Sunday 8 April 2012

We should teach our kids how to hack and give them passion for programming

(from my drafts folder) Here is a thread I had a while back on the topic of 'what to teach UK kids at school to get them motivated in development' (and ultimately in secure development).

My view is that we need to teach them 'how to hack' (in the true sense of the word, and from the 'exploiting sites/vulnerabilities' point of view), since first we need to open their minds and get them passionate about programming.

My comments are the ones NOT in italic

> I think that if you want to inspire a new generation into AppSec we
> should teach them how to hack & exploit vulnerabilities.

> This is decidedly A Bad Idea (TM). One must teach the correct way to do
> things. One does not use bad examples to teach good behaviour.

Since when is learning how to hack and exploit security issues a bad example?

It takes real skill, focus, determination, knowledge and passion to find and exploit those issues. It's much more like detective work.

The key problem is that it is very hard to visualize what you mean by 'good behaviour' until what you call 'bad behaviour' is understood.

> We are discussing what to do with an ICT curriculum in schools, when youth
> have little to no computer science or development background. They need to
> learn the correct thing first.

NO, absolutely not.

They need to learn passion and love and craftsmanship first.

Programming is an artistic endeavour, just like maths (if you don't understand what I mean, I would point you to Paul Lockhart's "A Mathematician's Lament", which is amazing and clearly explains what maths should be all about: )

In fact, we should be careful not to make the same mistakes (for programming and secure programming) that the maths crowd made when they set up the current maths curriculum.

> Only when they have a strong grounding in
> best practices (which themselves are the subject of some debate) is a
> comparison against broken software useful.

Skipping the fact that even professionals in the programming and AppSec industry still have not come up with definitions and standards of 'best practices', you can't teach by showing solutions. You teach (and learn effectively) by providing a 'problem scenario' (where security is just a component), and then letting the students find multiple ways to tackle it (with the teacher providing clues along the way).

> Consider spelling. One does not teach spelling by providing a long list of
> misspelled words to children who don't yet know how to spell.

sorry, but actually you do :)

I have a 6- and an 8-year-old and just saw this happening in front of me. In the beginning the teachers are much more focused on getting the kid interested in reading books, and they are not that bothered if the kid reads the wrong word. The key is that the kid learns to like reading.

Correct spelling actually comes after reading: once the kid starts to learn how to sound things out, he/she is taught the grammatical rules and eventually has spelling tests on blocks of words. Even then, the teachers will reward kids that make good efforts and write down a spelling that is phonetically equivalent.

For example, I have in front of me a drawing from my 6-year-old where she has these words pointing to a picture:

  • iys
  • nows
  • grat
  • pursn 
Can you guess what they mean? :)

> One teaches
> the correct spelling first. Once the foundations are well built, one might
> introduce incorrect examples as a means of testing or reinforcing the
> learning. But the most important thing to teach first is the right thing
> to do.

Ironically, what you describe is how a lot of computing and programming actually is taught today, and it clearly is not working.

Note that I had a LOT of teachers at university and college that used those techniques, and I learned more about computers trying to write C++ and Assembly to play tricks on my colleagues than I ever did via the 'building good foundations' way.

> Hacking and exploiting are cool in the way that graffiti and vandalism are

That is your preconceived idea of hacking, and maybe this is where we have to part ways.

If you study history you will see that most computing advances were created by hacking activities, and reducing it to 'vandalism' is bringing down this conversation to a very low level.

You might as well say it is a 'terrorist activity' and remove any rationality from this thread.

> They are destructive activities that cannot, on their own, create

I believe in science they call this 'experimentation', 'validation' and 'peer review'.

Again, if you think that only destructive actions come from hacking and security exploitation, then there is not a lot I can say that will change your mind.

> They certainly don't need to be taught to kids who don't yet
> know how to do good development.

I happen to think the exact opposite, so maybe it is better if we just agree to disagree :)