Slashdot Mirror
After-School Hacking Special
securitas writes "The NY Times writes about an after-school program that teaches teenagers how to hack, attack and defend systems. There doesn't seem to have been the same uproar as the virus-creation course at the University of Calgary (see previous Slashdot thread), even though the participants in Tiger Team (the name of the program) are younger than the university students."
Yeah! Finally we after-schooler AD&Ders have a group nerdier than us to beat up!
Trolling is a art,
Little Johny: Hey, Jimmy try this script out. First one is free tell your friends.
If you educate talented kids on how to defend systems you could produce some very valuable assets to the future security community. Learning how to hack goes hand in hand with learning security because you need to have the same level of knowledge as the hackers (preferably better). If they can see the profit potential of using this knowledge for good then they will probably be swayed from the dark side.
After learning how to break systems fom a prominate IDS designer, I can honestly say that I will design much more secure systems myself. Becuase of my age, I don't feel the need to go out and try what we learned on real systems to see if I can cause havoc.
However, I wonder why the adults behind this "after school program" think that kids will have the same degree of responsibility that university students do when learning these things. What is to keep them from going out and writing viruses, unleasing them upon the Internet and generally causing lots of trouble after learning how to "protect" systems.
didn't have any spinny flaming skulls on it, and their wasnt a single biohazard sign anywhere! :(
I severely doubt it's integrity and capability with regard to teaching me the kiddie skillz I need to get by on IRC nowadays!
- DemonShadowHa>0rSpawnNeo
--------------- THERE IS NO SPOON
--------------- HACK THE MPAA RIAA AND AA
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Timmy: Hi Susie!
Susie: Hi Timmy! Wanna go get a malted milk?
Timmy: Nah, I've got something keener to do.
Susie: What then?
Timmy: I don't think you would get it.
Susie: Come on! We're best friends, right?
Timmy: OK then. I'm gonna go home and hack.
Susie: (pause) Gosh Timmy! You shouldn't hack!
Timmy: Why not?
Susie: Hackers are theives and cost lots of folks money! They're akin to a device that breaks the lock on your house!
Timmy: Aw shucks, you're so old fashioned. I gotta go, see you tomorrow.
[ Susie walks away sadly. ]
[ The next day... ]
Teacher: Rodney?
Rodney: Here.
Teacher: Susie?
Susie (sadly): Here.
Teacher: Timmy?
[ silence ]
Teacher: Susie, do you know where Timmy is?
Susie: I sure do, Mrs. Martin. He went to jail.
[ murmurs from the classmates ]
Susie: He was downloadin' music and stuff, and he got caught. He's really in a darn pickle now.
Teacher: Class, let this be a lesson to you all. Good kids don't hack. If somebody asks you to hack, just say, "I don't hack. That's whack."
It's great to teach others, but without the background, or the teaching of consequenses (I can't spell worth a damn), that could bite the school in the arse.
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
Tiger team.
Anyone else see visions of the football team, glee club and chess team in an ad-hoc alliance, beating the living shit out of the "tiger team"?
I don't need no instructions to know how to rock!!!!
I'm curious where they get their teachers. In order to make this program worthwhile (IE - the kids learn something about security), you would need someone with some significant experience and knowledge.
I know that I was in high school a few years ago, the head netadmin/sysadmin was worse than pitiful, a MS Certification only type of person. The only systems he ever hacked into were those in a computer game. Granted, I did go to private HS, and IT was not at the top of their budget priorities.
Regardless, it brings up a good point of having competent people teaching these types of classes, and how difficult it is for schools feeling the budget crunch to find competency.
We can then hope that industry picks these students up and listens to them. Some companies won't like what the clueful have to say about their software. But every other company in the world needs to hear it.
Friends don't help friends install M$ junk.
If it's their own code, yes. What these kids are being trained to do is find holes in other peoples' code, so a company can fix the insecurities.
There's a good reason people are getting paid $90,000 a year to hack into computers of big companies, despite your scepticism.
Chemistry classes teach kids how to make explosive materials, physics classes teach the physics of crushing someone's head in with a bowling ball. No court would find them responsible, unless the teacher was encouraging activity.
From what the article says, he's strongly encouraging ethical behavior. Personally, I wish I had something like this in high school.
In a really simple contrived world maybe.
Explaining a buffer overflow and actaully programming one are two different things. And programming an expliot for one drives the idea home even better.
I'm not saying that they should be trying to hack nsa.gov or something. However, when you actaully have a chance to play with a virus or recent exploit in a controlled environment you will get a better understanding.
That is why folks honeypot and such. They can actually figure out what are the techniques used in the wild and how to defeat those techniques.
Norris/Palin 2012
Fact: We deserve leaders who can kick your ass and field dress your carcass.
I can relate to this from personal experience.
:-( [we theorized that he learned afterwards that Linux was Haxx0r material, so he banned it, but we'll never know for sure :-) ].
During my high school years, I had been banned for a time from using computers at the school library, only because of my programming knowledge was superior to that of the teacher of Computer class (this was 1994 - the guy even thought the Net was an useless fad!). Rumor must have spread that I could hack a machine by looking at it, or something of the sort, since they didn't want me near a two-meter radius of any terminal. At first I didn't give a damn since I limited my computer stuff to home and that class...
However at some point the professor hired some "security expert" consultant to assess threats to the network, and my name appeared on top of a list of people who allegedly had "hacking tools" in their network space. This was too much (I only used it for school papers, and I could prove it) and I had to go to the professor and threaten to sue for libel. Of course I didn't had to go so far, since the professor apologized, removed my name for the list, and restored my normal access to the library computers. Since then I didn't have any problems (even the librarians asked for help afterwards).
What the moral of this story? Ignorant professors == bad news. If kids are smart enough to want to learn hacking, or programming, then they should allow their creativity to be expressed. Or else you will fall into idiotic situations like what I have lived.
PS: As a matter the fact the professor, much to his credit, at some point offered to create a "Linux club" (1995). However, the college grad supposed to sponsor the club dissapeared after the first meeting... so we never had anything...
The ENIAC Demo Competition
Most people don't care about theoreticals. They care about what they can see and what affects them. If you show them their page in Lynx and Mozilla and Opera, perhaps they will understand the need for standardization. If you show them that no one else can compile their program, they might start writing standardized code.
The point is, people aren't going to understand that they have hackable systems unless you hack them and say, "Look what I found!" By proving the flaws in their systems you inspire them to fix them, creating secure systems.
Like they say, there's no teacher like bad experience.
Of course, if you're teaching programmers that's the way to do it. But programmers are not the ones who deal with security problems every day, SysAdmins do.
Typically a SysAdmin staff does not consist of programmers, and even if they are programmers, their job is not to write the security-intensive code and send the company to bankruptcy while they re-implement the OS, the terminal emulators, the network protocol, etc. Their job is to solve problems using the most efficient solution, and this often includes using other people's already developed, tested, code.
Their job is to install it, configure it, manipulate it and understand at a high level how it works; and when things inevitably go bad, minimize the damage and fix it quickly.
Learning to predict HOW things can go bad would help a lot.
Freedom is the freedom to say 2+2=4, everything else follows...
While many adults want to shelter our children from anything that may harm them, I would advocate teaching children (at an appropriate age) how to responsibly make use of dangerous tools. These would include using a firearm, various contact sports, martial arts, chemistry, computer security, and so on. Of course, there are morons who will mis-apply their karate or hacking skill, but then there will be many more trained peers to counter them.
If everyone is equally stronger and more knowledgable, the entire system is stronger. The world cannot be populated with softies who leave security to the "experts".
- James
I don't know where you went to school, but most of my chem classes were equations, and we never did get to try the "crushing head with bowling ball" in physics. Head-crushing was kind of frowned upon, both during and outside of school.
If he was really into encouraging ethical behaviour, he'd first teach them the difference between hackers and crackers.
Then, you've got to keep in mind how insecure most school networks are, and how unsophisticated most adult users at schools are:
Q: What's your password?
A: 'password'/'my name'/'my birthdate'/it's written on the post-it on/under/beside the monitor/keyboard/mouse
Sort of like mixing matches and gasoline. It's not a question of 'if' there's going to be a fire, but 'how badly are you going to get burned'.
Mind if I back this up for you, FroMan?
My Prof in Netprog showed us a old version of some crappy software (that has been since been repaired). He then installed the code on a server and proceeded to hack into the machine. Seeing this live demo followed up by code analysis REALLY hit home buffer overruns. I really believe this made me a better programmer.
In this case, we learned to "hack" but there was certainly no harm and no foul. I remember to check/fix overruns, but I would have to check my notes on the steps for hacking it.
Holy s-, it's Jesus!
Not to mention other activities which just as often don't encourage self-control, such as physically intensive competitive sports.
I think the teacher found a very adequate metaphor: when you teach martial arts you're teaching ways to hurt, and sometimes kill. There is no doubt this sort of knowledge can be misused to hurt people; it was perfected for that purpose.
Yet it is also taught and learned mostly for other reasons: for self-defense, for sportsmanship, for physical and/or psychological self-improvement. Sometimes kids are taught martial arts to (gasp!) teach self-control, responsability and discipline.
Society trusts that kind of training because the ethics and discipline are ingrained in the practical teaching, it's not just a chapter and a lecture in the curriculum. Perhaps a similar approach can be used for something like this.
Freedom is the freedom to say 2+2=4, everything else follows...
If anyone has any questions about the Tiger Team, I am on the Board of Directors and would be glad to answer them.