How to raise a white hat hacker
My son hacked his first device when听he was 6 years old. He discovered an exploit in my iPad that let him bypass parental controls and听refill the tablet with games that I had deleted.听
In about four years since then, he's become something of a hacker听phenom. He tricked his grandmother into revealing the PlayStation password by impersonating his dad via text messages. He's defeated the parental lock on the TV by guessing the password. He's purchased听$600 worth of Garfield books by accessing Amazon from a logged-in computer. He's听circumvented the time limits on his screen time by changing his computer's clock at the end of each gaming session. He even completely locked out his grandmother from her iPhone by replacing her thumbprint with his own.
In fact, it's听rare that a week goes by without my husband or me refining some aspect of the complex set of parental restrictions, network filters, and physical locks that keep my son from spending 24 hours a day playing video games.
It鈥檚 easy to get upset over his behavior 鈥撎齛nd I often do. It's easy for kids like him to get into serious trouble.听From Reddit to the Dark Web, there鈥檚 no shortage of advice on how to do everything from short-circuiting parental cellphone monitoring to setting up and deploying malicious software.
But instead of always punishing or discouraging my son's hacking pursuits, we have tried to find creative ways of encouraging them in hopes of听channeling that tech ingenuity toward positive ends. Hopefully, that way he'll develop his skills and potential without getting sucked into the temptations of mischief or crime.听After all, his skills and tech听curiosity听can easily听be听applied to good,听and the听world desperately needs more听鈥渨hite hat鈥澨齩r ethical hackers who can root out security flaws to make the Internet safer.
The hacker way
The security industry today is full of professionals听who started听testing the bounds of technology when they were kids. But they grew up in the dark days before the user-friendly Internet. Techie children had听to learn to code in order to do anything interesting with a computer.听Kids who tired of the safe confines of the local electronic bulletin board could use those coding skills to hack their way into other, closed virtual spaces. It didn鈥檛 take malicious intention to become a hacker, just curiosity.
鈥淏efore the ubiquitous Internet, finding kindred hacker spirits was very difficult,鈥 recalls Sabino Marquez, an information risk strategist. "If you had a modem in the mid-to-late 80s, you could dial into bulletin board systems around the world and try to meet new hacker friends that way. That's how I learned the craft of hacking."
In contrast, today's kids have a staggering array of options to scratch their tech itch. They have their own starter smartphones and kid-optimized tablets. They have games and toys that teach them to code, and code-free environments that let them create their own video games. They have walled gardens that let them experiment with social media before they're old enough to join Facebook, and their own guidebooks for using Facebook and Instagram once they reach the glorious age of 13. There's no longer any need to hack your way into the wide world of online information or the global community of Internet geeks, because it's all as close as your computer or phone.
Even in this world of online abundance, however, there are some kids who still show that hacker inclination to push the limits of technology, curiosity, and parental indulgence. These are the kids, like my son, who somehow find a way to get back into the devices their parents have locked them out of, or discover the dark mysteries of 4chan while they're still in middle school.
They may well be the children who are most likely to grow up to be white hat hackers, but they're also the kids who are most likely to run afoul of federal computer laws before they finish high school.
Steering them in the right direction听begins with the basics: ensuring kids know how to code. Apps such as听听补苍诲听听can teach the fundamentals of programming logic to preschoolers; when kids get a little older, you can introduce them to听, a visual programming language designed for kids. For avid Minecrafters, learning to build your own Minecraft mods may be the most appealing entry point into programming, and can help kids get into Javascript. From there, resources such as听听辞谤听听can help kids transition into learning programming languages and building their own apps.
Rewarding clever kids听
Encouraging kids' tech ingenuity isn't just about technical skills, however. It's also about cultivating an attitude. Young people may grow up glued to their computers and smartphones, but most of them simply use the devices, sites, and software that other people have built for them. That's the antithesis of what tech journalist Steven Levy described as the hacker's "hands-on imperative" 鈥 an ideological and practical commitment to opening up, tinkering with, and understanding the technologies we use.
To raise a hacker, you need to get your kid鈥檚 hands dirty, and teach them to take apart or build their own tools instead of just accepting technology as-is.
John Adams, the head of information security at Bolt.com and former security team lead for Twitter, recommends asking kids to think critically about the technology they're already using by saying something like,听"Great,听you听can听send听a听text听message.听How听do听you听think听that听works?"
If your kid makes up an听answer (as my son is prone to do), probe them to dig deeper, so they learn to approach tech problems using the scientific method. Mr. Adams suggests saying: "You think that's true, let's test it."
Since it's now easier to buy than to build most technologies, you may have to introduce some artificial constraints on your kid鈥檚 tech access if you want to unleash their inner hacker. Offer to buy a build-your-own-computer kit听instead of a pre-fab Windows box. Tell them they can have that blog they've been asking for, but only if they set it up from scratch (and make them start with an actual hand-coded HTML page).
I gave in to my son's relentless nagging for a Minecraft server (which lets him host multiplayer games) but only once he agreed to spend a day reading up on server configuration and setting up a server ourselves, using an old Mac. Solve your kid's crashing computer, and you've fixed it for a week. Teach your child to google her own solution, and you鈥檝e got her started on a lifelong path of DIY tech support.
Once you've let the hacker genie out of the bottle, however, you need to make sure your child understands the difference between white hack and black hat (the bad guys). That begins with a conversation:听My little hacker听summarizes what he鈥檚 learned by saying, 鈥淎 black hat hacker hacks for his own profit without telling anybody.听A white hack hacker tells people about it, and gets paid by people to do that."
Of course, there鈥檚 a difference between knowing the path, and walking the path. So what do you do if your little hacker decides that white-hat life is getting dull, and wants to experience the excitement of breaking into something forbidden?
"That's very, very cut and dried now," Adams says. "You're听not听allowed听to听penetration听test听anyone's听system听without听permission. Can听you听discover听flaws听in听something?听Sure.听Can听you听penetration听test? No."听
Adams offers an analogy your kids may relate to. "It's听like听lockpicking," he says. "We听teach听people听not听to听pick听a听lock听they听don't听own."
Penetration test your home
To help your child internalize the idea that you should only test systems you've got permission to test, give them permission to test your own devices and networks. You may want to place your work computer out-of-bounds, but otherwise, give your child a standing invitation to find gaps in your parental restrictions or password protections. Along with that invitation, introduce the idea that it鈥檚 a hacker鈥檚 job to report any vulnerabilities they might uncover.
When your child finds a way around your parental controls, praise her cleverness, and show her how to document her discovery in a blog post or an error report to the company behind the tech.
If there鈥檚 any reluctance to report these discoveries 鈥 after all, who doesn鈥檛 like having backdoor access to the family computer? 鈥 you could follow the standard industry practice of offering a bounty for any vulnerability a hacker uncovers.
Our kids can now get an extra 45 minutes of video game time if they find a gap in any of our parental restrictions, which they can report through a Google Form we set up. While this doesn鈥檛 stop our son from occasionally 鈥渇orgetting鈥 to tell us that he鈥檚 found a new way to access his favorite online games, it has reduced the typical lag between when our son finds a gap in the system, and when we鈥檙e able to close it.
Hacker mentors
Perhaps the best way to encourage your kids to pursue white hat hacking 鈥 and to stay away from black hat activities 鈥 is to introduce them听to听programmers, engineers, and security professionals. The ideal folks are those who make a tech career sound exciting, and ideally, can play some role in mentoring your baby hacker.
In my son鈥檚 case, that role has been played by Mr. Marquez, the security strategist. The two of them have bonded over their shared love of video games and their shared hatred of vegetables, and our son now sees our info security pal as a model for what he鈥檇 like to do when he grows up. "Hacker kids are not like other kids," says Marquez. "You really have to cater to their sense of curiosity while simultaneously instilling iron-clad ethics to ensure that they do no evil."
Introducing a child to the skills, mindset, and people of the white hat hacking world is no guarantee that he or she will grow up to be an information security professional, of course. Many of these kids will grow up to be software developers, system administrators,听or game designers, or even 鈥撎gasp!听鈥 pursue careers entirely outside of the tech world.
But wherever they land in the adult world, their tech skills and security smarts will not only ensure that they use the Internet responsibly, but will help them become constructive contributors to a security and privacy-aware online culture.
听
