Questions and Answers About Hacker Highschool

I field a lot of email as PM of Hacker Highschool. Sometimes I get such good questions that I have to share the answers. Recently I got this message.

On 7/26/14 8:30 AM, Officer X wrote:
> Greetings,
> Somehow, I stumbled upon Hacker High School a few months ago and was looking into it a bit more recently when I found your interview from 2012. I had a few questions if you don’t mind since you’re literally the only person in the country who is doing this. (From what I can tell, at least…)
> 1. Why hasn’t ISECOM and Hacker High School caught on more in the United States?
> 2. How can I get access to the Hacker High School materials to begin a program in my community? I currently teach a bit of internet safety in my community, but I’ve been reading quite a bit of Kevin Mitnick’s books lately. Time and again he mentions how early the gifted hackers start doing this – in high school, if not before that! This is something we absolutely should be doing.
> 3. You mentioned Hacker Night School for adults. That seemed rather fascinating, but I can’t seem to find anything for that. Would this be helpful for someone working towards their Certified Ethical Hacker exam? I’m currently studying for that, and have a bit of background in IT myself (was working a part-time job until a few months ago as an IT tech). But overall, I’m thirsty for knowledge myself and was intrigued by Night School.

> Thank you!

> Officer X

Good morning X – and thanks for bringing a smile to my Saturday morning.

I have to laugh at the truth of your statement that I’m the only person in the country doing this. In terms of teaching HHS, I guess it’s correct. But we actually do have quite a number of people in the US working with us, and I’d like to draw you into that fold. Let me see if I can get to the gist of your questions.

First, ISECOM. ISECOM has been very resolutely non-profit throughout its existence, which works very well in Europe, South America and even in the former Soviet bloc – but not in the US. Some past collaborators with ISECOM have wanted to be for-profit, and so they broke off and launched their own organizations. We’re basically fine with that, because we are a research organization, and what we’re looking for are the true roots of security issues, and truly effective, research-driven solutions, rather than a business model.

Are you familiar with the OSSTMM, ISECOM’s major project? It’s essentially *the* authoritative open-source security testing model. (Please don’t just take my word for it.) It’s not about “best practices,” long series of checkboxes or rote memorization. It is, however, always 5-10 years ahead of most other certs.

If we were already offering ISECOM certs here, I’d be selling you on the much less expensive, much more current OPST (OSSTMM Professional Security Tester)/OPSA (OSSTMM Professional Security Analyst) curriculum – but that’s not up and running yet in the US, meaning you’d have to train in Europe. My efforts to update and popularize HHS are really part of bootstrapping the whole ISECOM curriculum here in the US.

Now, on the subject of materials, actually you can get everything that’s been released on the lessons page:
– and I am working with a team of about 140 volunteers to complete rewriting the first 12 lessons, and develop another 10-15 lessons.

I’ll bet, though, that what you’re looking for is teacher’s materials. That’s the “secret” agenda behind running HHS at Warehouse508 here in Albuquerque: I’m documenting every step of the way so I can build a manual and a big pile of other material. Up until recently, HHS was simply the lessons themselves, and optionally access to the online “hacking lab.” Businesses running HHS for profit pay a $150 yearly license fee, which comes with online lab access. Not-for-profit entities can use the lessons (only) for free. But there hasn’t been a teacher’s manual – yet.

You are dead spot on about sparking early interest. We’ve done the opposite in the US, showing our young people that these jobs have already left the building. HHS is exactly intended to provide that early spark. Of course, that requires teachers with the courage to teach it, and schools that will run it. I tried very hard to establish HHS at a local university, but I think it’s going to work very well here in Albuquerque now that we’ve hooked up with a local nonprofit.

Hacker Night School. You’re right: we very, very much want to build it, and we can use HHS as a foundation. Given that we work entirely volunteer and not-for-profit, it’s a slow process. People have suggested, “Crack the whip!” But I’ve learned that’s extremely counter to our intents. Pete somehow gets these world-renowned security pros to give big chunks of their time and expertise to HHS. Let’s just say it’s not in my interest to push them hard. Like to work with some of them? Take a look at
and see if there’s a lesson (10 and above) that you’d like to join. I’ll hook you up.

So building HHS is not a quick process. HNS, on the other hand, will go much more quickly. We just have to finish at least the first 12 lessons of HHS. I have such a vast store of material people have submitted, we can go much deeper. I should note that one submission (rejected by us) involved Pwning a Police Car, and another discussed hacking the frequency-hopping security features of police radio (yes, also unpublished) – just in your professional area. Interesting, no?

You are more than welcome to use the lessons for free in not-for-profit situations. If you’d like access to the online lab you’ll need to buy a license; it’s a nice way to let students play with minimal risk. If you’d like to get involved in the project, you’re also welcome to join – just let me know. Thanks –


* * *