Code.org Will Teach 'Cybersecurity Hygiene' to Millions of Students

Long-time Slashdot reader theodp writes: Mr. President," Code.org founder Hadi Partovi told President Joe Biden and tech CEOs from Microsoft, Amazon, Google, Apple, and IBM at Wednesday's Presidential Summit on Cybersecurity, "America's cybersecurity problem is an education problem. I loved [Microsoft CEO] Satya Nadella's wonderful analogy to the car industry, and like Satya said, we need standards for seatbelts in every car for sure. But if none of the drivers took a course in basic safety skills, our roads could never, ever be safe. That's the current state of affairs on the roads of the internet. Without proper education, we can't address our nation's weakest link. If you look around, every CEO is nodding their head because they know we need a plan to educate every American on basic cyber security hygiene, and also a plan to staff up our cyber defense workforce. This needs to start early, in K-12, and reach everybody."

A newly-released White House Fact Sheet announcing "Ambitious Initiatives to Bolster the Nation's Cybersecurity" notes that tech-bankrolled "Code.org announced it will teach cybersecurity concepts to over 3 million students across 35,000 classrooms over 3 years, to teach a diverse population of students how to stay safe online, and to build interest in cybersecurity as a potential career."

Start with the CEOs.

[Fly Swatter]

Teach them about the value of security first, they appear to need it.

Re: since the 90s

[RazorSharp]

That is stupid. It is the fault of developers, standards bodies, and legislators for making the internet unsafe for casual users. We run JavaScript on client machines because it takes the load off the server and allows companies to take control of the user in various ways. If these companies wanted to, they could come up with an alternative to JavaScript that is extremely dumb and requires all the actual execution to occur on the server side. They can do it with video games and other media they do not want

Good luck with that

[Dorianny]

"basic cyber security hygiene" is mostly just simple common sense. I'm not sure you can teach that.

Like "don't touch a hot stov."?

[raymorris]

Common sense like "don't put your hand in a hot stove"?
I've taught two people that. It's common because pretty much all of our parents taught us these things.

I've discovered that MOST people don't actually know how to pick a good password. When I've posted my method here it's been mod +5, apparently because a lot of people reading didn't already know.

So yeah the cerebral teaching needs to be done - not everyone knows how to be safe.

Even more, I think what people do know intellectually, they haven't internal

Re:

[theCoder]

In a recent pentest, the red team (attackers) took advantage of two mess-ups by one of our senior network engineers. He was quite cavalier about having config files containing passwords all over his hard drive. We had to spend six weeks going through every file in his drive to find all of the secrets, and change the passwords on every switch and router (hundreds or thousands of them).

You bet your ass he learned something from that experience. He's not reckless with passwords anymore! In fact he's becoming t

Re:

[raymorris]

That's a good question, and I'm sure it's you on the PKI - and Pizza Hut.

For the config files backups / copies, two things were supposed to be done and have been done now. Either of these two commands make it so the password isn't visible in the config files:

# enable algorithm-type scrypt secret cisco
# enable algorithm-type sha256 secret cisco

The "sha256" in the last command doesn't actually mean it uses a sha256 hash. It's actually pdkf2 using sha256

That way he can save the configuration, and reuse it, wit

Ps - without a password vault

[raymorris]

By the way, if you don't have a password vault, there is something you can do quickly and easily that is a great improvement vs the typical Excel spreadsheet.

Click File > Info > Protect Workbook > Encrypt with a password

That encrypts the spreadsheet with AES256, so that's 90% of the way to turning that spreadsheet into a half decent password manager. It only takes ales maybe 30 seconds and it's a big improvement in security.

Re:

[theCoder]

Thanks for the great information! I had no idea that routers and such had these better management functions (I don't actually manage any). But it's great to hear that the state of the art can provide much better security than I thought!

Re:

[s4080326]

Pretty good advice, I think one of the biggest problems with cybersecurity is that the majority of people are either in the "don't care/ won't affect us" or the "anything but best practice is garbage" camps. It's like SMS 2-factor, yes is broken but it is one hell of a lot better than nothing.

Don't DOS yourself

[raymorris]

Yeah there are a few things to keep in mind in terms of security. The first is that security consists of THREE pillars:

Confidentiality
Integrity
Availability

When you say "security" most people think about confidentiality. Availability is just as important.

You might think that the job of a security person to to fend off attacks. That's true. One important category of attack we want to protect against is the DOS attack, or Denial Of Service. A denial of service is when the people who are supposed to be able to

Re:

[jenningsthecat]

First you said "You can bet those passwords are written down, because in 2.5 months when I make a new random one, I need to the one to change it". Then a little later you said "I do use Keepass, which at least is encrypted, but many my browser knows, too".

First - what the actual fuck? You have Keepass yet you write passwords down? Why?

Second, why do you let your browser store passwords? I sure hope they aren't important ones such as online banking!

Re:

[theCoder]

Sorry, maybe that was confusing. I consider storing things in Keepass to be writing them down. I very rarely (maybe never?) actually physically write a password!

No, I don't keep financial passwords in my browser. A lot of financial websites try to thwart that anyway by having a two step login process.

"Don't upload your files to the cloud"

[TheNameOfNick]

That isn't on the curriculum, is it?

Continuing Saga

[Retired ICS]

The primary reason that the state of "Cybersecurity" is what it is today is precisely because there sorts of incompetent shitheads pretend that they are capable of teaching the modern children how to generate "safe and secure" systems.

The copy & paste crowd that is output by these sort of lunatic organizations are not only incapable of doing anything that is "safe and secure", the output copy & paste morons are even completely incapable of understanding what it is they are doing or trying to accomplish.

How Much Will K-12 Initiatives Thwart Cybercrime?

[theodp]

Joining Code.org in the White House initiative is tech-backed K-12 nonprofit Girls Who Code, which announced it will "establish a micro credentialing program for historically excluded groups in technology. The program will make scholarships and early career opportunities more accessible to underrepresented groups."

Out of touch elite

[quonset]

But if none of the drivers took a course in basic safety skills, our roads could never, ever be safe.

Quite obviously he hasn't driven a day in his life on American roads because it is clear the vast majority of drivers never took a course in basic safety skills. Between talking on the phone while driving, talking on the phone while turning a corner, failing to signal or yield when entering the highway, driving too fast for conditions [9cache.com], driving at speed into a fog bank [usatoday.com], ghetto driving, ghetto driving while l

Re:

[clovis]

I'm not sure how to catalog this one - it looks like the door after someone yells "doughnuts in the breakroom" in front of the syaadmins.
https://www.wsbtv.com/news/loc... [wsbtv.com]

Re:

[clovis]

sorry, please sed -i 's/syaadmins/sysadmins/g'

Code.org...

[VeryFluffyBunny]

...will 'teach' whatever's currently fashionable or in the news so it'll be out of date by the time its students are applying for college or university.

Code.org are sexist sows

[greytree]

Code.org FINED teachers for teachng boys

BOYCOTT SEXIST CODE.ORG

Is this a comedy routine?

[zkiwi34]

Seriously

Re:

[gweihir]

It has been for a while. But quite a few people do not seem to get the joke.

Yes, 'diverse'

[MysteriousPreacher]

This'll definitely improve cybersecurity awareness and among students who are female, black, or 'Latinx'. That's what code.org states as their target audience.

Nice to see the government throw its weight behind an initiative that sees children primarily by sex or skin colour.

Re:

[guruevi]

At least it's anti-racist, they never declared themselves to be non-racist, as Ibram X. Kendi declares, you have to fight racism with more racism.

Re:

[geminidomino]

Well, at least now we know what happened to all those homeopathy cranks.

Nope

[gweihir]

Understanding code security issues and being able to properly avoid them is something that takes real skill and experience. code.org will at best make the matter worse because it will make people think they have skills they very much do not have.

2 problems

[cellocgw]

First problem: the internet/web/etc. was never designed with security in mind, and the hundreds of different solutions duck-taped on haven't fixed that yet.
Second, and more glaring problem: YCFS