For teenaged Ymir Vigfusson, hacking into company servers was like playing Pac-Man at an arcade. It was a game, one that appeared to be isolated from any real consequences, said Vigfusson, who is now an assistant professor in the Department of Mathematics and Computer Science. At the age of 15, Vigfusson and a few friends accidentally damaged a server at Islandia, an Internet provider in Iceland, and consequently reported his misdoing to the company.
“I remember the sinking feeling of, ‘Oh my god, what is going to happen right now?’” Vigfusson said. “If we get reported to the police … that will be the end of it.”
Iceland at the time did not have a legal framework to punish hackers, said Vigfusson. And fortunately for Vigfusson and his friends, Islandia offered them full-time positions for finding a vulnerability in the code. Though they were let off the hook, Vigfusson said that the experience served as a wake-up call.
“I feel like I have the responsibility to catch kid hackers who are in the same shoes. They are young, they have nobody to guide them, they are just playing around and [don’t] really realize the boundary of what is right and wrong,” Vigfusson said. “I try to guide them to do something constructive with their skills.”
An Iceland native, Vigfusson received a Ph.D. in computer science from Cornell University (N.Y.) in 2010. Since then, he has co-founded an information security company called Syndis, taught computer security courses at Emory and researched the spread of epidemics.
At Emory, Vigfusson teaches “Computer Security,” a course that focuses on advanced vulnerabilities, exploits and defense technologies.
In his course “Computer Security,” Vigfusson said he encourages his students to go on the offensive through breaking into a restricted system. According to Andrew Jones (18C), his task is to enter commands in a computer program that will take full control of a remote mini-computer, designed by Vigfusson.
“I teach people how things break. If you can teach people how things break, they can learn how to fix things, and it’s much more fun,” Vigfusson said. “ I feel like in some sense I can teach them [to work with the system] responsibly.”
While Vigfusson likens homework assignments to a game of capture the flag, he said that any hacking must be done under a legal and ethical framework in mind.
“[Vigfusson] is so invested in doing this because he wants to help people who are interested in hacking learn how to do it in a safe, ethical and legal way,” Jones said.
Through his wife and visiting assistant professor, Rebecca Mitchell, Vigfusson was introduced to the possibilities of blending public policy and computer science.
Since then, Nishant Kishore (16PH) approached Vigfusson to conduct research and create a program that predicts epidemics by coupling large-scale cell phone metadata from Iceland with information about the onset of swine flu in 2009.
“The point of the experiment is to leverage these massive data sets that exist out there,” Kishore said. “It’s rare to link health details to call records. That is novel.”
This year, a team of three Emory faculty members, including Vigfusson, were provided a $380,000 grant award from the Centers for Disease Control and Prevention (CDC) to detect and respond to threats from drug-resistant pathogens.
According to a University Oct. 25 press release, the researchers have developed a fully-functional algorithm that identifies multiple strains and clones of malaria and can trace the sources of the E. coli outbreak by analyzing drops of blood in fecal matter. Vigfusson said that their solution provides a window into cheaper and more reliable medical interventions compared to deep genome sequencing.
Before coming to the United States, Vigfusson hoped to start a business that would enable people to see the ‘blind spots’ within an organization. At Syndis, Vigfusson helps teach companies how to identify risks and vulnerabilities in their source code and simulate real-world attacks to appraise the quality of a programming department’s response.
His work has allowed him to return to what seemed to be a simple, fun game for his 15-year-old self: hacking. But unlike his past self, he now hopes to work within the system and prepare corporations for the unexpected.
“The knowledge of how to break stuff allows you to create it better,” Vigfusson said. “What if someone is malicious or what if something fails? That’s the mindset that needs to change for computer science to become more robust.”