The kids who might save the internet
A new generation of cybersecurity prodigies breaks into networks – just to make them safer. Meet the young hackers trying to keep the web from tilting to the dark side.
Kristoffer Von Hassel could open smartphone apps before he could walk. By age 2, a time when most kids are still in diapers, he had bypassed the “toddler lock” on his parents’ Android phone. Then, at 5, young Kristoffer discovered how to outwit the parental controls on his father’s Xbox One, which were meant to keep him from playing violent video games such as Call of Duty.
It wasn’t a trivial discovery. He’d uncovered a serious security loophole in the game’s software. When his dad, Robert Davies, found out, he laid out two options: They could expose the flaw on YouTube to alert everyone else to the secret way in, or they could reveal it to Microsoft, which makes the Xbox.
Kristoffer thought about it and asked what bad guys would do if they learned about the workaround. “Somebody could steal an Xbox and use your bug to get on to it,” Mr. Davies, a computer engineer, recalls telling him. “He said, ‘Oh no, we can’t have that. We’ve got to tell Microsoft.’ ”
Microsoft fixed the flaw within a week. And Kristoffer became known as the world’s youngest hacker when he made the company’s list of security researchers who had found dangerous vulnerabilities in Microsoft’s products. “When I jammed the buttons, I probably saved Microsoft’s b-u-t-t,” says Kristoffer, now 8, from his bedroom, which is filled with space posters and coding books, in the family’s San Diego apartment. “Thank goodness I found it, because it could have went into the wrong hands.”
Kristoffer is part of a new generation of wunderkinds, many of them lugging school backpacks and still wearing braces, that just might help save tomorrow’s internet. Idealistic and computer savvy, they are mastering the mysterious numerical codes that underpin the digital world in the hope of making the web a more secure place.
Today, everything in kids’ lives is captured in silicon chips and chronicled on Facebook. As tweens and teens, they effortlessly swap selfies on Snapchat and Instagram. Most would rather text than talk.
Yet the massive digital ecosystem they inherited is fragile, broken, and unsafe. Built without security in mind, it’s constructed on vulnerable code. As a result, malicious hackers are taking advantage. From Yahoo to the US government, breaches of highly sensitive or highly personal networks have become commonplace. Stolen celebrity photos are the new tabloid staple. The insecurity of the internet is injecting itself into presidential politics ahead of the November election. In the not too distant future, digital attacks may even set off the next war.
Adults, who laid the internet’s insecure foundation, have so far been unable to patch the security holes or stem the tide of cybercrime. “There are smart, serious people thinking long and hard about these problems – and we don’t have the solutions we need,” says Stephen Cobb, a senior researcher at the cybersecurity firm ESET, who helps organize a cybersecurity boot camp for kids each summer in San Diego. “I personally have to place a lot of hope and faith into the next generation. They are more willing to challenge assumptions in technology than older people, who may feel things are established or difficult to change. It’s the idealism of youth which may inspire alternative approaches to design and deployment of digital technology.”
While Kristoffer’s discovery may have been the result of a bit of serendipity – and youthful mischievousness – there’s a whole community of brilliant young tinkerers intent on hacking the internet with the same exuberance. Only they aren’t trying to break the web. They’re trying to put it back together.
“CyFi” is a soft-spoken 15-year-old who is an avid skier and sailor and likes ripped jeans. She carries a two-foot-long pet snake named Calcifer almost everywhere she goes. By day, she totes a backpack to her experimental high school focused on technology in Silicon Valley. But she also has a secret identity: She’s one of the most prominent young hackers in the country.
“Our generation has a responsibility to make the internet safer and better,” says CyFi (who wants to keep her name anonymous and only go by her online moniker) in an interview at her high school where the hallways bustle with kids in Converse sneakers. “As the internet gets even more connected to our homes and our schools and our education and everything, there’s going to be a ton more vulnerabilities.”
CyFi first gained prominence in the tech press at age 10 when she hacked a kids’ game on her iPad. That year, PC Magazine called her “a Girl Scout by day and a hacker by night.” With the encouragement of her mother (who also works in the cybersecurity industry), CyFi took her talents to the vaunted DEF CON hacker conference in Las Vegas, where she cofounded what’s now known as r00tz Asylum, a hub for ethical hacking workshops for kids.
As adults at DEF CON electronically infiltrate everything from ATMs to surveillance drones, r00tz is a “safe playground where [kids] can learn the basics of hacking without getting themselves into trouble,” says CyFi. When launched in 2011, it drew about 100 kids. With CyFi as teacher and lead digital sleuth, the group uncovered 40 vulnerabilities in mobile apps. The next year, they found 180.
Now, r00tz Asylum has grown into a veritable security conference itself, drawing roughly 600 young people ages 8 to 16. This year at DEF CON, parents lined up all three mornings waiting to drop off their kids. In the sessions, youngsters rip apart smartphones, laptops, and other gadgets at what’s called the “junkyard” to learn how the devices work. Sparks fly as the young hackers solder hardware. Some of them march up on stage and, standing near the podium because they are too short to see over it, give speeches on hacking the video game Minecraft and other tricks.
All around, they learn cryptography and simulate how they would thwart a real-world cyberattack. They’re also developing a culture – with hacker names and sunglasses – to help protect themselves against the vast landscape of digital threats they face today, from internet thieves who want to steal their identity to data brokers who buy and sell their personal information, to companies that might want to sue them for exposing mistakes they made in their code. “You know how superheroes go by their superhero names, like Superman and stuff? It’s good to have a hacker name,” CyFi says, “so the villains don’t know how to get you.”
R00tz has become so big that it’s drawing corporate sponsors such as AT&T, Adobe, and Facebook. Volunteers from well-known tech companies speak and teach at the sessions.
To ensure the kids only hack for good, there’s a strict honor code, which includes the admonitions: “Only hack things you own. Do not hack anything you rely on. Respect the rights of others. Know the law, the possible risk, and the consequences for breaking it.” The warnings are paired with encouragement. “R00tz is about creating a better world. You have the power and responsibility to do so. Now go do it!” the code says. “We are here to help.”
In many ways, hacking has now become mainstream. Major tech companies such as Apple and Facebook are crowdsourcing their security, encouraging people to search for bugs in their products and report them so they can be fixed. Serious discoveries bring major rewards in the form of bounties. Some professional hackers earn as much as $100,000 a year just hunting for security flaws in tech products.
Kids are benefiting from this new security ethos, too. At r00tz, researchers set up devices for the kids to infiltrate.
CyFi says hacking into one of Samsung’s newest smart TVs, as part of a bounty program set up by the company, was a “really important moment for me.” She was 12 at the time.
She entered a string of code that turned on the television’s camera. This exposed the possibility of someone remotely hacking into a TV and being able to watch people while they sat on the couch viewing “Game of Thrones” or “Madame Secretary.” Samsung awarded her $1,000 for exposing the flaw. “I think bug bounty programs are really important,” she says, “because it eliminates that worry of wondering, ‘Oh, is this company going to be really mad about me poking around in their system?’ ”
Bug bounties are a great incentive for kids around the world. A 10-year-old from Finland, for instance, made headlines for winning $10,000 this May for finding a big security problem with the photo-sharing app Instagram.
Companies haven’t always welcomed this kind of intrusiveness, of course. Consider the experience of Cris Thomas, a noted hacker who goes by the name “Space Rogue.” When he first started tinkering with computers back in the 1980s and ’90s, there were no safe spaces for hackers or bug-bounty programs. There weren’t even many computers. The machines were so expensive and rare, Mr. Thomas says, that he would ride his bicycle around Boston, diving into dumpsters near the Massachusetts Institute of Technology (MIT) to look for spare parts with which to assemble his own.
Now, according to one recent study, three-quarters of children in the United States have their own mobile device by age 4. The internet has also made it easier to learn about how all these devices work and about hacking into them. When Thomas was in his early 20s, he had to teach himself. Today’s young hackers can find unlimited information at the tap of a key. “Today, you’re trying to investigate something; you can just find a YouTube video about it online,” he says. “Want to learn to code? There are classes for free at MIT.”
Early hackers were also usually viewed with suspicion. Authorities thought they were either trying to steal data or destroy systems. “I was always looking over my shoulder, wondering if I was going to get raided by the government, or the FBI, even though I wasn’t doing anything bad,” says Thomas.
Now, kids are actively encouraged to do “white hat” – or ethical – hacking. In fact, a flood of corporate money is going into training programs for young people with the hope of filling a cybersecurity workforce shortage already estimated at 1 million jobs.
One of the biggest efforts is CyberPatriot, a cyberdefense competition organized by the Air Force Association to test the technical skills of high-schoolers and middle-schoolers and inspire them to go into cybersecurity or related technology fields. Since 2009, more than 85,000 students have participated in the competition. The Northrop Grumman Foundation – the philanthropic arm of the defense contractor – is the primary sponsor, and organizations such as Cisco, Facebook, Microsoft, and the Department of Homeland Security all contribute to the roughly $3 million a year it costs to run the competition, an elementary school education initiative, and dozens of cybersecurity summer camps.
Programs like CyberPatriot are helping to turn hacking from a fringe hobby into a cool team sport – and drawing some of the nation’s best and brightest young people. “Even though I may look like a ‘nerd’ on the outside,” says Andrew Wang, 14, laughing as he makes quotation marks with his fingers, “people will at least acknowledge that I have that competitive spirit.” A freshman at Del Norte High School in a residential community just north of downtown San Diego, Andrew is among 70 students in his district’s program. “Everyone wants to win,” he says.
At last year’s CyberPatriot finals in Baltimore, Andrew captained the middle school team that beat out 468 others to win the national competition. The contest, in which students take on the role of IT professionals at a fake company and try to keep its services running as attackers infiltrate the system, is great real-world training. “There’s an actual red team attacking you,” Andrew says. Winning “really depends on your ability to fix things on the fly.”
To Andrew, though, his victory meant more than a free trip to the East Coast and missing school. He personally feels a responsibility to protect his friends and family. “When I was 8, I thought it would be a great idea to click a link from a random, unidentified sender,” he recalls. That one click allowed a hacker to sabotage the family computer. “I thought I had completely broken the system,” he says, “and my parents were really mad at me, too.”
So Andrew taught himself how to use security tools to eliminate the virus from the computer. “When I fixed it, all that doubt and worry went away. And I thought, ‘Maybe computers aren’t as hard as I thought initially,’ ” he says.
Some gifted children are working to pass on their technical knowhow to other children. Take Reuben Paul of Pflugerville, Texas, a suburb of Austin. Lean and brown-eyed, he is a veritable Renaissance kid. He does gymnastics, plays drums and piano, takes martial arts, and, of course, is a computer whiz. He’s also a chief executive officer, at age 10.
Reuben has been learning about cybersecurity since he was 6 from his father, who has an interesting résumé himself: He’s a former shark researcher-turned-computer security specialist.
Reuben was gaining international recognition as CEO of his own for-profit company, Prudent Games – which creates fun cybersecurity, science, and math games to sell in online app stores – when he had an epiphany: “I thought, ‘I’m learning about cybersecurity, but what about the kids that aren’t – the ones that are getting hurt in the cyberworld, and aren’t safe and secure?’ ”
So he formed the nonprofit CyberShaolin, which makes educational videos and games to help kids learn about complex cybersecurity topics. The name derives from two of Reuben’s passions: computers and martial arts (at age 7, he became the country’s youngest black belt in his style of kung fu).
Like kung fu, cybersecurity is made up of attacks and defenses. So just like martial artists, beginners in his CyberShaolin “digital black belt program” start with a white belt. “You’ll learn simple things: What is the internet, what is security, what is a computer, basically,” he says. Then, as the kids advance, they earn more belts as they learn about basic attacks – such as phishing or wireless intrusions. There are both blocks and defenses, “or how to defend yourself using encryption and other types of things,” he says. By the time you are a black belt, Reuben says, “you should know everything about security. You should be a security pro.”
Reuben’s family is talking with the local Texas school district to see about using some of the videos in the curriculum. And the well-known Russian-based cybersecurity company Kaspersky Lab is the nonprofit’s first sponsor.
“We were first thinking we would make [kids] pay for it, but then I said, ‘No, cybersecurity education should be free for all kids to learn,’ ” says Reuben.
Akul Arora is helping his local school district in California deal with electronic intruders as well. After Akul, 15, went through the CyberPatriot program at Del Norte High School, he started to notice hackers were getting into the school’s computers. “Some member of the network doesn’t know what they’re doing and they let something in,” he says. “Sometimes in the morning announcements, [school officials] say, ‘Everybody change your passwords.’ ”
So Akul volunteered to help the district develop a training program to teach the students and teachers about the dangers of phishing emails and viruses. He’s also teaching kids at his former elementary school the basics, such as how to differentiate between secure and unsecured websites.
“Without dissing teachers at all, I think a lot of teachers are not very technology-centered. So I feel when they’re teaching technology, they’re just repeating what’s on a slide deck or materials given to them,” he says. “My advantage with the students is that I’m of their generation and understand the problems they face in cybersecurity, and that helps me connect with them better.”
Some of the most advanced kids are already becoming cybersecurity professionals, moving a step beyond taking computers apart in their basements and bedrooms like their predecessors. The upstairs bedroom of 14-year-old Paul Vann doubles as the worldwide headquarters of his company, Vann Tech. Next to his bed in Fredericksburg, Va., is a laboratory packed with devices designed to break into people’s Wi-Fi networks, data analysis software, a computer loaded with advanced hacking tools, and a 3-D printer.
Paul’s latest venture: a start-up that pushes the boundaries of how to test a company’s security. “Once I have the funding, I think we need a building, and we definitely need more employees,” says Paul, who talks – and thinks – at fiber-optic speed. “I can’t be the only one developing projects.”
On the side, Paul attends college courses in theoretical physics – but he’s too young to get credit – and takes free math courses online through MIT. He is also trying to build an “invisibility cloak” like the one in the “Harry Potter” books using theories rooted in acousto-optics.
Yet he has faced one recurring problem in his foray into adult capitalism: getting grown-ups to take him seriously. “They don’t respect you as much as they would an adult,” he says.
Paul, who has spoken at three different cybersecurity conferences, got into hacking after reading a book by self-described “break-in artist” Kevin Mitnick called “Ghost in the Wires.” It chronicles Mr. Mitnick’s escapades in two decades of hacking, which famously included stealing proprietary code from companies and snooping on the National Security Agency’s phone calls in the 1980s and ’90s.
But, Paul complains, “They never talked about how he did it.” So he downloaded online hacking tools and started teaching himself through YouTube videos. “My first thing I wanted to learn was Wi-Fi [hacking] – that’s the easiest way you can hack someone if you’re not with them.”
The tutorials were successful. Paul saw how he could break into Wi-Fi networks within a three-mile radius of his home. But Paul, who is close to becoming an Eagle Scout, also wanted to make sure he didn’t do anything wrong. So he asked his neighbors, when they came over for dinner, for permission to hack into their home internet. “They said, ‘Sure, as long as you don’t do any damage.’ ”
As his parents and friends ate downstairs, Paul went to his bedroom laboratory. “I was finally able to break into something without getting into trouble,” he says.
Paul understands the morality of hacking. “It’s really important you consider ethics before you try to break into another system – and you want to make sure whatever you’re doing is not going to harm that system,” he says. “And whatever you do, tell the person.”
In other words, don’t wear an invisibility cloak.