The Hackers and Me: How to Study Hacking?
Marco Squarcina talks about the hardships and rewards of getting to the roots of codes and programs, and what hackers do at TU Wien.
How did you become a hacker?
Marco Squarcina: My story is quite different from other people who got into hacking. For me, computers were just a way to make electronic music. I wasn’t particularly interested in video games either. Then, in my last year of high school, I installed my first Linux-based operating system. That changed the way I used to see computers. At the time, using Linux as your primary system was a bit of a mess. Things were not running smoothly, and fixing bugs required a significant understanding of low-level details of the operating system. Although I probably spent more time keeping my system together than doing something with the installed applications, the whole process was broadening my horizon, and I started appreciating a side of computers that I couldn’t catch before.
When I joined the university, I became interested in what most people consider the “boring part” of security: protecting a system instead of exploiting it. Soon I realized that I only had a partial knowledge of defenses because I was lacking in the offensive part. So, I started to explore how to break a system rather than fix it – all this to better understand the protection techniques. […]
Around that time, I think it was 2009, I created an academic CTF team (CTF is short for “Capture the Flag”) with some friends and the computer security professor at my former university in Venice. In a nutshell, CTFs are hacking competitions where teams get points by identifying, attacking, and fixing vulnerabilities in computer programs. The event organizers create these custom programs and introduce vulnerabilities that simulate realistic flaws of cryptographic protocols, applications, websites, etc. Clearly, these competitions are perfectly legal since they take place in a confined network and do not involve attacking real systems.
CTF after CTF, my team started becoming quite successful. That gave us the opportunity to travel to several countries and participate in top hacking competitions. More recently, in 2017, we founded a team that goes under the name of “mhackeroni”… the name was my idea, and I think it’s the best possible name for an Italian hacking team [laughs]. We also participated in DEF CON CTF – the “Olympics” of hacking – in Las Vegas for the last 4 years, which affirmed mhackeroni as one of the best teams worldwide. We also have an excellent team at TU Wien in collaboration with SBA Research called “We_0wn_Y0u”. It’s one of the oldest groups still around (founded back in 2004), and it’s an honor for me to be one of the current coordinators.
Who can participate in hacking competitions at TU Wien and when is the next event?
Marco Squarcina: We are always looking for motivated people to join the team! There are no requirements for that aside from being motivated and committed. Everything else can be learned and practiced together as a group. Unfortunately, some students wrongly assume they’re not good enough to participate in these activities, losing this opportunity. International competitions can indeed be tough and frustrating, especially at the beginning, but playing with the support of a team makes the learning process much easier and also fun! I encourage everyone who’s interested in giving it a try, especially women and people of other genders who are still underrepresented in the CTF community.
We participate in international competitions every month, and the next big event is DEF CON CTF qualifications at the end of May. Anyone interested in knowing more about the team and participating can email me, and I will be glad to help!
Hacking competitions also play a central role in teaching activities at TU Wien. We created a virtual lab to provide hands-on experience to our students as part of the security lectures coordinated by our group:
- Introduction to Security (VU, 184.783), bachelor
- Introduction to Security (UE, 192.082), bachelor
- Systems and Applications Security (VU, 192.112), master
- Attacks and Defenses in Computer Security (UE, 192.111)
- Grundkonzepte der Security und Privacy (VU, 191.124)
The virtual-lab offers a gamified learning experience to the participants and provides a safe, legal, and remotely accessible environment in which the concepts that we teach are put into practice. For the largest part of our students, this is the first contact they have with applied IT security topics and their feedback about our activities is always positive!
Do you think that students also keep hacking at home?
Marco Squarcina: I hope they do, but ethically and without risking legal consequences. What we teach can be easily translated into the real world, that’s why we always stress the ethical factor in our lectures. For instance, access to our virtual labs is granted only to students who submit a declaration of responsible usage of the abilities learned during the courses. And when my students accidentally discover a vulnerability in public applications or websites, I always support them in the disclosure process.
Why does TU Wien Informatics teach these hacking-related topics? In what way do students profit from it?
Marco Squarcina: IT security is a field where job offers are in great demand. Multiple reports identified millions of unfulfilled positions worldwide caused by a shortage of qualified cybersecurity professionals (this is usually called the “cybersecurity skills gap”). Hands-on activities like CTFs have a long track record of being one of the best ways to bootstrap a brilliant career in cybersecurity. There are several reasons that can explain why: the synthetic problems found in CTFs are usually hard, sometimes even harder than those found in real systems. Participants are challenged with systems they’ve never seen before, forcing them to be flexible and quick. Furthermore, soft skills like communicating and working as a team are fundamental to being competitive. Overall, it’s a combination of acquiring skills and a mindset that stimulates thinking out of the box to approach new problems creatively.
I remember being confronted years ago with prejudices about hacking like “Why do you teach students how to break systems”, “this is not ethical”, etc. Luckily, now people realize that you can’t foster the next generations of professionals by showing only one side of the story. Learning how to attack a system is required to understand how to protect it and possibly design better defenses. Take padlocks as an example: their design improved as more tools and tricks were developed to break them. Suppose you want to create padlocks that are better than existing ones. In that case, you need to know everything about existing models and all possible ways those models can be unintentionally opened.
Thank you for the interview!
About Marco Squarcina
Marco Squarcina is a PostDoc Researcher at the Security and Privacy Research Unit at TU Wien Informatics, which he joined at the end of 2018 after receiving his Ph.D. in Computer Science at Ca’ Foscari University of Venice. His research interests mainly focus on web security, and his results are regularly published in top-tier security venues.
As a long-standing participant in international hacking competitions, he collaborates with the European Union Agency for Cybersecurity (ENISA) to provide advanced training for young talents. Marco is currently teaching several security-related courses at TU Wien. He is also among the coordinators of the local academic hacking team We_Own_You:~$.
About “The Hackers and Me”
Already published in the series „The hackers and me”:
- Hacking and Politics. Interview with Marco Squarcina
- Messaging Services. Interview with Martina Lindorfer
- The Password. Interview with Marco Squarcina (in German)
- Scamming. Interview with Matteo Maffei (in German)
- Phishing. Interview with Matteo Maffei (in German)