Society

AUDIE CORNISH, HOST:

When it comes to summer camps, there's something for every kind of kid. There are soccer camps, theater camps, circus camps. But a camp devoted to breaking stuff, well, that may seem a bit odd but it exists and it's called r00tz. It takes place at the annual hacking convention, Def-con. And as NPR's Steve Henn reports, it's goal is to teach children to pick locks, hack Smart TVs and, most importantly, take a part and understand the technology that surrounds them.

STEVE HENN, BYLINE: The scene inside r00tz a couple weeks ago was a bit of a madhouse - controlled chaos, little kids everywhere. Brendan Herman was trying to program a machine to draw pictures on ping pong balls. Can you describe your hat for me?

BRENDAN HERMAN: It's a tin foil...

HENN: You're wearing a tin foil hat?

HERMAN: Yes.

HENN: So why?

HERMAN: To protect me from aliens.

HENN: Adults covered in tattoos, explained circuits and simple switches. Some kids milled around watching. Others, like Owen Chilcoat, sat hunched over their tablets, scrolling through code.

OWEN CHILCOAT: I am just messing around with it trying to figure out stuff and trying to break it.

TED RISHER: More often than not, we have to wipe the tablet and start again. But he's having fun at it and I think that's important.

HENN: That was Owen's dad, Ted. On the other side of the room, Mark Risher created a website dedicated to teaching kids to hack.

MARK RISHER: We built SaaSCrack for the r00tz, for the Def-Con kids event.

HENN: The site teaches kids how to poke around in online software and websites looking for vulnerabilities. And it works like a game.

RISHER: This guy here is already on the leader board with 300 points.

HENN: If your target audience is 18 to 13-year-olds, a name like SaaSCrack gets attention, but I wondered - now do you get both of the jokes? There are two jokes, I think. I'm quizzing Tye Harmer, a 13-year-old. He just smirks. Okay. He said he knew what one was and pointed. But do you know what SaaS is?

Software as a Service? Oh, yeah, yeah. SaaS, which is really just software you subscribe to online, isn't always as secure as we might hope. Think about all those websites we sign into every day, that we bank with and buy things from. Figuring out how SaaS can be cracked could help these kids avoid hundreds of headaches later in life.

But hacking computers, tablets and apps is just the beginning. All sorts of things are now connected to the Net.

MARC ROGERS: I think it's going to be everywhere. Everything that could possibly be connected will be connected.

HENN: Marc Rogers is a security expert at Lookout, a firm that searches Smartphones for malware.

ROGERS: We have watches that can be connected. You have televisions that are connected. You have radios that are connected. My stereo system calls Japan on a regular basis.

HENN: Even thermostats are connected to the Net and run software.

ROGERS: The flip side is by changing things like this, we also change their value for a bad guy.

HERMAN: Hack one connected thermostat and a burglar could figure out when you are out of town. Hack a million connected thermostats and you can attack the electrical grid. And Rogers says the security in many so-called smart things is so lax, hacking into them is child's play.

NEAL DELOSRUYES: Just for the fun of it, I just wanted to try it out.

HENN: Back at r00tz, 13-year-old Neal Delosruyes decided that he'd like to try to hack a smart TV at camp.

DELOSRUYES: And this is my first year so I just wanted to try some new things.

HENN: Now to be fair, Delosruyes had some fairly accomplished teachers. Aaron Grattafiori and Josh Yavor work at the security firm iSEC Partners. A couple of months ago, they figured out how to hack into Samsung's smart TVs.

AARON GRATTAFIORI: We could, you know, hijack a TV and see the camera remotely.

HENN: They could turn the camera on, take pictures, record video and the owners would never know. Makes you rethink the whole TV in the bedroom thing. But Aaron and Josh told Samsung about the problems and Samsung made some fixes. Still, a lot of other little bugs remained.

GRATTAFIORI: I know that there are at least a couple of bugs in the Facebook app.

HENN: Aaron talked to some friends at Facebook and it turns out that Facebook app was actually built by Samsung for its own TVs. Then, Aaron and Josh had an idea, why not teach kids how to find those bugs? He ran it by Facebook.

GRATTAFIORI: They were definitely game with the idea of having the kids find bugs. They definitely thought that was cool.

HENN: I mean, it helps them out, right?

GRATTAFIORI: Yeah, exactly.

HENN: Not good for Facebook to have an app that...

GRATTAFIORI: It's their name so they don't want their users at risk, so hopefully they can have a, you know, 10-year-old do it.

HENN: Both Facebook and Samsung have something called a bug bounty program. That means these companies will pay hackers real money if they find security holes in their products and report them. These bounties can be worth thousands per bug. And within just a few hours, the kids at this camp found three bugs.

They don't know yet how much the bugs are worth, but...

CY-FI: I knew it was a minimum of a thousand dollars.

HENN: That's Cy-Fi. Now, do you get to keep all the cash or how is it going to work?

CY-FI: I get a third of it. Then another third goes to my education and then another third goes to my favorite nonprofit.

HENN: Cy-Fi is giving that third to the Electronic Frontier Foundation. She's 13. She's been the victim of identity theft and she doesn't think kids should use their real names online. Her friend, Neal Delosruyes, found a bug, too. But he's going to give some of his cash to his church to help underprivileged children in Africa. Talk about a white hat hacker. Steve Henn, NPR News.

Copyright © 2013 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR’s programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

NPR thanks our sponsors

Become an NPR sponsor

Support comes from