My Years With Hacker Highschool: Should We Be Training Hackers?

Glenn Norman

Flash forward from my first conversations on LinkedIn with Pete Herzog in 2010 to February of 2015, and one of the most persistent topics about Hacker Highschool: Should we be doing what we were doing at all? Were we training evil little script-kiddies, or maybe al-Qaida?

That whole line of thinking leads straight back to the problem of definition: “hacker” means something very different to the public than it does to the hacking community itself. Yes, we were in fact trying to bring young people into the hacking community, but no, we were not leading anyone to a life of crime. Far from it. Examples of ominous consequences are sprinkled liberally through Hacker Highschool, and discussion of exactly how visible you are when you’re doing inquisitive things.

The Hechinger Report tackled exactly this issue in the article “Should we train more students to be hackers?” by Chris Berdik, who defines it brilliantly (see links below):

For many people, the word ‘hacker’ conjures up shadowy criminals unleashing malicious cyber attacks. Beyond the headlines, however, there’s a whole world of hacking that has nothing to do with criminality and everything to do with becoming inventive, autonomous and more secure members of a society immersed in technology. Broadly speaking, these young hackers fall into two groups — security hackers, who learn how computer networks can be attacked in order to better defend them, and hackathon hackers, who compete in all-night coding binges to invent new applications and re-engineer hardware.

Notice that there’s no major third group called “criminals.” One way or another, it’s all about the engineering, about figuring things out and making things work and keeping things running. There’s a definite mentality here, maybe similar to aspiring chessmaster mentality or violin virtuoso-in-training mentality.

Chris quotes me:

“It’s the hacker mentality,” and technology employers can’t get enough of it, says Glenn Norman, a network security consultant who teaches the subject at the University of New Mexico.

Norman also teaches security hacking to high school students at an after-school club in Albuquerque called Warehouse 508. He’s a co-developer of “Hacker High School,” a nine-lesson curriculum published by the Institute for Security and Open Methodologies (ISECOM), a nonprofit network security consultancy.

The whole reason I was into all of this was the grins I get when my students open a whole new set of digital eyes on the universe. But I could see, as my teaching career approached two decades, a long, steep decline in younger students. My security courses brought lots of mature network admins and developers, but fewer and fewer students under 30. Were high school students losing interest? Or were they, I began to suspect, being steered away? Consider:

As college hackathons proliferated, high school hackers started to filter into the competitions. Soon, they started high-school hackathons. One of the first was held in March, 2014, at Bergen County Academies High School in Hackensack, New Jersey. Jared Zoneraich, now a senior at the school, organized the all-night coding bash (hackBCA) along with other kids he’d met at college hackathons. Four hundred students showed up….

I think there’s plenty of interest, if the will can be found. I’ve worked on too many hiring committees in my consulting career seeking highly qualified and specialized people that I knew would eventually be hired on an H-1B visa. There’s a huge debate on both sides about whether there really is a STEM worker shortage, whether the US can or does generate as many tech workers as the enterprise needs, whether we really need to bring tens of thousands of tech workers from overseas when we have American workers training their own cheap replacements.

So I hooked up with, and then managed, Hacker Highschool, and promoted it locally and nationally. It was a time-sucker and I loved it. But it wasn’t sustainable for me.

Hacker High School’s founder, Pete Herzog, managing director at ISECOM, says that despite the curriculum’s popularity, it’s becoming too costly to support and update, and won’t survive much longer without corporate sponsorship.

How true.

Google cache:

Perma Link:

Hacker Highschool: Foreword and Copyright Statement

Foreword From Glenn Norman, Project Manager, 2012-1016


As I’ve described in an earlier entry, I first got in touch with Pete Herzog and ISECOM ( in 2010 through LinkedIn because, as a professional editor, I thought I could make a contribution to the writing and layout of some of his products. Initially I thought about working on the OSSTMM (, but accepted Pete’s offer to work on lessons for Hacker Highschool ( In 2012 Pete asked me to take on the job of unpaid volunteer Project Manager for the Hacker Highschool Version 2 Rewrite Project, which I accepted.

Over the next four years I managed over 10,000 emails, almost 100 contributors and over 200 supporters of the project. Some of the lessons went through as many as 50 drafts, all of which I managed and edited. I learned a tremendous lot about hacking, hackers and hacker culture, most of it positive. By 2016, however, financial pressures forced me to relinquish the role of Project Manager.

The Hacker Highschool materials are open and free to the public, released under a Creative Commons Non-Commercial, No Deriviatives, Attribution Required License, which is an extension of copyright not formally embodied in law. Formal, legal copyright, of course, is always owned by the creator of a work, unless the creator is paid, or signs away rights in a contract. This means that all materials contributed to Hacker Highschool remain the copyright property of the contributors.

After my departure, ISECOM chose to keep our contributions but remove the names of several people from the Contributors pages, including mine.

So to preserve record of the contributions of the many good people of the Hacker Highschool rewrite project, here are the lessons that are my work product as the volunteer Project Manager of the Hacker Highschool Version 2 Rewrite Project from 2012-2016.

Parts of these lessons are Copyright © 2016 Glenn Norman, including editing, arrangement, verifying and integrating contributed materials, and original text. All rights are reserved, though these documents may be freely distributed provided this statement remains intact.

All other materials remain the copyrighted property of their respective contributors, beyond their use and acknowledgment in Hacker Highschool Version 2.

More Hacker Highschool Q&A

Hi X:
Good questions all. Here goes:

On 9/5/14 1:51 AM, X wrote:


Good morning Glenn:


I am interested but I need to get a better sense of your vision, where resources are lacking to meet that vision and where our resources can be donated to assist.

This breaks into:

1. ISECOM’s vision for HHS.
HHS has always been a tiny by-project of ISECOM’s, and ISECOM is very decidedly not a business.
HHS is philanthropic, non-profit, open and free in the strictest sense of the words.

HHS will begin paying its own way as we take student testing live and take teacher certification training and testing live. We already sell hack-lab access and commercial licenses. Our principle goal is creating a self-sustaining operation, where students become teachers of subsequent classes, and teachers and security pros continue to update materials.

2. Where can HHS use help/resources.
a. My primary mission is completing the lesson curriculum. You can see the near-current list at:
It’s missing the newly proposed and begun Lesson 23, Hacking Crypto. Nice contributions going on there, and in Bullying.
Interested in working on a lesson? Let me know.

b. We need more exercises, and test developers. This is much tougher than it sounds. HHS is about hacking. We’re less about teaching How TCP Works than about How TCP Works And How To Subvert It With Hping3. Some people get it beautifully. See Lesson 7 for some good examples of Exercises. I’m always keenly interested in ideas.

c. Teachers clamor endlessly for materials. Many cry out, very few develop. 😉
If you do curriculum development, welcome!

3. What you can do, aside from all this.
Not everyone wants to be a contributor, in the sense of contributing written material. And few people develop tests, and few write training materials.

But you can discuss this curriculum as an option where it’s relevant to you. Since you’re involved in your son’s schooling, drop the name to the right person. At the current stage of materials development our marketing plan is personal and viral. As materials mature they’ll be more appropriate to present to school boards, for instance, and I can justifiably ask more time from ISECOM’s marketing people.

4. Wait a minute, there’s no business plan here.
That’s exactly right. ISECOM is a non-profit philanthropic research institute.

Nothing, however, stops me from running HHS classes as part of my larger ISECOM curriculum, i.e. in my own business. Anyone can. Are you familiar with ISECOM’s main project, the OSSTMM? ( I teach to and consult with the DoD/DoE and national labs, and this line of certs is on fire. This aspect of ISECOM is my main job. See:



Can you articulate under a best case scenario what you envision HHS to evolve to?  Adoption as a required digital curriculum with real time student assessments?  Or?

We are not Cyber Patriot, and we’re not necessarily for everybody. I can think of people who would smile at that question. Required? Not really. Sophisticated real-time student assessments? Actually, we can do all that stuff. We work with Mettl ( on some very powerful testing; it can grade the quality of the code you produce, for the love of pete.

But the tests are not cheap to create, host, grade. Did I mention that HHS is non-profit? This is very much an area I’m pursuing. It simply needs some serious work. And a hard economic reality: we can’t provide that kind of thing for free.



Competitively, at Defcon I learned of: Representatives assisting the next generation from this group were active and I would conservatively estimate at least 100 students both teen and pre-teen participated.  While had some big backers (e.g., Google) at Defcon, their weaknesses is the lack of focus in the public edu sector for this type curriculum. 

Yes, we’re aware of them. Some contributors are loudly opinionated about them. 😉

r00tz does one-off classes on interesting stuff at conventions. It’s a cool format in a cool venue. Some of it might not be appropriate for the intended audience in that isolated context. This has been a big, big, big deal for HHS. We’re distributed in Russia and Ukraine. Some things you can do freely in Spain will get you arrested in the US. Some things you can do in the US will get you shot in Russia.

So: Big Difference 1 is that we’re a semester-length curriculum, with the option to teach all-or-part as time, interest or Summer Camp allows.

We are very much not “white hat” or any hat. We teach the actual techniques on the live tools, rather than teaching “patch often and don’t click.”

We don’t do a final exercise that consists of patching and defending as fast as you can. To a degree, we’re the other guys: the guys you’re patching and defending against. I run VMs for my students to tear to pieces, for instance. Then I turn them on each other. It’s a kick.

And along with a higher degree of awareness we teach a heightened sense that things will come home to you. We give lots of examples of criminal hackers who are enjoying extended adventures in the Russian prison system, for instance. Every fun sneaky tool comes with ominous warnings, for example that nmap probes are easily recognizable and sourced. But there are plenty of positive examples as well: repressed people DESERVE those hidden hill-top suitcase cell-phone towers!

I’m thinking of Aneesh, a teenage contributor in deepest poverty-striken India and very much our target demographic. He learned to hack, found a weakness in the CIA – and promptly politely informed them of it. He now has a job with Google. (And here I am, still cranking out lessons for HHS.) 😉
HE’S what I want to see, and American kids with that kind of chops, too!




I’ve been doing curriculum development for 25 years, IT consulting for 20, security work for 15, HHS for four. I’ll be supporting it until I drop. It’ll stay free, “open source” (Creative Commons) and non-profit. Which leads to:

5. If you’d like to run it for your son’s school, that’s the final and best way you could contribute. Help me build this fire. I’m all about showing ISECOM some smoke.

Does this answer some questions? Let me know – thanks –

* * *

Questions and Answers About Hacker Highschool

I field a lot of email as PM of Hacker Highschool. Sometimes I get such good questions that I have to share the answers. Recently I got this message.

On 7/26/14 8:30 AM, Officer X wrote:
> Greetings,
> Somehow, I stumbled upon Hacker High School a few months ago and was looking in to it a bit more recently when I found your interview from 2012. I had a few questions if you don’t mind since you’re literally the only person in the country who is doing this. (From what I can tell, at least…)
> 1. Why hasn’t ISECOM and Hacker High School caught on more in the United States?
> 2. How can I get access to the Hacker High School materials to begin a program in my community? I currently teach a bit of internet safety in my community, but I’ve been reading quite a bit of Kevin Mitnick’s books lately. Time and again he mentions how early the gifted hackers start doing this – in high school, if not before that! This is something we absolutely should be doing.
> 3. You mentioned Hacker Night School for adults. That seemed rather fascinating, but I can’t seem to find anything for that. Would this be helpful for someone working towards their Certified Ethical Hacker exam? I’m currently studying for that, and have a bit of background in IT myself (was working a part-time job until a few months ago as an IT tech). But overall, I’m thirsty for knowledge myself and was intrigued by Night School.

> Thank you!

> Officer X

Good morning X – and thanks for bringing a smile to my Saturday morning.

I have to laugh at the truth of your statement that I’m the only person in the country doing this. In terms of teaching HHS, I guess it’s correct. But we actually do have quite a number of people in the US working with us, and I’d like to draw you into that fold. Let me see if I can get to the gist of your questions.

First, ISECOM. ISECOM has been very resolutely non-profit throughout its existence, which works very well in Europe, South America and even in the former Soviet bloc – but not in the US. Some past collaborators with ISECOM have wanted to be for-profit, and so they broke off and launched their own organizations. We’re basically fine with that, because we are a research organization, and what we’re looking for are the true roots of security issues, and truly effective, research-driven solutions, rather than a business model.

Are you familiar with the OSSTMM, ISECOM’s major project? It’s essentially *the* authoritative open-source security testing model. (Please don’t just take my word for it.) It’s not about “best practices,” long series of checkboxes or rote memorization. It is, however, always 5-10 years ahead of most other certs.

If we were already offering ISECOM certs here, I’d be selling you on the much less expensive, much more current OPST (OSSTMM Professional Security Tester)/OPSA (OSSTMM Professional Security Analyst) curriculum
– but that’s not up and running yet in the US, meaning you’d have to train in Europe. My efforts to update and popularize HHS are really part of bootstrapping the whole ISECOM curriculum here in the US.

Now, on the subject of materials, actually you can get everything that’s been released on the lessons page:
– and I am working with a team of about 140 volunteers to complete rewriting the first 12 lessons, and develop another 10-15 lessons.

I’ll bet, though, that what you’re looking for is teacher’s materials. That’s the “secret” agenda behind running HHS at Warehouse508 here in Albuquerque: I’m documenting every step of the way so I can build a manual and a big pile of other material. Up until recently, HHS was simply the lessons themselves, and optionally access to the online “hacking lab.” Businesses running HHS for profit pay a $150 yearly license fee, which comes with online lab access. Not-for-profit entities can use the lessons (only) for free. But there hasn’t been a teacher’s manual – yet.

You are dead spot on about sparking early interest. We’ve done the opposite in the US, showing our young people that these jobs have already left the building. HHS is exactly intended to provide that early spark. Of course, that requires teachers with the courage to teach it, and schools that will run it. I tried very hard to establish HHS at a local university, but I think it’s going to work very well here in Albuquerque now that we’ve hooked up with a local nonprofit.

Hacker Night School. You’re right: we very, very much want to build it, and we can use HHS as a foundation. Given that we work entirely volunteer and not-for-profit, it’s a slow process. People have suggested, “Crack the whip!” But I’ve learned that’s extremely counter to our intents. Pete somehow gets these world-renowned security pros to give big chunks of their time and expertise to HHS. Let’s just say it’s not in my interest to push them hard. Like to work with some of them? Take a look at
and see if there’s a lesson (10 and above) that you’d like to join. I’ll hook you up.

So building HHS is not a quick process. HNS, on the other hand, will go much more quickly. We just have to finish at least the first 12 lessons of HHS. I have such a vast store of material people have submitted, we can go much deeper. I should note that one submission (rejected by us) involved Pwning a Police Car, and another discussed hacking the frequency-hopping security features of police radio (yes, also unpublished) – just in your professional area. Interesting, no?

You are more than welcome to use the lessons for free in not-for-profit situations. If you’d like access to the online lab you’ll need to buy a license; it’s a nice way to let students play with minimal risk. If you’d like to get involved in the project, you’re also welcome to join – just let me know. Thanks –


* * *

Hacker Highschool is running at Warehouse508

Hacker Highschool ( in cooperation with teen venue Warehouse508 ( will be running this Fall semester, beginning September 10. Classes will run on Wednesday afternoons from 4-6 PM for 12 weeks. Information on signing up will be posted on the Warehouse508 website.

If you’re on my obscure website, it’s likely because you know I manage the Hacker Highschool v.2 Project. Some 150 volunteers from literally all around the world have come together to build this curriculum and continuously improve it. We’ve got most of the first 12 lessons rewritten for v.2, and teams are working on (as of today) 11 more, with more really good lessons being proposed all the time.

Lots of teachers have asked for a teacher’s manual, which is under construction now: I’m taking this opportunity of teaching HHS at W508 to document as much as I can about proposing the course, choosing how many hours to teach it, setting up lab space, setting up (in our case) virtual machines for students to work on, setting up network access to the hacking test lab at La Salle University and anything else I can document. So for now, it’s not ready, but if you’re looking for it, interested in it or ready to help build it, contact me.

We owe huge thanks to the many people who are making this possible, and I’ll start by giving big and expressive thanks to the team at Warehouse508, Andy, April, Victor and more. There is so much more to come, and you guys have the fun attitudes to make it a joy. Thank you!

* * *

RoboRAVE: from a middle-school gym to an international event

There’s a very cool event born and grown right here in Albuquerque: RoboRAVE, for 2014 a three-day event at the Albuquerque Convention Center, runs simultaneously in several countries including, appropriately, Alburquerque, Spain; Columbia; China; France; and the Czech Republic. You can find a Alb. Journal article at

I see that a nonprofit called Inquiry Facilitators has run some 200 workshops for students. The original project rose from CNM teacher Fabian Lopez, who spread his enthusiasm to several other teachers including the one vastly motivated Olga Vasquez, who teaches high school robotics, rocketry and microsystems at East Mountain High near Albuquerque. In other words, a small core of three or four people made all this happen.

We could replicate this growth with Hacker Highschool ( using the same methods: start with a one-day event, make it fun and truly interesting, and spread the word. Run it in several cities, if possible, and share video and screen captures. This seems to me (now that Hacker Highschool has eaten my life) like a valid immediate model.

Team HHS, comments? Email them to me.


[Hacker Highschool : Cyberbullying : “Alex Wonder” game helps kids fight cyberbullying]

One major Hacker Highschool lesson we projected was Lesson 22, Cyberbullying. At we’ll move forward at a much faster pace on this issue, particularly if we keep getting good submissions.

Material dealing with cyberbullying is available by the ton on the Internet, but as with all subjects, separating the wheat from the chaff is difficult.

Some authorities suggest reporting bullying immediately; here in New Mexico, that will get you branded as a snitch, which will not be good for your future health. Others suggest turning the tables and finding ways to turn the brutality back on the bully. While this may be satisfying, it also simply perpetuates bullying.

How about one of the popular trends in training, “game-ification?” is trying this approach,  as Hope Gillette reports on

Alex Wonder Kid Cyberdetective is a new game introduced by designed to help children safely navigate the Internet. Children follow the adventures of Alex Wonder as he helps children learn to identify the warning signs of cyberbullying and learn how to responsibly use the Internet.

The basic technique is “stop, block and tell.” I personally become immediately skeptical, for the reason I mention above. But the game-based learning style may be effective. You can download the game from; it requires that Adobe Air be installed.

If you give it a try please drop me a line and tell me what you think.

The people at have an interesting piece, “What is Cyberbullying and How to Stop It” ( There are some excellent charts about the laws on bullying and sexting in the different US states, and my particular interest, some discussion of tactics for dealing with bullying.

My question to my readers is: Will these methods work? Do you know of any, or of better ones? Register to comment on and tell us what you think.


Educational Models: Massively Open Online Courses

I’ve been managing the Hacker Highschool v.2 project for over a year now, and it’s become nearly an (unpaid) full-time job driven, to some degree, by altruism. The requests we at ISECOM (the creator of Hacker Highschool) are fielding include online courses, teacher training and certification, online communities for both students and teachers, answer keys for the exercises and a whole lot more.

All this has us thinking about the learning styles of both adults and teens. Many of my friends are teachers at UNM, CNM and other institutions, and several of them have led “hybrid” courses that include both time in class and time online with the class community. We’ve all taught the traditional in-classroom courses, and some of us have developed e-learning materials that students use on their own.

What would you think works best? In-class, followed by hybrid, followed by solo e-learning, right?


The hybrid classes are substantially better for younger learners. That makes this model attractive for Hacker Highschool, but perhaps less so for trainings that involve older learners.

How about duration models? Is the weekend “boot camp” less effective than a class that meets 12 hours a week for three weeks? Is a semester-long, three-hours-per-week traditional 16-week class even better? I wish I could tell you, but the evidence is all over the map. Many of my colleagues are leery, though, of the boot camp format, simply because people can’t do intensive learning eight hours  a day.

So what about MOOCs, massively open online courses? “Free education for everybody” sounds nice, but students and cultures are so extremely diverse that it’s hard to imagine, much less construct, courses that work for “everybody.”

Consider this article, “A MOOC Delusion: Why Visions to Educate the World Are Absurd”. Ghanashyam Sharma, an assistant professor in writing and rhetoric at the State University of New York at Stony Brook, argues that “No matter how much hype is generated or money is invested in accessing learners worldwide, the ‘massive’ component and the lack of student-teacher interaction will continue to plague this mode of online education for non-American learners.”


The LoST Project: a testbed network for hackers

ISECOM and La Salle – Ramon Llull University have collaborated in building an eLearning environment for specifically dedicated to trainers and students of ethical hacking. This has long been a tricky issue: how do you train up those young (or not so young) hackers? Turn them loose in the wild?

The LoST Project gives us an opportunity to test their skills on virtual machines representing a variety of targets, from PCs to database servers. And because it’s designed to grow with each graduate student contributor, it should stay relevant for years going forward. Check it out at: