Today’s guest is Gabriela Voicu. She is a software engineer who comes to software through an interesting path. She went to a code camp and then transitioned to a full-time coding job. She’s got lots of unique perspectives to provide us with, as well as a great story. Enjoy!
Online security and privacy aren't very sexy, but they are important. SpiderBytes is a podcast where normal people from many different fields discuss the tools and techniques they use to be more secure and maintain their privacy. Hosted by Adam Tervort. Guests from across the SpiderOak community.
Adam Tervort (00:04):
Hello, world. And welcome to another episode of SpiderBytes. I'm your host, Adam Tervort. Up front, I want to apologize. There's a little bit of background noise today. I am actually on a business trip, in Miami. And it seems like no matter where I go, I can't get away from the traffic, but hopefully that won't come through in this recording. Today, we've got a great episode for you today. I get to visit with Gabriela, who is a coding bootcamp graduate, meaning she started off in another industry, and then went to a specialized school so that she could learn to code.
Adam Tervort (00:39):
And now has a career as a software engineer. There's a great conversation that goes over quite a few different subjects, and I know you're going to enjoy it. So we'll get it, right into talking with Gabriela right after these messages.
Adam Tervort (00:54):
This podcast is sponsored by SpiderOak. At SpiderOak, we believe privacy and security are important, and it's our mission to secure the world's data. From secure data compartments for collaboration and data storage, to protecting your backups with end-to-end encryption, or even protecting communications in space, we want to be part of your plan to protect your most important data. Learn more at spideroak.com.
Adam Tervort (01:22):
Welcome back to SpiderBytes, the SpiderOak podcast. Today, I am very pleased to be joined by Gabriela Voicu. Gabriela, welcome.
Gabriela Voicu (01:31):
Thank you, Adam. Hi, I'm Gabriela. I'm a software engineer from Chicago, Illinois. I am a bootcamp grad, and have been coding away for the past six and a half years.
Adam Tervort (01:46):
Awesome. So tell us a little bit about your background. Something interesting, maybe that some people don't know about you.
Gabriela Voicu (01:55):
I have thought about this because I've done a lot of these in the past, right? So now how do you come up with new things? But I realize that the way you come up is by abandoning hobbies. So I can sew. I am very good at sewing by hand, which is a very useful skill to have. So as to not lose clothes, you care. And then I also have a sewing machine that I've probably had at this point for a decade. And I still don't know how to use it. I've tried and failed a number of times. It is very hard.
Adam Tervort (02:29):
That's so funny. A few years back, my mother gave my wife, and my sister-in-law sewing machines for Christmas, and the people that ended up using them, were me and my brother. But I have to tell you, men don't use sewing machines, men use thread injectors.
Gabriela Voicu (02:46):
Oh, is that what you call them?
Adam Tervort (02:48):
That's right. It's much more manly than a sewing machine. It's a thread injector.
Gabriela Voicu (02:52):
It sounds very technical too. I'm going to start telling people I have a thread injector at home, that-
Adam Tervort (02:58):
Yes. Thread injector.
Gabriela Voicu (02:59):
... That probably needs oil and, a little love to work again.
Adam Tervort (03:06):
Oh, that's interesting. So tell us a little bit about in your professional life, what things do you do, and then in that capacity, what are the security and privacy concerns that, the problems in that area that you're worried about and some of the strategies, and tools you use to mitigate against those?
Gabriela Voicu (03:26):
Yeah. So I have been working mostly with startups my entire career. I was at a startup for two and a half years, and then I've been freelancing since then. So I end up, working on smaller teams. And obviously that means that the vast majority of the time we don't have a security team, right? So we need to implement at least the absolute, very basic safeguards to keep the website online, right? Protect from attacks, keep our users information secure, protect from malicious actors. It's happened and, where we've been, where access to a company account was compromised, that bad things happened.
Adam Tervort (04:17):
Right.
Gabriela Voicu (04:19):
Yeah. I mean, I think these are kind of the big ones that I've dealt with, but in terms, right, but that... You end up having to use a lot of things to, secure your client's website, right? So on the employee side, right? We make sure that everybody's using a password manager.
Adam Tervort (04:42):
Mm-hmm (affirmative).
Gabriela Voicu (04:43):
That we only put passwords on there that we share it like that. Right. So that it's harder to compromise this, the passwords like that. And then, I very recently I've learned that, even... I'm sorry. We were, okay. So we, I had a client and we were getting hit every day. People were trying to access my pitch feed dot admin. And it's like, we're a Rails app on Heroku. So it's a very brute force kind of attack. It's almost kind of insulting, but there is a very, pretty straightforward solution. There's a Ruby gem that will block IPs. So, I didn't need to take a security course to figure that out. So that was, that was pretty exciting.
Gabriela Voicu (05:41):
Yeah. And then also, a tool that I didn't necessarily think of before as being a security tool is code reviews. Right. Reading the code to make sure that one, you're not putting sensitive information on GitHub, but then also two, that you're not letting through SQL injections and stuff like that, I think. Right. I think a big thing that I learned through this, right, is that it's not about necessarily the tool itself. Right. There's a variety of password managers out there. They're all really good. Right. But it's about the practice, right?
Adam Tervort (06:20):
Yeah. Yeah. The system-
Gabriela Voicu (06:21):
Getting-
Adam Tervort (06:22):
... Having the system in place. Right?
Gabriela Voicu (06:24):
... Yeah. And getting people to, change habits is extremely hard [inaudible 00:06:30].
Adam Tervort (06:32):
Yeah. It's interesting. You mentioned code review, that I've heard. Of course I'm not a software engineer, but I work with software engineers all day long. And that's an interesting practice because, I think not only do you improve the quality of code, but it's a lot like proofreading a document with a second set of eyes, you never know what you're going to catch. And it just, it increases the security, as well as quality, of that thing that is reviewed.
Gabriela Voicu (07:04):
Yeah, exactly. And that goes back to the idea of it's a security practice. Right. It is very much a matter of thinking of, how could this be used maliciously, right? Have we left any opening for somebody to exploit this? And, sure. You can get like a checklist of things, but it's not, let me, I don't know, use this program and I'll make sure my code is fine. We don't. Yeah. There's no silver bullet for that.
Adam Tervort (07:30):
And, sometimes if you've spent, three days on a piece of, a bunch of code, in some ways you get to the point where you don't see it accurately yourself, because you're so close to it. And so having someone who's not that close, that can help catch a lot of things.
Gabriela Voicu (07:49):
Yeah, definitely. And I also know the feeling of working three days on a thing, and then just being so done with it that even though perhaps you know what the right thing to do is, you just don't have the bandwidth anymore.
Adam Tervort (08:02):
Mm-hmm (affirmative).
Gabriela Voicu (08:03):
So usually when that happens, I'll notice and then go talk to somebody, and be like, Hey, is it okay that I did this? And they're like, well, you really should X. And then I'm like, I know, I'll go do it.
Adam Tervort (08:18):
Oh, that's funny. It's interesting that you mentioned, a PHP attack on a stack that's running on, Ruby on Rails. Sometimes it feels like, the majority of security related attacks are kind of like that, they're looking for very low hanging fruit. And sometimes, that may be all you need to do, is make sure that all of your low hanging fruit is taken care of.
Gabriela Voicu (08:47):
Yeah. And, you have to right? Because, I guess what they're relying on is that somebody won't.
Adam Tervort (08:53):
Yeah.
Gabriela Voicu (08:53):
Right? And, if you take care of that, and I think you kind of end up, as you're building, right? As you're putting things in place that will fix that, and mitigate it and also kind of, perhaps warn you of other things. Right? Because I think another thing that I think about, with security is, you might not be able to necessarily stop the attack completely, but you want to find out as soon as possible.
Adam Tervort (09:24):
Mm-hmm (affirmative), Right.
Gabriela Voicu (09:25):
Right. To be able to, I don't know what, it will vary. Right? But I think that's, very important.
Adam Tervort (09:35):
Yeah. The security announcements you're always pleased to see are the ones that say, we found a security bug, as far as we know, there's been no impact, but we fixed it anyways.
Gabriela Voicu (09:46):
Yeah. Those are good emails to get.
Adam Tervort (09:49):
We, don't get enough of those.
Gabriela Voicu (09:51):
Yeah. No, you that's exactly what I was going to say. Usually it's like year and a half ago, somebody compromised your entire information. Good luck.
Adam Tervort (10:01):
Yeah. Well, tell me on the, professional side, you've mentioned a lot of really great things. How about on the, in your personal life, are there any additional things that you do for privacy, or security that are outside of the things that you do professionally?
Gabriela Voicu (10:22):
Yeah. So I think definitely being in this industry has opened my eyes to what is possible and, to go back to your point about low hanging fruit, right? If somebody wants to steal, somebody's credit card information to buy something, they don't care who they're doing it for. So then, it is reasonable to assume that I might be a target. Right?
Adam Tervort (10:45):
Right.
Gabriela Voicu (10:46):
And, so, I obviously do some of the same stuff. I have a password manager, I use 1Password. I have set up multifactor authentication on a lot of my accounts. Not all of them, definitely email, absolutely most important, very strong password, multifactor. I use an app for it. I use Google Authenticator. SMS-based authentication is no longer recommended. It is not very safe. And then, a thing that I realized a few years ago is that I have so much sensitive information on my laptop.
Adam Tervort (11:26):
Mm-hmm (affirmative).
Gabriela Voicu (11:28):
Which can be very easily lost, or stolen. Right? Unlike a lot of other things that are in our digital lives, somebody could physically pick up my laptop and walk away. Right? And even though I have a strong password, it's encrypted, I need the information on it. So, I've been using, so I have a physical drive at home where I back everything up encrypted. And then I also use SpiderOak's One cloud-based solution. So I have at least two copies, to make sure that I have all of my documents if I need to. Yeah.
Adam Tervort (12:14):
Yeah. Well and, that's the rule of three, it's very flattering that you use our backup, for your cloud backup. But I think the important thing is that, you have, you've covered the what's on your laptop. You've got another local copy, and you've got a copy stored somewhere else, in this case in the cloud. Following that rule of three, that is so important, for all kinds of reasons. If, heaven forbid, there's a fire. Well, you need to have that offsite backup. And it's definitely, always more convenient to restore from a local backup in case something happens to your laptop, and you get a new. So, yeah that is, so important to take care of files that way.
Gabriela Voicu (13:01):
Yeah. I, isn't the rule of three that I'm supposed to have three backups. Because, I feel like, I'm quote-unquote, failing at that. Because, I have two backups technically.
Adam Tervort (13:11):
We have three, three total copies.
Gabriela Voicu (13:13):
Oh, three total copies. Okay. Okay, perfect.
Adam Tervort (13:15):
Yeah.
Gabriela Voicu (13:16):
I haven't had, yeah. I haven't had time to triple check this but, yeah, it's, it is extremely important-
Adam Tervort (13:25):
Yeah.
Gabriela Voicu (13:25):
... Think about all the things that you have on your machine that you would miss. And, I'm saying, important stuff, right? I'm thinking text documents, stuff like that. But it's like, what about photos of your spouse and children, right?
Adam Tervort (13:36):
Right.
Gabriela Voicu (13:38):
Those are things that are a hard, slash impossible to replace.
Adam Tervort (13:42):
Yeah. Years ago when my dad first started, my parents try hard on technology things. They're a little bit older and my dad got hit with a ransomware attack, and this was years back. But the thing he was most upset about were the photos on his hard drive.
Gabriela Voicu (14:02):
Right.
Adam Tervort (14:03):
Yeah. So those, sometimes that's more important than the documents.
Gabriela Voicu (14:09):
Right.
Adam Tervort (14:11):
How about for your phone, because, you made a great point about physical, you can physically lose your laptop. I think all of us have a lot of important stuff on our phones as well. So what do you do for that?
Gabriela Voicu (14:26):
Oh yeah. That is a very, very good point. And so for that, I have everything backed up in the cloud, Apple's cloud. And then, I have a passcode, I do have face ID.
Adam Tervort (14:41):
Mm-hmm (affirmative).
Gabriela Voicu (14:43):
That's, I go back and forth on it. It's very convenient. Everything is encrypted. So if, my phone does get stolen, right? People won't have access to the information on it. Right?
Adam Tervort (14:56):
Right.
Gabriela Voicu (14:58):
And yeah, the password manager I have on there too. That's also where I have my MFA app.
Adam Tervort (15:04):
Mm-hmm (affirmative).
Gabriela Voicu (15:06):
Yeah. And the photos I've gone back and forth on whether I want, Apple to have them, just for a variety of reasons. But yeah, I do have them backed up for, yeah.
Adam Tervort (15:20):
I, that's something I struggle with too. I also have, I use Apple for my mobile devices, and I struggle with that too because their photos software's really good and backing it up with their stuff is awfully convenient.
Gabriela Voicu (15:37):
When I learned that you can search in the photos app by the content of an image. I can search for a chair and it'll show me photos of chairs, just mind boggling. Ooh. One thing I forgot to mention is, using encrypted messaging.
Adam Tervort (15:52):
Mm-hmm (affirmative).
Gabriela Voicu (15:55):
And Apple's iMessage is allegedly encrypted, but nobody has access to the code, so.
Adam Tervort (16:00):
You're right.
Gabriela Voicu (16:02):
And also, if you're texting Android users, you're going over just straight up GSM networks. So I use Signal, for my messages. And it works very well because, so on iOS, you need to have a separate app. But with Android users, they can somehow integrate it with their messaging app. And it doesn't interfere with the experience that much.
Adam Tervort (16:25):
Right. Yeah. That's actually one of the things I like most about Android. My work phone is an Android and.
Gabriela Voicu (16:31):
Oh, okay.
Adam Tervort (16:32):
You just, Signal just replaces the default SMS app-
Gabriela Voicu (16:36):
Ah, interesting.
Adam Tervort (16:36):
... It's pretty slick.
Gabriela Voicu (16:38):
Yeah.
Adam Tervort (16:38):
Kind of wish we could do that on iPhone too.
Gabriela Voicu (16:41):
It would be nice.
Adam Tervort (16:44):
Well, Gabriela, you've given us a lot of really great insights, and I appreciate all the things that you've shared. We'd like to wrap these interviews up by asking you for a favorite quote. Do you have a quote you want to share with us?
Gabriela Voicu (16:57):
I do, I do, I've thought about this. I really, I like this question. So a quote that I've been thinking a lot about, especially in the past year and a half, has been, "If you get tired, learn to rest, not to quit." And this has been attributed to Banksy. I don't know if it's true, but I think it's very good in the context of privacy and security, but also, your life when you get, at work or even in personal life when we get so, tired that things start feeling hopeless-
Adam Tervort (17:31):
Yeah.
Gabriela Voicu (17:32):
... So, that's a, it's a good reminder to, slow down rest, and then pick up again tomorrow or in a month.
Adam Tervort (17:42):
Yeah. And after the craziness of the last year and a half, I think all of us need to learn how to rest. That's a great quote. I'd never heard that before.
Gabriela Voicu (17:51):
Oh, thank you. Yeah.
Adam Tervort (17:54):
Excellent. Well, Gabriela, again, thank you so much for joining us. And in the show notes, we'll have links to some of the things that Gabriela mentioned. So thank you again for your time.
Gabriela Voicu (18:06):
Absolutely. Thank you for having me on Adam-
Adam Tervort (18:08):
Yeah of course.
Gabriela Voicu (18:08):
... My pleasure.
Adam Tervort (18:10):
All right. Well, stay tuned. In a couple of days, we'll have another episode of SpiderBytes. Thanks again for listening. For all of us at SpiderOak, I'm Adam Tervort. We hope you enjoyed this episode. If you did, please consider subscribing. If you're interested in joining us as a guest on SpiderBytes, send me an email at podcast@spideroak-inc.com. We'd like to thank Milgridge for our theme music Ear Shot. We'd also like to extend a special thanks to our law firm, Dewey, Cheetham & Howe. Our crew's activity planner [inaudible 00:18:45] and our nutrition consultants, Eating Right, and Living Good. And our staffing agency, clicking clack. Thanks everyone.