Students learn to 'think like a hacker' in UC Berkeley experimental course
Computer science students at the University of California, Berkeley, are gaining real-world experience in cybersecurity and ethical hacking this semester — and with real-world payoffs.

About 100 advanced computer science students are enrolled in an experimental “cyberwar” course led by Doug Tygar, a professor of computer science and information at Berkeley.

As part of the course, students have joined the community of so-called white hat hackers at HackerOne, a vulnerability coordination and bug bounty platform. HackerOne connects hackers — which number more than 140,000, CEO Mårten Mickos said — with tech companies, private businesses and federal agencies to hunt for vulnerabilities.

The program represents a first for HackerOne in working formally with a higher ed institution. A growing number of universities, however, are stepping up efforts to develop curricula around cybersecurity disciplines in the face of chronic shortages of trained cybersecurity professionals.

“So far, a large number of students seem to enjoy the course and be doing well in it,” Tygar told EdScoop. That includes juniors, seniors, graduate students and one “exceptionally talented” first-year undergraduate. “Unless students can learn to ‘think like a hacker,’ they will not be able to effectively defend systems.”

In a typical scenario, one of HackerOne’s customers — say, Uber, AirBnB or Twitter, or perhaps the U.S. Army or Department of Defense — will present an attack surface it wants tested, like a live website or application. From there, HackerOne calls on its hackers — which, as of this semester, include Berkeley students — and says, “time to hunt,” Mickos told EdScoop.

“And they will go and hunt for vulnerabilities in that defined attack surface,” he said. “When they find something — but only if they find something — they will report it through our system. The customer will then say, ‘Yeah, you’re right. This is valid.’ And then [the customer] will pay a bounty back to the hacker as a reward.”

These hackers are exceptionally valuable to the companies they’re examining, Mickos said. Since HackerOne was founded in 2015, its customers have fixed over 55,000 vulnerabilities. “And you know that even one can cause a data breach, like with Equifax,” he said.

If the hackers are good — meaning, if they find vulnerabilities — they can make a lot of money. That goes for the Berkeley students as well.

It’s not easy to find security vulnerabilities — and it’s not supposed to be, either — but with the right training and traits, anyone can be a hacker, Mickos said.

“If you are really curious and driven, you can become one of the best on your own,” he said. “If you know computer science very well, you have a great foundation in becoming one of the best. But you need both to be a superstar.”

About midway through the semester, just one student so far has earned a bounty. Mickos suspects they’ll soon see an uptick, and that maybe about 10 of the 100 students will earn a bounty by the end of the fall term.

That’s actually more optimistic than their standard success rate. Of HackerOne’s community of hackers, only 15,000 have ever found something to report, and only one-third of those have been rewarded a bounty for it, he said.

The Berkeley students are working individually and in teams. If a team finds a vulnerability and earns a bounty, it’s up to them to decide how to split the monetary reward, Tygar said.

Some of the targets they’re working on can be found on HackerOne’s directory, where names like Yahoo, Starbucks, Slack and Snapchat are at the top of the list. The most common bounties are $50, $100, $250 or $500, but some companies offer rewards as high as $2,500, according to the site.

The bulk of the course consists of students searching for vulnerabilities, but there’s also a lecture portion which teaches students how to conduct penetration testing, Tygar said.

“I wanted to give students real-world experience in finding security vulnerabilities,” he said. “That’s an absolute necessary requirement to be a successful security engineer. Security engineers need to know how to ‘think like a hacker’ in order to build effective defenses.”

HackerOne wanted to get involved — both by lending its platform and by sending guest lecturers to the class — because “cybersecurity has had far too little attention,” even in college-level computer science programs, Mickos said.

“So, it doesn’t matter whether these students become cybersecurity experts,” he said. “Everybody needs to learn a little bit about cybersecurity, and this is a great way to expose them to it. … It’s a fun, gamified way, and they’ll come out of it saying, ‘Yeah, of course, cybersecurity should be a part of everything we do.’”