Hacker Highschool: Pete Herzog [ML BSide]

Pete Herzog is a security expert and an educator with a vision: he wants our kids to learn about cybersecurity, and not just about not talking to strangers online - he wants them to learn even more advanced stuff, such as security analysis and hacking. Pete spoke with Nate Nelson about his Hacker Highschool initiative, and the lessons he learned from it.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Pete Herzog

Co-Founder, Urvin.AI, ISECOM.

Pete Herzog is an experienced security expert with as much time in the trenches as in the tower, on both offense and defense. He has advised on how to protect some of the most iconic organizations in the world, without judgement and with full discretion. He has shown start-ups how to change products to reach their full potential and multi-nationals how to overcome growing pains in security and privacy. He does this through The Institute for Security and Open Methodologies (ISECOM), the global organization he co-founded to research security, trust, and privacy in people, networks, systems, and processes. He promotes the best traits of hackers: resourcefulness, discovery, deep-dive research, learning from failure, problem-solving, and empathy.

Episode Transcript:

Transcription edited by @hakinadey

[Ran] Hi, and welcome to Cybereason’s Malicious Life B-side.
A few months ago, my youngest kid, Marom, who is 9 years old, asked me if I could help him create a new Fortnite account. It’s really an epic account, but anyway, that caught me by surprise, because I knew he spent almost all the money he gets from us and his grandparents on skins and fancy weapons, plus the literally hundreds of hours he spent on leveling up his character. So why create a new account? Well, Marom was reluctant to explain initially, but after some prodding, I got him to fess up. It turns out, he fell for a scammer who promised him an even better character with even better guns and axes and silly llamas or whatever else they have there.
Don’t ask me. I tried playing Fortnite a few times, but gave up after I got my ass kicked by one 6-year-old kid too many. Damn brats, I was kicking asses on Doom and Quake when your dads weren’t born yet.
Anyway, Marom knew that he wasn’t supposed to talk to strangers on the internet and certainly never give anyone his password, but he couldn’t resist the temptation. After he told me, we tried to get his account back, but it was already too late. The miserable look on Marom’s face when he realized the characters he spent so much time and money on were gone for good.
I knew he learned a painful life lesson and that he’ll probably be much more careful in the future, but I sure wish he didn’t have to learn it the hard way.
Education is something that I feel we haven’t discussed enough of here in Malicious Life, even though I think this is an extremely important topic, one that probably deserves its own podcast.
Kids today are growing up in a very digital environment and are exposed to many of the dangers that we grown-ups are exposed to. If we were cavemen and this was a jungle, we would probably spend a lot of time teaching our kids about poisonous mushrooms and dangerous animals. Well, the internet is our jungle and our kids need to learn about poisonous malware and dangerous scammers, the earlier, the better.
Our guest today is Pete Herzog, a security expert and an educator with a vision. He wants our kids to learn about cybersecurity and not just about not talking to strangers online. He wants them to learn even more advanced stuff, such as security analysis and hacking. Yes, security analysis at age 12. Is that too early? Well, have a listen to Pete’s conversation with Nate Nelson, our senior producer and judge for yourselves.
Enjoy the episode.

[Nate] All right, Pete, how about you start off by just introducing who you are?

[Pete] Hi, I’m Pete Herzog.
I am the managing director of an organization called ISECOM, the Institute for Security and Open Methodologies, which is a nonprofit organization. I’ve been running for close to 22 years now. And I’m also the acting CEO of an AI company called Urvin, and the two basically work hand in hand.
Obviously, one is AI, the other is security research. That’s what ISECOM does. And from ISECOM, we have Hacker High School, which is a project which we started in 2003, which I’ve been running with a group of volunteers. And that’s actually, it’s been growing every year. It’s been getting better and better. So that’s basically who I am. I’m a security guy. I was a, I guess you could say I was a hacker from the beginning. That’s who I am. I was one of the first people on IBM’s hacking team back in ’97, was it? So I was one of the first members of that back when it was still called e-security and wasn’t called hacking or ethical hacking or anything.
So I’m a long time hacker slash hacker enthusiast.

[Nate] Let’s introduce the problem here.
Whether it’s a lack of security talent in the market or a proliferation of people who don’t really know how to properly navigate information on the web, or maybe just a proliferation of malicious hackers online, how is our world in your view suffering from how we are educating or perhaps not educating, for lack of a better term, internet citizens?

[Pete] I am not a fan of internet citizens as a word, but I understand why it’s used. I just think that it puts a bad perspective in it. Like we really know what makes a good citizen. We don’t know what makes a good citizen. How are we going to know what makes a good internet citizen? Or at least even if we know how to do it or we think we know, we haven’t been having much success getting there.
So that’s a tough one. Where are we right now? I think we have a problem because we have so many young people on the internet, on devices, in so many different ways, I say different ways because some are through chats, some are through social networks, some are through apps, just many different ways to do it. And for the first time in human history that we see this is that young people are expected to sort of make an identity for themselves, say who they are, because that’s what’s required online is explain who they are when they don’t even know who they are. So they have to put who they are, their hobbies, their interests, and sell themselves to the world when they don’t really have their own identity yet. Many of them are struggling.
And this is causing many problems, you know, everything from young people not being able to come up with a good self-image because they’re constantly comparing themselves and their lives to other people to the fact that their privacy is being stripped away for nothing, for next to nothing.
And on top of that, they really don’t know how to use these things. I mean, these are just tools that are put in their hands, very powerful tools, and they don’t really know how they work. Not saying that you have to know exactly how, for instance, a car works in order to drive it, but you do have to have some knowledge over it and know what’s going to happen when you turn the wheel this way or that way.
And I think that’s one of the things that’s missing from education from young people now, which of course then spills over into the bigger problem of professionals. Where are we at with professionals? Do we have enough? Do we have the right kind?
I think this problem where we are with cybersecurity professionals has been exacerbated by the fact that for the last 30 years, the way of getting to here has been maybe a little too capitalistic, a little short-sighted on the good that could be done for humanity.

[Nate] And just to be clear, when you’re talking about young people not really knowing how the car works, what exactly are you referring to?

[Pete] Yeah, that’s the thing. This is such a broad topic. So if you want to just focus in on one small area, and let’s look at the social part of it.
So normal human behavior is to have a small social network where you learn, you make mistakes, you figure out how to get along with other people. You might have somebody who takes advantage of you.
But again, these are all small scale. That scale has been made absolutely huge. It’s been made internationally huge. And now you are socializing on a level where humans haven’t before. You have many more people capable of taking advantage of you, and they do. Many more people being able to attack you, which has never happened before to this size.
I used to joke that the internet was created because it allowed people to now steal from really, really far away.
But if you look at what’s happening to young people is that before they could even come to grips on how society works and how there are some bad actors and how they can be manipulated and how, yeah, bad things do happen to people, they’re already in it. They’re in it way too young, again, before they even have an identity or know themselves. And I see this a lot with young people where they fall for things that 35 plus year old people wouldn’t fall for because they’ve seen it. And they’ve also grown through a normal social network where they got to make mistakes without dire consequences.
Now, what are these dire consequences? It’s hard to say exactly. I mean, there’s loss of money. That’s an easy one. The loss of privacy, loss of reputation. You can get into sexting or any of these kinds of interactions where young people end up on Pornhub or whatever without their knowledge. This whole ex-girlfriend revenge thing was a real thing. They even built websites out of it. And we heard from a lot of young people reaching out to us, males and females, saying that they – how do they get themselves off that they have somebody that they shared photos with now posting them online?
And is this small stuff compared to what, you know, are they losing homes or are their families in jeopardy? Probably not. Not yet. All of this stuff can extrapolate, get worse.
I don’t like to be one of those gloomy doomsayers, you know, because, I mean, risk is risk. Anything can happen. It’s just that it’s happening to them way younger than it needs to.

[Nate] Now, how have you proposed to address the kinds of problems that we’ve been talking about?

[Pete] Well, one of the things we like to do is make young people aware that there’s many fields out there.
Obviously, one thing that school has always been good at is giving people a good foundation, right? Reading, writing, arithmetic, that kind of thing, and then extrapolating from there. As we get into the more modern times, obviously, they’ve gone from typing to computer skills. They’ve tried to update the skills of the young people as they’re going through school, but they’re really good at a foundation.
And I think that’s the same thing that we’re trying to do as well, is go back to making sure that they have a solid security analysis foundation, that they understand what security is, what it should look like. Threats come and go, they change the way they handle things all the time, the way attacks come in, that all changes. But there is a foundation of security.
Sure, it gets faster, prettier, smarter, but there’s still that foundation of how you analyze things, how you know when something is secure, how you know when there’s controls in place for future security.
So we try to give them this basis. That’s one way of doing it. And the other way of doing it is making sure that they understand that the future is way open.
I mean, when I was in high school, obviously, there was no hacking job. I was 27 when I ended up on IBM’s hacking team. It was my first job with a hacker role, a hacker title. And even there, they were very conservative about what they put on the business card. But who knew that I’d be able to try to break in the systems? It just wasn’t a thing when I was a teenager. And it’s the same thing now.
I mean, you have no idea what jobs are going to be available for them in the future. However, a good foundation is definitely going to serve them whatever they do. And because of that, having that good foundation, they should choose where they’re most comfortable, where they’re happy. And if that’s in a more IT role, if that’s with a big company or a small company, it doesn’t matter.
The foundation in security stays.

[Nate] And would you describe to me in some more detail what this foundation that you’re speaking of actually looks like?

[Pete] We do think about these things because obviously anybody can jump on YouTube these days and watch videos of people who say they’re hackers and how to make you a hacker. And we know that the kids are going to be there and they’re going to look at these things. And so we have to give them something more formal, something that they can build on.
So in Hacker High School, which is the project that we run, one of the first things we do is we play this game called Jack of All Trades. Now I do this with other professional training courses we do with adults. We do some work with Cyber Command and NATO and other government agencies around the world, militaries. And they all, whether it’s, you know, the thing is a lot of military or young people you’re talking, they join in at 18. So anywhere from 18 to 22, which Hacker High School kind of says 12 to 22. So that’s our sweet spot.
And if we want to look at what are we teaching them, well, in this Jack of All Trades, the first thing we tell them is, okay, there’s a scenario. And we give them a thought exercise and we say, you walk into a room, there’s a light switch on the wall and a light bulb hanging from the ceiling. Take one minute now to list 10 ways to shut off that light. And the idea here is that we want them to start being able to analyze things and see how they approach it, which is of course problem solving. And then we start giving them the tools on how to approach it properly so that they have something to lean on. We give them the knowledge and the tools.
So for example, everybody says, shut off the switch, break the bulb. Those are the easy ones. But then we start giving them tools and we say, we teach them about supply chain, okay. What is providing the electricity there? And they say, okay, well, there’s wires and then there’s the power plant. Okay. And so then of course they go to cutting the wires and blowing up the power plant. It’s always about breaking things, right? So we give them those tools and we explain to them that there’s a supply here. But things have to work in a certain way. So then the next thing we tell them is, okay, there’s channels for these things. You can help break these down in the channel. So one of the channels is physical. You’ve already done that. You’ve blown up and cut everything you can.
Now there’s another channel called human. How do people interact with that? Well, I guess I could ask somebody to shut off the light for me. Okay. How else does that affect? And you go down the chain now with these different channels, okay, the humans working at the power plant. What can I do with them? Well, I can social engineer them to shut off the power. Okay. You can do that.
And then they understand that concept and we go through physical and wireless and, you know, wireless is not just wireless networks. There’s from the light bulb itself, it’s giving off, well, depending on the bulb. But that’s another part of analysis. We asked them how come they haven’t asked what kind of bulb it is or things like that. But going into it, this is a learning exercise. So we tell them, yes, the more you understand then about what kind of bulb it is and how that bulb works exactly, you’re going to be able to secure it.
And that’s a whole motto we have in Hacker High School, that if you don’t know how it works, you can’t secure it, basically. So of course they investigate and we say, okay, it’s an incandescent bulb. So then they know it has a wire and that wire vibrates at 60 or 50 Hertz depending where you are. And so now that we know that, can we blast it with something to reverse the wave function? And yes, you can. And then you can stop the vibration.
So all of these things they’re building and they’re understanding that these are ways to attack it and ways to defend it. So you have your channels, you have your supply chain, you have your deeper understanding of how it works. And then you have what we call the four point process. Now we’re getting into real analysis. So you look at interactions, how do you interact with it? Can I touch it? Can I break it? What do you do to it?
Then you have emanations. What is it giving off? Well, it’s giving off light. It’s giving off a frequency. There’s more to it. It’s giving off people’s paychecks because there’s people working at the thing. So what’s something you can do? Well, I can stop paying the bill and wait. And then they’ll just shut off the lights on their own. There’s this whole thought process behind this.
Sorry, the fourth one was environment. The two that are missing are the resources. But the point is we’re teaching them this foundation, something that they can use for anything and everything.
And now, I mean, since we teach this, like the four point process is used for lots of things, whether it’s IT or security, I mean, be able to understand how things work is really what the four point process is about. So for example, in the light situation, if you look at the environment, this thing, this light bulb has to operate in a certain environment. OK, we know that. So how can we change that? And then you get answers like, well, we fill the room with water. That’s one way of doing it. You know, you change the environment.
So we give this entire process and they have a toolkit then to use. They have a place where they can step through piece by piece and you can apply this to anything and everything. And this is really the structure that we’re trying to give them because we don’t know where they’re going to end up in the future.
But those analysis techniques, man, I used it the other week for we’re trying to come up with a help desk scenario, support scenario for a new application that a client was using.
This was through Urvin and the client got this new AI application. So we’re trying to in case they had problems, we’re trying to set the support network so that we could fix any problems that might occur while it was in operation. So we wrote up this plan while with the client and while doing this plan, I was going through the 4PP in my head and I was thinking, huh, what are we missing? So I went through interaction, yes, and resources are there and then emanations, what are we learning? We have to secure this and who’s getting this? And then I saw environment. I’m like, we don’t mention the environment.
And I started thinking and looking through the support plan, I said, OK, yeah, they need to tell us where are they running this application. We don’t even, you know, how are we supposed to diagnose a problem if we don’t know what server it’s on or what environment, what’s it running on? And as stupid as it sounds, it helped us make a complete support.
This is why I’m saying that this is a basis. This is a basis towards everything and whether it’s security or like I said, because we don’t know where these kids are going to end up.

[AD] The attack surface has never been larger or more diverse, yet defenders are still forced to piece together intelligence from numerous siloed solutions that produce a flood of alerts in order to detect and end complex malicious operations. No more.
Defenders can now leverage AI-driven Cybereason XDR powered by Google Chronicle to predict, understand and end sophisticated attacks with the only solution on the market that delivers planetary-scale protection that allows them to predict attacker behavior through a revolutionary, Cybereason-centric detection and response approach.
Cybereason and Google Cloud are dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere.
Learn more about Cybereason XDR powered by Google Chronicle at cybereason.com slash platform slash XDR.

[Nate] So you at one point mentioned an age range 12 to 22. Now 12 seems kind of young to me. Why do you think that kids are ready at that age?
At what age do you think that hackers are born?

[Pete] Oh, that’s a good one. I think it depends on the influences you have, obviously, like anything else that you want to do.
For us, hacking is understanding problem solving and being resourceful about things. I think we determine with 12, 13-ish, about 12s on the early side, but you see kids starting to really become more resourceful. I mean, they do at a young age and again, depends on the influence.
Like sarcasm, right? If you’re a sarcastic person, you have kids, they understand sarcasm at a really young age compared to other kids where it might not be as common in the family. I mean, I know for my own kids, they picked up lockpicking and a lot of other things, you know, including the four-point process at a very young age because it was something that we always talked about or used in the family.
But I think for most people, if you want to look at it, 12 is about an age where you can expect them to be organized to start thinking things through, to be a bit resourceful and say, oh, I don’t have a pencil, but I have a marker, you know, and this kind of very basic stuff and being able to think through those things.
Again, it is on the young side and we’re not expecting much from them. As a matter of fact, young people learn through narrative. So the reason why we say 12 to 22 is because, right, your brain is forming and your frontal lobe isn’t finished even until you’re about 26, 27. So as you’re getting more logical and more understanding of risk as you get older, we’re trying to shape that with them and keeping that in mind, we know that we can address these things and make sure that we teach them the way that they learn best.
And again, since reason is one of the last things to come and logic later on towards the end is that we know that they learn best through narrative and that story. So like with 12, 13 in Hacker High School, every lesson has a range of stories in it. We call the stories Game On, it’s about a hacker character, her name is Jace, and she goes through her processes and things that she does. It’s a little story about her and it’s broken down to different pieces throughout the lesson. And of course, it’s called Game On and at the end of every story is Game Over because she’s so enthusiastic about what she does that she makes mistakes or breaks things or hurts someone’s feelings. And it’s always a Game Over at the end.
So we try to teach them these life lessons the way they learn best, which is through narrative, make them stories, but also make sure that they have a lot of empathy. Because I can’t go and have kids signing a contract saying, I will not be an evil hacker because, well, for one, they’re under the legal age of signing a contract and two, who’d believe it? So the best thing to do is actually give them empathy of what could happen. How do other people feel when this happens to them? What are the consequences for everyone?
So that’s why we can start with 12, 13, but with stories, stories and some physical security usually. We talk about locks, maybe there’s some lock picking and start teaching them a little bit about how networks work and getting on using computer systems correctly.

[Nate] And now on the other side of things, I personally run into and talk with a lot of folks who are involved with or otherwise run security companies. And what I hear a lot is that the pool of available talent is relatively low. There are more jobs out there, especially I’m thinking actually in industrial security, than there are candidates who are qualified to fill them.
And so what these companies end up doing is, in some cases, trying to train people who aren’t necessarily security professionals to be in security. And of course, that’s not terribly easy.
Pete, do you think that the way that you train young people can reasonably be ported to work for folks in their 30s and 40s who may not be in that sort of prime young multiple age, but are sort of new hires in a new space?

[Pete] This we learned the hard way.
So back in the early days of Hacker High School, back in 2003, we were all full of enthusiasm over this. We thought that we could teach all these teachers to sort of learn this stuff and then teach the students. And what we found was that adults, they didn’t have the same enthusiasm for learning as young people did. And trying to get them to learn all this new terminology in this whole new world was a bit overwhelming. And a lot of them either didn’t try at all, they just backed away right from the beginning, or they tried a little bit and gave up way too early.
And we saw this then going forward, as a matter of fact, this was kind of the reason why Hacker High School got created in the beginning anyways, because we have professional certifications for security testers and analysts and such things. And what we found was that the younger the student who took the exam, like if we had a college student who would get certified, they tended to score higher than adults who’d been working the field for 10, 15 years. We were joking around, we said, I wonder if we went back to high school age if they’d be even better. Because the whole idea was that they didn’t have to unlearn bad habits, but it was more than that. It was this enthusiasm and being exposed to this new world and trying to adjust to it and do things a different way sometimes.
So as we got into actually doing sort of security awareness, which we found later didn’t work, and it doesn’t work the way people think it does, right on through doing what’s called, I mean, what’s the word for that where they try to take like mechanics and make them cybersecurity people like sort of give them new professions. People who want that because they’re out of work or whatever. There’s a term for that. Sorry, I don’t remember. But we looked into that and it was absolutely clear we could not approach it the same way we did with young people, even though a lot of the same knowledge would be applied.
And so what we had to do was understand that we had to give them enough to do the job that they wanted to do, in which case, depending on where they were going to be. So a lot of it, again, I go back to IT and maintenance of security rather than actually being cybersecurity professionals and writing up policies and making up plans and doing in-depth analysis.
What we needed them to do was to be able to apply the analysis in their own realm, in their own little world. And by doing that, we wouldn’t overwhelm them because it was their world. I could go into one of these factory workers whose job has now been somewhat automated and they’re doing more now with online. So some cybersecurity is necessary. And we give them things, simpler things like the four-point process, but we break it down in easy ways and work with them directly on how they apply it to their job, not in abstracts.
Wow, I just said a whole lot just to get back to the point that with these older workers, with these adult workers, you can’t go in abstracts. You have to be very concrete. I think that’s the difference.

[Nate] All right. How about a parting thought to leave us with, Pete?

[Pete] Well, one of the things that I think is important is understanding how different groups learn. I think that’s really important and giving them some cybersecurity to go on.
Again, when I say you need to give them something concrete, I don’t mean practical concrete. We like to give them these little rules like how long a password should be, how often they should change it. We need to give them the why, and that’s whether they’re young or old. We have to give them the why. Why is this this way?
And it has to be packaged in a way that they can fall back on all the time and that they realize that how much of this is about trust and third parties. And if I have an account here on this website or that website, that is information I’m giving them and if they get hacked, then somebody is going to have that account and that password, which they can then try to apply to my other things.
You really have to package this information to them in a way that’s applicable, that’s concrete, but not in these lots of little things to memorize. That’s probably the worst thing and to dumb it down for them is even worse. I see that a lot happening too, is the dumbing down of what people should be doing.
Let’s focus on the why, help them understand it, help them understand how, and that’s going to do a lot more for people doing the right thing than just because they had to memorize a bunch of rules.
And I think that’s true with anything, you know, whatever activity you do.

[Nate] Pete, that should just about do it. Thank you.

[Pete] Well, thanks for having me and I really appreciate you having me to talk about this because I think we need a lot more people thinking about this. I’m just one person and I’ve been occupying my brain with this for about 22 years now and it’s hard to come up with solutions because it’s such a complicated problem.