Cybersecurity Awareness Month is a collaboration between government and private industry to raise awareness about digital security and empower everyone to protect their personal data from digital forms of crime. The Department of Information Systems is participating by profiling faculty and alumni over the course of the month who specialize in cybersecurity with their teaching, research, and work.
Chuck Miller ’11, musical composition, M.S. ’23, information systems, is a Falcon Complete Associate Analyst with CrowdStrike, Inc. A recent graduate of our Online MS program, Miller is active in the InfoSec community. He recently presented at DEFCON31 and mentions how all the televisions in the hotel were hacked during the event. Miller also talks about how he transitioned from a musical career to cybersecurity and how he got involved with fundraising for the American Cancer Society.
Information Systems: You are a recent graduate of our Online MS program. Can you talk a little bit about your experience at UMBC and how you decided to join the program?
Chuck Miller: A fellow alumnus from the UMBC Music program graduated from the MS in IS program a few years before I enrolled, so I got to see the benefits he experienced in his life and career firsthand. Tech is something I’ve always done in an effort to support my passion for music, but balancing the two in that way ultimately left me feeling unfulfilled in both. There were a lot of things in my life culminating in the decision to try and pivot into Cybersecurity: a dead-end tech sales job, my recent marriage and commitment to help raise my two wonderful step-daughters, and a loss of interest in the music I’d once felt so driven by. It was definitely one of those proverbial “sink or swim” moments in my life where I had to figure out a way to start providing something better for the ones I cared about or we were never going to get out of poverty. I’m very lucky that I find InfoSec (Information Security) so interesting, but the decision was by choice and hinged upon the MS in IS program. I supplemented my degree with multiple relevant certifications to help fine-tune my resume to exactly what I wanted, but the comprehensive courseware at UMBC was at the crux of this career change. Not to mention, two out of the three certifications I got have exam prep courses within the program (Net+ and Sec+).
With any academic endeavor you very much “get what you put in,” but during grad school I put in a ton of effort and received so much more knowledge, support, and expertise from the professors than I ever could have expected. Dr. Michael Brown was kind enough to co-author my first academic paper with me and even flew out to Vegas to help me present it at DEFCON31. It’s that kind of support and expertise that I will remain eternally grateful for. My life and career (and bank account) are completely different than they were 3 years ago and that 100% began with the decision to enroll in the UMBC Master’s in Information Systems.
Information Systems: Was it important for you to attend fully online?
Chuck Miller: Yes, absolutely. I wouldn’t have been able to attend the program without it being entirely online and, similarly to my experience with working from home, I was able to focus better, study harder, and put more hours in. I will say though, the onus of attendance falls entirely on the student when the courses are fully remote. There’s nothing wrong with needing the structure of a classroom to keep yourself on track, but if you have the self-motivation to stay focused and driven when no one is watching, I cannot think of a better option for would-be tech professionals that are too busy to attend class in person.
Information Systems: You went to UMBC for your undergraduate degree as well, majoring in musical composition. What led to the change to pursue information systems and cybersecurity?
Chuck Miller: Initially my decision to get into tech right after undergrad was a financial one. Healthcare, paychecks, 401ks, etc.; those don’t really come with most music industry professions. As the years went on I became increasingly disenchanted by both the music industry and music academia. Rules and art hardly mix outside of a classroom and I’d lost the energy (or desire) to try and untangle that mess to figure out how I fit into it anymore. It was a terribly depressing place to be, losing my interest in music, but it’s really only in those moments where you realize what’s most important to you. Once I made the conscious decision to get passionate about tech, to hyper-focus on cybersecurity, to start reading hacker blogs every day and get excited about cool new discoveries in the field, I also regained my love for music. I keep my guitar right next to my desk and practice more now than I have since undergrad. I just do it with fun tech YouTube content playing at the same time.
Information Systems: While you were in graduate school, you worked on a research paper with Dr. Michael Brown and in August 2023 you presented this research at DEFCON 31 in Las Vegas. The presentation is titled, “Domain Fronting Fuzzing: Using Python Scripting to Identify Frontable Proxies in the Cloudflare and Azure Clouds.” Can you talk a little bit about this and how the idea for this topic came about?
Chuck Miller: I think part of what helped us get into DEFCON was just how organically this topic came to fruition. During my senior capstone class with Dr. Augusto Casas I was allowed to pick the topic for my paper, so I reached out to a friend of a friend who’s been a Penetration Tester for over a decade and basically asked “what should I write my paper on?” He said something like “I have allegedly had some success with Domain Fronting, try that,” which I still find hilariously coy.
I spent the next 2-3 months reading literally every single research paper I could find on the topic and watching every single YouTube video put out by other security researchers on domain fronting. Seems silly now, but I even found a “text-to-speech” app that would read papers to me so I could keep researching while at the gym. I was seriously down in it, haha. I was trying to recreate the findings from security researchers like Raphael Mudge and Vincent Yiu using Python automation when Microsoft came out in November 2022 saying they blocked domain fronting on all Azure products. I pointed my little Python app at Microsoft.com and got 6 domain fronted packets successfully returned. Still to this day, I feel like this discovery pales in comparison to the complexity of the other research presented at DEFCON, but holy cow was I excited to get those first true positive responses. I have a feeling this might be true for most researchers, but nowadays I’m much more excited about the next step in the discovery process. The paper serves as a proof of concept, but I’ll be much more excited once we turn it into a full-blown privacy solution.
Information Systems: DEFCON is known for its lively atmosphere and engaging activities. Besides being able to present your work, what were some of the highlights of the conference?
Chuck Miller: The other presentations and the workshops! It is so jam-packed with cool things to learn that there’s hardly time to get from one presentation to another, and if you’re attending a presentation you’re missing another one happening at the same time. There are people there truly breaking the barriers of research and discovery in tech and they’re so excited to talk to you and teach you about what they’ve learned. I didn’t get to see it because the line was across the building, but the Social Engineering Village had a live competition where volunteers would cold-call customer support centers in front of a live audience and compete to see who could extract the most confidential company information. If that’s not the most DEFCON thing you’ve ever heard I’m not sure what is! Well, that or the fact that anyone who connected to the Apple TV in their hotel rooms got hacked. I’ll be going back next year as an attendee for sure.
Information Systems: In addition to your work with CrowdStrike, and presenting at conferences, you work directly with the American Cancer Society and Apex Systems to host the quarterly Gamers vs Cancer eSports tournament series on Twitch. How did you first get involved with fundraising for the American Cancer Society via this eSports series? What is your fundraising total to date?
Chuck Miller: Actually, the way I got the gig hosting these tournaments on Twitch was after competing in one of their tournaments a few years ago, my team got so completely obliterated that I decided to find another way to participate that didn’t involve getting my butt kicked. It just so happened that I knew the employee at Apex who was master-minding the entire thing and asked her if she thought they could benefit from someone hosting the event online. I had already been running my own Twitch channel as a hobby with my stepdaughters at that point so it wasn’t like I had to buy anything new. Besides, the content basically writes itself. All I do is show up, talk trash, interview some of the bravest people you can meet, and have fun. Apex Systems has raised over $1 million for the American Cancer Society and Gamers vs. Cancer broke $10k just before our last tournament in April. The $10k may sound small, but let me tell you, going from 3 average viewers to 30 feels big. Going from just entry fees as donations to making nearly $5k in a night feels bigger. I love this little project so much and we’ve got Fortnite Zero-Builds coming in December so find me on LinkedIn if you want to sign up!
Information Systems: October is National Cybersecurity Awareness Month. Could you share a few cybersecurity tips and tricks that our community can follow to protect themselves online?
Chuck Miller: The best tip I can think of is to stay curious. Google is the most powerful resource on the internet with ChatGPT hot on its heels. I have spent countless hours Googling questions and asking ChatGPT to “explain this concept to me as if you were an expert in the field.” Never in the history of humanity have we had such widespread access to such truly potent and reliable research. You can, without hyperbole, become a competent hacker by watching YouTube and reading blogs. I highly recommend structured courses and certificates too, but it’s definitely possible. Go chase the rabbit down the hole and let me know what you find at the bottom.