CyberWire Daily - Ian Blumenfeld: Swimming in a pool of cyber. [Research] [Career Notes]
Episode Date: November 19, 2023Ian Blumenfeld, a Research Director from Two Six Technologies sits down to share his story with us. Ian begins his story by sharing he wanted to be a scientist, slowly he began to figure out and pinpo...int more of what he liked about science, which ended up being math. Ian explains how math began to become a passion for him, and he eventually tried to pursue a career in it by teaching. He discovered teaching was not the thing for him and then started to move into the direction he wanted too, taking on more and more challenging roles until he landed where he is today. Ian says "If you're a smart person and you have skills in coding, you can swim. So it's okay to jump. It's okay to jump into the lake, you can swim. Something will get you out. You will have, you will be able to find a job. So, if you see something that looks cool, if you see something that advances you to the next stage of your career, if you have to take a little bit of a risk, it's okay." Ian wants to be someone who helped make the world a little better when it comes to code and wants to shares his desires and passions with the community. We thank Ian for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024. These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Thank you. Learn more at zscaler.com slash security.
Hi, my name is Ian Blumenfeld, and I am the Research Director for High Assurance Solutions at 2S6 Technologies. I always used to say when I was a kid, I want to be a scientist.
Actually, I remember when I got my first business cards,
when I worked at CyberPoint, actually,
the first time I ever had business cards in my life,
I got them printed and my job title was scientist.
And I was like,
sweet, I did it. I wanted to frame my business card because I had achieved the goal of becoming
a scientist. So when I got to high school, I was like, I really want to study chemistry.
And I did chemistry and I really liked it.
And I realized after a while playing around with chemistry that the part of chemistry that I really liked was called physics.
And so in high school, I decided I changed.
I was going to be a scientist, but I wasn't going to be a chemist anymore.
I was going to be a physicist.
I got to college and I started out and I wanted to be a physics major. I played around with physics for a while and the part of physics I really liked was
actually called math. And so I ended up switching my major from physics to mathematics. In my first
semester of college, I kept getting more and more abstract, right? So I went from more concrete to more abstract, and I just kept going and going and going until I was just dealing with problems in like sort of pure logic.
And that's kind of what I wanted to do when I got to grad school.
And kind of that's what I did study in grad school.
Well, so I got out of school.
It was a very strange circumstance.
I ended up leaving grad school before I finished my PhD.
I was ABD.
I was in some personal life situations that led to me leaving early.
And I left and I became a high school math teacher
because I didn't know what else to do with my life.
I like to joke that I did not have the temperament to be a high school teacher.
I found this guy named Jim, and he had worked previously as an NSA mathematician. And he said,
Ian, you are not happy as a math teacher, but you know what would make you really happy
if you were an NSA mathematician? And I said, Jim, I don't know anything about cryptography.
I don't know anything about computers. At the time, I really didn't know anything about computers.
And he said, well, why don't you apply and take the test and see how you do? And so I kind of
decided that I wanted to try to move on from teaching and see if I could try another career,
you know, see if there was something else for me. I went through, I took the test, I did my interviews, you know, I went through all of the security clearance stuff and
I got hired and I started at guy who is still at NSA.
His name was Sean.
And Sean did a little bit of, he did logic from the computer science side.
And I had done logic from the mathematician side in grad school.
And he worked for this part of NSA called the National Information Assurance
Research Laboratory,
R2. And he
was like, Ian, you should come do a
tour with us.
And what we did in R2
was
we looked at various
and sundry pieces of cryptographic software
implementations or specifications.
We made sure that the software was doing what the specification did.
And I kind of fell in love with that because I just loved the idea
that there's code everywhere and it's buggy and it's broken.
But sometimes something is just so important,
you can't just test it.
This R2 kind of work. I did it like four times for four different offices, including it. This R2 kind of work.
I did it like four times for four different offices,
including it actually in R2.
And then I got hired after my development program,
I got hired directly into R2.
I was in MSA for probably like four and a half years about.
And then for a variety of silly reasons,
a lot of folks in MSA do this,
they eventually end up leaving and going and working for,
going and becoming a contractor instead.
And that's how I ended up at CyberPoint.
So I took the job at CyberPoint.
And then I think I worked there for,
I worked at CyberPoint long and often.
I've actually bounced around a few defense contractors,
including a place called Galois,
which worked with us when I was at NSA.
And then Johns Hopkins Applied Physics Lab,
I went to after a while.
And I was there for about two years.
I got a call from an old friend of mine
who had worked with us when I was at Goveye and said, we need someone here at Apple who knows both formal methods and formal verification, like the high assurance stuff I did, as well as cryptography.
And the person I thought of in the world who knew this stuff is you. And I said, well, I had never considered working at Apple. Like that's not a thing that I thought was in the cards for me.
I said, okay, let me see. I'll interview.
And so I did. I interviewed at Apple and I got the job.
And it was really a tough choice whether we wanted to move
because we had to move to Cupertino in California, which was rough.
It was really far from family. But we decided to go on a little bit of an adventure. And we went out there for
a couple of years. You know, personal stuff, you know, sort of said, you know, I think I want to
do this. I love this work. It's really fun. It's really impactful. But I really need to be on the
East Coast. I got a call by a recruiter who sort of told me that this company
called Two Six Labs was setting up a new group and they really wanted to study cryptography.
And would I come and be like the first employee? And I said, okay, but you guys don't have very
much work in that area. And like, well, yeah, you're going to win it for us. You're going to
go build it. And I was like, well, let's give it a try. And I joined and I was working on other
stuff. I wasn't working on the sort of my stuff that was really in my wheelhouse it a try. And I joined and I was working on other stuff. You know, I wasn't working on the sort of my stuff
that was really in my wheelhouse for a while.
But about a year into my tenure at Q6,
and this was around 2019,
we started winning stuff like left and right.
We're winning all these contracts in my field
in informal verification.
And it was just like, oh, well,
I got to start hiring people now
because I have all these titles to work.
I guess I'm in charge of some people.
So I started like calling up all my old friends and I started being like, do you want to come work with me? And we started hiring and we did that for about, you know, did that for a little
while and the pandemic hit and then it was like, okay, well, that was weird.
I have been phenomenally lucky in my life.
And I don't want to presume that everybody else will get as lucky as I got.
But here's what I have to say.
If you're a smart person and you have skills in coding, you can swim.
So it's okay to jump.
It's okay to jump into the lake.
You can swim. Something will get you out. You will be able to find a job. So if you see something that looks cool, if you see something that advances you to the next stage of your career, if you have to take a little bit of a risk, it's okay. Because we are a very lucky group, us tech people. You have a lot of safety nets,
and I recommend you use them by taking more chances than you think you might need to, or might want to. I like to make it so that people think of me as someone who helped turn a world where
there was just a lot of places for people who could do bad stuff into a world where
it was really hard for them to do bad stuff.
I sort of have this philosophy in my group that we always say people first,
science second, money third. And, you know, all three are important when you're running a company,
but I think, I hope from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.