Hacker Time
Join Evan Johnson as he speaks with security professionals about recent security news!
Transcript (Beta)
All right, we are live with Hacker Time, a very spooky episode for Halloween, and I'm joined with many of my friends here at Cloudflare who are also members of the security team.
And we are here to talk to you about the very important subject of how universities are preparing the next generation of security engineers.
And I think it's really, really important topic because not only is security getting more important, just in the past week, we've had all of these cyber attacks at hospitals around the United States and all sorts of other, it's constantly in the news.
And so it's getting more and more important. And also the industry, every industry is slowly becoming a tech industry.
So the need for top-notch security engineers who understand how systems work as well as how good security fundamentals is just critically important.
And with me are a bunch of people who are no longer at university, they're here at Cloudflare and they, but we all used to be at a university.
And so I can start about to drill into like my experience at a university and then kick it off to somebody else.
I studied security at a school called James Madison University.
I like to call it the Harvard of the Shenandoah Valley, but it is not, it was more known as a party school.
And I got a good security education there because there's a lot of really good professors there who ran some clubs like cyber defense club who did, got me involved coaching a CyberPatriot high school nearby in a different city.
And I learned a lot from those professors and getting my hands on the keyboard, competing in these competitions.
And I spent a couple of years doing that. They have like a specific program for security.
And I studied that all the way through my master's in computer science with a focus in security.
And we're going to get, we're going to drill in more to everybody's background, but for now, like I'd love to hear an intro from Nadine.
Sure. Hi, I'm Nadine. Like Evan said, I am a part of the security team here at Cloudflare.
I'm a security engineer. And I went to Stanford and did a math undergrad there.
And then while I was studying math, started to like learn about computer science that everybody was talking about and really liked it and took a bunch of classes in that and ended up doing a master's in computer science.
I actually didn't do it with a focus on security, even though that track existed.
Instead, I did like a focus on systems. And that's mostly because the security one was just all the systems classes with a few security classes that I'd taken already.
So yeah, that's a little bit about me. And I guess I'll pass it off to Maddie.
Hi, I'm Maddie. I'm also on the security team here at Cloudflare. I went to Baylor University.
I actually studied bioinformatics. We didn't have an official security track.
Bioinformatics is like biology and computer science kind of combined.
We did have a cybersecurity team, which is how I got involved in it. It was just run by professors.
So yeah, just through competitions and things like that, I kind of found my love for cybersecurity.
So yeah, I'll pass it off to David.
Hi, my name is David.
I'm also a security engineer at Cloudflare. I, in my undergrad, so I went to George Mason University, which is the real Harvard of the South.
And I took part in the university's bachelor of science program in cybersecurity engineering, which was something that they had just launched a year or two prior to me coming in.
So we were, so really we were like the first generation of people in this like from the ground up program, focused on security engineering and got to do a whole bunch of things in a whole bunch of different areas that I found really interesting.
I did a few internships in security and yeah, just that overall, my entire undergraduate education was like in the security realm, which I thought was kind of unique.
I'll pass it off to Josephine.
Hi, my name is Josephine.
I'm also a security engineer at Cloudflare. I went to University of Maryland, College Park.
And I actually, there actually is a cybersecurity track at Maryland, but I didn't end up doing it, but I just took a few classes I was actually interested in.
And I started security by actually doing some security research with a professor at Maryland.
And we have a little community of students doing research together and we get together every single week, talk about it and just do it together.
And we try to break little different devices every single week.
So that's kind of how we got started with security or how I got started.
So I am fascinated. I didn't know all of this about that. There was such a broad range of things that you all had focused on in school from bioinformatics to like math and not security.
I'm curious to in reverse order, starting with Josephine, like if there was a security track, why didn't you pick it?
What was the reasoning about not picking it?
Because I actually also majored in math as well.
So I did data science track, this data science track thinking that I was going to go into like the AI stuff.
I didn't realize I was interested in security until like probably junior year of college.
And at that point I already started and almost finished my math degree and my data science track.
So yeah. Nice. That makes sense.
Yeah. Maddie. We didn't have, I'm not in the reverse order, but it's fine.
We didn't have a cyber security track officially.
We're actually starting one I think this year or next year.
So I missed it by a year. But so I just kind of did the club and then they had like classes you could take.
It was just like an unofficial track. So, I mean, I took the classes, but yeah.
Okay. Nadine. Yeah.
So for me, I guess I started with math because honestly, I didn't know anything about computer science when I first got to college.
Like I just had no idea what that was.
And I liked math in high school and everything. And eventually, I guess, like I said, I, when I decided to do a master's, I was like sort of going back and forth between systems and security.
And I think, like I said, I think like they were pretty similar programs, except I think in the security one, like I wouldn't have gotten to take like operating systems and a few other classes that I really wanted to take.
And so that's sort of how I chose systems.
And I think that generally like I wanted to have a little bit of like a broader scope than just security.
And I think that that's been kind of like the right move also, like it helps me in my job today to sort of like know about systems.
And like when I talk to other engineers at Cloudflare, like having sort of that broader knowledge.
Yeah. Knowing about operating systems, that seems like kind of a critical base knowledge to be a security engineer at a company like Cloudflare.
And so for me, when I went to school, we didn't for our undergrad, we had a like a club and I don't believe we had an actual track, but we did have a couple of focus.
There was like a couple of classes in the 400 range, like CS 457 and 458 that were security focused.
And I made sure to take those. And I have to imagine that that the schools, most schools are like thinking about making a security track at this point, because it's such a big industry.
It's growing so fast. It's so important that universities want to prepare people for careers in that area.
But I'm curious, one thing that I heard from a bunch of you is that you are pretty broad in learning a lot of things.
It feels like to me that it helps to be broad rather than be really deep and you have to be really technical in a lot of different areas.
And I'm curious if anybody else has noticed that, or if there's a, anybody has an example of something where it, they learned something in one area that they were able to apply to security, or maybe not, maybe that's too, too hard.
I think I can comment on just the idea of structuring a security undergraduate program in the sense of making it as broad as possible.
I think that one of the reasons I was drawn to security was because it seemed like computer science programs typically are very deep and like talking about like algorithms and data structures and all of these mathy type things about programming.
While security is very like hands-on, let's solve some problems.
Let's learn about why systems are designed in these particular ways that cause them to be particularly vulnerable in different ways.
And so what I really appreciated about my university's program in the sense of it touching things from, I took multiple cryptography courses.
I took courses in radio frequency protocols. I took classes in industrial control systems, in transportation systems, like all these different things I thought were interesting because it helped me better define not only what I was interested in, but also I still will pull things from different knowledge areas because I think security in one area is very much like some of the same principles you can apply in many different fields.
So that's what I liked about the idea of going broad versus deep, which I think not a lot of other programs, like I think it's unique to security.
Love it. That makes sense. So I always have a hot take basically every episode and my hot take here in this topic is I don't think schools do a very good job preparing people for what it's like in the industry.
And like I don't think that's specific to security. I think one of the knocks on schools that you hear a lot is like, I'm an adult and I never learned how to pay my taxes.
Like somebody probably should have taught that in school.
What do you all think is a worthy, do you think schools are doing a good job now?
And what do you think is missing? How could it be better? And my two cents is like, I think people should be programming more and being in security classes rather than learning about the CIA triad and the, all of these like kind of slideshow, PowerPoint security.
And I think that's really important to get people's hands dirty.
But I'm curious what Nadine, what you think?
That's interesting. I never learned about the CIA triad, so I'm not sure.
It's confidentiality, integrity, and availability.
And it's like a very synergy security slide.
Wow. That sounds interesting. It sounds like a good diagram or something, but yeah, I think actually like, that's interesting that you mentioned that.
I think some of the classes that I took in security, we had like a cryptography class and there was a computer and network security class.
And actually like, I think they did a good balance of theoretical and like practical in those classes.
So we definitely had like some, you know, problem sets where you would have to like prove that some cipher was like insecure or something, which like realistically no one's doing that except cryptographers.
But there were also other assignments that we would have that were a lot more practical.
And so we actually, I remember one assignment was just like a website and it was like find all the vulnerabilities and like exploit them.
And you just had to like, the more you found, the better you would do on that assignment.
So that was kind of cool. And we also did like a man in the middle attack that we like faked with an HTTP website or something like that using like Wireshark and like learning about that.
So I think like they did a good job of balancing that.
For me, like when I came into like the security industry, I think some of the things that I had like never heard about were, I guess, some of the things that like industry tends to care about, but maybe like you wouldn't learn in school, like for example, learning about risk management or like vulnerability scanners or things like that, where those are like central to any security team and learning how to like deal with those.
And what are some of the requirements? Like we never learned any of that.
It was sort of more focused on the computer science class, computer science, like scope.
Yeah. That was a great answer. Yeah. I guess it makes sense that you do want a balance of theoretical and practical.
And I never thought about how actually, yeah, even on the less technical side of security, like the risk management stuff and all of the, that really important stuff.
You don't really learn much about that in security classes either.
So that would be helpful to know too.
Maddie, what do you think having done the CDC and all of that, where you do get your hands dirty?
Yeah. I mean, I definitely feel like I learned the most doing those just because it's very like hands-on and like you're touching a lot of different like operating systems, also setting up different firewalls.
You could just really getting like a broad range of kind of like all this different knowledge.
But I also think like the information you learn in class is for like imperative because like, if you don't know what a firewall is, it doesn't really matter if you know how to set it up or not.
So I kind of see like both sides of it. My, like the cybersecurity classes that we took, it did have a lot, like our like final project was like, we had to set up web servers and then try to hack each other's.
So, I mean, it was kind of fun. We ended up like hacking the other teams and like ransomware them with like doing dumb like tasks around campus to give them access back.
But I don't know. It was really fun. And like, but I definitely think like the hands-on learning of it is like super important.
And also the CIA, CIA triad, I missed the A on the final because I said accessibility, not availability.
So I will never forget what that is. Oh my gosh. Accessibility is so important, but you should just add another A to it.
I think so. The CIA triad. Yeah. And David, I'm really interested to hear from you, especially because your program was like very security centric and-
Well, I have a hot take to share on this.
Let's see it.
I have a hot take to bounce off your hot take, which is I think most teachers, and this is from my experience, right?
I'm not trying to make a blanket statement here against all university professors.
I think a lot of people who either they're teaching their first class or, you know, starting, like I had a lot of adjunct professors in my security program because like, it was very challenging to bring people in.
And I think a lot of them, like, I think it's really hard to teach a security class right.
I think it's really hard because finding that balance of the practical with the theoretical, it's so easy to tip too far into one and not enough into the other.
And like, I think the students are never going to be happy, right?
Like, I think you're going to have a portion of people where it's like, I only want to hack things.
And then there's going to be a portion of people that are like, I don't understand what I'm doing, but I'm just going to fumble around, right?
So I think we're going to see some really interesting, like, innovation in the space where teachers will try and find different ways to convey, like, lessons and whatnot.
I definitely, like, in my experience, had some rocky classes where, like, the content, like, stripping away the way it was being presented to me, the content was good, but it was just, like, so all over the place with, like, really bad projects or, like, really bad PowerPoint presentations or, like, sometimes it would be a good project.
Sometimes it would be a good presentation.
I just think there's a lot of space right now for people to kind of, like, figure out how the heck to, like, teach this stuff because it's so new.
Yeah, that's true, too. Like, the way you learn today is probably going to be super different than the way you learn in five years.
And also, none of the professors that we had had security classes, they all, it's, like, didn't exist when they went to school, which is also really interesting.
It might have only been textbooks or, like, might have probably was more cryptography focused, where if security might have only meant cryptography back then or who knows.
Yeah, Maddie, Josephine, what about you?
The Maryland is, College Park especially, they used to destroy us every year in CDC, and they had a really good security program, from my understanding.
What did you kind of observe with the good professors there?
Yeah, actually, I think I actually got a pretty good education from Maryland for, like, I think they actually did prepare me fairly well.
They're not the best at advertising what they have. They have, like, a living learning honors program, where a bunch of people who are into security live together.
And so, it made, like, having events that are security-related very, very easy to access.
They had a career fair focused on security. It's, like, a bunch of companies just looking for security engineers, and they would come to our dorms, and all we had to do was to go downstairs to try and connect with people in the industry.
And they had, they even had, like, etiquette classes on how to have business dinners, just, like, also downstairs.
And they had a bunch of classes catered to us that are security-focused.
So, they have some very beginner's level, like, forensics classes, or, like, puzzles classes, or, like, penetration testing classes.
They had a minor, where if after the two years, if you like the living learning community, you can apply to go to do the minors as well.
And then, they have some slightly more difficult forensics classes. They have some slightly more difficult penetration testing classes, which were very, very hands-on.
So, those are really, really great. And in the program, they also specify that you have to either do research or a security-related internship in order to stay in the program.
So, those are also very good ways of getting yourself started as well, just, like, forcing yourself to do it.
So, yeah. So, that was actually really good.
That sounds actually amazing. I'm also interested what you learned at the business dinner etiquette class.
What do they teach at that?
Is it, like, this is your soup knife, or your soup knife?
Yeah. Yeah, they did. But I did not remember they had actual food to talk about, like, how, like, yeah, I don't know, how to use your fork and knife and stuff.
Wow. I don't know. Yeah. Wow. It was just one of, like, it was very, like, I feel like they were very, like, basic things.
Like, don't be late. Don't take the last bite.
Don't eat too fast, too quickly. Like, cut down your food, like, this size, and, like, that kind of thing.
I probably should have taken that class. I do all of those things wrong.
I take huge bites. I'm always late, and I eat too fast.
Yeah, they teach you, like, what salad forks. Yeah, they teach you what, which salad forks are, and which ones are, like, the dessert fork, and, like, which ones are, like, the main course fork.
So, I don't know. That is comprehensive. Okay. So, we have about seven minutes left on air.
My, I have another hot take that, that it's not, it's probably the most lukewarm take after the conversations we've had so far, but since we were talking about being so broad, I also think that, like, a lot of non-security classes benefit just, like, being a well-rounded individual.
That was one thing that the school I went to did really, really well, where they forced everybody to take, like, a literature class and history classes and stuff like that.
I think a lot of schools do that, but we were pretty intense about it, where it was more than half of your, your program.
And so, I guess, I'm curious what classes you all look back on that were non-computer science and security that you really enjoyed, and non-math for Nadine, since that was her major, but my, my personal two favorite classes that I took were junior year, I took a literature class, where I didn't read any of the books, but the, but the, I, I got really good grades on the papers, but the discussions in the class were really good, talking about the books, and I really enjoyed that.
And then an astronomy class, we had a big, we had a big dome, what's it called, thing, and we would just look at the stars and planetarium, in the planetarium, every single day, and that one was awesome.
So, starting with David.
So, I always tried to take the most eccentric classes I could possibly take, because all of my friends did, like, the boring, like, oh, I'm going to take a 100-level, you know, geology class or something.
You know, I wanted to take something fun, so I took a 300-level anthropology course on Chinese literature.
I knew nothing about anthropology, I knew nothing about Chinese literature, but I just did it, and it was, like, a ton of fun, because not only was, like, the literature really interesting, and just, like, I don't know, just, like, different perspectives on different things.
The teacher made different dishes every week.
It was a 7 to 10 p.m. class in the evenings during the summer, so I got free dinner out of it every week, and I really enjoyed that, and then I also took a 400-level theater class with my friend, and it was about basically studying film to see what we can learn about actors' performances, and then at the end of the semester, we had to make a film ourselves, like, a 10-minute film, and so it was really fun.
We were, like, my friend and I were basically, like, two nerds in the class filled with theater majors who all knew each other and had all these inside jokes, but it was a lot of fun, honestly.
I really enjoyed doing classes like that.
That sounds so cool. What about you, Josephine?
What other classes did you take that you really enjoyed? I actually took a class on American Sign Language, and where we got to learn a little bit of sign language.
I've forgotten most of it, but, I mean, one day, eventually, I hope I get back into it.
That's awesome. I don't know. I've seen people signing recently, and I was thinking, like, I should, like, learn the basics of that, because that seems like it'd be fun to learn and also important, too.
Maddie, what about you? So, I took a lot of, like, the biology chemistry classes, and I have not found a use for organic chemistry in cybersecurity, but if I ever find one, I will definitely let you know, but I did really like them.
Like, my favorite, I loved genetics, and I really liked biochem, and I don't know.
I liked it because it's, like, different parts of your brain, I think, or at least I thought I was using, than, like, computer science, because computer science is, like, learning things and, like, applying them, where it's a lot of, like, memorizing and studying and reading.
So, like, I don't know. It kept it interesting and fun, but, yeah, definitely not super applicable in cybersecurity field, but interesting.
Organic chemistry is a class a lot that I knew failed because it was hard.
I took both of them, and I can attest, very hard.
Yikes. Nadine, how about yourself? I also took an astronomy class, and it was awesome.
Like, we got to, like, take pictures of stars with a telescope and, like, analyze them and figure out the brightness of stars, and it was, like, super humbling to realize that, like, just by observing something, you can, like, figure out all this stuff about it.
It's, like, really cool.
But the other, another class I took outside of, sort of, like, the STEM world was a, I also, I play violin, like, generally in life, and so I took a class about symphonies and, like, learned a ton about how symphonies are structured and listened to many of them and, like, wrote essays about, I don't know, what was it?
It was, like, postmodern, like, music and stuff like that.
So, you just, like, it's fun to, like, be in a different world and have to think about something, like, completely different, and writing essays is very difficult for me, so it's always a good challenge.
Yikes. You're not an essay person?
Definitely not. No? Oh, wow. I'll remember that next time I ask you to write a functional spec or something about it, or a technical document.
We'll, I'll keep that in mind.
Well, we have about a minute left, and we can't get too deep into anything, but I appreciate everybody coming on.
This has been really cool to hear about, kind of, all the different programs that you all went through, and security is, I think, the, going to be a huge industry in the future.
If it's x many dollars today, it's going to be 10x that down the road 10 years from now, because it's just so important, and especially the technical side of it, where all of these industries are slowly becoming tech industries.
You see it in finance.
You see it in software. You see it in oil and gas. You see it everywhere. Maybe not oil and gas.
Well, maybe, like, Tesla is a tech company, so I think we're going to see a lot of change in the different programs that people teach, because right now, there's a lot that's good.
There's a lot that's bad, but overall, a lot of new people getting into the industry, and thank you for joining us.
It just cut out, and so I didn't get to actually wrap it up, but that was great.
Thanks, everybody, for joining. Thanks, all.