
So hello everybody, um, welcome to our talk. Thank you for having us here at BSides Buffalo. Um, so there are two names. Um, I'm Quinn. No, I'm Brian. If your name wasn't Brian that could have worked, you could have owned it. Okay, um, so he is a professor at RPI, uh, I'm a student at RPI. We're kind of coming at this from two different angles, and it's talking about the CTF team at RPI, how we kind of rose from the ground to where we are now, and how to enjoy and fuel a passion for cyber security. So first up, my name is Quinn Kado, uh, I'm from Pennsylvania, I'm a rising sophomore at, uh, RPI and I'm
pursuing a dual degree in CS and IT. Uh, after school I plan to pursue a career in cyber security, that's why I'm here talking to everybody today. Um, and outside of school I like to read, I like to play with my dog, and yeah. Um, and I'm Brian. I am a professor at RPI. Um, I'm also the director of the cyber security research lab at RPI and the sponsor for the CTF team, um, as well. Um, what do I say here? Oh, I say when I grow up I hope to be half as good at cyber security as Quinn is. Um, and in the past life I really was a professional musician, so that last part's actually, um,
quite true. What instrument? Bassoon and contrabassoon. I get oboe a lot, but it's bassoon and contrabassoon. It with you next. Yeah, bring it with me next time, yeah, exactly. Yeah, um, so a University of Maryland study found that hackers attack every 39 seconds, uh, and among these hackers, uh, one in three Americans every year are affected by these attacks. So maybe in the time it takes you to drive down the street to a friend's house, or maybe you to order a drink at Starbucks, or even possibly you to wash a plate after dinner, somebody has been affected by these attacks. And I'm not saying this to scare anybody. I'm sure a lot of the people in this room
already, uh, know about this statistic, um, but I just want to bring it especially to a lot of the newer members of cyber security, to just emphasize the importance of cyber security. And, uh, what we deem a great way to learn about cyber security and get into the field is through CTFs and, uh, get hands-on experience through
them. So what we're hoping for you all to take away from this talk is thinking about what a replicable model for cyber security excellence using CTFs can look like, both for schools and also for the individual students within those schools. Um, so our agenda for today, we've broken up into six parts. Um, so we will talk about, um, what we call the Rensselaer Cybersecurity Collaboratory. Um, like I mentioned, this is both a research lab at RPI and a CTF team. Um, so who we are, what we do. We'll talk about how we are structured. Um, we'll talk about the different kinds of structure that go into building and maintaining a CTF team at a university. Um, we'll talk about the
things that we teach, um, both what we teach and how we teach it. Um, we will give you kind of our lessons that we learned over the past two years, um, and then we'll draw some conclusions, and then we'll open up to Q&A at the end. All right, so the RCC for short, um, or the Rensselaer Cybersecurity Collaboratory if we're going to extend it out. Um, timeline: we started in about spring of 2021. Um, so RPI actually did used to have a CTF team prior called RPISEC, um, and then for a number of reasons, COVID being one of those reasons, they kind of fell, um, into inactivity. And as the security professor on campus I would email them on occasion
saying, hey, I have these students, what are you all doing? I want to send my students to all of your events and your, um, meetings and things like that. So RPISEC was a totally student-run club and I often did not get a response back from them, and at some point I decided, well, how hard could it be to just start my own CTF team and figure out how to make this all work and take it from there. So we had no active CTF team at RPI in spring of 2021. In fall of 22, um, I had a couple of students, not terribly many students at the time in security, but I had a couple,
about 14 or so, and I said, hey, um, I've been offered to, um, have a discount for us to play in this large nationwide CTF, do you want to do it? And they said sure. And we didn't really know what that was going to look like. All we knew is I could register them, I would be their coach. Um, we knew the dates of the CTF. They went and played it and, much to our surprise, our pleasant surprise, um, one of the students in that group actually ended up winning a challenge coin from that CTF event. Um, that was top 500 out of about six or 7,000 students across the country, and we thought that was the
greatest thing ever and figured we could probably get more students in the future to win those challenge coins if we could find a way to actually formalize what it is that we were doing, instead of just having this informal gathering of students who just decided like, yeah, that's a great idea, we should, we should try out this thing. Um, so fast forward a year to fall of 2023, we begin holding weekly regular meetings to teach students all the skills that they will need to succeed in CTFs. Um, that ultimately ends up culminating in a nationwide CTF that we'll talk a little bit about later called the National Cyber League, in which RPI was ranked the
number one collegiate CTF team, number one university out of all the universities that competed. There were about 521 universities that competed, um, like really small schools you probably never heard of if you're in cyber security, like the same Institute, like the US Military Academy, you know, like very, very small, you know, very insignificant cyber security schools. Um, and we ranked at the top, um, for that semester. Um, and so this has continued on today. Um, now we are much more formalized even than we were even a semester ago. Um, so we would like to chat with you about kind of all those successes that we've had and things that we might do differently, um, along
the way. And this is us. These are just a bunch of pictures of us, um, throughout the year. So in the top right corner is our large team from fall of 23. Um, we sometimes have students playing smaller CTFs and small teams, kind of self-organized. Those are the two photos on the bottom. Um, those are our CyberSEED, I think they were CyberSEED teams, um, from this year. In the top left corner is some of our research groups, um, particularly the students who do, um, quantum computing and quantum security research with me, which we'll also talk about a little bit at the end of the talk. Um, so this is us. I just thought it'd be nice to shout
everybody out and, and show you, uh, who we are and what we all look like. So in each of the slides there you can see our little logo on the top right for you guys. Um, uh, in a little print below the RCC, you can't see it up there, but our motto is inspire, defend and secure. So first up, inspire. We really try and, uh, engage members of the community, especially around campus. We're lucky to be at a very technology-centered school, and so we put up flyers, we have introductory CTFs to really engage people all around campus, and it's just to inspire as many newcomers as possible. I was one of those newcomers. I still
consider myself relatively new, obviously, and, um, I can just attest to how much the inspiring really works at our campus and how we structure it. And, um, the first part of our motto, it just is very, uh, good for everybody around campus. And then next up is defend. So that's actually learning these skills to defend, uh, through lectures, which we will get into the structure of the RCC a little bit later, um, and then our hands-on experiences through CTFs. And then secure: we want to prepare our students for the workforce and to overall create a more secure, uh, cyber security kind of world. And one of the nice things about the secure part, um,
of our motto is we don't actually wait for them to go off into the world. Um, we actually partner with our IT services, we call them c. Um, they're like our actual, like, help desk and IT services people. Um, so our students, before they even graduate, are doing things like pen testing our club websites for vulnerabilities. Um, they are doing things like making, um, posters and other things for security awareness around campus that get posted around campus in our CCTVs around campus. Um, yeah, so they're doing a lot of those secure things as part of their education in the campus community before they even leave us, um, and go off into the
world. Uh, so next up, kind of like I said before, how we are structuring. So what I think is important for anyone who is looking to start a CTF team, whether it's on campus or just among a group of friends, is to have some sort of regular structure. So since we're on a campus, we follow the weekly schedule of classes and all the other events at school. Um, but there is something for students to look forward to every single day with the RCC. Most of those things revolve around the CTF team or other events or other things that we do that are connected to the CTF team. Um, so on Mondays and Thursdays are usually
when I am teaching infosec classes. Almost everyone who plays on the CTF team eventually ends up coming to one of my classes. Usually they take a lot more than just one of my classes. Um, Monday afternoons we reserve for one of our research teams, particularly the quantum research team. If we're allowed to say we have a day off, Tuesday would usually be our quote-unquote day off, but we still oftentimes do find things to do. Um, we do have a couple of partners, um, corporate partners in and around the Capital District, New York area that we will sometimes go and talk at their meetings, where we will otherwise engage with those companies. So students are
actually coming face to face with actual pen testing companies while they are still students. Um, they've been very kind to us. They've actually hired some of our students as interns to do red teaming stuff, um, while they are in college, so they're able to supplement their CTF knowledge at these internships. Wednesdays are all the other research groups that are not related to the quantum computer and quantum security. So these can be anything from generative AI and cyber security awareness training research, to people who are working on compiler mitigations, to people who are working on reverse engineering Wi-Fi routers. Um, and oftentimes these students draw from the CTF players who are looking to do more. They
get involved with the CTF, they find that they really enjoy this cyber security thing, and they want to know what else is there out in the larger world of cyber security, and then I oftentimes will then enroll them into my research lab. Um, and then Thursdays, like I said, it's class, and then Fridays is our RCC leadership meeting. So we do have a leadership group of students, of which Quinn is one of them, and every Friday morning, um, they will meet in my office with me and we'll kind of talk through, um, in a future slide, kind of what we actually do on those meetings. But the point is, every single day of the week
there is something for these students to look forward to with the CTF team, which I think is, is important if we want to think about how do we actually structure a CTF team that can be successful at your university. Another thing to think about when we're thinking about structure is there's a number of different ways that we can think about structure. So there may be like the literal structure that we just talked about, this idea of regularity, predictability, planning, group visibility, all that boring organizational stuff, which is important, which a lot of people don't think about when thinking about CTFs. Someone has got to organize those CTFs, teams have to organize themselves to go play in those CTFs, right? So don't
discount the importance of that kind of non sitting at your computer typing away at the challenge. Um, but there's also leadership. I tend to think of leadership as individual visibility, where structure might be group visibility. I think of in terms of something like pushing your Ed space, this idea of putting students, putting yourselves in this position where you don't feel totally comfortable but you also don't feel totally panicked, right? That's usually the place where, like, actual learning ends up happening. Um, also continuity. I think that's just a reality about universities, is while I might end up staying for a really, really long time, they all leave me after four to five years, right? So we're always thinking about how we
are going to replace and think about fostering the next generation of our leadership and the next generation of our players. Um, and then soft, I put soft in quotation marks, we can debate, uh, if we like the term or not, but the reality is, right, the ability to communicate, right, the ability to talk to other people about what you do, the ability to lead, all those things that are not quote-unquote technical, and these are still critically important to a successful career in cyber security, is a thing that you can use your CTF team to help hone in your students. And then lastly, sponsorship. Money of course is the big thing, um, but there's also time, right? It
takes time to learn these things, it takes time to coach students. Encouragement, listening, healthy pushing, um, which I think ultimately for me produces really lasting relationships with my students. Um, like I have students who leave and, like, 5, 10 years will still email me asking questions as if they've, like, never left the university. Um, something that's really important for me in terms of sponsorship is I'm never secretive about it. So most of the stuff is funded through grants, and I will tell them if I'm applying for a grant, I will tell them if I win, I will tell them if I lose, um, so they always feel like they have ownership about the direction that
our CTF team is going in. So how the RCC is structured: it is very student run. Um, it's taught by around five kind of passionate student lecturers and officers who rotate teaching during each of the meetings. Um, depending, we kind of have a structure where at the beginning of the semester we kind of decide what topics we want to teach, and then from there, um, uh, closer to the date we decide who exactly is teaching them. Um, first we initially introduce the topic, we show an example of what we were doing, and then we allow students to practice on their own, uh, to get them ready for CTFs that we practice. Obviously the hands-on experience is a
very important aspect of the RCC so that they can gain valuable experience. So in terms of visibility, so one thing that we are very aggressive about is postering. We put posters all over campus all the time. It is pretty hard to walk around RPI's campus and not see posters inviting students to come play in CTF tournaments with us. Um, every week, um, every day at RPI we have this thing called Morning Mail, which is an email blast that goes to all faculty, staff and students, and every Wednesday, the day of our CTF team meetings, there will be a blurb that says come join the CTF team, no experience needed, if you're a new person we especially want
you to come out and play with us. Um, so visibility is all those things that is a positive reinforcement of the group. Um, it's never like internal, personalized bragging. It's all about showing that this is a fun and exciting place, that if you join up with us you will also find to be a very fun and exciting place. Um, there's an interesting story about, um, so the NCL, which we'll talk about in a little bit, um, the end of this past season there was a student who had posted to their Discord about how upset they were that their professor is going to get all this credit for how well the student did, despite the fact that the student had
literally never met their faculty coach ever, had never come to anything, had never done anything. Um, and a bunch of our students actually chimed in to say, well, our faculty coach comes to all of our meetings and he's always there and he's always willing to, um, participate with us, right? So that's the kind of visibility I'm talking about, right? Um, not like self-bragging, but making sure that everyone knows that we are this welcoming and open space and everyone can come and join us. Um, other ways you can do visibility: we do have a LinkedIn page. Um, we post pretty much everything we do on our LinkedIn page. Um, down the bottom, that's that Morning Mail thing I
was talking about, so every single Wednesday that goes to every single student's inbox, so students quite literally can't go even a week without having something about the RCC being put in front of them. Um, and then we also have an Instagram that also is pretty popular. RPI likes to post about all of our successes as well. So how the RCC is actually led. Um, so like I said, we have a weekly leadership meeting every Friday. Um, soon as we'll hang out in my office, we will talk about what things we actually have to teach for the remainder of the semester, so we actually will schedule out all of the topics that we want to cover over the
course of the semester. Um, we will talk about, um, who is teaching what particular thing each week. Some students end up specializing in certain categories and they are just better suited to teach certain things versus others. Um, we will also work together on designing our teaching tools, so we will work together on the slides, we will work together on whatever other hands-on teaching tools that we plan to be using over the coming weeks. Um, for the moment, leadership is usually either I will recognize emerging leadership among the younger students, or sometimes it's nominated to me by the current
leadership. So for, I guess, a lesson to take away if you're thinking about building your own, is I think a lot about our leadership group as something that I guide but never prescribe, right? So my job on those Friday meetings, it's not to tell the leadership group what it is that they should be doing, it's to listen about what they want to do and help guide them towards how they might be able to achieve that. So maybe things like refereeing ties that they're split over, things that they should be doing, um, helping students keep on track, sometimes suggesting strategies, um, and things that I want to see done. Again, I'm not going to be able to force them to do things,
but helping them see maybe what they can accomplish over time. Um, but then I'm hands off, I kind of let them do it. Um, and sometimes that means they are going to fail. You're going to find out that students are actually not going to fail anywhere near as often as (she's giving me dirty looks) as often as you think they are going to. Uh, they often do, like, rise to the occasion and surprise you, um, quite a number of times. But the idea here is to give them ownership, right? The RCC is not my lab. I mean, I guess in like some weird abstract sense it is my lab and my CTF team, but I don't get to play
in the CTFs, the students play in the CTFs, and there's no way that they are going to invest the time and effort and energy into the CTF if they feel like they're just doing it for my glory, right? They are doing it for themselves, um, and they are interested in seeing their own growth over time using these CTFs. Sponsoring: like I said, mostly grant-funded. You will be surprised how little money it takes to run a CTF team. So I've run a CTF team for two years on about $1,800. Um, I did just get $25,000 though towards the CTF team, so, um, that was nice. Um, but you can do it very, very cheaply if you don't know where to start and you
don't have the institutional resources to get money quickly. Um, you can also partner with industry and other people in your campus community, um, right, find other people who are looking to get into cyber security, industries that are already in cyber security that are willing to work with your students, willing to take your students on as interns. Um, and then time: like I said, I'm at every single one of these events. Um, I get to know the students really, really well. Um, I think it's really cool, it's always cool to, like, see students, like, solve their first challenge and see them get, like, super excited. Uh, my favorite part of my infosec class is when I make
them all do a buffer overflow for the first time, um, just like see them all light up and like, oh my God, I got the computer to do something that it's not supposed to do. Um, right, but you're never going to develop those kinds of relationships and really kind of be rewarded by seeing them light up like that unless you're willing to actually put the time into all of them. Um, because time is honestly worth more than money. Like I said, so far we've done two years of all of this on effectively $1,800, and the vast majority of that, I am not kidding, has gone to pizza, um, right, feeding them over the CTFs, right, is not
gone to, like, anything else other than feeding them. Um, right, so money is useful, I'm not going to say that money is not useful, but you can be very creative about what resources you have and where they end up getting allocated. Um, but it's like the students, like, right, the time that they're actually spending on this, this is where they're learning, this is where they're growing, right? And like I said, they're going to remember all those cool things that they did, and you want them to remember all those cool things that you did. So I'm not going to say it's not a lot of work to be a very active faculty sponsor of a CTF team, it
is, but if you're looking to very quickly grow a CTF team, if you're very quickly looking to get a CTF team that is more than just students who meet occasionally and then it dies for a couple years and then a couple more students come by, you need that kind of faculty consistency, so you need to invest the time into your CTF team. All right, so we'll talk a little bit about what we teach, um, and how we teach it. So our big CTF is the National Cyber League, um, or the NCL for short. Um, I like it because you get two events per semester, you get an individual game and a team game. Um, it's a really good
broad array of skills. Like if you have no idea where to start with CTFs, um, the NCL is actually a pretty good place to start, because not only do they cover a huge amount of real-world cyber security tasks, they will literally teach you everything you need to know to do well in the CTF. Um, they have a gym that usually opens like at the very beginning of the semester, like January and August, and it's open for the whole semester, and they will teach you every single skill that you need to be successful into actual competitions. They usually also have a practice game the week before the two main tournaments, um, so that students can really hone their skills, um, and
those practice games are usually much closer in difficulty to the real thing than the, they call it the gym, the practice stuff earlier on. And as one of those new students, I definitely can see the importance of the NCL and how approachable it is. These are the eight kind of categories, sometimes they switch a little bit, but these are the main eight categories that we teach, that kind of through the NCL's platform, and we kind of take the categories they already have available and we break them up. Every week we teach either this topic specifically or subcategories within this topic. Um, and for the new people: open source
intelligence, basically just publicly available information and kind of being able to deep dive into a certain subject. Um, exploitation and enumeration, um, hacking into computer programs slash making them behave in a way that they weren't supposed to initially. Uh, web application security, uh, exploiting servers that run on the web or network. Uh, forensics, kind of finding clues to reconstruct hacks, or finding clues to reconstruct attacks, so kind of like what we do forensics, uh, crime-wise, and like a regular crime lab, very similar to that but on your computer. Uh, cryptography, uh, the science of obscuring data so it can only be read by the intended user, but then we kind of, uh,
exploiting this, uh, obscuration of data. Uh, scanning, this is analyzing network ports and services that they are running on for weaknesses. Log analysis, this is reading the outputs of different services on your servers to see if there's anything unexpected or any malicious hardware. Uh, password cracking, analyzing passwords to see what the hash that they might have are and then using brute force programs to attack them. So as newbies there is a lot to learn. Um, one of the other things that's nice about the NCL is that, um, like I said, it's very, very approachable. Um, however, it is still very challenging for your experienced student, but they almost never have anyone who solves all
the challenges in a tournament, so there's still something for even your very experienced students to get out of something like the NCL. Um, so we focus on it in part just because it's really well timed for our semester. Their main tournaments are like the last two or three weeks of our semester, so we kind of build up over the course of the semester to this culminating experience. Um, it allows us to bring in new players every semester. I make everyone in my infosec course sign up for it and they have to play in it as part of their grade. Um, so, right, anyone who takes an infosec course with me, they have to learn CTF skills, they have to play in a CTF, it is
part of their grade, but it allows us to bring in new players every single semester. Without fail I will have students come up to me who have never taken a cyber security course before and say to me something like, I'm so glad I took this course, I really wish I knew about CTFs before my very final semester in college, because now I'm going off into the workforce and I could have been doing this for years but I only did this once and that's going to have to be good enough. Um, but focus doesn't mean exclusion, right? So we focus on one CTF, but students are allowed to play in as many CTFs as we want. We end up playing about
10 or so CTF tournaments every year across both semesters. Um, usually students, usually small groups of students, will come to me and say, hey, I want to play in this thing. I'll say, great, is it free? If so, go for it. Um, if you need a faculty advisor, just put my name down. Is it going to cost money? That's okay too, just let me know how much it's going to cost and I'll figure out a way to sponsor you for that CTF. Um, and sometimes these CTFs give out money for players who score really well or teams that score really well. Before anyone asks, I do let them keep the money. Um, I don't take the money from them. If
they win it, it's theirs to keep. We actually did see a team win 500 bucks at CyberSEED, and so they're very happy with their winnings. Um, so what have we learned, and what do I think you can all rethink that you can learn from us in starting your own CTF team? Um, so if I had to boil, if we had to boil down our six main successes, um, for me, my three that are on this list, I would say: grew the cyber security program. When I started as professor in 2019 I had two cyber security students, I think maybe three in total in the program. Um, now we have closer to 30, 35, so I guess I'm
being a little bit conservative with that 400% number, it's more like a thousand percent growth in the last 5 years, um, in no small part due to the CTF team's visibility. Students see how successful the CTF team is and they say, I want to do that, and they come and find us and they join up with us. Um, even the students who are not security focus track students within our major, um, still come and play with us on the CTF team. Quite literally every single major at RPI has at least one student who is playing in our CTFs or coming to our meetings every week, and RPI has majors like architecture, and we do in fact have an architecture student
who will come by every so often, um, and participate with us. Um, so that visibility has really paid dividends in growing interest among the students. When you grow interest among the students you raise the profile of what you're doing at your university. I have quite literally had my program director be pulled over by a member of RPI's Board of Trustees to be told that they know that the RCC is our program, that I'm the one doing it, and that we should get the credit in what we call ITWS, our program, for our CTF team. Um, which I think is really quite cool, right? That kind of visibility is how you are going to get
more resources to grow this thing even further. Um, and also just very recently our admissions department, um, they've started doing a new campaign, particularly for international students, where they've highlighted I think like three or four of the big stories that kind of are the best, the best of RPI, and the RCC is one of the stories that they chose, right? So that kind of profile is going to attract talented students not just from all across the country but from all across the world into our CTF team, kind of further bolstering our growth. And from the kind of student perspective, two things that really stood out to me was growing leadership and soft skills, um, so
planning, organizing, teaching, mentoring, standing up here today talking to you all. I was still nervous before this, but that's okay, it's all part of the process. Um, being able to step up and become one of the officers of the RCC, lead meetings when I could, it really allowed me to gain better communication skills and leadership skills, planning out the meetings. And I think this is not just for the officers, I think the students involved in the CTFs, it is a very, um, good experience, and if you want to get involved and go into leadership it is very accessible for you, so it's for all the students in RCC. And then also conference talks. We're here today, hi BSides
Buffalo, um, just another one of the successes that we've experienced. So if I could start over, thinking back to spring of 2021, uh, my advice to myself would be don't wait. Um, I quite literally would email the RPISEC, well, who I thought at least was the RPISEC leadership, student leadership, and not hear back from them and then not do anything. Um, and I could have had a CTF team for probably a year and a half, two years before I actually started. So if you have any interest in either starting a CTF team at your university or just going off and playing CTFs on your own, don't wait, just start doing it. Nothing may make sense to you. Um, some of
my favorite stories, and she's got one of them, is students will come up to me the first time they come and say, I don't understand a single thing that happened today, and then all I say to them is, come back next week, and eventually things will begin to make sense to you. So don't wait, um, because ultimately lost time is lost opportunity that you're never going to get back. Another important thing to focus on is not separating: CTFs are part of your entire holistic growth. You don't want to say, oh, I'm doing cyber security, I'm getting my exam and I'm practicing for it, but oh, CTFs are different. CTFs are part of your entire growth as a human
and as someone with a passion in cyber security, so you should bring them into all aspects of what we're doing. Kind of like the RCC, we are a cyber security and CTF team, however we also do research, we're also having students doing pen testing and other avenues of cyber security, so it's important that they are focusing on more and are a part of your entire growth. And so this was a big thing for me, especially for any students in the room: uh, don't be afraid of how much you don't know. Uh, like Brian was saying earlier, uh, when I first kind of attended an RCC meeting I was very confused, I really kind of didn't know what was
going on at first, and he was just, welcome back. And I think that idea of welcome back has really stuck with me. I think him not being like, oh, it's okay, like, you'll learn more, like, just welcome back, it's as simple as that. It's just coming back, continuing to practice and continuing to engage your skills, and not kind of being at a point where you're like, oh, you'll learn everything. No, you'll always have things that you need to know and you don't know, and I think just continuing through the kind of learning cycle and understanding that you'll have failures, you'll have moments of where you should have known something and you might not have, but as long as
you kind of repeat this cycle and even if you're confident one second someone else will say something and you're like wow I really don't know that part of it either and so repeating the cycle and never really being happy with where you are and always wanting to continuously learn is a very big part of cyber security that I have found um so kind of like what we were saying before you really want to supplement CTFs with other cyber security work that you're doing or just other work that you're doing in general um RPI just recently got a quantum computer and so the RCC has done research with the quantum computer the one on your left uh is the project that
I was personally on with we kind of uh built a word classifier that would help a large language model with quantum the quantum machine and the other group uh used quantum power and the quantum machine to crack uh RSA encryption and so both of these things just prove how the RCC is supplementing CTFs and not simply focusing just on them and then also it's important to make friends uh this is a collab that we did with ACM-W which is a group that I am in on campus it's kind of like our women in CS group and we did a cyber security workshop you want to allow people that aren't in your orbit to see what you are
about to invite them to join you and even if they aren't interested it's just important to get the engagement out there and kind of spread your message and of course you know this is towards building the future that we want to see um there are a lot of people who spend a lot of time in cyber security and tech broadly but in cyber security talking about DEI surprisingly we don't talk about DEI all that much within the RCC we just kind of live it um 80% of all the researchers who work in my lab are women um and as of next semester 100% of the RCC leadership will also be women so if this is the future that we say we want
to see in the world let's go build it um and it can be built in some ways this was kind of um it emerged upon me I would ask who wants to lead these things and it would always be my women students who would jump at the occasion to lead things but I mean it's great I mean they're all they're all quite wonderful um and quite happy to see that we do have such strong female leadership emerging within cyber security I know as a student um I kind of didn't realize that there was even a disparity in cyber security at first when I joined RPI because of these statistics exactly um kind of when I got more talking about it
more with Brian I realized that there is like there needs to be more represented people within cyber security but the fact that students going into it don't even need to have that barrier I think is very important um and I also just want to emphasize RPI is a 70% basically uh male school so even having these statistics at a 70% uh male university is I think very impressive so one of the things I want to leave you all with if you're on the professor's side of building a CTF team is to embrace "we" right I'm here with a student I always put my name last on everything um when I talk about what we're doing at the RCC I always put them
front and center um I like I said I use "we" and I put their name first what I do what my job is is to help them shape the narrative that they want for the RCC and then let them go out and and share that narrative with the world um of course as all faculty do we work pretty hard to make sure that they kind of forget their mistakes when they make mistakes um but we make it very easy for them to always have their successes like literally at their fingertips um so in my office um all the trophies that we won are like literally on my desk like they can pick them up at any time
the letter that we have saying that we came in number one in the nation hanging in my office like they can go look at it anytime that they want and for the students or really anybody uh interested in in cyber security and maybe new um first up is finding your passion if I'm assuming a lot of people in this room your passion is cyber security great if not sure you can take this to another field as well um but finding what makes you tick is very important and after this real moment of realization you want to go after this feeling and you don't want to have the fear uh to pursue and I think a
lot of the times this fear to pursue can be the most difficult part um so when I was first coming to RPI uh I was scared to go to the RCC meetings um I it I felt it really daunting and this is a real exchange between me and one of my friends uh you don't have to read it exactly if you don't want to it's basically us talking about the cyber security meetings and um us organizing a time to meet before the meetings it was on Tuesday or uh Thursday and we both were like yeah we're going on Thursday we need to go together and even like 2 hours is I believe before the meeting I
was like Hey like do you want to meet up 5 minutes beforehand like I don't even want to walk in alone like this fear to even go to the meetings really held me back at first I think and for the few first few meetings like if my friend was like oh like I can't really go I'd be like oh yeah I probably won't go either but the RCC fostered a very good environment and I am very comfortable now just going to the meetings but that first fear and that first step in the right direction was definitely one of the hardest for me and so I think another important thing is to take opportunities but as much as you can
handle uh for my university RPI it's very I feel like opportunities just keep coming to me I'm very lucky in that aspect the RCC also um a lot of things that I've seen were just posted up on our Discord and I could click on the link and be like yeah I want to apply for this we'll see if I get it or not but why not go for it so research may be required for this step depending on where you are you can research CTFs they're happening all the time if you really want to get into them and there's always opportunities available in cyber security which I am I've seen and I really enjoy and just be careful not to
burn yourself out uh it's really difficult to deal with burnout I've experienced a little bit my second semester and I'm sure I will experience it again and it was probably just the beginning um but just kind of allow yourself to have that rest and I also think no matter how big or how small you always want to be working towards a goal or towards something that is also in the direction of your passion of cyber security so always keep your goals in the back of your mind so when I realized my passion at the beginning of the school year I attended the weekly RCC meetings and I kind of went through the entire year participating in the
NCL uh joining the research team uh and then after finals I was like okay what now what can I also do now during the summer to pursue my passion and so now I'm here speaking at BSides Buffalo I did take a rest that's also important um but I'm here speaking at BSides Buffalo that is also towards my passion and then even after this um I'm going to take the Certified in Cybersecurity exam uh in late June and so I'll start studying for that so I always try and have something aligned towards my goals and towards my passion that I think will really help me and kind of keep up with my passion and kind of check in with myself and make a
more successful future and so thank you um for listening to us
talk and we have a little bit of time so we're happy to take any questions that people might have yes so a lot of this is around um students and people they're getting into but uh I have to work at a company we're trying to build out a cyber champion program and this seems like a great way to try to this similarly encourage will get more involved in cyber security obviously like this is a work environment like there's no curricular things like that what uh what type of things have you found that might be able to transition into that work people CTF yeah so um so yeah I guess you don't have the regular schedule of of a
semester to go through but one of the nice things about CTFs is they're literally going on all the time like you can go to ctftime.org I guarantee you there's going to be a dozen of them that are starting um tomorrow I would say for the work environment um so is there someone who can I suppose not be a champion but a champion of the champions almost right someone who can be the point person who is going to say okay I'm going to clear away the work hurdles for these people to get these skills and right whatever that's going to take that could be complicated depending on where you work I'm not going to take that take that
away from you at all but but but finding some institutionalized apparatus and structure to see that upskilling happen I think that's really kind of what was the single most successful thing here and I don't think it's unique to the university setting maybe it's easier at the university setting but it's not unique it just requires us to figure out what structure was going to best allow us to get them in front of a CTF and so and I don't know your business particularly but I'm sure there's some mechanism for that to happen so identifying what that is and what that looks like I think would be my first step does that answer your question yeah absolutely no there's immediately I was
thinking of a couple like Career Training CL that existing yeah so this is like Hack The Box and um what's the other big one TryHackMe yeah yeah yeah right so there are kind of things that are already built um for kind of that work environment but I think it's not just having access to that which is important but really having the ability to carve out the time to make sure that they are doing it um is I think honestly the harder part you can just pay them a bunch of money to get access um but ensuring that they're actually able to do it and will do it is a harder harder thing to get at do you think like
meetups is the way to go usually like you get in the room I found that getting in the room is what's going to be the most most beneficial um you know I think and I'm sure you can speak through this too you know they look forward to Wednesdays you know I mean you can probably talk more about this than I than I can but they really do look forward to those Wednesday night meetings that we have it makes a lot of the CTFs being over the weekend it makes those weekend CTFs um seem more like a social event where they happen to be doing something that's also benefiting their careers than it is something that they're doing
cuz I make them do a lot of work which I also do but uh right just kind of that reframing of what there is what it is that they are doing why they are here and what they're getting out of and you can probably talk to that too yeah and for the NCL specifically uh it's about like a 72 hour yeah it's from Friday to Sunday yeah it's a 72-hour competition and we normally don't have access to our the buildings uh on the weekends but we gain special access and we break up in rooms for this and I think that having that solid room to actually do the CTF in is really beneficial to have us all
there and um just have us work together and be able to talk about it together um also I know our weekly meetings were at 7:00 on weekdays this me uh this past time I have a lab technically my CS lab from 6:00 to 8:00 I finish it early every time to get to the meetings um so I can be there so just again that experience of all being together in one centralized physical room I think is very important awesome that helps a lot thank you mine's not a question but I kind of agree I try to get a bunch of people out there to do like a sand hity C everyone was super gung ho and we're doing
challenges and then it start got a little bit more challenging and then everybody kind of faded off yeah and it was all remote cuz none of us were in the same area so I yeah I fix that with I buy them pizza and stuff um so so in the NCL we we do have one team that you know they play to win and and they win trophies every semester they come to the top five teams every semester and if you're looking for me that weekend I'm probably in whatever room they're in sitting there telling them well your score is not high enough to win a trophy so like what are we doing like come on so sometimes you know
not seriously you know chastising them but kind of that that humorous push when kind of motivation dips a little bit um can also go a long way it doesn't have to be anything super long or dramatic it can just be joking with them like hey why aren't we winning a trophy yet things like that anybody else yes I got one real quick um in regards to doing community events for your University um do you have a pipeline that's set up of bringing any like students in from like let's say community colleges or coming in from high school for recruitment oh that is a great question not yet but that is on my immediate radar the reason why I asked
that is because I teach at a local community college now down in Maryland and I've built a cyber team there I've hosted I've hosted competitions there um and we have a recruitment pipeline set up where when the students graduate they will either go to a four-year university and compete with their cyber team there so I didn't know if that was something you were looking to be yeah that is that is very much on my radar so we're so RPI is actually situated literally right next door to Troy High School so we have a large high school right there um and our local community college HCC is maybe 10 minutes away um and fairly large so
yes I kind of want to figure out how to make that pipeline happen towards us and RPI as a university has already started partnering with hbcc the local community college so I think it would be relatively easy for us to yeah for example we we now have like a chip manufacturing major that's split between the two um we're there's lots of chip fabs coming to the Capital District things like that awesome really cool one question I have for you then what is your favorite category that you like to compete in for the N oh interesting I can tell you I can pull my phone I can tell you which one you've done best oh don't do that don't do
that the one I've recently learned more about like the collab that I threw up a little bit uh was password cracking I don't know if it's definitely my favorite cuz it's just kind of sitting there waiting for it to work um and kind of waiting for the brute force to go through but I also really enjoy the kind of the journey of OSINT is always fun uh and kind of the I also kind of think that cryptography is also kind of a journey so I'll give you those three I don't have a favorite any other questions if not thank you for coming enjoy the rest of your time here [Applause]