Practicing the Dark Arts, Wearing a White Hat
By Marcia Goodrich
Ryan Sears '13 has an unusual skillset. He is a white-hat hacker, an expert in detecting, breaching, and fixing weaknesses in computer security systems. If he were a bad guy, he would be the stuff of nightmares. Fortunately, he is not.
That does not make him less formidable. When Sears invades a computer system—and he has invaded many—he places himself in a criminal frame of mind. "I ask, if I were evil, what could I do with this?" he said. "And then I never do evil, I just report my findings."
Sears' skills earned him a slot in the Google Security Hall of Fame while he was still an undergrad, for discovering a vulnerability in Gmail that would allow ne'er-do-wells to take over accounts. His reward? "They paid me $3,133.70 for an hour's work."
Sears has been captivated by computing's cat-and-mouse underworld since he was a twelve-year-old going to school and learning to crack video games. "Security has always been my passion," he said. "It seemed to call me. It's this weird, digital dark-arts practice, and there are no parallels in the real world."
Sears understands it so well that he was hired by the defense contractor Palantir while still an undergraduate. The company's modest mission: "We're here to help solve the world's hardest problems." Bloomberg BusinessWeek* called the multi-billion-dollar Silicon Valley firm the "darling of the intelligence and law enforcement communities" for its ability to solve the 9/11 problem: it assembles a constellation of apparently unrelated data—twinkly bits that on their own appear innocent—and raises the alarm if together they signal some nefarious intent.
Sears was first put in the public eye after he won the 2010 US Cyber Challenge, an Olympics of sorts for up-and-coming cyber-security wonks.
"That put me in the spotlight," he said. As a sophomore, he was flown to the White House for a meet and greet with officials from the likes of the FBI, the Secret Service, and the National Security Agency. He found their world fascinating, but in the end, after talking with Palantir, said no thanks to government service. "Security work is what I've known I've wanted to do forever, but there are ethical reasons I chose not to take the government route, and private industry will pay me more," he said with a shrug. "Plus I don't have to deal with any bureaucratic nonsense."
It's a step up from his previous job.
Sears got on Michigan Tech's radar after joining the Information Technology group. He started on the bottom rung, as a student worker in user support, but was soon promoted. After tackling increasingly complex assignments with aplomb, he was inducted into IT's equivalent of the Navy SEALs: Team Bulldozer. "When something happened that nobody could figure out, it would go to my group," Sears says.
In his eight years at Michigan Tech, Greg Booth hasn't worked with anyone quite like Sears. "He's scary smart, but in a good way," said the senior application systems analyst. "He has blocked a number of attacks on our servers. Sometimes problems would arise that we couldn't pursue, and we could give them to Ryan. He would always come up with a solution."
Sears' work with Booth and other IT staff was ideal preparation for his dream job with Palantir. "I can't overstate how important that's been," he said.
The IT staff were equally complimentary. "He's going to be an extremely hard person to replace," said David Hale, IT senior security officer. "But I'm very, very happy he found the job with Palantir. I would have liked to hire him, but we just can't pay him what he's worth."
Sears has a bright future, Hale predicted. "He will do very well out there. We'll see how long it is before somebody else snatches him up," he said. "When it comes to security work, Ryan's a natural."
On the academic side, Sears' most influential teacher was Brian Davis '91, who taught him about the underpinnings of computing. "I remember thinking, ‘Holy crap! This is how computers work,'" Sears recalled. "I didn't realize that all your computer does is add, which is an amazing thing. Computers turn simple addition into smartphones, movies, aviation equipment—everything."
Davis is now an associate professor at Embry-Riddle Aeronautical University, in Prescott, Arizona. "Ryan is very intelligent, but there are aspects of the computer that people don't typically discuss," he said. "Ryan knew everything about a, b, and c, but didn't know how they related. I provided the linkage, so he could see the big picture."
Sears is the sort of student teachers don't forget. "When I started working with him, he was a second-year, and even then he was the most capable person in computing security at Tech, including both faculty and staff," Davis said. His skills were such that he even assumed a teaching role in some of his classes.
A prodigy in his field, Sears nonetheless struggled with some required courses—he failed calculus twice at Tech before taking it from a community college and transferring the credit. Yet he was so proficient in his discipline that many of his major courses seemed a waste of his time.
The cumulative frustration nearly drove him to drop out, but he persevered. Six years after enrolling at Tech, Sears completed his BS in Computer Network and System Administration in May, mostly to please his family, especially his grandmother.
His mentor is glad Sears toughed it out. "I'm glad to hear Ryan's planning to graduate," Davis said last spring, noting that too often, self-taught computer wunderkinder drop out under similar circumstances, only to find themselves stuck in dead-end jobs for lack of a college diploma.
While in school, Sears worked remotely for Palantir from home and commuted to Palo Alto once a month. After graduation, he went to California to work as an information security engineer. As the name suggests, it's an open-ended position. Typical challenges are uncovering bank fraud or foiling "distributed denial of service" attacks on websites.
"In the hacker realm, especially among black hats, knocking websites off the air is a big deal," Sears said. "One of the first things I did at Palantir was re-architect our web server so it could stand up to a denial of service attack."
Co-worker Booth was sorry to see him leave.
"When Ryan said he got a job at Palantir, I was blown away," he said. "It's like you're in a band with someone who tells you he's going to go play with the Rolling Stones. You're kind of annoyed because you are losing him, but then you are also happy because he made it, and he deserved to make it."
The shadowy world of black and white hats can be an alarming place, said Booth. "But it's also reassuring that there are good people like Ryan on the right side."
*http://www.businessweek.com/magazine/palantir-the-vanguard-of-cyberterror-security-11222011.html “Palantir, the War on Terror’s Secret Weapon,” by Ashlee Vance and Brad Stone, Nov. 22, 2011
Michigan Technological University is a public research university, home to more than 7,000 students from 54 countries. Founded in 1885, the University offers more than 120 undergraduate and graduate degree programs in science and technology, engineering, forestry, business and economics, health professions, humanities, mathematics, and social sciences. Our campus in Michigan’s Upper Peninsula overlooks the Keweenaw Waterway and is just a few miles from Lake Superior.