15 under 15: Rising stars in cybersecurity
Story by Sara Sorcher and photos and videos by Ann Hermes.
To see the project in its聽original form, visit projects.csmonitor.com/hackerkids
Kids born after the year 2000 have never lived a day without the internet. Everything in their lives is captured in silicon chips and chronicled on Facebook. Algorithms track how quickly they complete their homework; their text message confessions and #selfies are whisked to the cloud.
Yet the massive digital ecosystem they inherited is fragile, broken, and unsafe. Built without security in mind, it鈥檚 constructed on faulty code: From major companies such as Yahoo to the US government, breaches of highly sensitive or personal files have become commonplace. The insecurity of the internet is injecting itself into presidential politics ahead of the November election. In the not too distant future, digital attacks may set off the next war.
As they brace for an even more connected future, there鈥檚 a growing community of kids dedicated to fighting off the threat of cyberattacks.
海角大神's Passcode traveled across the country to meet 15 of these rising stars who are under 15 years old. They are part of a new generation of tinkerers and boundary pushers 鈥 many still lugging school backpacks and wearing braces 鈥 who are mastering the numerical codes that underpin the digital world. But they aren鈥檛 trying to break the internet. They鈥檙e trying to put it together more securely.
They are hunting software bugs, protecting school networks, and helping to safeguard electrical grids. They are entrepreneurs and community organizers bringing kids together to hack ethically. Unlike previous generations of hackers who were considered outlaws and deviants, these kids are now accepted by society and encouraged by adults.
After all, adults who laid the internet鈥檚 insecure foundation, have so far been unable to patch the security holes or stem the tide of cybercrime.
鈥淭here are smart, serious people thinking long and hard about these problems 鈥 and we don鈥檛 have the solutions we need,鈥漵ays Stephen Cobb, a senior security researcher at cybersecurity firm ESET, who coorganizes a Cyber Boot Camp for teens. 鈥淚 personally have to place a lot of hope and faith into the next generation. It鈥檚 the idealism of youth which may inspire alternative approaches to design and deployment of digital technology.鈥
As they work to fashion a better digital future, these wunderkindsare upending the longstanding cultural stereotypes that all young hackers are white, male, mischief-makers, prank-players and lawbreakers.
These are their stories.
CyFi
By day, the soft-spoken 15-year-old wears torn jeans and Converse sneakers to her experimental high school focused on technology in Silicon Valley. She鈥檚 an avid skier and sailor and carries her two-foot-long pet snake, a rosy boa named Calcifer, almost everywhere she goes.聽
But she has a secret identity: CyFi is one of the most prominent young hackers in the country.
To keep her alter-ego a mystery, CyFi refuses to reveal her real name when discussing her security research. She wears sunglasses to make it harder for people (or facial recognition algorithms) to recognize her features when she鈥檚 photographed. 鈥淵ou know how superheroes go by their superhero names, like Superman and stuff? It鈥檚 good to have a hacker name,鈥 CyFi says, 鈥渟o the villains don鈥檛 know how to get you.鈥
CyFi is not just hiding from nosy classmates or teachers. She鈥檚 responsible for the disclosure of security weaknesses in hundreds of products, from mobile apps to smart TVs, and worries companies might want to sue her for investigating mistakes in their code. Well aware of the Web鈥檚 dangers 鈥 digital thieves raided the database of the hospital where she was born and used her Social Security number and other information to buy a house and car under her real name 鈥 CyFi feels a personal responsibility to repair any digital security holes she discovers.
鈥淎s the internet gets even more connected to our homes and our schools and our education and everything, there鈥檚 going to be a ton more vulnerabilities,鈥 she says. 鈥淥ur generation has a responsibility to make the internet safer and better.鈥
CyFi first made headlines in the tech press at 10 for hacking Smurfs鈥 Village, an app that let kids to create their own virtual farms. She was giddy when she figured out a way to make her digital corn and berries flourish instantaneously 鈥 skirting payments and long wait times 鈥 by, essentially, fast-forwarding the time on her iPad.
CyFi鈥檚 mom, who works in the cybersecurity industry, walked in on her teaching a group of slack-jawed tweens how to break into their favorite games. Turns out, CyFi had unearthed a new class of previously undisclosed security weaknesses, otherwise known as zero days, spanning across all mobile devices. Criminals, CyFi鈥檚 mom explained, could take advantage of the app鈥檚 automatic trust of the device鈥檚 clock 鈥 a mistake most experienced developers wouldn鈥檛 make 鈥 to replace the time code with a malicious program to run on the app鈥檚 servers.
So CyFi emailed the companies that made the insecure games in hopes they would find a fix for her 鈥淭ime Traveler鈥 bug. 鈥淎t first, I was a little bummed my favorite apps did fix it and I couldn鈥檛 cheat,鈥 CyFi says. 鈥淏ut I thought, 鈥榠t鈥檚 OK, because I am making the internet safer.鈥欌
Instead of teaching her friends to cheat games for their own fun, CyFi took her talents to the vaunted DEF CON hacker conference in Las Vegas. She cofounded what鈥檚 now known as , a hub for ethical hacking workshops for kids, in 2011. With CyFi鈥檚 guidance, the 100 kids who came that first year banded together to discover 40 more vulnerabilities in mobile apps. The next year, they found 180. And CyFi led the charge to disclose these potentially dangerous security flaws to the companies, an effort that earned her a medal on stage in 2013 from Gen. Keith Alexander, the then-commander of the National Security Agency.
Today, as adults at DEF CON break into everything from ATMs to flying drones, r00tz is a 鈥渟afe playground where they can learn the basics of hacking without getting themselves into trouble,鈥 CyFi says.
It鈥檚 grown into a veritable security conference, drawing roughly 600 kids this summer in Las Vegas, with a nearly even split of girls and boys. This year at DEF CON, parents lined up each morning during the three-day event waiting to drop their kids off. There, they rip apart smartphones, laptops and other gadgets at the 鈥渏unkyard鈥 to learn how they work.
They solder hardware, wearing protective goggles to guard their eyes from the flames. They scramble to pick locks, learn cryptography and simulate how they would defend against a real-world cyberattack.
At r00tz, researchers will even set up the devices for the kids to try and hack. Breaking into one of Samsung鈥檚 newest smart TVs in a bounty program set up there when she was 12, CyFi says, 鈥渨as a really important moment for me.鈥
She entered a string of code that turned on the device鈥檚 camera, which exposed the possibility of an electronic intruder spying on people as they sat on the couch watching 鈥淕ame of Thrones.鈥 Samsung awarded her $1,000 for the bug. 鈥淚 think bug bounty programs are really important,鈥 she says, 鈥渂ecause it eliminates that worry of, oh, is this company going to be really mad about me poking around in their system?鈥
R00tz has become so big that it鈥檚 drawing corporate sponsors such as AT&T, AllClearID, Adobe and Facebook, and attracting volunteers from major tech companies. And to ensure the kids鈥 only hack for good, there鈥檚 a strict honor code: 鈥淭he Internet is a small place. Word gets around, fast. Follow these rules at all times: Only hack things you own. Do not hack anything you rely on. Respect the rights of others. Know the law, the possible risk, and the consequences for breaking it.鈥 That鈥檚 paired with encouragement. 鈥淩00tz is about creating a better world. You have the power and responsibility to do so. Now go do it!鈥 the code says. 鈥淲e are here to help.鈥
CyFi is already making a shopping list for next summer鈥檚 contests. She is budgeting for an array of internet-connected home devices, including speakers, toys, locks, security cameras, and even cooking devices for her army of kid hackers.
Shocked by the variety of connected devices her friends and their parents are bringing into their homes without considering their data security, CyFi wants to be an architect when she grows up and 鈥渋ntegrate the Internet of Things into houses, but securely,鈥 she says. 鈥淲hether it鈥檚 your blender or your oven or even feeding your dog, [our homes are] going to keep getting integrated.鈥
Kristoffer
Born in 2008, the year Apple launched its App Store, Kristoffer Von Hassel swiped before he walked. By age 2, a time when most kids are still in diapers, he had bypassed the 鈥渢oddler lock鈥 on his parents鈥 Android phone.
Then, at 5, young Kristoffer discovered how to outwit the parental controls on his dad鈥檚 XBox One, meant to keep him from playing violent video games like Call of Duty. With a few keystrokes, he figured out how to break in. 鈥淚 was desperate to get into games which I wasn鈥檛 allowed to play,鈥 recalls Kristoffer, now 8, from his San Diego apartment, holding a slice of pizza as an after-school snack.
It wasn鈥檛 a trivial discovery, either. Kristoffer, who looks (perhaps deceptively) innocent with his curly blond hair and board shorts, had uncovered a serious security loophole. When he found out, his dad Robert Davies, who works as computer systems engineer, laid out two options: They could expose the flaw on YouTube to alert everyone else to the secret way in, or reveal it to Microsoft, which makes the XBox.
Mr. Davies recalled their talk on a recent September afternoon, the sound of the ocean across the street filling the living room. Kristoffer thought about it, he said, and asked what would happen if bad guys learned about the workaround. 鈥淪omebody could steal an XBox and use your bug to get onto it,鈥 Davies told him. 鈥淗e said, 鈥極h no, we can鈥檛 have that, we鈥檝e got to tell Microsoft.鈥欌
Davies says he personally leans the other way, towards what鈥檚 known as the 鈥渇ull disclosure鈥 approach: making the bug report open to the public and letting the chips fall. 鈥淪o it鈥檚 interesting to see my son take the stark opposite approach, of working with the vendor.鈥
Microsoft fixed the flaw within a week. And Kristoffer became known as the world鈥檚 youngest hacker, when he made the company鈥檚 list of security researchers who found dangerous vulnerabilities in Microsoft鈥檚 products. 鈥淲hen I jammed the buttons I probably saved Microsoft鈥檚 b-u-t-t,鈥 he says from his bedroom, filled with space posters and coding books.
鈥淭hank goodness I found it, because it could have went into the wrong hands,鈥 he says. 鈥淚f hackers got control of all these internet-controlled devices, then we would really have no fun.鈥澛
Lately, Kristoffer says he鈥檚 been going after new targets, including tinkering with Roblox, an online gaming platform for kids. 鈥淚n my free time,鈥 he says, 鈥淚 like to go on YouTube and watch exploit videos.鈥
Reuben
Ever since Reuben Paul was in the first grade, he鈥檚 known what he wants to be when he grows up: 鈥淎 businessman by day, and a cyberspy by night.鈥
He鈥檚 not wasting any time. The lean, brown-eyed 5th grader from Pflugerville, Texas, is a chief executive officer at age 10 and is preparing for what he envisions as a life of adventure fending off America鈥檚 adversaries. Every weekend, Reuben, who is the country鈥檚 youngest second degree black belt in the Shaolin style of Kung Fu, practices his punches and kicks, and wields swords and daggers with fluid grace. While martial arts could be a bonus for any kind of future spy, Reuben is also sharpening his digital attacks and defenses. He has been learning to hack since he was 6 from his father, a former shark researcher-turned-computer security specialist.
As he earned international attention for his technical skills 鈥 speaking in front of audiences as large as 3,000 people from the GroundZero InfoSec Summit in Delhi, India to the RSA Conference in San Francisco - he had an epiphany. 鈥淚 thought, 鈥業鈥檓 learning about cybersecurity, but what about the kids that aren鈥檛 鈥 the ones that are getting hurt in the cyberworld, and aren鈥檛 safe and secure?鈥欌
So the ambitious kid with the nom-de-keyboard RAPst4r decided to blend his two passions 鈥 martial arts and cybersecurity 鈥 by founding a new nonprofit called CyberShaolin.
By creating an account on the website, kids can watch short educational videos and take quizzes as part of his 鈥淒igital Black Belt鈥 program. Reuben narrates the lessons on complex security topics using easy-to-understand analogies (one video, for instance, likens 鈥渢he crazy letters and numbers鈥 algorithms generate in cryptographic hashing to the mishmash of strawberry bits in a smoothie after a blender pulverizes the whole fruit).
Just like martial artists, beginners in Reuben鈥檚 program will start with white belts. 鈥淵ou鈥檒l learn simple things: What is the internet, what is security, what is a computer, basically,鈥 he says. Then, as the kids advance, they鈥檒l earn more belts as they learn about basic attacks 鈥 such as phishing or wireless intrusions. Then there are blocks and defenses, 鈥渙r, how to defend yourself using encryption and other types of things,鈥 he says. After every video, the kids will take a quiz to make sure they really learn the material. By black belt, Reuben says, 鈥測ou should know everything about security. You should be a security pro.鈥
Reuben鈥檚 family is already in talks with their local Texas school district about using some of the CyberShaolin videos in the curriculum. And cybersecurity company Kaspersky Lab is the organization鈥檚 first sponsor. Reuben鈥檚 family had considered making it a for-profit enterprise, but he insisted it should be a nonprofit. 鈥淲e were first thinking we would make [kids] pay for it, but then I said, 鈥楴o, education should be free for all kids to learn.鈥欌
Something of a renaissance kid, who also competes in gymnastics and plays drums and piano, Reuben is so busy he does his homework for Harmony School of Science in the car. But he still makes time for video games.
It鈥檚 that love of gaming that initially led Reuben to start his other company, Prudent Games, when he was 8.
With the motto 鈥淟earn while you play,鈥 Reuben makes apps that sell for up to $3 online. They include 鈥淐racker Proof,鈥 which he describes as 鈥渁 fun way to learn about strong passwords,鈥 and 鈥淐rack Me if You Can,鈥 in which players learn about brute force attacks where hackers can instruct a computer to enter every possible password until one is successful. 鈥淲e鈥檙e moving into an app generation,鈥 Reuben says, 鈥渁nd you must be aware of the dangers.鈥
Mira
Mira Modi is an entrepreneur working to make the world safer one password at a time.
The 12-year-old New Yorker learned about Diceware 鈥 a technique used to create truly random passwords by rolling dice 鈥 when her mother, Julia Angwin, a journalist who writes about surveillance and privacy at ProPublica, did research for her book 鈥.鈥
What started as a side hobby rolling dice for her mom鈥檚 friends in the summer of 2013 quickly turned into an enterprise so successful it left Mira鈥檚 wrists cramped. After word of made its way to news outlets such as Ars Technica and Mic.com, Mira鈥檚 business took off. She rolled dice at breakfast and while watching Harry Potter movies. She even had to quit Indian dance to make time.
The average person . But easy-to-remember passwords are also really easy to guess 鈥 or crack. 鈥淚f you were choosing your own password you鈥檇 probably associate it with something easy to remember, like, maybe your pet鈥檚 name,鈥 she says, 鈥渁nd that鈥檚 easier to guess than just random words.鈥
To create the Diceware passwords, Mira rolls a handful of five dice. She looks up each combination in a 60-page, printed Diceware dictionary in a binder she labeled 鈥渢op secret.鈥 There鈥檚 an assigned word that corresponds to every possible numeric permutation the dice can generate. A random roll yielding 52325, for instance, corresponds to the word 鈥渞ow鈥 in the Diceware dictionary.
The password she scrawls on a piece of paper for each customer is really more like a phrase, with the six words generated by the dice. Mira tells her clients to mix up the words with punctuation and capital letters to add extra security. She folds the passwords into envelopes and sends them in snail mail, which is, of course, much safer from hackers than sending an email.
Mira believes strong passwords are important but she admits that her security and privacy concerns are rare for her age group. Even her friends she鈥檚 plied with pizza to help with her dice-rolling refuse to take action. Some, she says, shaking her heard, even share their passwords on their social media accounts as a symbol of trust and friendship.
It鈥檚 clear her customers, though, are craving password security. She鈥檚 had nearly 2,000 orders. That would be a nice chunk of change for a kid 鈥 except, she realized, that after buying supplies like stamps, envelopes, and postage to places as far away as Spain and Tokyo, her margins thinned.
Plus, this small business owner is already learning the ways of the adult world: 鈥淭axes are the devil,鈥 she says, more than a bit grumpily.
Instead of flying her whole family to Harry Potter World as she鈥檇 hoped, the hyper-organized tween plowed her profits into a sticker-making machine and two planners to organize her business and school year.
And she鈥檚 already thinking about the future. 鈥淚 want to be a lawyer in computer tech,鈥 she says. 鈥淚 want to get a computer science degree so I can fight crime. There鈥檚 only, apparently, six lawyers in the world who have computer science and law degrees and none of them are women.鈥
Paul
The upstairs bedroom of 14-year-old Paul Vann doubles as the headquarters of his company, Vann Tech. Next to his bed is a laboratory jam-packed with devices designed to break into Wi-Fi networks, data analysis software, a computer loaded with advanced hacking tools and a 3-D printer.
Paul, who skipped a grade and is now a sophomore at Chancellor High School in Fredericksburg, Va., pads around his room in bare feet as he discusses his latest venture: a new startup that tests companies鈥 security. He wants to build a product that will give companies insight into the landscape of digital threats facing them 鈥 and create a visual display of the areas of their systems electronic intruders are targeting. 鈥淥nce I have the funding, I think we need a building and we definitely need more employees,鈥 says Paul, who talks 鈥 and thinks 鈥 at fiber optic speed. 鈥淚 can鈥檛 be the only one developing projects.鈥
On the side, he attends college courses in theoretical physics at the University of Mary Washington and takes free math classes online through the Massachusetts Institute of Technology 鈥 but he鈥檚 too young to get credit. The teen whose closet is chock-full of poster boards from science projects is also trying to build an 鈥渋nvisibility cloak鈥 like the one in the 鈥淗arry Potter鈥 books using theories rooted in acousto-optics.
Yet Paul, about to launch a round of grassroots fundraising for his company through Kickstarter this fall, laments one recurring problem in his foray into adult capitalism: getting grownups to take him seriously. 鈥淭hey don鈥檛 respect you as much as they would an adult,鈥 he says.
Paul got into hacking after reading a book by self-described 鈥渂reak-in artist鈥 Kevin Mitnick called 鈥淕host in the Wires.鈥 It chronicles Mr. Mitnick鈥檚 escapades in two decades of hacking, which famously included stealing proprietary code from companies and snooping on the National Security Agency鈥檚 phone calls in the 1980s and 鈥90s.
But, Paul complains, 鈥淭hey never talked about how he did it.鈥 So he downloaded online tools and started teaching himself through YouTube videos. 鈥淢y first thing I wanted to learn was Wi-Fi [hacking] 鈥 that鈥檚 the easiest way you can hack someone if you鈥檙e not with them.鈥
The tutorials were successful. Paul was excited to find out he鈥檇 learned how he could break into all the Wi-Fi networks in a 3 mile radius from his bedroom. But the Key Club volunteer who is almost an Eagle Scout also wanted to make sure he didn鈥檛 break any rules. He asked his neighbors when they were over for dinner if he could actually get into their home internet.
鈥淭hey said, 鈥楽ure, as long as you don鈥檛 do any damage,鈥欌 Paul says. As his parents and friends ate downstairs, Paul went to his bedroom laboratory. 鈥淚 was finally able to break into something without getting into trouble,鈥 he says.
Paul understands the consequences. 鈥淗acking is fun for me. If I were to have malicious intent, I could get in trouble for it and lose the privileges I have,鈥 he says. 鈥淚t鈥檚 really important you consider ethics before you try to break into another system 鈥 and you want to make sure whatever you鈥檙e doing is not going to harm that system. And whatever you do, tell the person.鈥
Paul moved on to bigger challenges. After attending a cybersecurity conference with his dad where he learned about honeypots, decoy computer systems designed to look like an attractive target for hackers, he designed his own digital trap. His honeypot was meant to look like an online portal National Security Agency employees could use to get into a government network. 鈥淚t鈥檚 almost like a trick,鈥 he says of honeypots. 鈥淲hen hackers are trying to break into it, they don鈥檛 know they鈥檙e being hacked back.鈥
The 12,000 intruders from all over the world 鈥 China, Russia and even within the US 鈥 likely didn鈥檛 know that a teen in Virginia could have stolen their files or data. But Paul didn鈥檛 want to do that. He just wanted to see who might be interested in targeting a seemingly vulnerable US government system 鈥 and how they would go about it. His honeypot taught him a valuable lesson for his company: 鈥淵ou can use that data [from honeypots] to help prevent those attacks from happening later,鈥 he says. He presented his findings last year to 200 people at DerbyCon, the largest southern information security conference.
After speaking there and at other cybersecurity conferences such as BSides Charm in Baltimore and Thotcon in Chicago, seven companies in cybersecurity, consulting and engineering fields approached Paul about internships. Too young to accept, he decided to launch his own research project: To track down the creator of the malicious software that allowed attackers to take down part of Ukraine鈥檚 power grid last December and turn off the lights for some 200,000 people. As policymakers and experts linked the BlackEnergy malware found on the infected systems to Russian hackers, Paul wanted to 鈥渇igure out exactly who is attacking.鈥
He used sophisticated data analysis tools to track the Internet Protocol (IP) address of the computers that used BlackEnergy malware in the attack in Ukraine, ultimately discovering codes and phrases embedded in them. He connected them to an alias for a person he says is wanted in many countries for fraud or cyberattacks but has never been publicly linked back to BlackEnergy.
Even though the suspect was using a virtual private network that showed his computer鈥檚 location as in the Netherlands, Paul used geolocation features from data mining tool Maltego to pinpoint what he believes is his true location in St. Petersburg, Russia. DerbyCon accepted his research for a talk this fall, but Paul says he was too busy with high school to make it.
Still, Paul says his digital sleuthing 鈥渃ould be important to the cybersecurity community because it could allow for the BlackEnergy malware to be better identified and understood, and it could also allow for others to prevent the team from attacking Ukraine鈥檚 energy sector again.鈥 If investigators were able to identify the suspect鈥檚 real name, he says, 鈥渨e could prevent the flow of malware throughout the black hat hacker community in Russia.鈥
Andrew
At Del Norte High School, in the residential community just north of downtown San Diego, there鈥檚 a lot of school pride, says Andrew Wang, 14. 鈥淒on鈥檛 flock on the hawk,鈥 he cautions, pointing to the school鈥檚 Nighthawk mascot emblazoned on sprawling school quad on which no superstitious student dares step foot. It鈥檚 not just sports stars and cheerleaders who get the attention. The flood of corporate money going into cybersecurity training programs for young people is helping morph hacking from what was once a fringe hobby into a team sport. 聽
Last year, when he was in eighth grade, Andrew captained the middle school team that beat out more than 460 others from across the country to win a popular national cyberdefense competition called . 鈥淓ven though I may look like a 鈥榥erd鈥 on the outside,鈥 says Andrew, laughing as he makes air quotes, 鈥減eople will at least acknowledge that I have that competitive spirit.鈥 Andrew, who plans to compete in the high school competition this year, is among 70 students in his district鈥檚 program. 鈥淓veryone wants to win.鈥
Organized by the Air Force Association, CyberPatriot tests the technical skills of tens of thousands of high school and middle school students with the goal of inspiring them to go into cybersecurity or other related technology and engineering fields. The Northrop Grumman Foundation 鈥 the philanthropic arm of the defense contractor 鈥 is the primary sponsor, and organizations such as Cisco, Facebook, Microsoft, and the Department of Homeland Security all contribute to the roughly $3 million a year it costs for the cyberdefense competitions, an elementary school education initiative, and dozens of cybersecurity summer camps. [Editor鈥檚 note: Northrop Grumman sponsors Passcode鈥檚 Security Culture section.]
Andrew and his team took on the role of IT professionals at a fake company and tried to keep its services running as attackers try to shut it down. It鈥檚 great real-world training, he says. 鈥淭here鈥檚 an actual red team attacking you,鈥 Andrew says. Winning 鈥渞eally depends on your ability to fix things on the fly.鈥
Andrew鈥檚 victory, though, meant more than heaping social media praise or even a gold medal. He learned the importance of cybersecurity at a very young age, when he made a dangerous mistake online. 聽鈥淲hen I was 8, I thought it would be a great idea to click a link from a random, unidentified sender,鈥 he recalls. That one click allowed a hacker to sabotage the family computer. 鈥淚 thought I had completely broken the system,鈥 he says, 鈥渁nd my parents were really mad at me, too.鈥
So Andrew taught himself how to use security tools to eliminate the virus. 鈥淲hen I fixed it, all that doubt and worry went away. And I thought, 鈥楳aybe computers aren鈥檛 as hard as I thought initially,鈥 he says. 鈥淜nowing I can protect myself makes me feel confident, and I know I can prevent infections from happening within the circle of my close friends and family.
With a cybersecurity workforce shortage estimated at 1 million jobs globally, Andrew says there is a new parity emerging in the tech world as adults realize they can鈥檛 solve all the problems themselves. 鈥淧eople who are experienced in this field,鈥 says Andrew, who hopes to one day develop a new method of encryption, 鈥渁re going to start being treated maybe not as kids, but as people who could change the future.鈥
Akul
During morning announcements, administrators at San Diego鈥檚 sprawling Del Norte High School will, every so often, instruct students to change their passwords.
For Akul Arora, 15, these loudspeakers were his rallying cry. 鈥淭here have been a lot of attacks on the school district,鈥 says the 15-year-old who honed his computer security skills training for the CyberPatriot competition and wanted to help out. He volunteered to help the school鈥檚 security pros over the summer and is finalizing a training program to teach the students and teachers about the dangers of phishing emails and viruses that 鈥渃ould get into a computer and ruin the entire district.
Each student has an account on the school鈥檚 network, says Akul, who sports big glasses and a trendy undercut hairstyle. And the attackers can get in largely because 鈥渟ome member of the network doesn鈥檛 know what they鈥檙e doing and they let something in.鈥
Akul is also expanding to teach kids at his former elementary school the basics, such as how to differentiate between secure and insecure websites. 鈥淲ithout dissing teachers at all, I think a lot of teachers are not very technology-centered. So I feel when they鈥檙e teaching technology, they鈥檙e just repeating what鈥檚 on a slide deck or materials given to them.鈥 That message, he says, will resonate more coming from him. 鈥淢y advantage with the students is that I鈥檓 of their generation and understand the problems they face in cybersecurity and that helps me connect with them better.鈥
As the internet started going mainstream back in the 鈥90s, there was a lot of fear and suspicion surrounding hackers. The general public, along with companies and law enforcement, didn鈥檛 really understand the difference between those seeking take down systems or steal data, and well-meaning researchers who were exploring systems to ultimately fix dangerous security problems. Many researchers feared they would be arrested.
But today, the idealism and civic-mindedness of kids like Akul appears to be helping change the outside perception that all hackers are dangerous. 鈥淲hen you introduce yourself and talk about cybersecurity, I think people think how cool and interesting it is,鈥 Akul says. 鈥淭he idea that everyone who is in cybersecurity wants to do hacking is overrated. You don鈥檛 have to think of everyone in cybersecurity as someone who wants to break into systems, but someone who wants to do something for the community.鈥
Kryptina
When Kryptina was 9, she became one of the world鈥檚 youngest users of bitcoin. She was also very likely the first girl to use the digital currency.
Her dad, who goes by his hacker name Tuxavant and is now a Las Vegas bitcoin consultant, was one of its earliest adopters. He was looking for a way to teach computer and finance skills to his young daughter, so they started mining bitcoin together.
In 2010, Tuxavant started giving Kryptina a bitcoin allowance. 鈥淚n the early days, it gave us a much more transparent view into what she was doing with her money,鈥 he says. 鈥淭here weren鈥檛 very many places she could spend it, so she would need to cash it out with us and we would know how she was spending it.鈥
When Kryptina wanted to buy 鈥渁 stick of gum or ice cream or something,鈥 Tuxavant says, 鈥渟he would spend me back some bitcoin and I would give her cash to go and buy whatever she wanted.鈥
At the time, one bitcoin was worth just six cents. Now that she鈥檚 15, it鈥檚 worth $635. 鈥淚 remember a story about a guy buying a pizza with 10,000 bitcoin,鈥 says Kryptina, who dyes her dark hair neon green and wears bright red lipstick. 鈥淚鈥檓 laughing because that would be worth so much right now, and he wasted it on a pizza.鈥
Today, bitcoin is much more popular: Tuxavant pays the bills for his office, landscaper and pool cleaner in bitcoin. Kryptina sets aside the electronic money for different financial goals, from her summer camp to saving up for a car. She even convinced her singing teacher to let her pay with bitcoin, which she loves so much she cowrote a song with her dad called 鈥溾 and sings it to the tune of Selena Gomez鈥檚 鈥淟ove you Like a Love Song.鈥
With more places to use bitcoin than ever before, their family allowance system has evolved, Tuxavant says, 鈥渋nto a convenience and security issue.鈥
Unlike stealing a credit card, where anyone who has the physical card can steal your money, no one can spend your bitcoin unless they have the secret digital code that鈥檚 known as a private key. But security is a big responsibility. If users don鈥檛 properly protect their private keys, digital thieves could steal them and spend their money. Think about it this way: If someone can see where you bury gold in your yard, Tuxavant says, they can dig it up when you go to work the next day.
So Kryptina is learning about data security to protect her money, and uses encryption to protect her private keys and makes backups of her data.
Even though her friends throw caution to the wind when it comes to their security 鈥 鈥渟ome people don鈥檛 even put passwords on their phones! My friends want to share their location of wherever they are,鈥 she laments 鈥 her own security precautions border on paranoid. She鈥檚 not just worried about bitcoin thieves but data brokers or other predators who might be able to track her down.
She only uses fake names online and wears sunglasses to make it harder for people and facial-recognition technology to find her. (She and her buddy CyFi, for instance, don鈥檛 even know each other鈥檚 real names, even though they see each other every summer at r00tz.) She changes the way she types on the web to make it harder for anyone who might be monitoring her online to recognize her speech patterns. And of course, she never connects to public Wi-Fi.
For his school science fair project, Evan Robertson didn鈥檛 even consider making a volcano. The sandy-haired kid wanted to try something more original, he says with a sly smile. 鈥淚 decided to test how many people care about their Wi-Fi security.鈥
Evan
The 11-year-old wearing a T-shirt that says 鈥渢his is what awesome looks like,鈥 exuded confidence from the at r00tz Asylum, where he presented his research this summer alongside the DEF CON hacking conference in Las Vegas.
Evan, who also performs in his elementary school choir and magic shows, used a Raspberry Pi 鈥 a small and affordable computer designed for people to learn programming 鈥 to create his own Wi-Fi hotspot. He hid the devices in grocery bags as he lurked in shops at local malls to test how many people would connect to a network just to get free internet connection.
To make his pop-up internet hotspot even less appealing for the masses, he wrote terms and conditions that, as he says 鈥渘o one in the universe should agree to.鈥 The terms explicitly said that anyone trying to connect to the network might have their data captured, changed, or redistributed however the administrator saw fit. They spelled out how that could include 鈥渞eading and responding to your emails, and bricking your device鈥 so it鈥檚 useless.
In case that wasn鈥檛 enough: 鈥淚f you are still reading this, you should definitely not connect to this network,鈥 the conditions said. 鈥淚t鈥檚 not radical, dude. Also we love cats. Have a good day.鈥
A total of 76 people connected. More than half - 40 people - accepted the terms and conditions. In a surprising twist, Evan says the percentage who accepted in a separate test at the BSides San Antonio security conference, where people are at least in theory more aware of the risks, was very similar.
Evan, who won first place for his experiment at his school鈥檚 science fair, went on to nab the gold at the Austin regional science fair and presented his research at BSides before going to r00tz. He learned a big lesson: 鈥淧eople would rather have free WiFi than a secure connection,鈥 he says. 鈥淧eople don鈥檛 read the terms and conditions 鈥 and security people do it just as much.鈥
Evan claims to be one of the rare few who do read notoriously long online terms and conditions in full and has tips for people who want to avoid becoming a victim of a network administrator with more malicious intent. Before you connect, Evan says, people should think about a few things: 鈥淲ho controls these [networks]? What are they doing with that information, and are they selling it or spying on you?鈥
Mollee
Mollee McDuff, 13, kicked off this summer鈥檚 r00tz Asylum with her popular talk about video game to give players more resources in the virtual worlds they create. She walked through strings of code on stage from behind her Macbook Pro with a sticker of the big-eared, purple Disney creature that was the inspiration for her hacker handle Stitch.
The girl with short hair wearing a hoodie and T-shirt that says 鈥淧eriodic Table of Minecraft,鈥 inspired the rapt kid-filled audience cheer as she proved her digital tricks could conjure up critical assets such as boats and mycelium. 鈥淭he possibilities are endless with programming,鈥 says Mollee, who鈥檚 from Colorado. She loves Minecraft, which is a 鈥渟andbox鈥 game that gives players the ability to create new worlds with mansions or palaces or other resources. But she loves making 鈥渕ods,鈥 or modifications, to make the games easier or harder, even more.
An avid gamer, she wants to create her own games when she grows up. 鈥淚 thought that its just a good way to get into programming because its pretty easy to do,鈥 she says. 鈥淚 figured, if I can get into this, then I can do bigger things later on.鈥 Still, she says, when tinkering with any systems, 鈥測ou have to be careful making sure it鈥檚 stuff that鈥檚 not malicious and you have to be doing it for good.鈥
Min and Isag
When Min Kim and Isag Kim (no relation) realized they were the only two students at their school who were signed up for CyberPatriot, the national cyberdefense competition, they never thought they had a shot at going very far. 鈥淚 just wanted to go to nationals since I would get to go to Baltimore and stay at the hotel and miss school for a week,鈥 says Min, 13, of last year鈥檚 middle school competition. 鈥淚 was just going all out for that. But I didn鈥檛 really think we would go. We only joked about it.鈥
Usually, teams have four or five students, but at Robert F. Kennedy Community Schools 鈥 part of the Los Angeles Unified School District 鈥 these two high academic achievers were the only ones who dared take on the challenge. 鈥淲e had to learn more and practice and study harder than anyone,鈥 Min says.
Her school-skipping fantasy came true. The duo made it to nationals, beating out some 460 teams from across the country to get there. It was an intense challenge. Min was literally running around the table, manning five computers running the Windows operating system and Isag was juggling three with Linux. They were trying to keep the services running at their mock company while a red team of attackers tried to break into their systems.
鈥淭hey [the attackers] would keep on leaving messages and we had to block them from logging us out of our computer,鈥 Min recalls. 鈥淲e were like, fighting them. When I first got hacked I was really scared and surprised because the mouse was moving, and I was yelling at Isag, 鈥業 got hacked!鈥 It was just going crazy.鈥
But it was also thrilling. The pair, who share a love for competition and Korean pop star G-Dragon, have known each other since third grade, and say it鈥檚 their bond together that helped them win the competition. Under pressure, Min says, 鈥測ou have to talk to each other about what鈥檚 going on. We just talked to each other naturally, since we were close.鈥 This was especially helpful, as Min says, 鈥渟ince we鈥檙e really shy around high schoolers or other middle schoolers most of the times.鈥
The competition also helped them build confidence. 鈥淕uys are meant to be energetic and more into adventure stuff and girls are kind of supposed to be like, princesses and very girly,鈥 says Isag, who is 14. 鈥淚t helps us know that girls can be just as good as boys.鈥
But this year, the program that manages the state-funded after school activities canceled the middle school CyberPatriot program, Min explains as she breaks into tears. Kids at their school aren鈥檛 joining the program, Isag adds, because they 鈥渄on鈥檛 like studying anything.鈥 But she believes it鈥檚 critical they start paying attention to these issues, even if it means more homework. 鈥淲hen you get hacked, you might not actually know [when] you have been hacked,鈥 Isag says. 鈥淚f you learn about cybersecurity, you鈥檒l know 鈥 and how to prevent it.鈥澛
Min and Isag can鈥檛 compete this year, but they are shadowing the high school鈥檚 CyberPatriot team and taking on side projects. Min, whose family is moving to Texas, hopes to work for a cybersecurity company one day before she runs her own. She is now working to get an online certification in security from the Computing Technology Industry Association (CompTIA), a nonprofit trade association, while Isag is researching Linux and learning to hack so she can 鈥減rotect the system better than any other people.鈥
If the program returns, Isag says, she has her eye on the prize. 鈥淚 would like to aim for first.鈥
Emmett
Emmett Brewer, who just turned 10 and goes by the online moniker p0wnyb0y, first got hooked on hacking competitions at r00tz Asylum two years ago when he won first place and a free Chromebook. As he began to plan this past summer鈥檚 sojourn to Las Vegas, the quiet but competitive kid from Austin who wears a striped polo shirt that matches his red and blue sneakers, was excited to learn Facebook had released its own open source , with the goal of making security education easier and more accessible.
So Emmett decided to about how to host these kinds of Capture the Flag competitions with friends. 鈥淚 thought it sounded fun, as everyone could play and you could learn stuff,鈥 says Evan, who has also contributed his own challenges to Facebook鈥檚 GitHub code-sharing repository. He gave step-by-step instructions for his 600-person audience at r00tz about how to set up the challenges. In order to win points, kids would have to find the answers to questions such as 鈥渨ho invented the internet,鈥 or complete tasks like converting text to binary code.
A fourth grader, Emmett is already proficient in using penetration testing tools such as Burp Suite or Reaver. 鈥淗acking is important to test out stuff and make sure it鈥檚 encrypted,鈥 he says. 鈥淚f you don鈥檛 have enough security, people can try to get in and mess around with your stuff.鈥 When he grows up, he wants to be 鈥渕aybe a penetration tester, because you try to hack the company you work for, and try to report those bugs.鈥
Blanca
Blanca Lombera, 15, had never considered a career in computers, until last year when she signed up for a cybersecurity and technology class on a whim.
Yet as an eighth grader at Lairon College Preparatory Academy, a public school where most students receive public assistance and learn English as a second language, computer security turned out to be a major source of inspiration.
Through the class taught by teacher Kathy Smith, who has led the charge to enroll her students in high-tech training programs that could elevate their job prospects down the line, Blanca attended a summer camp for hacker girls hosted by Facebook. She spoke on a panel for , an educational program at San Jose State University meant to guide middle school girls to look into computer science and cybersecurity and competed in CyberPatriot, the national cyberdefense competition. Students in Ms. Smith鈥檚 class learn to code at , learn JavaScript at Khan Academy, and audit online college courses such as 鈥淭he Ten Domains of Cybersecurity鈥 or 鈥淐omputer Science 101.鈥
Blanca, now a freshman at Andrew Hill High School, wants to go to college and then go into marketing at a tech company or be a software engineer. She would be the first in her family to do that. Born in Mexico, Blanca has lived in San Jose since she was 6. Her older siblings didn鈥檛 finish high school and her mom completed school until the 3rd grade. 鈥淭here are a lot of jobs [in cybersecurity],鈥 Blanca says. 鈥淐ompanies need people from other countries to fill them because they don鈥檛 have enough right here, and I鈥檓 living in Silicon Valley.鈥
Her career ambitions have kept her motivated despite the efforts of some kids to tear her down for earning recognition as a girl in tech. 鈥淭his kid was like, 鈥極h, you鈥檙e a woman. You can鈥檛 go into cybersecurity. That鈥檚 just for men,鈥 she recalls. 鈥淭hat hurt my feelings and I thought, 鈥極h, okay, I can鈥檛 do it.鈥欌
Then, she says, 鈥渁fter I walked away, I was like, 鈥榃hy do I have to listen to him? He鈥檚 not in security. He鈥檚 not in CyberPatriot. How can he know I can鈥檛 make it? It motivated me more to prove him wrong, and to show myself I am capable of many things, and you can鈥檛 let society define who you are. Nobody can tell you what to do.鈥
She also learned that nobody can tell her what not to do. When she discovered there weren鈥檛 any coding or cybersecurity classes or clubs when she got to high school, Blanca was really upset. 鈥淲e were looking forward to learning more things and be able to go on to a career in technology,鈥 she says. 鈥淚 heard [some kids] were thinking about creating a club but they were coding by hand because the school didn鈥檛 supply them with any computers.鈥
But Blanca didn鈥檛 let that stop her. She asked a high school teacher if she would be willing to coach a CyberPatriot team 鈥 just in time for the fall registration deadline.
Blanca鈥檚 team is all girls.
Matthew
The day that reps from Facebook and cybersecurity company FireEye came to his cybersecurity and tech class at Lairon College Preparatory Academy was a defining moment for Matthew Nguyen, 13. 鈥淭hey were really enjoying their jobs, so that made me think coding was fun,鈥 says the eighth grader in San Jose, Calif. 鈥淚 thought, 鈥業f they enjoy it, I can, too.鈥欌 With the goal of being a psychiatrist when he grows up, Matthew is already learning cybersecurity to better protect his future patients. 鈥淚f you were a doctor, or a psychiatrist, you鈥檇 want to keep your clients鈥 information secure,鈥 he says. 鈥淏ecause if their information were to leak out, then I鈥檇 be in huge trouble.鈥
He鈥檚 now an advocate for digital security in his school, teaching other students the lessons he鈥檚 learning. 鈥淭here are so many young kids who put themselves on the internet and they don鈥檛 know who is watching them. They just put things out there for anyone to see,鈥 he says. 鈥淟ike, anyone could easily find out where you live, whether you walk or drive home, and you could get kidnapped.鈥
Security, Matthew believes, is essential for all kids 鈥 not just those who plan to go into tech fields. Since almost every organization, from banks to retail stores, now relies on the internet and is customer information, the world will be safer if everyone understands the basics of security by the time they enter the workforce in a few years. 鈥淚f we don鈥檛 learn about cybersecurity,鈥 he wonders, 鈥渢hen who鈥檚 going to stop people from taking your information?鈥
Take action
One of our goals at Passcode, the 海角大神 Science Monitor鈥檚 digital security and privacy section, is to provide readers with pathways to take action and get involved.
So if you鈥檙e a kid 鈥 or parent 鈥 interested in learning more about digital security, here are some resources to get you started:
Summer ethical hacking workshops for kids in Las Vegas. A nonprofit cosponsored by the Wickr Foundation and tech companies is, according to its site, 鈥渁 place where kids learn white-hat hacking to better the world.鈥
A national cyberdefense competition for middle and high school students organized by the Air Force Association. There鈥檚 also an elementary school education initiative, and dozens of cybersecurity summer camps.
San Francisco-based book publisher with the goal 鈥渕ake computing accessible to technophile and novice alike.鈥 Also publishes books and games specifically for kids leaning to code.
A nonprofit with the vision that 鈥渆very student in every school should have the opportunity to learn computer science.鈥 Offers online courses including computer science fundamentals.
A web-based publication of almost all Massachusetts Institute of Technology course content.
: While its Certified Information Systems Security Professional () and Systems Security Certified Practitioner () certifications are geared more toward professionals, the group offers an Associate of (滨厂颁)虏 designation for those who pass the exam but don鈥檛 have the required work experience. They also offer and flashcards as a free resource and
Chicago-based organization 鈥渄edicated to bring the educational and communal benefits of white hat hacking conferences to children and young adults.鈥 Kids go for activities such as cryptography, coding, lock-picking, and other competitions in STEM and cybersecurity.
A cyberdefense competition open to all local high schools sponsored by the National Defense Industrial Association.
This multimedia project is part of Passcode鈥檚 security culture section. The goal of the Security Culture initiative is to empower people to understand the bigger picture of cybersecurity as it connects to some of the most personal parts of their lives: their job, their education, and the technology they use on a day-to-day basis. This initiative is generously supported by Northrop Grumman and (滨厂颁)虏.
