This weekend I gave a turbo-talk at NYU's Courant Splash (cSplash). cSplash is a math and science festival for high school students. I arrived at the event a bit early and spent some time talking to past teachers. I was really interested in whether the students were receptive to some of the advanced topics given in math and science. I had never given a presentation to high school students, so I wasn't sure if they'd participate. As it turns out, some of the students signed up for the festival themselves, as opposed to my misconception that their respective schools had registered them. (I wish I had been that motivated in high school.)
My talk was titled "Fun with Computer Security". I attempted to inspire students who already had some interest to work towards becoming information security experts. As such, I wanted to show them something interesting, not another lecture on theory and best practice. I recalled my enthusiasm from security conventions such as Defcon and Shmoocon, and how the best talks were those with examples of technology failing. Before I could demonstrate some black-hat techniques, I needed to assure them that they should only use their skills for good.
More importantly, I wanted to show them how they could learn using black-hat techniques without involving other parties. As I was setting up the projector, I overheard some of the students talking about their recent hardware purchases. I had planned to demonstrate using virtualization, and now knew that suggesting virtualization software to practice on would be perfect. I gave them names and links, and, diligent as they were, all took notes. After the students knew why and how, I showed them what they could do by beginning with an outdated zero-day on an unpatched system. Since I had used Laurent Gaffié's SMB 2.0 Remote BSOD in my Network Forensics class last year, I already had some vulnerable test systems configured. I also tried to use BackTrack to rewrite a Windows SAM file, but my Windows 2000 AS took too long to boot a second time. Thankfully I had a "saved state" where I could use Metasploit to quickly show how attackers can exploit Windows 2000 AS without having physical access. (I was using a default install of Windows 2000 AS, which was also pre-installed from preparing for the 2010 NE-CCDC.)
I finished the talk with references to information security scholarships, job opportunities, conferences, and competitions. Afterward, a few students came to talk some more about their interests; hopefully I provided some adequate information and motivation. The experience helped me out a lot. I read a post on Errata Security which gave an outline for planning an InfoSec career. Their bit about public speaking is very true and useful. I say: if you cannot inspire a student, then you sure as hell won't be able to inspire your future upper management.