The kids who might save the internet
Kristoffer Von Hassel could open smartphone apps before he could walk. By age 2, a time when most kids are still in diapers, he had bypassed the 鈥渢oddler lock鈥 on his parents鈥 Android phone. Then, at 5, young Kristoffer discovered how to outwit the parental controls on his father鈥檚 Xbox One, which were meant to keep him from playing violent video games such as Call of Duty.聽
It wasn鈥檛 a trivial discovery. He鈥檇 uncovered a serious security loophole in the game鈥檚 software. When his dad, Robert Davies, found out, he laid out two options: They could expose the flaw on YouTube to alert everyone else to the secret way in, or they could reveal it to Microsoft, which makes the Xbox.聽
Kristoffer thought about it and asked what bad guys would do if they learned about the workaround. 鈥淪omebody could steal an Xbox and use your bug to get on to it,鈥 Mr. Davies, a computer engineer, recalls telling him. 鈥淗e said, 鈥極h no, we can鈥檛 have that. We鈥檝e got to tell Microsoft.鈥 鈥
Microsoft fixed the flaw within a week. And Kristoffer became known as the world鈥檚 youngest hacker when he made the company鈥檚 list of security researchers who had found dangerous vulnerabilities in Microsoft鈥檚 products. 鈥淲hen I jammed the buttons, I probably saved Microsoft鈥檚 b-u-t-t,鈥 says Kristoffer, now 8, from his bedroom, which is filled with space posters and coding books, in the family鈥檚 San Diego apartment. 鈥淭hank goodness I found it, because it could have went into the wrong hands.鈥
Kristoffer is part of a new generation of wunderkinds, many of them lugging school backpacks and still wearing braces, that just might help save tomorrow鈥檚 internet. Idealistic and computer savvy, they are mastering the mysterious numerical codes that underpin the digital world in the hope of making the web a more secure place.
Today, everything in kids鈥 lives is captured in silicon chips and chronicled on Facebook. As tweens and teens, they effortlessly swap selfies on Snapchat and Instagram. Most would rather text than talk.
Yet the massive digital ecosystem they inherited is fragile, broken, and unsafe. Built without security in mind, it鈥檚 constructed on vulnerable code. As a result, malicious hackers are taking advantage. From Yahoo to the US government, breaches of highly sensitive or highly personal networks have become commonplace. Stolen celebrity photos are the new tabloid staple. The insecurity of the internet is injecting itself into presidential politics ahead of the November election. In the not too distant future, digital attacks may even set off the next war.
Adults, who laid the internet鈥檚 insecure foundation, have so far been unable to patch the security holes or stem the tide of cybercrime. 鈥淭here are smart, serious people thinking long and hard about these problems 鈥 and we don鈥檛 have the solutions we need,鈥 says Stephen Cobb, a senior researcher at the cybersecurity firm ESET, who helps organize a cybersecurity boot camp for kids each summer in San Diego. 鈥淚 personally have to place a lot of hope and faith into the next generation. They are more willing to challenge assumptions in technology than older people, who may feel things are established or difficult to change. It鈥檚 the idealism of youth which may inspire alternative approaches to design and deployment of digital technology.鈥
While Kristoffer鈥檚 discovery may have been the result of a bit of serendipity 鈥 and youthful mischievousness 鈥 there鈥檚 a whole community of brilliant young tinkerers intent on hacking the internet with the same exuberance. Only they aren鈥檛 trying to break the web. They鈥檙e trying to put it back together.
鈥淐yFi鈥 is a soft-spoken 15-year-old聽who is an avid skier and sailor and likes ripped jeans. She carries a two-foot-long pet snake named Calcifer almost everywhere she goes. By day, she totes a backpack to her experimental high school focused on technology in Silicon Valley. But she also has a secret identity: She鈥檚 one of the most prominent young hackers in the country.聽
鈥淥ur generation has a responsibility to make the internet safer and better,鈥 says CyFi (who wants to keep her name anonymous and only go by her online moniker) in an interview at her high school where the hallways bustle with kids in Converse sneakers. 鈥淎s the internet gets even more connected to our homes and our schools and our education and everything, there鈥檚 going to be a ton more vulnerabilities.鈥
CyFi first gained prominence in the tech press at age 10 when she hacked a kids鈥 game on her iPad. That year, PC Magazine called her 鈥渁 Girl Scout by day and a hacker by night.鈥 With the encouragement of her mother (who also works in the cybersecurity industry), CyFi took her talents to the vaunted DEF CON hacker conference in Las Vegas, where she cofounded what鈥檚 now known as r00tz Asylum, a hub for ethical hacking workshops for kids.
As adults at DEF CON electronically infiltrate everything from ATMs to surveillance drones, r00tz is a 鈥渟afe playground where [kids] can learn the basics of hacking without getting themselves into trouble,鈥 says CyFi. When launched in 2011, it drew about 100 kids. With CyFi as teacher and lead digital sleuth, the group uncovered 40 vulnerabilities in mobile apps. The next year, they found 180.
Now, r00tz Asylum has grown into a veritable security conference itself, drawing roughly 600 young people ages 8 to 16. This year at DEF CON, parents lined up all three mornings waiting to drop off their kids. In the sessions, youngsters rip apart smartphones, laptops, and other gadgets at what鈥檚 called the 鈥渏unkyard鈥 to learn how the devices work. Sparks fly as the young hackers solder hardware. Some of them march up on stage and, standing near the podium because they are too short to see over it, give speeches on hacking the video game Minecraft and other tricks.聽
All around, they learn cryptography and simulate how they would thwart a real-world cyberattack. They鈥檙e also developing a culture 鈥 with hacker names and sunglasses 鈥 to help protect themselves against the vast landscape of digital threats they face today, from internet thieves who want to steal their identity to data brokers who buy and sell their personal information, to companies that might want to sue them for exposing mistakes they made in their code. 鈥淵ou know how superheroes go by their superhero names, like Superman and stuff? It鈥檚 good to have a hacker name,鈥 CyFi says, 鈥渟o the villains don鈥檛 know how to get you.鈥澛
R00tz has become so big that it鈥檚 drawing corporate sponsors such as AT&T, Adobe, and Facebook. Volunteers from well-known tech companies speak and teach at the sessions.聽
To ensure the kids only hack for good, there鈥檚 a strict honor code, which includes the admonitions: 鈥淥nly hack things you own. Do not hack anything you rely on. Respect the rights of others. Know the law, the possible risk, and the consequences for breaking it.鈥 The warnings are paired with encouragement. 鈥淩00tz is about creating a better world. You have the power and responsibility to do so. Now go do it!鈥 the code says. 鈥淲e are here to help.鈥澛
In many ways, hacking聽has now become mainstream. Major tech companies such as Apple and Facebook are crowdsourcing their security, encouraging people to search for bugs in their products and report them so they can be fixed. Serious discoveries bring major rewards in the form of bounties. Some professional hackers earn as much as $100,000 a year just hunting for security flaws in tech products.聽
Kids are benefiting from this new security ethos, too. At r00tz, researchers set up devices for the kids to infiltrate.聽
CyFi says hacking into one of Samsung鈥檚 newest smart TVs, as part of a bounty program set up by the company, was a 鈥渞eally important moment for me.鈥 She was 12 at the time.聽
She entered a string of code that turned on the television鈥檚 camera. This exposed the possibility of someone remotely hacking into a TV and being able to watch people while they sat on the couch viewing 鈥淕ame of Thrones鈥 or 鈥淢adame Secretary.鈥 Samsung awarded her $1,000 for exposing the flaw. 鈥淚 think bug bounty programs are really important,鈥 she says, 鈥渂ecause it eliminates that worry of wondering, 鈥極h, is this company going to be really mad about me poking around in their system?鈥 鈥
Bug bounties are a great incentive for kids around the world. A 10-year-old from Finland, for instance, made headlines for winning $10,000 this May for finding a big security problem with the photo-sharing app Instagram.
Companies haven鈥檛 always welcomed this kind of intrusiveness, of course. Consider the experience of Cris Thomas, a noted hacker who goes by the name 鈥淪pace Rogue.鈥 When he first started tinkering with computers back in the 1980s and 鈥90s, there were no safe spaces for hackers or bug-bounty programs. There weren鈥檛 even many computers. The machines were so expensive and rare, Mr. Thomas says, that he would ride his bicycle around Boston, diving into dumpsters near the Massachusetts Institute of Technology (MIT) to look for spare parts with which to assemble his own.
Now, according to one recent study, three-quarters of children in the United States have their own mobile device by age 4. The internet has also made it easier to learn about how all these devices work and about hacking into them. When Thomas was in his early 20s, he had to teach himself. Today鈥檚 young hackers can find unlimited information at the tap of a key. 鈥淭oday, you鈥檙e trying to investigate something; you can just find a YouTube video about it online,鈥 he says. 鈥淲ant to learn to code? There are classes for free at MIT.鈥
Early hackers were also usually viewed with suspicion. Authorities thought they were either trying to steal data or destroy systems. 鈥淚 was always looking over my shoulder, wondering if I was going to get raided by the government, or the FBI, even though I wasn鈥檛 doing anything bad,鈥 says Thomas.聽
Now, kids are actively encouraged to do 鈥渨hite hat鈥 鈥 or ethical 鈥 hacking. In fact, a flood of corporate money is going into training programs for young people with the hope of filling a cybersecurity workforce shortage already estimated at 1 million jobs.
One of the biggest efforts is CyberPatriot, a cyberdefense competition organized by the Air Force Association to test the technical skills of high-schoolers and middle-schoolers and inspire them to go into cybersecurity or related technology fields. Since 2009, more than 85,000 students have participated in the competition. The Northrop Grumman Foundation 鈥 the philanthropic arm of the defense contractor 鈥 is the primary sponsor, and organizations such as Cisco, Facebook, Microsoft, and the Department of Homeland Security all contribute to the roughly $3 million a year it costs to run the competition, an elementary school education initiative, and dozens of cybersecurity summer camps.聽
Programs like CyberPatriot are helping to turn hacking from a fringe hobby into a cool team sport 鈥 and drawing some of the nation鈥檚 best and brightest young people. 鈥淓ven though I may look like a 鈥榥erd鈥 on the outside,鈥 says Andrew Wang, 14, laughing as he makes quotation marks with his fingers, 鈥減eople will at least acknowledge that I have that competitive spirit.鈥 A freshman at Del Norte High School in a residential community just north of downtown San Diego, Andrew is among 70 students in his district鈥檚 program. 鈥淓veryone wants to win,鈥 he says.聽
At last year鈥檚 CyberPatriot finals in Baltimore, Andrew captained the middle school team that beat out 468 others to win the national competition. The contest, in which students take on the role of IT professionals at a fake company and try to keep its services running as attackers infiltrate the system, is great real-world training. 鈥淭here鈥檚 an actual red team attacking you,鈥 Andrew says. Winning 鈥渞eally depends on your ability to fix things on the fly.鈥澛
To Andrew, though, his victory meant more than a free trip to the East Coast and missing school. He personally feels a responsibility to protect his friends and family. 鈥淲hen I was 8, I thought it would be a great idea to click a link from a random, unidentified sender,鈥 he recalls. That one click allowed a hacker to sabotage the family computer. 鈥淚 thought I had completely broken the system,鈥 he says, 鈥渁nd my parents were really mad at me, too.鈥澛
So Andrew taught himself how to use security tools to eliminate the virus from the computer. 鈥淲hen I fixed it, all that doubt and worry went away. And I thought, 鈥楳aybe computers aren鈥檛 as hard as I thought initially,鈥 he says.聽
Some gifted children聽are working to pass on their technical knowhow to other children. Take Reuben Paul of Pflugerville, Texas, a suburb of Austin. Lean and brown-eyed, he is a veritable Renaissance kid. He does gymnastics, plays drums and piano, takes martial arts, and, of course, is a computer whiz. He鈥檚 also a chief executive officer, at age 10.聽
Reuben has been learning about cybersecurity since he was 6 from his father, who has an interesting r茅sum茅 himself: He鈥檚 a former shark researcher-turned-computer security specialist.聽
Reuben was gaining international recognition as CEO of his own for-profit company, Prudent Games 鈥 which creates fun cybersecurity, science, and math games to sell in online app stores 鈥 when he had an epiphany: 鈥淚 thought, 鈥業鈥檓 learning about cybersecurity, but what about the kids that aren鈥檛 鈥 the ones that are getting hurt in the cyberworld, and aren鈥檛 safe and secure?鈥 鈥
So he formed the nonprofit CyberShaolin, which makes educational videos and games to help kids learn about complex cybersecurity topics. The name derives from two of Reuben鈥檚 passions: computers and martial arts (at age 7, he became the country鈥檚 youngest black belt in his style of kung fu).聽
Like kung fu, cybersecurity is made up of attacks and defenses. So just like martial artists, beginners in his CyberShaolin 鈥渄igital black belt program鈥 start with a white belt. 鈥淵ou鈥檒l learn simple things: What is the internet, what is security, what is a computer, basically,鈥 he says. Then, as the kids advance, they earn more belts as they learn about basic attacks 鈥 such as phishing or wireless intrusions. There are both blocks and defenses, 鈥渙r how to defend yourself using encryption and other types of things,鈥 he says. By the time you are a black belt, Reuben says, 鈥測ou should know everything about security. You should be a security pro.鈥
Reuben鈥檚 family is talking with the local Texas school district to see about using some of the videos in the curriculum. And the well-known Russian-based cybersecurity company Kaspersky Lab is the nonprofit鈥檚 first sponsor.
鈥淲e were first thinking we would make [kids] pay for it, but then I said, 鈥楴o, cybersecurity education should be free for all kids to learn,鈥 鈥 says Reuben.
Akul Arora is helping his local school district in California deal with electronic intruders as well. After Akul, 15, went through the CyberPatriot program at Del Norte High School, he started to notice hackers were getting into the school鈥檚 computers. 鈥淪ome member of the network doesn鈥檛 know what they鈥檙e doing and they let something in,鈥 he says. 鈥淪ometimes in the morning announcements, [school officials] say, 鈥楨verybody change your passwords.鈥 鈥澛
So Akul volunteered to help the district develop a training program to teach the students and teachers about the dangers of phishing emails and viruses. He鈥檚 also teaching kids at his former elementary school the basics, such as how to differentiate between secure and unsecured websites.
鈥淲ithout dissing teachers at all, I think a lot of teachers are not very technology-centered. So I feel when they鈥檙e teaching technology, they鈥檙e just repeating what鈥檚 on a slide deck or materials given to them,鈥 he says. 鈥淢y advantage with the students is that I鈥檓 of their generation and understand the problems they face in cybersecurity, and that helps me connect with them better.鈥澛
Some of the most advanced聽kids are already becoming cybersecurity professionals, moving a step beyond taking computers apart in their basements and bedrooms like their predecessors. The upstairs bedroom of 14-year-old Paul Vann doubles as the worldwide headquarters of his company, Vann Tech. Next to his bed in Fredericksburg, Va., is a laboratory packed with devices designed to break into people鈥檚 Wi-Fi networks, data analysis software, a computer loaded with advanced hacking tools, and a 3-D printer.聽
Paul鈥檚 latest venture: a start-up that pushes the boundaries of how to test a company鈥檚 security. 鈥淥nce I have the funding, I think we need a building, and we definitely need more employees,鈥 says Paul, who talks 鈥 and thinks 鈥 at fiber-optic speed. 鈥淚 can鈥檛 be the only one developing projects.鈥
On the side, Paul attends college courses in theoretical physics 鈥 but he鈥檚 too young to get credit 鈥 and takes free math courses online through MIT. He is also trying to build an 鈥渋nvisibility cloak鈥 like the one in the 鈥淗arry Potter鈥 books using theories rooted in acousto-optics.聽
Yet he has faced one recurring problem in his foray into adult capitalism: getting grown-ups to take him seriously. 鈥淭hey don鈥檛 respect you as much as they would an adult,鈥 he says.
Paul, who has spoken at three different cybersecurity conferences, got into hacking after reading a book by self-described 鈥渂reak-in artist鈥 Kevin Mitnick called 鈥淕host in the Wires.鈥 It chronicles Mr. Mitnick鈥檚 escapades in two decades of hacking, which famously included stealing proprietary code from companies and snooping on the National Security Agency鈥檚 phone calls in the 1980s and 鈥90s.
But, Paul complains, 鈥淭hey never talked about how he did it.鈥 So he downloaded online hacking tools and started teaching himself through YouTube videos. 鈥淢y first thing I wanted to learn was Wi-Fi [hacking] 鈥 that鈥檚 the easiest way you can hack someone if you鈥檙e not with them.鈥
The tutorials were successful. Paul saw how he could break into Wi-Fi networks within a three-mile radius of his home. But Paul, who is close to becoming an Eagle Scout, also wanted to make sure he didn鈥檛 do anything wrong. So he asked his neighbors, when they came over for dinner, for permission to hack into their home internet. 鈥淭hey said, 鈥楽ure, as long as you don鈥檛 do any damage.鈥 鈥
As his parents and friends ate downstairs, Paul went to his bedroom laboratory. 鈥淚 was finally able to break into something without getting into trouble,鈥 he says.聽
Paul understands the morality of hacking. 鈥淚t鈥檚 really important you consider ethics before you try to break into another system 鈥 and you want to make sure whatever you鈥檙e doing is not going to harm that system,鈥 he says. 鈥淎nd whatever you do, tell the person.鈥澛
In other words, don鈥檛 wear an invisibility cloak.聽
