On a white board, someone has scrawled out an intricate sequence of numbers and a flowchart. Students are tapping away on laptops and working through lines of code with the inspired intensity of artists.
Nasir Memon is the lab director of the Information Systems and Internet Security laboratory in the Polytechnic Institute of New York University, but he’s conceded free rein of the place to his students. “We provide them a lab and they do whatever they want," he said. "I say, ‘Don’t expect to learn anything from me.’”
So lots of students stay past midnight at the 24-hour lab to work and play. “What the outside world does in technology, we want to be five years ahead of them,” said graduate student Jeyavijayan Rajendran, who studies hardware design insecurities amongst other things. “That drives us crazy.”
In this nondescript space, a little deviant magic is happening. “I met someone who had the sparkle in his eye,” said Memon, “He said, ‘I just like to break things, I just want to find a place where I can poke it and bring it down.’”
The center of gravity
As a breeding ground for information security professionals, this Brooklyn lab has always historically been inhabited by those interested in how systems can be bent in ways not conceived by their original designers. And it’s ended up being a center of gravity for New York City’s hacker culture, said Dino Dai Zovi.
The Park Slope-based Dai Zovi, known within the hacker community for his exploits of MacBooks, was roped into teaching pen testing – the simulation of hacker attacks - at NYU-Poly a couple of years ago. Pen testers are paid to exploit vulnerabilities in companies’ IT systems so that they can be patched and secured.
In the early 90s, NYU-Poly churned out followers of the secretive, underground hacker subculture group, the Masters of Deception. MOD comprised rebellious teenagers interested in phone phreaking and controlling the emerging Internet. “It was an amateur hacker group, kind of illegal and lots of them went to Poly,” said Dai Zovi.
The MOD kids grew up, and the hacker subculture quieted down for a while. Then Massachusetts-based @stake, one of the early security companies that provided offensive tech expertise, came to town and opened a New York office in the early 2000s. “They would do things that were incredibly radical," said Dai Zovi, who worked at @stake as a consultant. "They would find vulnerabilities at corporations and publish them.
“We’d do a lot of fuzzing – basically sending a lot of malformed requests to a server – till it crashed. I heard people say, ‘it’s not a New York pen test if stuff doesn’t crash,’” Dai Zovi added, beaming. “Let’s just say that the New York office was a little more rambunctious.”
When anti-viral company Symantec bought @stake in 2004, disgruntled employees that were unhappy with a new corporate culture left and formed their own firms, contributing to a flowering info security industry in New York.
When Dan Guido, a security analyst at the boutique security firm iSEC Partners, was brought on board to NYU-Poly to coordinate a pen testing course, he brought friends in the hacker crowd to teach the class with him, reinstating NYU-Poly as a meeting point for security crowd.
When Dai Zovi referred to Guido as a “Defense Against the Dark Arts Professor Snape of sorts,” when they met up at The General Greene in Fort Greene for brunch, both chuckled over their coffee and eggs.
“Here’s a security community centered around New York and it’s lopsided towards Brooklyn now because a large number of us have decided to live in Brooklyn,” said Guido, who resides in Brooklyn Heights.
Both had just survived a Friday night of barhopping while trying to impress an Australian security analyst and get him to move to New York.
“We have an interest in making New York one of the most interesting security scenes in the world,” said Guido. “And we are slowly attracting people one by one - from San Francisco to Iceland.”
While pen testing requires its practitioners to think like cyber attackers, both feel uncomfortable about being called hackers. “I never thought I deserved it,” said Guido. “The hacking community is a brutal technical meritocracy. We all think that we’ve never done enough, we’ve never given back enough.”
“If you call yourself a hacker, you better make sure there are no real hackers around you,” said Dai Zovi, “because if they hear you, they’ll just knock you down flat, break into your machines and post all your private photos on the Internet and say, ‘really, you think you’re hot shit?’”
Dai Zovi got swept into hacking while tinkering with his dad’s Commodore 64 as a kid in the 90s. He browsed through underground bulletins and hacking manuals before “understanding how things work at such a deep level so I could just bend it to my will.”
Guido remembers feeling misunderstood as a kid growing up. After reporting vulnerabilities in his high school's IT systems to administrators, “they hated me for this anyway and I was banned from using any computers in the school for most of my junior and the rest of my senior year,” he said.
But when he took part in a hacking competition organized by NYU-Poly, Guido began to see security as a way of life. Guido, unlike Dai Zovi, described himself as a product of a university education.
The cyber challenges hosted by NYU-Poly provides controlled set-ups in which young people can be net ninjas without having to be afraid of being criminals.
An opportunity for participants to show off their chops, it’s also a chance for industry and government agencies to woo future cyber sleuths. The corporate and government presence at these events reveal a growing recognition that hacking skills are an asset, and when managed carefully, can be channeled into valuable defense in the threat landscape.
At the end of July, the US Cyber Challenge, a group affiliated with the nonprofit Center for Internet Security, held a Capture The Flag competition at NYU-Poly, requiring players to exploit vulnerabilities in a computer lab set-up.
This October, NYU-Poly will hold a cybersecurity awareness week where students are flown in from across the country to compete in various information security competitions.
NYU-Poly student Julian Cohen, 19, who is helping to design this year’s Capture The Flag competition, said he wants to create puzzles with sophisticated solutions with simplicity at their core. He learned how systems worked on his own and found his playgroup in like-minded friends who gathered on IRC.
When prompted by a NYU-Poly spokesperson on why he considered what he did important, he paused for a while, chose his words carefully, and then framed his answer with an ironic smile, “It's important to understand how things work, so that when we can break them, we can fix them.”
He’s savvy, if not a little cagey. When asked how he identifies himself, he said, “I wouldn’t tell people on the street, ‘I’m a hacker,’ I’d tell them, ‘I do computer security.’”