picoCTF: Teaching 10,000 High School Students to Hack

Peter Chapmanpeter@cmu.edu

1/15/2014Carnegie Mellon University

This material is based upon work supported by the National Science Foundation Graduate Research Fellowship under Grant No. 0946825.

2

Technology has the potential to truly revolutionize education by simultaneously reducing cost and increasing quality.

Founded Fall 2011

3

Udacity

2,500 Students over 400 Teams

Collegiate High Schools

4

Carnegie Mellon University2012

5

High School Computer Science Education

Eighty-two percent of surveyed U.S. millennials say no high school teacher or guidance counselor ever mentioned to them the idea of a career in cybersecurity.

Roughly 30,000 high students from 2,000 schools took the AP CS exam in 2013.

There is a nationwide shortage of computer security and computer science experts.

“It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950’s, to meet this challenge.”

7

picoCTFA competition-based computer security educational experience targeting high school students.

Introduce real-world offensive and defensive skills to all backgrounds.

Build the event around an interactive game to motivate students and teachers.

8

Capture the Flag CompetitionsCTFs

[1]

DIGITAL

Open-Ended and Difficult

9

Traditional CTF Competitions

Cryptography

Digital Forensics

Reverse Engineering

Binary Exploitation

Web Security

10

picoCTF Goals

1. An authentic, fun, and interactive hacking experience.

2. Encourage students to pursue degrees of computer science, regardless of incoming background.

3. Nationally recognize and inspire top competitors to become industry leaders.

11

What is a hacker?

12

HACKER: someone who seeks and exploits weaknesses in a computer system or computer network.

13

Provides a service!

We make vending machines!

I made the case.

I designed the keypad.

14

Let’s meet Kelly.

15

Let’s meet Collin.

?

16

An Idea!

?

17

Checks denomination of coin by size.

Checks inserted object by size.

RealityExpectation

18

How to fix it?

Let‘s check the weight too.

19

Another Idea!

?Computer security is a back-and-forth between attackers

and defenders.

We refer to our assumptions about the attacker as our

'threat model’.

20

Why teach hacking?

HACKER: Someone that exploits the gap between what is expected and what is possible.

Understanding how to break systems is necessary in order to defend them well.

21

The Team

22

Entertainment Technology Center

Experts in game development and design.

23

April 26 7:00 AM EDT - May 6 11:59 PM EDT

A polished presentation to welcome students and add legitimacy.

24

25

26

Sponsors

27

Success!

1,938 Participating Teams

8-10,000 Students

The largest computer security competition ever held.

955 Participating Schools

57 Computer Security Challenges

28

955 different schools.

29

Unsolicited Message from Pennsylvania Teacher

Wow! I haven't seen something like this light the fire of such a wide range of students in my 22 years of teaching computer science… Neither robotics, ACSL, face-face or online traditional programming contests, Logo, Alice, block based languages a la Scratch or AppInventor, early HTML development, or any other single CS phenomenon has ever inspired so many students to fight to get access in the computer lab after school and ask me cerebral questions such as bit-wise arithmetic or syntax questions on languages they haven't learned in school!

THERE IS NO DOUBT IN MY MIND THAT THIS CONTEST WILL SINGLE-HANDEDLY ATTRACT MANY STUDENTS TO CAREERS IN CYBERSECURITY AND COMPUTER SCIENCE IN GENERAL!

30

picoCTF 2014

• Fall Competition Date• Focused Computer Security Curriculum and

Educational Content• Emerging Partnerships to Expand Scope• Team and Instructor Management• Robust Communication System

31

picoCTF

Largest computer security competition ever held.

• Polish and presentation matter at scale.• Leverage existing organizations

for support and growth.

32