In Hacker Highschool, students learn to redesign the future

Knowledge is power: A hacker's curriculum

It might sound strange, but every industry and profession could benefit from an employee as creative, resourceful, and motivated as a hacker. Hackers can teach themselves how things work and how groups of things work together. Hackers know how to modify things—to adjust, personalize, and even improve them. And it is the hacker whose skillset is diverse, unique, and powerful enough to be dangerous in the hands of the wrong person. Enter ISECOM, a non-profit, open source research group focused on next-generation security and professional security development and accreditation, and its popular project, Hacker Highschool.

Studies have shown that an amateur in any particular field is most likely to entertain the self-delusion that he knows enough to master it. But once he gets some professional training, he begins to understand that learning is a continuous process and no one ever "knows it all." A similar but more targeted study by ISECOM and the United Nations UNICRI, called the Hacker Profiling Project, shows it's amateur hackers who do the most damage out of carelessness.

We know how important it is to show teen hackers how to gain knowledge and skills so as to move beyond the amateur level. We need to get teens to realize how small they are in the bigger world of hacking. We just need a way to do it responsibly. We figured if we could properly introduce the world of hacking to teenagers we could make them safer online, as well as open up new ways of thinking and the resourcefulness necessary to enhance any profession they find themselves in some day.

Hackers unite

Our main focus was to teach junior high and highschool students (and their teachers). The project became known as Hacker Highschool and now offers license-free, security and privacy awareness teaching materials that students can follow on their own without the need of extra instruction from professionals or teachers.

"Hack everything but harm none."
--Hacker Highschool v2 Lesson 1: Being a Hacker

We craft lessons to work with any free "live Linux" CD, which will boot off a PC with a CD-ROM drive, to perform the lessons. Additionally, we provide access to an Internet-based test lab built and maintained specifically for Hacker Highschool.

Here's the curriculum we provide teachers as a supplement to student course work or as part of after-school and club activities:

01 Being a Hacker
02 Basic Commands in Windows, Linux and OSX
03 Ports and Protocols
04 Services and Connections
05 System Identification
06 Malware
07 Attack Analysis
08 Digital Forensics
09 E-mail Security and Privacy
10 Web Security and Privacy
11 Passwords
12 Internet Legalities and Ethics
13 Cloud Computing
14 Databases
15 Document Grinding
16 Vulnerabilities and Exploits
17 Mobile Phones
18 Physical Security
19 Wireless Security
20 Social Engineering
21 Hacktivism

We began teaching it formally as lessons and workbooks to high school students, taking advantage of studies showing how teenagers learn and how hackers figure things out. The truth was, more and more teens were coming online but were unprepared for what was out there: scammers, malware, thieves, bullies, and unethical businesses. And some teens were already finding out how insecure things were by using hacking tools and tips disseminated by newsgroups, chat, and public websites.

So, while motivation for these teens to teach themselves was great, the information they got was inconsistent and often far from accurate. It was time to teach them the right way (or else they'd have a hard time reliably securing themselves in the future and probably end up doing more damage). We gave them a safe environment—a group of vulnerable servers on which to test their new knowledge without hurting anyone.

Build it and they will hack

Before Hacker Highschool, making hacking lesson plans wasn't exactly new. What was new was our method. In 2003 I approached Jaume Abella, the Director of Networking at La Salle University, Barcelona for help. He was a huge supporter of what we were doing with open source and provided the network space for us to build a closed set of test systems and some students to help us fill it. ISECOM bought three new PCs with fallback power supplies and five ethernet cards each to host the virtual servers, and set them up in an unused part of the Department of Networking office.

An Italian security company, @MediaService, run in part by the famous European hacker, Raoul Chiesa, had already helped with the OSSTMM and they were immediately drawn to this new project. And a Swiss company renowned for their technical hacking techniques, Dreamlab Inc., jumped in too. Between @MediaService, Dreamlab, and LaSalle, Barcelona, we had the know-how to make a solid test network.

While the test network was being developed, we found volunteers to write 12 lessons for the curriculum. Kim Truett was working with us at the time and she (along with her husband, Chuck, a professional writer) used their teen son as a test subject for the lessons while they did final edits. Marta Barceló, the co-founder of ISECOM, designed and packaged the lessons professionally, created a slick website for them, and by 2004 she published it all online, free and open source.

Additionally, "teaching hacking to kids" kicked up a bit of a media storm. Local TV stations as well as the BBC and Euronews sent camera crews. Radio Free America did a phone interview. The Italian newspaper Avvenire did a story for its popular Sunday insert magazine and even IEEE wrote about it in its magazine. We were overwhelmed with requests, but open source has the freedom to fix itself, so when we couldn't respond to these requests in a timely fashion, the community rerouted around us.

Parents keen on giving the lessons to their kids translated them and sent them back to us to share. Others volunteered to give support to teachers who were interested in the lessons but didn't know how to teach the class. Some put the lessons online with Moodle, offering the curriculum as a free class to teens, and other anonymous supporters re-packaged the lessons as single e-books, tweaking the content, dropping them in P2P file shares, and thankfully leaving the attribution. Then, forums popped up where teens shared how to get answers to the exercises.

La Salle, Barcelona even created a mobile computer lab, stocking a bus with computers to visit various schools. 

What the teachers learned

Our first goal with Hacker Highschool was to explain the mindset of a hacker to the teachers. It was a bit like teaching them to be gymnastic coaches. We explained that they needed to give their students the equipment and educate them about form, but that they'd have to expect their students to land back on that skinny beam by themselves. This was one of our toughest challenges, and somehow, we got it right the first time.

The next two goals were a bit more challenging. First, most teachers don't know enough about hacking to teach it on a technical level. And second, most school administrations thought we were playing with fire, or at least teaching aspiring arsonists how to start one. 

"Don't think you can just be a great hacker. Only by doing great hacks with great humility can you be great."
--Hacker Highschool v2 Lesson 1: Being a Hacker

Our methodology was solid right off the bat, so that’s where we began. We created a Contributor Guide that became required reading for all volunteers and teachers, underlining a valuable point for our students: hacking is not inherently bad/evil/dangerous but they do need to be careful. 

We also never use "evil hacker" or "bad guy" or similar terms in our explanations about various hacking activities because we want to avoid giving the teens an "us vs. them" feeling that makes them afraid to try anything. As we saw it, they're all hackers in training. And we make it clear that if they break the law they're criminals.

With these lessons we transport them to a more dangerous place but being a student of the Hacker Highschool curriculum is an exciting way to learn and improve on important life skills.

No hacker left behind

When we first asked the open source community for help back in 2003, the ISECOM project mailing list had about 1000 subscribers on it from around the world. I knew how powerful open source could be as I had created the Open Source Security Testing Methodology Manual (OSSTMM) just over two years before.

The OSSTMM had grown fast and received a lot of respect from security professionals, government officials, and even hackers. But now I was suggesting we start something some called "reckless" and most thought I wanted to teach kids to be criminal hackers.

Today, Hacker Highschool is still a dominant project and growing—currently reaching about 250,000 downloads per month. We are wrapping up the development of the second lesson plan revision and have some translators already porting the lessons into their own languages.

Meanwhile Glenn Norman, the Hacker Highschool project manager and an adjunct faculty member at the University of New Mexico and New Mexico State University, has begun to sling the project into a grown-up version called Hacker Night School so that anyone can learn a hacker's skillset. The whole project is alive with development as it encompasses many areas of research from psychology and sociology to technology and education. And all of the contributors are working together to engage young, clever, and curious minds.

Most of all, we're just having fun with it. I'm very proud to say that we're generating some of the greatest hackers of tomorrow—the ones who will redesign and re-invent the world, hacking their way into our future.

Creative Commons License

10 Comments

isharacomix (Open Minded)

I can't believe I've never heard of this!

One of the things that really draws me to security was the way that topics in InfoSec are able to help motivate curiosity to learn about how the systems we take for granted really work. I would love to see how a computer science curriculum that uses security as its long-term motivator fares.

Many CSC courses use gaming or mobile development to motivate learning, but it feels like these subjects simply encourage results-based curiosity (how do I make the guy move to the right?). Security, on the other hand, encourages people to think about systems and implementations themselves, funneling the creativity and curiosity towards the subject of Computer Science.

peteherzog (Open Minded)

I completely agree with you! That's what I love about security/hacking as well. I think a lot of the comp sci and even the newer security-centered majors need to focus more on how things work and work together or else they're never going to "get it". Big software is written by many people using many pre-built code pieces and then tested for some security but mostly functionality. It takes a hacker to see the big picture and how all the pieces work (or fail) together under certain conditions.

Thanks for your comment and take a look at some of our other projects you probably never heard of either ;) The www.badpeopleproject.org is shaping up pretty well too!

Winged Gringo

HACKER NIGHT SCHOOL
I want to hack my way to the future. I figure I will be great because clearly, I have whacked my way through the past. When do I start?

peteherzog (Open Minded)

How much are you willing to help get the Night School going ;) We've got some really good people dedicated to HHS and they all will move to HNS when we're done. But that can still take a couple months until the last lesson is out. So the more people who help out the faster we'll have HNS ready. (As a side note, I'm sure the new HHS lessons will have things that will be new or interesting to you already as well.)

bbehrens (Open Source Sensei)

As everyone can see, our expert is here to answer your questions--so please don't be shy. And thanks, Pete!

Bilbo

Hi! I did some hacking in my twenties and now in my thirties I do more administration of people. But I still love hacking and in my spare time, I try to get myself updated but the update process is slow :) How can I help out and as well learn from your hacking school?

peteherzog (Open Minded)

Isn't managing people a kind of hacking ;) Sure, we can always use more help. Drop an e-mail to info@hackerhighschool.org and we'll get you set up to help with various lessons. I have to admit, with so much great info passing through the lessons it's impossible not to learn new things while reviewing and updating them.

gscarborough (Open Minded)

Pete - This is the first time I have heard of HHS and I wish it would have been around when I was that age. I work for the Rochester Institute of Technology and until just recently was the advisor for SPARSA (sparsa.org), a student club focused around security started shortly after 9/11. The club pre-exists the current security degree we now offer and I can tell you, there was a lot of trepidation at the thought of a hacker club on campus. I am happy to say that in 10 years we have only had one or two minor incidents (nothing even requiring punishment, just a warning to use better judgement). I have made sure that my students understand the consequences of having any kind of criminal record and the need for security clearances in this field. Are you using a distro like Damn Vulnerable Linux as targets in your test bed?

peteherzog (Open Minded)

I'm a big fan of RIT as I've seen a few great hackers come through your doors so I'd like to see collaboration with you. Our test bed is our own and now completely virtual and is an ongoing project at La Salle University, Barcelona, where it's housed. Every year it gets a bit more advanced as new students take on new challenges with it to improve it as part of their final projects. See http://proyectos.salleurl.edu/grado-telematica/lostproject/ I'm sure they'd love a collaboration and we can share what we've built and designed with you so we can have more people improving it: especially administration, accounting, portability, and performance. We are also partnering with a university in Lithuania as well so this could be an area of HHS that moves fast and grows large. After all, a versatile test bed is something everyone could use for trying anything before they go live, isn't it :) Contact me directly via e-mail and let's move things forward.

Don Watkins (Open Minded)

This is a great resource. Thank you so much for your work with this course. I've been teaching a technology awareness class for 7th graders for 3 years now and was looking for something with real value to add to the course. You've made my day today with "Hacker High School." You've proven that once again nothing beats open source. Great Work!!!!