Wearing The White Hat — Hackers Seek Certification To ‘Go Legit’
The sound of rapid typing fills a dark apartment, illuminated only by a dim computer monitor. Elliot Alderson gazes at a command prompt on his screen with strings of code consuming all of his attention. His goal is shutting down one of the biggest conglomerates in the world as he hacks his way into Evil Corp, relieving the common people of debt. This scene appears frequently on the award-winning television series, Mr. Robot, and is the most recent media portrayal of a contemporary hacker.
Around the holiday season of 2013, Target experienced a data breach that resulted in the theft of the personal and credit and debit card information of forty million customers. The credit information of these holiday shoppers was then sold on the black market, for a net income of $53 million.
That is the dark side of hacking — people using their coding skills for malicious reasons. But that’s not all there is to hacking. Ethical, or white-hat, hacking refers to hackers using their skills to discover and fix vulnerabilities in a corporation’s computer system to keep malicious hackers from getting in.
“Well it’s the same thing as unethical hacking except you have permission from the target,” says Sam Bowne, a professor in the Computer Networking and Information Systems (CNIS) Department at City College of San Francisco. “So you attack a computer system, or a person or building, and you use the same techniques as criminals use. They know you’re doing it, they have approved it, and are using it as a security test.”
In such a technologically reliant era, being hacked is a big concern, especially with an open supply of information online as more services are offered digitally. The need for ethical hackers or “security specialists” to check corporate systems will continue to grow as the world becomes more digitally inclined.
“Cyber attacks and their sophistication are growing exponentially, while the cyber workforce is striving to strengthen and sustain the talent needed to protect, detect, defend, and respond to these attacks,” Marie Baker, senior engineer at the Software Engineering Institute, writes in her paper, “Striving for Effective Cyber Workforce Development.” “Effective cyber workforce development — increasing the number of qualified professionals in the field and having the right tools to advance their prowess in information security operations — is challenging.”
Many online and onsite programs have been created to meet the growing need for skilled hackers. There are even school clubs, such as San Francisco State University’s Hacking Club, available for those interested in learning more about the skills needed to be a white-hat hacker.
City College of San Francisco is one of the educational institutions that offer courses and certificates in cyber security and in-network defense, both of which require students to take an ethical hacking course. In the program, students are given challenges that give them experience defending and attacking systems in a controlled environment.
“Most of the programs are good, and it’s necessary,” Bowne says. “I mean the colleges have not kept up, so the industries have taken over the whole thing. Many of the people don’t learn anything in school that’s relevant to this stuff at all. They do it all on their own.”
Another program, HackReactor — a coding boot camp in San Francisco — doesn’t actually teach students how to hack, but teaches the skills that hackers need to know. Around their office, students can be seen sitting around at computer monitors working closely with the people around them. This relaxed atmosphere allows the students to work with their peers and resembles a professional workplace environment.
“We teach a bit of security, we do a very minor amount in cryptography, we talk about things like hashing passwords, salty passwords, things like that,” says Joshua Wyatt, the lead curriculum engineer at HackReactor.
Network defense courses are the norm for most coding and software engineering classes. At SF State, there is Computer Science 650: Secure Networked Systems, a class that teaches students how to create and operate a secure network. Security plays a key role for networks and applications. Students at HackReactor acknowledge this, and they even attempted to create an application to find weaknesses in their network.
“A couple cycles ago there was a senior project that came out of here where people were trying to build a vulnerability tester,” Wyatt says. “You do see it from time to time, but for example in ethical hacking, there’s much IT [information technology] understanding you need to know … We teach them all sorts of things.”
While there are programs, clubs, and classes that teach hacking, most four-year universities don’t offer actual security or hacking programs. Students like Shane Cota, a computer science major at SF State, have to learn about hacking on their own or explore different avenues, such as going to another school or program.
“I’d like to go back to City College once I graduate,” Cota says. “Start taking Sam’s classes. Sam himself told me that the certificate itself is worthless, but it still shows that you did a curriculum.”
Though there is a need and programs are available to learn more about hacking, there are still those who are skeptical about teaching such skills. The article, “The Ethics of Hacking: Should It Be Taught?” published by Software Quality Professional, found that people are against teaching students how to hack because it’s not guaranteed that the students won’t use those skills for malevolent purposes.
There are also those who are skeptical about hacking, and hackers in general, due to the actions of unethical hackers. According to a paper written by Professor Gabriella Coleman, a McGill University anthropologist who focuses on hacker culture, the word hacker often has a negative connotation. In the news and in the media, most of the time when one hears or reads about hackers, it is due to them doing something illegal.
“One of the things I want to do is physical security, which is just a nice way to say lock picking, and that has a connotation right there,” says Cota. “So I do my best to spin it, you know call it ethical hacking, physical security, blah, blah, blah. But we’re sitting around picking locks. That can be misconstrued as something negative. It really isn’t, but it can be.”