
PG - Practice Safe Cyber: The Miseducation of American Students on Internet Safety - Vivienne Pustell

BSides Las Vegas | 31:07 | Published 2016-12
About this talk
PG - Practice Safe Cyber: The Miseducation of American Students on Internet Safety - Vivienne Pustell. Proving Ground, BSidesLV 2015 - Tuscany Hotel - August 04, 2015

Okay, you can touch relies because they don't mature it past our custom. Okay, good, cool. Hi everybody, welcome to Vivienne Pustell's talk on Practice Safe Cyber. All right, good afternoon. Thank you all so much for joining me for my very first really real conference talk. I'm Vivienne Pustell and this is Practice Safe Cyber: The Miseducation of American Students on Internet Safety. This talk is going to be lots of fun for all of us, I promise, but it's gonna get really fun during Q&A when I pop open my moral support flask, so ready your questions. Anyways, let's start talking about some educational travesties. All right, so I am here to speak to you from the other side of the

infosec divide. I am not in the industry, although I am looking for a job, so considering crossing that divide. I am just a humble fan. This is my third BSides Las Vegas and DEF CON, so I'm kind of new, but the smell is wearing off. I've been voiding warranties and breaking computers since I was about 12, and as of now I am a former high school teacher from Oakland, a graduate student and education researcher, here to tell you about the horrors being perpetrated upon our impressionable youths. So this talk is several things. First, what it isn't: this talk is not a hard code talk. There will be no samples, no keyboard pounding, no maximizing or minimizing or

quickly moving around the screen of windows. What this talk is is a fresh new perspective on some of the challenges facing the infosec industry, from the point of view of someone who isn't embedded in this [ __ ] all day. Because I'm a teacher, there's some optional extra credit homework at the end, and because I'm me, there's a lot of cat GIFs. So why care about the perspective of a high school teacher who is not in the industry? Well, have you felt stressed out lately? Users pissing you off? Project managers? Maybe even your organizational leadership? How's your blood pressure? How are your health insurance premiums? Have you tried to hire anyone? Has it driven you a little bit crazy? Are you just

surly and like complaining? I do. I am here for you. This is the talk for you. And also, this real housewife has clearly at some point tried to hire someone in the infosec industry. So what this is is students as citizens and the idea of the Internet as a human right. I'm not saying every kid needs to be a hacker. Sure, it would be great if we were spewing little leet haxors out of school left and right, but doing that isn't a requirement. We just need to meet the basic needs and rights of our students. In today's society, Internet is a basic need and should be seen as a human right. Thank you, EFF. Eighty percent of middle school

of middle-skill-level jobs, and that is jobs that require less than a bachelor's degree, require tech skills, and at least fifty-eight percent of Millennials have low problem-solving skills with technology, which, going back to my previous slide, you've probably noticed in the workplace. And ninety-one percent of Millennials do not believe that they have problematic levels of tech competency. You have probably also witnessed this. So what the hell are problematic levels? The Program for International Assessment of Adult Competencies is a 2012 survey that measures tech skills from below level 1 through to level 3. Jesus, wall of text. Level 2 is the minimum standard skill level to access professional and social benefits of technology. Level 1 means

someone is unable to solve a problem whose solution takes several steps and requires a small number of computer applications. So for example, they might have difficulty finding information in a spreadsheet by sorting rows and columns, and then they would have a difficult time getting that information into an email to send it to the person who asked for it. Yeah. Below level 1 would have difficulty sorting email responses into pre-existing folders. Yeah. And nineteen percent of Millennials, I hate that I'm like mocking my generation and it's like the hot thing to mock Millennials, but whatever, this is a tragedy. So nineteen percent of Millennials score below level 1, and seventy-eight percent of those don't think that they're lacking in

skills. Fifty-eight percent of Millennials score level 1. So you've probably seen this again and experienced this frustration at work. In short, the big problem is that we have this misconception that using technology is the same as using it well, that just because, like, I've got my handy dandy little smartphone here and I can swipe right on Tinder, that means I know how to operate a computer. This is not true. So there is this idea: kids have smartphones these days, they know what they're doing. First off, it's a completely different skill set, and basic computer literacy classes are disappearing from schools because of this assumption kids just know. In a 10th-grade classroom I had kids who had

never used a QWERTY keyboard before in their lives, and it's not because they're teaching Dvorak. Time spent interfacing with technology devices is not the same as problem solving with technology devices or understanding how to truly use these devices or the internet, and that's the root of the problem, is that we have this idea that because kids are on Facebook all the time, they know what they're doing. This slide is a little bit of a tangent, but I found this information to be incredibly valuable. As students are having less and less exposure to technology in schools, it's being demonstrated over and over that early exposure to technology, computer science, and problem-solving and critical thinking using technology is essential

to inspiring the next generation of the tech workforce. So that whole bit about the pipeline problem and how hard it is to hire competent people, here's part of the root problem. Not only are students not being exposed to CS, they're often not even being exposed to basic skills like keyboarding and attaching a document to an email, which means that if they do eventually, say in college or later on in life, stumble on CS or infosec, they're grossly underprepared to engage with it. So what are our kids being taught? Not much. So yeah, CS courses and enrollment have declined over the last decade. Meanwhile, hours of instruction in high schools have gone up. The class of 2009 received roughly four

hundred and twenty hours more of classroom instruction than the class of nineteen ninety. I don't know what they're doing with that time. Dance? Basket weaving? I don't know. So a major part of the problem, however, is that teachers don't feel equipped to teach technology or to even use it in the classroom. Surveyed, sixty-two percent of teachers self-identified as uncomfortable with technology, and that that inhibited their use in the classroom. And having been in the trenches, I'm amazed the number is so low. Like, sixty-two percent, that's actually not bad. Basically none of my colleagues expected students to use computers, and they themselves avoided it as much as they possibly could. So since data-driven instruction is a current educational

trend, here is some data driven, the lack of instruction, a chart, because numbers make everything serious. You can see that this is the percentage of high school students enrolled in computer science over the last roughly two decades, and although it's a drop of six percent, that is a statistically significant difference, and more importantly, every other STEM field was having significant increases in enrollment. So things like calculus are just like shooting up, physics shooting up, chemistry shooting up, but CS is going down. So, 42 thousand or more high schools in the United States. In 2011, only two thousand one hundred of them were qualified to offer the AP Computer Science exam, and out of that, 3101 students took it. That's like

the size of the high school I taught at. That's nothing. Compare that with the numbers for students taking AP Government, AP US History and AP English Literature. And do not give me that crap about CS being so much harder than humanities. Like, yes, CS is hard, but so is calculus, and that went up. So did physics. And I think we can all agree that the AP CS exam really isn't that hard. So there's a serious issue with what's being offered and the quality of the instruction for us to be getting such low numbers, and for, in fact, it to be declining. Charts don't lie. Look at those numbers. Look at them going up, except CS. So sad. What the hell, CS? All right, so

I figured, obviously, classes aren't being offered, what are our kids being exposed to? So I decided to take a look at acceptable use policies. For many students, the AUP might be the only instruction that they ever receive about using technology safely and appropriately, so I decided to take a look. I surveyed the AUPs of district, or districts, around Silicon Valley, where I'm based, because I figured that if we can't get it right here, then we're definitely [ __ ] everywhere. Bay Area districts that I surveyed were San Francisco, Redwood City, San Jose, Mountain View, San Mateo, Santa Clara, Palo Alto, Oakland, Berkeley, as well as I picked up a couple AUPs from around the country

via my mentor, so we have Clark County here in Nevada, Cincinnati, Ohio, and Central Kitsap in Washington. So, abandon all hope, ye who log on here. The short version: AUPs are [ __ ]. Every single AUP included a statement that students have zero expectation to privacy. Documents and email accounts can be searched and surveyed without notice and without cause. Those are my two favorite parts of them. Yeah, no notice, no cause. And the issue with this is that students must agree to these terms in order to use technology in school, which is often mandated. Especially, this is particularly important for students who don't have access to technology at home, because this may be their only opportunity to

work with a computer. These AUPs are essentially founded on the idea that students will willingly surrender their rights. That is my thought on this. So here are some of my favorite quotes from the AUPs I read through. I read these so you guys don't have to. I hope you really appreciate my sacrifice. Users shall not promote the use of alcohol or tobacco. Harmful matter includes matter, taken as a whole, which the average person, applying contemporary statewide standards, appeals to the prurient interests and is matter which depicts or describes in a patently offensive way sexual conduct and which lacks serious literary, artistic, political or scientific value for minors. If any of you know what the [ __ ] that

means, please. Exactly. Users shall not engage in damaging, degrading or wasting any tech resource. Oh my god, don't even get me started on schools still on Windows XP. It's a situation, people. Okay, come on, come on buddy, go. All right, a personal favorite: material placed on student web pages are expected to meet academic standards of proper spelling and grammar.

Damn kids with their slang. All right, again, this cat sums up my emotions. Not enough facepalms in the world. All right: everything is forbidden, nothing is permitted. What I find really telling is that AUPs are structured around everything that students cannot do. So all of the items I'm about to put up there appeared in some form or another in every single AUP: file sharing, chatting and use of social media, sexting or sexual messaging, looking at inappropriate content, which we know just means boobs, playing games. Palo Alto specifically bans World of Warcraft, which, like, I want to know the story of why they realized they had to do that. Posting anonymously. I [ __ ] you not, they

ban posting anonymously. Good luck on, sending chain letters or spamming, cyberbullying (okay, I can work with that), and charging devices at school. They're like, you are expected to bring a device and use it all day, but you may not charge it. That's obviously a school bus.

So it's all about that basic control. What I learned from reading AUPs is exactly what I already know from being a teacher, which is we are far more focused on controlling student behavior than actually teaching them anything. Most policies in place are based around the idea that all students are bad. Pretty much all of the AUPs focused on controlling behavior and codes of conduct, but nothing about preserving student safety or imparting skills. This is the closest thing that it comes to giving instruction around how to be safe online: don't share personal information, don't agree to meet anyone, if you get a message that makes you uncomfortable, please tell a teacher or other staff

member. So in short, the greatest threat to our students is their own naughtiness and other people's naughtiness. Sex is the greatest threat on the Internet. Avoid Pedobear, but he's always there. All right, so a little more of the horrifying: if a student finds an inappropriate site or image, he or she must immediately minimize the program and contact the instructor. Because the first thing I'm going to do when I'm in high school and I find boobs is I'm going to tell my teacher. My assumption is that this is so that students can be disciplined accordingly and that site can be added to the blacklist. I understand that student use of the technological resources is for educational purposes only. I understand

that it is impossible for district redacted to restrict access to all controversial materials. In other words, if my kid sees boobs at school, I can't sue you for it. And just let that sink in: you must not tell your logins or passwords to another person, except to a teacher or other adult at school. Because adults on the internet are all Pedobear; adults in the classroom are really just there to protect you by yet accessing your account, how it works. So, things that are notably absent, because just as telling as what is present in an AUP is what isn't present. Not a single AUP includes a password policy other than you're responsible for having one. Nothing on

how to create a strong password, no expectation of password changes, not even a policy around default passwords having to be changed after initial login. And I'm not going to tell you how long my email password was my staff ID number, because I just kept forgetting to change it. There's no expiration, nothing around things like two-factor authentication, metadata, malware, encryption. If concepts such as proxies, VMs or encryption are addressed, it is always specifically to forbid them. So what this means, I forgot that picture's there, I love that picture. What this means is that students are not learning anything other than that they need to cover their school's asses legally. All of these restrictions are just to keep schools from being sued, so

there's no explanation of what any of these things, such as proxies, VPNs, VMs, administrative access, there's no explanation of what any of it means, which means students are going to end up doing it accidentally. It's gonna happen. And also this means that they don't know the ways in which these tools can help or protect them, and they will not have access to these skills to be able to utilize them in the future, and that's important. Instead, our students are trained to accept a lack of ownership over their lives, their data and even their passwords. Computer security is not about protecting yourself, it's about protecting your organization's legal ass. Thank you, Mr. Dubious Cat. So there are things that are

going right. I don't want this to be all doom and gloom. Happy cat. So r00tz Asylum will be happening at DEF CON in just a few days. HacKid Con has happened several times. Hacker Highschool and Code.org are two organizations I love, that they offer curriculum materials and trainings for teachers and school staff to help increase tech exposure and education in schools, because again, if teachers don't feel confident instructing students around technology, they're not going to do it, but these programs provide them with the support to be able to do that. Because especially in Silicon Valley, if you can be a software engineer, you're not going to be teaching for 40k a year, so we have to

teach the people that are in the classroom how to teach this. CyberPatriot, regardless of your opinion of DoD-sponsored events, brings age-appropriate and well-structured infosec training to middle and high school aged students, complete with curriculum materials, so same thing, teachers without a background can run a club. I did that, so I can vouch for their materials. The major flaw with these models, however, click the head, sorry about that. The major flaw with these models is that a number of these really rely on Puckett uhhh really relies on kids having someone who's pushing them into these programs and events or is providing support and guidance. How many kids do you think will be at r00tz Asylum who don't have a

parent at DEF CON? Yeah. So it's kind of the football parent syndrome in infosec, where we've got all these great excited parents who are like, you're gonna be a linebacker just like me, hack all the things, and if you do not have a parent in infosec, you have no idea what the hell is going on and you're not getting exposed. So, okay, come on, there, remember, ok. So if I've lit even the smallest of fire under your ass, here's how you can get involved. Please fully give a [ __ ]. So this is your optional extra credit homework. Email schools, districts or politicians. This is a very small thing you can do, especially if you are great at writing scripts that

send out daily emails going, goddammit politician, why the [ __ ] haven't you fixed computer science education yet? Don't even have to do much, just set up your script. Tell them, like, go to schools and districts, tell them about programs like Code.org, Hacker Highschool, CyberPatriot, etc., because that way they don't have to spend money, which they hate, and you give them an answer. Medium levels of involvement: attend a PTA or a school board meeting and raise hell. You do not have to have a kid in a school in order to go to these things. You are a taxpayer. Yell at them to spend your money well. And finally, large: this is for the few,

the proud, those who hate having a life. Volunteer. Go help teachers. Offer to run a professional development session at a school. Sponsored programs or clubs, things like CyberPatriot, are always looking for industry professionals to work with these teachers and help make them happen. Also, half has migrated East and HacKid is not happening this year, so get involved, make it happen. So, your action items. We all really like to mock raising awareness, but this is a place where it's really worthwhile, because it is not your job or even my job to fix this problem. It is, however, our job to make those responsible so violently uncomfortable that they do something. The real issue here is that

most people don't know [ __ ]. They don't know what's going on, and so if you let them know, they will react. Like, parents care, teachers care, but they don't know. So raising a ruckus can really go a long way. Talk, tweet, text, Facebook, whatever works for you. Volunteering and getting involved is great, but as I said, that's for people who really hate free time, and as much as I would love if everyone did that, I get it. So please think about what I've said here today and the bleak future that we face. When you get home, start raising some hell. Why is my next slide something that has already happened? [ __ ] OpenOffice. All right,

so you've seen this, you've seen this, there we are, that's what I'm trying to get to. Before I switch over to your questions, I want to thank everyone that made this happen, which is the BSides selection committee for giving me a chance; Erin Jacobs, AKA SecBarbie, for her mentorship; Jessy Irwin for her awesome work on issues of security in ed tech and her promotion of the idea of ed sec, when she speaks you should absolutely go to her talks, they are fantastic; Kevin Neely, my informal mentor teacher and driving force behind getting CyberPatriot into Oakland schools; and Travis Car, who unofficially sponsored this talk by buying me a lot of drinks and sitting in

pubs with me while I made this slide deck. So it is now time for questions and drinks. This is my favorite part, so please ask good questions. Yes? It's about Common Core? All right, so the things that trended up, it's not so much a correlation with Common Core. There is a little bit, but actually this is the first year that the science standards have been rolled out for Common Core, so that's sort of there, but what it really is is the frantic rush to look impressive for college applications, and so kids are cramming their schedule full of AP every single the [ __ ] thing they can find, whether or not they're prepared for it and whether or not the

teachers are prepared for it. Yeah? Yes, so just the comment on my experience when to volunteer to help my district, of the challenges that I've run into, is teachers are overworked and underpaid and they don't want to do things outside of my home worth it. Yes, I understand, but it's just the challenge of somebody who wants to help out to be told, well, you have to do it from eight to five because that's more contractually obligated to be there. Yeah, mama game to be my job. Yes, and that is absolutely like one of the major issues. Um, some people have the flexibility to be able to go and do things during daytime hours, some people don't, and

that's a really valid issue, and as much as I hated working like 12-hour days, I wish more people would do it, just because, yeah, like, we're not going to be able to get people in outside of work hours very often. That's where things like PTA meetings are worthwhile, because then hopefully something happens and at least you can light a fire under their asses to get them to actually spend a little bit of money to hire someone to come in during working hours. But yeah, very true. Yes, Phillip? So one of the convention was that schools maybe is building tools and general craft built throughout the idea that jewelry that was controlling, yes, how much are the

things that you're recommending are constantly battling against that and always have to battle against, and how much of a long-term solution has been moved into making schools not fundamentally about controlling bad children and actually about helping in teaching, like halfling what do we need day dawns, like actually trying to fix a real problem in that video? If I could answer that, I probably wouldn't have quit teaching, but [ __ ] that [ __ ]. Um, so I think things like pushing for more actual instruction of even just basic computer literacy skills is one of the things that, like, I think a major root of this problem is the idea that technology is ubiquitous and therefore kids know what they're doing

and don't need to be taught anything, and I think getting kids learning, like, how to use a freaking computer and not just a smartphone would be a really important first step, because then you know that kids are eventually going to start exploring. So, yes sir? 30 years ago they were teaching the lesson I had all the static ation worth adequate and put some burlas below the intrigue again we had a version T&CS industry emerging security industry throughout and where the results right, so what's the other health, what's the thing that's missing that's not it were getting a bushes yeah and competency are they or the other outcomes missing? So first off, that's an awesome question. I'm going to super

quick paraphrase for people, is basically, 30 years ago computer literacy skills weren't a thing, but here you all are. Um, so off you feel like, other than computer literacy, what's the problem? And I think, like, that's a really good question, and I think that part of it is that we're not really looking at and teaching critical thinking skills. So like that is, that's huge, is that kids sit down at computers when they do finally get exposed to them, and instead of having this adventurous sense of, I'm gonna see what happens if I push that, it's like, well, I don't know how to do this, Miss P, Miss P, what do I do? As opposed to, I'm going to figure

this out for myself. And I think also 30 years ago computers were so new, and the idea of, like, I think it was just a sort of a different atmosphere then. There's still a little bit of this idea of computers are like a weird nice dirty thing, but not in the same way, and that they are so omnipresent that I think there's no longer, simply by sitting in front of a computer you aren't necessarily going, this is so cool, I'm gonna try a bunch of things. You're like, I'm gonna check Facebook. And I think that's also the other big difference, is that to interact with a computer is a very different experience. Yes? Now I

think there's more demand now, like there weren't as much demand 30 years ago. Yep. So there is enough supply weird about it, but now there's weirdos, that's why we see this. Yeah, I'm just saying I think I agree with that, but also I'm just really jaded about how schools work and I'm just pretty disappointed with them. So I am happy, since it's lunchtime, I'm totally happy to stay here and answer more questions, but I'm getting flagged, the talk is technically over, so if anyone wants to ask more questions I will totally answer them, but you're also free to go. [Applause]