Teens often explore the world by tinkering with it. How can you channel that impulse and turn it into real engineering? Send them to Hacker High School.
It’s not a real school, of course. The Institute for Security and Open Methodologies (ISECOM), a nonprofit technology research organization based in New York City and Barcelona, uses the allure of hacking to teach kids computer security through an open-source curriculum. "I’m trying to make students resourceful," says Institute managing director Peter Herzog. "We don’t spoon-feed them."
Herzog knows this firsthand. As a child, he was a self-trained hacker. Even his toy cars didn’t go unhacked—he once put a solar panel on one. In 2001, following stints as an engineer for Intel and IBM, Herzog applied his do-it-yourself ethos to launching the Institute. It grew out of the Ideahamster Organization, an online community of engineers with a tongue-in-cheek name for the people responsible for innovation.
After disseminating their own security solutions, the group began a certification and training program for businesses, schools, and government agencies that’s been used by organizations as large as Wal-Mart and the U.S. military. The group’s Open Source Security Testing Methodology Manual OSSTMM) is now a widely used standard, particularly in South America and Europe. Its adoption brought to light a similar need at the educational level. "A lot of young people had no clue about what hacking really was," Herzog says. "For us, it’s about really deeply understanding something operationally so you can manipulate it the way you want to."
Herzog launched the Hacker High School curriculum in 2004, with funds from ISECOM and fees from OSSTMM certifications. Despite its name, the program is designed to be used by elementary and middle schools as well. Over 100 schools around the world are already on board. The goal was to equip kids with the means to defend themselves against ID theft, malware, and other online attacks.
The group worked with an academic partner, La Salle Ramon Llull University, in Barcelona, as well as the open-source community online. Jaume Abella, a professor of engineering at La Salle, says Hacker High School is an effective way to both attract students into the field of computer security and educate them about the line between legal and illegal hacking. "We teach them to be careful," he says.
Rather than function as a textbook course, HHS stresses exploration and innovation. "A lot of computer science classes make students look up answers themselves," Herzog says, "but if you know what you’re looking for, you’ll only find what you expect." To participate, teachers need Internet-connected computers and the HHS lesson plans, which are available for free online. The syllabus begins by introducing students to the concept of ethical hacking and continues with such topics as ports and protocols, attack analysis, and digital forensics. The entire coursework—a dozen lessons in all—can be completed in as little as six weeks.
Exercises test students’ understanding of the material on multiple levels. A lesson on e-mail security, for example, teaches students to identify the level of cryptography used in their own messaging program. That same lesson may also ask them to contrast opposing views on technological openness from Phil Zimmermann, creator of the Pretty Good Privacy software (better privacy through better cryptography) and science fiction author David Brin (computers have killed privacy; get over it). For a lesson on malware, students go online to find examples of boot sector, polymorphic, and macro viruses. They must also determine how Code Red, Nimda, and other famous worms exploited software vulnerabilities.
Students investigate problems on a test network that HHS has created. Herzog built it himself out of a motley collection of personal computers by adding a backup power supply, five Ethernet cards, and 4 gigabytes of RAM running a variety of operating systems. A additional set of rack-mounted servers, donated by Dreamlab Technologies, of Switzerland, are housed at La Salle. "It gives them a safe place to try things," Herzog says.