After-School Hacking Special
securitas writes "The NY Times writes about an after-school program that teaches teenagers how to hack, attack and defend systems. There doesn't seem to have been the same uproar as the virus-creation course at the University of Calgary (see previous Slashdot thread), even though the participants in Tiger Team (the name of the program) are younger than the university students."
Little Johny: Hey, Jimmy, try this script out. First one is free, tell your friends.
After learning how to break systems from a prominent IDS designer, I can honestly say that I will design much more secure systems myself. Because of my age, I don't feel the need to go out and try what we learned on real systems to see if I can cause havoc.
However, I wonder why the adults behind this "after school program" think that kids will have the same degree of responsibility that university students do when learning these things. What is to keep them from going out and writing viruses, unleashing them upon the Internet and generally causing lots of trouble after learning how to "protect" systems?
It's great to teach others, but without the background, or the teaching of consequenses (I can't spell worth a damn), that could bite the school in the arse.
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
I'm curious where they get their teachers. In order to make this program worthwhile (i.e., the kids learn something about security), you would need someone with some significant experience and knowledge.
I know that when I was in high school a few years ago, the head netadmin/sysadmin was worse than pitiful, an MS Certification only type of person. The only systems he ever hacked into were those in a computer game. Granted, I did go to a private HS, and IT was not at the top of their budget priorities.
Regardless, it brings up a good point of having competent people teaching these types of classes, and how difficult it is for schools feeling the budget crunch to find competency.
We can then hope that industry picks these students up and listens to them. Some companies won't like what the clueful have to say about their software. But every other company in the world needs to hear it.
Friends don't help friends install M$ junk.
*sigh*
I can remember when I used to say I was a hacker and that was a good thing. That was back when hacker was closer to the dictionary, a hacker or hack was someone who worked long hours.
This grumpy old man moment was brought to you by...
Come the revolution, the Bourgeois, Capitalistic, "A PARKING STICKER HOLDERS", will be first against the wall!
Wasn't everyone throwing a fit about N. Korea doing this, in a Slashdot article this week?
Chemistry classes teach kids how to make explosive materials, physics classes teach the physics of crushing someone's head in with a bowling ball. No court would find them responsible, unless the teacher was encouraging activity.
From what the article says, he's strongly encouraging ethical behavior. Personally, I wish I had something like this in high school.
In a really simple contrived world maybe.
Explaining a buffer overflow and actually programming one are two different things. And programming an exploit for one drives the idea home even better.
I'm not saying that they should be trying to hack nsa.gov or something. However, when you actually have a chance to play with a virus or recent exploit in a controlled environment you will get a better understanding.
That is why folks honeypot and such. They can actually figure out what are the techniques used in the wild and how to defeat those techniques.
Norris/Palin 2012
Fact: We deserve leaders who can kick your ass and field dress your carcass.
Most people don't care about theoreticals. They care about what they can see and what affects them. If you show them their page in Lynx and Mozilla and Opera, perhaps they will understand the need for standardization. If you show them that no one else can compile their program, they might start writing standardized code.
The point is, people aren't going to understand that they have hackable systems unless you hack them and say, "Look what I found!" By proving the flaws in their systems you inspire them to fix them, creating secure systems.
Like they say, there's no teacher like bad experience.
While many adults want to shelter our children from anything that may harm them, I would advocate teaching children (at an appropriate age) how to responsibly make use of dangerous tools. These would include using a firearm, various contact sports, martial arts, chemistry, computer security, and so on. Of course, there are morons who will mis-apply their karate or hacking skill, but then there will be many more trained peers to counter them.
If everyone is equally stronger and more knowledgeable, the entire system is stronger. The world cannot be populated with softies who leave security to the "experts".
- James
I don't know where you went to school, but most of my chem classes were equations, and we never did get to try the "crushing head with bowling ball" in physics. Head-crushing was kind of frowned upon, both during and outside of school.
If he was really into encouraging ethical behaviour, he'd first teach them the difference between hackers and crackers.
Then, you've got to keep in mind how insecure most school networks are, and how unsophisticated most adult users at schools are:
Q: What's your password?
A: 'password'/'my name'/'my birthdate'/it's written on the post-it on/under/beside the monitor/keyboard/mouse
Sort of like mixing matches and gasoline. It's not a question of 'if' there's going to be a fire, but 'how badly are you going to get burned'.
Not to mention other activities which just as often don't encourage self-control, such as physically intensive competitive sports.
I think the teacher found a very adequate metaphor: when you teach martial arts you're teaching ways to hurt, and sometimes kill. There is no doubt this sort of knowledge can be misused to hurt people; it was perfected for that purpose.
Yet it is also taught and learned mostly for other reasons: for self-defense, for sportsmanship, for physical and/or psychological self-improvement. Sometimes kids are taught martial arts to (gasp!) teach self-control, responsibility and discipline.
Society trusts that kind of training because the ethics and discipline are ingrained in the practical teaching, it's not just a chapter and a lecture in the curriculum. Perhaps a similar approach can be used for something like this.
Freedom is the freedom to say 2+2=4, everything else follows...
Sort of like mixing matches and gasoline. It's not a question of 'if' there's going to be a fire, but 'how badly are you going to get burned'.
You don't seem to have a lot of faith in the next generation, or indeed in your fellow human beings. You expound a tired point, which has been used by the less clueful of the world to stop everything from sex ed to skeet shooting.
The point of this class is twofold - first, much like a karate or skeet shooting class, to teach respect and self control for the skills.
Secondly, this class exposes the students to the facts - they learn the facts behind cracker attacks, and what can be done to stop them. It's much easier to make the right decisions when you have the right facts. Otherwise, these kids are going to go out, and experiment on their own - and it's much more difficult to tell the difference between right and wrong when you randomly try out root kits that you found on an underground hacker website late at night.
You can't just hide this from people, and hope that it will go away - you will always have hackers, just like you will always have pregnant teenagers. Perhaps with the correct facts, the future crackers of America can make the right decisions. They're going to figure out how to crack your machine anyway - the question is, what color hat do you want them to wear?
Do you have Linux and a DotPal? Click here now!
ChrisNowinski said: "You don't teach people how to create security systems by teaching them to break into bad systems.
You teach them to comment their code, watch the buffers and never let programs leave the box unless you absolutely have to.
This whole hacker mythology is poor."
I agree. Instead of teaching people how to hack systems, wouldn't it make more sense to teach them how to set up firewalls properly, restrict setuid, restrict the number of services running, set up a patching strategy, and run an intrusion detection system like PSAD? People interested in programming could take a course focused on verifying user input, and avoiding buffer overruns. That sort of thing would be useful to kids, instead of just making them unemployable.
And, this WILL make it hard for them to get a job. Who on earth is going to want to hire a kid who already has experience hacking? Imagine what the legal staff would say, the kind of liability the company would be up against if he or she decided to have a little fun using his work PC, especially when the company KNEW he was a hacker and gave him net access anyway!
I think that every HR Drone who sees a resume from one of these kids is going to at least briefly envision the following exchange taking place:
Lawyer: "So, you knew that Joey was a hacker -- it's right here in his resume. You knew that, correct?"
HR Drone: "That is correct."
Lawyer: "But you hired him anyway. And, you gave him access to the net, Visual Basic development tools, and access to your servers."
HR Drone: "Well, he WAS a developer..."
Lawyer: "Yes, but also a hacker."
HR Drone: "Yes."
Lawyer: (voice rising, Perry Mason style): "So, you KNEW he was a hacker, and you gave him everything he would need to do whatever he might want to do -- including take down Wall Street's trading systems for two whole days?"
HR Drone: "God, when you put it THAT way, you make it sound like it was our fault or something!"
Lawyer: "Perhaps it is. Your hacker cost Wall Street tens of millions of dollars in lost trades. Maybe if you'd have hired someone who HADN'T expressed an interest in hacking, we wouldn't be in this courtroom in the first place. You DID have other applicants, I assume?"
HR Drone: "We had over 100."
Lawyer: "But you chose the hacker."
HR Drone: "Yes."
Lawyer: "No further questions."
The above fantasy would scare any HR Droid senseless. And, you just KNOW it's the first thing they'll think of when they see a resume from one of these kids.
Farewell! It's been a fine buncha years!
I don't necessarily see a problem with this. How many 'white hats' do the same things every day in test labs and for clients? This could be good career training for them. However, I've observed kids often view hacking, etc. as something cool to do, without thinking of the consequences. While they're running this program, they should be teaching ethics and legality. Otherwise these kids might take this program as a license to hack.
--
Luck is just skill you didn't know you had.
Most likely, the teacher involved with a program like this is the de facto 'resident tech' of the school, being the one-person network admin/troubleshooter/etc. Having a face and personality associated with 'The Admin, my Enemy' can give a whole new perspective to the 'up-and-coming' hacker. This can be good or bad ('y'know, X isn't so bad, maybe I shouldn't target the school' vs. 'Oh, I -hate- that fscker, time to bring on the hurt'), but at least it can bring up the point that there's a real PERSON behind that box they're hacking. If done right, clubs like this can help cultivate the 'old-school hacker mentality' by having in-depth discussions of ethics, legalities, etc.
We live in a world where 'morals' are generally defined by social groups. If a kid getting his feet wet is exposed to nothing but script kiddies and their sites, just guess which way he's most likely to turn out...
There's no wrong way, to eat a Rhesus...
How can an effective teacher control the use of the knowledge she/he places in the hands of adolescents?
Your analogy is wrong, this is more closely like a chemistry teacher teaching how to make bombs, a physics teacher how to make projectile weapons, and a music teacher how to make rap music.
If this class was about computer security then your analogy would hold true.
And to commence feeding: your comment on hacking experience being bad is totally groundless: I wouldn't trust an architect who couldn't tell me the points in a building vulnerable to bombing, and I wouldn't trust a sysadmin who didn't have at least a basic knowledge of hacking techniques.
That's it. I'm no longer part of Team Sanity.