speak: what I want to get out of the speaking experience for myself, what I want to share with others, what I want to accomplish. Spelling all of this out helps keep me focused when I have too many disparate ideas bouncing around in my head, and also helps recenter me when I feel like I have no ideas. When speaking on behalf of work, it can also be helpful to figure out how to align some of these with the mission of your team or the larger organization. I try to keep in mind my various audiences too - what problems am I trying to solve when I build a presentation for a room full of security professionals vs a non-security audience, or for a group of colleagues vs a non-work setting?

Idea backlog

Occasionally, in a wave of ADHD hyperfocus I get an idea for a talk, grab a pen and churn out a draft immediately. But more often than not, talk ideas take a while to percolate. I needed a place to store the half-baked talk ideas that came to me in the shower or on a long walk that I haven’t yet had time to fully flesh out. As with any good backlog, it gets groomed regularly - if something’s been sitting in there for a while, eventually I evaluate whether it’s still interesting or relevant to me and decide whether to drop it or try to develop it into a talk proposal.


Potential venues

Mapping a talk idea to the right venue is one of those topics that only seems to come up in the wake of a talk being rejected (I’m currently drafting another CFP-related post on finding a venue when writing a talk proposal). So as I attend various security cons and hear about others from friends, coworkers, and the Twitterverse, I try to make a note of which ones look intriguing based on my strategic goals and idea backlog, as well as what time of year they typically run so that I’ll know when to keep an eye out for their CFP opening. Also on the list: some non-security conference venues that might be open to security content - tech meetups, developer cons, libraries, even some sci-fi cons (I was on a security 101 panel at the feminist sci-fi convention WisCon in 2017!).

CFPs in flight

When I hit “submit” on a talk proposal, I don’t want to lose track of its state. So I record the talk title, the conference I submitted it to, and an empty checkbox, to be filled when I know whether I’ve been accepted. This can be particularly useful for proactively balancing your workload when you feel inclined to apply to a large number of conferences… I’ve seen too many people lose sight of how many proposals they’ve submitted, only to have every single one of them accepted. And, as I advised a friend this summer, when you’re prepping multiple talks, the stress is multiplicative, not additive.

One addition here that I plan to put into future iterations: the date when applicants will be notified of acceptance or rejection. Not all conferences list this, and not all meet their deadlines, but it never hurts to have a general sense of when you can expect to hear back - it frees up mental bandwidth till then to worry about other things!

Speaking logs - work and external

This is where I write down every time I speak. I track the talk I gave as well as the date(s); for external presentations I also list the venue. Even though the presentations that I give at work are almost never public-facing beyond my coworkers, they’re still time spent speaking in front of a crowd. I presented 50 (!!!) times this year, 43 of which were at work - logging all of that speaking time at work made me a much stronger presenter.

Writing down all of the times I’ve presented also helps combat the ever-present impostor syndrome. Much of the work that I find most fulfilling - teaching, mentoring, communicating security - is work whose impact is often hard to measure; when I worry that I haven’t been doing enough, it helps to have evidence to the contrary written in the notebook that I carry around every day.


For a future version: milestones and timelines

Every talk, from the initial idea to the live presentation, is a project with predictable milestones, such as writing an outline, building a slide deck, checking the A/V setup with the venue, and doing dry runs. While I currently capture some of this ad-hoc when writing out weekly tasks, it will become more of a repeatable process in my next bullet journal. I also want to work in some timing; everyone has varying opinions on how far out to prepare for talks, but I can say with certainty that hitting all of the milestones 24 hours before you go live is never a good idea. (Not that I would know anything about that, of course…)

Make it your own

My system of tracking public speaking is always a work in progress, but this is its current state. If you do a fair amount of public speaking - or would like to - definitely consider exploring tactics to organize it all in a way that works for you. Happy writing!

The Building Blocks of Infosec CFPs

Between gearing up to co-chair CircleCityCon’s CFP, and working on a panel submission with a couple of first-time CFP submitters, this month’s program has been brought to you by the letters C, F, and P. (CFP = call for papers or call for proposals, depending on who you ask. Applications for speaking at a con.)

In the two-ish years that I’ve been volunteering for infosec cons (in various capacities), I’ve come across many would-be presenters who feel intimidated by the process of developing a talk and submitting to a CFP. Oftentimes, anxiety is fueled by uncertainty. So I want to do my part to try and demystify the CFP process. More posts will follow, but for now, let’s start with the absolute basics: defining the main components of a CFP submission.

(By the way, if you’re not yet convinced to speak, I recommend reading Snipe’s post “Why you should stop stalling and start presenting”. For a good panel talk that covers a broad range of CFP prep topics, watch “CFPs 101” from BSidesLV 2016.)

When I was developing my first talk ever for the BSidesLV Proving Ground track in 2013, my presentation mentor Javvad gave me advice that’s stuck with me in every subsequent CFP: “Create an engaging story.” The way you structure and deliver your content matters, whether your medium is comedy, thriller, sci-fi, or musical theatre. Your talk’s title, abstract, and outline are the building blocks of your story. (As are your slides, but that’s another show.) Your bio adds context for your perspective as the storyteller. Each conference may have slightly different expectations (follow their directions!), so tailor accordingly.


Title

This isn’t academia -- keep it short and to-the-point. If the title isn’t descriptive, make damn sure your abstract is. Tying in humor or a pop culture reference is fine, but know that certain references have been done to death in presentation titles. Expect some reviewers to side-eye a talk titled “_____ for Fun and Profit” or “_____: How I Learned to Stop Worrying and Love _____”.


Bio

Of the four main components of a CFP, THIS IS THE ONLY PLACE WHERE YOUR NAME GOES. There’s usually a word limit of around 100 to 250 words. This can be a good place to include “cred” for why you’re qualified to speak on your topic; it’s how you introduce yourself to attendees who are unfamiliar with your work. However, because many CFP committees do blind reviews, don’t expect your bio to be the deciding factor in your acceptance -- your outline and abstract should demonstrate your credibility without referring to you by name.


Abstract

This comes from academic papers; it’s the TL;DR of your talk. An abstract is a paragraph or two (usually less than 250 words) that sums up the main points of your talk and, more importantly, draws your audience in. I’d recommend doing at least a draft of your outline before tackling the abstract -- that way, you know what you’re summarizing. You’ll probably be word-limited, so find ways to be concise. “We are planning to have a discussion about” easily becomes “we discuss”. Remember that an abstract is supposed to be just that: abstract. Don’t go into specifics.

Detailed outline

The skeleton of your talk, in the form of a bulleted or numbered list with sub-sections. Four or five lines is not sufficient -- make it granular. While complete sentences aren’t usually necessary, one or two words per line doesn’t say much. Reviewers aren’t mind-readers; we should be able to look at an outline and get a good feel for how your talk will flow. Furthermore, since you probably have knowledge in an area that not all of your reviewers will be familiar with, someone who’s not a subject matter expert should still be able to understand what you’re saying.

Even if a CFP doesn’t ask for an outline, it’s good to have one drafted by the time you submit. Strategizing how you want to structure your talk is time-consuming, so do the hard work early on… your future self will thank you. Bonus points if you include a time estimate for each section.

Based on the CFP submissions I’ve reviewed in past years, people perennially struggle the most with the concept of the outline. It occurred to me that many people lack a frame of reference -- unlike the abstract and bio, which are published on conference websites, most people never see anyone else’s outlines. So as an appendix, below I’ve written up a sample outline of a very familiar story.

In conclusion

Being able to construct the basic components of a CFP doesn’t guarantee you acceptance (particularly in very established, competitive cons), but it will take you a great deal of the way there, and like anything else, it gets easier with practice.

Stay tuned for a sequel.

Soul Asset Management in Nihilistic Rock Suites

1) Introduction: Real life vs fantasy (1 minute)

-Overview of the problem

   -There is a landslide

   -Reality cannot be escaped

-Actions prior researchers have taken

   -Opened eyes

   -Looked toward skies

-My background

   -Poor boy

   -No sympathy needed

   -Easy come, easy go

   -Little high, little low

-Main points of this talk

   -Previous research assumed that wind direction was statistically significant

   -(Side note: See, for example, "Blowin' in the Wind" (R. Zimmerman, 1962), which posits that answers correlate with wind direction)

   -My findings reveal that nothing matters, regardless of wind direction

2) What happened in my research (2 minutes)

-Killed a man via cranial gunshot wound

   -Additional detail: discarded a life that had just begun

   -Unintended consequence: caused Mama to cry

   -Call to action restating main point: nothing matters; continue course of action

-Medical side effects of time coming

   -Spinal shivers

   -Constant body aches

-Next steps

   -Leaving the audience behind

   -Facing the truth

-Disclaimer: while I don't want to die, I occasionally wish to not have been born

-Live demo: Guitar solo (will provide a backup demo recording)

3) Dealing with the aftermath (1 minute)

-Key stakeholders bidding for soul

   -Scaramouche: a little silhouetto of a man

   -Fandango: thunderstorm conditions causing fright

   -Galileo: Galileo

   -Figaro: magnifico

-Soulholder rebuttal

   -As stated in the intro, I am merely a poor boy

   -Additional information: nobody loves me, and my family is poor

   -Rules of monstrosity state that life should be spared

-Introducing new stakeholders and their challenges

   -Bismillah: refuses to let go, despite soulholder requests

   -Beelzebub: handling allocation of devils

4) Limitations (1 minute)

-What you can't do


   -Ocular spitting

   -Loving and then leaving for dead

-Steps to overcome the limitations

   -Just get out

   -Get right out of here

5) Conclusion (1 minute)

-Reiteration of main takeaways

   -Nothing matters - by this point, audience should be able to see this

   -Wind direction also does not matter

-Audience Q&A


Being an Infosec Latecomer, Part 2: Election Bugaloo

2016 was a milestone year for me: I landed my first job in infosec. A real live security internship. A new world opened up for me, and at the same time, as I started to settle into my brand new role, I couldn’t help but get the feeling, “Hey, I’ve done this before”.

As I mentioned in Part 1, and in my un-talk at CircleCityCon, broadcasting the fact that there are countless paths to a security career will help bring in more people with a wide variety of life experiences. This is glossed over way too much in the way hackers are presented to the world -- prevailing narratives frame us as having special l33t skillz that no one else has. Some of it I’m sure is internally-generated -- I think that some people who have only worked in one field perceive their job’s processes and learning curves to be unique to their industry. But those of us who started in other fields bring knowledge and skills from our “past lives” that are not only incredibly transferrable to infosec, but often lacking in the current infosec workforce.

So where did I come from? Hi, my name is Kat, and I’m a recovering political staffer.

When I graduated from college, I wanted to work in politics, having already put in a lot of thankless volunteer work during previous elections. I brought a solid writing background, a knack for doing independent research, and a healthy dose of cynicism -- plus, it was an election year and it seemed like a good idea at the time. Over the course of the next few years, I worked both on the campaign side (finance and fundraising, more specifically) and the legislative side, working my way from page to legislative aide. However, in addition to it not being a great fit for my personality, the job market was limited and incredibly volatile. After my and several others’ jobs disappeared as a result of an election, I decided that politics and I should see other people.

It was a couple more years before I got the idea to learn how to code (if you’re curious, it was Ruby, and there was a lot of nervous crying), which led me to “I’m not a dev, but this tech stuff is interesting. Hey, this security stuff is really interesting. But all of the security people have been hacking since childhood, so I guess maybe I’ll try to get a non-tech job at a tech company.” I had gone to a few security cons, speaking and volunteering but feeling like I didn’t have a real claim to be there. I was legitimately embarrassed by my resume. A turning point was watching Eve Adams’ and Johnny Xmas’ presentation at DerbyCon in 2014 -- all about how to break into infosec from other fields. As I re-watched that presentation, and as I started to meet more people in security, it started to sink in that I was not a blank slate.

Though most of my technical knowledge is a few years old at most, I -- without realizing it at the time -- built up an arsenal of skills during my days as a political staffer. Among them are:

Communication with diverse populations: I wrote a lot of words, and I spent a lot of time on the phone with strangers whose lives were vastly different than mine, many of whom hated everything I stood for. Being a legislative staffer is simultaneously behind-the-scenes and very public-facing: I made thousands of constituent contacts without having my name attached to any of the correspondence. Security work can be similarly invisible-yet-impactful, and the sheer amount of communication that security work requires can’t be overlooked. Whether you’re a pentester writing a report, an analyst responding to a user, or a manager justifying your budget to the C-suite, we are tasked with communicating security to those who are not in a security state of mind. The ability to understand the viewpoints and values of others and get our message across accordingly is a vital skill for promoting better security.

Staying current: This is a skill that often gets downplayed compared to other non-tech skills like writing, teamwork, time management, etc. I don't think it even fully occurred to me to label it a job skill until I started interviewing for tech positions, when the question of how I kept up with infosec news reliably came up. Political staffers would religiously read feeds like WisPolitics and the Wheeler Report the way security professionals would with threat intelligence feeds. Twitter wasn’t very big yet when I left, but I’d imagine that nowadays every legislative and campaign team has eyes trained on Twitter as much as any security team. Working in politics got me into the mindset of seeing a news release, evaluating how it affected our environment, and figuring out what actions to take as a result.

Working under pressure: I would invite anyone who thinks that “soft skills” come easily to spend a day answering the phones for democratic leadership in a conservative state during budget season. Or work on a campaign when you know that the political winds are not in your favor. Being able to keep a clear head and triage when it feels like everything is imploding is not an innate skill -- it takes practice, as well as a fair amount of desensitization. And it’s a vital infosec skill, particularly for those in areas like incident response. As they say, it’s not a matter of if your organization gets breached, it’s a matter of when. My political work wasn’t glamorous, but it prepared me well for keeping calm and carrying on in security. (Well, most of the time.)

Politics to infosec may seem an odd path, but many others have found ways to connect their past work to their practice of security. If we hope to move forward as an industry, we need to make more of these connections. Security affects everyone in the world, therefore we need to bring in perspectives from all kinds. Homogeneity does not serve us well.

Coming into security with a background in another industry doesn’t show that we’re indecisive or lacking dedication -- it shows that we’re adaptable, and that even if we didn’t get it quite right on the first try, we’ll keep hacking harder.

Getting Back Up

This is more motivational-speaker than I usually go, but for the sake of those who are new to being in front of an audience, I wanted to document this as a way of saying, "I survived, and so will you". 

I've been a performer for as long as I can remember. I grew up doing theatre, music, and occasionally (terrible) dance. Though I'm newer to public speaking than the performing arts, I've now presented seven times at security conferences, served on several panels at the sci-fi convention WisCon, and taught lockpicking to groups of strangers. I'm far from perfect at any of these, but I've had years to learn a thing or two about stage presence.

Last Friday at CypherCon, midway through my talk -- a talk I've successfully given before -- I had a panic attack onstage.

I'm no stranger to anxiety (though I manage it infinitely better than I used to); people who saw me earlier that day can tell you how shaky I was. The perfect storm had been building: I came to CypherCon having just taken three midterms that week. I was letting myself get psyched out by my timeslot (sandwiched right between the keynote address and Johnny Xmas and Lesley Carhart's talk). The room was loud, which made it hard to deliver a talk that had audience engagement built in. However, I was completely not expecting something of this magnitude to happen, so public. As I bolted from the room, guilt and fear of the consequences immediately overtook my original presentation anxiety... what if the organizers hated me for not finishing? What if people thought I was just doing this to grab attention? How was I supposed to be a BSidesLV Proving Ground mentor this summer if I couldn't even get through my own talk? Why were people coming out into the hallway and being nice to me? Panic became the loudest voice, and it took a while for me to calm down.

On Saturday, though, something else happened that I wasn't expecting: The feelings of suckitude pretty much went away. I didn't dwell on my failure the way I thought I would. I got up and enjoyed the rest of the con. Friends checked in on me to make sure I was okay, and I surprised myself that I actually was okay... once the panic died down, I knew logically that people had survived worse, and this didn't signify the end of my ability to present at future cons. When I got home I decided to submit the talk to the CFP for CircleCityCon so that I could maybe have another go at sharing it. 

This is where I think practice with being in front of an audience helps tremendously. It leads to more opportunities to fail, and more opportunities to practice recovering. I've survived (to name just a few) my video dying during my SkyTalks presentation, botching a Brandenburg Concerto in a solo/ensemble competition, and saying "fuck" onstage at a voice recital. Weathering those smaller public-facing setbacks made it easier to weather a large one.

We try to get all of our failures out of the way in a private, controlled environment so that we'll be flawless by the time we're presenting in public, but it doesn't always work that way. The way to build resilience is to fail forward and fail repeatedly until it becomes mundane. Whether the demo gods are smiting you, or your neurotransmitters pick that exact moment to kick you in the ass, whether you're a first-time presenter, or you've been onstage for the better part of three decades, things can go south in unanticipated ways. When that happens: Recognize that it happens to everyone. Cry. Have a drink and a hug. Then get back up. Rinse, spin, repeat. The world won't end.

Being An Infosec Latecomer, Part 1: Education

A few things prompted me to finish this post, which has been in draft form for months: 1) My presentation “Hacking Our Way Into Hacking”, about infosec latecomers, was accepted to CypherCon in Milwaukee (I originally presented it in BSidesLV’s Underground track); 2) Infoperspectives published an excellent, very comprehensive post on the state of women in infosec, which ended with an inspiring quote from Cheryl Biswas about mid-career women coming to infosec; and 3) I keep going to conferences and coming back with ideas, and I think I finally reached a critical mass of half-baked blog post drafts after GHC -- it was time to dust off the dormant blog.

An important part of getting new people into security is showing that there are many different paths to get here. Public perceptions have the power to bring people in or drive them away, regardless of the underlying reality. And as someone who didn’t start out in security or even in tech at all, I spent a long time fearing that I’d missed my chance to work in a technical job, thanks to the narrative that all good hackers started as kids. (It wasn’t entirely inside my own head -- various folks suggested that I should be an office manager or technical writer instead.) It is telling that just searching “too late” on the learnprogramming subreddit yields so many results. We need to change the narrative: there is no “too late”, and our pre-infosec pursuits were not wasted time. I want to elaborate on how I bring knowledge from my “past life” to infosec. I’m working on additional posts about my past employment. This one focuses on my undergraduate education.

(Side note: This is not about the value of formal education vs. other educational methods. There is plenty of good discussion on that topic, and it’s certainly a discussion worth having -- it’s just not germane to this particular post.)

While my BSidesLV iteration of “Hacking Our Way into Hacking” wasn’t recorded, I’ll share part of my introduction from that talk, where I describe my undergrad experience:

“I really started to tap into my passion for trying to solve fascinating and challenging problems, deconstructing things to see why they did what they did, taking time outside of class to self-teach, questioning authority, staying up late banging my head against my laptop. Pretty typical hacker story, right?

“Wrong. I majored in gender and women’s studies.”

At first glance, the jump from gender and women’s studies to security seems like a non sequitur. However, I love finding connections in unexpected places, and while I certainly didn’t declare my major thinking “when I grow up, I want to work in infosec!”, I owe a great deal of my security brain to my gender studies education. After all, deconstruction knows many forms. Here are a few common threads that I’ve brought with me from gender studies to my security education (and, if all goes well, my eventual security career).

Critical thinking: Asking questions and being willing to seek out information carried more value than knowing all the answers (a welcome change from high school!). This definitely mirrors security -- any degree of troubleshooting or researching requires being comfortable with open-endedness and willingness to be wrong. But more specifically, gender studies taught me how to think critically about systems and power structures. Understanding the players, their dependencies, and what they could gain or lose featured prominently in gender studies, and it features prominently even in my introductory-level security classes. Analysis of power structures seems particularly important for those going into security policy, compliance, or any kind of project management.

Breadth: One of the things that attracts me to security also attracted me to gender studies: the interdisciplinary nature. I like learning about many different things -- it gives me a fuller picture of the world around me. Gender studies, more than a discipline unto itself, is a lens through which to study anything from psychology to history. Similarly, security exists in every level of computing (networks, systems, applications, etc.), and even beyond the bounds of hardware and software (social engineering, anyone?). It’s important to understand the pieces of the puzzle and how they fit together, even if not all of the pieces are our particular domain. Which brings me to...

Empathy: Gender studies programs were developed to bring in perspectives that were missing from college curricula. My own program exposed me to viewpoints that I might not have otherwise come across; it also gave me the chance to discuss them with other students, further broadening our understanding. It wasn’t always easy. There were times throughout my gender studies coursework when I was genuinely uncomfortable because I had to confront my own privilege, and other times when I was uncomfortable simply because I had to question what I had always known to be true. Empathy breaks us out of taking things for granted, and when we move beyond a singular perspective, we become better problem-solvers. Security needs empathy. Since the systems being secured are used by so many different kinds of people, it’s vital for those designing, testing, and maintaining those systems to be able to recognize the validity of other worldviews.

I’m just one person, but I’m hardly the only person in infosec with a non-STEM degree. (I’m not even the only person in my netsec cohort at school with a non-STEM degree.) We’re everywhere. We all apply aspects of our past education to our security practice in different ways, and having a variety of foundations upon which we build our technical skills is absolutely a good thing.

If technologies are a reflection of the societies in which they’re developed and implemented, then there is merit to studying societal patterns. If our machines are only as secure as the people who use, build, break, and fix them, then there is merit in studying people. If technology is integrated into every facet of our lives, then there is merit in studying many different facets -- philosophy, music, literature, art history, sociology, and yes, gender studies.

Or put another way: until the robot overlords come and humans leave the equation, all majors have a place here.

Still Alive

2014 has been a year completely devoid of dull moments, to say the least, and as a result, this blog has been too long neglected. Stay tuned for updates within the next few weeks.

Closets Are For Clothes

I usually make some kind of comment about National Coming Out Day, though usually just a few sentences about bi invisibility, biphobia from the gay community, labels, legislation, or just pride and rainbows and glitter.  I thought I’d do something slightly longer than 140 characters today, though:  the coming out story.

It’s been about 12 years since I started coming out as bi.  (I say “started” because, as we too often perceive a person’s sexual orientation based on the relationship they’re currently in, bisexual visibility is difficult, and the coming out process seems to never really be finished.  That’s a whole other blog entry right there, though.)  As far as I can tell, I’m kind of a coming-out anomaly:  there really wasn’t much in the way of a long, drawn-out process of confusion, denial, self-loathing, fear… oh, I was plenty angsty as a teenager, just not for reasons of sexual orientation.  I was a sophomore in high school, and I had a crush on a guy and a girl.  Pretty straightforward.  (Biforward?)  My reaction upon realizing it was something along the lines of, “Hmmm.  Okay then.”  As soon as there was a closet, I felt no overwhelming need to stay in it… I had a pretty easy time of it, and I consider myself incredibly lucky for that.  Madison was and continues to be a very LGBTQ-friendly city, and saying “that’s so gay” at my high school would probably win you some dirty looks.  Had I experienced major harassment for coming out, the support network would’ve been right there.  So, I told my friends fairly nonchalantly, got involved with my school’s Gay-Straight Alliance (later as co-president) and Proud Theater, and went back to blowing off my English homework.    

Boring story, Kat.  It'd make a terrible after school special.  Where’s the drama?

For many people, the coming out process is experienced in extreme ways:  they may face ostracization, harassment, depression; they may risk losing their job or getting kicked out of their house.  (Don’t even get me started on Russia.)  Or, conversely, coming out may be a huge celebration filled with hugs and happy tears as they finally publicly embrace their identity.  So I wanted to post my own story as a reminder of the stories that tend not to get told -- the mundane.  My coming out wasn’t hugely positive or negative, it just… was.  And I wouldn’t have had it any other way.  I hope that as the world becomes a more accepting place to be LGBTQ, more people will be able to experience coming out as just a natural progression, not a nerve-racking, earth-shattering event, and the closet will start to be rendered obsolete.  (Though if you still want to have a big glittery coming out party, more power to ya.)

Happy National Coming Out Day!

FFF Friday: 3D Printing Resources for Beginners

Newbies, this one’s for you!

3D printing has been rising in popularity in the past few years.  It’s begun to show up in headlines ranging from “3D printing is OSSIM -- it makes prosthetics!” to “3D printing is EVIL -- it makes guns!”.  However, the practice of creating a 3-dimensional physical object from a digital model is still a new concept to many people.  Maybe you’ve vaguely heard of it but don’t necessarily understand the mechanics of it.  Maybe you’re interested in learning but don’t know where to start.  Or you know a little and want to take it further.  Whatever your background, we all have to start somewhere, so for today’s FFF Friday, I’ve put together a few resources for newcomers to the wide world of 3D printing.

This isn’t meant to be an exhaustive list by any means, just a brief roundup of links to point you in the right direction.  Oh, and just as a standard disclaimer:  nobody linked in this post -- or any others -- is paying or bribing me to promote them.  :-)

When I refer to 3D printing, I’m usually talking about fused filament fabrication (FFF), also called fused deposition modeling (FDM), though that’s a trademarked term.  This is the kind that involves squeezing filament through a heated nozzle and laying it down one layer at a time.  Other types of 3D printing deploy different methods of forming the 3D object, such as powder or [frickin’] lasers; FFF is the most widely used among hobbyists and the easiest to access.  If you have 15 minutes to spare, Lisa Harouni’s TED Talk gives a good intro to the different types of 3D printing and some of the amazing things it can do.  

The software:  One of the best places to start may be simply playing around with some of the software used in 3D printing.  3D modeling is typically done using a computer aided design (CAD) program like OpenSCAD or SolidWorks, or a computer graphics program like Blender or SketchUp (to name just a few of each).  Software costs run the gamut from free and open source to “you want me to pay HOW much?!”  Regardless of program, Teh Interwebs has many tutorials and docs for learning your way around the software.

The hardware:  It’s remarkable how much 3D printers have come down in price recently:  you can now buy one for as little as a few hundred dollars.  New printers are constantly being developed -- it seems like there are always a few on Kickstarter at any given time -- with various features, but they usually share the same core components:  nozzles for filament, a heated build platform, controls for temperature and alignment, connector to a computer, etc.  Some come plug-and-play, while others require some assembly.  One of the most innovative developments, IMHO, in 3D printing is the RepRap Project’s introduction of printers that are actually self-replicating:  you can print the parts to assemble your own printer!

The materials:  The most common types of 3D printer filament are ABS (made famous by Legos), PLA (corn plastic), nylons, and wood.  (“Wait, wood?” you say?  It’s not 100% wood, it’s wood pulp bound together by PLA.)  ABS and PLA come in several colors; nylon is just one color, but as I discussed last week, it can be dyed!  For all of your shopping-on-the-couch-in-your-skivvies needs, Amazon now has its very own 3D Printer Store with a huge filament selection, as well as some 3D printers and parts.

Want something made but don’t own a printer?  Shapeways will print it for you.  If you’re a student, some engineering schools may also have 3D printers available for use (in my hometown, the University of Wisconsin-Madison has a student print shop in their College of Engineering, though it’s fairly costly).  And if the reverse is true, and you own a printer but would rather use someone else’s designs?  Thingiverse lets people share all things 3D that they’ve designed, so while you can upload your own creations there, you can also grab other users’ files and print them.  

There are several ways to get your feet wet without having to buy a 3D printer right away.  Find out if there’s a makerspace or hackerspace in your area -- most will usually have at least one 3D printer, and they may even offer classes.  That’s how I first learned about 3D printing.  (Makerspace.com has a makerspace directory, although it appears to still be a work in progress.)  It’s also worth looking for a nearby Maker Faire, where 3D printing always features prominently.  There are half a dozen flagship Maker Faires each year, but in addition to those, there are a ton of smaller, regional Faires.  Come for the robots, stay for the Makerbots.

For further reading, Make magazine, the quarterly bible of the maker movement, has an Ultimate Guide to 3D Printing.

While I’ve barely scratched the surface of the resources out there, you can do some pretty cool things with even remedial knowledge of 3D printing, so I hope this has been a useful jumping off point if you’re new to it.  Go forth and print!

FFF Friday: Dyeing Nylon Filament

Welcome to the first installment of FFF Friday!

It’s widely known among 3D printing enthusiasts that nylon 3D printer filament can be dyed.  This stands to reason:  many fabrics are nylon-based, so the same dyes that work on nylon fabric will work on nylon filament.  You can dye nylon objects after printing them, or for a striking tie-dyed effect, you can dye the filament itself.  Today I’ll be chronicling my adventures in the latter.

While any nylon-compatible fabric dye will serve you well most of the time, I don’t necessarily know how safe the regular acid dyes are for my purposes (which, as I mentioned in a previous post, are not your typical print job, wink wink nudge nudge).  Would they make me immediately keel over from acute internal acid dye poisoning?  Probably not.  But I’d rather go for total biocompatibility if I can help it.  I wanted something that’s known to be nontoxic.  Something so safe, I can eat it.



This is the part where the Kool-Aid man dramatically busts through my front window on a motorcycle, spilling punch from the top of his head and guaranteeing that I can kiss my security deposit goodbye.

Dyeing yarn with Kool-Aid is a common practice in the knitting/crocheting world; amid the many tutorials, there’s even a palette with formulas for 135 Kool-Aid color combinations.  I didn’t find much information on using Kool-Aid to dye 3D printer filament, but by the Transitive Property it seemed feasible:  if we can dye nylon filament like yarn, and we can dye yarn with Kool-Aid, we can dye nylon filament with Kool-Aid.  So I basically combined the two techniques, which are fairly similar anyway.

No special equipment is required, just some packets of unsweetened Kool-Aid.  This may go without saying, but in the name of all that is holy, don’t use the pre-sweetened variety unless a sticky mess is what you’re aiming for.  Unlike some other dyes, there’s no need to mix in additional vinegar -- unsweetened Kool-Aid is plenty acidic on its own (as anyone who’s ever drunk the stuff on a dare in middle school knows... not that I’m speaking from experience or anything).


Taking the nylon filament off of the spool and tying it into coils will help expose more surface area and allow you to swish it around in the dye more.  Since I wanted to test small batches, each of the coils is roughly one ounce of Taulman 618 1.75mm filament.  (One step that I admittedly forgot was pre-soaking the filament in hot water for a few minutes.  In retrospect, that probably would have helped soften the filament and set the dye better.) 

9x5 loaf pans are good for holding up the dye bags.


I boiled water and dissolved the Kool-Aid powder at a ratio of 1 packet per quart of water, then added the filament and let it soak for 30-45 minutes.  Once it's done, rinse it in warm water and make sure it's completely dry before using.  You can dry filament in a cool oven, but since it was a warm day I simply left mine to air dry, then returned it to its container and let the desiccants finish the job.

I decided to make two solid colors using two packets apiece, which I soaked in a big pot, and two variegated color combos, which were done by propping the coils in Ziploc bags and dyeing one side at a time.

The resulting colors can best be described as... glowstick.

Is it soup yet? 


I combined lemon lime and mixed berry hoping to get a nice teal.  In the pot, it certainly looked teal.  However, the blue dye in the mixed berry must be weak, because the end product was decidedly lime green.  I noticed that most of the filament had a tendency to float up to the surface, and the only part of the coil that had taken any of the blue dye was right where I had tied it -- i.e., the part that was denser and stayed near the bottom.  So I added a second tie to the next batch to keep it submerged.

I moved the tie over -- you can see on the left where the coil was tied and absorbed some of the blue.


As red is universally the strongest dye color, the solid cherry/lemonade mixture created a super-concentrated reddish pink.  The variegated black cherry and orange also fared well, although I didn’t dunk the filament in quite far enough for the second half, so there are a few blank spots.

Cherry and lemonade.  I found that lemonade Kool-Aid is practically colorless, so I wouldn't use it on its own for dyeing. 


Variegated filament: black cherry on the bottom and orange on top. 


Ice blue raspberry lemonade is quite a light blue to begin with -- think blue ice packs -- so I’m surprised the filament retained as much blue dye as it did.  The blue filament is actually pretty true to the color of the dye liquid.


By far the most surprising result, however, was the grape.  Yup, the other half of this coil is grape.  Grape Kool-Aid itself is definitely near the blue-violet end of the purple spectrum, but the nylon filament apparently found every last red molecule, sucked it up, and rejected everything else.  SCIENCE!

It reminds me of a rocket popsicle.


Just for teh lulz, I also dyed some Patons Classic Merino with black cherry and ice blue raspberry lemonade.  I’ve been knitting for years but this is the first time I’ve given my yarn a Kool-Aid dip.  It looked unnervingly like brains while it was soaking, but came out as a nice dusty rose color.

No, Mr. Bond... I expect you to dye. 


Yarny goodness. 


I haven’t yet had a chance to try printing anything with my newly neon nylon, but from what I’ve read on filament dyeing, dye retention after printing isn’t a problem, nor is warping.  Further research to be done:  increasing the ratio of Kool-Aid to filament; trying more color combinations; using Kool-Aid to dye already-printed objects; and dyeing filament with other natural and biocompatible dyes like beet juice, turmeric, and coffee.

Clockwise from top left: orange/black cherry, ice blue raspberry lemonade/grape, lemon lime/mixed berry, cherry/lemonade. 




While the filament colors aren’t quite as pronounced as they would be using acid dyes, Kool-Aid dye has the advantages of being readily available, dirt cheap, and completely safe.  All in all, a winner.

Ohhh yeaahhhh.

Introducing FFF Fridays!

BSidesLV is only 4 weeks away, and the final schedule is up!  I’ll be taking the stage at 6:30 pm on Wednesday, July 31st (you can read an overview of my presentation topic here).  PowerPoint slides are being prepared, implements of pleasure are being designed, and I’m sure somewhere a set of pearls is being clutched.  If you’re crazy enough (as I am) to be heading out to Vegas during the hottest part of the year, and may be interested in my talk, allow me to help you get into a 3D printing mindset with FFF Fridays!

Each Friday for the next 3-4 weeks leading up to the conference, I’ll be posting about a different 3D printing-related topic -- things that there won’t be time to cover in detail during my 50-minute talk.  (I can’t promise a post on the 26th, as I’ll be traveling starting at ass-o’clock in the morning, but I will try my damnedest.)  Stay tuned for the first installment this Friday, July 5th!

Willkommen, bienvenue, welcome!

Welcome to the inside of my head! 

After much heel-dragging, I've finally joined the rest of the world and set up a blog and personal website.  (Let me apologize for the Spartan surroundings -- I'm still in the process of tweaking the page styles.)  While in the past I've been somewhat shy about having an online presence beyond Facebook and Twitter, this is a logical next step, and one that I'm very glad to be taking.

Now that the site is up and running, expect plenty of posts about life, work, and other random-ass things that I may be thinking about.  And, in a few days, an announcement most unusual... ;-)

Thanks for reading!