In this episode of CyberSound, Jason Pufahl and Steve Maresca sit down with John Madura, Technology Education Chair at The Morgan School, to explore how cybersecurity is being taught (or overlooked) in high schools. They dive into why students often see digital behavior differently from real-world ethics, how hands-on learning can close that gap, and the growing interest in courses like data science and cybersecurity. With real stories from the classroom and insight into student motivations, this episode sheds light on the importance of building digital citizenship from the ground up.
Episode 129
What Teens Aren’t Learning About Cybersecurity—And Why It Matters

Episode Transcript
Narrator 00:01
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:10
Welcome to CyberSound. I’m your host, Jason Pufahl, joined, as always, by Steve Maresca, and today we’ve got John Madura. John, thanks for joining.
John Madura 00:19
Nice to be here.
Jason Pufahl 00:20
You’re, so you’re the Department Chair for Technology Education at The Morgan School.
John Madura 00:24
I am, yes.
Jason Pufahl 00:26
And I’m gonna, I’m coming out of the gates with this, which is we had a great warm up conversation earlier in the week. Great enough, I think, that we actually wanted to have probably a little bit of an ongoing series. So we don’t know if what the, what the frequency of the series will be but, I mean, Steve and I have talked a bunch about sort of technology, young people, sensitivity and understanding of privacy and all of that, right?
Steve Maresca 00:49
So much of security is people.
Jason Pufahl 00:52
So much of it. And this is a, this is a group we need to educate. So, because it’s a series, normally, I probably wouldn’t say, “Hey, give us a semi-long intro of your background,” but I think you have an interesting background, and it’s probably useful for people to know who you are a little bit if you come back.
John Madura 01:09
Sure. Yes. So I’m currently a Technology Education teacher at The Morgan School in Clinton, Connecticut. I’ve been there for years. I’m so excited. I used to start in the math department. I taught traditional math classes for a number of years, but I’ve always seemed to as much as I seem to avoid it come back into the cybersecurity field. You know, I started as a mathematics major, but I was always interested in computation and computability, more like theoretical computer science. It was great, but I always want to go to medical school like that was kind of my joy. So I was like, I just pursued it because I loved it. And I was like, Hey, this is great. I’m just doing my pre med stuff. And then 9/11 happened. I got very interested in serving my country, and they looked at my background, and thought, hey, he would be perfect for cryptology, information warfare work. And I thought, this is pretty good. I went to cryptology school. I fell in love with it. I did yes, in Pensacola, Florida, which is, was great. I did my officer candidate training there as well. So it’s, it’s a beautiful place to be, if you like windowless rooms all the time. No, but it was a it was intense fire hose of everything you need to know about working in signals intelligence. I fell in love with it, and I was assigned to the National Security Agency. I got to work on both sides of their Directorates, which was great, very unique experience. For like, a five year tour there, I got to work in Information Assurance, where I did a little bit more of like counterintelligence work on the human side. 
We mentioned the human side that was really fascinating, looking at nation state actors who may be trying to exploit systems in the United States, with the war in Iraq and the global war on terror, I got assigned to the Signals Intelligence Directorate on the other side doing exploitation of cell phones, which was really fun because it was before global positioning was really easy to do with cell phones, so it was really fascinating work. The deployments were tough. That was the only difficult challenge, but I knew I loved the material. I still love to teach. I love to learn. Sort of where I got really interested in the connection between computer science and data. Really, I thought a lot about computability, but we did a lot with metadata and cell phones, and that’s where I got really kind of fascinated. It’s been kind of a theme in my work ever since. But, you know, there weren’t really cybersecurity, you know, programs in high schools when I first started teaching back in 2010.
Jason Pufahl 02:11
You did? Yeah, some basic programming, probably.
John Madura 03:53
Exactly, basic programming theory stuff.
Steve Maresca 03:56
What brought you into education? What was the transition there?
John Madura 04:00
I always loved to teach. When I when I was considering whether I was going to stay in the military or even go into civilian kind of contract work or even stay at the agency. I thought, wow, this is a really tough lifestyle. I always loved coaching and teaching. That was kind of one of my real passions as well. Mathematics was a really nice way to do that. So it was a it was a good way to sort of get into the teaching piece. Over time, I’ve gotten more into the cybersecurity angle, though, so.
Jason Pufahl 04:31
So maybe spend a minute some of the courses that you teach. There any any particular ones that maybe you started from scratch? Or, you know, what does the program look like?
John Madura 04:41
Yes, so the program right now is a great question, because we’re a small high school, probably about 400 students in our Technology Education Department. That’s a broad field of possible disciplines, and we started to think about the things that some of our staff brought that were really strong points. And certainly I bring a little bit with information technology, mathematics and cryptology. So we started to try to build that up a little bit. Two of the new courses we’ve started there in the past four years are a data science course, which is that was first, and that’s been wildly popular. We teach some R programming language. We’re moving into some Python. So again, I think it’s a really nice complement to the cybersecurity class that we launched this year, which, again, another wildly popular class.
Steve Maresca 05:32
And honestly, you know, R is not normally taught in high school settings, so that’s kind of awesome in a lot of respect.
John Madura 05:38
We had no programming so we had a traditional AP Computer Science Principles course, but that’s really a broad study of computation. Don’t get me wrong, there’s a lot of programming in there, but it’s not really designed to really focus on that as a tool. So this was a real opportunity to do that through R and data science course. So yeah, good point.
Steve Maresca 05:59
I think you know, applied, actual learning is where it’s at. I think many students get lost in the theory. We like it, we need it. But, you know, introduction is practical, right?
John Madura 06:10
Absolutely. You know, I’m a big believer in, you know, tools are are part of your thinking process, right? I think that you can learn and examine what you do by learning how to use tools. I mean, we can’t work in a technology department where you don’t emphasize how to use tools and use them ethically, use them responsibly. I mean, when you use a lathe, right, that teaches you about material, right? Just like, how does a tool in cyberspace – how does that teach you about the environment that you’re working in? So I believe that too.
Steve Maresca 06:42
So, so in that way, you we’ve talked about ethics indirectly a couple times explicitly a second ago. What are the, what are the things that students struggle at today, in that regard? They’re they’re learning, their critical thinking skills aren’t fully developed. You know, where do they stand and where do they need to go?
John Madura 06:58
Yeah, I think that’s a great point. I think one of the things that I think people misunderstand about high schools in general is that, you know, I work a lot with people in industry, being in a career and technology education field. So we talk to employers all the time, and they actually really love our students. Students in general. They learn critical thinking. They have learned to be lifelong learners. Where there is a gap, though, is I think in this digital sphere, it’s just not the same as the physical world. And I think where students, like kind of look at kind of trying to negotiate some of that stuff, the tools are super important. And I think when they look at our students, kind of coming out of high school, they’re like, “Hey, you guys can adapt to new things, but kind of looking at the psychology of that is, like, really important.” And I think the tool piece is, I’m going to continue to emphasize that. I think we were trying to build crafts people in that way. And I think, again, that’s really the kind of the key of our success so far.
Jason Pufahl 08:02
So, I’m going to take it a step further. It sounds like you’re alluding to real behavioral differences when they’re sort of dealing with either IT or online behaviors versus, I think you call, the physical world, right? So I mean, do you see real ethical, you see ethical behavior differences when they’re doing something online?
John Madura 08:24
I do. This has been the most surprising thing to me. And I think this is what your question was getting at. I think there is a kind of a gap where, if you, I think, presented students with a similar situation, maybe the details change about maybe stealing something physically versus stealing something digitally. There’s definitely a disconnect there, and I think that’s really, really important to recognize. Because I think if we assume that they’re just going to operate in the same way, I think that gets it’s leading us to a little bit of trouble, like we use the example of students talk all the time about stealing credentials right off of, you know, for software like Netflix or something like that.
Jason Pufahl 09:03
Copyright issues.
John Madura 09:04
Copyright issues, or sharing a password, or sharing any kind of credentials. And they don’t seem to think that that’s an issue because of the anonymity out there. Think there’s like tech is a black box. And they think, well, there’s really not the same accountability. I mean, if you think about this, there’s no like social reinforcement in the same way that there isn’t a physical world.
Steve Maresca 09:27
I think back to the behaviors of kids, you know, cracking a game, getting a license. There’s, it’s an intangible effect. No one’s harmed in terms of their immediate
John Madura 09:37
Yes.
Steve Maresca 09:38
So, you know, there’s a disconnect between cause and effect in that regard.
John Madura 09:42
Absolutely 100% and I think making those connections is really important. And again, thinking about how things work physically, I think because there’s so much confusion or anonymity and loneliness out there, just like you see. Like, you’re by yourself, and there’s like, not people watching you, but like that really shouldn’t be the motivation for being a good actor. And I think that’s what, I think the most important aspect of this course is like being a good digital citizen.
Steve Maresca 10:13
So when you see behaviors like curious students with aptitude that don’t have the developmental skills to recognize what they should or shouldn’t be doing, how are you redirecting? For example, we’ve encountered kids who scan a network say, “Hey, I found a vulnerability and I tried to break in.” That’s maybe a good action to take. Maybe not
John Madura 10:34
Exactly. I think one of the things I think about as like a teacher in planning a lesson, right? Is that there’s a concept I want to always start with, about demystifying whatever concept we’re looking at, right? Like, how does a phishing activity or a phishing attempt work? And so kids will be like, I know what that is, but I don’t really know much about it. They seem to see some of the consequences of bad stories. But like, so we start with that, kind of like guiding question. We work into the tools to, sort of to demystify what phishing is. How does it work, right? How do you use, like, a social engineering toolkit, right? That’s that’s supplied on Kali Linux or something. So they go through and sort of understand the mechanics of it, but we never leave it there. We start with, like, a case study. Where has this gone wrong? Where has somebody gotten into trouble with this? Or where has this created, you know, ethical problems somewhere else? So getting them to reflect on that is, like huge part of it. I put them in roles. For example, say, hey, you’re the network administrator, or you’re someone selling legacy software, right? What are your responsibilities, you know, when something bad happens? And so it’s kind of dealing with all of these ethical questions like that. Kind of bringing the tools alive, is a huge part. And I would never do that without doing some of that work as well with students.
Steve Maresca 12:00
Really important.
John Madura 12:01
Yeah, yeah. It’s, it’s like, again, it kind of goes back to the purpose of this, which, you know, the weakest part of, I feel like, of any system is the human. And so if I neglect that part of it, right? Am I not? I’m not doing my job anymore, right? I’m just sort of teaching kids to break into stuff, right? That’s not really the…
Jason Pufahl 12:18
So I think we’ll spend some time on the, you know, how do you, how do you train the human, I think, in upcoming discussions, but diving in a little bit. So you talked about you have a data science course. Yes, you’ve got a cybersecurity course. You’re doing some programming. Do you find your students really gravitate toward one particular discipline? You know, is cybersecurity the favorite? Is, you know, programming the favorite? I’m, you know, I’m kind of interested in a little bit of a discussion around what, you know, what things do you see students gravitating towards as employers, you know, what types of things, you know, I’m imagining, AI must come up all the time, right? But in some way that they don’t really know what that actually means, or what it means for a career. They dive into that a little bit.
John Madura 13:02
Yeah, so I can speak to that. All the new courses that we’ve unveiled in the last couple of years have been wildly popular, so that, I think speaks to the sort of general just need and desire for students to kind of understand this world they’re spending a lot of time in. And I think they’re seeing jobs that are connected. You know, we had Jeff and Matt come down to our high school talk to students making those kind of real connections. That’s like, “Hey, I’ve seen this tool in class. Wait, I could do this as a professional, right?” I mean, so that’s a really big piece, and they do work as like, kind of like elders of the community to say, “Hey, this is how we function as professionals,”
Steve Maresca 13:45
Right.
John Madura 13:46
That filters down to some of your behavior, but you could also be a professional like us as well.
Jason Pufahl 13:51
And there’s nothing more glamorous than a cybersecurity professional.
John Madura 13:54
I mean, seriously, they do think it’s really cool though.
Jason Pufahl 13:57
Yeah, I have no doubt.
John Madura 13:57
It seems magical. And that’s sort of one of the gaps we’re trying to break is this sort of magical jump from, like, being a consumer of what’s out there to being someone who really knows what’s going on.
Steve Maresca 14:09
It’s, it’s mysterious and powerful in the eyes. Yes, it’s, you know, elevated in terms of the Hollywood portrayal, right?
John Madura 14:17
Yeah, there’s that!
Steve Maresca 14:17
So there’s, there’s some sort of appeal, yeah, even though it’s maybe poorly defined from those areas.
Jason Pufahl 14:24
We talk about the Hollywood piece all the time. Part of our training always is this image of a hacker and a hoodie, right? That’s stereotypical, but people think these are hugely technical, wildly complicated, probably charming in the social engineering sense, and then you encounter most of the real world people like, wow, all right, this is who I’m working with, right? But you know, tech be having this incredible technical acumen isn’t, isn’t the only thing that’s important in in succeeding.
Steve Maresca 14:55
So away from the mystery of what is driving interest?
Jason Pufahl 15:03
Yeah.
Steve Maresca 15:03
I mean, we’ve seen waves of this for the last 20 years. But what is, what is the current crop of students? What’s the current cohort interested in? I think, you know, if I had to pick, I think they’re, they’re fascinated with the cybersecurity course, for sure. I think, like the interesting factor that may get kids not to do it is they feel like that technical jump. They see these people doing like that, what you see in the movies, but they definitely want to know what’s going on. And we’ve sort of pitched the course as this kind of dual angle of like, hey, being good digital citizen with some agency. That’s what I think, is drawing them. That’s what’s making them interested in it is the the opportunity to become like an active agent in the world that they’re really kind of confused by a lot of times, and they see behavior that may be in school that is different online, right? And why? And why does my, why does somebody fall for a silly spam email when that seems obviously not legitimate, right? But like we talk about the social factors and the psychological factors that make you, in a moment, be a little bit more susceptible to something like that. And it’s I think, like them understanding, connecting the like mystery, the black box piece with something I could actually do and perform on there instead of just consume – that’s a big driver. Plus, they see some of the, you know, salaries and that sort of stuff, and they want a skill so be able to do stuff. Yeah, silly, quick reaction question. Are students or adults in your sphere more capable of detecting some of the things we’re talking about from a phishing standpoint? Who finds it first?
John Madura 16:49
Great, great, great question. Um, well, I think the students are a little bit… Boy, that’s a good one. Um, I think that. Okay, I’ll put it this way. I’ll answer it this way, because it’s really tough to pick. I would say this. I think the students think they’re better.
Steve Maresca 17:06
Okay.
John Madura 17:07
That’s what I would definitely say. Because I don’t know about you guys, but we have, in the last like, probably six months, seen an uptick in the phishing emails. Absolutely. Yeah, right. Like it’s been almost more than the past four years combined. It’s a fire hose. Yeah, it’s in so one of my favorite activities is to share the ones that get through our systems with the students. And I will always find out somebody clicked on one, and I’ll be like, would you click on this? And they would never be, “no.”
Jason Pufahl 17:36
That’s crazy.
John Madura 17:37
I know better. But you know, we’ve done a phishing exercise where we’ve used the social engineering toolkit, and you’d be surprised how well they easily they fall for it. And so I think they think they’re better, they think they’re more savvy. But I think with AI generating some of these, you know, phishing emails, it’s it’s also getting harder to detect for them as well. It’s getting very sophisticated.
Jason Pufahl 18:03
Yeah, and I think they’re, you know, I’ve got my own 18 and 16 year olds, and I know they aren’t really slaves to their email, so that’s a help, because they’re definitely not in their inboxes, but, but I suspect actually sort of your SMS and, you know, text phishing is probably more effective for that age group, in a lot of ways, they’re gonna they pay a lot more attention to texts than emails.
John Madura 18:24
When things get through, they definitely do. I think, you know, there’s certainly, as a professional, a teacher, in there, you’re probably a little bit more apt to maybe click on some things, because you’re like, hey, this sounds like it’s part of my job to do that urgency, right, to click on things. But I don’t know, it’s a good question.
Steve Maresca 18:41
I mean, sometimes, in my opinion, with my seven year old, hope she doesn’t hear this at some point. But there’s a perception that the app is in the box. It’s in the tablet. Yeah, there’s an awareness that there’s an outside world involved is sometimes actually lost.
John Madura 19:01
Absolutely.
Steve Maresca 19:02
And honestly, teaching that is really hard. I don’t know if any of that applies, but simply understanding where the data flows and what you’re giving away or what you’re keeping is, I think, fundamental to a lot.
Jason Pufahl 19:13
So I think we should table that. So here’s the fear. We knew this was going to be a problem, right? Well, we roll in here. Next thing, you know, an hour goes by and we’ve got all our series. I think, I think that would be a great discussion for them. Really, really, queue that piece up. Yeah, that’s a good one, because there’s, you know, there’s another 20 minutes, but, you know, and I think we wanted to try to constrain this one a little bit too, you know, your background and maybe some of the things that students are interested in. But yeah. I mean spending, spending time on, you know, how do you teach students to be concerned about their data? How do they, how do we kind of really drive home that, you know, they’re all about the data that they create, that they are, that they have, and being mindful of that, I honestly think privacy and security is not top of mind for most young people.
John Madura 20:10
No, not at all.
Jason Pufahl 20:11
Yeah, so we’ll focus on that, and you’ll probably, as soon as you have a month or two, we’ll have you back. I don’t know. I don’t know. Like I said, we really could go around here for quite a while. So I think I’ll end and just really thank you for joining because I knew, I knew this would be fun when we met.
John Madura 20:28
Absolutely.
Jason Pufahl 20:29
I’m keen on what the upcoming conversations will be. Steve and I have had a couple of sort of young people and I guess, sort of security, tangential conversations, but candidly, not with an actual educator.
John Madura 20:43
Yeah!
Jason Pufahl 20:44
I’m really, I’m really keen on having somebody in here who can bring that perspective.
John Madura 20:47
That’d be great. Yeah, I loved this, it’s been a great conversation. Lots of fun.
Jason Pufahl 20:51
Well, thanks for joining. And, you know, a lot of our listeners have kids, so if you’ve got questions, you know, reach out to us, and we’re happy. We’re happy to sort of field them to you. We’re happy to add them to a future discussion, and we’ll go from there. So as always, thanks for listening. Thanks to both of you for joining. Thank you.
Narrator 21:08
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant. Stay resilient. This has been CyberSound.