Academics

Hacking It

SRA major Jonathan Shuffler uses his computer hacking skills to keep company networks safe. Credit: Penn State. Creative Commons

Jonathan Shuffler is a hacker. He can get into your computer system and find out all kinds of personal information. He can use that information to steal your identity, take your money, and ruin you. Shuffler can do that, but he won’t because he is what’s called an ethical or white hat hacker. In other words, he’s a good guy.

For as long as he can remember, the security and risk analysis major has loved computers: how they work, what they can be used for, and everything in between. “When I was a kid, I was always into computer shows and the bad guys and the good guys. I always looked up to the bad guys, in a way,” he chuckled. But Shuffler says his strong belief in leadership, honor and courage put him on the straight-and-narrow to use hacking for good. “I attempt to compromise an organization’s infrastructure to find vulnerabilities for the sole purpose of improving security. Unlike the bad guys, black hat hackers, who get into systems without permission to cause harm, I do it with permission to make the organization aware of security flaws.”

Most of Shuffler’s hacking skill is self-taught, something he started dabbling in as early as age 10. He has spent countless hours sitting at his computer then and now, hours full of trial and error, and, of course, a lot of failure before success. “I don’t think a lot of people get into this kind of thing unless they have the motivation to learn it. It's dry stuff most of the time. You're just doing things that may or may not work until you figure it out, but I have the drive and the desire to do it. I find it interesting.”

Shuffler came to Penn State Altoona with a lot of technical knowledge but says he was lacking in skills necessary to translate it all to a business level. The classes he takes at Penn State Altoona help him put together his know-how with theory so that he can give an analysis of risks or vulnerabilities companies might have.

When doing white hat hacking work, Shuffler’s first step is to gather information and identify potential threats to a system such as spyware and phishing, network attacks, or operating systems attacks. He can then report his findings with a full assessment. “I'm not just someone who tells you what's wrong with your business, I can give you an enumeration of what could happen if vulnerabilities aren’t patched. That's the biggest thing I've learned from my classes. I'm able to take information I've learned, and my reports, and present it all in a more business friendly way that communicates the bottom line, what these companies stand to lose.” Those reports can sometimes be 200-300 pages depending on the company’s server or what issues it might have.

Shuffler says breaches can happen to anyone and any business anywhere, citing the recent T Mobile and Ashley Madison dating website hacks. “It's just a matter of time before it will happen to a company. The best way to react to that is to be aware. The best way to be aware is to do it yourself, aggressively attacking with the idea of defending.”

Most of the time Shuffler is also able to fix network insecurities himself, which he feels is just one more thing that sets him apart from so many others in the field. “You have to have something unique about you that makes you better or gets you hired over everyone else. Something that makes you different.” He goes on to say that while the SRA degree is a general one, because he has trained himself very specifically in the white hat hacking area, he will have the edge to build a successful career. “You might go to interviews with thousands of people from the same degree, who might have a better GPA or might be involved in more campus activities and that may put them ahead of you. But if you're able to give potential employers a list of what you can do, your toolsets and modules and programs you actually have experience with, then you come out on top.”

Shuffler will graduate in the summer or fall of 2016. On top of earning his degree, he is also taking the Offensive Security Certified Professional course on his own. He will take the test in December, a 24-hour examination in which he must try to compromise a whole system that models networks found in the real world. This certification is highly regarded in the field, along with the Offensive Security Certified Expert credentials he can also obtain after he passes the OSCP. He will be able to work from just about anywhere and make a good living, although he says that, for him, it’s not about the money he can bring in.

“It's human nature to want to know things you don't. For me, it’s knowing someone or something better than they know themselves, finding out the information that typically you wouldn't have the ability to know or shouldn't know because of security standards," he said. "It’s unique, it's a thrill. It's like riding really fast in a car. Just knowing more, that's what it comes down to. I want to know more and use that for good.”

Last Updated October 26, 2015