Karen Miller

Associate Cyber Security Engineer, Software Engineering Institute

Karen Miller is a Carnegie Mellon University graduate from the Information Security, M.S. program and currently works full-time as an Associate Cyber Security Engineer at the Software Engineering Institute. Although introverted and still early in her career, Karen is passionate about making tech and security accessible to people of all backgrounds and helping others learn new skills that align with their goals.

Description

In this episode, we're talking about how to hack legally with Karen Miller, associate cyber security engineer at the Software Engineering Institute. Karen talks about getting into cyber security through forensic and security competitions, reliable and safe resources to learn how to hack, and how to do it legally.

Transcript

[00:00:05] SY: Welcome to the CodeNewbie Podcast where we talk to people on their coding journey in hopes of helping you on yours. I’m your host Saron, and today we’re talking about how to hack legally with Karen Miller, Associate Cybersecurity Engineer at the Software Engineering Institute.

[00:00:21] KM: Malicious tools and exploits are out there and they might be designed to compromise your own system or maybe even publicly humiliate you if you run it and you don’t know what it does.

[00:00:31] SY: Karen talks about getting into cybersecurity through forensic and security competitions, reliable and safe resources to learn how to hack and how to do it legally after this.

[00:00:49] Heroku is a platform that enables developers to build, run, and operate applications entirely in the cloud. It streamlines development, allowing you to focus on your code, not your infrastructure. It also lets you use the most popular open source languages to build web apps. Also, you’re not locked in to the service. So why not start building your apps today with Heroku?

[00:01:12] TwilioQuest is a desktop roleplaying game for Mac, Windows, and Linux to teach you real world developer skills. The TwilioQuest Program was created in secret to train an elite group of leaders to combat a shadowy organization known only as the Legacy Systems. Take up the tools of software development, become an operator, save the cloud. Download and play TwilioQuest for free at twilio.com/quest.

[00:01:40] DigitalOcean offers the simplest, most developer-friendly cloud platform. It’s optimized to make managing and scaling apps easy with an intuitive API, multiple storage options, integrated firewalls, load balancers, and more. Get started on DigitalOcean for free with the free $100 credit at DO.co/codenewbie. That’s DO.co/codenewbie.

[00:02:04] When you need to focus on building, do you want to get bogged down by your database? MongoDB is an intuitive, flexible document database that lets you get to building. Mongo DB’s document model is a natural way to represent data so you can focus on what matters. MongoDB Atlas is the best way to use MongoDB. It’s a global cloud database service that gives you all of the developer productivity of MongoDB, plus the added simplicity of a fully managed database service. You can get started free with MongoDB Atlas at mongodb.com/atlas.

[00:02:42] SY: Thank you so much for being here.

[00:02:43] KM: Thank you for having me.

[00:02:44] SY: So let’s start at the beginning of your journey. What got you into coding?

[00:02:48] KM: Really it started with computer games. I think the oldest video that we have of me, I’m on a computer, I was about three or four playing some Toy Story game and my face is all scrunched up because I was really serious about rescuing Buzz or whatever I was doing. And then that kind of evolved over the next few years into a love of Neopets, which for those of you who don’t know, Neopets is a virtual pet website.

[00:03:17] SY: So for people who don’t know what Neopets is, explain it to them. Explain to us how it works.

[00:03:21] KM: Sure. It’s a virtual pet website. So basically your goal is to collect valuable Neopets. They’re all painted a certain way. So some paints are more rare than other paints.

[00:03:37] SY: So how did this game lead you to coding?

[00:03:41] KM: In Neopets, you can modify your profile or your pet’s profile, or even like this fully customizable pet page or a Guild page to basically look sleek and that’s what drove me to learn HTML and CSS because I wanted to have a fancy looking profile and I wanted to spruce up my pet’s pages. I think that some people even put their pets up for adoption. So to win over those pixels, you had to have the best looking application, basically sell yourself to the owner of these pets.

[00:04:19] SY: Yeah. Do you remember what your website looked like?

[00:04:23] KM: It changed all the time because I’m sure it started out very basic, and then as I learned more HTML and CSS, I think that I started making like full-on layouts and pretty sure I’d tried to like set up a page to allow other people to use my code if they wanted to make their profile with a certain way.

[00:04:43] SY: Oh, cool. A little GitHub, a little [inaudible 00:04:45].

[00:04:46] KM: Yeah.

[00:04:47] SY: So how old were you when you were doing all this?

[00:04:49] KM: Probably about seven or eight.

[00:04:53] SY: So did you end up continuing to code through middle school and high school?

[00:04:58] KM: In HTML and CSS, yeah. I mean, I don’t feel like I got interested in coding beyond that until around high school.

[00:05:07] SY: What happened then?

[00:05:08] KM: I started being exposed more to like Java and C and C++ because I was taking classes at Southern Utah University.

[00:05:19] SY: Wow! Good for you. Did you then know that you were going to get a CS degree?

[00:05:24] KM: I think I knew pretty early on because I was getting involved in like Cyber Corps at high school, and also in my early college program, there was a Cyber Corps Club and I was participating in this forensics competition. And so I knew that my interest lied in tech, and given that I wanted to stay at Southern Utah University, I figured their computer science program is probably what I was going to end up doing.

[00:05:50] SY: Okay. So you mentioned Cyber Corps. What is that?

[00:05:54] KM: It was a club that was focused on, I mean, for me it was focused on forensics because at that time we were trying to compete.

[00:06:04] SY: So I’m trying to imagine what a forensics competition looks like. Yeah. What were you competing? How does that work? What is the competition?

[00:06:13] KM: So they would send us a bunch of files, some images of a cell phone, I want to say, and it was our job to sort of investigate these files and try to determine based on some scenario that they provided to us what happened using these files. So I remember there was some steganography involved, and steganography is basically hiding information or data in an image, like a picture. And there are a number of ways that you can do that, but I remember we had to use like specific tools to detect that the steganography existed and to extract the information from that picture as well as figure out how to get into this image of an Android phone, I believe, and try to see what was on there, see if there were any clues. This was all driven again by that scenario that they provided to us.

[00:07:10] SY: When you say figure out, what does that look like? Are you like coding? Are you building an app? You know what I mean? Like what are you doing to find that photo or figure out that scenario?

[00:07:23] KM: For the steganography, it’s kind of just identifying what tools are out there that might’ve been used to hide this information and can I use that same tool combined maybe with a password that I found in one of the other files to extract that information. So it kind of involves a level of creativity, research, and just being willing to try different things.

[00:07:52] SY: Interesting. So are you ever coding as part of the competition?

[00:07:55] KM: As part of that competition, no, but I have been in similar cybersecurity-related competitions where coding has been helpful for automating things using Bash scripts to basically execute a series of commands or repeat a function in a way that is helpful to whatever you’re trying to achieve.

[00:08:18] SY: So is that, for example, if I’m trying to guess a password and I wanted to do different combinations, and instead of me manually doing that, you’d write a script to come up with different combinations and try it, like that kind of thing?

[00:08:30] KM: So you could set up a for loop that maybe takes a word list as its input and just loops through those and it attempts to run a command that is trying out those different passwords on whatever your target is.

[00:08:43] SY: Very cool. Did you know that you wanted to get into cybersecurity or at what point did that come into play as a career option for you?

[00:08:54] KM: I don’t think I knew in high school, even though I was participating in that forensics competition, it didn’t really occur to me that I might step into security until during my second semester of college when I was working on my computer science degree. I started participating in a Cyber Defense Competitions Club and started getting familiar with the types of tools and processes that are used by hackers and how I could apply those in a competition context. But it led me to think, “How can I actually turn this into a career? How can I take my computer science degree and combine it with my interest in cybersecurity and maybe even pursue a second degree that’s more related to security?” So I added a forensic science emphasis to my computer science degree so that I could take a few more forensics and cybersecurity courses while I was working on my bachelor’s. And that is kind of what introduced me more into those cybersecurity topics.

[00:10:00] SY: So when you added that forensics focus to your CS degree, what additional things did you have to learn besides programming languages and operating systems? What are the forensic stuff that you had to add?

[00:10:12] KM: We learned how to use tools to analyze images of computers without actually modifying any of the data because a big thing in forensics is you don’t want to tamper with that data. You want to have a clean copy, but you also want to be able to look at what’s on the target that might be malicious or related to whatever you’re investigating. I took some security classes that focused on tools like Wireshark, which is used to analyze network traffic and focus in on individual packets that contain data that’s being sent over the network. Kali Linux, which is a forensics and penetration testing Linux distribution, and it comes with a full suite of tools, kind of an overwhelming number of tools actually to either conduct a penetration test or to do more of the forensics type of stuff.

[00:11:12] SY: So you mentioned penetration test, and I know that’s a popular idea in security, and I’m not really sure I know what it is. Can you explain to me what a penetration test is?

[00:11:22] KM: Basically, it’s ethical hacking. So you are acting as a malicious adversary in order to identify vulnerabilities in your target’s network and you want to identify these vulnerabilities before a real malicious adversary does, so that you can tell the customer, you can provide recommendations on how to correct that vulnerability, how to prevent a real attacker from getting into their network if the attacker was able to exploit that vulnerability.

[00:11:54] SY: So now that you do cybersecurity professionally, I’m wondering, when you think back to those competitions that you used to do, do they accurately mirror the real world or was it kind of very contrived?

[00:12:06] KM: Some of them definitely do a better job of it. It’s tough because I want to say that it was a good introduction to some of the tools that I still use now, but I wouldn’t say that it’s really prepared me for the processes and like the specific processes and tools I use now are pretty different.

[00:12:28] SY: I’m curious to hear about the languages that you’ve used in your field.

[00:12:34] KM: It’s tough. I think that almost any language can be helpful and even just understanding one language can help you understand how to interpret another one in some ways. So I see a lot of Python, a lot of Ruby, Perl, C, C#, Visual Basic, pretty much any language you can imagine is probably helpful in some capacity because these exploits, which are commands or code or some entity that we throw at the target to try to take advantage of a bug or a vulnerability, they’re written in different ways and it’s helpful to know more than one language, yes, because different code might be more successful in different environments. Well, I guess you could start with something like Python or Ruby and then take your experience with that language and see if it helps you understand the other languages, not necessarily be able to code in them, but be able to read them and be able to kind of understand what an exploit is doing so that you’re not just blindly throwing attacks at your target without really knowing what it’s doing. An example that comes to mind is I found an exploit on the internet and it claimed to exploit some service. I can’t remember the name right now, but if you really focus in on the shellcode that was in that exploit and kind of reverse engineer it, you’ll see that it actually just recursively removes all of the files on the system that it’s run on. So you want to avoid things like that. You want to know what the code is doing, and in some cases, you want to be able to develop your own exploits.

[00:14:19] SY: I want to take a moment to just define what hacking is, because if you ask the non-technical kind of general population, they’ll tell you that hacking is this awful, terrible, scary thing. You get hacked, my Twitter got hacked, that sort of thing. But I feel like in the tech community, hacking can be used a totally different way. Like, “Oh, I spent the weekend hacking on an app.” You know what I mean? Like it’s a super benign casual way of speaking. As a cybersecurity engineer, as a cybersecurity expert, how do you think about the word hacking?

[00:14:51] KM: So I agree when people hear hacking, it’s usually in a negative context. Like, “Oh, someone is trying to use hacking to benefit themselves and in some way maybe gain money.” I mean, any number of things, and it can be malicious. Of course, it can be malicious, but there is also the ethical hacking side of things where we’re trying to beat the more evil type of hackers to discovering different vulnerabilities that they might leverage for their own benefit. And what that is, is using tools, using code, using any resources that you can to, again, identify vulnerabilities and take advantage of these vulnerabilities. And in the context of ethical hacking, you’re trying to do it the right way, the safe way and make sure that that vulnerability is no longer there for the more malicious hackers.

[00:15:54] SY: Yeah, and it reminds me, I think I’ve heard of the term white hat hacker. Is that kind of what we’re talking about?

[00:16:00] KM: Yeah. Same idea, ethical hacking, white hat hacking, and then black hat hacking would be like the more malicious type of hacker.

[00:16:24] SY: TwilioQuest is a desktop roleplaying game for Mac, Windows, and Linux to teach you real world developer skills. Explore the Mysteries of the Pythonic Temple, the JavaScript Test Lab, and more all while learning the tools of software development with TwilioQuest. Become an operator, save the cloud. Download and play TwilioQuest for free at twilio.com/quest.

[00:16:49] No one wants to manage databases if they can avoid it. That’s why MongoDB made a MongoDB Atlas, a global cloud database service that runs on AWS, GCP, and Azure. You can deploy a fully managed MongoDB database in minutes with just a few clicks or API calls. MongoDB Atlas automates deployment, updates, scaling, and more so that you can focus on your application instead of taking care of your database. You can get started free at mongodb.com/atlas. If you’re already managing a MongoDB deployment, Atlas has a live migration service so you can migrate it easily and with minimal downtime then get back to what matters. Stop managing your database and start using MongoDB Atlas.

[00:17:37] SY: So if I am a developer, I’m a Code Newbie, I want to get into hacking, but I want to do the good kind of hacking, how do I start on that journey?

KM: So what I have done is I’ve tried to compile a whole bunch of trustworthy resources because that’s something that’s kind of hard to establish as a beginner is, “What resources can I trust? What should I be using? How do I stay within legal boundaries?” The idea behind HackHub is to instill that right balance of competence and caution in people who are interested in any capacity in getting into ethical hacking because it’s really intimidating entering this world of hacking where you just imagine all the bad that hacking has resulted in and you imagine all the legal trouble that you could get into if something goes wrong because, in a lot of ways, it is illegal. If you don’t have the right permissions, if you’re not doing it in the right environment, it can be harmful as well. So on HackHub, I provide those trustworthy resources. They can be used by all levels of learners to learn and practice hacking in a safe and controlled environment because I also provide seven guidelines in the form of an acrostic, which spells out the word “trusted”.

[00:19:02] SY: Can you share those guidelines with us?

[00:19:04] KM: So the first guideline of the trusted acrostic, take your time when you’re learning and when you’re hacking. There’s a lot of important stuff that you really need to nail down and you need to constantly consider what repercussions might happen if I do this or how can I avoid damaging a system or potentially facing legal consequences? You don’t want to do anything impulsively. So take your time. The second guideline is to refrain from touching systems that you don’t own unless you have some sort of legal agreement that gives you permission to. So to avoid that, you should set up your own environment or you should use an environment that’s explicitly designed for practicing your hacking techniques and there are a lot out there. I listed a few on HackHub. And then the third guideline, use tools, exploits, and guides from trusted sources. Malicious tools and exploits are out there and they might be designed to compromise your own system or maybe even publicly humiliate you if you run it and you don’t know what it does. It might send a message to some public forum, basically saying, “This person ran this code and they didn’t even check to see what it does.” Things like that do exist and they’re falsely advertised. So pay attention. Use trusted resources. Fourth guideline is to segregate and segment your environment to make sure that data and systems that you don’t want to touch are separate from your test environment and you should have a test environment when you’re doing this because you don’t want to be running tools and code that you maybe aren’t fully familiar with on a production system. The next guideline is to test exploits and tools. Again, in a safe and controlled environment, make sure that they work as expected. Make sure you know what the tool does, what artifacts it might generate, because if it’s generating those artifacts on your customer’s network, you want to be able to tell them that this file was left by me. 
It wasn’t necessarily left by a real attacker. So it’s helpful to know what impact the tool is having on logs or what files it’s dropping to a system. The next guideline is exploit smartly. Don’t exploit blindly. Understand how an exploit works and what it does before you try it. And if you have experience coding, then even better because there are times when you’ll probably need to modify some code to suit it more for your target or suit it more for your purposes depending on what you’re trying to accomplish with that exploit. And then the last guideline is don’t use your skills maliciously. And that’s a big one because it might be tempting when you see these hackers who are out there trying to get money or trying to be famous. It’s not worth it to do this in a malicious way. There are so many good ways that you can use hacking. And if you stay ethical, then you don’t have to worry about paying an absurd amount of money or prison time if you’re caught when you’re caught.

[00:22:22] SY: So of those guidelines, which one would you say is the hardest to follow, especially if you’re new to hacking?

[00:22:29] KM: I would say the one that gets a lot of people is refraining from touching systems they don’t own. I think that a lot of people, they’re so tempted, they’re so curious. Maybe they just want to test their own skills and that curiosity and that drive to learn and test your abilities, it’s really important, but that’s why there are environments that exist for that purpose. So spend that energy pursuing a certification or doing a competition. Don’t spend that energy risking being caught because you decided to hack into your roommate’s laptop.

[00:23:10] SY: You mentioned certifications, which I think is really interesting. I’ve heard of certifications for server administration and cloud services and all kinds of things, but I would not have guessed that there’s a certification for hacking. Can you talk a little more about that?

[00:23:25] KM: Sure. There are a lot of them. I’m still like discovering new ones all the time because there are a lot of them out there. And I think back when I started, there were only a few, but I have some listed on my website. It seems like OSCP, which is the Offensive Security Certified Professional, is the biggest one. It’s very highly regarded in the pen testing world, and I only recently got mine a few months ago. It’s very challenging. The exam is a 24-hour exam where you’re put into an environment with five targets and your goal is to compromise these five targets or some combination of them as well as elevate your privileges to make sure, if there is an administrator or a root account on your target, you have that elevated access to a target once you get your initial access. So sort of a combination of all of this will result in a number of points to achieve the certification and the threshold is 70 out of 100 points.

[00:24:33] SY: So what are the benefits of getting certified? What do I get out of that?

[00:24:38] KM: The OSCP is a good example of not just getting a piece of paper because it really does force you to learn so much to actually get that piece of paper. You’re not just sitting there and looking through slides or a manual and then taking a quick exam. You’re actually doing hands-on work to achieve this certification, and they even have this very extensive lab environment with just a whole bunch of targets that you can practice your hacking skills on. You’re actually getting this hands-on experience in order to earn the certification. And in addition to that, that makes you stand out because OSCP is, like I said, highly regarded in this industry. So if you’re applying for a pen testing role or some sort of offensive security role, it’s going to look good on your resume.

[00:25:30] SY: And that’s exactly what I wanted to get into next. When we talk about certifications, usually we’re talking about getting certified so I can increase my chances of getting a particular job. So what are the jobs that I might get if I’m interested in hacking?

[00:25:46] KM: Penetration testing, of course, is the first one that comes to mind. I mean, talking about this whole time, but if you want to think about more coding-related offensive security type positions or just security in general type positions, malware analysis and reverse engineering also come to mind and those are pretty big deal right now. This would require you to understand how some malicious code that you or your organization found is working and what is it doing. And this is helpful to identify who the attacker is, what they were after, how can we protect from this in the future, and maybe determine if that code was executed and did it cause any harm to the target or targets, maybe even how to mitigate whatever harm it might have caused, which is also a lot in the machine learning realm. The direction that we’re going is machine learning can be used from both an attacker and a defender standpoint to carry out more smart, automated attacks or potentially detect malicious activity from the defender’s side. So we could probably think of ways to apply knowledge of coding to just about any area of cybersecurity because it’s so valuable, it’s so versatile. And even in pen testing, I mean, I’ve mentioned a few ways it could be valuable.

[00:27:18] SY: Coming up next, Karen talks about good resources to participate in cybersecurity competitions and what the day in the life of a penetration tester looks like after this. Over nine million apps have been created and ran on Heroku’s cloud service. It scales and grows with you from free apps to enterprise apps, supporting things at enterprise scale. It also manages over two million data stores and makes over 175 add-on services available. Also, make sure to check out their podcast, Code[ish], which explores code, technology, tools, tips, and the life of the developer. Find it at heroku.com/podcast.

[00:28:13] With DigitalOcean’s cloud infrastructure, you’ll be able to build faster and scale easier from predictable pricing to flexible configurations, to world-class customer support. You’ll get access to all the infrastructure services you need to grow. Plus, DigitalOcean’s community provides over 2,000 tutorials to help you stay up to date with the latest open source software, languages and frameworks. Get started on DigitalOcean for free with a free $100 credit at DO.co/codenewbie. That’s DO.co/codenewbie.

[00:28:51] SY: So we talked about how competitions were a big part of your educational experience and getting exposed to some of these topics. Are competitions only for college or are there competitions that adults that some of our audience members might be able to participate in?

KM: So there are a lot for college students, but I mean, there’s some for high school, there’s some that are just open in general to anyone, and a lot of these happen at conferences, but some of them just take place online. And a great resource for keeping track of cybersecurity competitions is CTFtime.org and it’s sort of a centralized location that tracks those competitions and gives you an idea of what the audience is and of course when the competition is, and picoCTF is a great one that’s open year round. I want to say it takes place in the fall, but they leave the competition materials open year round so that anyone can try it out, and it’s a great beginner way to ease into these competitions because it’s designed for high schoolers, but it gives you an idea of the types of challenges that you would face even in more complicated type of competitions.

[00:30:07] SY: So I want to dig a little bit more into your jobs. So you do penetration testing, which we’ve talked about a little bit already, but I want to know what does a day in your life look like, especially in the context of penetration testing? What does that look like? What is your day?

[00:30:23] KM: It can vary pretty wildly day to day, but I would say most days are spent just trying to keep up with the relevant news, like new vulnerabilities, new attacks that might’ve been seen in the wild, learning new things. I do a lot of digging deeper into some of the things I already know or that I already know at a high level so I can get a better understanding of what are the tools that I’m using, doing, and what is this exploit code actually running. I want to better understand why certain things work the way that they do, why the tools behave the way that they do, and then of course, learning new things completely, new tools and processes to help me be a more effective penetration tester. And there’s just an overwhelming number of things to learn, but it’s amazing that really you can never run out of things to learn when you’re coding or when you’re in cybersecurity. There’s just no shortage. So I like to compare pen testing to a puzzle that’s just constantly changing and no two pen tests are the same. Then in addition to learning, you also have the pen testing engagement itself. So a lot of times the penetration test will last one or two weeks. It can kind of vary and something you have to keep in mind is an attacker could have as much time as they need to sort of try to figure out how to conduct their attack and you have this small timeframe. So cooperation with the customers is really important. If you need to access something more quickly, then sometimes you can take shortcuts to get that access, again, because an attacker would have so much more time, but you only have that small window. So from the start, an agreement is established with the customer giving you that legal permission to access their systems and outlining sort of the scope of your penetration tests. So what systems are you targeting, but also how are you targeting them and what are you not allowed to touch on their network. Those types of things are established from the start. 
And then once you start getting into the assessment itself, it starts with a lot of research on the target. You want to use open source resources to learn as much as possible, not only about the organization, but about its employees and the technology that they might use, anything that could be useful when you’re launching your attack. And I don’t like to think of penetration testing as a chronological step by step process because really you’ll go back and forth between a lot of the steps as many times as you need based on what you’re finding along the way. And I mean you might be carrying out multiple steps at once even, but I guess a good starting point for a lot of assessments is a phishing campaign on the target. So you’re testing the user’s awareness by sending out a series of emails to all the employees that you have addresses for and it could be a very targeted phishing campaign or a spear phishing campaign, which is just another word for a targeted phishing campaign. And in that email, you have a malicious payload, so that if the user clicks a link or downloads a file, it actually is just a malicious payload that gives you access to their system. And this is a good way to also get your initial foothold because I mean, people, they always click, someone always clicks. And so if you are struggling to get into a network, that is a good way, not only to test the user awareness, but to get that initial access that allows you to explore the network further for other vulnerabilities.

[00:34:25] SY: So we mentioned a couple of times how important it is to do hacking, but do it legally, and we don’t want to knowingly or unknowingly end up breaking the law and getting into trouble. We don’t want to go to jail, any of that stuff. So I’m wondering, how do you legally try out some of these tools to do penetration testing and to do some of the other forensic cybersecurity stuff we talked about?

[00:34:47] KM: So you could do this a number of ways. You could set up an environment on your own system using virtual machines. There are a lot of prebuilt vulnerable virtual machines out there that you can download for free. VulnHub is a great resource for that and just host them on your own systems, and there’s walkthroughs if you’re not comfortable trying out some of these hacking techniques on your own or if you just want to start with the basics, it’s still good to have some of these targets set up on your machine so that you can try out some tools, try scanning them, seeing what you can find out about them, and then doing some research to figure out what do I do next. If you don’t want to take that approach, some people have already built vulnerable environments that you can VPN into, like hackthebox.eu is a great one. They are constantly cycling new vulnerable machines in there and then retiring them. So you do have to pay to access the retired boxes, but the cool thing about the retired boxes is that people are allowed to create walkthroughs either through video or through their website. They can release these walkthroughs for the retired boxes so that if you’re a beginner and you’re not comfortable using the tools and the procedures, then you have those resources to follow. Otherwise, you can try out their active boxes, which are going to be less documented because they don’t like for people to release walkthroughs of active machines, but it’s a great way to be testing whatever you’re learning, the tools that you’re learning, the processes that you’re learning in a controlled environment and not go to jail.

[00:36:44] SY: Now at the end of every episode, we ask our guests to fill in the blanks of some very important questions. Karen, are you ready to fill in the blanks?

[00:36:51] KM: I’m ready.

[00:36:52] SY: Number one, worst advice I’ve ever received is?

[00:36:56] KM: Can I cheat and combine the worst advice with the best advice?

[00:37:00] SY: Okay. Just for you.

[00:37:02] KM: Thank you. I think that the worst and best advice I’ve ever received is care less.

[00:37:09] SY: Oh.

[00:37:10] KM: Sometimes when I get stressed, I kind of let myself spiral and I get really worked up and so people frequently tell me, “Karen, you need to care less.” And it’s not said in a malicious way, and I don’t take it offensively, but I’ve thought about it a lot since I’ve heard it a lot. And I’ve thought about, “When should I care less and why should I care more? How do I transform these two words into a more positive and meaningful form of advice?” So I’ve thought about how I should care less about the things that are out of my control, I should care more about the positive changes that we can make as individuals, and I should care less about close-minded expectations that people might have of me and more about what goals can I set for myself and what goals can I achieve for myself. Care less about what people think about us and care more about how we can be kind to ourselves, how we can be kind to others. Care less about comparing ourselves to others and more about focusing on what we personally accomplish and how we can individually better ourselves. Care less about the mistakes that we make and more about how we can learn from those mistakes.

[00:38:30] SY: Yeah.

[00:38:31] KM: I just find that when I get caught up in worrying what others think about me or if I’ll make a mistake, it sort of restricts my creativity and my performance. And on my most recent pen testing engagement, I kind of let those feelings go. I mean, it only took me 24 years to start to care a little less, but that confidence drove me to have a much bigger role in this engagement and to learn so much more than when I was hesitant and self-conscious. So that’s just a really long drawn out way of me explaining that the worst advice I’ve ever received was just those two words on their own, care less, but the best advice that I’ve ever received was the more positive variation of those words, which is care less about the wrong things and care more about the right things.

[00:39:24] SY: Yeah. Oh, I love that. That was beautiful. I’m really glad you cheated. That was very good. Number three, my first coding project was about?

[00:39:33] KM: So my first coding project was that CSS and HTML that I did to spruce up my Neopets pages when I was seven or eight.

[00:39:44] SY: Number four, one thing I wish I knew when I first started to code is?

[00:39:49] KM: There isn’t just one right way to learn, which might sound obvious, but what I mean is that when I started learning, I thought, “In order to be good at coding, I need to know every fancy term and every piece,” and I felt like I was just forcing these pieces together. I’m trying to make them make sense and work in whatever I was building because that’s kind of how I learned Java was through this formal process of stacking more and more jargon on until I was just overwhelmed and I was discouraged and I thought, “I’m never going to learn to code,” super dramatic, but this method, I mean it works for some people, but we all learn differently and I think if that method feels wrong, if reading about and repeatedly implementing algorithms and data structures feels wrong, you should try a different approach. For example, find something you’re passionate about or at least somewhat interested in and start working on developing a program that you’re actually invested in, either by yourself or with a team, and then from there you can find ways to improve and expand on it as you’re learning these new things, these new concepts. In a lot of cases, I feel like the pieces fall into place more easily when you’re not forcing them and it becomes more clear how they work together. But I got so caught up in the terminology that was being thrown at me and I don’t believe that made me a better coder because I think it held me back in a way.

[00:41:25] SY: Well, thank you so much for joining us, Karen.

[00:41:26] KM: Yup. Thank you again for having me.

[00:41:35] SY: This show is produced and mixed by Levi Sharpe. You can reach out to us on Twitter at CodeNewbies or send me an email, hello@codenewbie.org. Join us for our weekly Twitter chats. We’ve got our Wednesday chats at 9 P.M. Eastern Time and our weekly coding check-in every Sunday at 2 P.M. Eastern Time. For more info on the podcast, check out www.codenewbie.org/podcast. Thanks for listening. See you next week.


Thank you to these sponsors for supporting the show!
