More Hacker Highschool Q&A

Hi X:
Good questions all. Here goes:

On 9/5/14 1:51 AM, X wrote:


Good morning Glenn:


I am interested but I need to get a better sense of your vision, where resources are lacking to meet that vision and where our resources can be donated to assist.

This breaks into:

1. ISECOM’s vision for HHS.
HHS has always been a tiny by-project of ISECOM’s, and ISECOM is very decidedly not a business.
HHS is philanthropic, non-profit, open and free in the strictest sense of the words.

HHS will begin paying its own way as we take student testing live and take teacher certification training and testing live. We already sell hack-lab access and commercial licenses. Our principle goal is creating a self-sustaining operation, where students become teachers of subsequent classes, and teachers and security pros continue to update materials.

2. Where can HHS use help/resources.
a. My primary mission is completing the lesson curriculum. You can see the near-current list at:
It’s missing the newly proposed and begun Lesson 23, Hacking Crypto. Nice contributions going on there, and in Bullying.
Interested in working on a lesson? Let me know.

b. We need more exercises, and test developers. This is much tougher than it sounds. HHS is about hacking. We’re less about teaching How TCP Works than about How TCP Works And How To Subvert It With Hping3. Some people get it beautifully. See Lesson 7 for some good examples of Exercises. I’m always keenly interested in ideas.

c. Teachers clamor endlessly for materials. Many cry out, very few develop. 😉
If you do curriculum development, welcome!

3. What you can do, aside from all this.
Not everyone wants to be a contributor, in the sense of contributing written material. And few people develop tests, and few write training materials.

But you can discuss this curriculum as an option where it’s relevant to you. Since you’re involved in your son’s schooling, drop the name to the right person. At the current stage of materials development our marketing plan is personal and viral. As materials mature they’ll be more appropriate to present to school boards, for instance, and I can justifiably ask more time from ISECOM’s marketing people.

4. Wait a minute, there’s no business plan here.
That’s exactly right. ISECOM is a non-profit philanthropic research institute.

Nothing, however, stops me from running HHS classes as part of my larger ISECOM curriculum, i.e. in my own business. Anyone can. Are you familiar with ISECOM’s main project, the OSSTMM? ( I teach to and consult with the DoD/DoE and national labs, and this line of certs is on fire. This aspect of ISECOM is my main job. See:



Can you articulate under a best case scenario what you envision HHS to evolve to?  Adoption as a required digital curriculum with real time student assessments?  Or?

We are not Cyber Patriot, and we’re not necessarily for everybody. I can think of people who would smile at that question. Required? Not really. Sophisticated real-time student assessments? Actually, we can do all that stuff. We work with Mettl ( on some very powerful testing; it can grade the quality of the code you produce, for the love of pete.

But the tests are not cheap to create, host, grade. Did I mention that HHS is non-profit? This is very much an area I’m pursuing. It simply needs some serious work. And a hard economic reality: we can’t provide that kind of thing for free.



Competitively, at Defcon I learned of: Representatives assisting the next generation from this group were active and I would conservatively estimate at least 100 students both teen and pre-teen participated.  While had some big backers (e.g., Google) at Defcon, their weaknesses is the lack of focus in the public edu sector for this type curriculum. 

Yes, we’re aware of them. Some contributors are loudly opinionated about them. 😉

r00tz does one-off classes on interesting stuff at conventions. It’s a cool format in a cool venue. Some of it might not be appropriate for the intended audience in that isolated context. This has been a big, big, big deal for HHS. We’re distributed in Russia and Ukraine. Some things you can do freely in Spain will get you arrested in the US. Some things you can do in the US will get you shot in Russia.

So: Big Difference 1 is that we’re a semester-length curriculum, with the option to teach all-or-part as time, interest or Summer Camp allows.

We are very much not “white hat” or any hat. We teach the actual techniques on the live tools, rather than teaching “patch often and don’t click.”

We don’t do a final exercise that consists of patching and defending as fast as you can. To a degree, we’re the other guys: the guys you’re patching and defending against. I run VMs for my students to tear to pieces, for instance. Then I turn them on each other. It’s a kick.

And along with a higher degree of awareness we teach a heightened sense that things will come home to you. We give lots of examples of criminal hackers who are enjoying extended adventures in the Russian prison system, for instance. Every fun sneaky tool comes with ominous warnings, for example that nmap probes are easily recognizable and sourced. But there are plenty of positive examples as well: repressed people DESERVE those hidden hill-top suitcase cell-phone towers!

I’m thinking of Aneesh, a teenage contributor in deepest poverty-striken India and very much our target demographic. He learned to hack, found a weakness in the CIA – and promptly politely informed them of it. He now has a job with Google. (And here I am, still cranking out lessons for HHS.) 😉
HE’S what I want to see, and American kids with that kind of chops, too!




I’ve been doing curriculum development for 25 years, IT consulting for 20, security work for 15, HHS for four. I’ll be supporting it until I drop. It’ll stay free, “open source” (Creative Commons) and non-profit. Which leads to:

5. If you’d like to run it for your son’s school, that’s the final and best way you could contribute. Help me build this fire. I’m all about showing ISECOM some smoke.

Does this answer some questions? Let me know – thanks –

* * *