Gabriel Hogan ’27 Co-authors Workshop Paper In the paper, the junior computer science and business administration double major explored architectural VPN vulnerabilities and the systemic challenges that allow them to persist.

By Lily Caldwell
March 30, 2026

Washington and Lee University student Gabriel Hogan ’27 recently co-authored a workshop paper titled “Architectural VPN Vulnerabilities, Disclosure Fatigue and Structural Failures,” which was presented at the 2026 Workshop on Free and Open Communications on the Internet.

Hogan produced the paper with William Tolley, former visiting assistant professor of computer science at W&L and current assistant professor of mathematics and computer science at Hampden-Sydney College; Bowdoin College assistant professor of computer science Jeffrey Knockel; Jedidiah Crandall, an associate professor at Arizona State University; and Hampden-Sydney student Everett Morse.

The paper explains how VPN vulnerabilities are handled in practice, following their disclosure to major technology companies and tracking how those issues evolve over time. The study builds on earlier work by Tolley’s research group, Breakpointing Bad, in 2019, which showed that even when a VPN is employed, an attacker on the same network can determine what websites a user is visiting. This vulnerability had been reported through responsible disclosure to large companies, giving them the opportunity to fix their issues. However, Hogan and his co-authors demonstrate that these repeated patches addressed surface symptoms rather than the root cause, leaving the underlying vulnerability intact.

“What our research shows is that this system doesn’t always work as intended,” said Hogan, a computer science and business administration double major from Spotsylvania, Virginia. “Over the course of seven years, our team repeatedly followed proper disclosure processes, but the same underlying vulnerabilities continued to persist. Even after multiple disclosures and patches, we were able to recreate the attacks.”

Hogan worked on testing and validating the vulnerability on Apple’s iOS platform, drawing on his experience developing iOS applications. His work confirmed that the attack could be reproduced on current up-to-date systems.

“Working with Professor Tolley is always an incredible experience,” said Hogan. “He approaches security issues with a different lens and pushes me to think about larger systemic and global internet freedom issues. For this paper, he shifted the focus from just verifying a vulnerability, to why the system allowed it to happen again in the first place and what we could do to address it.”

Beyond verifying technical flaws or vulnerabilities, their research examines broader challenges in cybersecurity disclosure as a result of “institutional governance failures.” The authors argue that these patterns highlight the need for more comprehensive approaches to addressing long-term security risks. By documenting how vulnerabilities can persist across multiple years and fixes, the research aims to encourage greater accountability and more thorough, systemic solutions from technology companies.

“Langdon Winner’s essay ‘Do Artifacts Have Politics?’ really shaped how we approached this work,” said Tolley. “I assign it in my classes because it pushes students to see that infrastructure is not neutral. Systems can encode power, access and exclusion. Gabe really took that idea and ran with it on this project. We were not just asking whether a VPN vulnerability existed, but what assumptions in the system allowed it to persist. Once you look at internet infrastructure this way, these outcomes stop looking like accidents and start looking like consequences of how the system is built.”

Hogan is a Johnson Scholar and the co-founder of Glacier Integration, a cybersecurity compliance and enterprise software development company. At Glacier, he serves as a compliance project manager, helping small businesses prepare for audits and produce evidence for SOC 2 and PCI DSS standards. On campus, he works at the Lenfest Center for the Arts as a performance technical adviser, where he applies his computer science skills to his interest in live event sound, lighting design and production.

If you know a W&L faculty member who has done great, accolade-worthy things, tell us about them! Nominate them for an accolade.