Company trains teen hackers to provide security services

04/06/2003 Written by Julie Flaherty

WEST­BROOK, Maine On a Wednes­day evening, in an office suite appointed with Pen­tium IIs and lit­tle else, 10 teenagers were doing Andrew Robinson’s bid­ding. For­ti­fied by pizza and soda, they stud­ied a com­puter system’s weak­nesses, look­ing for ways to break in and steal information.Robin­son urged them on, like a modern-​day Fagin goad­ing his band of pickpockets.

Robin­son, 38, who runs a small infor­ma­tion secu­rity com­pany in nearby Port­land, had less-​than-​nefarious plans in mind, how­ever. His free after-​school pro­gram is intended to teach teenagers the basics of eth­i­cal hack­ing, or pro­tect­ing a company’s com­puter sys­tem from attack by learn­ing how to attack it your­self. The pro­gram, called Tiger Team, named for the pro­fes­sional con­sul­tants who ana­lyze sys­tem secu­rity risk, teaches young hack­ers to use their skills for good instead of evil. Work­ing as two teams, the teenagers play a vir­tual game of cap­ture the flag, try­ing to crack the other team’s net­work and do dam­age while defend­ing their own. An honor code keeps them from cre­at­ing mis­chief out­side their labs.

Robin­son got the idea for this “infor­ma­tion secu­rity sand­box” three years ago at a job fair, where he met a teenager who had been arrested for low-​level hack­ing. Robin­son saw his set­backs as a waste, con­sid­er­ing the con­stant demand for infor­ma­tion secu­rity pro­fes­sion­als. So he cre­ated a non­profit orga­ni­za­tion, the Inter­net Secu­rity Foun­da­tion, ded­i­cated to edu­cat­ing the pub­lic about infor­ma­tion secu­rity. Its pilot project, Tiger Team, began last month.

“Here’s how you can do this legally, within a moral and eth­i­cal frame­work, and make a good amount of money doing it,” Robin­son said. “It fills the need of the com­pa­nies, and more and more since 9/​11, it fills the need of the coun­try for cyber­se­cu­rity.”

Find­ing par­tic­i­pants was easy. About 50 teenagers from south­ern Maine con­tacted Robin­son after read­ing about his idea in the local news­pa­pers. More than a third said they had done some­thing that could be con­strued as hack­ing.

“There were a cou­ple who refused to answer the ques­tion about whether they had been in trou­ble for it,” Robin­son said. “I think most of that was just bravado.”

He doubts he will con­vert any­one truly attracted to hacking’s anti­so­cial side. “Some­body who was sort of the Elite Hack­zor, or what­ever you want to call it, would prob­a­bly not have applied for this pro­gram.” he said. “If they were already in the dark side, they would prob­a­bly not come here.”

The teenagers, boys who aver­age about 16 years in age, do wield some power. All were required to have expe­ri­ence con­fig­ur­ing dif­fer­ent kinds of oper­at­ing sys­tems, includ­ing a Mac or Unix-​based one, and writ­ing com­puter pro­grams.

“They weren’t script kid­dies,” Robin­son said, refer­ring to sys­tem crack­ers who wage attacks with pro­grams writ­ten by more savvy coders. “They have all the skills that they need to cause trou­ble, and some of them may have even started doing some of those things just for fun.”

The most seri­ous breaches the appli­cants con­fessed to were out­wit­ting a Web site’s access con­trols to view con­tent that they should not have.

In the sec­ond week of the seven-​week pro­gram, the stu­dents sat patiently through two pre­sen­ta­tions on the busi­ness side of infor­ma­tion secu­rity, from cre­at­ing a risk assess­ment to secur­ing man­age­ment sup­port. But the third speaker had trou­ble get­ting through his talk on find­ing a system’s weak­nesses because the stu­dents inter­rupted with ques­tions.

“We put the inter­est­ing things last,” said Justin Smith, 27, a Tiger Team vol­un­teer and a net­work ana­lyst in Robinson’s com­pany, NMI InfoS­e­cu­rity Solu­tions. Smith said the stu­dents had per­formed so well that the instruc­tors had to accel­er­ate the instruc­tion.

Between lec­tures, the two teams zipped off to their sep­a­rate lab rooms, where com­pe­ti­tion was already build­ing.

“There’s been a lit­tle bit of win­dow spy­ing,” said Tris­tan Fisher, 18.

Per­haps some shifty scout­ing tech­nique employ­ing Microsoft Win­dows? Not quite.

“We’re on the first floor,” Fisher said, pulling aside the blinds to reveal the park­ing lot. “Every now and then we’ll see some­one walk over to our win­dow and peek in.”

An unclosed lab door is also fair game. Robin­son, who is care­ful to turn all impor­tant paper­work on his desk face down before receiv­ing vis­i­tors, teaches stu­dents that not all hack­ing is done elec­tron­i­cally.

Scott Ander­son, 18, a high school senior, is giv­ing seri­ous thought to going into the infor­ma­tion secu­rity pro­fes­sion. “This is prob­a­bly the only link I have to get­ting a job when I grad­u­ate,” he said, adding that he had barely pass­ing grades.

Good grades are not a require­ment for the pro­gram. Robin­son, who related that he him­self had excel­lent stan­dard­ized test scores but poor grades, said he empathized with stu­dents who say they are bored with school. It was not until an uncle who taught com­puter sci­ence at the Uni­ver­sity of Maine got him into some college-​level classes, he said, that he saw his own future open up.

The office space, the com­put­ers and the Inter­net con­nec­tion have all been donated, mostly by banks and other orga­ni­za­tions that rec­og­nize the need for infor­ma­tion secu­rity. But Robin­son met with some ini­tial qualms.

“Some of them grilled us pretty heav­ily on the con­cept of, ‘Well, aren’t you train­ing hack­ers?’” he said. “I go, yeah. I have a black belt in mar­tial arts. If I wanted to be a bad guy, I could go and hurt peo­ple. But I don’t do it. That’s not the empha­sis of the pro­gram.”

The stu­dents are get­ting a good dose of ethics along with some sober­ing words about legal reper­cus­sions.

“Yes, we are teach­ing them to be hack­ers,” he said, “but wouldn’t you rather have them on your side?”