Interview with Leigh Anne Galloway

hi Leanne hello how you doing great how are you I'm good thank you very much enjoying besides very much so first I mean listen yes yes do you manage to explore a little a bit but as you know I have my eyes set on doing some gaming while I'm here as well that's a good well it's not too far off one up so you should be able to get there pretty easily I'm sure someone with some stuff will be able to take you there as well so first question I'll ask how was it like to deliver the lightning talk yesterday yeah it was unexpected you know I'm really familiar with the content so that helped I think that I'm glad everyone

sort of peer pressured me into doing that because what I think is I mean I know this is very much the subject of some of the talks or content that we've seen here today which is it's really important to share and I think b-sides is a community event and it is essential within security that we are very liberal with sharing our knowledge I think that's important it's a gift it's a gift not only to educate yourself but also take it back so I've been I've been really enjoying the event the weather's fantastic here as well which is a bonus obviously yeah also very light as usually well it depends it's it's pretty much somewhere all year

but it is it is but what do you was you're letting talk yesterday it was briefly on how I bought an ATM legally and then ways in which you can hack an ATM okay yeah so I guess to come back to that a bit it wasn't something I'm used to doing but I was familiar with the content I think you saw quickly I've put together some slides and I think it's an interesting topic cuz a lot of people would assume that you would have to attempt to buy that illegally or it's not feasible for someone to do or it's very expensive and hopefully people can see that you know if they have an idea just with a bit of enthusiasm I can

carry you through it can come you carry you quite far and you just have to be a bit persistent I think I think it actually happened yesterday because you know you weren't prepared in the sense you didn't know you were doing yeah you're liking taco totally the best lightning talk any my opinion you should have like submitted that talk as a full-on talk so okay actually my question is that why did he decide to attend but not submit at all okay that's a that's an interesting question so I actually just wanted to come and enjoy the event I've been traveling quite a lot over the last couple of weeks so I spoke activity which is in

Budapest and then I went straight to 8.8 in Chile which is also another great conference and then I've been sort of back in Europe for about a week so I plan to come to this event see some friends talk and for me I just wanted to go to a conference and really be able to appreciate the content for a bit because this year I I got to pick the keynote I mentioned he's doing Jawad's talk and actually before you know peaking Javad and JPL Amazon um I try to actually try and find women okay so I wanted to try and get one man one woman to do the talk I but I was just going to be coming for

the sake of it yeah I try to find two women that over this year gave interesting talks I spoke to both of them and they're are fully booked so you're actually not easy to try and find women to do talks yeah in terms of submissions we had 50 submissions and only one came from a women so Wow okay yeah so that's why we you invited me because of my long so it would be great you know if we actually got more women to submit as well because we do want to try and enable women to talk because you know they have as much or more technical skill than guys do it's not even a compression that should be put on the

table sure so I'll just try to understand if maybe there was something that you know maybe block to you in relation to the event that block you from submitting the topper she was just external you know I don't think there's anything specifically that blocked me and I think I would encourage a lot of people to have the confidence to submit and just give it a chance and I think at least from my experience as well and I think it is the case for a lot of people as they might be nervous about sharing information or not they might feel like they haven't got anything to say or it's not important that people don't want to

hear it but I would just say go for it so I don't think it's anything specifically to do with gender I think we have a lack of diversity in the industry which is obviously a very complex issue and we've got to encourage more diversity in the industry not just because we're lacking it but you know if you look at organizations they perform better financially when they have more diversity so there's a clear reason for doing that it was interesting for me because actually out of all the people that voted on the thoughts what was the only one that didn't know who the speakers were because essentially we get an excel sheet with all the talks and in

my case I delete the column with the names so I knew which stocks are being delivered that do you know who the speakers were because I thought about the names should I be exactly to try and remove that bias that I don't know if I have where I don't but at least that way I guarantee I don't have it so you quite interesting to me to arrive here yesterday and like oh so you're giving that talk or do you think that talk as a conference organizer is there more I can be doing to try and you know get more women to submit kept a link to even attend because even our attendance rates are quite low so is there more I can be

doing for this so I think that's a big problem across the industry again I've definitely seen some women around in this event I'm going to check the rate Thanks can you I I think you know one of the challenges is we're still dealing with like very old stereotypes of what it means to work in technology not even specifically in security right which is which is completely wrong I truly think all you need it's a curious mind and there is a place for you in this industry I really think that it's nothing to do with you know people have these ideas still that it's like you have to be maybe you have to be antisocial or you have to be a very

specific kind of personality or whatever and that's completely wrong so I think as long as you're curious there's a place for you here and you should definitely check it out and don't be deterred by the fact that there's a lot of guys at all I mean they can be your friends too have you had then I never had any complicated situations in terms of harassment or have you ever felt you know those situations affecting you as well um I think every woman probably in every industry has experienced things like that don't personally think it's unique to working in this particular industry if you look at unfortunately if you look at the statistics there's like one in four women will be you know

sexually assaulted in their lifetime so we're looking at like significant problems that are broader than a specific industry I've certainly encountered some issues I would say that as a woman working in security when I was much younger one of the challenges was I felt very much like I had to probably know 150 150 percent of something in order to feel like I was valid to sit at the table or in order to support my argument and there were many times when I know people pushed subjects are quite aggressive in terms of questioning my knowledge to be there and it takes a while as a young person of any gender or orientation to build up that confidence to say like I have a

right to be here I have an opinion I know enough but I've certainly experienced that and I don't I don't know exactly what we can do I think the the problem is very complex and the only way to deal with that is in a number of ways one is looking at education so looking at secondary schools we call it in the UK I don't know what you call it yes yes so when people are so when you're still a teenager okay well are there any ideas were reinforcing about specific industries because we have a problem in science and technology and engineering right so where is that coming from is it coming from like it must be coming from very early

developmental stages it must be coming from having specific ideas about oh well you know some of those very binary ideas about well you can only do physics if you're a guy or you can only and the other thing is you can only do security if you've got a degree in computer science that's wrong as well do you think that because if a few years ago I don't now remember how the the whole security thing started hearing in in Portugal it was pretty much the same so a few years ago we had a bunch of guys that that were working in the mobile industry yeah as you can imagine these quite close a few years ago 20

years ago and we pretty much easy and they had any kind of meetups and stuff like that security was pretty much the same right so everyone was just behind their own avatar their nickname on the channel or something and they weren't quite keen on going into this kind of conferences and expose themselves as well I'm the guy behind something that also just discovered is that is that the kind of feeling that you that you have all the perception that you have without in this kind of community I think sometimes yeah there's there's maybe an unwillingness to talk about certain things because it might put you in specific position sometimes we see as researchers one of the downsides of

talking about researchers people will have the broad opinion the public might have the opinion that in a way you're educating criminals on how to do this stuff that's obviously not the the purpose of talking about research is so so we can actually drive change not encourage criminals because there's quite a difference between being a criminal and being a regular person it's like would you steal a loaf of bread from a shop no most people wouldn't so that's the difference when people say what's the difference between being a hacker and like being a black hat well quite a big difference is your intentions right so there is a bit of that there is a bit of concern I think

for some people around not wanting to deal with the bad press because that is the downside is when you talk about your findings you do get a lot of that negative press as well I've certainly experienced it where other people will deny the the things that you've exposed and you have to deal with quite difficult journalists sometimes but that's the responsibility of talking about your research or you'll just deal with people that have quite direct kind of trolling against against you as well so I can completely understand why some people might never to expose themselves because as soon as you do that then you're in the public domain yeah and then people on the Internet

feel like because they have you know the privacy of the internet that they can say whatever they want then then if they go to conferences or somebody if you get you're gonna get more exposure nigut sure from Dacian or something or sure and that's certainly not for everyone right people have like family lives and yeah or even the fact that we know - US government and other governments obviously monitor yeah things like social here in the internet so there's all of that how do you see the whole Trump cyber us-russia hack thing playing along because there's a lot of well I see a lot of missing information and a lot of people denying that actually the

whole thing then took place we see the same thing in the UK so a lot what for the brexit stuff like that came in from russia we see that in europe probably see the whole cyber security playing along in the future um so I think it's really hard as a security professional to really comment on political motivations at all to be honest it's certainly not my experience but we are obviously seeing evidence of of that being used for applying you know kind of pushing policy that seems to be the suggestion right but I don't I don't particularly know I mean we're certainly moving towards towards a world where we're living with ideas of cyber warfare

whether they are at nation state level or so I personally can't comment I mean I don't know what your feelings are like it's very difficult to determine in any way like what is truth and what is fiction and what lies between and especially with things like the read the media room even even before social media became so prevalent in our lives if you look at the role of media historically some of it is propaganda so it's very difficult as a normal person to determine what is propaganda what is actually influence right everyone's got an agenda all of these organizations have agendas you don't know if they're influenced by government I have no idea but I certainly know that media

organizations they have their own personal agenda they're run by you know specific executives which are towing a line so that's got to influence the kind of content that's put out we're then told that that's truth but we don't really know how much about is truth and fiction they all attended Jevons lecture I'm sure edit any other image out there to try to transmit what you want so they learn from you Jovan okay my last question and this is actually something I want to get your opinion on because it's a concept I have with some of the organizers of the conference okay which is COCs right so we have a COC code of conduct for the conference because one

of our sponsors only said we'll leave your sponsorship if you guys have a COC okay I'm of the opinion that series actually don't work I don't I don't think that if someone is going to conference with myself to know all our asses a woman or all misbehave I don't think it's a piece of paper that's gonna stop them or deter them or really do much what what's your opinion there well I think that's probably driven by liability right which is someone somewhere needs needs that paperwork in order to say look we've dealt with this risk as much as possible so it's it's more about shifting liability sometimes that's legal issues so yeah if we look

at like how much does that work well it only really works if you check that it's working it's like oh you can say the law but but then you don't really need this you see right if this is a private event if I see someone misbehaving really I'm not gonna dress it so I'm just yeah if you want to be I'm gonna call the police that's like obvious human behavior right common sense common sense right so I don't you know a lot of people push for it for osseous we'll save conferences and you guys need to COC and all that I just don't see it that way I think it's also a challenge as a small conference as well it's a

community event right but it's more overhead on you as organizers which is a a bit of a challenge but I think that it just comes from the world that we live in now right and especially if you look at some parts of the worst like America that particularly driven by things like that as well so we just have to accept them but yeah in reality does it do that much no it doesn't actually I was a last week I was an Amazon event so it was the first Amazon event that I got the email of COC right right no whereas harassment a bunch of rules a social this is the first time I'm looking at something and they tell me

that actually I need to accept something to go to a conference okay it was the first time I got well this is getting really either other or really serious because yeah for me that's kind of common sense right so of course it's that it's the same with the analogy that I said right it depends on people's attend intentions right you're only gonna be someone who does those things and has that drive to do those things for whatever reason that those motivations or you're not many of those things are just the ethics that we carry with us naturally I'd like to say I'm not going to do that but I think it's probably just a liability thing and it

comes down to at the end of the day if you've agreed to that then they might be able to easily prosecute someone so sorry yeah okay well the end that's all for me thank you very much for coming to be sighs and hopefully we'll see you next year thank you thanks we did our submission all right okay great thank you very much very much Thanks