Good hack, bad hack: A cybersecurity camp teaches the ethics of hacking
Cybersecurity is a serious issue these days as hackers intrude into almost every part of our lives. That’s led to a growing demand for “white hats” or good hackers who can defend us. But changes in the law have made some activities illegal and that’s making it harder to hire.
ESET’s CyberSecurity Bootcamp is aiming to change that. The IT security firm put on the camp for Westview High’s Cybersecurity Team in San Diego. Vineel Adusumilli graduated from the school and is headed to MIT.
“There are nine computers in here and there’s another giant tower here called ‘The Sinister Purveyor of Doom,’ which we’re supposed to hack as part of our training,” Adusumilli said.
The Sinister Purveyor of Doom mimics a company server. The high school students get points for cracking passwords, accessing files and for causing mayhem like launching an attack that locks out users. Cameron Camp is a security researcher at ESET and he’s defending the system. His job isn’t to teach these kids how to hack into systems; they’re already pretty good at that. Instead, Camp is there to teach them how to hack ethically.
“You’ve got two ways you can go, you can go work for the good guys, good pay, travel to interesting countries, never have to look over your shoulder,” Camp told the high school students. “If you go to the dark side, you’re going to go to jail.”
The word hacker has become shorthand for cybercriminal. But hacker used to describe people who found a clever, creative -- and often unconventional -- way to create things. Black hats deface websites and steal credit card numbers or corporate secrets. White hats use their power for good.
Camp focuses on the gray, middle ground that lots of hackers wander into.
“It’s the people who say that I can’t do this so I’m going to show them that nothing is impenetrable,” said Griffin Stamp, who’s going to be a junior at Westview High.
Sitting across from him is Dennis Aleynikov, who just graduated and is headed to San Francisco to work at a start-up. Dennis is looking up a program called “Cookie Hijacker.”
“It scans the air for anybody accessing any kind of Facebook, Gmail, whatnot, you can log in as them, done,” Dennis said.
“So you can just sign in as me?” I ask.
“Yup,” he said.
Testing the limits and breaking things is engineering 101. To build systems, you also need to know how to take them apart, said Stephen Cobb, ESET’s Security Evangelist.
“You look at Steve Jobs and Steve Wozniak, who started Apple, and they made equipment to bypass charges on telephones,” Cobb said.
But these days the stakes are a lot higher as almost everything we do is stored online. And a lot of activities that were once tolerated are now crimes.
“A lot of the early hacking was breaking into university systems. These were young people exploring the technology and learning by exploring,” Cobb said.
Universities traditionally looked the other way, but in recent years the federal government hasn’t, said Jennifer Granick, director of Civil Liberties at Stanford Law School’s “Center for Internet and Society.”
“There’s more interest on the part of prosecutors for bringing cases and the laws have actually changed to become more broad and the sentences are greater,” said Granick. As a result, unsuspecting techies are getting caught up in the dragnet. Law enforcement officials have gone after hackers who publicly disclosed flaws in computer networks, and Internet activists who hack to promote the free flow of information.
Gordon Romney is a professor at National University in San Diego and he says IT security firms often rely on government contracts, which require security clearances.
“That creates a real dilemma for us because some of the best minds are those individuals, who sometimes not knowing what they’re doing or just for the thrill of it, pursued things that led them to getting caught,” Romney said. He adds that something will have to be done to “distinguish between exploratory type of activity that are on the gray side of ethical behavior.”
Back at the boot camp, the students appear to get it. They figured out how to access everybody’s grade from the school’s website. But instead of making the grades public, they informed some very grateful school district officials. Now, that is a white hat.