Sometimes, heroes rock keyboards and college sweatshirts. Jack Cable got his start as a white-hat hacker when he accidentally discovered a vulnerability in a cryptocurrency website as a sophomore in high school.
In the years since, he’s hacked for good for big names such as Google, Facebook and the U.S. Department of Defense. Cable spoke to EdTech about Stanford’s bug bounty program and the evolving meaning of the word “hacker.”
What have you been working on at Stanford?
CABLE: I’ve been focusing on the theoretical side of computer science, as well as security. I’ve been doing some research in the area of network security, looking at cloud providers, and working with the new Stanford Internet Observatory, which tracks disinformation on social media.
EDTECH: Do you know what you’d like to do when you graduate?
CABLE: Two summers ago, I started working for the Defense Digital Service, the team that managed to hack the Pentagon in the first government bug bounty program. I’ve found government service to be something that I really enjoy. I’m interested in both exploring that and other areas to see what the best ways to improve security at scale are.
EDTECH: Universities guard incredibly sensitive and private data. From a hacker’s perspective, what can be done to protect that data?
CABLE: A good start is to engage the students at the university, and that’s what we’ve been doing at Stanford with the bug bounty program. And just through my own observations in working through that, looking at what leads to vulnerabilities in Stanford’s systems, one thing that stands out is a lot of education vendors are selling software to hundreds or thousands of schools but don’t necessarily have incentives to make their software secure. I’d say a considerable number of vulnerabilities that I’ve found through the bug bounty program have occurred not due to some misstep by the IT people, but due to an underlying vulnerability in the educational software or due to some misconfiguration because the vendor doesn’t make it easy to securely configure its software.
EDTECH: How would you suggest extending security best practices to the masses in higher ed?
CABLE: I think that it might get a little more interesting if you start thinking about how we can actually give people some baseline knowledge of how security works. For example, at Stanford, I was a teaching assistant for a class called Hack Lab that was taught last quarter. The class teaches practical hacking to students with no technical background. Most of the students in the class were not computer science students — many had never programmed in their life. But we were still able to teach them the actual techniques that would be used, say, if you were hacking into a system, and we did that in a very practical setting.
EDTECH: Are there any misperceptions about hackers that you wish you could correct?
CABLE: There’s always going to be an attitude to some extent that hackers are criminals. But I think the good news is that the definition of “hacker” is changing, and people are starting to see that hackers really are essential to protecting systems by providing feedback an organization would never be able to get internally. In order to secure your systems, you need to bring in an outside point of view. You can’t just do it yourself.
A good start is to engage the students at the university, and that’s what we’ve been doing at Stanford with the bug bounty program.
Founder of Stanford University's Bug Bounty Program
Learn How Schools and Universities Can Thwart Cyberattackers
EDTECH: You came into your degree program already established in the field of cybersecurity. How has that influenced your experience?
CABLE: It helped me to really know what I wanted to do and dive deeper into that, while getting a better background, understanding more of the fundamentals and how it all plays together, and it gave me a good opportunity to help out at Stanford as well. At the start of last year, we launched the Stanford Bug Bounty Program, one of the first for a university.
EDTECH: How can computer science studies be enhanced to help people better face cybersecurity challenges?
CABLE: I think the role of universities in this is to train everyone who’s studying computer science not only how to be a good software developer, but also how to write software that has security at its heart. For instance, at Stanford, there’s currently no requirement for students to take a security class. A baseline knowledge of security can go a long way in ensuring that the code they write when they’re out there in the world is secure.
Photography by Cody Pickens