Imagine a world where security guards learn to be robbers first. The guards take a class where they don black masks and smash through a glass case to appropriate jewels, or stick up a bank and zip away.
Once they've demonstrated their mastery of the challenges, and signed contracts vowing to never use their skills for evil, the guards graduate. If they choose, they can seek Ethical Bank Robbing certificates, or can hop right in to a career in security.
That's essentially how many young hackers (the friendly kind) are trained today. The first step for students, before moving into a government or Big Business job where they work to prevent hacks, is to learn the darker side of the trade: exploiting loopholes, thieving from servers, cracking passwords--and not just learning those techniques but actually performing them, in a classroom set up especially for the experience.
The resulting classes--which have been cropping up at universities across the country for years now--are the closest thing around to official, sanctioned training grounds for hackers. With the Department of Defense and private industries looking to protect their secrets, the job's only getting more important.
Pinning down when the first hacking class was taught, or even getting a count of them, is tough. For one thing, they go by different names: there are classes for "ethical hacking," "penetration testing," "topics in security," and more.
One reason for that fragmentation might be that it's not always easy to start teaching one of these classes. Sam Bowne, a professor of ethical hacking at City College of San Francisco, at first encountered concerns about teaching students what's essentially criminal behavior in a consequence-free zone. Eventually, he told the administration that if any students strayed to the dark side, the university could "fire me and that would be the end of the class."
The students in that first class, and Bowne's subsequent classes, didn't use their powers for evil, at least as far as we know. "It's possible that some of them are smart enough to be master criminals and smart enough to fool me, but I kind of doubt it." He adds: "Really my students are not as dangerous as I wish they were."
Although it's hard to find a case where a student in an ethical hacking class was caught up in a hacking scandal, other, similar classes have provoked ire. George Ledin, a professor at Sonoma State University, found himself in some controversy for teaching students how to create malware--the viruses that latch on to computers and surreptitiously steal information. Some anti-virus companies threatened to blacklist any of Ledin's students from being hired. In some ways, what's taught in ethical hacking classes is comparable to Ledin's class, although it is more accepted in academia than making malware is.
Most of the ethical hacking classes share similar methods: a professor sets up a secure server, and only allows students to access it from computers in a designated lab. Those computers are connected to each other, but not to the internet at large. That turns them into the digital equivalent of dissection frogs--real-world learning tools placed in a not-quite-real-world setting. Professors can program the server with common vulnerabilities, and the students, as they learn the tricks of the trade, can hack inside using the skills they learn in the classroom. The names of those skills are esoteric--SQL injection, buffer overflow vulnerabilities, session hijacking--but can be broadly understood as people attempting to break in somewhere they wouldn't normally be wanted.
At John Black's class at the University of Colorado, Boulder, for instance, Black structures the class like a game: students work through a series of "levels," where, after they reach a goal by hacking past defenses, they earn access to the next level. The students, meanwhile, can see what level the other students are on as they go.
Students learn the tricks they need to break past a system's defenses, but not when to use which tricks. In other words, they get the keys, not the locks. "We won't tell them exactly how to do it--they have to go and figure it out," Black says. A student might, for example, use programs to broadly search for vulnerabilities in a computer. Once they find the weak point, they dig in with the relevant tool.
That think-fast concept is taken one step further by Giovanni Vigna, whose Advanced Topics in Security class at the University of California, Santa Barbara inspired Black's. There the learning process is similar, but the class is also a proving ground for what's ultimately a test: iCTF, or International Capture The Flag, a competition where hackers across the world compete in a head-to-head, real-time hack-off. Each team--there were 80 teams of about a dozen at this year's competition--keeps a bit of code hidden on their computers, and every other team attempts to spirit away that code, while simultaneously defending their own. To do that, they need to know the ins and outs of both offensive and defensive hacking strategies. After spending weeks learning to "think about the stuff that the guy didn't think about," as Vigna describes it, they go in to compete against actual hackers.
"Usually they get annihilated, sometimes they do okay," Vigna says.
It's easy, of course, to learn this sort of thing on your own. Sites like hackthissite.org let users learn the hacking process, too. That's not so difficult. "You can be a 14-year-old child and clever and hack into these big, important companies," Bowne says. What matters, he says, are the skills to understand those hackers, then lock them out. But to do that, you have to understand how they think.
Graduating with honors from these classes is one thing, but finding a job afterward is another. Students can take an unrelated class and receive certificates, like Certified Ethical Hacker. Some hirers (like the Department of Defense) require one or more of these certificates, but their merit's debatable. "They're good checklists, but I think that a good security expert is somebody who's been in the field and has experience," Vigna says.
What hacker classes do is give some formality to the process. There are standardized tests in classes (usually), and at least employers have some guarantee their potential hire is on the up-and-up.
As for students straight out of school? Well, they can tell recruiters in an interview that they've taken a class and learned X, Y, and Z. But some extracurricular activities couldn't hurt.
Skylar Sokol was a student in Black's class. He was looking for a career in the industry, and started a hacking club at the university. The team competed in a 10-team, live competition, as part of the National Collegiate Cyber Defense Competition. They took second. Then, something else happened. "One of the people from the company I got hired at ended up coming into our room and giving me a business card," he says.
Sounds a little closer to baseball scouting than corporate recruiting, maybe, but that's not without precedent: the NSA has even gone trolling at hacker conferences to pick up talent.
"I see this as the next generation of locksmiths," Vigna says. Just, you know, the kind of locksmiths that went to lock-picking school first.
Great article that speaks the truth. Amazing how the trend of attacks are going up but the job market is not following for security analyst or penetration testers. I have my CEH and I am a licensed pen-tester. It is good to see schools starting to offer these courses for defensive purposes.
The biggest defense from a hacker is being a hacker. That might sound tautological, but honestly it's the best way.
While many if not all of the students in this course are going to use this knowledge for good, the statement stands that they are still being taught how to be a hacker.
The government already views the veterans, retired and former soldiers with a suspicious eye because they were taught to kill. How much more so will they view college students who are being taught to, honestly speaking, be the most effective weapon against a corrupt government.
Nothing on the internet is sacred or safe.
To Mars or bust!
Indeed, I agree with you guys. Wouldn't it make sense to teach children these basic principles of what the internet opens up? Any computer geek child would love to do this, and in this process over time might become another great mind for us, or strive through school and help learn new ways to keep our information safe. It really doesn't sound like a bad idea if you think about it.
Take a knife for example: we ran around as little boys and fiddled and whittled, made things in the woods with them, cut things to see what they looked like inside. Just because we had the knife and knew what it did didn't mean we ran around and killed cats or cut people. I think it would be safe to say most children would use the principles of hacking to help keep themselves safe, and possibly others.
My cousin and I were really into computers when we were kids. We watched the growth from floppy disk to the internet being invented, and we self-taught how to mess with each other by learning how to "connect" into each other's computers at will in our teenage years. I could print something out on his printer from my house just to mess with him (for example, I printed a naked lady out from my house when I knew his mom was home), or he would make my CD drive open and close to mess with me. It was actually fun, innocent things between us, never any thought of using it to commit criminal acts.
I think this is a GREAT idea. Start it in middle school as a requirement with coding!
* I’m living the future so the present is my past *
Hacking is like a chess game but the winner gets more than the loser.
It's a good thing I'm learning this now rather than later.
* Remember the Past, look to the future, live in the present. wise people can say this with ease, youngster have to think about it. *