http://cosmiclog.msnbc.msn.com/archive/2007/05/21/199009.aspx
By Alan Boyle
May 21, 2007
They weathered the worst that hackers could throw at them, and still
kept their computer network running strong. Fueled by pizzas and pop, 19
teams of high-school students pulled an all-nighter over the weekend,
during a computer security competition aimed at rewarding kids for being
the good guys rather than the bad guys.
"The kids had a blast," said Doug Jacobson, director of the Iowa State
University's Information Assurance Center and one of the organizers of
the weekend's High School Cyber Defense Competition at the Ames campus.
The idea behind Iowa State's high-school contest - as well as its big
brother, the National Collegiate Cyber Defense Competition - is to turn
students into system administrators for their own computer networks. On
the big night, the student "Blue Teams" are pitted against a "Red Team"
of upper-class and professional security experts who try to hack those
systems.
"It's like the real world," said Jessica Archer, project manager for the
collegiate program.
The competitions run overnight, lasting 15 hours for the high schools
and 24 hours for the colleges. During that time frame, the students are
asked to change passwords, reconfigure Web sites, deal with
sometimes-clueless network users and cope with anomalies ranging from
hardware failures to mock fire drills. All the time, the Red Team
members are trying to hack their way into the networks - and often
succeeding.
"One of the things they love to do is put pictures of themselves on the
kids' Web sites," Jacobson said.
During last weekend's competition, judges doled out demerits for system
downtime, exploited network vulnerabilities and anomalies that aren't
dealt with. The teams could have some demerits taken away by fixing the
problems and explaining how they did it. At the end of the competition,
the team with the fewest demerits won.
For the second year in a row, West Des Moines Valley High School took
the weekend's top honors. Team adviser Dave Cochran credited the win to
a high degree of preparation, with support from professional mentors at
a local computer security firm. But team member Michael Flagg, a
17-year-old junior, said plain old vigilance played a role as well.
"How we won is that we watched our network activity like a hawk," he
told me. "The purpose of my machine was for people to write code. The
second they'd write, I would open that [code] up, and if I identified it
as a threat, I would just delete it right beneath them, even before they
could run it. We got a few points for that."
This might sound a lot like work and not much like play - but once the
cat-and-mouse competition gets going, it's as gripping as a video game.
"Typically what we see is that none of the teams will take breaks,"
Archer told me. "They're so focused and so into it that they just sit in
the room the whole time, working."
Archer was talking about college students, but the high schoolers
clearly felt the same way. "I'm going to do this again next year," Flagg
said. Here's what the other members of Valley High's team said:
* Ryan Tew, an 18-year-old senior and budding computer scientist, was
the school's only returning Blue Team member. "This time, it was
pretty much the same. There was a lot more activity throughout the
night. ... The thing I learned the most about was how to use Active
Directory to limit different users' activity on the computers."
* Jordan Shkolnick, a 17-year-old senior, was the team's only woman. She
admitted that she sometimes found herself doing "girlie" jobs but for
the most part was treated as one of the guys. And being a female
computer whiz isn't all bad: "Basically, it gives you an advantage,
because they don't think you know anything or can do anything - so you
can take them by surprise."
* Joel Miller, a 16-year-old junior, said this weekend's contest was a
huge learning experience: "Everything was a surprise. We just didn't
know what was going to happen when we went into this, because they try
to keep us on our toes. ... When you're working with other people, it
makes it a lot more fun."
* Trevor Nelson, an 18-year-old senior, said his classmates thought it
was "pretty cool" that he was on the Cyber Security team. "Some of
them wish they knew about it before, because they wanted to join," he
said.
* Joel Miller, a 16-year-old junior, said this weekend's contest was a
huge learning experience: "Everything was a surprise. We just didn't
know what was going to happen when we went into this, because they try
to keep us on our toes. ... When you're working with other people, it
makes it a lot more fun."
* David Turner, a 17-year-old junior, said that he had no experience
with computer security issues before joining the team - and that his
involvement has given him a new perspective on computer hacking. "I
hadn't heard about the bright side of hacking," he said. "I never
realized that this kind of stuff could be put to a good use."
Jacobson said that's a big take-home lesson for kids who run counter to
the stereotype of a teenage hacker.
"It's not really complicated to get the hacking tools and go attack
something," the professor told me. "What they realize is how challenging
it is to defend. ... You have to win every confrontation, and the
attacker has to win only one."
Of course, the Red Team gets to have their fun as well. "They look
forward to the high school competition because they get to play on the
other side," Jacobson said. "They get to be the bad people."
For high schoolers as well as college students, Cyber Defense marathons
are much more than one night of geek glory: On the collegiate level,
Texas A&M University won last month's nationwide competition and will be
invited to the Department of Homeland Security's Cyber Storm II security
exercise next year. I have a feeling those kids won't have to worry too
much about finding jobs when they graduate.
On the high school level, the schools that participated in the Iowa
contest get to keep the computer equipment they were given during the
buildup to this weekend's event - thanks to the project's sponsors. And
Jacobson is already laying plans for a bigger, better "IT-Olympics" at
Des Moines' Hilton Coliseum next April.
"We hope to have about 1,000 kids next year," Jacobson said.
_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon May 21 2007 - 22:55:05 PDT