2023–24 Projects:
Advisor: Jeff Ondich
Term: Winter
One of my favorite movies is Sneakers (1992), an action romp about a ragtag band of loveable misfit hackers-for-hire. It's implausible, it's dated, and it's jam-packed with all the stupid computer hacker tropes you have ever seen. But if you ask me "Hey Jeff, wanna stop working and watch Sneakers instead?", I'll say yes.
One of the few believable things about this movie is how they make their money. The aforementioned misfits, led by the ever-debonair Robert Redford, get hired by a business to try to break the business's security, and if they're successful, the business can fix the holes they found in its systems and practices before someone less friendly finds them. This kind of contract, a "break into my systems so the evil-doers won't be able to" sort of affair, is called penetration testing (more commonly known as pentesting or ethical hacking; the closely related term red-teaming usually means a longer, stealthier engagement that emulates a real adversary rather than just cataloging vulnerabilities), and in 2023, it's a big business in its own right.
Testing computer systems for vulnerabilities is a big deal. If you follow information security news for just a few weeks, you'll see stories of attacks on hospitals, energy infrastructure, whole national governments, and much more. People get hurt by cyberattacks.
Securing information systems is easier said than done. Pentesting is an essential tool if we hope to create and maintain secure systems.
If you want to become a pentester, you need all sorts of knowledge. Some of it you can get just by being a CS major at Carleton. But there are also specialized skills that require a lot of practice, many of which we don't teach (much) in our curriculum. One very common way to acquire these skills is to practice breaking into vulnerable computer systems designed specifically for educating pentesters. Many companies offer these hackable "boxes"—Hack the Box, Over the Wire, Immersive Labs, etc.
For this comps project, you will create your own vulnerable computer systems and corresponding learning modules intended to help challenge and educate ethical hackers. In the process, you will learn many hacking techniques and get yourself well on your way to being able to pursue one of the several ethical hacking certification exams.
This project has no mandatory prerequisites. That said, you can get a lot farther in this project if you already know something about computer security. One way to acquire relevant knowledge is to take CS338 Computer Security, which will be offered during Fall 2023. If you want to be on this comps team, I encourage you to list CS338 as your top choice for the fall Match if you don't have another CS requirement you need to put at the top of your list. I expect that there will be a few students in this comps project who have not taken CS338, and we will make that work.