After-School Hacking Special
securitas writes "The NY Times writes about an after-school program that teaches teenagers how to hack, attack and defend systems. There doesn't seem to have been the same uproar as the virus-creation course at the University of Calgary (see previous Slashdot thread), even though the participants in Tiger Team (the name of the program) are younger than the university students."
If you educate talented kids on how to defend systems you could produce some very valuable assets to the future security community. Learning how to hack goes hand in hand with learning security because you need to have the same level of knowledge as the hackers (preferably better). If they can see the profit potential of using this knowledge for good then they will probably be swayed from the dark side.
An interesting point. With University students, namely engineers, they are required to take at least one, sometimes several ethics courses designed to encourage responsible practices later on in their careers.
Hopefully, something similar will be put in place for these high school students, though it may not be as effective due to the generally lower level of maturity.
In C++, friends can touch each other's private parts.
I'm still of the mindset that the best way for high school kids to learn things is on their own. No matter what, throughout high school, the most I learned was all on my own time. I didn't have ANY courses in my school about anything related to computers (except a "typing" class), so, in an effort to actually try and challenge myself, I ordered a few books off of Amazon.com, and taught myself C++. And, I think that if I had access to a class that simply taught C++ with proprietary textbooks and software, I wouldn't have appreciated the experience nearly as much.
Trent Polack
www.polycat.net
You don't teach people how to create security systems by teaching them to break into bad systems.
You teach them to comment their code, watch the buffers and never let programs leave the box unless you absolutely have to.
This whole hacker mythology is poor.
Doesn't matter what the emphasis is from the instructors' point of view, all it takes is one script-kiddie to hack a site, and the teacher (and by extension, the school) are up for both civil lawsuits and criminal liability (contributing to the delinquency of a minor, etc).
Especially since he agreed that he was teaching kids to hack.
Remember, just because you CAN do something (in this case teaching kids to hack) doesn't mean you HAVE to.
It's good to know you considered it useful. I've been completely amazed at the uproar over U of C's virus course. (I'm considering taking it but it doesn't fit into my schedule well. :( ) All these threats like "don't apply for a job here if you took the course". And beautiful circular arguments like "Only bad programmers write viruses so if you take the course you are a bad programmer". Very interesting.
Random is the New Order.
I was watching a documentary about teenagers on TLC or Discovery a few months back. They had studies that suggested the part of the brain that enables you to predict the consequences of your actions may not develop until the end of puberty. Thus teenagers may be irresponsible because their brains are wired that way.
UNIX/Linux Consulting
I doubt that ethics courses will really help all that much. As a medical researcher, I've been forced to sit through any number of such classes. I don't think any of them taught me anything I didn't already know, except how to comply with innumerable arcane Federal regulations (which is useful, but isn't really the same as ethics anyway). Most of the ethics components offered useful advice like "Don't lie to your patients." (I never would've thought of that, and now that you've told us, I'm sure all the immoral people out there will immediately stop doing it!) When instructors tried to present more complicated ethical issues, they usually could not adequately defend their "answers," and were viciously beset from all sides by doctors (and occasionally techs like me) who actually understood the moral complexities of the situations the ethicists were talking about.
I think such classes are basically there to help stave off lawsuits; they allow you to say "Hey, we tried, we gave him ethics training; if he violates it, that's HIS responsibility." It gets rid of the (usually bullshit) argument that the kid simply didn't know it's wrong.
If it's their own code, yes. What these kids are being trained to do is find holes in other people's code, so a company can fix the insecurities.
There's a good reason people are getting paid $90,000 a year to hack into computers of big companies, despite your scepticism.
I can relate to this from personal experience.
During my high school years, I had been banned for a time from using computers at the school library, only because my programming knowledge was superior to that of the teacher of Computer class (this was 1994 - the guy even thought the Net was a useless fad!). Rumor must have spread that I could hack a machine by looking at it, or something of the sort, since they didn't want me near a two-meter radius of any terminal. At first I didn't give a damn since I limited my computer stuff to home and that class...
However at some point the professor hired some "security expert" consultant to assess threats to the network, and my name appeared on top of a list of people who allegedly had "hacking tools" in their network space. This was too much (I only used it for school papers, and I could prove it) and I had to go to the professor and threaten to sue for libel. Of course I didn't have to go so far, since the professor apologized, removed my name from the list, and restored my normal access to the library computers. Since then I didn't have any problems (even the librarians asked for help afterwards).
What's the moral of this story? Ignorant professors == bad news. If kids are smart enough to want to learn hacking, or programming, then they should allow their creativity to be expressed. Or else you will fall into idiotic situations like what I have lived.
PS: As a matter of fact the professor, much to his credit, at some point offered to create a "Linux club" (1995). However, the college grad supposed to sponsor the club disappeared after the first meeting... so we never had anything... :-( [we theorized that he learned afterwards that Linux was Haxx0r material, so he banned it, but we'll never know for sure :-) ].
The ENIAC Demo Competition
This sounds like the North Korean story from a few days ago, so here are lines from both stories and you can guess which article the students are from:
- "White-hat Hackers" or "Cyber terrorists"
- "hunger stricken" or "fortified with pizza"
- "another weapon" or "band of pickpockets"
- "creating mischief" or "training hackers"
Not a fair comparison, I know. All of the above is out of context.
Esteem isn't a zero sum game
Mind if I back this up for you, FroMan?
My Prof in Netprog showed us an old version of some crappy software (that has since been repaired). He then installed the code on a server and proceeded to hack into the machine. Seeing this live demo followed up by code analysis REALLY hit home buffer overruns. I really believe this made me a better programmer.
In this case, we learned to "hack" but there was certainly no harm and no foul. I remember to check/fix overruns, but I would have to check my notes on the steps for hacking it.
Holy s-, it's Jesus!
At least college students are (hopefully) smart enough to want to learn something serious about computers. With high school kids, 95% of them would be content with having a button saying "break into someone's system" that would do just that. However, we hope that in our nation's universities, students are taking the computer classes because that is the field they would like to go into, and as such they will refrain from doing stupid things. My college offers a security class, but there is no way to take it before at least your 4th semester in school, and AFTER you know C++, Java, Assembly language, and have the department approve you. And they don't teach you how to hack either. Sure you will come out of the class knowing how to break into some systems, but the focus of the class is not on cracking, but securing a network or a computer. The kids in NY public schools are just going to become script kiddies. We have enough of those already.
LOL, that sounds like a show that we have here on PBS (Houston). The bad guy of the show is named "hacker" and he goes around doing all sorts of bad things, and the whole point of the story is that hackers are bad. I think I am going to write PBS and tell them to take that crap off the TV. Giving hackers bad names.
If anyone has any questions about the Tiger Team, I am on the Board of Directors and would be glad to answer them.
Percent of marching band members in my college who were female: 50%
Percent of CS majors in my college who were female: about 5%
Any questions?
Yes, but any security professional worth his salt knows how to hack. You have to know how to break the system in order to fix it. This includes probing your own code for holes; Microsoft could use people like this to just sit there and pick away at IIS (or some such server software) and find the holes before the software is released. This way nobody else finds them first. Of course, the potential for abuse is high, especially among high school kids, who have no fear of breaking the law, so I don't know that this is the appropriate place to do it. You've got to make sure the students are mature enough to handle the material before you teach it to them.
(And before you slashdot youngins chime in, yes, you may be ethical, but I doubt most of your classmates would be. And it's oh so tempting for a geek to show off how he can hack stuff because other people think it's cool..)
The way you describe it, it actually sounds quite attractive and a great idea for training security staff. But I felt that the way it was originally described to me focused way too much on the hacking aspect, which I would think would turn off your average suit. "Hacker" is such a dirty word these days; it doesn't seem all that safe to use it. Just recently, someone I know almost got into some serious trouble because a clueless manager overheard him talking about enjoying the hacking simulator in the new Matrix game! It took a bit of explanation to calm everyone down. ;)
:)
I totally "get" the usefulness of the tiger-team approach, I just think it's a little dangerous to spin it as hacker training, especially in an article that is going to be read by the clueless.
Having said that, I think maybe I would like to modify part of my position, i.e. the part where I said that people shouldn't learn hacking skills but rather should focus on system hardening. Now that you mention it, I can see the usefulness of teams taking turns attacking and defending. In fact it sounds like a blast, besides being very informative.
Still, there's GOT to be a better way to spin this to the media. People are bound to react badly, don't you think? I don't have a lot of faith in people suddenly developing open minds...
Farewell! It's been a fine buncha years!