MESSAGE
| DATE | 2003-06-04 |
| FROM | From: "Inker, Evan"
|
| SUBJECT | Subject: [hangout] Enlisting the Young as White-Hat Hackers
|
Can anyone explain in any real sense why Maine provides so well for its
Students yet in NY, you don't even have Internet Access in all schools yet
or an adequate number of PC's?
Enlisting the Young as White-Hat Hackers
By JULIE FLAHERTY
ESTBROOK, Me. -- ON a Wednesday evening, in an office suite appointed with
Pentium II's and little else, 10 teenagers were doing Andrew Robinson's
bidding. Fortified by pizza and soda, they studied a computer system's
weaknesses, looking for ways to break in and steal information. Mr. Robinson
urged them on, like a modern-day Fagin goading his band of pickpockets.
Mr. Robinson, 38, who runs a small information security company in nearby
Portland, had less-than-nefarious plans in mind, however. His free
after-school program is intended to teach teenagers the basics of ethical
hacking, or protecting a company's computer system from attack by learning
how to attack it yourself.
The program, called Tiger Team, named for the professional consultants who
analyze system security risk, teaches young hackers to use their skills for
good instead of evil. Working as two teams, the teenagers play a virtual
game of capture the flag, trying to crack the other team's network and do
damage while defending their own. An honor code keeps them from creating
mischief outside their labs.
Mr. Robinson got the idea for this "information security sandbox" three
years ago at a job fair, where he met a teenager who had been arrested for
low-level hacking. Mr. Robinson saw his setbacks as a waste, considering the
constant demand for information security professionals. So he created a
nonprofit organization, the Information Security Foundation, dedicated to
educating the public about information security. Its pilot project, Tiger
Team, began last month.
"Here's how you can do this legally, within a moral and ethical framework,
and make a good amount of money doing it," Mr. Robinson said. "It fills the
need of the companies, and more and more since 9/11, it fills the need of
the country for cybersecurity."
It could also fill a need for the state of Maine, which loses many of its
skilled young people to jobs in other states. Mr. Robinson estimated that
someone with five years of experience in information security could command
a salary of $70,000 to $90,000 here.
"That's in the top 1 percent of wage earners in the state," he said. "For at
least a few hundred kids, perhaps we can provide an alternative to leaving.
They can do this from their homes, and a lot of people do."
Finding participants was easy. About 50 teenagers from southern Maine
contacted Mr. Robinson after reading about his idea in the local newspapers.
More than a third said they had done something that could be construed as
hacking.
"There were a couple who refused to answer the question about whether they
had been in trouble for it," Mr. Robinson said. "I think most of that was
just bravado."
He doubts he will convert anyone truly attracted to hacking's antisocial
side. "Somebody who was sort of the Elite Hackzor, or whatever you want to
call it, would probably not have applied for this program." he said. "If
they were already in the dark side, they would probably not come here."
The teenagers, boys who average about 16 years in age, do wield some power.
All were required to have experience configuring different kinds of
operating systems, including a Mac or Unix-based one, and writing computer
programs.
"They weren't script kiddies," Mr. Robinson said, referring to system
crackers who wage attacks with programs written by savvier coders, often
without understanding them. "They have all the skills that they need to
cause trouble, and some of them may have even started doing some of those
things just for fun."
The most serious breaches the applicants confessed to were outwitting a Web
site's access controls to view content that they shouldn't have. "You can
use your imagination for what that might be for, in this case, all teenage
boys," Mr. Robinson said.
In the second week of the seven-week program, the students sat patiently
through two presentations on the business side of information security, from
creating a risk assessment to securing management support. But the third
speaker had trouble getting through his talk on finding a system's
weaknesses because the students interrupted with questions.
"We put the interesting things last," said Justin Smith, 27, a Tiger Team
volunteer and a network analyst in Mr. Robinson's company, NMI InfoSecurity
Solutions. Mr. Smith said the students had performed so well that the
instructors had to accelerate the instruction.
"I kept saying that we were going to have a hard time staying ahead of these
guys," he said. (Indeed, they were bright enough to cajole Mr. Robinson into
ordering them pizza.)
Between lectures, the two teams zipped off to their separate lab rooms,
where competition was already building.
"There's been a little bit of window spying," said Tristan Fisher, 18.
Perhaps some shifty scouting technique employing Microsoft Windows?
Not quite.
"We're on the first floor," Mr. Fisher said, pulling aside the blinds to
reveal the parking lot. "Every now and then we'll see someone walk over to
our window and peek in."
An unclosed lab door is also fair game. Mr. Robinson, who is careful to turn
all important paperwork on his desk face down before receiving visitors,
teaches students that not all hacking is done electronically.
Scott Anderson, 18, a high school senior, is giving serious thought to going
into the information security profession. "This is probably the only link I
have to getting a job when I graduate," he said, adding that he had barely
passing grades.
Good grades are not a requirement for the program. Mr. Robinson, who related
that he himself had excellent standardized test scores but poor grades, said
he empathized with students who say they are bored with school. It was not
until an uncle who taught computer science at the University of Maine got
him into some college-level classes, he said, that he saw his own future
open up.
Bill Seretta thought the program was just right for his son Will, a
10th-grader with computer inclinations and "grades all over the map."
"If he didn't have to go to school he wouldn't," Mr. Seretta said. "The
structure doesn't interest him."
Although all the participants count computing as a hobby, Mr. Seretta
considers the format - hands on, fast-paced - more important than the
subject. "This is about learning and not technology," he said.
The office space, the computers and the Internet connection have all been
donated, mostly by banks and other organizations that recognize the need for
information security. But Mr. Robinson met with some initial qualms.
"Some of them grilled us pretty heavily on the concept of, 'Well, aren't you
training hackers?' " he said. "I go, yeah. I have a black belt in martial
arts. If I wanted to be a bad guy, I could go and hurt people. But I don't
do it. That's not the emphasis of the program."
The students are getting a good dose of ethics along with some sobering
words about legal repercussions. Scheduled guest speakers include a lawyer
and a police officer, and Mr. Robinson is hoping to recruit a speaker from
the Federal Bureau of Investigation.
"Yes, we are teaching them to be hackers," he said, "but wouldn't you rather
have them on your side?"
****************************************************************************
This message contains confidential information and is intended only
for the individual or entity named. If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is
regulated or licensed in those jurisdictions as required.
****************************************************************************
____________________________
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc
|
|
