2016 in Review
A quick review of 2016. This year started off slow, but I didn’t think so at the time.
January - June
Continuing my PhD program, the Spring semester consisted of two work intensive courses (Formal Methods and Fundamentals of Program Analysis), assisting in teaching an undergraduate course in Software Evolution and Maintenance for 10 hours a week, and working 20 hours a week on our DARPA Space/Time Analysis for Cybersecurity (STAC) project. In February, DARPA hauled us in to their headquarters in Arlington, Virginia for a week of challenges to audit the Red team’s program binaries for vulnerabilities. Immediately after we were given 6 months to continue our audits and improve our results. By the end of the semester I was surviving minute to minute barely finishing my projects before their deadlines. While I made it through and everything worked out fine, it was the most stressful semester in all of my 11 years at Iowa State University combined (side note: I’ve been here too long).
In May, I buckled down, reworked and resubmitted some of my work to find it a home. During the last week of May, I attended the invite only Sixth Summer School on Formal Techniques in Menlo, CA, which is a week long summer school taught by some of the leading experts in the field. Shortly after I was notified that my talk, which was previously rejected at a smaller conference had found a home at DEFCON (my ultimate goal as a speaker and perhaps the largest and most well known computer security conference in the nation). Around the same time I was also invited to attend the US Cyber Challenge’s Western Regional Cyber Security Boot Camp in Cedar City, Utah because of my performance in a national online cybersecurity competition. So without further ado, I booked travel from Ames to Cedar City to Seattle to Las Vegas and finally back to Ames in what would be the start of many more travel engagements this year.
July - August
Between visiting friends and family for the 4th of July holidays and preparing for my DEFCON talk, I prepared for my PhD qualifying exam. After some late nights and three complete rewrites of my written report I was ready for the oral exam, which I was only able to schedule the day before all of my travels (many students joke that the hardest part of a PhD is getting all your committee professors together in one room at one time). On the way to my qualifiers, I heard something big hit my car. I immediately pulled over and jumped out to find a girl on her bike, thinking that I had hit her with my car. Turns out she was playing Pokemon Go and rode her bike without looking right into the intersection and hit the backside of my car. Nobody was hurt (she didn’t even fall off her bike), but I went to my qualifying exam with a little extra adrenaline than I expected, but despite all that I passed my exam and got to continue the PhD program.
With a little less stress on my shoulders, I left Ames for the US Cyber Challenge Security (USCC) Boot Camp. While it was my third time attending a UCSS camp, I still learned a lot (which is why I’ve kept coming back!) and I unexpectedly got a chance to be an instructor for half of a day when one of the instructors was having problems with a binary exploitation example and handed the course off to me because I had previously prepared a similar lab exercise for an undergraduate Operating Systems course I helped teach and was able to demonstrate the exploit on-the-fly. From Utah I went to visit a good friend in Seattle for a few days before we left together for the crazy world of Las Vegas where I would present at DEFCON.
True to form, DEFCON was a huge affair with an estimated 22 thousand attendees! After poking my nose in one of the main track rooms where I was supposed to present the next day and counting the number of seats I had a small 3 second long panic attack (napkin math: 25 seats per row on each side of the aisle and about 60 rows gave me 2 × 25 × 60 = 3000 seats per room!). Considering myself a seasoned speaker at this point, this was an unusual feeling for me. In retrospect I think I had a little bit of impostor syndrome at the time. Long story short, despite the fact I was the first talk Saturday morning after Friday’s late night party and I was competing with a well known security researcher with one of the more anticipated talks, I ended up filling a little shy of 2⁄3 of the room and most importantly the talk went very well (ignoring the fact that I absentmindedly forgot to show the grand finale demo that I had spent several weeks developing…). It was also the first time I had received two personal job offers before I had a chance to leave the room after speaking.
Meanwhile, some seeds that were planted back in 2015 and had sprouted in March 2016, had finally taken root in the form of an invitation by the Indian government to help teach a short course on program analysis and security in September at MNIT University in Jaipur, India. Unbeknownst be me at the time, I was beginning a long and stressful battle of acquiring a simple conference visa from Chicago’s Indian Consulate office.
Meanwhile I took an off week to go visit my Grandfather in Phoenix, Arizona and then got back in time to fly out to DC again for another DARPA meeting. Thanks to a friend who was looking out for me, my trip in DC ended with an evening spent bowling at the White House (coincidentally on the same day as my birthday). The extra day made my travel arrangements a bit tricky because I was supposed to be picking up a bunch of friends at the airport the next day for a wedding where I was the best man. It was a bit of a surprise when I bumped into one friend on a layover in Detroit on his outgoing flight to Des Moines where I was picking him up.
September - December
The day after the wedding I headed back to Ames to pack for my flight to India the next day. Thankfully with a bit of unexpected help from a friend of a friend I got my visa and an apology from the consulate just in time (literally an hour before I was about to leave town). Teaching in India was a very fulfilling experience, mostly due to the exceptionally bright and motivated students that attended the course. I spent the evenings chatting, eating, and taking in the sights despite the heat.
After returning from India, I traveled to Raleigh, North Carolina to present a paper at SCAM. I found a bar that only serves moonshine and moonshine cocktails that made for a fun evening. At the end of October I traveled to Baltimore, Maryland to present a tutorial at MILCOM.
During this time the organizers of the US Cyber Challenge boot camps reached out to me to ask if I would be an instructor for the 2017 camps. I agreed and will be teaching at the Delaware, Illinois, and Utah camps through July next year. I’m in the process of developing some new material that ties vulnerability detection, exploit development, and malware analysis all together via the common thread of fundamental concepts in program analysis. Then on the last day of November I was notified that I had been nominated and awarded Iowa State University’s Teaching Excellence Award.
During December I had to cancel a planned trip to present an accepted tutorial at the APSEC conference in Waikato, New Zealand because there weren’t enough registrations and an earthquake was making travel difficult (I guess visiting the Hobbit Shire will have to wait). The down time did however give me a much needed chance to finish some work I started back in May and write a paper that got accepted to the ICST conference in Tokyo, Japan in 2017. So it looks like next year is already shaping up nicely.
Note: There are still a few noteworthy events that started this year that I’m not quite ready to share yet because they are still unfolding. Life is always full of twists and turns.
2016 Drink Recipe: Place 1 bartender’s ice cube in a whiskey glass. Fill the glass to the top of the ice cube with Hendrick’s gin. Squeeze the juice of a quarter of a lime into the glass and garnish with the wedge. Top off the glass with Schweppes tonic water. Enjoy responsibly.