The hacker who goes by the pseudonym CyFi won't share her real name and declines to be photographed without her signature aviator sunglasses.
At the annual Def Con hacking conference here Friday, Gen. Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, brought CyFi on stage during his keynote address and called her "the most important person for our future."
CyFi is 11 years old.
For the second year in a row, Def Con organizers included a full schedule of Def Con Kids programs for beginner hackers ages 8 to 18. The children and teens, who must be accompanied by a parent, learned how to pick locks, competed to find the most bugs in mobile apps and learned about digital forensics by investigating a mock crime scene in a hotel room. Some skilled young hackers also taught classes and gave talks.
To kick off the conference, Def Con founder and veteran hacker Jeff Moss welcomed the kids with a talk on the ethics of hacking and rules for how to stay out of trouble with the law.
"I think it's harder for you guys now than it was for me," Moss told a room of kids and their parents.
Moss started the conference in 1992 because he wanted an open place for hackers to meet in person and share information. Twenty years later, the young attendees from Def Con's early years have grown up, established careers and started families.
Now they bring their own children to Def Con to soak up the knowledge and culture, but this new generation faces a different set of rules and a maze of new laws -- not to mention parents who are savvy enough to know what they're up to and keen on keeping their progeny out of trouble.
Navigating the law
"I just want to open it, but don't want to see what's on the other side," a young woman told and Moss and Lauren Gelman, an attorney who works in the field of Internet law and policy.
Many of Def Con Kids' school-age hackers are driven by the challenge of finding vulnerabilities in security systems and networks, not stealing information or money, or selling their knowledge to third parties. These "white-hat" hackers report any issues they find directly to the developers or relevant companies so they can be more secure.
But good intentions aren't always enough when it comes to staying out of legal trouble.
When Moss was starting out, computer technology wasn't widely understood by law enforcement, and laws weren't yet in place that classified his actions as illegal.
"Technically, I wasn't committing any crimes. I wasn't stealing any money, wasn't trying to break anything," said Moss. The U.S. and international governments have since drafted complicated laws that criminalize many aspects of hacking.
However, Gelman pointed out that in many cases, the rules are still not clear or current, and that current laws are far behind what Def Con attendees are doing. She recommended the kids avoid breaking laws by asking for permission before testing any systems, and if that's not possible, to find a situation where they can ask for approval.
"The lawyer perspective and mother perspective and ethics perspective is you can get in a lot of trouble if you don't ask for permission." Gelman is married to journalist and former hacker Kevin Poulsen and has two children.
Moss has his own test for deciding whether to hack something: "My rule of thumb is, do I completely own it? If yes, I can hack it."
If hackers are unsure whether they are breaking the law, Gelman suggests they check the Electronic Frontier Foundation's (EFF) site, which spells out rules for everyone from bloggers to coders. The 22-year-old organization also provides legal assistance for those who do get in trouble, taking on some cases itself or referring people to attorneys.
Building a reputation
Breaking the law isn't the only concern Moss, Gelman and parents have for the budding hackers -- true anonymity online is harder to come by and a bad reputation can follow these kids into adulthood.
Moss warned the kids that everything they do online now until they die will be backed up to the cloud. "That makes life more difficult for you guys, because if you get in trouble now, you're screwed."
Twenty years ago, hackers could operate in the shadows without leaving much of a trail. Chat logs weren't recorded for long and hackers' handles weren't easily traceable to their real-life identities. Now, most communications that take place online are stored permanently and some can be dug up by law enforcement and human-resources departments.
Moss was just a kid himself when he got started with computers.
At 13, his father brought home an IBM computer for the family. By 14, Moss was online creating a new identity for himself, conversing with adults who were oblivious to his real age and spoke to him like an equal.
"I couldn't drive a car, but I could have conversations about politics with people in Russia," he said.
In those days, if someone made a mistake or needed a fresh start, they could create a new online identity. Moss got a do-over at an early age and recreated himself online as Dark Tangent, which grew into a trusted and respected identity he still uses now.
Today, a fresh start is harder to come by and old communications can surface at any time. Facebook CEO Mark Zuckerberg learned this the hard way when embarrassing instant-message conversations from his college days were made public years later.
"Your reputation is the most important thing you own," said Moss, urging the young hackers to behave ethically, not because it will make their parents happy, but because they are the ones who will have to live with the results.
Hacking for good
With so many dangers, why would parents encourage their children to hack at all? Def Con Kids organizers believe in the good that can come from hacking, including making the country more secure and helping encourage freedom of speech around the world.
"Technology can really change the world," said Gelman, citing the liberation-technology movement that encourages hackers to help people spread messages from countries where online communication is restricted.
The U.S. government sees the potential in these bright young minds as well.
The Department of Defense ran the digital forensics program at Def Con Kids, hoping to encourage more education and interest in the field. And Alexander met with three of the children before going on stage to give his keynote address.
"This is our future," Alexander said of the kids. "What you're doing here to help train those folks is absolutely superb, and you should be proud."
