All right. Well, welcome everybody. Thank you for joining our talk today. We want to give you some perspective on what it's like being a hacker, working in government, working for a corporation, working in the sense of getting academics and degrees, and all the goods and bads that go with it. So hopefully this is not your typical workforce talk, but give you some exposure with actual people who are doing things and have had those experiences and a diverse set of experiences internationally and the different backgrounds that they have. So we really appreciate you being here.

My name is Steve Luzinski. I am the chairman of the board for the nonprofit side of the Aerospace Village, and I've been a part of the village for a while now. Previous life, I was an Air Force Fighter pilot, got into cybersecurity. I've thoroughly enjoyed that. And in the private sector, I was a Chief Information Security Officer and continuing to work with the village throughout that time. So very much enjoying all of those things. So what we'll do today is I'll let all of our panelists, I'll have them go around and introduce themselves and give you an idea of who they are and where they come from and then we'll jump right into our discussion. So Thomas, how about you lead us off?

Okay, hi everyone. My name is Thomas Bristo. I'm currently a Cybersecurity Certification Specialist for the Civil Aviation Authority. I'm currently based in London.

Awesome, Jenny?

I am a current master's student at Royal Holloway University. I'm doing my master's in Information Security here in the UK.

Awesome, and I know Jenny has a connection because your mom is also doing a talk with us in the village again this year. So thank you for that. Declan?

Hi, yeah, so I'm Declan Sealy. I'm from the Northeast of England and I'm a Cybersecurity Specialist for the Aviation ISAC.

Awesome, and Olivia?

Hi, I'm Olivia Stella.
I'm a Cybersecurity Engineer in the Intelligence and Space Research Division at Los Alamos National Laboratory.

And previously, what aviation work? There's a connection there. I wanna make sure it gets out.

Definitely. I used to work at Panasonic Avionics and American Airlines.

Awesome, awesome. So good, again, diverse crowd, diverse backgrounds and going from there. So we'll jump right into it. Everybody's journey getting here. So I told you from my background, flying experience, cybersecurity, and then just being able to combine both of those with the village is something that I thoroughly enjoy. And I will say, we talked about this as a group, favorite superhero or superpower. I actually don't wanna just be the guy flying around. I like the Doctor Strange, different powers, teleport, time travel, and try to do interesting things with that knowledge in a good way. That is what I would say is my favorite superhero and superpower. Jenny, how about you?

For superpowers, I'm a fan of like the Green Lantern. There's also the Blue Lantern, which is just a corgi that is such a good corgi that it makes everyone do amazing things. I've gotten into this because as you mentioned, my mom is involved in network analysis to the extreme where she tried to teach me the OSI model while I was nine and that didn't go very well, but I got into it eventually.

I'm still struggling, so I may have to talk to both of you after this. What's your area of specialty in cybersecurity field or what you're studying right now?

So I'm currently very deep into both DTN and also encrypted DNS. Those are my areas of interest.

Nice, awesome. Thomas, how about you?

Oh, I've gotta go for a fun obscure one. My personal favorite, I think, is Squirrel Girl, who somehow, despite having some of the silliest powers in Marvel, is able to beat some of the strongest supervillains out there. I think she beat Doctor Doom at one point.

Nice. What got you into cybersecurity?

It's quite funny, actually.
So I started off at university and just randomly the university emailed about this bursary scheme called the CyberFirst bursary scheme. And I thought, oh, that looks quite good. It gives 4,000 pounds a year. I might as well try signing myself up for that. So as someone with dyslexia, I'm not very good at applications. So I got my mom to help me put in an application to them. And long story short, I got onto it and eventually got both internships and got my placement here.

Nice. And is there a particular area that you focus in your work at CAA?

Right now, I think it's threat modeling is my very, very key focus, but all of it's more on the governance level. So a few abstractions from most things.

All right, gotcha. Olivia, how about you?

My favorite superhero, I consider her a superhero, is Agent Scully from the X-Files. That was my favorite TV show when I was growing up. And it actually was the reason why I got into cybersecurity in the STEM field. I wanted to be a part of the FBI. So the quickest way to do that was to have a degree in some sort of science field. So I was like, okay, I'm gonna do computer science. And I found a program at my local high school so I could do that. So I was just like laser focused on doing computer science.

Nice, thank you. And Declan, how about you?

So superhero superpower, I'm gonna have to go basic. I'm gonna have to go to fly. I'm trying to teach myself how to do at the moment. And it's just, yeah, it's getting, I've been into sort of flying in aviation since I was very young. So it's all like a logical progression. Sort of getting into sort of the cybersecurity stuff and this stuff. For me, it started off just before I joined university. We were teaching myself, I bought a bunch of like study guides for CEA, CISSP, a bunch of different ones. Taught myself those. And, you know, it was a good base. Eventually ended up dropping out of university doing some security research and then got into where I am now.
And it sort of, that's led into sort of my key responsibilities. So at the ISAC, I did sort of specializing in vulnerability hunting and disclosure management to engaging with security researchers and things. So, good fun.

Nice. And you have a talk about vulnerability disclosure in the village this year too, right?

Yes.

Awesome. Even better. I appreciate that. So we've alluded a little bit to your backgrounds personally but not where you are and what your organization is. So I'd like to open up the floor whoever would like to jump in. Where do you work right now? What are the, you know, what's the big picture of what that company, organization, whatever it is does and your role in that? Who'd like to start off?

I'll start off. So currently I work from home. I've only been in the office three times just like everyone else. That's all right. But the CAA currently, I think they have an office right next to Gatwick. So I just drive down to there. But their main like mission, they always call it a mission is always to basically help keep aviation safe for the public as well as trying to make it cost effective. So that we aren't just putting in so many regulations that it's gonna cost an arm and a leg to fly somewhere or it's gonna cost an arm and a leg to buy a drone or something. So it's that balancing act.

And I think the good analogy is that's the UK side and the UK version of the FAA here in the States for folks who are keeping up with that. And I don't have other good analogies around the world but that is how we got connected between the village and the relationship between the two. So that's great.

Although interesting, sorry, interesting thing. The CAA unlike the FAA, it's an independent regulator. So while the government sort of give us regulations we're funded directly by industry.

Yeah, that is a big difference. Thank you for that. Who's next?

Yeah, I can jump in. Yeah. The aviation ISAC, Olivia's well-versed.
So the ISAC, I said, effectively we work as we're a non-profit and we work to sort of enable and promote information and intelligence sharing within the aviation industry as a whole to sort of protect everybody. And that's sort of the mission really. We do that in a sort of a bunch of different ways.

Yeah, it's very extensive and I've seen a lot of the work over the years. So good. Ladies, who would like to go next?

Jenny, you can go.

Thanks. I don't know if this applies so much as a university student but university obviously involved in a lot of interesting research. And then while on this degree I'm also trying to get involved in a bunch of working groups for things that I'm interested in. I'm involved in the technical documentation working group in the interplanetary networking SIG. I'm involved or I'm just starting to get involved with the DNS private exchange working group within the IETF. And there's a lot of really cool projects right now. So I have like my degree and four on the side.

Awesome. And is the, I know your undergrad is through Cal Poly, correct?

My undergrad is actually through Kingston in the UK.

Oh my gosh, okay. I keep thinking of how we've gotten connected through the other topics that we talked about. So all right, that's good. Olivia, over to you.

So I work for a Department of Energy national laboratory in Los Alamos and in the Intelligence and Space Research Division. My focus right now is on product security for cybersecurity and it supports our mission of national security, science, energy and environmental management. And what's awesome is that if you think about national security as a whole it covers a bunch of stuff. So to be able to throw in my aviation experience because aviation is part of critical infrastructure I'm hoping to lend some of the items that I've learned in the past towards the new types of programs I'm supporting at LANL.

Nice, absolutely.
So where you came from, where you are right now I think here's the important part. What's a typical day look like? And really let's get behind the scenes. It's not just a typical day but what are the things you really like about working where you are? You talked about why you got there. What do you really like about it? Cause there's plenty of good things but also on the honest side is what are the things you don't like? And probably the good things that motivate you to keep staying there and the other choices that you made but like to get your thoughts on that and give the audience some background and understanding of yeah, here's the goods and bads but if there's more goods that'd be nice to hear. Hopefully that's the case. Anybody want to jump on that grenade and start us off?

I think so. Yeah, you go first, Olivia.

My typical day is that there is no such thing as a typical day.

I believe that too.

Yeah, I don't care if you work for government or an industry just cybersecurity is so unique. The way that it's divvied up I can support several programs like I'm supporting a satellite program. I'm doing regular like operational infrastructure type work. So it just varies on whatever the needs are of the day. What I really like about the environment there at the lab is that they're so mellow. It's a great comfortable work environment. I've run the gamut of different types of environments whether or not it was government or industry where especially in commercial like you're trying to work on things. Luckily I'm not on an incident response team anymore. So I'm not getting calls on Christmas Day saying, hey, this thing got hacked or we think we might have a breach or whatever. But it's just nice to have like the regular day-to-day of supporting what goes on normally within our division.

Yeah, nice. And that is at a government lab. So the fact that there is the variety and a laid-back idea that I did not expect to hear. So that is good. That's awesome.
Thomas, I think you were jumping in before.

Yeah. So obviously, as Olivia said, there isn't a normal day. I've gone from doing careers talks to primary school students, to doing threat modeling, to phoning a load of air operators about what cyber requirements they're following and everything in between. I think definitely one of the biggest drawbacks, unfortunately, as I said earlier, I'm dyslexic. So reading isn't quite my forte. And unfortunately, there is a lot of reading when it comes to being a regulator because you've got to read all the standards and then I've got to read up on how airplane procedure is formed. So currently my next big threat model which I'm going to be tackling is going to be on basically the large aircraft. And I've got to look up how all those procedures work and what are common things within airplanes. But definitely some of the best things and stuff like the team I get to work with are absolutely incredible. So one of the best things in my day is sometimes I'll get a ping and it's the WhatsApp and so on to put a good meme on there.

And I think the important part of what you're saying is in all the things you just described, what you told me earlier is that you've only been there six months. You're now officially out of your probation and a CAA employee. So that's good news there too. So a lot going on in just a short time.

Yeah, it was officially this morning I got it.

Nice, congrats. Jenny, how about you?

So typical day with university is pretty self-structured especially this year for some reason. So there's a lot of defining my own schedule which is honestly something I really like about this year. And that also means that I get to be involved in individual projects that I'm excited about.
And one of the things that I wasn't expecting as much that I'm really grateful for is that there are so many cool projects happening and people are so willing to take you on board if you just say that you're willing to show up consistently on time and ready to help. And that's it. You can get it to some really cool stuff.

Life lessons, that's perfect.

For downsides, I'd say it does make sure that you tackle stuff from a whole bunch of different areas that you might not be as suited to each one as well as the last. And you might, for example, find that you aren't super into advanced graph theory. But end of the day, it's a small price to pay to find new subjects that I didn't know I liked before.

Yeah, gotcha. Declan?

Yeah, I really have to echo this, the sentiment that there's no generic day. There's a couple of routines I have when I get out, check the news feed, see if there's anything popping off from the day before and things. Usually it's just a matter of getting a text message when it is happening though. So one of my favorite parts of the job though is around my area of disclosure management. So getting to engage with a lot of different researchers from a lot of different backgrounds, different expertise, it's so interesting. And it's sort of led up to one of my favorite experiences which was we had a researcher contact us and we were able to get it solved within less than 24 hours from initial lowest to fully downward, which was, oh, I thought it was really impressive. But yeah, don't like, it's gotta be the hours, it's gotta be the changing of the hours, especially the rest of the team are American. It's a really small team as well, so there's a lot to do. We sort of share areas. So sometimes having to work like.

I can imagine, you're on the bad side of the time change in that too.
So what you said of one of the best things that you did and I meant to ask this earlier also to get your thoughts on what's the thing that you liked the most, what's the thing you're most proud of in what you've been doing? And again, that has been enjoyable in the role that you're in right now. Jenny, you wanna start off?

I think it's honestly been getting to work with working groups that there's been that freedom to kind of bring my university experience and help like with the interplanetary networking SIG, we've been working on this library project to gather all technical documentation around DTN, which is a lot, but because I've had the flexibility to do so much on that project, I'm gonna be the one who gets to kind of announce it. And that's very exciting to me. So yeah.

Yeah, that's awesome. Is that something only for folks like you that are going to school and being able to attach or is that open to others?

Nope, I just showed up and asked to help.

So you might have people asking you how they can get involved. So that's good to know. That's what I wanna make sure. Thomas, how about you?

Ooh, I think definitely the best thing is watching the impact of what you do starts like having its ripple effects. Like at one point, I think during my six months, I've made probably the biggest spreadsheet I've ever made of just different planes and all the things which are applicable to them. And now I'm starting to see as each member of the team is using this to basically just grab the bits they need and immediately help the aerodromes, the air operators. It's been really cool just watching how what you do has such a big impact.

So Thomas, I, as somebody previously in the government, back in the government right now, the fact that you see progress in only six months, that is a proud moment. So please keep doing those types of things, that's awesome. Olivia, how about you?
Similar to what Thomas said back when I was working more directly with aviation, I was supporting a security testing type effort for aircraft issues. And to see the ripple effect of like, we were one of the first to help sort of point out some items and I know Declan has a little more insight into what I'm saying. The aviation ISAC was like an amazing vehicle to help share that information in like a safe environment. And to see the ripple effect of other air carriers and vendors say, you know what, this is a thing we should be concerned about, that was pretty cool. And then moreover to what I'm doing in Los Alamos right now is to have my current management recognize, you know what, your past experience actually does translate and it works now. But the fact that they recognize that, it's been pretty amazing.

And that, is that a, I mean, I think it's a big jump going from an aviation focus to a space focus.

Oh, definitely.

You're saying there's still plenty of overlap and benefits there.

Yes, it's great as a starting point, but then I get a quick reality check of, that doesn't work in space, that only works through restrooms. I'm quickly learning what the differences are and I feel similar to a college student again that I have to start over in certain parts.

Yeah, yeah, I got you, I got you. So in the last few minutes that we have, I think the other thing I wanna make sure that would be valuable to our audience is what is your sage advice from all of your wisdom in the time, the path that got you where you are, what are the, if somebody wants to follow in your steps and do what you're doing, what would you say, yes or no about that? Are there huge mistakes? Yes, but do it this way, things to avoid and resources that they can look into to do things similar to what you've done. So I'll open up the floor to whoever wants to jump on that one.

Yeah, I can jump in here. So it's not coming from a, not a traditional sort of education background.
The biggest thing for me getting to where I was was getting involved with the information security community and industry long before I applied to many jobs. There's communities out there like the Many Hats Club and the Pixel Second things on Discord and other places were absolutely invaluable and you'd meet some awesome people on land so much and then the mistakes, don't make it your entire life, don't get burnt out, have other interests because you will get burnt out and it's important to sort of look after yourself that way.

Yeah, awesome. Who's next?

I'll go. So for the university path, I definitely think that if I wasn't sure that I would be able to branch out and look at individual projects in addition to my degree, I would not be in a degree program right now. I think that it's a great option to, force myself to look at all these different areas and be aware of my blind spots. But in addition to that, I do want to make sure I can kind of hone in and if I find a subject that's interesting to me, I wanna give it the chance to fascinate me possibly. Yeah, for advice, I actually was interested in possibly asking you Declan because you mentioned responsible disclosures as part of what you do. One thing that has been a bit of a challenge in the university setting is sometimes I will run into other students that are not so keen on responsible disclosure and a lot more into bragging. And I'm wondering how you would suggest dealing with that.

Oh, that's a difficult one.

That is a good one. So let me do this. That's a great teaser because Declan's talk, not only will he have his talk that he's gonna record, but he'll have the live Q and A. So that is a great question.
Either I either join it or Declan remember that because that's one you can throw out in the room in the Q and A and I'm with you because that is an issue that I think everybody has seen and there's been a lot of different approaches and I've seen it on the government side and I've seen it on the hacker side and just there's progress. That's the good news, but that is a great question. All right, Thomas, what you got for us?

I definitely say as someone who went down the university route as well, internships could be some of the best ways of getting just like hands-on information. I think my internship between my second and my third year was at Immersive Labs and there's quite a funny story with it where at one point I was working with a content engineer and somehow we took down half the website whilst we were just trying to work with some sort of lab and I believe it was between about five and seven front-end developers came up to our desk and were like, you've done something. Can you please go through the steps exactly what you've done? You've taken down half the websites.

Man. That is the intern did it, but that's actually an intern story. And the result of that?

The result of that was absolutely nothing. We got the website back up.

That's the cliffhanger. We can't end this talk with a, we took down the website and that was the end of the story. Thank you, I'm glad it had a good outcome. That's right, good. Olivia, to finish us off, please.

My piece of advice would be pretty much what everybody else has said. You know, you're not going to have to just roll into the thought of being a lifelong learner. So you need to have your education work for you. One thing I'm sort of frustrated still within this industry is that the onus of having a degree is still really, really large and I wish it wasn't because I know of some amazing researchers, hackers, just good industry professionals that don't have degrees and it shouldn't matter.
And I know it's going to take a while for the government space to change that, but I think people are starting to really see the value in that if you have that work experience, who cares if you have the piece of paper? And for myself personally, I never thought I was going to get an advanced degree after undergrad, but like Thomas said, I had an internship where they were like, hey, after you finish undergrad, if you get your masters, it's going to help you move up in the ranks. And now that I'm at Los Alamos, they are a huge proponent of education. So if you're looking for an environment, here's my plug. If you're looking for an environment where you want the freedom to continue to learn and do research, it is amazing. I actually got the opportunity to pursue a PhD and I'm going to do that in the fall at Colorado State within cyber physical systems and critical infrastructure. So make your education have a purpose and my research, the purpose of that is going to be help solving real-world problems that I've experienced within my past companies because I know even though I moved company, you may take the girl out of aviation, but you can't take the aviation out of the girl. So I'm still trying to find ways that I can give back no matter what.

Awesome, yep, the purpose, the focus. Jenny, you mentioned it before. Declan, you have the same thing, just a different path there and Thomas has some of the similarities. So thank you all, this is exactly, I hope what the audience is looking for and everyone can let us know that the live chat has been going the entire time so I'm sure there'll be plenty of questions and more to follow after this. I will put as the final closing comment other than thank you all for being a part of this. Hopefully you've seen over my shoulder the Blinky Things which is the DEF CON 28 2020 badge that we made and sold online and this year's DEF CON 29 badge which we have both of those for sale in the village.
Please, if you're on site, come visit us and if you missed out on the virtual sales, I'm sorry, we'll see what we can do to keep producing and we appreciate everybody's support for the work that we do and then time joining us today. So thank you everyone.

Thank you. Thank you.