Widgets Magazine
Different routes to hacking: self-teaching versus university
Some argue that self-taught hackers, rather than university-educated ones, are more adept at breaking into systems (RYAN COHEN/The Stanford Daily).

Different routes to hacking: self-teaching versus university

The cybersecurity space is constantly changing as hackers discover new vulnerabilities and methods for defending against such attacks. Creativity is highly prized in this space, and some argue that self-taught hackers are more adept at breaking into computer systems due to their nontraditional methods and inherent curiosity.

The Daily spoke with University professors, students and a cybersecurity startup to examine the value of different computer science (CS) educations in hacking and beyond.

University versus self-teaching

CS 155: Computer and Network Security is often one of the first classes on cybersecurity that students will take at Stanford. The class is highly project-based and teaches students how to both break into systems and learn to write defensible code.

Professor of Computer Science and Vice Provost for Teaching and Learning John Mitchell, who co-teaches CS 155, argues that the best type of CS education is a holistic one.

“The best case is to learn to have a big, broad view of the field you’re interested in,” he said. “Understand something about the history, trends and where the field’s going and where the future is. That’s the kind of perspective that you get at a university, especially a research university, where the faculty and graduate students are involved in inventing the future of the field.”

However, others argue that some hackers who have not received comprehensive university educations in computer science are still incredibly successful at breaking into systems.

Synack, a cybersecurity startup, vets and interacts with many self-taught hackers in addition to university-educated hackers. In its crowd-sourced “penetration testing” model, successful hackers are paid a bounty for vulnerabilities they find in a Synack client’s web applications, host and infrastructure, and mobile applications. Effectively, client companies pay Synack’s vetted crowd of hackers to purposefully break into their systems to understand their own vulnerabilities and strengthen the companies against future attacks.

Andrew Medearis, manager of community operations at Synack, noted that self-taught hackers often have an immense curiosity that drives them to become experts in their specific fields. They have a niche and deep understanding of hacking, he said, setting them apart from university-educated hackers.

“The formally educated CS majors with [information security] specialties have the same opportunity for curiosity; it can just be a slower pace due to the overwhelming amount of other topics that college presents them,” he said. “So if you’re going through a university education in CS, you’re picking up on developing code and learning the stacks and databases and the whole gambit, whereas with self-taught hacking, you can focus on SQLi [a type of attack] and manipulating specific databases without being distracted by wider trends of computer science in general.”

But Professor of Computer Science Dan Boneh, who co-teaches CS 155, argued that even though there is a set syllabus in computer science classes, his role in the class is simply to act as a guide for students. For example, his homework assignments are pointers to topics that he encourages his students to research further outside of class.

“Our world has changed quite a bit in that there’s so much information available on the web,” he said. “There are a lot of materials you can learn yourself. The issue is that most people don’t know what to learn — what’s important and what’s not important. I view my role as conveying information and conveying knowledge as a guide.”

Student perspective

Regardless of the type of education a hacker receives, an anonymous Stanford student claimed that what’s important is hands-on engagement.

While in high school, the anonymous source learned how to code by reading textbooks online and briefly engaged in a phishing campaign for fun, and he maintains that he did not use users’ collected information for malicious purposes. He also broke into his school district’s Wi-Fi to gain control of the entire network. The source now studies computer science at Stanford.

However, while the student appreciated what he learned from self-taught hacking, he also said he thinks that Stanford CS students can be equally successful in the same areas.

“If a Stanford student finishes the CS curriculum but does not invest the time in learning the newest vulnerabilities and attacks and the broad landscape, then they’re not going to be at the top of the hacking world,” the source said. “But they definitely have the foundations to do it.”

On campus, some CS groups gear themselves toward the security industry and aim to encourage public interest in the area.

The Stanford Cyber Initiative and the Applied Cybersecurity student group offer opportunities to pursue research and further studies in cybersecurity. Founded in 2015 with a grant from the Hewlett Foundation, the Initiative funds research across disciplines and supports the student group, which participates in competitions, brings in guest speakers and hosts workshops.

Brad Girardeau ’16 M.S. ’17, a member of the Applied Cybersecurity student group, led an introductory workshop on web security and hacking in February.

“We’re trying to build that community [of people interested in security],” he said. “There are certainly a lot of people who are interested in security — some are already doing it, and some are getting into it now — but it’s definitely a growing thing. It’s hard to get a feel for how big that really is on campus. Any sort of organized community is still in its infancy.”

Sarah Ortlip-Sommers contributed reporting to this article, as Anne-Marie Hwang is an intern at Synack, Inc.

Contact Anne-Marie Hwang at amhwang ‘at’ stanford.edu.