Teaching the world to hack (for good)
Jackie LeFevers (left), associate director of research operations for Arizona State University’s Center for Cybersecurity and Trusted Foundations, and Adam Doupé (far right), center director and an associate professor of computer science and engineering, chat with Tim Robinson, managing director of the ACTION AI Institute at the University of California, Santa Barbara, during DEF CON 33 in Las Vegas. LeFevers and Doupé were part of an ASU team that organized the first-ever DEF CON Academy, a training area designed to give new conference attendees an entry point into engagement with cybersecurity. Photo by Kelly deVos/ASU
Las Vegas in August is hot, loud and buzzing with neon. But inside the cavernous halls of a convention center, the real electricity came from laptops, not slot machines. This year, once again, more than 30,000 hackers, engineers and cyber-sleuths gathered for DEF CON 33, the world’s biggest hacking conference.
And for the first time ever, hackers had access to something new: DEF CON Academy, an open-access training ground hosted by faculty in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University.
DEF CON is famous for its intensity — walls of code scrolling at lightning speed, competitions that run through the night and a crew obsessed with breaking things to make them safer. For newcomers, though, that world can feel overwhelming to enter. DEF CON Academy was designed to change that.
“DEF CON has always been about community,” says Yan Shoshitaishvili, a Fulton Schools associate professor of computer science and engineering and head of the organizing team. “With the academy, we wanted to create a front door, a space where anyone, no matter their background, could sit down, learn the fundamentals and discover that yes, they too can be an ethical hacker.”
Hack first, ask questions later
Over three days, the academy pulsed with activity. An estimated 2,500 participants rotated between live talks, panel discussions and hands-on gamified activities powered by pwn.college, ASU’s globally used cybersecurity education platform. A team of more than 20 ASU cybersecurity students was available to set attendees up on provided laptops, answer questions and guide learners through exercises.
In a series of talks, all led by ASU student researchers, beginners learned how to hack the command line in “Terminal Tactics for Beginners.” Others dove into binary exploitation in “Exploiting Expectations: A Beginner’s Guide to Buffer Overflows.”
And more advanced attendees filled the room for “Deceit by Design,” in which Robert Wasinger, a cybersecurity researcher and Fulton Schools graduate teaching assistant, demonstrated how modern processors can betray users through speculative execution flaws like Spectre and Meltdown.
The crowd was standing-room-only. Laptops clicked, screens filled with code and cheers went up when participants solved challenges on the spot. During the conference, attendees solved more than 1,300 problems on the pwn.college platform.
“Cybersecurity isn’t something you can absorb just by reading about it,” Wasinger says. “You need to see a system fail in real time, understand why and then learn how to defend it. That’s the kind of visceral experience we built into the academy.”
Capture the flag: Break it to make it
At the heart of both DEF CON and the academy was the legendary capture-the-flag, or CTF, competition. Unlike the playground version of the game, cybersecurity CTFs ask players to break into software programs, reverse-engineer code or solve digital puzzles to uncover hidden “flags.” It’s part sport, part science and widely considered the training ground for the best hackers in the world.
The academy introduced attendees to CTF basics, offering them a way to practice the very same skills that power elite teams. During the “Professionally Dangerous: Ask the Experts in Vulnerability Research” panel, veteran hackers underscored why these competitions are vital.
Panelists, including Perri Adams, former special assistant to the director of the Defense Advanced Research Projects Agency, told attendees that capture-the-flag competitions are one of the most effective ways to get involved in cybersecurity. They emphasized that the challenges are uniquely valuable for teaching participants to think like attackers. For those just starting out, the experts noted, CTFs provide an unmatched entry point into the field.
That message resonated with the academy’s mission. By blending live tutorials with CTF-style exercises, ASU faculty members gave newcomers both the context and the confidence to begin hacking safely and ethically.
When curiosity becomes a career path
Cybersecurity threats are rising every year, and the talent pipeline isn’t keeping pace. Industry reports estimate there are 3.5 million open cybersecurity jobs worldwide, with three-quarters of a million unfilled positions in the U.S. alone. Closing that gap needs more than traditional coursework. It requires making cybersecurity approachable and engaging.
That’s what makes the academy so significant. It didn’t only showcase the faculty team’s technical expertise. It opened doors for hundreds of curious minds who might now consider careers in defending critical systems.
“What stood out was the energy,” says Jackie LeFevers, associate director of research operations for the Center for Cybersecurity and Trusted Foundations, the research center that led organizing efforts. “We had students, hobbyists and industry professionals jumping in, asking questions and solving problems. That’s what we’re trying to spark: a movement where anyone can see themselves as part of the cybersecurity solution.”
Turning research into real-world impact
The DEF CON Academy wasn’t the only stage where ASU’s experts made waves. The Shellphish hacking team, co-led at ASU by Shoshitaishvili and fellow Fulton Schools associate professors of computer science and engineering Adam Doupé, Fish Wang and Tiffany Bao, competed in the finals of the AI Cyber Challenge, taking fifth place in the high-stakes competition from DARPA and the Advanced Research Projects Agency for Health.
Their system, ARTIPHISHELL, deployed artificial intelligence to detect and patch security vulnerabilities in widely used, open-source software. The team’s cyber reasoning system is available for the public to access, test and use.
The combination of education, competition and innovation on display reflects ASU’s broad approach to cybersecurity: Give students real-world challenges, have top researchers mentor them and push the boundaries of both knowledge and practice.
“The problems in cybersecurity are massive, but so is the talent and curiosity out there,” Shoshitaishvili says. “With initiatives like DEF CON Academy, we’re making sure more people have the tools to turn that curiosity into impact.”