Meet Our Instructors: Developing a Hacker Mindset with Chris McMahon
Cybersecurity expert Chris McMahon (and CodePath’s instructor) had always considered himself a tech-native. He grew up interested in computers, and by the 1990s, he was building his own websites. His interest and proficiency parlayed itself into a career as a software engineer. In a past life, Chris worked as a backend developer for major corporations like Citigroup and IBM. At one point, he even served as a VP of Systems Engineering at Bank of America.
Given his background in fintech, Chris understood the need for secure systems to help protect others’ valuable information. By all means, it would be an understatement to say that Chris was tech savvy. But when Chris found his personal systems compromised by an ex-partner, he was forced to re-evaluate his approach to cybersecurity.
Since this painful event, Chris has sought to help others rethink cybersecurity. One of the manifestations of Chris’ effort is CodePath’s Intro to Cybersecurity course, which will be taught this Spring semester to nearly 1,000 college students across the US. Alongside Alex Stamos, the former Chief Security Officer at Facebook, Chris helped CodePath develop Intro to Cybersecurity’s curriculum in a way that would give future software engineers and cybersecurity specialists the “hacker mindset” required to succeed in the rapidly changing landscape of information security.
Back in December 2020, I got a chance to chat with Chris and learned how Chris’ personal experience shaped his re-learning of Cybersecurity, as well as how he’s oriented Intro to Cybersecurity to be a survey of methodology and problem solving.
You can read our conversation below. (Note: edits have been made for brevity and clarity.)
My questions are in bold, while Chris’s answers are italicized.
Why did you design the Intro to Cybersecurity course the way you did?
We [the team at CodePath] wanted to offer something in the security space to engineers. It was a strong interest of mine already. And I had a lot of knowledge that I felt wasn’t well represented in the materials that I encountered while learning it. A lot of the educational and training materials on cybersecurity that I encountered were really geared towards enterprise solutions with only corporate use cases. I was really concerned with the individual and what could be done on the individual level. So I wanted to address that gap.
I also think that offensive security, in particular, is something that was not taught to me as a coder; we learned defensive security. We learned defensive coding, how to harden our applications, and how to protect against common exploits, but we never really learned what those exploits were beyond maybe a cursory description. And the best way to actually understand the vulnerabilities is to perform the exploits oneself.
That creates a security mindset that will take an engineer a lot further than learning XYZ defensive coding techniques that will likely be obsolete very soon or will be subsumed into the platform that they’re building with. But if you think like a hacker, and have that security mindset, then you will constantly be looking for potential issues that need to be addressed, and you’ll have a much more holistic advocacy for security, even in your own work, even if that work isn’t security-focused. I wanted to give students that hands on experience and share the joy that I got from my own learnings.
You mention being concerned with the individual. What sparked your interest in cybersecurity at an individual level?
It was definitely something that I was always interested in. And it was something that I always had to work with in the context of my job. But again, all of the security training that I received was very enterprise-focused, very much about protecting a company or an organization and its assets and its intellectual property, and not really focused on the end user.
And then, some years ago, I was in a relationship with somebody, and that relationship did not end well. This person worked with somebody to compromise my system so that she could spy on me and did that for some time. And it was a very difficult time, and it felt like a big betrayal. But that formed an effort to understand, “How could this have happened? How is this done?”
In order to understand that, I started by asking, “What are all the possible vectors?” so I started making an inventory of all the potential vulnerabilities of my own digital footprint. I was stunned at how many different ways there were to compromise my setup, how even my very small digital world had a whole lot of vulnerabilities that were inherited by the infrastructure that I was using.
I was already doing a lot of the very basic things that we’re all told to do, like not to reuse passwords, use a password manager, use two factor authentication, all of that advice had gotten through. But there was this whole other level of hygiene that I had to learn in order to really make sure that I was protected to at least a reasonable degree, and then to honestly confront the possibility that no matter what I did, there was always going to be some level of vulnerability.
It was interesting to me just how much of the advice I had gotten proved to be useless in my particular situation. It also really opened up the idea of assessing and modeling a threat based on the [hacker] and what their likely intentions would be and what that meant for my security posture. What happened to me was very personal, and very personally challenging in a way that viscerally taught me the lesson. But it inspired a deep kind of learning that I would not have pursued if it were just an ordinary interest. The stakes felt really, really high after this happened. And that drove a lot of learning that took me very far.
And it really informed a lot of my perspectives about, “who is security training for and who is benefiting from this training, and what are the implicit assumptions in any kind of training material that I’m working with? What may be important to an end user?”
A lot of these questions got opened up like this, and it ended up being an incredibly valuable and transformative experience, albeit initially a traumatic one.
It also created a deep empathy in me for other victims of stalkerware and things like that, many of whom are women. My experience [as a man being victimized by this type of cyber crime] wasn’t really standard.
And I see that their needs are not being met. Again, because the threat models around stalkerware, in these kinds of personal attacks, aren’t being taken as seriously or are not as high of a priority because there’s not as much capital at stake. Since I have been involved in security, I’ve been contacted by a lot of people who have been targeted in similar ways, typically by ex-partners, but sometimes family members. And they have nowhere to turn, and they don’t have good sources of advice.
Within cybersecurity, is there any specific niche that you’re particularly enthusiastic about?
I really love research into vulnerabilities and exploits. A few months ago, there was an amazing writeup about an iOS exploit published. A researcher named Ian Beer with Google’s Project Zero demoed it and published a really beautiful explanation of how he was able to take over an iOS device without any user interaction, without physical access, without even having to be on the same Wi-Fi network, by leveraging one of iOS’s core features when it comes to sharing. It was just a beautiful exploit, and even more than that, the way that he has presented it and documented it. He was very clear about what was involved in the exploit. The way that it was presented was accessible, so that you didn’t have to have his level of knowledge to really understand his work. I think that’s a sign of someone who cares deeply about this stuff and about other people seeing it and understanding and engaging with his work. And that really lights my fire, I love that kind of thing. So when a really brilliant researcher publishes original work, and I see that person get recognition not just in monetary form (from Apple in this case), but also from the rest of the industry, I love seeing a job well done like that.
What are some of your current career aspirations?
[One of my aspirations] is to translate my love of technology into something that is effective in terms of communication and demonstrating how security breaches can happen. I really love working with CodePath because ... I have this really amazing opportunity to interact with people at the beginning of their career, when they’re making choices that will alter the trajectory of their entire career.
That small choice made when you are studying engineering in college could result in something phenomenal happening. Being a part of that process and working with people at that stage is really rewarding. So a lot of my aspirations are to do that effectively, to open up the accessibility of technology. Particularly, making cybersecurity more diverse and helping support engineers from diverse backgrounds. More women, more minorities, more people that didn’t or don’t have the same resources and advantages that I have had, but have every bit of the aptitude and passion it takes to succeed.
Finding a way to democratize the resources so that they reach more people that don’t normally have these types of advantages is an aspiration of mine, too. And that’s one of the reasons why I really believe in CodePath’s mission.
What are some outcomes that you’re looking for in this course?
As I said before, I really want to encourage development of the security mindset, the hacker mindset. I really want to instill that, because training — any type of training — can’t address all areas of security, it certainly can’t address all of them in sufficient depth. So Intro to Cybersecurity is more of a survey in that sense. Rather than imparting specific knowledge, a big part of what we’re trying to do is raise awareness of the myriad ways that security impacts engineering. Instead of giving students a better fishing net, we’re teaching them how to think like the fish that get through those nets.
We could teach X number of vulnerabilities and exploits, which we do, and we could teach a certain number of defensive coding techniques, which we also do, but that will never be sufficient on its own, partly because it would be impossible to be comprehensive, even if things weren’t constantly evolving, which they always are. So, creating the mindset is really important, and that’s what we’ve tried to work into the course beyond all the techniques.
What would you say is your favorite part of your job?
One of the things I’ve really enjoyed in the past is being a mediator between people that aren’t technology natives but are stakeholders in a business or a project, and people who are technology natives who are used to communicating solely within that paradigm, and maybe don’t relate as well to people who can’t. So serving as a bridge between those two worlds, that problem comes up again and again. And I really enjoy being in the midst of that and facilitating dialogue between those two kinds of parties.
What advice do you have for people aspiring to be in your current position?
My primary advice would be to find the thing that lights your fire intellectually. Almost all of us have this experience where we will go down a rabbit hole, where we’ll be reading and we’ll look up and hours have passed. Or maybe we stay up way past our bedtime because we want to solve this one problem, or we want to finish this one thing.
So my first advice is try to get as clear as you can on what those passions are. And it doesn’t have to be some big overarching passion, it can be a very specific micro passion that seems impossibly niche. But if you can collect a few of those, you can kind of start to assemble them together into a larger overarching passion.
Finding what drives you will galvanize the kind of learning and proficiency that will help you stand out no matter what you’re doing.
A fun final question for you: if you had a million dollar windfall, what would you do with it?
I’ve been asked this a few times, and I’d like to turn it on its head and say, “What are the things that I could do right now, that I would still be doing, even if I had a million dollars?”
I always think of what wouldn’t change, which helps create that dream world without needing the million dollars. So I would still be really interested in security. I’d still spend hours trying to understand something like that recent iOS exploit. There’s just something so joyful about that to me. I would still follow my fancy and go down different technological rabbit holes, about not just security, but all over the space. I would still really be interested in seeing the opportunities for elevating the communication that is happening between different players and stakeholders both in and out of the field.
Thinking about the question in that way lets me create that world right now, every day, without needing the winning lottery ticket.
CodePath’s cybersecurity course is offered both remotely and across nearly 25 partner universities and colleges. For more information about CodePath and our courses, visit www.codepath.org/classes.