How to raise a white hat hacker

Many of today's tech-savvy kids demonstrate the sort of curiosity that makes them ideally suited to become tomorrow's ethical hackers. The trick is teaching them how to use those instincts for good, and steering them away from the darker corners of the Internet.

Ann Hermes/The Christian Science Monitor

April 25, 2016

My son hacked his first device when he was 6 years old. He discovered an exploit in my iPad that let him bypass parental controls and refill the tablet with games that I had deleted. 

In about four years since then, he's become something of a hacker phenom. He tricked his grandmother into revealing the PlayStation password by impersonating his dad via text messages. He's defeated the parental lock on the TV by guessing the password. He's purchased $600 worth of Garfield books by accessing Amazon from a logged-in computer. He's circumvented the time limits on his screen time by changing his computer's clock at the end of each gaming session. He even completely locked out his grandmother from her iPhone by replacing her thumbprint with his own.

In fact, it's rare that a week goes by without my husband or me refining some aspect of the complex set of parental restrictions, network filters, and physical locks that keep my son from spending 24 hours a day playing video games.

It’s easy to get upset over his behavior – and I often do. It's easy for kids like him to get into serious trouble. From Reddit to the Dark Web, there’s no shortage of advice on how to do everything from short-circuiting parental cellphone monitoring to setting up and deploying malicious software.

But instead of always punishing or discouraging my son's hacking pursuits, we have tried to find creative ways of encouraging them in hopes of channeling that tech ingenuity toward positive ends. Hopefully, that way he'll develop his skills and potential without getting sucked into the temptations of mischief or crime. After all, his skills and tech curiosity can easily be applied to good, and the world desperately needs more “white hat” or ethical hackers who can root out security flaws to make the Internet safer.

The hacker way

The security industry today is full of professionals who started testing the bounds of technology when they were kids. But they grew up in the dark days before the user-friendly Internet. Techie children had to learn to code in order to do anything interesting with a computer. Kids who tired of the safe confines of the local electronic bulletin board could use those coding skills to hack their way into other, closed virtual spaces. It didn’t take malicious intention to become a hacker, just curiosity.

“Before the ubiquitous Internet, finding kindred hacker spirits was very difficult,” recalls Sabino Marquez, an information risk strategist. "If you had a modem in the mid-to-late 80s, you could dial into bulletin board systems around the world and try to meet new hacker friends that way. That's how I learned the craft of hacking."

In contrast, today's kids have a staggering array of options to scratch their tech itch. They have their own starter smartphones and kid-optimized tablets. They have games and toys that teach them to code, and code-free environments that let them create their own video games. They have walled gardens that let them experiment with social media before they're old enough to join Facebook, and their own guidebooks for using Facebook and Instagram once they reach the glorious age of 13. There's no longer any need to hack your way into the wide world of online information or the global community of Internet geeks, because it's all as close as your computer or phone.

My muddle to mediocrity: When good enough is good enough

Even in this world of online abundance, however, there are some kids who still show that hacker inclination to push the limits of technology, curiosity, and parental indulgence. These are the kids, like my son, who somehow find a way to get back into the devices their parents have locked them out of, or discover the dark mysteries of 4chan while they're still in middle school.

They may well be the children who are most likely to grow up to be white hat hackers, but they're also the kids who are most likely to run afoul of federal computer laws before they finish high school.

Steering them in the right direction begins with the basics: ensuring kids know how to code. Apps such as Move the Turtle and Lightbot Jr. can teach the fundamentals of programming logic to preschoolers; when kids get a little older, you can introduce them to Scratch, a visual programming language designed for kids. For avid Minecrafters, learning to build your own Minecraft mods may be the most appealing entry point into programming, and can help kids get into Javascript. From there, resources such as Code Academy or Khan Academy can help kids transition into learning programming languages and building their own apps.

Rewarding clever kids 

Encouraging kids' tech ingenuity isn't just about technical skills, however. It's also about cultivating an attitude. Young people may grow up glued to their computers and smartphones, but most of them simply use the devices, sites, and software that other people have built for them. That's the antithesis of what tech journalist Steven Levy described as the hacker's "hands-on imperative" – an ideological and practical commitment to opening up, tinkering with, and understanding the technologies we use.

To raise a hacker, you need to get your kid’s hands dirty, and teach them to take apart or build their own tools instead of just accepting technology as-is.

John Adams, the head of information security at Bolt.com and former security team lead for Twitter, recommends asking kids to think critically about the technology they're already using by saying something like, "Great, you can send a text message. How do you think that works?"

If your kid makes up an answer (as my son is prone to do), probe them to dig deeper, so they learn to approach tech problems using the scientific method. Mr. Adams suggests saying: "You think that's true, let's test it."

Since it's now easier to buy than to build most technologies, you may have to introduce some artificial constraints on your kid’s tech access if you want to unleash their inner hacker. Offer to buy a build-your-own-computer kit instead of a pre-fab Windows box. Tell them they can have that blog they've been asking for, but only if they set it up from scratch (and make them start with an actual hand-coded HTML page).

I gave in to my son's relentless nagging for a Minecraft server (which lets him host multiplayer games) but only once he agreed to spend a day reading up on server configuration and setting up a server ourselves, using an old Mac. Solve your kid's crashing computer, and you've fixed it for a week. Teach your child to google her own solution, and you’ve got her started on a lifelong path of DIY tech support.

Once you've let the hacker genie out of the bottle, however, you need to make sure your child understands the difference between white hack and black hat (the bad guys). That begins with a conversation: My little hacker summarizes what he’s learned by saying, “A black hat hacker hacks for his own profit without telling anybody. A white hack hacker tells people about it, and gets paid by people to do that."

Of course, there’s a difference between knowing the path, and walking the path. So what do you do if your little hacker decides that white-hat life is getting dull, and wants to experience the excitement of breaking into something forbidden?

"That's very, very cut and dried now," Adams says. "You're not allowed to penetration test anyone's system without permission. Can you discover flaws in something? Sure. Can you penetration test? No." 

Adams offers an analogy your kids may relate to. "It's like lockpicking," he says. "We teach people not to pick a lock they don't own."

Penetration test your home

To help your child internalize the idea that you should only test systems you've got permission to test, give them permission to test your own devices and networks. You may want to place your work computer out-of-bounds, but otherwise, give your child a standing invitation to find gaps in your parental restrictions or password protections. Along with that invitation, introduce the idea that it’s a hacker’s job to report any vulnerabilities they might uncover.

When your child finds a way around your parental controls, praise her cleverness, and show her how to document her discovery in a blog post or an error report to the company behind the tech.

If there’s any reluctance to report these discoveries — after all, who doesn’t like having backdoor access to the family computer? — you could follow the standard industry practice of offering a bounty for any vulnerability a hacker uncovers.

Our kids can now get an extra 45 minutes of video game time if they find a gap in any of our parental restrictions, which they can report through a Google Form we set up. While this doesn’t stop our son from occasionally “forgetting” to tell us that he’s found a new way to access his favorite online games, it has reduced the typical lag between when our son finds a gap in the system, and when we’re able to close it.

Hacker mentors

Perhaps the best way to encourage your kids to pursue white hat hacking – and to stay away from black hat activities – is to introduce them to programmers, engineers, and security professionals. The ideal folks are those who make a tech career sound exciting, and ideally, can play some role in mentoring your baby hacker.

In my son’s case, that role has been played by Mr. Marquez, the security strategist. The two of them have bonded over their shared love of video games and their shared hatred of vegetables, and our son now sees our info security pal as a model for what he’d like to do when he grows up. "Hacker kids are not like other kids," says Marquez. "You really have to cater to their sense of curiosity while simultaneously instilling iron-clad ethics to ensure that they do no evil."

Introducing a child to the skills, mindset, and people of the white hat hacking world is no guarantee that he or she will grow up to be an information security professional, of course. Many of these kids will grow up to be software developers, system administrators, or game designers, or even – gasp! – pursue careers entirely outside of the tech world.

But wherever they land in the adult world, their tech skills and security smarts will not only ensure that they use the Internet responsibly, but will help them become constructive contributors to a security and privacy-aware online culture.