Hacking, cracking and the world of colored hats

How Watson is educating responsible hackers

Computer science students (left to right): David Demicco, Raymond Rolston and Anh Quach.

“There’s a negative connotation to the word ‘hacker’ and that’s somewhat misplaced,” says Kartik Gopalan, professor of computer science. “Hacking really means understanding how a computer system works and figuring out how to make it do new things, maybe things it wasn’t originally designed to do.”

“Hacking is only a tool; it’s not good or bad,” adds Emrah Akyol, assistant professor of electrical and computer engineering. “It all depends on who is hacking and for what purpose.”

Within the hacker community, there are three classifications of hackers.

Black, white and gray hats

“Crackers,” or black-hat hackers, deliberately and illegally break into computer systems or networks and exploit flaws for financial gain or political manipulation, to spread misinformation or to garner attention.

White-hat or ethical hackers break into systems to identify security flaws or bring attention to a cause. They are often employees of the organization being hacked or are hired to break in. White hats search for security holes so they can be fixed before anyone exploits them.

Gray-hat hackers break into systems deliberately and without permission, but without malicious intent. However, gray hats are still dangerous since they typically draw public attention to flaws, leaving vulnerabilities open to exploitation.

Gopalan believes hacking should have a positive, creative connotation. “In computer science/computer programming, hackers are people who take delight in making existing systems do new things that were thought not to be possible,” he says.

Educating future cybersecurity experts

Computer science students must learn threat modeling, a method of optimizing network security by identifying objectives and vulnerabilities and then defining defenses to prevent or mitigate the effects of system threats or attacks.

“The threat model indicates what the attackers’ capabilities are, and the defenders try to defend around those capabilities,” says Aravind Prakash, assistant professor of computer science. “The job of white-hat hackers is to probe the system in different ways within the parameters of the threat model to try and break the system so we can secure it more effectively.”

That’s no easy task, Prakash says. “The deck is heavily stacked against defenders. They have to defend against all possible attacks, but attackers only need to find a single point of weakness,” he says.

In this case, it helps to think like a black hat. “We try to think what an attacker might do,” Prakash says. “That helps us design better solutions that will hopefully protect against black-hat hackers.”

While Prakash is teaching students to think like white- and black-hat hackers, Akyol is developing strategies for attackers and defenders of cyber-physical systems using mathematical game theory. He explains that cyber-physical attacks are cyberattacks that affect physical systems (such as industrial, transportation or power transmission systems), posing serious threats.

Akyol’s research group (comprising a postdoctoral scholar and a PhD student) is studying the spread of (mis)information over social networks, such as the Russian interference in the 2016 U.S. presidential election, and he is part of a team investigating hacking into drone communications and control.

Coders and codes of ethics

All Watson undergraduate computer science students must take “Ethical, Global and Social Issues in Computing,” taught by George Weinschenk, lecturer, who believes his background in painting, English, philosophy and comparative literature gives him a unique perspective.

“I bring a lot of context, and I think context is what the students need to remind them they’re human beings in a partly automated workplace,” he says. “I feel it’s important to get them familiar with themselves and their context within communities, those being the teams they’re a part of, the classroom, the department and the [computer science] field.”

Weinschenk’s students are exposed to a variety of materials, including professional codes of ethics, Google’s Code of Ethics, the hacker ethic and even a moral-alignment matrix from Dungeons & Dragons.

David Demicco, a senior computer science major, believes Watson effectively presents the need for ethical responsibility to students. “Before students leave the program, they will have been exposed to both the reasons they need to be responsible and what that responsibility entails,” he says.

Weinschenk acknowledges, however, that it can be difficult for some students to ignore the lure of cracking and the dark web.

“In every class, there are at least one or two students who say, ‘I’m looking at the dark stuff and trying to figure it out,’” Weinschenk says. “And I try to bring them into a society of other people. I try to tell them, ‘You don’t have to be isolated and be prey to whatever you find on the internet.’ … I try to get them on the same page and then move on to the professional codes [of ethics] to talk about what is sustainable in the workplace and in their lives.”

A philosopher at heart, Weinschenk stresses the idea that we’re all connected and responsible to each other. “We are each other’s keepers,” he says. “Waking students up to a feeling of mutual respect and an obligation to each other takes a lot of doing in our world, but it’s a task I enjoy. It’s why I do this.”