Every industry and every profession can benefit from people who are as creative, resourceful, and motivated as hackers.
There are so many great things you can do better with hacker skills whether working as a chef, artist, engineer, designer, or even in medicine.
They know how to teach themselves how things work and how groups of things work together so that they can change them the way they want to, adjusting them, personalizing them, and even improving them. So the hacker skillset is good for many careers and we need to make that clear. The last thing we want to do is box them into "cybersecurity" because the world needs more hackers.
“Anyone wanna help us make hacking lessons for teens?”
That's how it all started, an open source community to teach hacking to teens called Hacker Highschool (www.hackerhighschool.org).
Teaching the mindset of the hacker is like coaching gymnastics; you can give students the equipment and tell them about form but they still need to teach themselves how to land back on that skinny beam. That was just our first complication. And it was the only one we got right the first time.
Besides that we had two others going against us. The second complication was that most high school teachers do not know enough about hacking to teach it on a technical level. And third, most school administrations thought we were playing with fire, or at least trying to teach setting fires to aspiring arsonists.
Now as we enter into our second revision of the Hacker Highschool lessons, we're making sure to get the other two right as well. Since what we got right was the methodology we knew that as long as the lessons followed this method teens were interested in doing the lessons and teaching themselves.
So the first thing we created is the Contributor Guide (http://hackerhighschool.org/lessons/HHS_en0_Contributor_Guide.pdf) which became required reading for all volunteers. In it we explained what we want to make and how to do it.
We wanted the teens to think what they're doing is bad/evil/dangerous so it's exciting. We also never wanted to use “evil hacker” or “bad guy” or similar terms in our explanations about various hacking activities because we wanted to avoid giving the teens an us/them feeling that makes them question what side they are on.
As we saw it, they're all hackers. And we made it clear that if you break the law you're a criminal. So they need to be extra careful because breaking the law happens not because they're necessarily evil but because either they've been careless while hacking or lawmakers were careless in crafting a stupid law.
Ultimately we want teens to think what they can do as hackers makes them powerful and dangerous. Because it does. But it also shows them they have so much more to learn. In psychology, studies have shown that amateurs are the most self-delusional thinking they know what they're doing and it isn't until one starts to study a field that they realize how little they actually know. Another study by the ISECOM and the United Nations UNICRI called the Hacker Profiling Project confirmed that it's the amateurs who do the most damage as hackers through sheer carelessness.
So we knew we needed to get teenagers to the point where they realize how small they were in a big field. Because it's true that hacking is a huge field and the one who knows the most about how things work and interoperate is going to be the most powerful. That teaches students to respect that small bit of power they get from the lessons and to want to know how to keep teaching things to themselves.
And this works because teens don't think like adults do. They don't process punishments and rewards like adults do. So we decided to make the lessons for them, and not for the adults who run the schools.
Fortunately, many teachers understood this. But what they worried about when it came to allowing Hacker Highschool in their classrooms was how little they themselves knew about hacking.
“Hack everything but harm none.”
Hacker Highschool v2 Lesson 1: Being a Hacker
We first tried to solve the problem of inexperienced teachers by offering free classes on the lessons to teachers. That pretty much failed. So next we tried to make a teacher's guide. But it didn't get much support and we didn't have the resources to make anything comprehensive enough.
The problem only went away once we figured out and successfully explained to the teachers to do nothing. To be like gymnastics coaches. They were there to provide the equipment and assure good form but the teens needed to go through each lesson on their own and figure it out themselves. The process of how to figure stuff out was the exact thing we really wanted them to learn and that doesn't work if you try to teach it.
When we first asked the open source community for help back in 2003, the ISECOM project mailing list had about 1000 subscribers on it from around the world. I knew how powerful open source could be as I had created the Open Source Security Testing Methodology Manual (www.osstmm.org) just over two years before. The OSSTMM grew fast and got a lot of respect from security professionals, government officials, and even hackers. But now I was suggesting we start something that some people called “reckless” as most of them thought I wanted to teach kids to be criminal hackers.
When we were creating the OSSTMM we operated as a loose, open source group called Ideahamster. It wasn't long before government agencies asked us to change our name since it was difficult to get their fellow security colleagues to take the name Ideahamster seriously. So we created ISECOM as a non-profit organization.
Hacker Highschool was the first new project for ISECOM. I knew if I could get ISECOM contributor support by appealing to the current OSSTMM contributors we could get it done. We could make hacking lessons for teens. And that's exactly what happened.
At that time making hacking lessons was not exactly new. What was new was the method. We wanted to do it formally as lessons and workbooks specifically for high school students, taking advantage of research about how teenagers learn and how hackers figure things out to really get our practical knowledge across to them.
The truth was that more and more teens were coming online and they were unprepared for what was already there: scammers, malware, thieves, bullies, and unethical businesses. Some teens were already finding out how insecure we all were because of the hacking tools and tips that disseminated through newsgroups, chat, and public websites.
While this motivation to teach themselves was great, the information they got was inconsistent and often far from accurate. So it was time to teach them the right way or else they'd never be able to reliably secure themselves and they'd probably end up doing more damage just playing with tools. Also they would need a safe environment, a group of vulnerable servers to try out their new knowledge on without hurting anyone. So we knew what we needed to do.
I approached Jaume Abella, the Director of Networking at La Salle University, Barcelona for help. He was a huge supporter of what we were doing with open source. He provided the network space for us to build a closed set of test systems and some students to help us fill it with vulnerable systems.
ISECOM bought three new PCs with fallback power supplies and five ethernet cards each to host the virtual servers and set them up in an unused part of the Department of Networking office. An Italian security company, @MediaService, run in part by the famous European hacker, Raoul Chiesa, had already helped with the OSSTMM and they were immediately drawn to this new project. A Swiss company renowned for their technical hacking techniques, Dreamlab Inc., jumped in too.
Between @MediaService, Dreamlab, and LaSalle, Barcelona, we had the know-how to make a solid test network. And we did. While the test network was being developed we found enough volunteers to get twelve lessons written. Kim Truett was working with us at the time and she with her husband Chuck, a professional writer, used their teen son as a test subject for the lessons while they did final edits.
Marta Barceló, the co-founder of ISECOM, designed and packaged the lessons professionally, created a slick web site for them, and by 2004 she published it all online free and open source. Sort of. At the time, copyleft for documents, especially a methodology, was surrounded by unknowns. A volunteer who happened to be studying law came to us with the information that a methodology was a Trade Secret and therefore wasn't covered by copyleft. All we wanted to make sure that kids and any type of high schools can use them free in any way they'd like.
As for the test network, it was also free but unfortunately only available to schools. We couldn't handle large capacity or frequent administration of login accounts so we restricted it only to high schools and legitimate home schools. But this was just the start and we had to learn. Eventually though we created an Open Methodology License based on the spirit of the GPL to handle Open Trade Secrets and switched all our projects to the OML and a Common Criteria license.
We were also novices at maintaining an open source community and struggled to keep up with all the interest that the OSSTMM brought. We had been taken by surprise then and really weren't ready for any kind of growth. So when Hacker Highschool was released, we were nearly crushed. Making accounts for the test network suddenly became my new job. E-mails had to go unanswered because if I thought that the 50 a day I got from the OSSTMM was excessive, the extra 150 I got with it now was completely unmanageable.
Additionally, teaching hacking to kids kicked up a bit of a media storm. Local TV stations as well as the BBC and Euronews sent camera crews. Radio Free America did a phone interview. The Italian newspaper Avvenire did a story for their popular Sunday insert magazine and even IEEE wrote about it in there magazine. This only continued to drown us in requests. But open source also has the freedom to fix itself.
Since we weren't responding in a timely fashion, the community rerouted around us. People began to make and submit translations. A few of them were just parents who were keen to give the lessons to their kids and so they translated it for them and then gave them back to us to share with others. Other volunteers filled in to give support for teachers who were interested in the lessons but didn't know how to teach the class.
Some people put the lessons online with Moodle to offer as free classes to teens. Other, anonymous, supporters re-packaged the lessons as single e-books, tweaking out the content, dropping them in file shares, and thankfully leaving the attribution. Forums popped up where teens shared how to get answers to the exercises. And even La Salle, Barcelona put computers on a bus and made a mobile computer lab to drive around to area schools and teach it.
No Hacker Left Behind
And that's how it went for a long while. Other research projects took precedence for ISECOM but Hacker Highschool remained a dominant project and growing over the years, currently reaching about 250,000 downloads per month.
Dreamlab Inc. sent us three new rack-mounted servers fully configured, which have been installed in the La Salle Barcelona server room. And every year new La Salle, Barcelona students take on the job of improving the test network (http://proyectos.salleurl.edu/grado-telematica/lostproject/) as part of their final projects. Unfortunately though the lessons haven't changed at all. Until now.
“Don't think you can just be a great hacker. Only by doing great hacks with great humility can you be great.”
Hacker Highschool v2 Lesson 1: Being a Hacker
That's because Glenn Norman showed up. Glenn is an adjunct faculty member at the University of New Mexico and New Mexico State University and an avid hang glider (so you can picture the kind of fearless daredevil he is). He told me he wanted to teach Hacker Highschool as a summer camp at UNM and wanted to help update the lessons. I sent notices out to the project mailing list, which now reaches over 30,000 subscribers, and there were many people interested in helping.
Since Glenn was interested in having them ready for his summer camp at the end of June, he took over spearheading the operation and editing the submissions. In the end over 60 people have been committed over the past few months of development. One of the volunteers is a 16 year old hacker himself.
We have also had great support from various subject matter experts who have donated their time as tech editors. This has been especially important as we have also expanded the number of lessons to 21 to cover new technologies (and buzzwords):
- Being a Hacker
- Basic Commands in Windows, Linux and OSX
- Ports and Protocols
- Services and Connections
- System Identification
- Attack Analysis
- Digital Forensics
- E-mail Security and Privacy
- Web Security and Privacy
- Internet Legalities and Ethics
- Cloud Computing
- Document Grinding
- Vulnerabilities and Exploits
- Mobile Phones
- Physical Security
- Wireless Security
- Social Engineering
We are currently wrapping up the development of the lessons (final review, final edits, and final formatting). We have some translators eagerly waiting to begin porting the lessons into their own languages. Meanwhile Glenn has begun to sling the project into a grown-up version called Hacker Night School so that anyone can learn the hacker skill set.
But really the whole project is alive with development energy again as it encompasses many areas of research from psychology and sociology to technology and education. You really get a feel for how all the contributors are working to engage young, clever, and curious minds. Most of all, we're just having fun with it. And I personally can't wait to see what people do with v2 once it's live.
I'm very proud to say that we're making some of the hackers of tomorrow. And they're the people who will redesign, re-invent, and hack their way into our future.
Excerpts also previously posted at OpenSource