Hacking lessons for teens reduce security threats

In Hacker Highschool, students learn to redesign the future

An open card catalog
Image by : 

Subscribe now

Get the highlights in your inbox every week.

It might sound strange, but every industry and profession could benefit from an employee as creative, resourceful, and motivated as a hacker. Hackers can teach themselves how things work and how groups of things work together. Hackers know how to modify things—to adjust, personalize, and even improve them. And it is the hacker whose skillset is diverse, unique, and powerful enough to be dangerous in the hands of the wrong person. Enter ISECOMa non-profit, open source research group focused on next-generation security and professional security development and accreditationand its popular project, Hacker Highschool.

Studies have shown that an amateur in any particular field is most likely to entertain the self-delusion that he knows enough to master it. But once he gets some professional training, he begins to understand that learning is a continuous process and no one ever "knows it all." A similar but more targeted study by ISECOM and the United Nations UNICRI, called the Hacker Profiling Project, shows it's amateur hackers who do the most damage out of carelessness.

We know how important it is to show teen hackers how to gain knowledge and skills so as to move beyond the amateur level. We need to get teens to realize how small they are in the bigger world of hacking. We just need a way to do it responsibly. We figured if we could properly introduce the world of hacking to teenagers we could make them safer online, as well as open up new ways of thinking and the resourcefulness necessary to enhance any profession they find themselves in some day.

Hackers unite

Our main focus was to teach junior high and highschool students (and their teachers). The project became known as Hacker Highschool and now offers license-free, security and privacy awareness teaching materials that students can follow on their own without the need of extra instruction from professionals or teachers.

"Hack everything but harm none."
--Hacker Highschool v2 Lesson 1: Being a Hacker

We craft lessons to work with any free "live Linux" CD, which will boot off a PC with a CD-ROM drive, to perform the lessons. Additionally, we provide access to an Internet-based test lab built and maintained specifically for Hacker Highschool.

Here's the curriculum we provide teachers as a supplement to student course work or as part of after-school and club activities:

01 Being a Hacker
02 Basic Commands in Windows, Linux and OSX
03 Ports and Protocols
04 Services and Connections
05 System Identification
06 Malware
07 Attack Analysis
08 Digital Forensics
09 E-mail Security and Privacy
10 Web Security and Privacy
11 Passwords
12 Internet Legalities and Ethics
13 Cloud Computing
14 Databases
15 Document Grinding
16 Vulnerabilities and Exploits
17 Mobile Phones
18 Physical Security
19 Wireless Security
20 Social Engineering
21 Hacktivism

We began teaching it formally as lessons and workbooks to high school students, taking advantage of studies showing how teenagers learn and how hackers figure things out. The truth was, more and more teens were coming online but were unprepared for what was out there: scammers, malware, thieves, bullies, and unethical businesses. And some teens were already finding out how insecure things were by using hacking tools and tips disseminated by newsgroups, chat, and public websites.

So, while motivation for these teens to teach themselves was great, the information they got was inconsistent and often far from accurate. It was time to teach them the right way (or else they'd have a hard time reliably securing themselves in the future and probably end up doing more damage). We gave them a safe environment—a group of vulnerable servers on which to test their new knowledge without hurting anyone.

Build it and they will hack

Before Hacker Highschool, making hacking lesson plans wasn't exactly new. What was new was our method. In 2003 I approached Jaume Abella, the Director of Networking at La Salle University, Barcelona for help. He was a huge supporter of what we were doing with open source and provided the network space for us to build a closed set of test systems and some students to help us fill it. ISECOM bought three new PCs with fallback power supplies and five ethernet cards each to host the virtual servers, and set them up in an unused part of the Department of Networking office.

An Italian security company, @MediaService, run in part by the famous European hacker, Raoul Chiesa, had already helped with the OSSTMM and they were immediately drawn to this new project. And a Swiss company renowned for their technical hacking techniques, Dreamlab Inc., jumped in too. Between @MediaService, Dreamlab, and LaSalle, Barcelona, we had the know-how to make a solid test network.

While the test network was being developed, we found volunteers to write 12 lessons for the curriculum. Kim Truett was working with us at the time and she (along with her husband, Chuck, a professional writer) used their teen son as a test subject for the lessons while they did final edits. Marta Barceló, the co-founder of ISECOM, designed and packaged the lessons professionally, created a slick website for them, and by 2004 she published it all online, free and open source.

Additionally, "teaching hacking to kids" kicked up a bit of a media storm. Local TV stations as well as the BBC and Euronews sent camera crews. Radio Free America did a phone interview. The Italian newspaper Avvenire did a story for its popular Sunday insert magazine and even IEEE wrote about it in its magazine. We were overwhelmed with requests, but open source has the freedom to fix itself, so when we couldn't respond to these requests in a timely fashion, the community rerouted around us.

Parents keen on giving the lessons to their kids translated them and sent them back to us to share. Others volunteered to give support to teachers who were interested in the lessons but didn't know how to teach the class. Some put the lessons online with Moodle, offering the curriculum as a free class to teens, and other anonymous supporters re-packaged the lessons as single e-books, tweaking the content, dropping them in P2P file shares, and thankfully leaving the attribution. Then, forums popped up where teens shared how to get answers to the exercises.

La Salle, Barcelona even created a mobile computer lab, stocking a bus with computers to visit various schools. 

What the teachers learned

Our first goal with Hacker Highschool was to explain the mindset of a hacker to the teachers. It was a bit like teaching them to be gymnastic coaches. We explained that they needed to give their students the equipment and educate them about form, but that they'd have to expect their students to land back on that skinny beam by themselves. This was one of our toughest challenges, and somehow, we got it right the first time.

The next two goals were a bit more challenging. First, most teachers don't know enough about hacking to teach it on a technical level. And second, most school administrations thought we were playing with fire, or at least teaching aspiring arsonists how to start one. 

"Don't think you can just be a great hacker. Only by doing great hacks with great humility can you be great."
--Hacker Highschool v2 Lesson 1: Being a Hacker

Our methodology was solid right off the bat, so that’s where we began. We created a Contributor Guide that became required reading for all volunteers and teachers, underlining a valuable point for our students: hacking is not inherently bad/evil/dangerous but they do need to be careful. 

We also never use "evil hacker" or "bad guy" or similar terms in our explanations about various hacking activities because we want to avoid giving the teens an "us vs. them" feeling that makes them afraid to try anything. As we saw it, they're all hackers in training. And we make it clear that if they break the law they're criminals.

With these lessons we transport them to a more dangerous place but being a student of the Hacker Highschool curriculum is an exciting way to learn and improve on important life skills.

No hacker left behind

When we first asked the open source community for help back in 2003, the ISECOM project mailing list had about 1000 subscribers on it from around the world. I knew how powerful open source could be as I had created the Open Source Security Testing Methodology Manual (OSSTMM) just over two years before.

The OSSTMM had grown fast and received a lot of respect from security professionals, government officials, and even hackers. But now I was suggesting we start something some called "reckless" and most thought I wanted to teach kids to be criminal hackers.

Today, Hacker Highschool is still a dominant project and growing—currently reaching about 250,000 downloads per month. We are wrapping up the development of the second lesson plan revision and have some translators already porting the lessons into their own languages.

Meanwhile Glenn Norman, the Hacker Highschool project manager and an adjunct faculty member at the University of New Mexico and New Mexico State University, has begun to sling the project into a grown-up version called Hacker Night School so that anyone can learn a hacker's skillset. The whole project is alive with development as it encompasses many areas of research from psychology and sociology to technology and eduction. And all of the contributors are working together to engage young, clever, and curious minds.

Most of all, we're just having fun with it. I'm very proud to say that we're generating some of the greatest hackers of tomorrow—the ones who will redesign and re-invent the world, hacking their way into our future.


About the author

Pete Herzog - I am an avid Maker, Hacker, and Researcher. I teach my kids to hack, pick locks, look things up, and question authority. I'm also the co-founder of ISECOM (www.isecom.org) and as Managing Director am directly involved in all ISECOM projects. In 2000, I created the OSSTMM (www.osstmm.org) for security testing and analysis. I am still the lead developer of the OSSTMM but have also lead the...