Summer Hacking School

June 9 - July 28, 2010
7:00pm - 8:00pm
HT building, Northern New Mexico College (drop-in, not through NNMC)
EspaƱola, New Mexico

Before you can design secure systems, you need to understand how attacks happen; and before you can understand how attacks happen, you have to know how to attack. In summer hacking school, you'll learn about all aspects of computer security, from the obvious: math and programming; to the subtle: sociology and law.

These aren't lectures, they're interactive discussions where we talk about the things that interest you. I only come prepared with a brief outline. Some classes have parts where you can use your laptop to try things out; if you don't have a laptop, don't worry, you can pair up with someone else.

The textbook for this discussion series is Little Brother by Cory Doctorow. It's a free download, available in many formats (for iPod, J2ME for many mobile phones, PDF for computers, and more).

Thanks to NNMC for letting us use their space!

June 9: Social Engineering

In the first class, we'll get right to what everyone wants to know: how to hack your friend's Facebook account. We'll talk about spam, scams, and phishing, how the bad guys turn your own kindness against you, and how you can spot these tricks.

We'll learn how to "spoof" email to make it look like it's coming from anyone in the world, what measures are being put into place to make this difficult, and why it's taking so long to fix the problem.

We'll also start working on the final project: tricking our volunteers (your friends and family) into doing something they shouldn't do on their computers.

More about this class

June 16: Being Sneaky

We will talk about what your ISP can see, what they can't see, and how you can be in charge of deciding this. We'll learn about the difference between authentication, encryption, and anonymity. We'll discuss steganography (hiding information, like the Trojan Horse), and we'll discuss the benefits to society as well as the costs to society of these techniques.

Lastly, you will create a PGP key pair, and sign everybody else's, so we can use public channels to exchange secret messages with each other.

More about this class

June 23: Electronic Fingerprints

What if you were on vacation in New Khavistan, when you stumbled across important information about a plan to invade EspaƱola? How would you make contact with the CIA while avoiding being detected by the New Khavistan secret police?

Following on to the previous week, we'll go over what sort of fingerprints you leave behind while using computers. You'll dream up ways to have secure authenticated anonymous communication with the CIA, and I'll be the secret police and tell you whether things will or won't work. Avoiding detection isn't as easy as you might think!

Just for Devin, we'll talk about different techniques to get around firewalls, anonymize web surfing, and tunnel traffic in strange and exciting ways.

Lab: we'll trace some email, and then try to send some untraceable email to each other.

June 30: Codebreaking

In this class, we'll go over the last 1000 years of encryption technology, starting with the monoalphabetic substitution cipher used almost until World War I, and how to crack it.

We'll finish up with SSL/TLS, and talk about the current balance of power between those who want to communicate securely and those who want to read those communications.

You'll get to try your hand at breaking some actual encryption, and learn a technique to pass secret messages using only a deck of cards, which is considered stronger encryption than what your mobile phone uses!

July 7: Viruses and Worms

How they work, who's behind them, and the money involved.

Lab: Play tanks

July 14: Hacking the Web

HTML forms, JavaScript, XSS

Lab: Rewrite an HTML form to buy a digital camera for $1

July 21: We Launch Our Attack

We'll use this entire class to perfect our attacks against our friends, and launch the attacks when we're all done.

July 28: Results

We'll see how our attacks did, talk about Def Con in Las Vegas, and pick hacker names for ourselves.