Can schools teach computer security without turning kids into cybercriminals?
Teens often explore the world by tinkering with it. How can you channel that impulse and turn it into real engineering? Send them to Hacker High School.
It’s not a real school, of course. The Institute for Security and Open Methodologies (ISECOM), a nonprofit technology research organization based in New York City and Barcelona, uses the allure of hacking to teach kids computer security through an open-source curriculum. "I’m trying to make students resourceful," says Institute managing director Peter Herzog. "We don’t spoon-feed them."
Herzog knows this firsthand. As a child, he was a self-trained hacker. Even his toy cars didn’t go unhacked—he once put a solar panel on one. In 2001, following stints as an engineer for Intel and IBM, Herzog applied his do-it-yourself ethos to launching the Institute. It grew out of the Ideahamster Organization, an online community of engineers with a tongue-in-cheek name for the people responsible for innovation.
After disseminating their own security solutions, the group began a certification and training program for businesses, schools, and government agencies that’s been used by organizations as large as Wal-Mart and the U.S. military. The group’s Open Source Security Testing Methodology Manual (OSSTMM) is now a widely used standard, particularly in South America and Europe. Its adoption brought to light a similar need at the educational level. "A lot of young people had no clue about what hacking really was," Herzog says. "For us, it’s about really deeply understanding something operationally so you can manipulate it the way you want to."
Herzog launched the Hacker High School curriculum in 2004, with funds from ISECOM and fees from OSSTMM certifications. Despite its name, the program is designed to be used by elementary and middle schools as well. Over 100 schools around the world are already on board. The goal was to equip kids with the means to defend themselves against ID theft, malware, and other online attacks.
The group worked with an academic partner, La Salle Ramon Llull University, in Barcelona, as well as the open-source community online. Jaume Abella, a professor of engineering at La Salle, says Hacker High School is an effective way to both attract students into the field of computer security and educate them about the line between legal and illegal hacking. "We teach them to be careful," he says.
Rather than function as a textbook course, HHS stresses exploration and innovation. "A lot of computer science classes make students look up answers themselves," Herzog says, "but if you know what you’re looking for, you’ll only find what you expect." To participate, teachers need Internet-connected computers and the HHS lesson plans, which are available for free online. The syllabus begins by introducing students to the concept of ethical hacking and continues with such topics as ports and protocols, attack analysis, and digital forensics. The entire coursework—a dozen lessons in all—can be completed in as little as six weeks.
Exercises test students’ understanding of the material on multiple levels. A lesson on e-mail security, for example, teaches students to identify the level of cryptography used in their own messaging program. That same lesson may also ask them to contrast opposing views on technological openness from Phil Zimmermann, creator of the Pretty Good Privacy software (better privacy through better cryptography) and science fiction author David Brin (computers have killed privacy; get over it). For a lesson on malware, students go online to find examples of boot sector, polymorphic, and macro viruses. They must also determine how Code Red, Nimda, and other famous worms exploited software vulnerabilities.
Students investigate problems on a test network that HHS has created. Herzog built it himself out of a motley collection of personal computers by adding a backup power supply, five Ethernet cards, and 4 gigabytes of RAM running a variety of operating systems. An additional set of rack-mounted servers, donated by Dreamlab Technologies, of Switzerland, are housed at La Salle. "It gives them a safe place to try things," Herzog says.
With everyone spending more and more time online, the need for computer security knowledge is only increasing. In addition to updating the lesson plans, Herzog and Abella are hosting HHS intensive training sessions at La Salle for high school students from around Spain. Dimas Galih Adrianto, a student from La Salle, says the program has brought a necessary freshness to computer studies and, most important, stimulated his interest in programming. "It’s helped me a lot in my learning," he says. Another student, who prefers using his online handle, JFFTantra, calls the material "indispensable" and says it has deepened his understanding.
An effort is under way to make the HHS program required in all high schools throughout Switzerland. That might seem to some to open Pandora’s box, but for Herzog, the risk of vulnerability outweighs the threat of students becoming hackers in the bad sense. "I’m not concerned they will use this for evil," Herzog says. "That’s like saying a carpentry class will teach someone to be a serial killer. I don’t see the connection."
If there is a connection, teachers seem to find it manageable. "I always tell my students that everything they learn can be used for both good and not-so-good purposes," says Sam Black, a computer science instructor at Lubbock High School, in Texas, who uses the Hacker High School curriculum in an advanced placement computer class. "The real test is how they choose to use their knowledge," he adds.
Graeme Stevens, an information technology specialist teacher at Swans International Sierra Blanca in Málaga, Spain, teaches the HHS course to his senior students. Students are asked to sign a code of conduct before participating, and violations are prosecuted. Stevens has been pleased by the way students have taken to the idea that there’s bad hacking and good hacking. He says he finds that "many of them are quite outspoken against illegal hacking. In fact, they are almost evangelical about it!"
Eric Brown, a teacher who has integrated the HHS curriculum into his computer basics classes at Keokuk High School, in Iowa, believes that teaching ethical hacking is not a threat. "It shouldn’t matter if a student figures out they can telnet to port 25 on the mail server and tell what mail server is running there, or how to wget a file from their home network share," Brown says—these are examples of things that the kids were doing anyway.
"It has given them ideas and things to look out for at home and also on to their careers," says Gerard MacManus, a computer science instructor at Papatoetoe High School, in Papatoetoe, New Zealand. "It has also given them an awareness of their legal and moral responsibilities. Plus, they also like the fact that when you say ‘Hacker High School’ really fast it sounds like ‘hack a high school.’"
Calling the program Hacker High School has proved controversial. Brown, the teacher in Iowa, recalls that his principal’s eyes "shot wide open" when he told him the name of the curriculum.
"Some schools in America don’t want to do it because of the name," Herzog says, "but without the name, who can you attract?"
About the Author
David Kushner is an IEEE Spectrum contributing editor who also writes for Wired, Rolling Stone, and Mother Jones. He’s the author of the bestselling book Masters of Doom: How Two Guys Created an Empire and Transformed Pop Culture.
To Probe Further
Where does Hacker High School belong on IEEE Spectrum’s hacker matrix?