Student hackers are a blessing and a curse to schools

Computer hacker Billy Hoffman is a star student and a troublemaker, the kind of scholar universities hate to love.

The most talented computer engineering students are also often the most curious. They want to explore new ways to find and use information, and that often involves breaking the law. Higher-education institutions want to encourage and keep the most talented students, but they often have to discipline them for being too curious.

“A lot of times people will do hacking or exploring at school,” said Hoffman, a 22-year-old student at Georgia Tech. “Colleges are pretty tolerant at the professorial level. They understand learning these processes is important. … The only way you can build stuff tomorrow is to learn about it today.”

Still, Hoffman did get into trouble when he hacked into a campus debit card system using a knife and a laptop. The debit card system is used at Georgia Tech and 223 other colleges to handle purchases of everything from textbooks to 10 minutes on dorm dryers.

Hoffman published information about the card readers on a web site, telling students how to trick the cards into giving out free soft drinks, tickets to sporting events, or anything else the school sells.

That angered card-maker Blackboard Inc., which in April got a judge to bar Hoffman from talking about flaws in the cards. He had been scheduled to give a speech at a hacking convention. (See: “Judge: Student can’t discuss potential flaws in school transaction system”

The university was caught between the company and its student, who had clearly violated the school’s computer-use rules. Hoffman consented to sign a paper saying he wouldn’t break computer rules again, but wasn’t punished further.

“We don’t want to believe our co-workers and fellow students are a threat to our own environment,” said Patrick Gray, director of Atlanta-based Internet Security Systems’ research and design branch. “It’s much easier to take something when you have access.”

Over the last three years, hackers have increasingly used university computers to launch some of the most visible Internet attacks against web sites including Yahoo, eBay, Amazon, and CNN.

These attacks often originate with students who can easily plant hidden programs on powerful and public university computers. Then the software can be activated from a remote location to simultaneously overwhelm web sites.

Universities say they want to foster an environment where students have the resources they need to become computer experts. Dorm rooms come with fast connections, and classrooms have secure independent networks cut off from the outside internet—ideal for simulated hacking that can’t hurt anyone.

But at the same time, they don’t want students using the technology for excessive music or movie sharing, or to deface a government web page for the fun of it.

Most students stay within the rules because they know it’s important to their future, said Richard DeMillo, dean of the Georgia Tech college of computing.

“They want to get jobs. We send our students to companies and government agencies that really depend on having that level of expertise,” he said.

At Massachusetts Institute of Technology, the school encourages an environment that looks down on hacking, said Jeff Schiller, network manager and security architect.

“A lot of our students, if they wanted to do harm, they’re quite knowledgeable and would know what to do,” he said. “Breaking into a computer, that’s pedestrian. Anyone can do it. In the culture we have here, you don’t gain stature from doing that.”

There’s no way to ensure students will use their knowledge responsibly, Gray said. Often, universities and businesses only have themselves to blame for not protecting themselves.

Part of the difficulty is that students want access to all the information they can get their hands on, while authorities try to restrict that kind of freedom, said Pete Wellborn, Hoffman’s attorney.

“We don’t want to move so far toward an Orwellian state of intellectual property that it becomes illegal to take things apart and see what makes them tick,” Wellborn said. “There has to be a happy medium.”

By far the most common way students misuse university resources is by downloading music, said Richard Fagen, director of information technology services at the California Institute of Technology.

When the Recording Industry Association of America notifies Caltech of a student illegally sharing music, the school tells the student to remove the copyrighted material from the system, Fagen said.

“In every case I know of, that has worked,” he said. “In this day and age, most people in this age group know what’s right and wrong. They could probably figure it out that it’s not smart.”

The best way to turn potential internet vandals into legitimate computer geniuses is through continued education, said Andrew Robinson, president of the Internet Security Foundation, a nonprofit organization based in Portland, Maine, whose mission is to raise awareness of information security issues.

When students have proper resources and guidance, they’re much more likely to use their knowledge constructively, he said. Like martial arts classes, education and training help pupils understand how to use their talents.

“This group already has all the skills they need to be malefactors if they want, with or without us,” said Robinson, who runs a class for teenagers that teaches information security and professional ethics. “Yes, they’re learning things that can be used for evil, or the dark side, but the focus of the course is how to use them for good.”


Internet Security Foundation

Internet Security Systems

Hoffman’s site

Want to share a great resource? Let us know at