
Cybersecurity Mentors Podcast
In this podcast we discuss mentoring in cybersecurity, information for those that are looking to get into cybersecurity, and tips for those that are looking to advance their careers.
Interview with Dr. TJ O'Connor: Enthusiasm is common, endurance is rare.
In this episode of the Cybersecurity Mentors Podcast, Dr. TJ O'Connor shares his journey from West Point to a retired U.S. Army Lieutenant Colonel and cybersecurity educator. He discusses his experiences at West Point, his military career, and the importance of hands-on learning in cybersecurity. Dr. O'Connor emphasizes the value of competitions in fostering growth and resilience, and he offers advice for aspiring cybersecurity professionals, highlighting the significance of endurance and continuous learning in the field.
Violent Python - Book: https://a.co/d/0L4nJIi
Dr. TJ O’Connor’s LinkedIn: https://www.linkedin.com/in/tj-oconnor/
Angela Duckworth has a quote. She's the author of a book called Grit that talks about how you persist in hard things and she has a quote that I just love that sums up kind of how I think you need to approach things and that's enthusiasm is common. Endurance is rare.
Speaker 2:Could you teach me First learn stand, then learn fly. Nature rules on your son, not the mine. Could you teach me?
Speaker 3:I know what you're trying to do. I'm trying to free your mind Neo, but I can only show you the door.
Speaker 1:You're the one that has to walk through it.
Speaker 2:What is the most inspiring thing I ever said to you Don't be an idiot Changed my life.
Speaker 3:Today we're excited to bring you Dr. TJ O'Connor, a retired U.S. Army Lieutenant Colonel, cybersecurity educator, author and coach of some of the top cyber defense teams in the country, and we're just happy to have you here, TJ, and thanks for joining us.
Speaker 1:I'm really glad to be here.
Speaker 3:We're going to talk about different things and really and you feel free to share wisdom from your many years in cyber security and it's been great to get to know you through CCDC as we're going to talk about and in different ways on the offensive side, when you were attacking my teams to now you know, helping facilitate SCCCDC. But before we get there, tell us about, you know, we're going to get into your military career, but how did you land in the military? How did that become a path for you?
Speaker 1:Yeah, so the path to joining the military and the path to becoming good at computers travels through the same road, and that was middle school or elementary school soccer. It's kind of a funny story, uh, uh. I probably would have never gotten good with computers except for the fact that in the fourth grade and in the middle of a soccer game, I, I think, I had a slide tackle and I broke my leg, and so I was out for six months, and when you're, you know, nine years old or however long I was at the time, with nothing to do, my parents were gracious enough to go buy an Apple II computer and put it in the house and I tore that thing apart and learned everything possible. Nice. When the leg healed back up and I got back into soccer or whatever, I had an experience where an opportunity to try out for, like everyone remembers, like the travel team, squads or whatever, and I had an opportunity to try out for the travel team and all my friends were on it, so why not go for it? And uh, but no one knew I was really bad at soccer and so I tried out. I'm sure I did miserable and uh, and I didn't make the team, uh, which was kind of a little odd thing, cause my best friend at the time, his dad, was the coach and I still didn't make the team. Uh and um, I'll never forget what happened.
Speaker 1:I, you know, I don't know if my parents called or someone called and talk to the coach, but the next thing, you know, the coach came over and talked to me and and he, he said, look, basically, you know you're, you have a skill deficit. Uh, you're not good enough to make the team. Um, but we can correct a skill deficit. So what we're going to do is we're going to take this soccer ball, we're going to stand against a rock and every day after school you're going to kick this thing and just control it. Kick me, put your hands on the rock, kick it against the rock, control it, and it's just this one drill for ball control. So, like, you're gonna do it, for like you know it's, it's been 40 years, you know. So I don't know if it was, it was an hour or 30 minutes, but for some period of time and um, your parents are gonna make sure you do that, and if you do it for whatever time period was a month or two months then you're on the team If you can, if you can wholeheartedly commit to this and do only this every single day for the next two months, your parents tell me that you're on the team and that lesson. You know like?
Speaker 1:I'm still bad at soccer, by the way, but that lesson just taught me about kind of this deterministic mindset to just drive after something and commit wholeheartedly to it and do it. And so it turned out that my coach had had attended West Point, which is the United States Military Academy, and you know, I think that's that imparted a little bit of that mindset into him that he then imparted us as soccer players. And so when I was, you know, at that point and some other experiences, my grandfather took me up to West Point when I was a kid, kind of set the course that I wanted to attend the United States Military Academy, which opened the door for me studying computer science there after I had that experience tearing apart a computer when my leg was broken. So soccer, soccer, which I'm still terrible at directed both those paths.
Speaker 3:Very cool. No, I mean, there is something to that, because if having kids and trying to get them to understand that you've got to put the work in, you have to get the reps in, you have to put the time in and it's boring. This is it can be like kicking the rock, kicking against a rock and just doing ball handling skills. That's boring, but like that, like you said, the discipline, the determination, like sometimes it's tough to teach that. People really want to, you know, do that over and over and over, right.
Speaker 1:Right, and you know it has to be. It's a commitment to something bigger, right? Like I didn't necessarily want to be a great soccer player, I wanted to be on the team with my friends.
Speaker 3:Yeah, because all my friends were.
Speaker 1:I could care less whether or not I got into the game, I just wanted to. Like all my friends were going on weekends to tournaments and playing soccer and swapping patches and doing everything. I wanted to be in that group, and the only way into that group or that only you know was to commit to this thing of kicking a ball against a rock, and so I was willing to do it.
Speaker 1:I think when we, when we talk about goals and we talk about achievements that we're driving after. There has to be something that you want that makes you, that wakes you up at four o'clock in the morning to do it, to try harder. That's more than just the individual thing.
Speaker 3:Yeah, that's a great point. So West Point, I mean, that sounds like a great opportunity, a great experience. Depending on who you are, you know, some people might be thinking that, man, that's not, I'm not down for that. But tell us a little bit about your experience at West Point.
Speaker 1:Yeah, so I mean I uh, absolute, um, uh, drink by the fire hose there. Um, the academics pushed me, the, the, the physical fitness pushed me. At any given point I felt like I was always behind um, which is a wonderful thing. When you're done with it and you learn to like calm the storms and the chaos and be comfortable in the uncomfortable. When you're going through it, it's absolutely miserable, and so I have these very fond memories of West Point now, which I'm absolutely positive weren't the case when I was there. Yeah, but, uh, you know, uh, uh, you know, I think one of the first experiences with you know, we're talking about computers and stuff but one of the first experiences at West Point that was really fascinating was, uh, there was this thing called, there was a and I might get the specifics wrong, but there was an exploit or a denial of service in around 1998 called WinNuke and it dealt with the way the Windows TCP stack rearranged fragmented packets.
Speaker 1:That sounds right and so if they, if they overlapped in such a way that the stack didn't properly handle it, the reassembly would actually crash the entire Windows kernel.
Speaker 2:Wow.
Speaker 1:So, and it was, it was this, like you know someone, someone downloaded the tool and said, like watch this, you can fire a packet, a couple packets, on a machine and then the blue screen of death comes open. And you know, I was in the computer science and so all the students in computer science were like testing it out and seeing how it worked, and I remember spending like days trying to understand how that worked.
Speaker 1:Like had to download the RFC for TCP and IP and understand what a fragment is and understand how fragments overlap and understand how to create a raw socket. It kind of ties back to that thing with soccer. I didn't necessarily want to know what the TCP stack was. I didn't necessarily want to know, you know, all of the fields in an IP frame. I just wanted to know how I can make someone's screen turn blue by sending a couple, like it was, you know, and it was just really a fun experience.
Speaker 1:And then I think that was, like you know, the beginning of my senior year at West Point when that happened. And after that, you know, I had a wonderful professor that allowed me to kind of do a I don't know if it'd be like called an honors thesis or independent study on different types of denial of service attacks, and you know. So I that kind of pivoted off of that one to they gave me an entire lab to just throw things at and make the machines stop. And they were all Solaris machines too, like SPARC 5s.
Speaker 3:Wow.
Speaker 1:And I think they had like 20 SPARC 5s that I was allowed to for my independent study see if I could make them stop, and it was super cool. You know, just going through these different kind of attacks that were out there, some were theoretical, some were like proof of concept programs, and just you know, that was a really. And you know I never thanked that guy enough for like being the willingness to do that, because obviously I'm sure that there was a lot of infrastructure that went in place to allow a 20 year old kid to just start attacking machines at the military academy, um, but like it developed a passion in for me for like how do these things work? How do you stop them?
Speaker 1:You know what are the fundamental flaws that exist that allow these kind of denial of service attacks to occur. And this was at a time where denial of service was not necessarily a big thing. But then, shortly a year later, was when all of the massive DDoS attacks started happening, and so I was just in front of that and there wasn't a lot of knowledge out there about it, and it was a wonderful experience to have someone be willing to put infrastructure in place and probably shepherd the project and make sure that I was doing it but the right way, and and then just be able to present it Um and uh. You know, there was a really fun experience from a, you know, from a learning standpoint, of having the autonomy to do that.
Speaker 3:No, that's cool. And, um, having worked with students and being able to help them specifically with DDoS research a little bit that although they didn't go as well as it sounds like your experience with, we brought down the entire network for Clemson twice, um, so that was a learning experience for me. But, um, but no, it was it's, you know it. That is that sounds like a great opportunity, right, like not everybody gets that chance to, to be able to do that kind of time and effort and energy to research those, those things. So from there, um, transitioning you know I guess you were, you were planning and already planning to join the army, or how did that?
Speaker 1:Yeah, so every student that goes to West Point uh commissions as a second lieutenant in the active duty Army and with a five-year commitment, and so I left West Point. I went to training in Georgia, uh, and then I uh followed up, uh being assigned in Texas for for about a year, uh, working, and my first assignment was to set up these kind of essentially the IT for the United States Army. I would set up these battlefield communications that were housed in a series of trucks that you would drive across the battlefield and they would establish different types of radio and cellular networks to allow the commanders to pass information. Um I went from there to Korea where I assisted with the communications of an attack helicopter battalion, and then, when I came back, was the really fun stuff started happening.
Speaker 1:I became, uh, I had the privilege to get assigned with the special forces, um as their kind of embedded tech, and um I was a support element to them, and I'll tell you what a wonderful mindset of creativity I lived in for those years. Um, just, everyone on that team thinks differently. Uh, problems are not problems, they're challenges. Um, you know they're opportunities. Um, you know there's always a path. If you can, you can outthink the problem. Uh, I love the mindset of being there. I love the um creativity that was praised there, and and people are. Despite all of the accomplishments of the men I served for there, they were incredibly humble, um, and that, uh, was something that I was just so impressed with when I was uh, and so for the remainder of my career, I tried to only find special forces assignments.
Speaker 1:Uh, I got a brief stint going back to West Point to teach which we talk about, and then I ended up going back to the headquarters or out to another special forces group and then back to the special forces headquarters and I just love the opportunity to work for teams that just valued initiative and creativity and you know we're solving really fun problems for them.
Speaker 3:Yeah, so when you're as a support element because I'm ignorant of this how does that work? If they're deployed, you're alongside them and make sure you know their technology, their communications and everything's functioning as it's supposed to Like. What does that look like?
Speaker 1:Yeah it all. It all depends on the size of the element that deploys.
Speaker 1:Um and so I, you know, when I was at uh at Fort Bragg, I was, I was the battalion communications officer. So if the battalion commander, if it was a battalion size element, deployed, I deployed in support of them. So we deployed to Afghanistan and in 2004, when I was out at Fort Carson in and I was leading the, I was the senior communications officer for the group. Then it had to be the. You know, the next level up the group level commander would have to deploy for for me to deploy.
Speaker 1:But at every kind of echelon there were individual teams that deployed in support of that and so it wasn't just kind of the communications or tech folks, there were intelligence packages that deployed and there were supply packages and everything else to make those teams work together. And I wish I had it in front of me right now. But the special forces have a thing called the soft truths and, like the fifth soft truth is something like you know, all special operations require the support of non-special operations, like soldiers or something like that, meaning like every, to play on the team and achieve high level things. It's going to require a whole package.
Speaker 1:And and just having that in their kind of truth, their five truths, was something that was really cool to think of. You know, you just felt instantly valued on the team. I'm good at this one thing and I'll bring it to the team and that will make the team stronger.
Speaker 3:Yeah, so during that time is that where security and information security became like something that was developed, because it was still early days for that kind of you know being baked into IT, right? So how did that come out?
Speaker 1:I mean, yeah, kind of during those, those early days, right, and two decades ago or so, um, it wasn't an independent, um, uh, endeavor. You know, like if you were the IT, you were also the security uh, the you know there wasn't a CISO and a, you know, a CIO.
Speaker 1:It was just one person that established and secured the communications, which, you know well enough, are two competing towers sometimes, right, and so you had to kind of weigh both of the: how do I make communications as accessible and functional as possible and reliable for a team, with how do I keep them secure, and especially in types of environments that we were in? How do we keep them secure from our adversaries?
Speaker 3:So yeah, so how did cybersecurity become like this is the thing that I love and want to do, other than your experience at West Point like were you able to really hone it while you're doing those other roles?
Speaker 1:Yeah, so you know, I think I started seeing. You know, like Lee, you know I, I would, the the research I did at West Point really set a fire. That was kind of slowly churning in the background and I was learning things and I, you know, I'd get home from work and I download a tool and I try to understand how this, this new thing called Nmap, worked, or I try to understand I would. It was slowly, it was slowly burning right. And then I had my day job where I had to make sure that the communications reliably worked and were secured and I was slowly seeing kind of the emergence of like we're putting stronger protections on our networks and understanding all of how, how we understand them. But it wasn't until, like, we got back from Afghanistan and I got picked up to go teach at the military academy. I got uh as part of that process. The Army does this wonderful thing where they pay for your fully funded uh graduate school.
Speaker 1:So, here I am like a year back from Afghanistan and I get the opportunity to go to grad school, and only grad school, like I. During that time the army pays my salary. I think I was a senior captain promoted to major when I was at grad school but during that time they pay your salary, they pay your tuition and the only thing you have to do is go to grad school and like. What a wonderful experience, because I doubled down on every single class I could take and I started taking things, not because I necessarily wanted to understand that thing, but because I wanted to understand how to break that thing.
Speaker 1:I remember taking wireless networks and understanding that the control level frames in 802.11 aren't secured. And I'm like you know, you could just like, you could just send a deauthentication, like my instructor's like, but why would you do that? And I was like well, if you wanted to kick someone off the network and they're like, but why would you want to kick someone off the network?
Speaker 1:And I'm like I don't know but I do know it's possible and like you could. You know you could force this generation of new packets. You know the chop-chop technique was coming out for, like WEP, right. So the entire wireless class I spent like figuring out, like not necessarily, how you can make wireless work, but like what are the things that would make it break? Like, while I'm learning this concept and the instructor's explaining that the control frames aren't secured, like I'm like my mind is churning and going, well, why aren't they secured? And and like what's the? What does that look like? And I think you know like it'll. There's something like 802.11q now that allows for enabling, but like no, why does no one use it for legacy support? I had this wonderful experience of like taking classes.
Speaker 1:I took a class on file systems, which sounds like the most boring class ever, but it was taught by a former Army Ranger who was like passionate about what he did and I ended up like absolutely loving it was like one of my favorite classes when I was a grad school student because, like, I started looking at oh my, like all of this metadata that the file system leaves laying around and how does it choose where to write and how do you reassemble. And you know, I took that and ended up making a class at the the military academy, uh, on just forensic recovery of different types of file systems and which file systems are more supportive of this and how do they work and what is contiguous and non-contiguous data and how does it look different on the file system versus in memory, in volatile memory, just from the things I took away from that class. And so I think when I had the opportunity in downtime as a graduate student to just dig really deep, I had this. You know that's when the fire really got lit. I walked into assignment at the academy to teach and there was a wonderful department head at the time that just really embraced creativity and he allowed me to make you know again. You know I understand.
Speaker 1:Now I'm a little bit older, I understand all of the kind of permissions and things that people probably had to ask for me to make like an offensive security class, and I'm really much more grateful now that they allowed me to do that, knowing kind of what was at risk and everything, but I was allowed to go in and build some really offensive classes and make things that you know how do we break things and why are they? Why are they breakable and what would the developers of this file system or this wireless network or this, how this compilation technique, what would have been done better to make sure that this, this venue doesn't, or this particular approach doesn't break it?
Speaker 3:no, that sounds like a great opportunity. If I, if I could just go teach classes, that I would be so happy. You know, I don't really get to teach. I mean, every now and then I'll help with a class, and that's actually how I got started with the CCDC is. There was a professor who was doing a little bit of cybersecurity and and we connected, I don't even remember how now his name was Dr Sebastian Goaskin and, and so I was like, hey, I'll come help. You know, can I come help? He's like, yeah, come in. And so his first class was ethical hacking, and I was just in there with him and and he didn't really know the practical side of it. He was just, you know, he'd not really done it before. So he kind of let me have some free reign to share some things. And that was so fun, I really enjoyed it. But, yeah, so transitioning. So how did that? Steve, you want to talk about his transition? What questions you got?
Speaker 2:Yeah, so before we move into that, you were mentioning that you went to Korea. So how was that? How was you being in Korea?
Speaker 1:my mid-20s. At the time, my wife, who was a nurse and still is a nurse, came and she was my fiancée at the time and she got a small apartment in town, but this. So I left for Korea in September of 2001. In fact, I think my original flight was something like September 13th, 2001, and it ended up being shuffled a little bit later to the later in the month. So it was a very weird time to be outside the United States for like a year and it was also, you know, at the time when I left for Korea or when I was getting ready to leave for Korea.
Speaker 1:Korea was like the tip of the spear of the United States Army. In fact, I remember my like you get these officer evaluation reports or something like that, and they, they, they flowingly described like your role in an organization or something, and I remember that like it used to read something like you know, uh, supports the, the most forward deployed Apache battalion in the free world, or something like that. And like suddenly, you know, by like November of 2001, that was no longer an accurate statement. And you know, being in the Army and being an officer when your teammates are at, you know, at war, it was a weird experience to be in Korea, where you know it is a very important mission, but wasn't the primary effort at that point. So I was just, I was racing to get back home.
Speaker 1:But you know, one of the things that was interesting about Korea in 2001 was how much more advanced the networks were for, like, I think back home in 2000, I had like a DSL modem and that was like the fastest you could get, right, I think I started off with like two separate phone lines in my house, each drawing 64 K, and then I upgraded to like a DSL modem, you know. So, like I think I think I was getting like 128 K and like I showed up in Korea and everyone had, like you know, full, like T1 bandwidth in their homes and it was like this is this is crazy, the amount of uh, uh, you know, connectivity exists, um, and so that was really fascinating, um, and I think I'm sure that you know it was just kind of like a timing thing, you know, cause by the time I got back to the United States, it was the same thing, you know, uh, a year later all of a sudden. So it was a weird switch to have access to so much information. It was good, though, because I got to watch what was going on and video teleconference with friends around the world, which was like a new thing.
Speaker 1:I Skyped with my parents, which, in 2001, was like. It maybe wasn't Skype, it was some, I think it was a different program, but uh, I I don't think I got Skype to like 2004 or something, but it was different programs that allowed.
Speaker 1:Yeah, and it was you know the internet.
Speaker 2:You've been in the military for a while. How long actually, how long were you in the military before you kind of retired, I guess?
Speaker 1:Yes, I was in the military for 20 years. I retired in 2019. And then, immediately following, I became a college professor.
Speaker 2:Was that for West Point?
Speaker 1:No, at Florida Tech in Melbourne, Florida.
Speaker 2:Okay, okay. So then, when you transitioned out of the military, you were a professor for a while. Were you doing any security work as well, or were you just teaching?
Speaker 1:I was teaching. The modern professor does a lot. I was teaching, I was servicing research grants and then I was coaching our competitive cyber team. It was a full-blown push among those three efforts, which simultaneously got balanced.
Speaker 1:The teaching efforts we supported. We had an NSA Center, academic excellence and research, and I built a curriculum on uh that was focused on cyber operations, uh, heavily kind of focused on reverse engineering and vulnerability research, because that was the industry demand here in Melbourne. Um, uh, the uh, the research efforts. I did a lot of work and kind of two, two efforts. The first was on the security of Internet of Things devices. So I had this wonderful experience when I got there, uh, one of the kind of uh senior professors, slash administrators, uh gave me kind of an in-house grant to go build a lab, and so I went to Walmart and Target and Amazon and I purchased every single possible IoT device I could purchase. I just threw them all in a lab and hooked them up and that became such a fun thing to do because anytime we'd learn something new.
Speaker 1:You know, I teach students how to reverse engineer firmware or dump firmware from a chipset, or we would then go in the lab and then practice it against real, actual devices. And so I remember this one day I was teaching was it the 2019 or 2020 NDA that came out and said that a particular vendor, overseas vendor, had backdoored camera systems. And so, you know, in the 2020 NDA, I think, they banned that vendor and a couple of their subsidiaries from doing business inside the United States. And someone put a tutorial up of that exact firmware online and reverse engineered it and I showed it to the students. I said, like you know, here we fire it up and we look at it. Here's exactly what he's talking about. It is backdoor, you know, and getting that hands-on experience.
Speaker 1:I had this kid, dan, and Dan's like that's pretty neat, and he walked to the lab literally the day after that class, ripped the plastic off. It was a Genie camera system. I think we had five of them total. There was like Genie, I think and I might get this wrong. One name is like the US name and the other name is like the international brand name but they get sold at Walmart. It's like Genie slash Mercury or whatever.
Speaker 1:And he ripped the plastic off five of those devices and jumped their chipsets and by like, like, within 48 hours we have like five CVEs for those camera systems. One had like a hard-coded password in the firmware, another had, and it was like it didn't seem like it was malicious in nature. To be fair, it was like maybe a developer left it in I don't know, or they had repurposed some other firmware and not realized it was in there, like it was a kind of one of these turnkey frameworks that maybe they had used and um, another was like there was an API that was exposed that allowed unauthenticated calls to it and you know, Dan fired these things up and and one, the hardest thing about it was like chipping, like to. To dump a chip, you have to like either solder to it or take this like Pringles like thing and clip on it, and that that might've taken him like an hour to align those, the pins just perfectly and dump the chip.
Speaker 1:The reverse engineering aspect of it was like he fired it up in Binary Ninja, looked at it and immediately saw the paths that something were vulnerable and like almost didn't believe what he was seeing. He kind of called me over and was like hey, is this like a hard code? This looks like a hard code password. That's not, that's not what it is Right. Like like I don't know, like do we have another one of the devices?
Speaker 3:Try to log into it Use that password.
Speaker 1:That is exactly what it is and, uh, you know. So it was a really fun experience as a professor to um. You know, take lessons, um, and really make them applied. I love theory. I'm a computer scientist at heart and I think theory is absolutely important to build a base, but I think the passion develops when we're doing something that's applied. And so for Dan, just tearing apart those kids, that opened up a world for him. And he went on and tore the rest of the lab apart and did his thesis on flaws in IoT systems. And you know, when we get our hands on things, we get to take that theoretical understanding of how things work and just really break it and learn more about it. So I had a fun experience doing that. And then you know, those two efforts the teaching efforts and the classes in that domain and the practice in the lab doing that stuff started turning out. Students that kind of got a passion for this and started looking for opportunities to compete, and so we developed a competitive cybersecurity team as well.
Speaker 2:So how was that like and how did it go Like the first competitions that y'all attended, like, what did you do to prepare to train? Was it like CCDC was, or was it completely different?
Speaker 1:It was a wonderful experience. So it just so happened in like small worlds right, that at the same time I was kind of getting on board, there was a student at the college who had been stationed as a young non-commissioned officer out at Fort Carson with me and he was just as passionate as I was about cybersecurity and so he started leading this effort to build a team and you know I would, to be fair, I would provide him with a lot of resources. But his leadership and his passion really guided that team. I remember the first competition we went to as a team the college was really excited to send us and they sent us up to Augusta, Georgia, and we competed in I think it was CPTC and we got utterly destroyed Like didn't you know? I mean it's the type of like and you know I was kind of, I was kind of having, you know, a moment there where I was like you know I like winning. I am a very competitive person but I have to role model like this is good, good effort. And you know we, you know we had a rule on the team that we were just going to say thank you and be real respectful of the competition organizers because we do. But, man, it was a long ride home and you know, I think Josh, who is the, the student, is just as competitive as I am, just as uh.
Speaker 1:Uh, you know he'd been a non-commissioned officer and he was a communications officer supporting the special forces, but you know, he just as so, he's just as competitive and driven as I. As you know, I don't think he liked that either. Uh, a week or so later, uh, there's a guy in town, Alex Taylor, and he does, I think he works for Binary Ninja now he does a lot or Vector35, the company that owns Binary Ninja, and he had been a multiple kind of finalist for DEF CON CTF, which is the top, the best of the best, you know, world championships of binary exploitation and reverse engineering, and so just Alex was a good friend of a friend of mine, and so we we reached out to Alex and we asked him to come in and give a talk to all the students. We thought this might be an opportunity for him to tell us how to, how to really get good at this Like he was going to come in and he was going to tell us all the tools, and, and so Josh pitched this big thing and we brought everyone, we'd advertised it to all the students and on that day, another professor scheduled some massive exam and literally no one showed up.
Speaker 1:Wow, just filled with knowledge shows up to a room of Josh and I and I'm like oh, God, this is the worst, this is so embarrassing, you know.
Speaker 1:We asked him would you like to? And I think there was like one freshman there too, it was just you had made it there somehow. And so we turned to Josh, or we turned to Alex, and we say you know, can, can we just take you out to dinner at least? And we went and he's like absolutely. And at dinner he just told the most wonderful story, right? So he says that when he was first starting out he had been placed on a DEF CON CTF team.
Speaker 1:And if you're on a DEF CON CTF team, there's a team, there's guys and gals that play on the conference floor, and I forget what that's limited to, but there's only like 10 or so that can go on the conference floor. But then you buy out several hotel rooms that you wire the rest of the team into and so, like, you have this unlimited capacity outside the outside the conference floor of like people that are competing. And so Alex was like one of those, those those backup players or whatever, and he's and he'd done his best to build some tooling. That helped, and and I, I forget, I think he said he built tooling and I might get the story a little bit off, but he built a part of their throwing infrastructure to throw exploits. But he hadn't necessarily solved any of the the vulnerabilities or, in his mind and his, his telling the story, he hadn't made the contribution that he wanted to make. And so he's on the way back, way back, and the captain of the team turns to him and said you know, how are you excited about doing so well? And he said not really. You know, I really don't feel like I made a very strong effort. And the captain of the team turns to him and goes well, what were you doing in like 1985? He's like well, 1985, I was, like you know, three years old or whatever. I forget how old he was. He goes well in 1985, I was doing this. So in 20 years, come back and tell me that you're miserable at this and I'll accept your woe is me story, but right now you're still in the learning phase, so you can't be upset that. You're in the process of learning.
Speaker 1:And so Alex tells this story to us.
Speaker 1:You know, and it was a wonderful way of like, you know, it's okay that you're not the best when you start at something In fact, that's kind of where you want to be is the worst, otherwise don't do the thing that, don't attempt to learn the thing that you already know how to do. And so he tells this story and he gives Josh some other great lessons about how to build a team, how to give classes, and we have this wonderful dinner Within a year of that dinner. So Josh had captained the team all the way to winning the National Cyber League Championships. So they took on every other college at the NCL, which is like a CTF-based competition. That's got you know networking analysis, binary exploitation, reverse engineering, forensics, challenges, and you have to solve all of them and whoever has the highest score wins. Josh championed a team that I think solved, or captained a team that solved every single challenge and correctly on the first time, beating, just knocked out every other team for possibly winning Within a year of kind of that discussion of Alex.
Speaker 1:And you know that to me was like the story of how you get good at this. You know there was a lot of work between that dinner and when he won and the team won. They, they all kind of committed to the same goal, and there were five other students that really dug in with him and learned Um, but uh, it was you know it was kind of indicative of that story.
Speaker 1:Like, come back in a year and tell me after an effort, if you're not proud of where you are, you can't be sad when you start.
Speaker 2:Yeah, no, I think that's great advice, and I do some mentoring of students, of individuals who are trying to either transition into cybersecurity or get started, and that's like a topic of conversation, right. You just have to commit, you have to give it your best try. You may seem like you're failing or you may seem like you're not moving the needle when it comes to where you're starting and where you want to go, but you just got to keep going after it. So, yeah, I think that's great advice. So, moving a little bit towards some of your publications and educational contributions you've written some books, right, you've got some stuff out there. Do you want to kind of talk about it a little bit?
Speaker 1:Yeah, sure, so I. I I've written several academic publications, um, and then, uh, I think around 2010, I wrote a book called Violent Python. Um, uh and um. That book was, you know I was, as I came out of teaching and I was doing some applied research, I started realizing that, you know, I didn't necessarily want to write beautiful code anymore, like when I was like a young undergraduate student and I would write the most eloquent code possible. I just wanted to write code that worked.
Speaker 3:And.
Speaker 1:I started suddenly realizing that you know this language called Python, which now is obvious to everyone but isn't necessarily obvious to me. In 2009 or whenever I started this, python was amazing at delivering just kind of rapid results, and so I wrote a book on using Python too so don't go out and buy it because it's no longer important but on how you could use a Python to do different types of tasks. And so we in the book I think I used it to take over a Wi-Fi drone and crash it. I used it to forensically analyze an iPhone, show how you could dump all the SQL databases out of it, showed it how you run a basic exploit or analyze a network connection, and so that was kind of a gift back of writing a book is fun, but also it was a good experience to say here's how you kind of approach it. A couple of different problems start with the problem, figure out how to write some code to solve the problem, and so at the time that was kind of a wonderful thing.
Speaker 1:I think everyone nowadays is so blessed to have like large language models because you know, even when I was writing the book or I was solving problems back in the day, I would spend. You know, if I wanted to figure out how do I do X, I would spend a day or two going through different APIs or stack overflows to, like figure out what's the library. I need to do this, what's the tool Google doesn't necessarily always get you there what's the tool that will be most beneficial to shortcutting this problem? And with large language models, I think people that are approaching complex learning now are so much more benefited from that because you can kind of get past that initial jump.
Speaker 1:You know, how do I? You know how do I? You know craft wireless packets, like maybe it took me a little bit of time to figure out that Scapy was the best tool for that. And for Bluetooth there's a specific Scapy plugin. You know. Two seconds into a large language model question. Now you're going to know that's it. How do I send a deauth frame? It's going to help you figure that out. So I think there's this wonderful benefit of having kind of a person that exists in a large language model that you can ask questions to. That you might be embarrassed to ask a mentor or someone else.
Speaker 3:Yeah, I agree, and you may, you know, back then you may drop that into a forum and hope and pray that you don't get blown up or flamed out, um, and that you you did your homework and and that they were going to be nice enough to answer your question. Right, if you could find a forum to ask your question to. No, I mean, that's cool, I think I remember I have a vivid memory of being at the SECCDC and we're sitting in the big auditorium and they're talking about the organizers are talking about the, I think the wrap up for the competition, and there's this TJ guy over over here. Who's this TJ guy? Yeah, he wrote Violent Python. I was like, okay, that sounds cool. But, um, one thing I remember specifically, uh, but it's the first time I'd heard of Violent Python and the first time I'd kind of I didn't meet you, but I'd seen you there and um, the the organizer was talking about how it's way easier for the red team, way easier for the offensive team to do what they do, like it's way harder on the blue team side, and I remember you scoffing at his comment. He's over here like snickering. He's like this guy doesn't know what he's talking about, but that was kind of my first time hearing about Violent Python and uh, and I do, I do love Python too.
Speaker 3:Um, I'm I'm playing with Python. I'm playing with, uh, large language models to write Python. Help me write Python, because I don't have the time. I'm not gonna go through and spend all that work now. I gotta make sure it's doing what I want it to do. But it's a lot of work to do, like what you did, to like find this library or find this thing, and man, it is, it is nice, I will say it is nice. But yeah, so, um, from there I guess let's kind of talk about um, you know what our target audience and what they're, what you might give advice, and talking about CCDC and us, you and I, and coming down to Florida, I guess let's pause there and talk about that a little bit. How did you get involved and tell us how you got to where it was hosted at Kennesaw, and then you guys decided to take up the mantle of hosting CCDC, SECCDC.
Speaker 1:Yeah, so I started with CCDC up in the Northeast region when I was at West Point and I had a wonderful experience there. The organizers of the Northeast region just at the time, I think, was up at RIT. They did an awesome job and somehow, even though I wasn't very good and this isn't just me being humble, I was not very good got stuck on the red team and the first year I did terrible as a red team. I don't think I owned any machines, and this is in the days of MS. I think this was 2008, right, so MS08-067 had just come out and I still couldn't remotely exploit the blocks.
Speaker 1:But I went back and I knew the following year I was going to have to be really good, and so I, uh I, I wrote a whole bunch of tooling and infrastructure for it, and the team that came back that year, the red team, was even better. Uh, Raph Mudge was like our captain and and you know uh, the, the, you know the the tool at the time he developed for that event was Armitage, and I remember telling him that no one likes to hack in GUIs.
Speaker 1:This is stupid, you know, other than telling students not to buy Bitcoin in 2010, that might've been the worst statement I ever made, um, but I you know, I had a wonderful experience up at uh NECCDC, um, being a member of the red team. I grew uh quite a bit and learned from my fellow red team members um, even, like you know, I don't think there's this uh uh adversarial uh between the red and blue. I remember Silas Cutter was one of the blue guys. I think he he's at Google Zero now. We learned from each other so much and it was a wonderful experience. I moved to Florida in 2015. I reached out to Kennesaw and they were happy to have me join their red team, which was really nice. Again, the red team for SECC was great.
Speaker 1:I think one of the things that kind of happened early on was there were some concerns about, you know, if you have this red team of eight individuals attacking eight schools you know, do all schools get attacked equally, and so if you assign one red team member to one school, then that attack is is there might be a skill deficit between two of the attackers, and so we started working as best as possible during that time to automate all the attacks. And so I stayed there from 2015 to 2019-ish or sorry, 18-ish, I think. I did three years on Red Team and so, with Evilmog, Dustin and I really dug in deep and built out a lot of automation framework, and then Frack, the following year, really turned it up and put everything into Ansible. And now the red team I mean, it's the fairest thing in the competition, even if it doesn't sound like that you've got this adversarial group whose entire job it is is to take ownership of the, the, the students' machines. Because it's automated and because it's kind of coming into the central platform, it ensures that everyone gets triaged exactly the same, and so that was you know that was a big around.
Speaker 1:Was it 2000?, was it?
Speaker 1:was it 23 was the last year that Kennesaw hosted it and Mike and Herb had been hosting it for quite a few years and you know it was time for it to move and they had other things that they needed to accomplish. And so, as a competitor, I got to know, you know, so I'd kind of fallen away. I wasn't I wasn't red teaming anymore because I was, I was teaching and it kind of fallen away and gotten a note that they were looking for a new opportunity to have someone host the SECCDC. I reached out to the students. I said what do you think about this as a learning experience? We, you know, our students were primarily competing in competitions that were CTF based, so a lot more reverse engineering, vulnerability research and not necessarily SOC based network defense. And all the students said you know, this would be great.
Speaker 1:And so I had the opportunity to kind of make the call up to Dwayne, the national director, and ask him hey, you know, Florida Tech would be happy to host it and we've got this wonderful venue at the Kennedy Space Center. And so he went all in and at the same time Chris Fisher, who had won, I think, two national championships at UCF, graduated from school and he was working nearby and I reached out to Chris and said you know, Chris, there's no way we can do this without you. And, to be fair to Chris, Chris is you know he doesn't like to get a lot of praise in public, but Chris and now Jake Smith are really the primary efforts behind that competition. They do the heavy lifting of building it, and so we hosted up at the Kennedy Space Center the first year and then last year, after I left Florida Tech, we partnered with Cyber Florida.
Speaker 3:They did a wonderful job to host our USF and there's a lot of work that goes on to obviously building a competition yeah, no, I mean, uh, our experience these both these past years have been really been great and um, and I know we've told you guys that that just you guys do a very, uh, well done job and a professional job of hosting it and and and we learn a ton right, and that's what we've always done when we've done these competitions. But just the way you guys organize it, the way you guys uh facilitate it, you know, has been really good, great, and I really appreciate it.
Speaker 1:That means a lot. Thanks, I know that. Uh, it's, it's a massive lift, uh, not necessarily on my part, but on the part of Chris and Jake and Jack McKenna's whole team. Yeah, red Team builds, odeh, builds novel techniques that they could sell for thousands of dollars. Right, that like they could sell for thousands of dollars, right, like the.
Speaker 1:This is why we you know, this is one of the reasons why we don't allow capturing stuff outside the environment is because, like you know, it's like stuff that escapes modern. You know, malware detection, uh, just so that they can get onto machines and and and simulate a real world threat. Uh, the amount of creativity in that red team is unbelievable and they spend I mean literally, they're writing tools now for next year's competition and they're coming off of it and they're saying like, oh yeah, we need this new. And I'm not even gonna pretend to say what they're gonna do, but just the ways in which they persist on machines, the ways in which they get that initial access, the ways in which they evade detection. Some of it is just purposely unfair and makes for great gameplay.
Speaker 2:Yeah, so how do you, I guess, select your people? How do you make your red team? Can people just volunteer, or is there kind of like a trial, or how does that work?
Speaker 1:Yeah, so I trust Jack. So Jack McKenna leads our red team and Jack does a wonderful job in the public sector, defending targets, networks, and he's a graduate of RIT. He was a national champion himself in CCDC. You know, in terms of who goes on the, who supports the red team versus who supports other efforts. When we have volunteers and they express an interest and they, you know, Jack talks to them and figures out where they might best be positioned on that team. I think the last time, you know, I asked Jack this question or something like we had had, uh, nearly half of the red team had participated in CCDC previously, so they had kind of taken these efforts, uh, lessons, and then they just they wanted to give back. Most of them fly out, um, on their own dime. They stay out on their own dime. They, they, you know they make a contribution to the uh, uh, the students. You know it's it's very selfless, uh, the volunteers that do that.
Speaker 3:Yeah, um, it was funny. We were wrapping up day two um this year and I'm walking around and I'm like there's Mudge over there, what's Mudge doing. And I went and talked to him. I was like, what are you doing here? He's, oh yeah, I was on the red team, you know, and I'm you know he's kind of more free time now and he was beating up. I told my team I was like, listen, this guy who's over here this is one of the reasons you're getting beat up is because Mudge was on the red team, you know, on on the Windows side, and he's like, oh, okay, and they, they don't know right, like, you know, okay, you've heard of Cobalt Strike, you've heard maybe they had not heard of Armitage, but um, but he was very gracious, I brought him over and he talked to them. But I was like, yeah, that's the kind of caliber of people you guys are getting beat.
Speaker 1:You know, I uh uh. Raf is a wonderful person.
Speaker 1:Uh you know, just a wonderful guy. In fact, when I wrote the book, he wrote one of those things on the back of the book that says this is a great book, or testimonials, and uh, you know, I really appreciated that and people respect his opinion. So for him to do that, and uh, so I've been friends with him for years and obviously he was our captain for NECCDC and he, you know, was developing and I was learning from him then. So I think the first day of like the or the day we were setting up, I get a text message that says like hey, are you still involved in SECCDC?
Speaker 1:You know like I'm the competition organizer now this year, like it's a director, right, and Raph's like are you involved in it? And I'm like, yeah, he's like I think, I think I'm gonna come this year. And I was like, well, dude, it's today. You know like, and he goes, I'm in the lobby and I look over and like he's texting me from like 10 feet away, you know, and I'm like, what? Like does anyone know? Does anyone even know you're here?
Speaker 1:and he, he's like nope, in true Raph form. He completely evaded detection showed up at the conference I think he had talked to Jack in advance to get on the platform and everything and Jack kind of kept his secret. But what a wonderful experience. He's got two decades of hands-on experience and a lot of people don't know this about Raph, but he was also an Air Force officer for several years and had a lot of experience in the public space doing this. So you know. So for him to show up and I'm really glad you took advantage of pulling him over introducing him to the students that you know, when we get old we love giving advice and I'm sure that meant a lot to him too.
Speaker 3:It was good. I think he really appreciated it for sure. So let's land this plane. Speaking of Air Force, so what advice would you give and have given to, as students and you know, folks that are like, all right, I'm listening to TJ, he's got an amazing career. He's been doing this a long time, um, but I'm new and I want to do this, I want to pursue this, um, and maybe we go back to hey, you got to go kick the ball against the rock and start over.
Speaker 1:Yeah, right you know, full circle, right, kick the ball, it's the rock. And Angela Duckworth has a quote. She's the author of a book called Grit that talks about how you persist in hard things, and she has a quote that I just love. That sums up kind of how I think you need to approach things and that's enthusiasm is common, endurance is rare. Enthusiasm is common, endurance is rare. And, uh, I think when we start out.
Speaker 1:Everyone generally starts out with a mindset of, hey, I want to be really good at cyber or I want to be really good at network defense, I really want to get a vulnerability research and and I don't think I think, given kind of the nature and opportunities there are in this field, I don't think anyone struggles with the enthusiasm. Yeah, we all have it when we start, but then that enthusiasm slowly starts getting broken. You know, we meet someone like Alex Taylor. That's just worlds better than us and we start judging ourselves, we run into a wall or a problem we can't solve and we just crumble. We have to feed that enthusiasm constantly by by having endurance and so, and we have to feed that endurance, uh, by doing the things, uh, that feed it.
Speaker 1:So, um, I particularly like um competitions, um, uh because they are an opportunity to encapsulate learning as fast as possible. And I also understand that, um, uh, I'm a little bit older now and I don't mind failing as much. Uh, you know, if I do a CTF on a weekend and I don't solve it, it doesn't, doesn't wreck me the way it would when I was younger. Um, and I I think that's a benefit of kind of age is I've learned this thing that failing is okay. I would compete as much as possible and take as many L's as possible that I right now, if I were young, I would, I would do a, I would, I would enter a competition, I would fail, I would learn from that what I didn't understand and then I would, you know, grow.
Speaker 1:One of the things I like to tell my students when I was teaching was so there's this website called CTFtime. This is kind of unique to vulnerability research and reverse engineering, but the same concept kind of applies. CTFtime advertises all of the competitions weekly and you can go and sign up for them and the majority of them are free. But I tell students, go on CTFtime, sign up for a competition on the weekend, go compete, find a problem, spend an hour on it Like just an hour.
Speaker 1:If you've made progress, continue. If you've run into a wall where the skill deficit exists such that you can't progress, you're just spinning, stop. But as long as you're continuing to make progress, every 30 minutes or so, stay on that problem as long as you want, because that progress is indicative of growth. But once you've hit a wall, stop, because at the end of the weekend the authors of the competition are going to post the solutions up to CTFtime and you can go back and figure out where that skill deficit exists and then next weekend start the challenge again on a different competition and grow.
Speaker 1:And so this is why I love competition so much because, it quickly identifies where our skill deficits exist but it also gives us the mechanics to repair that skill deficit. And that's how I don't allow the heartbreak that occurs when you fail at something. I think this can be a very crippling field with a lot of gatekeeping where knowledge is. But competition doesn't necessarily act like that. Competition, at least if it's done correctly, challenges people to learn or grow to solve a problem. In fact really well, competitions kind of feed, hints to that knowledge so you can continue to grow during the individual challenge. So I don't think there's a better venue that allows for that exponential rapid growth than competition.
Speaker 1:As a student it's going to give you that hands-on. But that's also to say don't undercut your education. Go learn the fundamentals, go get a degree in mathematics or computer science or electrical engineering, it. Understand what's going to feed and build that knowledge base so you can go apply it. And those two things powerhouse together make a wonderful student that can go out and enter the workforce. And competition is absolutely free. If you're paying a lot for competitions then you're probably at the wrong competition, depending on the resources that are out there. Private industry and public puts out a lot of great competitions every year that are open to all.
Speaker 3:Yeah, no, that's great. I know, when you win and you were successful or you beat the challenge, you it it's. You actually learn less, I feel like because you, you didn't fail. So you don't go back and rethink what you, what you failed at right, oh I, I totally lost at this or I totally failed at this.
Speaker 3:I'm gonna go back and replay this for the next, you know opportunity to compete and I not going to have that happen again. I'm going to try my best to not have that fail. You know, I'm going to replay it in my head. Okay, what can I do differently? Especially, we're talking about martial arts earlier, and when I get tapped, I'm like, all right, I need to learn. I'm going to learn so this can happen again, or at least less likely happen again, right, if I win. But if I were to tap somebody, then I'm not doing that, I'm not doing that same thing over and over again, right, because I, I did it, I did the thing. So I think that's a great point with the martial arts metaphor, uh, and this may be a little bit more of a legend than actually true.
Speaker 1:Uh, I remember, uh, when the kids were little, uh, they would compete in a lot of tournaments and, and I think, a couple of times when they lost we would say like you can get two scoops of ice cream. And when you win, you get one. I'm like why do I get two scoops when I lose? Because you tried a hard enough problem, right? Like if you're always winning, then you're not trying, you're not competing at the right division, right?
Speaker 1:Maybe, it was time to step up from the novice division to the intermediate division, or it's time to step from the intermediate to advanced division. If you're losing, it means you're probably at the right division and now it's time for growth. If you're winning too consistently, then you're just kind of staying in that novice division and you're always winning and you're championing yourself, but you're not growing. And so be comfortable with the L, be comfortable with the loss. Don't, you know, don't accept it, continue to grow, but you understand that it's part of the process.
Speaker 3:Yeah, awesome, well, excellent, well. Tj, thank you so much. This has been a great conversation.
Speaker 2:Yeah, lots of insight.
Speaker 3:Yeah, really Thank you for taking your time to spend with us. And I'm excited to when this is going to come out. I'll be excited, we'll keep you informed. We'll share a lot of the links that we talked about with our audience and just appreciate it, man, sure thing.
Speaker 2:See you, thank you. Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.
Speaker 3:Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.
Speaker 2:Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast, and follow us on LinkedIn. We'd love to hear from you. Until next time. I'm John Hoyt and I'm Steve Higuretta.
Speaker 3:Thank you for listening.