Breaking Boundaries with Cybersecurity with Yan Shoshitaishvili

“The innovator needs to align the mission and show how this can move forward. You need to either have an institution or an organization that will meet you in the middle or you need to make that place within your organization.” – Yan Shoshitaishvili, assistant professor at Arizona State University

Why do stories matter to the innovation process? What values can be instilled in innovators who share stories? How do innovation leaders inspire creators to tell and share their success and failure stories?

We speak with Yan Shoshitaishvili, assistant professor at Arizona State University and co-creator of angr, the open-source binary analysis project that underpins a fully autonomous hacking system. He is part of the Order of the Overflow, the organizers of the DEF CON CTF hacking competition. Yan has created a website for people interested in learning about cybersecurity through code-breaker games, https://pwn.college/. pwn.college is described as helpful for beginners to learn the very basics of hacking. Beyond the website for cybersecurity beginners, Arizona State University has a six-month program in which a participant is paid as a grad student to better understand what graduate-level cybersecurity study entails. The chosen individual gains a better understanding of cybersecurity research, allowing them to make an informed decision on pursuing a graduate degree. If you want to learn more, contact Yan at yans@asu.edu. You can also connect with him on social media: Twitter and LinkedIn.

Yan Shoshitaishvili is an assistant professor at Arizona State University, where he pursues research in automated program analysis and vulnerability identification techniques. As part of this, Yan led Shellphish’s participation in the DARPA Cyber Grand Challenge, applying his research to the creation of a fully autonomous hacking system that won third place in the competition. Underpinning this system is angr, an open-source binary analysis project created by Yan (and others!) over the years. When he is not doing research, Yan is pushing the area of cybersecurity competitions into the future from his position on the Order of the Overflow, the organizers of DEF CON CTF.


TRANSCRIPT

This episode is powered by Untold Content’s innovation storytelling training. Increase buy-in for your best ideas in this immersive and interactive, story-driven experience, where your teams refine storytelling techniques for their latest projects, prototypes and pitches and get inspired by 25 epic examples of impactful innovation stories. Learn more at https://untoldcontent.com/innovationstorytellingtraining-2/.

Katie: [00:00:00] Our guest today is Yan Shoshitaishvili. He is an assistant professor at Arizona State University in Cyber Security. He is one of the world’s best hackers. He is a previous team captain of Shellphish, one of the highest-ranked hacking groups in the world. He is also founder of The Order of the Overflow, a mysterious entity that hosts Def Con CTF: stands for Capture the Flag. And it is something we’re gonna dive into quite a bit in our conversation. Thank you so much, Yan, for being here on the podcast.

Yan: [00:00:32] Happy to be here, Katie.

Katie: [00:00:34] How did you get into this world of hacking?

Yan: [00:00:37] I got in pretty early, so when I was about six years old or so, my grandmother gave me a book called Professor Fortran’s Encyclopedia, this was a book, back in Russia, it was published for kids to learn about computing and it just took kids through what is a computer. Various concepts in this comic book fashion. Had a Professor Fortran. Of course, Fortran is also the name of a programming language, and that was the kind of pun there. That had a cat named X and caterpillar named Caterpillar and a bird named Bird. And so they kind of explored the computing world together. And then they culminated in learning how to code in BASIC. And this is all on a book. There weren’t really personal computers around and definitely not in Russia. And so for a while, I would just ditch class, you know, in elementary school, early elementary school, and I would ditch class and I’d hide in the stairwell. And I would just read this book over and over, cover to cover. And then eventually I got a chance to write some simple programs on the mainframe at my mom’s work.

Katie: [00:01:56] What did your mom do?

Yan: [00:01:58] My mom did – Basically, what is now would be seen as like database programming. Back then, it was a branch of math.

Katie: [00:02:07] OK. Was that is that oh. Was at the time a well respected role for women? Or was it sort of a gender divide? Was it only women who were doing the computing in that space at the time in Russia?

Yan: [00:02:21] From what I remember, her department was largely women. But I don’t know if there was a gender divide. I don’t know enough about that to answer, really.

Katie: [00:02:31] Sure, sure. There’s some more visibility around that trend in, at least in American history, around NASA and a lot of women of color who were really the ones computing in the background for a lot of those space flights.

Yan: [00:02:47] Oh, absolutely. Yeah. You know, the early – I gave a talk yesterday to the university here to their cyber security club.

Katie: [00:02:56] University of Cincinnati?

Yan: [00:02:57] Yeah. Yes. I visited their cybersecurity club and I start I like to put a historical basis for my talks. And I was introducing the concept of program analysis, which I guess we’ll get to later. But in introducing this concept, you know, you start with like Charles Babbage and so forth. The creator of the Babbage Analytical Engine. And this was in the 1800s. And as one of the first things that’s kind of recognizable as modern computer, you know, on the way to a modern computer, and then you very quickly start talking about Ada Lovelace and the first, you know, computer programmer, someone who wrote programs for Babbage’s computer, she’s also the first computer program analyzer.

Katie: [00:03:46] Yes!

Yan: [00:03:46] So she had this amazing analysis of computer software as it ran, or as it would hypothetically run on a hypothetical analytical engine.

Katie: [00:03:56] Speaking of favorite children’s books, I have three little kids and they love Ada Twist, Scientist, which is based on Ada Lovelace. 

Yan: [00:04:05] Oh, that’s great.

Katie: [00:04:06] Yeah. “Ada Marie, Ada Marie said not a word till the day she turned three.” And she and it’s all about how she has a scientific mind, not necessarily a literary mind, and how she explores her world. Anyway, since when we started with children’s books. So. So. Yeah. Okay. So when you’re introducing students to some of these concepts, you’re walking them through the history and the different sort of perhaps untold or unseen voices.

Yan: [00:04:31] Yeah, it’s important to have that grounding. I mean, it’s that early history is peppered with names that, you know, while we recognize Ada Lovelace, I think people recognize Grace Hopper. You know, they don’t quite realize how impactful these people were. And it’s important to surface that so that. When students learn about cyber security, they understand that they are not just jumping in, in a specific instance in time… 

Katie: [00:05:09] Yes.

Yan: [00:05:09] They’re really participating in a long continuum of people getting at the very heart of computing. And that’s, at its core, what cybersecurity is, it’s digging into the very, very fundamentals of computer science, of computing, of, you know, programs, of our dependence on our societal dependence on software and on technology.

Katie: [00:05:38] Absolutely. It’s incredible how important and applicable the research that you’re doing and the programs that you’re building are to the industry, to academia, to our government. Can you fast forward us now to what you do now? I mean, you have an insane number of publications for a very young assistant professor. You’ve been in the game for two and a half years now out of your PhD. I assume maybe you did a postdoc in between or?

Yan: [00:06:08] The way that the the state of the field is right now. There’s a huge demand for cybersecurity for very clear reasons. As you know, security issues keep popping up.

Katie: [00:06:21] And the speed of creation of technology is rapid.

Yan: [00:06:24] Yeah.

Katie: [00:06:24] Security concerns increase alongside that speed.

Yan: [00:06:27] And actually, you know, an interesting thing there is… the lack of security is a source of friction in the creation of technology, so there’s only so fast that you can develop technology without thinking about security because eventually there will be massive security issues that start hampering adoption. Things like, you know, credit cards being leaked constantly. And what you see there is, you know, a couple years ago, everyone switched over from swiping to putting the chip in to the card reader. Right. For. For making purchases. And that has some cost. It took real resources to replace all these machines, etc, etc. And that was a security issue that drove behavior change as well.

Katie: [00:07:12] Behavior and a willingness to adopt. 

Yan: [00:07:14] And so what we saw very clearly is kind of a stumble, like a rock in the road that our progress hit because we didn’t think things through and make them secure from beginning. At the same time, it’s impossible to make them secure from the beginning. You can’t foresee all the issues, et cetera, et cetera. So the pace of society and the pace of technology kind of builds off of cybersecurity or builds into a demand for cyber security. And that’s why right now, the way the market, the market and here I say like the demand for cybersecurity professionals and educational professionals and so forth, is it’s possible to go straight from a PhD to a professorship. That’s what I did.

Katie: [00:08:04] Sure, sure. Oh, absolutely. And you published a ton as a PhD student. You’ve published an amazing amount of research as a professor. Tell us about some of the work that you do and some of your favorite sort of innovation stories around your work.

Yan: [00:08:22] Sure. So we do a wide range of research with a very clear kind of area of specialty. Our lab at Arizona State really does research in almost every aspect of cybersecurity. To start with something that, you know, is… Was not traditionally an area of focus for me. We had a paper come out in October where we interviewed security engineers and security managers at companies and understood the contradictions between their view of the priorities for actual, you know, companies and academic institutions and government and so forth in ensuring security. Right? So this is kind of an important thing to understand, because as we develop secure technology, developing it is in some sense the easy part. You also have to get it adopted. You have to, you know, deploy all the chip readers, et cetera, et cetera, and convince people that this is important. And so that’s an area that traditionally I haven’t done and that we’ve been getting into. My area of strong focus has been binary analysis.

Katie: [00:09:41] Yes. 

Yan: [00:09:42] And the idea of course, is as… 

Katie: [00:09:45] Yeah. Break down binary analysis. 

Yan: [00:09:46] Yes.

Katie: [00:09:46] Because I think of several of the podcast listeners might be familiar with your field. I think especially folks tuning in from Def Con or other audiences. But I think there’s a large majority of people in the innovation community who maybe don’t really know the inner workings of what happens in cybersecurity.

Yan: [00:10:04] Sure.

Katie: [00:10:05] So, yeah. Tell us about binary analysis. 

Yan: [00:10:07] So let’s say I read a computer program. I sit down and I open up my development environment, or you don’t need the development environment to write software. You can open up a notepad and write software. A notepad. You don’t even necessarily need something that advanced. But I sit down and I write a computer program. Traditionally in the early 90s, let’s say when I was writing my first programs, when you write this source code, you know, you type up a file that represents what a program should do and then you use what is called a compiler to translate that into machine code. Ones and zeros that a computer understands.

Katie: [00:10:54] So much of what you do takes… I mean, the amount of knowledge, not just historical knowledge, but mathematical knowledge, understanding of computers in terms of their infrastructure as a methodologies to approach them. How do you translate the critical importance of your research to funding entities, to industry partners, to people who may not have that same expertise? Yeah, I’d love to know more about the kind of storytelling tactics you find yourself using. I love some of the metaphors you used when you were just describing it to me as, you know, PhD in English, you’re in a PhD in computer science. We sort of speak different languages, but. But, yeah, what what storytelling techniques you find yourself using, what you think is most important?

Yan: [00:11:44] So for me, the important thing is to convey how I feel about the subject. So when my grandma gave me that book. It wasn’t just informational, it was like opening a whole world. Right? So you’re reading about a world with very simple rules. Right? CPU works in extraordinarily simple ways. I mean, there are a lot of complexities, especially in a modern processor: out-of-order execution, a lot of memory caching, etc, etc. But really from a very high level, it’s extraordinarily simple. It pulls in bits and interprets some of them as what to do and some of them as what to what data to use while doing it. And then it does it. But somewhere at some point between the physical components that a CPU is made up of: logic gates and wires and et cetera. And the computer program, there’s some magical shift that happens, at which point we say, “that is a computer.” Because you don’t say that about a calculator.

Katie: [00:12:58] Yeah. Right.

Yan: [00:12:59] You don’t say that about. I mean, modern calculators, of course, are computers, but you don’t say that about like a simple circuit that will add two numbers. You don’t say that’s a computer, but at some point you say this is a computer. And then that point is when the computer can execute algorithms, arbitrary algorithms that you can express in code. It’s kind of – the concept was really explored academically by Alan Turing back in, you know, the middle of the last century. And there’s this kind of Turing barrier that a computer – that essentially defines when something that’s not a computer becomes a computer, that’s how I think of it. That barrier is magical. You don’t really understand, philosophically speaking, what suddenly changes. To have a machine start being able to execute algorithms. Right? We understand mathematically what a Turing machine is. And the difference between a Turing machine and other forms of automaton, so forth, other computational models. But philosophically, deep down inside, I feel there’s a similar divide between that, between a non computer and a computer, as there is between a computer and human, right? So in the push for AI, we are also facing this concept of: at what point does a very, very smart machine become sentient? And there’s no real answer, even philosophically, that we have. In a smaller way, there’s a similar question in the step from not computing into computing. To me, that point, that threshold is there’s some magic there. And the reason I do binary analysis is that it is as close as you can get to that threshold.

Katie: [00:14:57] Hmm.

Yan: [00:14:58] From the other side. From the computing side. 

Katie: [00:15:02] Yeah.

Yan: [00:15:02] That’s like the very core of computing is what is happening in your CPU, right on that level where if you go any further, it’s just a bunch of logic gates. There’s no magic there to me. And then but when you step back across the threshold and suddenly you’re talking about a machine that can emulate entire worlds where people spend, you know, dozens of hours playing or something like that.

Katie: [00:15:29] Yeah, yeah.

Yan: [00:15:32] So I try to convey that, in fact, I teach my courses from a very – from that very base level like bases and the very underpinnings, the foundations. That’s why I talk about the history of this and that’s why one of my classes… So I teach this kind of hacking course, essentially, where I teach students the various specific security issues that can occur at the binary level. And I start out with: this is what the binary level is. And we kind of go back into this is a logic gate and then we step across that threshold. And at some point, there’s this magic. So from the student perspective, one, I try to imbue this… appreciation for this area, for computability, for computing, right? And then. You have to go further, you have to make them passionate about hacking as well. About cybersecurity. So then from a certain perspective, you could view it for a very long time. Society did view hackers purely, let’s say, a nuisance or, you know, renegades or something.

Katie: [00:17:00] Yeah, right.

Yan: [00:17:03] And you see saw this. And as we established our early cybersecurity laws, the first Def Con I was at actually there was a security researcher that was talking about a flaw that he found in a certain document protection method. And he gave his talk on stage, of course, and to, whatever, the crowd at Def Con. And then he stepped down and he was arrested right there.

Katie: [00:17:30] I was. So this is a burning question that I have about your field, your work. How do you make the decision on what to share, what to publish, what not to share, whether to reveal your identity or not if you’re doing this kind of work?

Yan: [00:17:46] Right. There definitely are anonymous security researchers, for example. Right? There are even anonymous security researchers in that show up in academic work. I’ve read a paper….

Katie: [00:17:58] Fascinating.

Yan: [00:17:59] That word author list, of course, you have. You know, in academia, authorship is our kind of currency, essentially. So…

Katie: [00:18:08] Yes.

Yan: [00:18:09] So you have your author list, and one of the names is Anonymous. And that’s really interesting because there’s you know, as you said in the beginning, you looked at my publications and those publications are my Google scholar profile or whatever, because I’m an author on there and then and that.

Katie: [00:18:29] Do you have any anonymous publications? 

Yan: [00:18:33] I wouldn’t – I wouldn’t admit to that. And then the media has to work both ways in order to not be able to tell from the publications the person, but also from the person to the publication. But…

Katie: [00:18:47] Well, yeah, tell us how this term, this hacking, you know, today, I think hackathons are very popular inside innovation communities. I see them, we see them all the time. It’s an expectation. It’s a playful kind of invitation to solve big problems, to sort of use the power of hacking for good.

Yan: [00:19:07] Yeah.

Katie: [00:19:08] How has that transformed? And I mean, I’m sure there are still connotations of fear around it as well.

Yan: [00:19:14] So hacking has two meanings. Right? And there are actually two kind of competing meanings. One meaning of hacking is hackathon, right? And that is. The more the meaning that you hack something together, right? You grab something that was meant for one purpose. You grab something else that was meant for purpose B and you put this thing for purpose A, thing for purpose B together to accomplish C. Right? And that is what generally hackathons do.

Katie: [00:19:49] Gotcha. Computer and art and computer science. Right. It’s still inside the world that you live in?

Yan: [00:19:56] But you. Well…

Katie: [00:19:57] I’ve seen other people do it in playful ways. Yeah. Just like sort of with art.

Yan: [00:20:01] Right. Exactly.

Katie: [00:20:02] Creation…

Yan: [00:20:03] In that perspective, you could have a hackathon of engineering. Right?

Katie: [00:20:06] Mmhm.

Yan: [00:20:06] You can have a hackathon of dance. Yeah. Yeah. Or for sure… you can have a hackathon of film. You take two, or you know, some number of films together and you hack them together.

Katie: [00:20:18] Gotcha.

Yan: [00:20:18] You sploosh them and end up with some interesting result. Right?

Katie: [00:20:23] Is the term hackathon used in your world? 

Yan: [00:20:25] No. 

Katie: [00:20:26] OK. OK.

Yan: [00:20:27] So we operate on the second level of hacking… or, the second meaning of hacking and that is you know. When you hack into something, right? That is.. You take, yeah, you take something that is meant for a purpose A, and by approaching it in a way that it was even possibly explicitly intended not to be used. You turn it to purpose B. That is a much more… That’s the cybersecurity meaning of hacking. It’s breaking into computer systems or breaking a system in a way that you kind of realign it to a different purpose. That could be, you know, breaking into, you know, some large companies credit card processing system to turn it into a credit card harvesting system. Right? And so forth.

Katie: [00:21:33] Again, the powers of good or evil. 

Yan: [00:21:35] Right.

Katie: [00:21:36] Do you teach ethics in your program? 

Yan: [00:21:38] Yeah. We… every class has to have at least an ethical component or really should have an ethical component. Right. These are kids we’re teaching and sometimes they don’t think things through. So you have to be very explicit.

Katie: [00:21:58] Cause you know, our pathways are still deepening.

Yan: [00:22:00] Yeah, you have to be extremely explicit. I’ve seen in the area like of CS, not necessarily ASU, kids do something stupid and get expelled and really set back their success like that.

Katie: [00:22:18] And even some of the most famous founders now like Zuckerberg, sort of got off to what’s the word? I don’t want to say a rough start because it’s also kind of the thing that proved his capability. But, you know, hacking into Harvard’s system at the time.

Yan: [00:22:38] Right. 

Katie: [00:22:38] So… 

Yan: [00:22:38] Yeah, it’s a balance, right? You want to. You need a net to kind of catch these kids and make sure that, you know, they don’t get thrown in jail. It’s the same reason. Like you have universities running their own police departments. Right. And when I was a college student, I was outraged that the university is somehow I felt this was an oppressive thing. Right. But then I realized that the university police departments in part exist so that they can kind of slap you on the wrist without this being a bigger problem. And we have something like that in academic cybersecurity. Right? You have you know, you have the kid that breaks into your grading system. And…

Katie: [00:23:29] Has this happened to you personally as well?

Yan: [00:23:32] Well, yes, actually. So I recently created a platform for cyber security…

Katie: [00:23:37] Did that student get an A? 

Yan: [00:23:38] Yeah. So here’s what I do, actually in part to teach this ethical hacking lesson, I created a system that kind of underpins my course. It is a practice makes perfect based concept where as I teach concepts of binary security, it generates program specific to the student and like customized, so no two problems are the same, utilizing these concepts so that people have to exercise what they learned in practice.

Katie: [00:24:20] OK.

Yan: [00:24:21] And we know that the course I teach right now, my main course has like eight or nine modules going from: this is how you use the command line on a modern computer to this is how you break into what’s called the kernels. The very core of your operating system, you know, and all the steps in between. And it’s run on this cloud-based system where students can connect that a lot or generate a challenge for them, they can solve the challenge. When you solve the challenge by hacking the system, you get access to a file that you don’t have access to when you just connect up before solving the challenge. And then that file has a password for you to redeem for grades.

Katie: [00:25:07] OK.

Yan: [00:25:08] So that’s the standard.

Katie: [00:25:11] That’s incredibly fun.

Yan: [00:25:13] Yeah, it’s and it’s really “capture the flag” applied very clearly to education is exactly the format actually that cyber security competitions take. So when we create prompts for DEFCON, it’s the same concept. You have a complex, much more complex, of course, computer system that runs that that we deploy and run and competitors have to break into it and steal information and exchange that information for points.

Katie: [00:25:43] Well, one of my most vivid and favorite memories as a kid was being at summer camp in the middle of the woods, breaking up into teams and playing capture the flag and hiding your flag so that no one could find it, creating a jail, you know, trying to break through without anyone seeing you cross the perimeter or grab the flag and run back. So tell us about how that game style or that gaming sort of method is used inside the world of hacking. So this is why I would ask you tell us about the order of the overflow.

Yan: [00:26:15] Right.

Katie: [00:26:16] If you can. 

Yan: [00:26:18] So…. So. 

Katie: [00:26:18] How mysterious is this organization? 

Yan: [00:26:20] I think it’s fairly… 

Katie: [00:26:22] I am just teasing you!

Yan: [00:26:22] Exactly. We have some anonymous people on it, not Anonymous, the hacking group, but anonymous, you know, not publicly identifiable. So we have – we started out, you know, I started out playing with Shellphish and so forth during my PhD. And then I became, just through sheer enthusiasm for CTF, I became the captain of the team and then I graduated. And this is graduation is kind of a very traumatic experience. Right. So you spend all this time in a lab. You live in the lab. Right? If you… You can do your PhD ride in two ways. One, you can maintain a good work-life balance. I have a friend that at 5 p.m. he gets up from his desk and he goes home and he does his PhD like a good employee at a good at a job. He shows up at 8:00, he leaves at 5:00 and he does the PhD. But while he’s there he’s doing the PhD.

Katie: [00:27:31] Yes.

Yan: [00:27:31] Or you can. And that’s a good way to do it. Another good way to do it is you just live in the lab.

Katie: [00:27:39] Mm hmm.

Yan: [00:27:39] And what this means is you work in the lab, but you also don’t work in the lab. Right? And so that’s what I did. And when you do it that way, graduating is great because you’ve accomplished something amazing. You have you know, you have a PhD and everyone starts calling you doctor and so forth. But it’s also extremely traumatic. Suddenly, you’re essentially kicked out of your home. You know, I lived in that lab for seven years. There were times when especially during the Cyber Grand Challenge, when I would just be in the lab 20 hours a day, literally, and I would go home and I’d sleep for four.

Katie: [00:28:16] Yeah.

Yan: [00:28:18] And, you know, I passed on the torch of captaincy and Shellphish. And I was at Arizona State trying to kind of train people up and hacking there, along with my awesome colleagues, of course. And then this opportunity came around and that the organizers of Def Con CTF, retired. Organizers retire roughly every five years or so. It takes a lot to run and you really want to maintain freshness, right? So you get fresh, enthusiastic people every five years. That’s great. So the organizers are retired and there was a search for organizers. And I thought, “I want to do this.”

Katie: [00:29:07] This is what my life has been working towards, at this point.

Yan: [00:29:09] Exactly. Exactly. This is incredible. So there was this joy within, you know, just continuing to play with Shellphish, operate at the height of the hacking world as a participant or move into that role of an organizer of the person pushing and guiding the field. Yeah. And I felt that that was a very good role from an academic perspective.

Katie: [00:29:40] Yes, absolutely. It really models how you’ve described the way that you learn to embed values and teach students and mentor students into this field. So it’s kind of neat to see your transition from PhD student into professor also kind of transformed how you engage at Def Con and the impact you make there.

Yan: [00:30:01] Yeah. Yeah, exactly. 

Katie: [00:30:02] These competitions are fierce. I’ve watched – I watched some YouTube videos. It’s really fun to go on YouTube and look at Def Con CTF and see some of the ways that it works and some of the strategies, just like it’s neat to see. It’s a lot of like young people talking about what it’s like. And I think they’re still kind of a hush hush-ness even on those videos to not reveal too much. You don’t want to reveal too much about your strategy, because then someone else might hack that next year. So… 

Yan: [00:30:33] Yeah. And then not even next year. I mean, we’ve had… There have been social engineering attacks during a game. We had teammates that, for whatever reason, didn’t look like hackers and they would just walk around and they would, you know, oh, what are you working on? You know, they would sit down and start, you know, talking to the other teams and other teams would be like, oh, yeah, we’re doing blah, blah, blah. 

Katie: [00:31:00] Oh, my. Oh, human hacking? 

Yan: [00:31:03] Human hacking. Absolutely. I mean, no other. 

Katie: [00:31:05] It’s an old archaic art form. 

Yan: [00:31:08] Exactly. It’s always the weakest link. There are teams that did even crazier things. I’ve heard of people like cutting network cables and splicing in to… 

Katie: [00:31:19] Analog hacking! 

Yan: [00:31:19] Analog hacking. It happens a lot. One year when it was still legal. Now, this is illegal. We had a – we had a little robot that would spin around the wireless antenna. And as it spun the wireless antenna, it would perform what’s called a De-authentication attack. So it would talk to your wireless card and it would pretend to be the access point that, your wireless access point, to say, “oh, shit, you’re disconnected now” and then your computer would lose Internet. Right. And so every three seconds, we would disconnect every single person around except for us. 

Katie: [00:31:57] Oh, my gosh.

Yan: [00:31:58] From wireless. And there were teams that were relying on wireless Internet. And we would, you know, the next day we walk around and there is one specific team that they had all brand new matching wired network cables because they just they couldn’t deal with that disconnection anymore. 

Katie: [00:32:16] So frustrating. 

Yan: [00:32:17] Yeah. And so actually the next year …. So that was the last year that was legal. Now, do these De-authentication attacks count as jamming, which is not legal in America. 

Katie: [00:32:28] OK.

Yan: [00:32:29] So yes, it did. There are all of these hacking things. But anyways. We decided to go for it. Me, my colleague Adam at ASU, a fellow professor. We sat down and we were like, “All right, we’re going to do this. There’s gonna be an awesome way to contribute to the community, an awesome way to also evangelize to people that, hey, ASU is serious about cyber security.” Right? And then I can actually elaborate on that because we wouldn’t be able to do this without the support of a lot of entities inside Arizona State University.

Katie: [00:33:11] I was going to ask you. You know, so. So the heart and soul of this podcast is to think about the role that storytelling plays in the speed of innovation. How did you get buy-in at an academic institution for leading the world’s most competitive hacking game? 

Yan: [00:33:33] So, our roles as professors is education, but it’s also the development of the future of the field and the way you do that is through research and through what’s called, lumped under service. What you do is you form committees that decide the proceedings of conferences. Right. So the publication process is actually fairly grueling. You write your paper, you submit it, and then some double-blind. So anonymous group of reviewers say your paper is crap and then. 

Katie: [00:34:13] You revise and resubmit. And you do that again, then a year later it’s out.

Yan: [00:34:16] Exactly. And so it’s so that anonymous group of reviewers that they’re typically professors in the field. And we presented this in a very similar way. The university said, look, we want to. Push forward the state of the art of applied cybersecurity. And we want to do this because it will demonstrate that what we are doing here at ASU is really leading the field. 

Katie: [00:34:41] Yeah. 

Yan: [00:34:41] Right? And so suddenly you have not just publications coming out of it, which is awesome. Not just real-world applicable prototypes and tooling, which we also try to focus on at ASU, which is awesome. But you also have this event, this very unique thing that is kind of the world championship of hacking. And ASU can help make this a reality. And the amazing thing about ASU is, it’s… So ASU starts off as the new American University and this originally meant a difference in approach to admission. Right. So ASU actually tries to admit as many people as possible. We are, I think, the only university whose demographics exactly match the demographics of the state of Arizona. Right. So minorities and so forth… 

Katie: [00:35:41] Prioritize inclusivity. 

Yan: [00:35:43] Yes, exactly. Extreme inclusivity. There are students that I have they’re brilliant that could only go to college because. Because of ASU. Right. Which is just super cool. And it’s challenging on the face of it. A typical university. They actually want to be exclusive. Right. Because also part of the measure of university rankings is how few people you admit. How low your admission rate is. So it’s… The lower the admission rate. It’s not the only measure, of course, but it is a measure… 

Katie: [00:36:16] It impacts your overall score. 

Yan: [00:36:18] Yeah, yeah. Yeah. And so so it’s a different approach. But but as part of this reevaluation of what it means to be a university. ASU also has looked at, what is the place of a university in its society? Right. And this is, I think, a perfect opportunity to show what place a university can take in a society by helping lead this event. And the event is, I mean, incredibly complex to organize. I mean… 

Katie: [00:36:51] I can’t even imagine. It’s…. 

Yan: [00:36:52] And not just… 

Katie: [00:36:53] Even deciding how to structure the game itself. But yeah. Yeah. 

Yan: [00:36:57] Yeah. I mean, everything. So you have just insane amounts of complexity. I think Def Con CTF, just the CTF takes something like one hundred fifty thousand dollars a year to run and Def Con the conference… 

Katie: [00:37:12] How many hours, do you think, collectively, for the organizers? 

Yan: [00:37:14] And that’s not counting the hours…collectively for the organizers, we basically don’t exist for the month of July, June and May. Right. It’s just, just we don’t exist. 

Katie: [00:37:28] Yeah, yeah. 

Yan: [00:37:29] If we take April kind of off at the beginning of April is the qualifying event. Right now we don’t exist. We’re just preparing the qualifying event. Right. Like, it’s and there’s about a dozen people on the Order of the Overflow. And they’re not all ASU. It’s just… Me and my colleague, we have a couple of students at ASU and then there are these kind of mysterious other individuals… 

Katie: [00:38:02] How do you collaborate virtually on something so important without the fear of getting hacked? 

Yan: [00:38:07] Yeah, it’s I mean, what I like to tell people, which is completely false. And then just it’s just bravado is as “we are the people that people should fear.” You know? So I have students that are nervous to go to Def Con like “Yan, and I don’t know if I should take my laptop. I don’t know if I should ahhh.” No, don’t worry. You are who they should be afraid of. But it’s just kind of… 

Katie: [00:38:31] That should be the slogan for today. Exactly. It should be right. 

Yan: [00:38:34] Exactly. At some point you, you just, just say, you know you only live once yolo it all the way to Def Con. So that’s, that’s how you collaborate. 

Katie: [00:38:45] Yeah. Yeah. It’s really, it’s so incredible. I’m thinking, you know, just a couple of takeaways as we wrap up. Are: you got buy-in from the university by aligning that work with the overall mission of the organization. That is applicable to innovators or hackers within industry, within academia, within… Anyone who’s operating inside of any kind of culture organization, figuring out what the mission is and making sure there’s alignment in how you’re pitching that possibility and that idea.

Yan: [00:39:16] But you also need the institution. So there are two parts of that. There’s the kind of innovator. So to say, like the person that is making the pitch to the institution. But there’s also the institutional part. And we got really lucky again at ASU. We had the institutional part, and so many different parts of ASU helped out. The kind of core one is what’s called the Global Security Initiative – GSI. And it’s a part of ASU whose goal is to increase the real world cybersecurity, security in general, but this and this, of course, cyber security impact of our research and our work at the university. I mentioned Def Con CTF takes about one hundred fifty thousand dollars a year to run. Over half of that, Def Con the conference, actually provides. So, you know, things like hotel rooms, admission to the conference, that adds up quite a lot. But there’s things like servers, things like food, or the organizers, et cetera, that cost quite a lot as well. And ASU managed to, you know, somehow find funding for this so that, that’s been incredible. 

Katie: [00:40:36] Yeah. Definitely. 

Yan: [00:40:37] What I would say to that comment, that innovator takes two to tango, kind of. Right. So you have the innovator needs to align the mission and show how this can move forward. But you need. To either have an institution that or an organization that will meet you in the middle or you need to make that place within your organization.

Katie: [00:41:08] I love that. I love that advice. Do you have any other advice for, you know, for professionals or young professionals? Or students who want to become hackers. Do you have advice in terms of how they can communicate that desire? How….? Yeah, I guess I’m just curious if you have advice for them as they also figure out not just the art form of hacking, but the communication that’s involved in doing that well. 

Yan: [00:41:39] Yeah, that is a very good question. There are three things I would say. One is to keep in mind that the world isn’t just cyberspace. One of the biggest limiting factors I would say that I see is: people that focus 100 percent on the virtual and forget that they live in meet-space. Right. And with, you know, with other people. Shellphish wouldn’t have been the biggest, you know, the longest running the coolest CTF team. If it wasn’t for a collection of individuals that weren’t just proficient hackers. But were also proficient human beings. Right. So, you know, my advisor is a great example of this. He’s super capable of creating this social environment that allows Shellphish to thrive as well. And other teams don’t. You have teams, and I’ve seen them come and go, that, you know, a collection of super good hackers who never talk to each other and never talk to other people who never, you know, propagate their skills. And then when they stop hacking, the team is gone. And that’s also fine. Right. Maybe, you know, this coming and going….

Katie: [00:43:05] But it could kind of slow down the industry overall.

Yan: [00:43:08] Exactly.

Katie: [00:43:08] Like the community overall and the progress of innovation.

Yan: [00:43:11] And so there are people.

Katie: [00:43:11] Memory gets lost, then if you don’t… 

Yan: [00:43:13] The memory gets lost. There’s no … there are people that have that went to UCSB because of Shellphish. Right? And that’s how you start, you know, pushing forward the community. And I hope there are people that in fact, there are people that have come to ASU because of the Order of the Overflow. And that have gone to. I mean, like I said the Order of the Overflow is not just ASU. We just happen. We created there. But I mean, I have colleagues, fellow professors, that are also on the Order of the Overflow as far as [unclear wording] and France, right?

Katie: [00:43:49] Yeah yeah.

Yan: [00:43:50] And so forth. Two is that you can actually start hacking now. Right? You don’t need a formal education. And I’ll now give a caveat with number three. But you don’t need a formal education. I started hacking in high school, right?

Katie: [00:44:05] Yeah.

Yan: [00:44:05] You can look up enormous amounts of material online. One thing that’s coming down the pipeline is this class that I described earlier. I’m actually making it available for free online, including already the exercises are online, but the lectures are just in slide form. So I need to record lectures and put it. But that’ll be like a turnkey resource to just roll forward with binary security.

Katie: [00:44:36] I’m happy to share a link to that course in the Show Notes.

Yan: [00:44:39] Oh, sure. Absolutely. It’s also very easy to remember it’s so there’s a term for exploiting something, PWNing. And that’s P.W.N. from I think “owning” you know, “I own that server.” So I PWNed it. So PWN.college – PWN dot college. Super easy to remember, too. 

Katie: [00:45:03] Awesome. And sort of like I said right now all the exercises are up but not the I mean and all the lecture notes. But, but that’s still hard to approach so, over this next semester, I’ll record everything. And put that online. But there, that’s just one thing. There are a million different resources on how to start hacking. 

Katie: [00:45:24] I think there’s an association that most hackers are guys.

Yan: [00:45:27] Mm hmm.

Katie: [00:45:29] Culturally. Your mother and your grandmother were the people who sort of introduced you to this world… I am really fascinated by that. So do you see that culture? Is that true of the hacking culture? Do you see that changing? What are your thoughts on some of the gender disparities?

Yan: [00:45:45] Right. So I would say, first off…. Also, to be fair to my dad, because he listens to this podcast, if he feels he is excluded. My dad really… 

Katie: [00:45:55] Shout out!

Yan: [00:45:56] Encouraged me to move in the direction of cybersecurity professionally, I… I didn’t actually believe that you could do it as a living and you know, back when I was graduating college in the mid 2000s. It wasn’t very clear that you could. Right?

Katie: [00:46:10] This was all forming.

Yan: [00:46:11] So he said, “This is the future. You should go for it.”

Katie: [00:46:13] How did he know that? 

Yan: [00:46:15] He was also in the computer science area. My dad’s a mathematician, but, you know, he drives within more applied and less applied math. And the more applied math tends to be computer science.

Katie: [00:46:30] And did you grow up in Russia and then move here?

Yan: [00:46:32] I moved here when I was eight. So I had my very early childhood in Russia. And then I grew up in Arizona. 

Katie: [00:46:38] Okay. 

Yan: [00:46:39] Yeah.

Katie: [00:46:40] We got the dad shout out in. 

Yan: [00:46:41] Exactly. We got a dad shout out. So you’re absolutely right about that perception. And it’s a major issue. So as a whole, computer science, I don’t have the exact numbers, but it’s something like 90 percent male. And cybersecurity specifically is the worst of the subfields. 

Katie: [00:47:01] Really? 

Yan: [00:47:01] It’s something like 95 to 98 percent male. In the entire competitive hacking community. Let’s say at Def Con CTF last year, there were probably. So there were 16 teams that made it to finals. Each team had, on average, let’s say, 12 people. Of that whole group, hundreds of people, there were probably four girls.

Katie: [00:47:37] Yeah. 

Yan: [00:47:39] And that’s pretty bad.

Katie: [00:47:42] Yeah. Yeah.

Yan: [00:47:44] So it’s something that the community is really struggling with. There are things individual people can do to make a difference. One thing is explicit outreach to underrepresented groups in computer science. And actually, it’s even worse than just a lack of women in computer science. There’s just a lack of… 

Katie: [00:48:11] Diversity?

Yan: [00:48:12] Diversity in general.

Katie: [00:48:14] Yeah. Is it mostly Caucasian? 

Yan: [00:48:18] I would say in every major area, it’s mostly that major area. Right. So in the U.S., the community is I would say it roughly follows the demographics of higher education. Minus for some reason, women, which is bizarre because most of the early names we talked about were women, Ada Lovelace, Grace Hopper, etc., they created this field and then the field became dominated by men somehow. And there are a lot of reasons for it. There are reasons that I see that are very, very clear, stupid reasons that are extremely frustrating that fall under this horrible category of, you know, boys will be boys or whatever. Right. Where you get a group of men. And so it’s unclear how that started. But now it’s propagated. You get a group of men together in a hacking team and there are, you know, non-inclusive jokes flying around and et cetera, et cetera. And it’s something that’s…. 

Katie: [00:49:26] Even the culture can be exclusive. 

Yan: [00:49:29] Even the culture. And so when I said that. You can’t ignore that you’re in a human space when you’re hacking. It’s not just a virtual space. That’s one of the things I mean. It takes work to make sure that your hacking team is not a team where, you know, inappropriate comments are…. Go lightly. Right.

Katie: [00:49:58] Absolutely.

Yan: [00:49:59] And it’s very easy to stumble into a place online where that is the case since if… Hacking teams really live online. There’s some. There’s some correlation between, you know, living mostly online and… 

Katie: [00:50:16] Trash talk.

Yan: [00:50:17] Trashed trash talk. There is OK trash talk, you know, but then there’s not OK trash talk. 

Katie: [00:50:24] Yeah.

Yan: [00:50:24] And the not OK trash talk is really, I think, what really harms inclusivity. And honestly, just that makes a big impact.

Katie: [00:50:34] Yeah. Absolutely. 

Yan: [00:50:35] I think at ASU in our group, and I should have these numbers, but I don’t have them off the top of my head, in a group of roughly 50 researchers, let’s say, we have something like eight or nine female computer scientists. Right. That is unheard of numbers in cybersecurity. Right. I would say out of the big labs that I know of and I don’t know the exact makeup of every big lab in the world, but out of the big labs I know of. We have probably the most gender balance, this eight or nine out of 50. I mean, that’s horrible. 

Katie: [00:51:09] Right.

Yan: [00:51:09] Right. But for computer science as a whole. 

Katie: [00:51:11] Yeah. 

Yan: [00:51:12] Yeah. Almost 20 percent. This is crazy high.

Katie: [00:51:15] So do you call yourself a hacker?

Yan: [00:51:17] Yeah, absolutely.

Katie: [00:51:18] Don’t wait for someone else to. 

Yan: [00:51:19] Yes.

Katie: [00:51:20] Put that badge on.

Katie: [00:51:20] Yes.

Yan: [00:51:21] I think that’s true for all innovation. So for me as a writer too. Do call yourself a writer. If you sit around and wait to be awarded an award or be published in your perfect journal. That’s not… 

Yan: [00:51:34] Exactly. Yeah, I think it goes for everything and goes for hacking. Absolutely. I started hacking in high school with no real formal training or anything. I had an awesome high school computer science teacher who introduced me. 

Katie: [00:51:53] And your mom, too. 

Yan: [00:51:53] Yes. Yes. And my mom and then my grandma and so forth. In terms of your grandma was also. No, she gave me that book. My grandma is a mathematician.

Katie: [00:52:03] Well, that’s pretty close. 

Yan: [00:52:04] But, yeah. Exactly. And. And, you know, I was, I just kind of rolled forward on my own, and you can totally do that. There’s some magic, but it’s magic that no one understands. Not even the experts. Right. So you just… 

Katie: [00:52:22] I love that. 

Yan: [00:52:22] So you just start pushing in. The third thing I would say. And you can kind of see it from my trajectory is I was able to start on my own, but I wasn’t able to finish the trajectory into a hacker on my own. For that, I needed to go to graduate school. And what I would say is, if you are out there and there was some excitement that you had about computing, about hacking, or even about just anything to do with computers. And this applies to any field, really. And you kind of lost that or you it’s a little elusive as you’re, you know, finishing up your undergrad and looking at the real world or you’re at the real world. And, you know, looking at your nine to five… Think about grad school, right. At ASU we’re always looking for students. In fact, with the demand in cybersecurity, everyone is always looking for students. But there are these. Institutions that are very committed to this real world applicable thing. Like ASU, right? One thing that we have, and I don’t mean this to be like a sales pitch. What I started at Arizona State is an apprenticeship program. So if you are interested, just shoot me an email. We have basically an open program where we bring promising people in for a research apprenticeship.

Katie: [00:54:07] Awesome.

Yan: [00:54:08] Someone reaches out and they say, hey, I want to know what it’s like to do cybersecurity research to compete in CTF with top hackers… My students still play every CTF. I play every CTF. That’s not a well, not every CTF, but I play CTF that aren’t Def Con qualifiers because that’s a conflict of interest otherwise. And so you can shoot that over this email. And we have a program where you basically come in for six months. You’re paid as a graduate student, but it’s low risk. You just try to understand what research is like and if it’s good for you and then if it is, then you can apply to grad school.

Katie: [00:54:49] So how can listeners get in touch with you?

Yan: [00:54:52] yans, Y A N S @asu.edu or.

Katie: [00:54:56] What social media? Are you on social media much? 

Yan: [00:54:59] Yeah, mostly Twitter.

Katie: [00:55:00] Yeah. 

Yan: [00:55:00] So if you want to get a hold of me, Zardus at Twitter, Z-A-R-D-U-S. 

Katie: [00:55:06] Awesome.

Yan: [00:55:07] That’s my hacker handle.

Katie: [00:55:09] Yan, I am so excited about everything we talked about. I think that the innovation community is hungry to know what’s going to happen next in cybersecurity. It’s a top innovation industry. I – it’s really cool to hear all the under workings and the sort of playful culture that exists within it. I think that’s a really unique aspect of that particular industry. And so thank you.

Yan: [00:55:34] Yeah, absolutely.

Katie: [00:55:34] For being on the podcast. 

Yan: [00:55:34] Happy to be here.

You can listen to more episodes of Untold Stories of Innovation Podcast.

*Interviews are not endorsements of individuals or businesses.