My Experience at NYU CS4CS
July 2023 (976 Words, 6 Minutes)
To preface, CS4CS is a free program provided by New York University (NYU) to teach high school students the fundamentals of cybersecurity in a structured, fun, and educational manner. I honestly wasn’t expecting much from the program, since I’ve done plenty of CTFs, HackTheBox, and learned quite a bit on TryHackMe. But I was wrong. I go into more detail below.
Initial Impressions
When the program first started, it covered the VERY basics. The instructors talked about what cybersecurity itself was, had us do some basic Python exercises, went into binary and hex, encodings, and some cryptography basics. I saw that the other students in the class didn’t know too much about cyber, and this made me a little overconfident (this will come back to bite me, as you will see later). The university had a CTF in the last two days of every week, and I found the first challenges pretty quick and easy, to say the least. Overall, I initially saw the program as a breeze and enjoyable experience, but nothing more than that. We got assigned a research paper, but the topics were pretty basic and hard to screw up. I picked password security as my research topic.
The Program Ramps Up
In the second week, the program definitely started to get on my level a lot more. We were taught web security, network security, stegonography, and even basic networking concepts such as routing and switching. It wasn’t CCIE R&S level depth or anything, but it was discussed at a fundamental level. We hacked a car too, which I found really fun and interesting. In this week, the stakes for the CTFs went up significantly. There was now a $75, $50, and $25 prize on the line per team member for 1st, 2nd, and 3rd place respectively. In this week’s CTF, I was not able to solve one of the stegonography challenges and fell into second place for a bit before jumping back into first place. In this week, I started to make some real friends as well. There were three guys that I loved talking to and now have permanent contact with outside of the program. On the Friday of this week, our team fell into third place after I struggled to solve a few of the challenges posted that day. I was nearly brought to tears by this. How could I, someone who’s played around with cybersecurity for years, lose to people who hadn’t even heard of the term before the program? It was a humiliating thought, but I had no way of expecting what would happen next.
The Final Week
In the final week, we talked about web security, packet captures, and log analysis. We used Wireshark a lot to view internet traffic, where the instructors asked us questions about what was in the packets. We analyzed logs in order to be able to write a report on what had happened to the system, and we learned SQL and SQL injection. I found these topics really cool and more on my level than anything else. Also, we had a two-day BlackHat style conference where industry professionals came to us and talked about different cybersecurity concepts, such as smartphone privacy and cloud security. I took full advantage of these conferences, talking and networking with the presenters whenever I could. I had in-depth conversations with these professionals, discussing hacking, resumés, career advancement, networking, and much more. My CCNA gave me increased credibility among them, led to more technical discussion between us, and a fantastic lunch (with my food fully paid by them to boot). In the final day, the CTF was on, and hard. Many of the challenges, I did not solve because I genuinely did not know what to do. There were OSINT challenges and hardware hacking challenges. I didn’t even know where to start with them. I got a few challenges, including one challenge where I had to go into a room and figure out an encoding, but that’s it. A classmate of mine wanted to combine forces in being “useless” (because I was not getting many flags), and that’s when I knew what was going to happen. We were not winning any of those prizes. By the end, a team had already cracked the final 500 point challenge, and we were down at sixth place. I was devestated. I had lost the opportunity to win a grand prize. I waved my goodbyes to my instructors and classmates; it was pretty bittersweet and we were all going to miss each other (there was even a girl who asked me to go out with some of her friends). Going back home, I looked back on the three weeks at the program. It was a wild ride, going from being top G to being in sixth place. I learned what my weak points were and what I needed to learn more about. At the end, it was a great experience, making new friends, learning a lot, having fun, networking, and learning important life lessons.
Lessons Learned
There were plenty of cybersecurity related things that I learned while at the program, but I won’t get into them here. Instead, I want to get into the life lessons I learned. Specifically, about modesty and humility. I thought that I knew about everything the program was going to teach, but I was severely mistaken. I communicated this to some classmates, saying that it was “easy” and that it was nothing I could handle. I told others about how our team was going to win the CTF in 1st place, and expected people to roll in. Looking back, it was behavior not suitable for a professional setting and not in my moral code. There are times to brag, but this was not it. A modest attitude is best, I always thought. Not only will people treat you better, but you will seem more trustworthy and curious to others. But more importantly, I learned to be humble. To be open to learning new things and never assume that your knowledge is better than anyone else’s. This is especially true in the IT field. I was so focused on showing off my “superior” knowledge that I forgot to actually focus on the CTF. In short: don’t ever think that you know everything or that you have it easy. If you do, you will quickly learn that it is the opposite, and the realization will hit you like a truck (as it did for me).
The Conclusion
If you are a parent or high school student in the NY/NJ area who is thinking about this program, I would tell you to apply a hundred times over. It will be a great experience if you are just starting out, and a very humbling one if you already have some independent or formal experience with cybersecurity (replace “you” with “your child” if you are a parent).