Using Science Fiction to Teach Computer Security

Interesting paper: "Science Fiction Prototyping and Security Education: Cultivating Contextual and Societal Thinking in Computer Security Education and Beyond," by Tadayoshi Kohno and Brian David Johnson.

Abstract: Computer security courses typically cover a breadth of technical topics, including threat modeling, applied cryptography, software security, and Web security. The technical artifacts of computer systems -- and their associated computer security risks and defenses -- do not exist in isolation, however; rather, these systems interact intimately with the needs, beliefs, and values of people. This is especially true as computers become more pervasive, embedding themselves not only into laptops, desktops, and the Web, but also into our cars, medical devices, and toys. Therefore, in addition to the standard technical material, we argue that students would benefit from developing a mindset focused on the broader societal and contextual issues surrounding computer security systems and risks. We used science fiction (SF) prototyping to facilitate such societal and contextual thinking in a recent undergraduate computer security course. We report on our approach and experiences here, as well as our recommendations for future computer security and other computer science courses.

Posted on August 1, 2011 at 6:03 AM • 19 Comments

Comments

derfAugust 1, 2011 6:54 AM

This will be especially important once your computer has been mounted in your head. You don't want that hacked.

Richard Steven HackAugust 1, 2011 6:55 AM

Read the Shadowrun and Cyberpunk 2020 role playing games manuals and novels based on them.

Aside from the magic stuff in Shadowrun, we're pretty much on track to produce the sort of society described in these RPGs over the next 20-30 years: no privacy, corporations run everything, drugged up gangs roam the streets, and if you want to survive you'd better be good with both computers and guns.

Beyond that, the manuals go into pretty deep detail on what it takes to be a hacker when there are security cameras on every block, when everyone is identifiable via a national ID system linked to every transaction you do, when every corporation has counter-hackers and automated defenses on-line - and can also send armed attackers after you a la what the Pentagon is currently aiming for.

From Cyberpunk V3 Core Rules:

Quote

To achieve the essence of 203X, you need to master three concepts:

1) Style over Substance
It doesn’t matter how well you do something, as
long as you look good doing it. If you’re going to
blow it, make sure you look like you planned it
that way. Normally, clothes and looks don’t matter
in an adventure—in this world, having a leather armor jacket and mirrorshades is a serious
consideration .

2) Attitude is Everything
It’s truth. Think dangerous; be dangerous. Think
weak; be weak. Remember, everyone in the 2000's is carrying lots of lethal hardware and
high-tech enhancements. They won’t be
impressed by your new H&K smartgun unless
you swagger into the club looking like you know
how to use it—and are just itching for an excuse.
Never walk into a room when you can stride in.
Never look at someone unless you can make it
your best "killer" look. Use your best "I'm bad and
you aren't." smile. Don’t sit around the flat or
cube waiting for the next job. Get on out and hit
the clubs and hangouts. Make sure you’re where
the party starts.

3) Live on the Edge
The Edge is that nebulous zone where risk takers
and highriders go. On the Edge, you’ll risk your
cash, your rep, even your life on something as
vague as a principle or a big score. As a
Cyberpunk, you want to be the action, start the
rebellion, light the fire. Join great causes and
fight for big issues. Never drive slow when
you can drive fast. Throw yourself up against
danger and take it head on. Never play it too safe. Stay committed to the Edge.

Remember: The world of Cyberpunk is a violent,
dangerous place, filled with people who’d love to
rip your arm off and eat it. The traditional concepts of good and evil are replaced by the values of expedience—you do what you have to do to survive. If you can do some good along the way, great.

But don’t count on it.

End Quote

ChristopherAugust 1, 2011 7:34 AM

I always wanted to build a password platform such that your first mistype of your password is part of your password.

davidAugust 1, 2011 8:05 AM

Gee, makes my “Literature of the Future” English credits from the early 90’s look tame. We did read Mirror Shades and Snow Crash but the most interesting reads for the vision was stuff written in the early 1900’s. Take out the tech and look at the message; you’ll be surprised how much has changed (from a vision of utopia to, well, Snow Crash.)

Unfortunately, this is all backwards. It is fiction based on a game. Kind of like writing books on global conquest in the Risk universe. I would guess that a very small percentage of the “players” in the world of this fiction could really push an agenda in the larger “real” world.

FWIW
DLM

bobAugust 1, 2011 9:45 AM

"no privacy, corporations run everything, drugged up gangs roam the streets, and if you want to survive you'd better be good with both computers and guns."

Ha. You funny.

Petréa MitchellAugust 1, 2011 11:41 AM

Ooo, interesting idea: making use of the inherent narrative leanings of humans to think about the security implications more fully.

Since we're sharing reading recommendations, check out _The Cyberiad_. In general it does a better job than anything else I've read of conveying the experience of programming; and there are a few stories in there that are basically about security problems with a mixture of technical and social aspects. "The Second Sally, or The Offer of King Krool" is probably my favorite of those.

GraceAugust 1, 2011 12:17 PM

Interesting. My thesis adviser would never have let me pick a "soft" topic like this. I have to think if that is a good or bad thing.

This work was supported in part
by NSF Award CNS-0846065.

phred14August 1, 2011 2:27 PM

@DLM - At this point I have to fall back on one of my favorite recommendations, "A Logic Named Joe", a short story by Murray Leinster. He foresaw the internet, home computers, easy-access information databases, security problems - and the stuff that can go wrong. None of that is amazing, but the date is: He wrote this story in 1946. The relevant text (It's a short read.) is at:

http://www.baen.com/chapters/W200506/...

aynonymous randAugust 1, 2011 2:34 PM

> Aside from the magic stuff in Shadowrun, we're pretty much on track
> to produce the sort of society described in these RPGs over the next 20-30 years:
> no privacy, corporations run everything, drugged up gangs roam the streets,
> and if you want to survive you'd better be good with both computers and guns.

obligatory link to The Onion:

http://www.theonion.com/articles/...

The Future Will Be A Totalitarian Government Dystopia vs The Future Will Be A Privatized Corporate Dystopia

"When the ongoing trend of corporate mergers reaches critical mass in 2030, the scant handful of corporations that remain will be too powerful to resist and will ultimately supplant all government. National borders will crumble, replaced by warring corporate armies who deploy vat-grown Yakuza assassins to take down enemy CEOs in the name of commerce."

Richard Steven HackAugust 1, 2011 9:51 PM

It will be a while before assassins are "vat-grown" - since there are plenty of assassins to be found cheap these days and that probably won't change.

On the other hand, as Chiun in "The Destroyer" series likes to say, "Why hire a cheap assassin for poor results?"

Also, given that many problems can be laid at the feet of CEOs, having a bunch of them get assassinated isn't exactly a Bad Thing. That was an integral part of my terrorism plan back in the day. Given my dislike of Windows, you can guess who was at the top of the list. :-)

The funny part of the Onion piece is that the corporate dystopia reads almost exactly like it is now - which I assume was the point of the piece. While some might take that to mean the future isn't that bad, I'd say the opposite is true - it's a demonstration of how humans will accept any dystopia if it's sold right.

The Onion gets it right - the future WILL be a dystopia of some sort - until we Transhumans clean house (or just leave and let you all stew in your own mess.) That's the one thing most future prognosticators always miss - they assume humans will stay human. Maybe most will - but some won't. And those some are going to run the show.

Dirk PraetAugust 2, 2011 6:57 AM

However much I can see such an approach working for SF afficionados and other geeks, I kinda doubt it would amount to any result with the average manager or beancounter. They'd probably be more stimulated transposing the issue at hand to some fictitious Wall Street environment. Ever tried hitting on a girl you met at the local bar bringing up stories about Star Trek or Star Wars ? It's a recipe for disaster.

B. D. JohnsonAugust 2, 2011 10:47 AM

All I know is if *one* person did a MD500 check for the Kobayashi Maru simulator, James Kirk would have ended up just another disgraced cadet washout.

Petréa MitchellAugust 2, 2011 11:12 AM

Dirk Praet:

However much I can see such an approach working for SF afficionados and other geeks, I kinda doubt it would amount to any result with the average manager or beancounter. They'd probably be more stimulated transposing the issue at hand to some fictitious Wall Street environment.

Agreed, but I don't see the paper recommending this exact approach for anyone other than CS students anyway.

Ever tried hitting on a girl you met at the local bar bringing up stories about Star Trek or Star Wars ? It's a recipe for disaster.

Well, duh. The female Star Trek and Star Wars fans are going to be hanging out at the bookstore or gaming store.

And BTW, Bruce or Bruce's site admin, hooray for being able to use HTML in comments now!

ModeratorAugust 2, 2011 2:40 PM

Well, duh. The female Star Trek and Star Wars fans are going to be hanging out at the bookstore or gaming store.

And with that, the subject is closed. This blog is not the place to share "funny" pickup lines or talk about what celebrities you'd like to date; comments along those lines are being removed.

Petréa MitchellAugust 3, 2011 11:37 AM

Are apologies for having written in haste and said something we realized later didn't sound anything like what we meant allowed?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..