Interview: Security Consultant Moriah Tobin

Deja vu Security’s team members have observably distinct backgrounds: Our staff hails from all over the world, and can do everything from hack your car to design buildings. One—a Security Consultant named Moriah Tobin—can operate a nuclear reactor.

Tobin has been with Deja for a little over a year and is currently leading security assessments of some of the most prolific technologies in the world. But she didn’t start out as a hacker. In fact, she had wanted to be something entirely different from the time she was thirteen-years-old: a physicist.

Tobin got her bachelor’s degree at Reed College—a private liberal arts college in Portland, Oregon. Reed might be small in stature, but the way Tobin describes it, it seems to have big things going for it. One of those is its personality. She explains that the “unofficial seal” of Reed is “communism, atheism, and free love,” and that it’s a “hippie school that focuses on critical thinking skills.” She says proudly, “I loved that everyone was very bright and passionate, and I’m still close with a lot of them.” A second big thing Reed has going for it? Its nuclear reactor.

Reed College is known for having the only nuclear reactor in the United States that’s operated primarily by undergraduate students, and Tobin—a physics major—was one of them. “I had a senior operator’s (SRO) license, which took me two years to get. I got my licenses because it seemed like an amazing opportunity, and I was going to take advantage of an amazing opportunity when it came my way.”

At one point, Tobin noticed that the reactor’s energy spectra had, to her knowledge, never been measured, but that being able to do so was key to conducting future research. So to prepare for her undergraduate thesis, she designed a brand-new standard operating procedure for the reactor. Then, for the thesis itself, she compared the energy spectra of the neutrons at the top of the neutron beam to the ones in the middle of the core.

But one of Tobin’s favorite parts of working at the nuclear reactor had nothing to do with designing world-changing experimental research setups—it was teaching other, non-experts, about nuclear power, and making what she considers important scientific knowledge accessible to non-technical audiences. She described a somewhat gross but highly amusing event the staff at the reactor used for education: “We would have high school students come in to learn about nuclear physics and radiation, and we’d tell them to bring in their parents’ fingernail clippings. We were able to show them how precise neutron activation analysis is by analyzing the clippings for microscopic levels of gold and correctly indicating which of the clippings came from their parents’ wedding ring fingers.” This neutron activation analysis technology can also be used in things like archaeology, where, for example, scientists need to be able to verify what exactly is in a clay sample at an excavation site, so they can learn about ancient trade routes connecting to the area. “People have a lot of cultural fear of reactors and radiation, so by seeing some of those things and learning more [about what nuclear technology can do], we can alleviate that fear. I even like talking to people in airplanes who tell me things like they’re worried about their microwave. I think everyone should have access [to scientific information] and not feel like someone’s talking down to them.”

After her time at Reed, Tobin moved to the Midwest to start her PhD in neutrino physics at the University of Wisconsin Madison. You might think there’s no way she could do anything cooler than operate a nuclear reactor, but you’d be wrong. While at UW Madison, Tobin worked for the Icecube Neutrino Observatory, which conducts research on neutrinos at the South Pole–an observatory which earlier this summer confirmed for the first time a specific origin for cosmic rays that hit Earth. Tobin describes her experience on the project: “We used hot water drills to bore holes through the ice, and then there’s not-quite-two-miles of cabling connecting the detectors leading them down. This had to be constructed with a lot of fail-safes, because once the ice freezes, there’s no going back down to fix something if it breaks. And when you have that much cabling, you have to make sure your cabling is strong enough to carry the weight of that much cabling.” (Knowing that last part sounds confusing, she smiles and and waits for it to register.) “Every twenty-four hours we got satellite data for the detector, and then once a year we would get tapes that had to come by boat. We had custom-made software on the experiment that used C++ and Python, and we used that software to analyze the data that came in.”

This is when Tobin first became interested in in-depth programming. “I thought I was going to continue in physics, and a lot of that data analysis is done using programming, so I wanted to make sure I developed all my technical competencies in order to be an effective researcher and mentor to other people.” Surprising no one, this physicist who’d developed an entirely new operating procedure at a nuclear reactor as an undergraduate also ended up changing the way this international observatory did things: She noticed it had no internal training program for the C++ portion of the custom-made software they used in their research, so she advocated for one until they implemented it. “I thought it was very important,” she says matter-of-factly.

Unfortunately for physics but fortunately for cybersecurity, Tobin eventually decided she didn’t want to be a physicist anymore. “I struggled to come to that realization, because I’d wanted to be a physicist since I was in eighth grade. But I didn’t want to write a [dissertation] I didn’t care about. It’s more important that I keep learning things that are interesting.” Having studied a fair bit of programming to work with highly technical physics research data, Tobin pivoted into computer science. “I like making things. I used to do ceramics, and I’ve taken machine shop courses. I used to do carpentry for fun in my friend’s basement during grad school. I also like to do things I feel have a positive impact on the world. I felt like I could do both those things through programming.” While studying for developer interviews, she found a reference to a security textbook and started reading it “for fun.” Her next step took her to a meetup for women in cybersecurity, where she found someone who wanted to help her out. “[This other attendee] said, ‘Tell me more about your experiences,’ and by the time we were done talking, she’d asked for my resume.” This helpful new acquaintance turned out to be a Security Consultant at Deja vu Security. Tobin’s been with the Deja team ever since.

How does a scientific researcher fare as a hacker? Turns out, pretty well. “There are a lot of ways in which security consulting is similar to research. You need to evaluate and understand weak points, and how to attack those based on how they’re related to others. And communicating highly technical ideas to very different audiences effectively is an important part of research and also of security. If you can’t communicate to a client the impact of a thing you’ve found, you might as well have not found it.” She goes on: “Physics as a field is not about memorization—it’s about taking bits of information you’ve learned and applying them cohesively to new situations. That’s sort of how security consulting works, too. You might have information about all these different topics, but usually the situation is not exactly [what you’ve experienced before]. So you need to transpose those relevant pieces of information to the new situation; you need to combine and synthesize knowledge.” She adds that her math skills from her time in physics have also helped her become skilled in cryptography, a key part of cybersecurity.

Tobin doesn’t have a typical day, but she does have a typical month, since Deja engagements average between two and five weeks, though some can go on much longer. In a typical month, she says she spends the most time on “technical problems—deciding how to approach and attack [vulnerabilities], and then following through.” Tobin is a team lead, meaning she’s responsible for helping organize, plan, and execute Deja’s security assessments. “I have to ensure communication lines are staying open and that the consultants on the engagement have access to the clients’ resources they need to actually do the job effectively. What tests are we going to do, and what permissions do we need to do those tests? Do those test environments work the way we expect them to? And there needs to be communication if there’s a discrepancy between what something’s supposed to do and what we experimentally find.” At the end of engagements, Tobin helps write reports on the team’s security findings—vulnerabilities, observations or “yellow light issues,” project boundaries and limitations, and so on–and then delivers the reports to clients.

Being in cybersecurity has changed many of Tobin’s own behaviors related to technology. For starters, she has two personal computers. One is a “dirty” laptop, which she uses for risky tasks—like if she needs to click links she’s unfamiliar with. She also never logs into anything on the dirty laptop, ensuring it contains no personal information. On her “clean” computer, she does all her banking and other important transactions using one browser, and then slightly less important things but ones that are still tied to her personal information on yet another browser. She logs out of websites when she’s done using them, even when the computers are just sitting at home; she explains in a helpful tone, “Sometimes session tokens don’t expire unless you log out.”

It doesn’t take much prodding to get Tobin to talk about why she likes being at Deja. “I have two favorite things. The first favorite is the people. When I first started working at Deja, the phrase I would use [to describe how I felt] was, ‘The culture was a higher bar than I thought was reasonably achievable.’ As a society we have a tendency to say we don’t tolerate toxic behaviors, but most places don’t walk the walk. I’ve never been in a situation before where I’ve worked with so many people who are conscientious of how their behavior affects other humans around them. I’d love to live in a society where that’s normal, but that’s not the one we live in. Some of my friends have bosses who yell at them. [In some companies], technical skills are valued above people’s ability to work with others.” Principled, Tobin explains, “It’s very important to me to be a part of the world I want to live in.” On her second favorite part of working at Deja: “I get exposed to all different types of technologies, and then all of the different security techniques related to those technologies. You start projects and have to get up-to-speed on all these new things, and even if you’re familiar with all those things, they’re still related to each other in new ways. So you have to figure out how you’re going to attack that system, which keeps you on your toes. It’s a constant learning experience. I’ve said that if I ever stopped growing, I might as well be dead. What’s the point of continuing to exist if you’re not continuing to grow? That’s one of my fundamental drives as a person, and I like being able to very actively live that with the technical aspect of my job.”

Moriah Tobin has gone from operating a nuclear reactor to researching neutrinos at the South Pole, and Deja is extremely proud to have her here with us now, helping secure some of the most important and prolific technologies on the planet.

Come work with Moriah Tobin and other Security Consultants like her: careers@dejavusecurity.com

Hire Moriah Tobin and other Security Consultants like her: secure@dejavusecurity.com