 Welcome to Security Matters Hawaii. I know I'm not Andrew. Our award-winning host is away for the week. He'll be back with you very soon. Until then, you've got to deal with me. I'm Dave, formerly the Cyber Guy. I'm now known as the Professor. I work for the University of Hawaii Kapiolani Community College and I teach Network Security and Ethical Hacking. I'm here with some guys from ISECOM. We're going to talk about their organization. It's an open source community organization. They run Hacker High School. I know you want to know all about it. First of all, Pete Herzog, you're the managing director, ISECOM, and Bob Monroe. You have such a difficult name. It's tough. No, you want to be board member, but you're also a technical writer. Yes. So you help with this stuff. I am pretty much the lead writer. You're the author. He's one of the main writers on there. So I would say that most of the writing is handled by the two of us, right? Pretty much. Yeah. So this will work. Well, tell me, first of all, a little bit about you, who you are, how you got into this organization, and then what is the organization? So basically, ISECOM, the Institute for Security and Open Methodologies, is an organization we built to support the OSSTMM, which is the Open Source Security Testing Methodology Manual. A manual for penetration testing and analysis. It's basically a standard that I wish I didn't name that because I had no idea it was going to be so successful. I would have named it something like The Dragon or something cool, right? But I did what I did, and so I'm stuck with it now for almost 20 years. Yeah. It's okay. From now on, every one of my blocks is going to be The Dragon. I'm going to talk about The Dragon, and that's what it is. Something cool. Yeah, I don't know. Hawaii, mongoose. But yeah, so I'm stuck with this name. 
Anyway, so we built the organization to support it, and what ended up happening is that we were certifying people in the OSSTMM as a standard, which is a way of how you penetration test and do security analysis and this kind of thing. And what we found was that the younger, the younger the person was taking the exam because we were doing some universities, the better they were scoring. And just we were talking, I was one of the University of La Salle that we were working with at the time. We still have a great partnership. And I said to the head guy there, Jalmai said, so I wonder how young we can go, and they'll still pick this up because their grades were getting better the younger because they didn't have to unlearn all the crap, basically. That's the problem with the girls, isn't it? We have to unlearn and open our minds and accept the new, right? They just kind of absorb it. That's right. They just take it as that's it. That's how it is. And that's how it works. And since it's very logical and it makes sense, they just pick it up right away as the way to go. And so we sort of put this thing together called Hacker High School back in 2003 already. Just as I know, I know, and it just did miserably. Nobody wanted it. Teachers wouldn't learn. They we've put on these classes for teachers to to learn security to bring cyber and MySpace was still popular. It will still going. We had 12 lessons out there. And it was we just couldn't get schools to pick it up. They were afraid of the word hacker. They were afraid of having kids have this sort of independent learning. They were afraid and we couldn't get teachers to learn it to want to bring in the schools. You talked about public schools, all schools. As a matter of fact, the only schools who really picked up on it back then was private schools, especially religious private schools. I was going to say working with the Department of Education in any area, massively difficult when it comes to learning outcomes, right? 
So you try to introduce something like hacking as a learning outcome. Oh, it's a big bureaucracy in the way, but private schools would have a little bit more openness and opportunity to to expand and to so military academies was another one that that picked up on it. I would hope so. And we did pretty well there. But it just I mean, it was a it was a project that was just an albatross really, it was just bringing us down. We were we were doing well with certifications in the OSSTMM. We're really trying to get this out to young people because it was so important, but nobody was touching it until about 2014. I think we had a big turn around was the big news on 2014 was kind of this asymptotic curve of accelerated hacking. It just so is that you think that was the the fulcrum? I think that was a big part of it. I think well back in 2012, we started rewriting all the lessons so that the students teach themselves. We we we really focused back in 2009 already we started working on how people learn in general we started doing this whole neuro hacking thing for for for social engineering and all this kind of stuff and and my favorite is my favorite toys the human mind. Yeah, I love messing with people. So social engineering. Awesome. So we use this to figure out how teens actually learned. And then did you figure it out? Yes, actually, we did. We did raise 14s and I taught high school. I still don't know. It's gonna impart this wisdom. Well, it's right there. We actually made it based on how they learn. That was the whole point. Sure, it's not perfect for everything but for the most part based on the information we know about learning. We went the best way we could and and so we we put as much effort into to making this. Bob did a lot of the narratives. He he kind of guided the the storyline for for each lesson that we did. So all paragraphs only 140 words. Actually, this next version is gonna have to be right? Yeah, it's just emojis. 
Actually, they didn't really do well with that. So that's I like this. It's it's it's a kind of a self guided tour. Yeah, it's completely self learning. We took the we took the actual teachers out of it. We we put in what happened was we stumbled into this thing called gradeless learning that there was this huge thing for it online. This sounds like something at a Santa Cruz, California. I tell you and and we thought, you know, it was it was at least grassroots effort. They were trying to get picked up and we were grassroots effort. You know, we stopped going to the schools. I talked to one superintendent from a bunch of schools, I think in Philadelphia, I think it was and and she said, we love the idea. We this was back in 2014 already. We love the idea. We think it would be great. We don't want to deal with PDFs. If you guys made books, we would buy them and we would do it. They just didn't want to have to print out the material. Oh, so it was like this this light went off like, oh my god, we should have water saying people don't want it for free. They want to buy it. But and and then that's too bad. I know. So we left the free ones out there. We made books from it. I we made actually these three books and another book on how the hackers told Christmas. We did all four books in one month to present it at RSA. So we did one one book a week and yeah and it's I think we sold out at RSA, right? We sold out in two days. We had it back off. Yeah and we had to start getting print outs to shipped to people. We sold over yeah thousands and now they're just people are picking up on it. They're getting translated into other languages. We're getting the whole set now translated into Polish because they want to put all their military runs through it as part of basic training. They want to they want a version of this not exactly this. It's most of the same stuff the same material. It's just with less teen but the the the people entering the military there are 18, 19. 
So they actually fit within our that's your demographic. In our demographic. Yeah. So Bob was also telling me you were in somewhat 50 countries or 50 languages. No, 12 different. We're translating in different languages. 50 countries. Yeah, we're somewhere around that. That's a huge organization but you guys don't seem like you're that large in staff. Right. Just doing this incredible work worldwide on minimal resources. We get a lot of volunteers people in their own countries who want to run it. We have a guy Starry out in in Myanmar. He just loved it. He took over. He started a Facebook page on it. He started you know bringing I think he's got 5,000 people plus. As a matter of fact it's very popular. It's probably our most popular country. And they just self teach. They used the PDF lessons. They translated themselves and that's what a lot of places do. They just run it. We've got a guy now in Russia who's doing the translations. We let people just take over. Is that a good idea? You know we get we we thought about this. We did. Well there was an incident where it was in Spain. I got an email back from a gentleman that was translating it in Spain and he wrote me back and he said if I translate this one particular exercise police cars right yeah if I translate this into Spanish I could be arrested. I said then don't translate that part. It was about hacking police cars and and there it's it's not even something you can joke about or talk about. And you know obviously we allow certainly way and we end up making a lot of good connections in different countries where we can have other people proof what's already been translated. That way somebody doesn't stick things in there that shouldn't be you know. Well that's so odd. I always thought Spain was such a casual ongoing place. Kingdom of Spain. It's a monarchy. I mean yeah but they're so relaxed. Depends where. I'm totally kidding. Maybe along the med somewhere here. Not the rest of the country. 
There's different rules in different countries everywhere so. I would imagine how do you keep track of that. You have a spreadsheet somewhere. We use Slack. We use yeah we use spreadsheets. You guys use Slack. Yeah. And how do you keep that secure. We don't have to an open organization so we just have to worry about the integrity of the stuff. All right good. It's just more for communications. Our students were using Slack for some of their communication. I said watch what you're putting out there. And I had to you know reemphasize some of the communication methods they use because you know you were telling me his group of this technology it's kind of ubiquitous. They just kind of accept it. But some of them really do need to know the foundations of the technology. Now we always tell your smartphone and I asked them what's the lowest tech word that you can come up with to describe that device. And none of them got it until one person who's in his 40 said it's a radio. And it transmits every single direction all at the same time unencrypted. So that's why you don't text somebody let's kill them tonight. Yes you know now it's evidence. That's why you signal for that. What is a wicker there's a I can't keep up with them all honestly. They come and then they go. So we actually use teenagers to tell us what what they're doing and some of the parents will take screenshots of the of the of the phones to show us the main apps because the the teams will put on the main page the main apps that they use. So that way they can share with us what's going on and we investigate and honestly I some of them make no sense to me they're just not interesting like it's such a grind to actually be on some of these apps games. That's just kind of being a parent. You know this is a grind to be an apparent kind of investigate what your kids are doing. Eventually everyone gives up that's high school. 
I'm glad you guys are introducing this hacker high school when the teens are at the point where the parents can't keep up anymore you're introducing this material that actually guides them down you know a path that was we think is acceptable. Right rather than well we can say the dark side. We don't tell them what to do. That's that's one of the things about learning for teens is you can't just go and say no do this because then they'll say screw you we're going to do something else and really my daughters were like that. Yeah really. No I'm kidding totally like that. That's the rebellion. And that's the point. I mean so we wrote the lessons with empathy with thought about consequences but never telling them don't do this don't which is what all of the other material out there and there's there's no real curriculum out there but what is out there for schools especially for free starts with page one you're a criminal if you download this if you do this if you do you know and it's all that you know do not do not and of course where's the success in that you know it's it's wonderful that you're teaching people how this happens I don't think a lot of people in organizations any organization actually understand this unless you've had this kind of training you don't understand that unless you learn how the hackers do what they do it's extraordinarily difficult to catch somebody who's doing that on your network but if you've done it you know I'm going to leave footprints here I'm going to have to break in here this is the protocol that I'm going to use metasploits a great tool and it uses all these other scripts and if you can learn how that the hackers do that then you can mitigate that on a network and you can defend yourself but I don't think a lot of organizations understand that that's why I think this is so glorious well part of the hacking part of it though is also the how hackers teach themselves and how they work in small groups and they they get information and 
they research all sort of problem solving and self learning part of part of what every school would want you think you know that that they would think that they can go out in but it makes them better students at the I mean you've been teaching no teenagers for a while right right here in Hawaii two and a half years and you're survived well one of the one of the concepts we bring across is a mechanic needs to be able to take apart an engine needs to be able to take apart a car to fix it sure a surgeon same thing needs to know how they do autopsies and they work on cadavers and everything else most professions you don't you need to know how the thing works how whatever it is that you're working in so we take the same approach in order for me to know how a network works I need to know how to take it apart one minute break and we're coming right back and you're going to continue on that point because it's a great point we got to pay some bills have a couple of commercials got it everybody's security matters will be right back
welcome back to security matters I'm your guest host Dave Stevens the professor I'm here with Pete Herzog Bob Monroe of ISACOM and Bob you were just telling us about how you like your teachers to break it down and teach others how to break down the systems that they need to fix you were telling us about the analogy of the auto mechanic he used to know how to break down an entire engine before he can start to fix engines so tell us more about that theory and how you put that into books well for example one of the classes I did a couple of weeks ago to demonstrate how radio communication works how cell phones work two soup cans a piece of string connect them and you got one kid on one end the other kid on the other end and they get us understand how a wave works across it across the string and it's very inexpensive but it illustrates the point of how a radio works how a cell phone works how it talks to the tower and tower communicates back to it very simple the denial of service works yeah put the string in there you got a DDoS you put it in multiple places you got a DDoS but the but the principal idea behind it is being able to disassemble something and yes you may not be able to put it back together again but the idea is for you to learn from what you took apart and then you figure out how to put it back together again you need to do that same thing with security networks when we do auditing and when we do the Austin we need to know exactly how that network works what are the interactions how the environment works and students are our teams we're teaching are 
phenomenal when it comes to this their curiosity levels are to the roof we were talking the other day we got nine year olds that are running bash scripts that fifth grader I was talking to before the show running around with two computer books in this backpack it's part of the interest and I think that's one of the biggest problems with school in general it was when I went I don't know about you guys but I got really bored learning the revolutionary war for the eighth time in every grade you do the same history class my teenagers now they're books I look at their history books I'm like who learns like this no wonder I was so bored at school it's so boring it is boring stuff and the thing is the story like what my wife started doing actually for helping them learn history is start teaching it like the gossip it is that they're used to hearing on TV like the Kardashians and stuff she actually can take all the things with the monarchy and the fights and everything the infighting and turn it into drama that they're used to hearing this was also occurring at that time I love that hit kind of history I mean the Madness of King George or whatever but that makes it interesting yeah make it interesting that's hard to do with a lot of topics and I think that's how computers used to get caught I mean when I don't know of how old you guys are I was learning in the early 80s computers at college it was significantly boring because you had to go through electrical engineering first because they wanted you to know all the components of the computer before you could actually deal with drum memory you had to learn how the electricity was inside the drum memory and storing bits and bytes but now it's just hey take this computer and typing these words and now you have a Python script and it just kind of works you don't need to know how the mainboard was assembled right and I think that's what's interesting and it's now and it's fast paced right it's not this long slog through 
electrical engineering before you can do so no we try to get them hands on immediately as fast as possible so that they can they can actually start learning and then of course we throw in the pieces of as it goes along I mean we have 11 lessons throughout these three books we have a 12 lesson online that's going to be integrated into the book later as we do the rewrites but yeah we try to get them hands on as fast as possible so they don't lose interest we come up with all sorts of games and and things that that they can do and of course we have to deal with I mean some of the things that people don't think about because they're like oh why do you say this why do you do it that way and we say well for one we have an international audience now everybody's going to understand English the same way I mean just asking the security community what a penetration test is and you'll get you know 500 different answers you know so we have to deal with that okay and we also have to deal with different laws different customs different cultures because it's out there for everyone and it's you know so we have to keep that in mind as we go forward we want them to get their hands on we want them to start learning but we also have to keep everybody in mind and and how they learn and how they approach where do you start them off I mean if you got these 12 lessons what's that first lesson like what do you what do you what's your kickoff right in the beginning is the third beginning is on coming up in since yeah command lines syntax the difference between Linux the difference between windows difference between Mac are you just Mac that's great a lot of people just leave that off the table no there we have all three we have the very first lesson is called being a hacker and it's all about the idea of hacking is learning it's it's not just breaking into things it's about how you figure things out because when I I mean my title on the in the business world is hacker analysts so what do I 
do I take things apart I go to a company I break things down into pieces that's what the OSSTMM is about how to categorize things that there's only two ways to steal anything there's only three ways that that that you have operational security we have these things numbered that was the whole point of the OSSTMM why it was a big deal when it came out was because we said forget everything that people think they know about cyber security and let's re reinvestigate it let's research it from the ground up as if we know nothing and find the truth what are the facts that we actually can know about it and once we found the facts then you can build security you can take it apart you can you can really diagnose it because you know how all the pieces are supposed to work that's how great discoveries and science are made anyway let's take what we know break it down and see if there's a piece that we missed or if we can expand we were amazed how nobody had done that before this was what this was 2000 nobody had broken it down yet the cyber security was still in its infancy and that's almost 20 years ago now but this is young science anyway right we knew how to break stuff way back in the 70s yeah but not how to prevent that stuff being broken until people like you started saying well how do we stop that let's break that down how did this happen how did they figure this out what is the system like exactly and so the first lesson let's get to that is being a hacker right just going through running stuff like what ipconfig or what's out there in the network or sure all that that's lesson two is the command line stuff all that how what makes up the network how you move around there's there's a few things on directories but we try to keep it interesting it's basically getting around the computer whichever computer you're using lesson one being a hacker is more about how you apply yourself where do you get your resources how do you how do you learn this and then lesson two is 
command line and stuff but right from lesson one we're having them give themselves a hacker name start thinking about how we're going yeah really so that's great yeah so learning as fast as possible where you can go out there read the things in the communities because the truth is many of them are already out there asking questions in hacker groups how do I how do I break into Facebook how do I break into Instagram how do I and actually I wrote an article how to hack Instagram which is one of the most popular articles of all time because so many people bring it so many people Google it and and really it's just an intro to hacker high school that's really what the article was it was you know hacking is a grind you know you don't just hack into Facebook oh that's one of the most frequent things I have to tell my students they get a little impatient with me and then I teach college and they're impatient with me I keep telling them it's not like NCIS where there's that one girl that can like do 16 keystrokes and have someone's complete life in front of them not even the NSA can do that I mean there's pieces gonna be they're gonna be missing you have to go out you have to use open source intelligence you have to use your scripts you have to do some of the dark web work and gather intelligence and then start going through the process of reconnaissance and footprinting and scanning and all that other stuff before you even break into something before you even do anything illegal you're gonna know what you're going back to right yeah yeah yeah it's it's it's amazing that people didn't know I tell them a lot that you know if you're gonna hack a company how do you know what scripts to use even if you're gonna go be a script kiddie how do you know what scripts to use because you don't know the operating system right how do you know it's Windows what's security level what's you know what are the protections are they using Palo Alto Networks Cisco oh what's the one from Asia a 
SonicWall you know you don't know those things until you go out and read things like LinkedIn or Monster or whatever the job posting is and they say oh we need someone to work on Palo Alto Networks oh okay so you're using Palo Alto Networks that that kind of that kind of digging work is something people don't realize about what hacking is you have to know how discovery from the from a macro on a micro level you have to know how everything works together and how the thing works itself better better than the people who made it because usually the people who make it they're only putting other parts together a lot of development today is taking libraries from here and there and this and that and and they're developing in that way and they don't even know how it all works which is why a lot of vulnerable software is a library vulnerable vulnerable that's right yeah I would expect in the future we're gonna start discovering a lot of JavaScript frameworks have a lot of great vulnerabilities and I haven't seen a lot come out yet but there's just so many they're so ubiquitous out there we're gonna see a lot of hacking using those libraries because they're inserted into so many websites right well we did we did some some math on this that's that's the other thing we work with a lot of universities we do a lot of math there's there's actually university in Rome who's who has PhD doctoral students doing OSSTMM so they're really yeah we're getting a lot of great research based on what we've done matter of fact OSSTMM 4 was supposed to come out but there's so much great research coming out from so many different angles it's really hard to put it together now and make sure that we review the research that's done before we put it in it's it's been so you have one chariot and 500 horses yeah pretty much pretty much it's it's it is that's a great analogy that's where we're at wow these lessons books are all based off of the OSSTMM so they're they're actually real security it's 
not just so they're getting real lessons in defense real real information on on how to move forward and actually not just break things but also how to secure them based on what you learn how to analyze at the end of this are they working towards a certification you can offer somebody who takes this course yes we we started now because there was such a demand for it we have this thing called certified hacker analyst which is we worked with IBM on on lesson 12 because they wanted junior SOC analysts and so with all the information so see security operation center right sorry got to speak to the chiefs right so yeah that was the ideas because there's so many job openings still I mean numbers vary from 2 million to 2.2 whatever a couple years we're going to be three and a half million dollars or jobs short yeah exactly so it was about getting people interested in getting them going in this so we worked with IBM on lesson 12 which was that and there was this need for schools to have a certification direction for it so we came up with certified hacker analyst which is based on all the material in these three books that's how you get the grants and you're gonna have a goal yeah we got about 30 seconds left so let's let's discuss how you guys are putting this into high schools and how people who watch the show can get involved how can I get involved if I just known about this and I just saw this well basically you have people like Bob who just taken upon themselves to be a teacher okay he applied himself he has the resources he just does it and we get a lot of teachers like that who just want this in their school and they're willing to go forward even if they have no security ability because they know it's about getting students to teach themselves and working in groups what sort of greatest learning they go to hackerhighschool.org hackerhighschool.org they get all the information alright you guys got about 10 seconds to promo your stuff and a yeah I have to come on back 
I do a show of cyber underground on Fridays if you guys are around we'll do another show we'll discuss this even more if you want but thanks for coming around and I'm sorry Andrew couldn't be here wonderful come on out again give us updates maybe come out six months three months yeah you should come out you're here you talk about the school in the classes he's got great stories about what the students have figured out I mean we're building this up like crazy we have so many cool things going on so many new toys coming out for this that schools can just get hackers in a box basically they get all the kit right in a box and they can they can start I love it thanks for coming out guys thanks a lot thank you for having me thanks thanks for joining us on security matters everybody Andrew will be back presently and you won't have to deal with me anymore and just stay safe