

Ask HN: Fun lures to teach a little brother to hack? - jobeirne

I have a brother who has struggled with behaving at school since kindergarten; he is now 15 and, because of recent and increased upheaval on his part (I can't say I blame him) is now being home schooled. He's a very intelligent kid who     loves computers and I'd like to take an active role in his education.<p>I'm currently a university student studying computer science, so I figured I'd put together a "Hack101" curriculum which we could work though during the course of the year as an elective alongside his core subjects; the class would  serve to lure him into computing via subjects more appealing to his demographic, i.e. mischievous, (somewhat) deprecated tricks that would be exciting for a youngish guy.<p>Thus far I have a couple of topics in mind, two being buffer overflow and mail spoofing; of course, these two take some working up to---that's how I plan to sneak in some legitimately useful material like x86 familiarity, stack architecture, and maybe some TCP/IP stuff.<p>I'm seeking other fun, relatively innocuous topics we could cover and possibly some resources on them. Any suggestions? Thanks very much!
======
rubinelli
Did I read it right? Do you really want to raise another script kiddie? There
are tons of ways to teach him ethical hacking, games are the easiest and the
most fun. Show him how to mod a shooter, or download something like Game Maker
and show him how to create a simple platform game. Don't teach him the kind of
silly trick that can put him in more trouble.

By the way, why you are assuming that, because he likes computers, he will
like hacking? Most male teenagers like cars, but very few of them are
interested in fixing or modding them. Help him find his own vocation, and
support him. He doesn't seem to be the kind of kid you can "shape", anyway.

~~~
jobeirne
Hey whoa pal, I didn't say I was going to hand him a copy of L0phtCrack and
tell him to get to it (note my use of the word 'innocuous'):

First of all, I said that we would be talking about deprecated tricks, just
silly things where the exploit environment would have to be set up such that
one could use these tricks.

Secondly, more of the citizenry should be aware exactly of how the most common
exploits work as to prevent future pieces of software from suffering the same
poor design.

Thirdly, I chose security topics because I myself am interested in them; I
wanted to choose a topic that I'd be interested in as well because that way I
have the tenacity to actually develop lesson plans, lectures and homework
throughout the year.

~~~
swolchok
"First of all, I said that we would be talking about deprecated tricks, just
silly things where the exploit environment would have to be set up such that
one could use these tricks."

Even the crusty old stack-based buffer overflow can still be exploitable if
the people who wrote the code in question didn't use any mitigations. It's
plugging my own work, but the Green Dam censorware vulnerabilities from June
(<http://www.cse.umich.edu/~jhalderm/pub/gd>) were stack-based overflows, and
I got a remote shell in the lab through Firefox on Windows XP. Apparently, DEP
was not properly activated in that build of Firefox. It's even worse with
unpatched XP, which, IIRC, has no DEP at all.

------
swolchok
You may be able to bait him into learning how to program by showing him what
the effect of a successful exploit is (i.e., remote shell). However, I think
it takes too long to learn how to program alone to attempt to teach someone to
program for the first time _and_ teach security at the same time. Nonetheless,
the reading list for my advisor's graduate-level security course is on its
website at <http://www.eecs.umich.edu/courses/eecs588/>, and there's a new
undergraduate security course being taught this semester at
<http://www.eecs.umich.edu/courses/eecs398/> . Porting Aleph One's _Smashing
the Stack for Fun and Profit_ to AMD64 is a useful exercise.

DSPython is a Python port to the Nintendo DS. If he's into that, you might be
able to get him to learn to program with the goal of making DS games. I tried
this with my younger cousin, but he's too young (under 10) to have the
required attention span. My patches to get DSPython working with newer
devKitPro are at <http://github.com/swolchok/dspython/tree/master> .

~~~
jobeirne
He's not completely new; he's done some C and Lua, so it wouldn't be a dead
start. Great information, thanks very much.

------
pavelludiq
The way i started hacking, was to thinker game config files, or mess with game
mods and see what are they made off. I actually did dis with only one
game(Lock on), because i am not much of a gamer. Lock on was a good choice
because i was obsessed with russian war planes and aviation, and because it
had an active modding community. I regret not actualy learning how to make
mods(other than skins for the planes) but i used to thinker a lot with config
files and some of the simple mods.

If you're 16, and the most advanced thing you've done with your computer is to
reinstall windows, a moddable game and notepad can do you a lot of good.

Plus, the game is really cool, i learned all sorts of stuff about planes,
physics, tactics and i got to blow up American tanks with the Su-25's
impressive arsenal.

