Imagine a world where security guards learn to be robbers first. The guards take a class where they don black masks and smash through a glass case to appropriate jewels, or stick-up a bank and zip away.
Once they’ve demonstrated their mastery of the challenges, and signed contracts vowing to never use their skills for evil, the guards graduate. If they choose, they can seek Ethical Bank Robbing certificates, or can hop right in to a career in security.
That’s essentially how many young hackers (the friendly kind) are trained today. The first step for students, before moving into a government or Big Business job where they work to prevent hacks, is to learn the darker side of the trade: exploiting loopholes, thieving from servers, cracking passwords–and not just learning those techniques but actually performing them, in a classroom set up especially for the experience.
The resulting classes–which have been cropping up at universities across the country for years now–are the closest thing around to official, sanctioned training grounds for hackers. With the Department of Defense and private industries looking to protect their secrets, the job’s only getting more important.
* * *
Pinning down when the first hacking class was taught, or even getting a count of them, is tough. For one thing, they go by different names: there are classes for “ethical hacking,” “penetration testing,” “topics in security,” and more.
One reason for that fragmentation might be that it’s not always easy to start teaching one of these classes. Sam Bowne, a professor of ethical hacking at City College of San Francisco, encountered concerns at first with teaching students about what’s essentially criminal behavior in a free zone. Eventually, he told the administration that if any students strayed to the dark side, the university could “fire me and that would be the end of the class.”
The students in that first class, and Bowne’s subsequent classes, didn’t use their powers for evil, at least as far as we know. “It’s possible that some of them are smart enough to be master criminals and smart enough to fool me, but I kind of doubt it.” He adds: “Really my students are not as dangerous as I wish they were.”
Although it’s hard to find a case where a student in an ethical hacking class was caught up in a hacking scandal, other, similar classes have invoked ire. George Ledin, a professor at Sonoma State University, found himself in some controversy for teaching students how to create malware–the viruses that latch on to computers and surreptitiously steal information. Some anti-virus companies threatened to blacklist any of Ledin’s students from being hired. In some ways, what’s taught in ethical hacking classes is comparable to Ledin’s class, although more accepted in academics than making malware.
Most of the ethical hacking classes share similar methods: a professor sets up a secure server, and only allows students to access it from computers in a designated lab. Those computers are connected to each other, but not to the internet at large. That turns them into the digital equivalent of dissection frogs–real-world learning tools placed in a not-quite-real-world setting. Professors can program the server with common vulnerabilities, and the students, as they learn the tricks of the trade, can hack inside using the skills they learn in the classroom. The names of those skills are esoteric–SQL injection, buffer overflow vulnerabilities, session hijacking–but can be broadly understood as people attempting to break in somewhere they wouldn’t normally be wanted.
At John Black’s class at the University of Colorado, Boulder, for instance, Black structures the class like a game: students work through a series of “levels,” where, after they reach a goal by hacking past defenses, they earn access to the next level. The students, meanwhile, can see what level the other students are on as they go.
Students learn the tricks they need to break past a system’s defenses, but not when to use which tricks. In other words, they get the keys, not the locks. “We won’t tell them exactly how to do it–they have to go and figure it out,” Black says. A student might, for example, use programs to broadly search for vulnerabilities in a computer. Once they find the weak point, they dig in with the relevant tool.
Students get the keys, not the locks.That think-fast concept is taken one step further by Giovanni Vigna, whose Advanced Topics in Security class at the University of California, Santa Barbara inspired Black’s. There the learning process is similar, but the class is also a proving ground for what’s ultimately a test: iCTF, or International Capture The Flag, a competition where hackers across the world compete in a head-to-head, real-time hack-off. Each team–there were 80 teams of about a dozen at this year’s competition–keeps a bit of code hidden on their computers, and every other team attempts to spirit away the other teams’ code, while simultaneously defending their own. To do that, they need to know the ins and outs of both offensive and defensive hacking strategies. After spending weeks learning to “think about the stuff that the guy didn’t think about,” as Vigna describes it, they go in for competing against actual hackers.
“Usually they get annihilated, sometimes they do okay,” Vigna says.
It’s easy, of course, to learn this sort of thing on your own. Sites like hackthissite.org let users learn the hacking process, too. That’s not so difficult. “You can be a 14-year-old child and clever and hack into these big, important companies,” Bowne says. What matters, he says, are the skills to understand those hackers, then lock them out. But to do that, you have to understand how they think.
* * *
Graduating with honors from these classes is one thing, but finding a job afterward is another. Students can take an unrelated class and receive certificates, like Certified Ethical Hacker. Some hirers (like the Department of Defense) require one or more of these certificates, but their merit’s debatable. “They’re good checklists, but I think that a good security expert is somebody who’s been in the field and has experience,” Vigna says.
What hacker classes do is give some formality to the process. There are standardized tests in classes (usually), and at least employers have some guarantee their potential hire is on the up-and-up.
As for students straight out of school? Well, they can tell recruiters in an interview that they’ve taken a class and learned X, Y, and Z. But some extracurricular activities couldn’t hurt.
Skylar Sokol was a student in Black’s class. He was looking for a career in the industry, and started a hacking club at the university. The team competed in a 10-team, live competition, as part of the National Collegiate Cyber Defense Competition. They took second. Then, something else happened. “One of the people from the company I got hired at ended up coming into our room and giving me a business card,” he says.
Sounds a little closer to baseball scouting than corporate recruiting, maybe, but that’s not without precedent: the NSA has even gone trolling at hacker conferences to pick up talent.
“I see this as the next generation of locksmiths,” Vigna says. Just, you know, the kind of locksmiths that went to lock-picking school first.