Katelyn Bowden: The Cyberattack That Changed My Life

The cybersecurity industry is full of people who took IT classes at community college, or Computer Science courses at a major university. The usual career path in our field is presumed to be a spark of computer genius in childhood or adolescence, technical studies after high school, and then getting hired by a tech company based on specific technical credentials.

But life doesn’t always work out that way, nor do all cybersecurity careers. I spoke to two women in our industry who have had absolutely fascinating IT career trajectories.

In part two of this interview series on inspirational women in cybersecurty, I spoke with Katelyn Bowden, who was working as a bartender when an abusive ex-partner distributed her very private photos without her consent.

“Revenge pwn” is a nasty and growing cybersecurity problem that can destroy lives. But Bowden proceeded with courage, studied cybersecurity, and founded a non-profit organization called BADASS to help other victims of private photo theft and online sexual harassment. In just its first year of operation, BASASS has helped over 1,000 victims across 16 countries.

Private Photo Theft: a Growing Epidemic

Bowden is not alone in her experience of having her private photos distributed online without her knowledge or consent. Newsweek recently reported that:

“…in January 2017 alone, Facebook received more than 51,000 reports of revenge pwn, according to data seen by The Guardian. That was mirrored by a 2017 survey of more than 3,000 Facebook users for the Cyber Civil Rights Initiative: It showed that one in 20 users admitted to sharing an explicit image without the subject's consent. Meanwhile, a 2016 survey of 3,000 Internet users by the Data & Society Research Institute showed that one in 25 Americans reported either having someone share an intimate image of them online or receiving a threat.”

It’s 2019, and now computers and the Internet have saturated pretty much every facet of our lives. Cybersecurity education is now important for everyone. Talented women and their unique perspectives fill a badly needed void in our industry. I reached out to Bowden to give us her perspective on how she got here and what she sees in the future of cybersecurity.

Interview with Katelyn Bowden: The Courage to Make a Difference

I asked Bowden:

Tell me about the cyberattack that changed your life.

Well, at the time I had just fled an unhealthy relationship, and was living at my Mom’s while figuring my situation out. I received a message from an acquaintance, letting me know that my private photos had leaked on a website dedicated to trading such pictures without consent. My friend had seen me on the site because her own pictures had been shared there.

I was absolutely mortified, and stunned that someone had done this to me. I thought at first it was my ex, but I know that for all his faults, he wouldn’t share those pictures. Plus, he wasn’t Internet savvy enough to even find websites like these.

What action did you take when you discovered your private photos online?

After the panic subsided, I called a friend of mine, who was a photographer as well as a sysadmin for a local startup. I knew if anyone could help, he could. He helped me track down the original posting of the images, and taught me how to send DMCA notices to remove them from the sites they had been shared on.

The first time the images had been shared, whoever had uploaded them had to create an account with a username. That username was the same as a different acquaintances Xbox live username. So I found my poster. I had no idea how he acquired the pics, so I texted him, explaining that he had been caught.

He confessed to stealing the phone in the hopes pictures were on it. He was part of the trading subculture, and couldn’t explain why he did this to me, but he felt awful for getting caught. I had a text message confession, had tied the username to the account, and I figured the next step was going to the police.

Turns out, this was all completely legal in the state of Ohio. Outside of the cell phone theft, no crime had been committed. I was incredibly angry, and felt like this was unfair and needed to change.

Were you very adept with computer technology before you were victimized?

Not really. I knew how to use Google, Instagram, and Facebook. That’s about it. I was decent at Google-Fu. I had been using Google Dorks without knowing it, and had been doing open-source intelligence (OSINT) stuff long before knowing there was a name for it, but without any specific tools outside of social media and Google.

What was your endpoint security like before the attack?

I didn’t have a computer. I only had my phone for a very long time, even for almost eight months after starting BADASS. So I didn’t think much about antivirus protection. And I don’t want to admit how bad my security was. I was very lucky to have not been pwned. But it was bad. Same passwords for most accounts for years, not long enough passwords, I didn’t know my 2FA from my VPN.

Back then, did you think cybersecurity was a lot more complicated than it actually is?

I remember the first time I learned about exif data. It was at a higher education class for people working with stalking victims, about two months after BADASS started. My mind was blown that I had no idea about this. And that’s probably the moment I realized that I needed to get more knowledge on the tech side of things.

I honestly had zero idea about cybersecurity - it wasn’t something I thought about. Without having any credit cards or bank accounts (being a bartender means working in cash), I figured I wasn’t going to be a target. I had zero idea about how valuable data itself was. I was incredibly naive.

How are you learning more about cybersecurity now?

Mostly through talking to people in the industry. With BADASS, we got extremely lucky from the start. I knew tech was my weakness, so I started reaching out to people who could bring that knowledge to the table.

And most responded positively and have been allies from the start. They have seen how far I’ve come, and I’m not afraid to ask them questions for fear of sounding stupid, because I know that I asked some incredibly obvious questions and needed taught some basic concepts at first.

Outside of my ‘tutors,’ I’ve been reading some online tutorials, and keeping myself immersed in the culture of private picture trading groups - they often share methods used to steal the photos, and problems encountered in their search, so I recommend things that I know they have issues circumventing.

Right now, there are massive problems with sexual harassment and digital violations online. Why do you think that is?

Aside from computer technicalities, it doesn't seem to me like criminal courts in the United States and Canada (where I'm from) care very much about sexual harassment. I don't think criminal codes and courts were designed to help vulnerable people.

I write about computer technology, but cybersecurity and information security has a human element to it, how humans interface with machines. I find sociology and psychology to be as relevant to cybersecurity as cryptographic math is.

I think all people, especially those of us who aren't straight cisgender men, are vulnerable to having their private photos exploited.

Did you hear about what Whoopi Goldberg said about Bella Thorne when Thorne was subject to a similar cyber attack? (Goldberg victim-blamed Thorne for having her own private photos exploited online.) “Even cis white men deal with this too - there are a ton of extortion schemes that target them.”

It’s sad to think that she would victim blame on such a huge platform, but that line of victim blaming though is sadly very common. I don't think male exploitation victims will be taken seriously until female victims are.

Have you been able to help a lot of people through BADASS so far?

Yes. We get messages daily from victims, seeking help, advice, or just someone to talk to who understands their trauma. I know I’ve personally removed over 10k images and videos from various websites, and that’s not counting the rest of the team’s numbers, or people that have removed their own images using our walkthroughs and tools.

BADASS has assisted in over fifty arrests, even more lawsuits, and our members and team have testified in front of both state and federal lawmakers to help get laws criminalizing this put into place. We’ve helped get laws passed in Ohio and Montana, and are helping to get the SHIELD act - a federal criminalization - passed.

We’ve also built tools to assist victims, and have helped create some strong deterrent for both posters and the owners of websites dedicated to NCP (non-consensual ‘private photos’). It’s amazing to see how much we’ve accomplished in less than two years, with almost no funding, a small team, and a lot of dedication.

Are you familiar with Zoe Quinn and the Crash Override network? The Crash Override network was similar to BADASS, and I think it disbanded this year.

I know about Zoe Quinn from the Gamergate articles I’ve read, but I haven’t been able to make contact with her, and don’t know about the Crash Override network.

 Seems like they shut down around the time we were starting up. Sounds like an awesome organization, and we would love to see their work continue. When my pictures were first shared, I had zero idea about any of the amazing orgs fighting this stuff - Google searches didn’t take me to any helpful resources.

I started BADASS not knowing that similar organizations existed. Luckily, most have ended up working with us, as our approach was unique.

How have you been promoting and fundraising for BADASS?

Social media, mostly. We’re on every site, and we rely on word of mouth, and page shares to get our message out there. We also do some guerrilla marketing with stickers. Our GoFundMe is the best place for ongoing donations. Or there’s a link on our website to donate.

Do you have any advice for infosec n00bs on how to protect their intimate photos?

Use secure passphrases, and two-factor authentication (2FA) whenever available. Keep all intimate images in a secondary app, rather than the camera roll. And don’t send pictures to anyone who has bad cybersecurity habits!

How do you see BADASS growing and evolving in the future?

I see us partnering with tech platforms to help prevent pictures from being shared without consent. I also see us being a free and approachable resource for victims for the future. I’m also seeing lawmakers take a stronger stand against online harassment, and BADASS being a part of that. I see great things for the future with BADASS, and I can’t wait.

There are many paths to cybersecurity careers; expect the unexpected! In Part 1 of this interview series featuring inspirational women in cybersecurity, I spoke with Jelena Milosevic, who was working as a nurse when she found an alarming security vulnerability in the hospital she was working at. Her altruistic drive to make things better led her to study cybersecurity and travel the world to give talks at information security events.

You can read Jelena’s interview
here.

About BADASS

Founded in August of 2017, BADASS is a nonprofit organization dedicated to providing support to victims of revenge porn/image abuse, and eradicating the practice through education, advocacy, and legislation. Their goal is to arm victims with the tools they need to become their own advocates for justice, and provide the resources they need to regain control of their images, empower themselves, and get justice. Follow The BADASS Army on FacebookInstagram, and Twitter.

About Katelyn Bowden

Katelyn Bowden is the head of BADASS - a group of revenge pwn victims and advocates working to end the sharing of explicit images without consent. The group has introduced legislation in Ohio criminalizing the practice, and has helped hundreds of victims get their pictures taken down and given them the tools they need (tech, legal, and emotional support) to fight back. The group’s website is: www.badassarmy.org.