Seven-year old Audrey Jones's tight curls bounce wildly as she bangs screwdrivers on a bit of hardware. Later, she revels in the noise made as she spins around the disk of a now-dismantled hard drive. The day before, Audrey was soldering circuit boards and taking apart the pieces, according to her stepmother, Sarah Burall, a purple-haired artist who makes jewelry out of hardware.
Audrey was among hundreds of young people, ranging from kindergarteners to high school students, learning to be the next generation of hackers at a recent Las Vegas conference, r00tz Aslyum. Leading security researchers from around the world had gathered to teach this generation — and their parents — how to safely deploy the hacker mind-set in today's increasingly digital world.
"When a lot of us were growing up, we learned how technology worked by subverting it or breaking it," says Eva Galperin, a global policy analyst at the Electronic Frontier Foundation. "A lot of what was thought of as simple experimentation then would probably get you a visit [or worse] from law enforcement now."
R00tz, as it is more casually called, is staged to coincide with the hacker conference DEF CON, held in Las Vegas each August. Now in its fourth year, r00tz was originally called DEF CON Kids. But co-founder Nico Sell, who is also the chief executive and founder of the secure messaging app Wickr, says organizers realized that their target audience didn't want to be known as "kids."
"Root means to take full control of a computer or a device," Sell said, while "the word 'Asylum' actually means a safe place to learn." Just like 'hacker,' she says, it's a word that has been co-opted with negative connotations. But at r00tz, children are taught to be "white-hat hackers" — learning to improve digital security for themselves and the world around them.
"We have an honor code here," Sell explains, "because what we talk about is that hacking gives you superhuman powers, and with great power comes great responsibility."
This year was perhaps the biggest yet for the event, Sell said. There were roughly 200 kids and 200 parent chaperones, spread around a horseshoe-shaped theater at the Rio resort. Different stations around the room offered everything from cryptopuzzles and soldering to the "junkyard" of hard-drive pieces that kept Audrey so busy.
The event also attracted big-name sponsors, including Google, which distributed free Chromebooks to attendees. Some talks were adapted from the adult DEF CON schedule — from how to hack "lawful intercept" technology used by governments to spy on targets to the security vulnerabilities in airplanes and elevators.
Some talks were given by young attendees: Sixteen-year-old Esau Kang gave a talk on how attackers use tools such as Armitage and MetaSploit to find vulnerabilities in systems — and why it is so important to secure them. "Even someone with minimal programming experience could compromise your systems," he explained — including many of the young attendees in the room.
"It was a really good experience," Esau said. "I think it's really cool that this event is allowing kids to teach other kids about security."
R00tz can provide a safe place for kids to explore their hacker urges in more ways than one. First, the full DEF CON can sometimes get a bit too rowdy for younger children. But perhaps more important, r00tz provides an avenue for younger children to learn some of the ethical rules that now define the computer security space and pick up skills without trying things out in the digital wild, where there can be very serious consequences.
So it makes sense that among the rules at r00tz is "know the law and the possible risk and consequences for breaking it," Sell said.
Facebook Chief Security Officer Joe Sullivan spent an entire day at r00tz with his 12-year-old daughter. Sullivan said he had previously sent his daughter to a programming camp at Stanford but struggled to find a place to expose her to technical security skills. "This is the first one I've found," he said.
Afterwards, his daughter told him, “all the speakers were the same” — a takeaway he didn't quite understand at first because they had covered such a wide range of subjects. Then she explained: "They all dive into a subject, understand every detail about it and find what’s broken.”
"I learned something from seeing security through her eyes, so that’s why I think it was a great experience," he enthused.
And r00tz had another benefit, as well: diversity. Many of the young attendees were women. At Facebook, "we spend a lot of time focused on how do we find more diversity and how do we bring more younger people into security," Sullivan said. "As a team, we sponsored 10 scholarships to DEF CON for college students and have been doing a lot of high school programs."
And even those who were at first skeptical about the program are now on board. "I was very much against the idea of DEF CON Kids when it was first proposed," says longtime DEF CON attendee and presenter Brad Haines, who works in financial cybersecurity and goes by the handle Renderman. There was concern that the focus on children would divert attention and resources from the main conference, he said. "But the way it worked out, they have a separate space for it."
In fact, this year, Renderman even gave a presentation at r00tz, which he joked was a bit of a "mea culpa" for his earlier opposition. It is important, he said, to give children the opportunity to explore their technological urges. Renderman traces the development of his own skills to his experimentation taking things apart as a child, including his family's vacuum cleaner. That's something he has in common with Esau, who says he is "always breaking things."