As most of you know, the announcement email from CyberPatrior recently arrived, and it's time to get going with your teams to find and fix the vulnerabilities.
What is your first step?
This link will take you to a nicely prepared video explaining the steps in some detail. https://www.youtube.com/watch?v=4UveDN7xn9I It may be slightly out-of-date, but it will give you a good idea of the steps involved. You can also follow the steps I've outlined below.
Let's assume that you are going to start with the Windows 7 image. This is what you'll see in your email from CP.
Click or copy and paste the link (not the image above but the actual link in your email) to the instructions and password in a browser.
First, read the instructions!
That page will give you the download links. What you will download will be a .zip file. Put it in a folder that you have created for the files and instructions for this training round. Run the checksum verification software (WinMD5) mentioned in the instructions and THEN (using the password contained in the email sent to the coaches) unzip the file. The password will look like this H6xU2nK7sFRa but it will be a different combination of upper and lower case letter and numbers. Once it is unzipped, start the VMware software and click on Open a virtual machine. Browse until you find the recently unzipped image, open the folder and click on the file name that looks like this: cpx_win7_training.vmx You may have to answer a question as to whether you copied the image; answer in the affirmative! Yes. I copied the image...
Next, read the instructions again!
From now on, we will refer to the training image as the guest and your own, personal computer as the host. Your host computer is running the guest image in VMware.
Once the guest image opens, read AND PRINT OUT the README file. To print it you will most likely have to open it, select all (ctrl-a), copy all (ctrl-c), and then paste what you have copied into a text editor on your host machine. Then you can print it. Setting up the guest image to print is possible but a beast of a task. Definitely not for the faint of heart.
When printed out, go through the README with your team and highlight and number each of the items that will need your attention. A possible list might include the following:
Next, download the Windows 10 pre-flight checklist. While this training image is a Windows 7 image, many of the items on the checklist are similar. At this point, you will want to open the scoring document that you see on the Desktop, the document that will tell you about each vulnerability that you discover and remedy.
Go through the list and make necessary changes, writing down each change as you make it! At some point you will start hearing the Mario scoring sound effects. If you happen to make a change that loses you points, you will be notified, and you can use your list of changes to backtrack and regain your lost points.
PS -- Follow the same basic procedure with the Ubuntu image and the Server 2008 image. You will find an Ubuntu checklist on the same page as the Windows 10 checklist, and the Windows 10 checklist will help, to a degree, with the Server 2008 image.
How to use Notepad++ to suggest a topic sentence for a Shakespeare essay...
So, it's that time again when you have to write an essay on a work you've just finished in English class, and you're stumped. No ideas. Nada. Nothing. The tabula is completely rasa.
What if there were a way you could use technology to kick start your Macbeth essay?
First, download a copy of Notepad++, a wonderfully simple but very talented text editor for your PC. Have a Mac? Try using Coda, a Mac compatible editor available here.
Next, download a text version of Macbeth. I have always had success with downloads from Gutenberg, but you may have another, favorite source. Choose a text-only or plain text version. To download the text, you may have to right-click the text of the play on the page, select Save As..., and name it Macbeth.txt.
Then, open the text file in Notepad++. Once the file is open:
If you enable Bookmark line, you'll be able to step through the play with the F2 key and visit each use of the word blood (and bloody and bloodier because you didn't check "Match whole word only").
Finally, you can ease into your essay with a topic sentence based on what you found. "While Shakespeare's Macbeth employs the word blood and its variants forty-one times, it is only in the witches' scenes that we realize...."
Imagine a team of five kids who, because they have shown grit and cleverness in their middle-school years, are hired to protect the computer network of a small non-profit from hackers. They arrive on foot, by public bus, and by bicycle; two of them are dropped off by their parents.
Back-packs and parkas, wool caps and gloves litter the reception area of Public Pantry at the edge of the Dogtown neighborhood in St. Louis. Two of the kids, a girl born in Mexico and a boy whose single mom traces her roots to Ireland and Italy, begin to harden the operating system of an ancient PC used to keep track of food donations.
The other three, twins whose grandfather helped build the caissons for the Eads Bridge in 1873 and a pale, blond haired girl whose eyes avoid contact, start their mission by attaching a miniature computer, a Raspberry Pi, to the Ethernet port of the Public Pantry’s receptionist’s state-of-the-art computer, a recent donation from a local philanthropist. Keyboards click, monitors display black terminals with white characters. A laminated check-list makes its way back and forth between the two groups of cyber sleuths. There are cries of, “Yes…” and “Got’cha!”
Fast forward to the next year, in the spring. All five kids score above the 90th percentile on the Technology and Engineering Literacy portion of the annual NAEP test.
Fast forward to three different high school graduation exercises, where three of the five team members graduate with honors and will attend college in the fall. The two other members of the Lab Rats, a team name emblazoned on t-shirts they proudly wear under their different colored gowns, accept their diplomas, book awards, and cash prizes; they have already been hired by local cyber security contractors because of their having passed the System Security exam in their junior and senior years of high school. As high school graduates, they are only a year away from certification as cybersecurity professionals, earning $40,000 a year as interns in a hungry and rapidly expanding new-collar field.
Step back in time five or six years and meet the Social Studies teacher who empowered these young adults to become self-motivated and accomplished members of the 21st Century’s digerati. By all accounts, she’s a nominal in an ordinal or cardinal world, preferring a Moleskine notebook and a fountain pen to a tablet, relying on a radio for her music rather than streaming, reading a newspaper every morning before walking to school. She'll tell you that she's really a Luddite. She even knows who they were and sympathizes with them.
As a second year teacher in a progressive middle school she was volunteered to coach an all-girls after-school robotics team. When the funding for the robots fell through and three of the girls decided to play volleyball instead, she signed herself up as a coach and recruited three more kids to form the Lab Rats, a cyber security team, to compete in the Cyber Patriot competitions.
The rest, as they say, is history.
Imagine, if you will, a conversation with this teacher and coach:
How does an analog teacher coach a digital team? I figured that if I were asking the kids to learn the ropes of computer security, I could learn as well. I also knew that, from working with middle schoolers, they would learn at a faster rate than I and would soon be teaching me. This paradigm helped all of us feel comfortable with the process of protecting computers from hackers.
What was most daunting in getting your team up and running? The sign up process itself was a bit confusing. As in any new sport, the rules shape the playing field and the structure of the competition. It’s a bit like starting out to coach a baseball team if you’ve never seen a live game, just still photos of a World Series final game. Imagine trying to put together an ice hockey team if all you’ve heard are descriptions of ice and seen a picture of a puck. Once I found out that I could sign up as a coach first and register my kids later, I started to breathe easier.
What helped you the most? A small non-profit called Tech Lab STL gave me hands-on, step-by-step guidance in signing up as a coach and getting practice materials together for my team. Another non-profit, Midwest Cyber Center, offered help by providing mentors to teach the more difficult and technical parts of cyber security; they also helped put together summer cyber camps to introduce middle and high school kids to cyber security. These kids are really excited about joining our teams when school opens in the fall.
What continuing help did you receive? We asked for and got a lot of curricula pieces such as YouTube videos and tutorials. These really helped the kids understand what they had to do to find and fix the weaknesses in the Windows and Linux operating systems. Repairing these vulnerabilities are at the heart of the competitions. There is more than enough first rate teaching material out there, but it is a bit like taking a drink from a fire-hydrant*. Tech Lab STL and MC2 laid out curriculum for team training, like the drills coaches run during sports practice. They provided a structure, a path. Without a tech background, I could never have done this on my own. As a teacher, I know the value of a curriculum guide, a lesson plan.
What support are you looking for as you go forward as a coach? I’d love to have a source of sample images, as they call the virtual computer operating systems that are at the heart of the competitions. Once a competition is over, the images that the teams have been working with are deleted, so it is difficult to use the last competition as a teaching tool, the way we use going over a test in the classroom. In the classroom, I know the kids just want to get their grades and move on, but it’s different in this world. They really do want to know what they missed! I wish they felt that way when we go over a Civics test.
I’m in the process of having each of my two teams build vulnerabilities into an image and give it to the other team as practice. Making these OS images vulnerable teaches as much about cyber security as trying to find and fix competition vulnerabilities, and the teams absolutely love the in-house combat. Maybe someone could create a repository of student-made images to share with other teams. It would be like a pre-season scrimmage in soccer or volleyball. Everyone would improve!
What is your proudest moment as a cyber coach? We have yet to win at the national level, but one of our teams made it into the national semifinals in February. Our team sponsor, a business in the Cortex district here in town, gave the kids and me white felt fedoras as symbols of their skill and determination as white hat ethical hackers. For someone who still wears a watch with hands, that was quite a thrill... and a fashion statement!
*Mitch Kapor, writing about the Internet
Clive Thompson reminds us in Wired that there is a shift in how coders might appear in the workplace. Ginni Rometti, CEO of IBM, tells us that many new jobs in tech do not require a college or even an associate degree. These jobs she calls new collar jobs.
Thus the title of our blog.
Here, in the format of an imagined Q & A, are some thoughts on where we are, philosophically, in getting our local youth into the tech arena.
How can our youth, many without a college degree, compete in the new tech era?
Before the advent of code academies, most practitioners of the arcane arts of coding spent their formative years in four-year Computer Science degree programs in universities or colleges. This career path is changing. A fulfilling and solid career based on focused coding abilities is analogous to a career as a machinist or welder.
Don't these new jobs in tech require the depth of knowledge that only comes from a four year degree?
Let's look at the world of law. Much of the work behind the scenes at many law firms is handled by paralegals, knowledgeable, tireless, and focused individuals who do not need a law degree to add value to the profession. In the same vein, a four year BS degree in CS is hardly necessary for keeping the web presence of a local business up to snuff.
Is this like what was known as vocational education back in the 1960s?
There seems to be a swing back toward the rewards of specific, vocational training in tech and code and away from the debt inducing promises of a four year year college degree. To be fair, however, a four year degree can produce the job applicant that a start-up might hire to team-build a new digital world from the get-go.
Why wouldn't a start-up or even an established tech company prefer to hire someone with a four year degree to manage the front end of a company web site?
What computer languages should a young adult learn to break into the tech field?
That is a bit like walking into a dark, beery space with a neon sign reading gnilgneuY in red behind you and, by listening to the loudest members of the crowd, trying to figure out if Ford is better than Chevy.
The best answer is to look around and see what is being taught locally. Learning code the first time is often easier face-to-face in a structured environment like a classroom. It also helps to investigate what language allows you to do what you want to do digitally. Mobile apps? Web pages? Build games? Hack at the command line or console level? Each has its own proponents.
Go online to the various forums and listen to the chatter. Listen long enough and you will find a language that sounds worth your time to learn or at least investigate. That is how I was drawn to Python (simple syntax, sense of humor among its developers...).
Note: Whenever I hear someone say that they would rather push a Ford than drive a Chevy (or the digital equivalent), I leave that particular rant because I know I will learn nothing helpful.
So, outside of a CS degree, what would be the best way to learn how to code?
I think that there should be more apprenticeship programs in coding the way that there are for becoming a sheet-metal worker, a plumber, or a diesel mechanic, perhaps a program run by a software company or, in the case of open-source software, by the organization or user group that created it. A certificate could be issued upon completion of the apprenticeship attesting to the apprentice's degree of mastery of the software.