GenCyber

Over the years the NSF has financed various summer camps for high school students, designed to get them interested in mathematics or other areas of science. This summer they’ve teamed up with the NSA to deal with the problem of bad press due to the Snowden revelations by organizing a massive new program of quite different summer camps. The program is called GenCyber, and the New York Times today has an article about it here. This year the NSA/NSF is funding 43 camps (for a list, see here), with 1400 youngsters attending them; the plan is to expand to 200 camps over the next few years.

The NSA official in charge, Steven LaFountain, explains how the PR aspect works:

Mr. LaFountain said the agency would not make sales pitches to campers, but hoped that the work of the agency would be enough to lure them into the field.

“We’re not trying to make these camps something to make people pro-N.S.A. or to try to make ourselves look good,” he said. “I think we’ll look good naturally just because we’re doing something that I think will benefit a lot of students and eventually the country as a whole.”

According to the New York Times, one sort of thing being taught is how to crack password files:

“We basically tried a dictionary attack,” Ben Winiger, 16, of Johnson City, Tenn., said as he typed a new command into John The Ripper, a software tool that helps test and break passwords. “Now we’re trying a brute-force attack.”

Others in the room stumbled through the exercise more slowly, getting help from faculty instructors who had prepped them with a lecture on the ethics of hacking. In other words, they were effectively told, do not try this at home.

“Now, I don’t want anybody getting in trouble now that you know how to use this puppy,” Darrell Andrews, one of the camp’s instructors, warned loudly. “Right? Right?” he added with emphasis.

Teaching thousands of kids how to crack password files? What could go wrong with that?

The program at Marymount features indoctrination visits to the NSA together with the hacking instruction, and one of the instructors seems to realize part of the problem:

And here at Marymount University, where campers are staying in dorms for their two-week program, visits to the N.S.A. and a security operations center break up classroom time.

The idea — and the challenge — of the camp, according to its head, Diana Murphy, a professor of information technology at Marymount, is to first teach students how to hack, so they can understand and defend against attackers they might encounter in cyberspace.

“It’s a fine balance for me as a teacher, because you have to teach them some of the hacking techniques, and layer that in with an ethical discussion,” Ms. Murphy said in an interview before camp began.

“They are most interested in the attacking things.”


Update: CNN has an article up today about this here.


39 Responses to GenCyber

  1. telemurk says:

    Thank you for posting this. It’s the first I’ve seen about it.

    What an insane waste of resources with a high potential to create all sorts of disastrous blowback down the road.
    I can’t imagine what possible legitimate role the NSF can play here. Are they now so corrupted by NSA money and pressure that all common sense and all moral standards have been erased by excuses and equivocation?

    A slight suggestion would be to instead spend government money on math camps, run by the “old” NSF. That might lead to just as many future NSA recruits eventually, but also to engineers, climate scientists, and, yes, physicists and mathematicians - but with no potential downside and no compromising of the ideals of academe and of science. And, not incidentally, with the result of providing a much better background for the students.

    As for the NSA itself, instead of wasting money on this, they might still pull Thomas Drake’s Thin Thread approach out of the dustbin and thereby have a chance at catching real threats like the Tennessee shooter, before it happens. To avoid offending the corporate lobbyists, that could even be run in parallel to the currently in vogue and 1000 times more expensive “create an infinite haystack” approach.

  2. Peter Woit says:

    telemurk,
    It seems to me that the NSA tactic of making grants through the NSF here is much the same as the way they use the AMS to make grants. Involving these two organizations allows them to take advantage of their high credibility and reputation. I know of no evidence that both organizations aren’t willing sellers.

  3. Chris W. says:

    Concerning the reference in telemurk’s comment, Wikipedia has an informative article on the NSA’s ThinThread project (active during the 90s), for those who aren’t familiar with it.

  4. Michael Weiss says:

    Readers interested in the original generation of post-Sputnik NSF-supported summer science camps should check out “The Summer Science Program,” now in its 57th year and supported by its alumni. Designed for rising high-school seniors with a passion for physics and mathematics, SSP has focused on celestial mechanics (from foundations to observational astronomy) and was originally supported by Caltech faculty, including Richard Feynman and Maarten Schmidt in the 1960s and 1970s. SSP currently has two campuses (Boulder, CO and Socorro, NM), with a third campus planned in the life sciences. See link: http://www.summerscience.org and Wiki page. SSP is international in its outreach and remarkable for its mentorship of young women. The extraordinary alumni of SSP exemplify the wisdom of inspiring the next generation.

  5. wereatheist says:

    Teaching thousands of kids how to crack password files? What could go wrong with that?

    They teach them cracking password files. But the interesting thing is to get these password files 🙂

  6. Peter Woit says:

    wereatheist,
    Presumably breaking into systems to get the password file was in one of the earlier lesson plans…

  7. Jeff M says:

    It’s really upsetting that the NSF and the AMS get involved with the NSA, but it certainly goes way back, at least with the AMS. The NSA always has a big booth at the yearly AMS meetings, talking about how they hire more mathematicians than anyone else. Used to give me a good laugh in graduate school, since there is no way in hell I could ever have gotten security clearance, not that I ever wanted to work for the NSA 🙂

  8. Richard Séguin says:

    Is this displacing other types of summer math and science programs? I hope not. In the 1960s I attended two 6-7 week NSF sponsored math programs for high school students at universities, although at that time we did not call them “camps.” They were fabulous experiences, and they were not polluted by politics, dubious ethics, and indoctrination, which impressionable kids should not be exposed to.

    I’m sure that the NSA could have directly sponsored these things by themselves, but using the NSF as a front softens and confuses apparent intentions.

  9. Peter Shor says:

    The NSA is by far the largest employer of mathematicians in the country. Clearly, the AMS needs to have some relationship with them. (Just like the American Physical Society needs to have some relationship with the Department of Energy, one of whose objectives is the building of bigger and better atomic bombs.) But maybe they need to think about this relationship more carefully than they have in the past.

  10. Peter Woit says:

    Peter Shor,
    The problem is that, unlike the DOE weapons labs, the NSA deceives the public about what it is doing, to the extent for instance of having the National Intelligence Director lie to Congress under oath about this. Without Snowden, none of this would be known. What most bothers me about the AMS is the way they allowed themselves to be used by the NSA to mislead the math community in this way (about the back-doored elliptic curves). These summer camps seem to me to have a goal again of misleading the public, in this case kids and their parents, by whitewashing the story of what the NSA actually does.

    Besides this, there’s the other issue of whether training kids in running tools to break into computer systems is a good idea. The DOE analog would be summer camps for kids on how to design nuclear weapons….

  11. KenW says:

    We ought to be careful about getting all morally indignant. The nation needs its next generation of code-breakers and it starts with puzzle-solving, which is much enjoyed by kids with the right temperament. They should be encouraged and, eventually, recruited as one would recruit talent for any government job.

    Recruiting them at this young age makes me nervous, however. Mathematical talent surfaces at an early age, and they can handle that. But the ethical issues require a more mature mind. The schools should certainly do a better job of teaching math, including tricky stuff like puzzle-solving.

    But I’m uncomfortable about this NSA program.

  12. Richard Séguin says:

    “Teaching thousands of kids how to crack password files? What could go wrong with that?”

    Of course this could backfire! Once these young kids learn from the government that hacking is a cool problem from all angles, how long will it be before many of these curious, internet-savvy kids discover and connect with the underground hacker bandits and all their cool tools?

  13. Peter Woit says:

    KenW,
    The NSF and the NSA have for a long time been sponsoring activities for schoolchildren and undergrads promoting problem solving, and hoping to get students interested in this, partly to provide a workforce for the NSA for the future. This program is however something new and different. Looking at the various websites for the different camps, there’s a heavy emphasis on:
    1. scaring children about the supposed cyberthreats to the US homeland.
    2. promising them a well-paid career working for the NSA or someone else defending against such threats.

  14. telemurk says:

    This is just getting worse and worse:
    “This program is however something new and different. Looking at the various websites for the different camps, there’s a heavy emphasis on:
    1. scaring children about the supposed cyberthreats to the US homeland.
    2. promising them a well-paid career working for the NSA or someone else defending against such threats.”

    As the father of a young child, I think (1.) is not only ill-considered but is borderline criminal. Just because China and Russia and North Korea might employ such tactics doesn’t mean we should necessarily rush to emulate them. A background in trust and idealism like that I picked up in part from Boy Scouts, inspiring and admirable math and history and English teachers in public school in a University town (ok I was lucky), would arguably serve not only the children, the world but also the nation much better than this. They will have their whole later lives to learn cynicism and fear of the other.

    The reason the whistleblowers’ revelations (Snowden, Binney, Drake and so on) are so disturbing is not only because of the facts revealed, but because of the subtext: the people involved, at least at the higher levels, are willing to lie to Congress under oath, to intentionally manipulate public opinion to get what they want, all the while making dubious but self-serving policy decisions like this. That is, the programs not only have the potential for being abused but that is already happening, on multiple fronts. If the foxes are in charge of the hen house, what should we expect- and revelations like these can only increase our suspicion that the very wrong people are in charge. A wrong-headed program will select for bad leadership as those who are more reflective and perceptive are shunted aside or worse. “Trust us”, they say? And why, exactly, if you keep on proving the opposite?

  15. Ben R says:

    I don’t think you should be upset about kids learning to use password crackers in summer camp. The idea that this would make them more likely to hack websites is like the idea that playing violent video games predisposes kids to real-world violence. I think there’s no evidence that that’s true, and some evidence that it actually has the opposite effect, maybe by removing some of the forbidden-fruit aspect of it, or by providing a safe outlet for their curiosity. Anyone who protects any data with a password, which is anyone at all these days, needs a basic understanding of how dictionary attacks work so that they pick passwords that aren’t vulnerable to dictionary attacks. We also need kids who are interested in computer security and study it in college so that they can build more secure systems and keep everyone safe. You could just as well discourage kids from learning about any other subject that they might turn to evil. Like chemistry. Sure, let’s teach teenagers how to synthesize chemical compounds—what could possibly go wrong? And don’t get me started about physics.

  16. Axl says:

    I totally agree with Ben R. Plus, I think these teenagers know about the events of the past couple of years with regards to Snowden and that the NSA might be trying to pull a PR stunt and “groom” the next generation (though I don’t think it’s true). These kids aren’t stupid. They’re there because they’re interested and they know full well what the NSA has done and what they are capable of.

  17. Peter Woit says:

    Axl,
    I’m glad to hear that US 13 year old children are a lot more sophisticated about the NSA than many of the research mathematicians I’ve talked to, not to mention the general adult population. Impressive…

  18. Fred P says:

    They are learning password cracking. Note that password cracking software tools and instructions on how to use it are both freely available on the internet, and I’d expect any high-schooler interested in the subject to be able to access (and use) it easily on their own.

    If your passwords aren’t secure against dictionary and/or brute-force attacks, they aren’t secure (which is, I’d assume, the point of the exercise). When possible, my passwords are 128 random characters; as I use PasswordSafe, I never see them. This doesn’t mean that my passwords are secure; just that they are as resistant as I can make them against several classes of attacks. Password length/complexity is, of course, not a defense against rainbow tables.

  19. Axl says:

    Peter,

    You never watched or read the news when you were 13? When you were 13, did you think that everybody was good and nobody had ulterior motives and everyone was being genuine? Impressive…

  20. zzz says:

    “they know full well what the NSA has done”

    Really ?? because I don’t and I am 40 something years old.

  21. Axl says:

    zzz,

    I meant that they know they deceived the public and that they have spied on American citizens and collect their data. Of course, nobody (except for the NSA) knows full well what the NSA has done. I’m sure these tech savvy teenagers know about Snowden, etc.

    Anyway, the camp actually looks interesting and fun, regardless of what the NSA hopes to gain from this. These kids have heard of the Snowden revelations, and that we can’t really trust the NSA. And the NSA isn’t putting a gun to their heads to work for them after they graduate. So I’m not sure what people are so upset about. I would participate in this camp if I was a teenager and had the time.

  22. Low Math, Meekly Interacting says:

    I’m not about to sing the praises of the NSA. But I look at what happened to the OPM recently, and it becomes harder to argue against those with the attitude that, yeah, they’re mendacious, amoral spooks, but they’re OUR mendacious, amoral spooks. To possess superior cybersecurity is to have the ability to circumvent someone else’s inferior security, generally. I’m not sure whether I’d be more disturbed that the NSA deliberately strong-armed NIST into breaking Dual_EC_DRBG if I found out Chinese hackers were so much more clever that they wouldn’t have to to gain an edge. We should aspire to promote higher ethical standards in our government, obviously, but I wouldn’t want enlightened democracies to find themselves highly vulnerable to cyberattack because we couldn’t tolerate our youth learning how to hack. At least it’s somewhat out in the open, and if we are to be secure, then we need young people to learn these skills and be passionate about them.

    I’m quite sympathetic to your stance, Peter, and it’s admirably high-minded and scrupulous. But it’s not a high-minded, scrupulous world we inhabit. If this approach is inappropriate (and I’m not saying it isn’t), how better to stimulate interest among young people in cybersecurity expertise, which is an incredibly valuable asset we simply must promote?

  23. Peter Woit says:

    LMMI,
    Computer and network security is not a new problem, and there’s a huge ($100 billion/year order of magnitude) industry already in place devoted to dealing with it. Any problems with recruiting good people to enter the cybersecurity industry can be dealt with in the usual capitalist manner (pay them well and provide good working conditions and training).

    I just don’t see the argument that the solution to failures of the security setup at a government agency is to have the NSA setting up summer camps for children. It does though look a lot like a solution for the NSA to the PR problem created for them by Snowden…

  24. G.S. says:

    Peter,

    By that logic, we shouldn’t ever try to engage a teenager’s interest or teach him/her a skill. If it’s important enough, just pay them well as an adult and the good ones will be motivated purely by money to learn what’s necessary on the job. I’d like to see academic departments try that strategy to lure grad students.

  25. Peter Woit says:

    G.S.,
    I just don’t see any evidence that an insufficient number of people are interested in hacking or computer security. No matter what the skill, companies always complain that it’s hard to hire good people, and by that they always mean that it’s hard to get good people to work for what they would prefer to pay.

    The only problem with hiring in this field that I’ve heard of is that, post-Snowden, the NSA itself has found it harder to get good people to work for them (for obvious reasons). I don’t think these summer camps are motivated by solving any actual problem except the NSA’s PR one, and their attempt to do this by going after children is pretty problematic.

  26. G.S. says:

    It’s not your main point, but I’ve been working at software companies for several years now. Some of my responsibilities have included recruiting at job fairs, reading resumes, and conducting interviews for a number of positions, ranging from software/algorithm engineer to IT and computer security. What I mean when I complain that it’s hard to find good people is that it really is hard to find good people. There are a lot of applicants who think they can write professional code or work IT but who are woefully inadequate for the jobs. There are some who are qualified technically, but are completely inept at dealing with people in a professional environment — I think everyone has experienced at least one IT guy like that. The true talents are needles in a haystack.

  27. They are literally creating script kiddies.

  28. Low Math, Meekly Interacting says:

    Well, the private sector is good at competition, but it wants to sell to everyone, friend or foe of liberty and democracy. If loyalty to something other than shareholder interests is desired, I’d hope for a trustworthy national agency. Not that the NSA has demonstrated much ability to provide that, of course, but the kids in that article were getting some ethics classes along with learning how to crack bad passwords. The irony isn’t lost on me, but maybe it’s a start.

  29. Anonymous says:

    It’s clear that the NSA realizes it has an image problem and is actively working to change that impression. They have been actively recruiting undergraduates at the University of Utah for their summer program going so far as to invite a recent Utah alumnus / NSA hire to do the recruiting. Although NSA representatives claim analysts must work out of Ft. Meade many expect the situation to change fairly soon due to a recent addition here in the state:

    http://www.wired.com/2012/03/ff_nsadatacenter/

    There is also rampant speculation that part of the motivation for the Utah location is to not only draw from computer science programs, but also to tap into an extraordinary source for future linguists needed in critical languages (e.g. Mandarin, Russian, etc.)

    http://www.npr.org/2014/06/07/319805068/lessons-from-the-language-boot-camp-for-mormon-missionaries

    “The approach has also gained traction in the U.S. military. In fact, the ties between the U.S. military and the MTC run pretty deep. The Army’s Intelligence Brigade, made up of linguists, is based in Utah and draws on former missionaries to fill its ranks.”

  30. Michael Hutchings says:

    I keep hearing that the NSA is the largest US employer of mathematicians, but does anyone have any actual numbers or estimates? (I was rather surprised by the large scale of this summer camp program.)

  31. David J. Littleboy says:

    In addition to the “what could possibly go wrong” problem, the intellectual vacuity of the program is horrific. Couldn’t they think of something of intellectual value to teach? Sheesh. There is a bit of math (theory of computation, cryptography) and engineering (programming languages, operating systems) in the computer area that has some intellectual content. But this is so stupid it sounds like a parody…

  32. Peter Woit says:

    Fred P.,
    That supposed “shortage” is of top cybersecurity executives, sounds to me like just the usual “shortage” of “stars” in every field (although as G.S. points out, really good people are a minority, but I think this is true in most fields).

    Pretty much everything about the NSA is highly classified including their budget, number of employees, and presumably also the number of mathematicians working there (although maybe they told the kids being given tours of the place as part of their summer camp experience). I’d be a little bit suspicious about that “30-40” 2013 number, since I would have guessed that the NSA expanded quite a bit post-9/11/2001, so would have thought the recent numbers would be higher than the 2001 number. Maybe one issue is how you count who is a “mathematician”, since a lot of the work they do is applied work on the borders with other fields.

  33. RandomPaddy says:

    The profession of “cryptologist” needs to be terminologically separated from “mathematician” in much the same way as “theoretical physicist” and “computer scientist” were separated in the post war/Manhattan Project era. It’s fine for cryptologists to wander in and out of math conferences and vice versa, but this effective domination of the profession — certainly in terms of youth recruitment programmes at least — is not healthy or desirable in the long term. It’s leading to politicisation and increasing ructions. My own fear is that it will lead to nationalist/ideological splits in mathematics, a feat even the cold war did not achieve.

    These NSF camps should be “cryptography” camps, designed not to generate interest in “mathematics and science” generally, but codebreaking specifically. De-Facto this is the case, but their de-jure designation as “science” camps is leading to somewhat justified worries about an effective nationalisation of the mathematical profession by its now largest employer. This could be avoided completely, and turned in a win-win for everyone, if the distinction was clearly made between “cryptography” and “mathematics”.

    The NSA, its policies, and uses of mathematics lie very much in the temporal realm of politics. A profession of “cryptology” could exist alongside this realm; Mathematics cannot. It’s a subtle, indeed soft redefinition, but it should start happening sooner rather than later before the NSA embarks on any more such gaucheries.

  34. telemurk says:

    It’s an interesting discussion. But I think the idea that the NSA is actually “protecting” us is questionable given the many revelations of Binney, Drake, Kiriakou, Snowden and so on. Listening to some of the interviews on YouTube with these very intelligent, certainly courageous and (at least to their own way of thinking) very patriotic folks is an enlightening experience.

    Two small further points:
    -an IT security guy I met on an airplane told me that the speculation is that it was actually the Russians and not the Chinese who stole the personnel data; he said that was much more their style, and that perhaps for US political reasons it was more interesting to pressure the Chinese;
    -No doubt the kids who do go to these camps – especially the good ones-will forever be on the radar of the NSA, whether or not they end up working there, perhaps diminishing the odds they will use any hacking skills for (non-government-sanctioned) nefarious purposes.

  35. Joshua Rubin says:

    I am writing in defense of teaching about password cracking, and about understanding the tools bad guys are using.

    Passwords are one way of establishing the rights that should be granted by a computer system. Others exist too — something you know, something you have, or a physical characteristic. Sometimes two of those are used. Sometimes two people must cooperate. Designers must understand the tradeoffs.

    A good system must protect against realistic threats. It is important to be able to spell out those threats. The bad guys might make an educated guess about one person’s password. The bad guys might have a complete copy of everything on the computer system, but not have any password. The bad guys might want the password of any account, not a specific one. The bad guys might be monitoring everything the computer does, in real time. The bad guys might have resources that far exceed your own. The bad guys might know far more than you know. The bad guy might pretend to be a user who forgot their password. The bad guy might be the system administrator. The bad guy might be your love interest.

    Just as physics students need to play with air tables, future security folks need to play with cracking tools. Doing uses a different part of the brain than reading or listening.

  36. Tom Leinster says:

    Michael Hutchings asked “I keep hearing that the NSA is the largest US employer of mathematicians, but does anyone have any actual numbers or estimates?”

    In testimony to the Senate Judiciary Committee on 2 October 2013, Keith Alexander (then director of the NSA) stated that the NSA employed 1013 mathematicians and that they were the largest employer of mathematicians in the USA. He didn’t elaborate on what he meant by “mathematician”. Link here.
