Entries Tagged "schools"


What is a Hacker?

A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.

I wrote that last sentence in the year 2000, in my book Secrets and Lies. And I’m sticking to that definition.

This is what else I wrote in Secrets and Lies (pages 43-44):

Hackers are as old as curiosity, although the term itself is modern. Galileo was a hacker. Mme. Curie was one, too. Aristotle wasn’t. (Aristotle had some theoretical proof that women had fewer teeth than men. A hacker would have simply counted his wife’s teeth. A good hacker would have counted his wife’s teeth without her knowing about it, while she was asleep. A good bad hacker might remove some of them, just to prove a point.)

When I was in college, I knew a group similar to hackers: the key freaks. They wanted access, and their goal was to have a key to every lock on campus. They would study lockpicking and learn new techniques, trade maps of the steam tunnels and where they led, and exchange copies of keys with each other. A locked door was a challenge, a personal affront to their ability. These people weren’t out to do damage—stealing stuff wasn’t their objective—although they certainly could have. Their hobby was the power to go anywhere they wanted to.

Remember the phone phreaks of yesteryear, the ones who could whistle into payphones and make free phone calls. Sure, they stole phone service. But it wasn’t like they needed to make eight-hour calls to Manila or McMurdo. And their real work was secret knowledge: The phone network was a vast maze of information. They wanted to know the system better than the designers, and they wanted the ability to modify it to their will. Understanding how the phone system worked—that was the true prize. Other early hackers were ham-radio hobbyists and model-train enthusiasts.

Richard Feynman was a hacker; read any of his books.

Computer hackers follow these evolutionary lines. Or, they are the same genus operating on a new system. Computers, and networks in particular, are the new landscape to be explored. Networks provide the ultimate maze of steam tunnels, where a new hacking technique becomes a key that can open computer after computer. And inside is knowledge, understanding. Access. How things work. Why things work. It’s all out there, waiting to be discovered.

Computers are the perfect playground for hackers. Computers, and computer networks, are vast treasure troves of secret knowledge. The Internet is an immense landscape of undiscovered information. The more you know, the more you can do.

And it should be no surprise that many hackers have focused their skills on computer security. Not only is it often the obstacle between the hacker and knowledge, and therefore something to be defeated, but also the very mindset necessary to be good at security is exactly the same mindset that hackers have: thinking outside the box, breaking the rules, exploring the limitations of a system. The easiest way to break a security system is to figure out what the system’s designers hadn’t thought of: that’s security hacking.

Hackers cheat. And breaking security regularly involves cheating. It’s figuring out a smart card’s RSA key by looking at the power fluctuations, because the designers of the card never realized anyone could do that. It’s self-signing a piece of code, because the signature-verification system didn’t think someone might try that. It’s using a piece of a protocol to break a completely different protocol, because all previous security analysis only looked at protocols individually and not in pairs.

That’s security hacking: breaking a system by thinking differently.

It all sounds criminal: recovering encrypted text, fooling signature algorithms, breaking protocols. But honestly, that’s just the way we security people talk. Hacking isn’t criminal. All the examples two paragraphs above were performed by respected security professionals, and all were presented at security conferences.

I remember one conversation I had at a Crypto conference, early in my career. It was outside amongst the jumbo shrimp, chocolate-covered strawberries, and other delectables. A bunch of us were talking about some cryptographic system, including Brian Snow of the NSA. Someone described an unconventional attack, one that didn’t follow the normal rules of cryptanalysis. I don’t remember any of the details, but I remember my response after hearing the description of the attack.

“That’s cheating,” I said.

Because it was.

I also remember Brian turning to look at me. He didn’t say anything, but his look conveyed everything. “There’s no such thing as cheating in this business.”

Because there isn’t.

Hacking is cheating, and it’s how we get better at security. It’s only after someone invents a new attack that the rest of us can figure out how to defend against it.

For years I have refused to play the semantic “hacker” vs. “cracker” game. There are good hackers and bad hackers, just as there are good electricians and bad electricians. “Hacker” is a mindset and a skill set; what you do with it is a different issue.

And I believe the best computer security experts have the hacker mindset. When I look to hire people, I look for someone who can’t walk into a store without figuring out how to shoplift. I look for someone who can’t test a computer security program without trying to get around it. I look for someone who, when told that things work in a particular way, immediately asks how things stop working if you do something else.

We need these people in security, and we need them on our side. Criminals are always trying to figure out how to break security systems. Field a new system—an ATM, an online banking system, a gambling machine—and criminals will try to make an illegal profit off it. They’ll figure it out eventually, because some hackers are also criminals. But if we have hackers working for us, they’ll figure it out first—and then we can defend ourselves.

It’s our only hope for security in this fast-moving technological world of ours.

This essay appeared in the Summer 2006 issue of 2600.

Posted on September 14, 2006 at 7:13 AM

Cheating on Tests

“How to Cheat Good.”

Edit > Paste Special > Unformatted Text

This is my Number 1 piece of advice, even if it is numbered eight. When you copy things from the web into Word, ignoring #3 above, don’t just “Edit > Paste” it into your document. When I am reading a document in black, Times New Roman, 12pt, and it suddenly changes to blue, Helvetica, 10pt (yes, really), I’m going to guess that something odd may be going on. This seems to happen in about 1% of student work turned in, and periodically makes me feel like becoming a hermit.

Posted on May 25, 2006 at 12:26 PM

Al Qaeda Hacker Captured

Irhabi 007 has been captured.

For almost two years, intelligence services around the world tried to uncover the identity of an Internet hacker who had become a key conduit for al-Qaeda. The savvy, English-speaking, presumably young webmaster taunted his pursuers, calling himself Irhabi—Terrorist—007. He hacked into American university computers, propagandized for the Iraq insurgents led by Abu Musab al-Zarqawi and taught other online jihadists how to wield their computers for the cause.

Assuming the British authorities are to be believed, he definitely was a terrorist:

Suddenly last fall, Irhabi 007 disappeared from the message boards. The postings ended after Scotland Yard arrested a 22-year-old West Londoner, Younis Tsouli, suspected of participating in an alleged bomb plot. In November, British authorities brought a range of charges against him related to that plot. Only later, according to our sources familiar with the British probe, was Tsouli’s other suspected identity revealed. British investigators eventually confirmed to us that they believe he is Irhabi 007.

[…]

Tsouli has been charged with eight offenses including conspiracy to murder, conspiracy to cause an explosion, conspiracy to cause a public nuisance, conspiracy to obtain money by deception and offences relating to the possession of articles for terrorist purposes and fundraising.

Okay. So he was a terrorist. And he used the Internet, both as a communication tool and to break into networks. But this does not make him a cyberterrorist.

Interesting article, though.

Here’s the Slashdot thread on the topic.

Posted on March 28, 2006 at 7:27 AM

School Bus Drivers to Foil Terrorist Plots

This is a great example of a movie-plot threat:

Already mindful of motorists with road rage and kids with weapons, bus drivers are being warned of far more grisly scenarios. Like this one: Terrorists monitor a punctual driver for weeks, then hijack a bus and load the friendly yellow vehicle with enough explosives to take down a building.

It’s so bizarre it’s comical.

But don’t worry:

An alert school bus driver could foil that plan, security expert Jeffrey Beatty recently told a class of 250 drivers in Norfolk, Va.

So we’re funding counterterrorism training for school bus drivers:

Financed by the Homeland Security Department, school bus drivers are being trained to watch for potential terrorists, people who may be casing their routes or plotting to blow up their buses.

[…]

The new effort is part of Highway Watch, an industry safety program run by the American Trucking Associations and financed since 2003 with $50 million in homeland security money.

So far, tens of thousands of bus operators have been trained in places large and small, from Dallas and New York City to Kure Beach, N.C., Hopewell, Va., and Mount Pleasant, Texas.

The commentary borders on the surreal:

Kenneth Trump, a school safety consultant who tracks security trends, said being prepared is not being alarmist. “Denying and downplaying schools and school buses as potential terror targets here in the U.S.,” Trump said, “would be foolish.”

This is certainly a complete waste of money. Possibly it’s even bad for security, as bus drivers have to divide their attention between real threats—automobile accidents involving children—and movie-plot terrorist threats. And there’s the ever-creeping surveillance society:

“Today it’s bus drivers, tomorrow it could be postal officials, and the next day, it could be, ‘Why don’t we have this program in place for the people who deliver the newspaper to the door?’ ” Rollins said. “We could quickly get into a society where we’re all spying on each other. It may be well intentioned, but there is a concern of going a bit too far.”

What should we do with this money instead? We should fund things that actually help defend against terrorism: intelligence, investigation, emergency response. Trying to correctly guess what the terrorists are planning is generally a waste of resources; investing in security countermeasures that will help regardless of what the terrorists are planning is much smarter.

Posted on February 21, 2006 at 9:07 AM

The Kutztown 13

Thirteen Pennsylvania high-school kids—Kutztown 13—are being charged with felonies:

They’re being called the Kutztown 13—a group of high schoolers charged with felonies for bypassing security with school-issued laptops, downloading forbidden internet goodies and using monitoring software to spy on district administrators.

The students, their families and outraged supporters say authorities are overreacting, punishing the kids not for any heinous behavior—no malicious acts are alleged—but rather because they outsmarted the district’s technology workers….

The trouble began last fall after the district issued some 600 Apple iBook laptops to every student at the high school about 50 miles northwest of Philadelphia. The computers were loaded with a filtering program that limited Internet access. They also had software that let administrators see what students were viewing on their screens.

But those barriers proved easily surmountable: The administrative password that allowed students to reconfigure computers and obtain unrestricted Internet access was easy to obtain. A shortened version of the school’s street address, the password was taped to the backs of the computers.

The password got passed around and students began downloading such forbidden programs as the popular iChat instant-messaging tool.

At least one student viewed pornography. Some students also turned off the remote monitoring function and turned the tables on their elders, using it to view administrators’ own computer screens.

There’s more to the story, though. Here’s some good commentary on the issue:

What the parents don’t mention—but the school did in a press release—is that it wasn’t as if the school came down with the Hammer of God out of nowhere.

These kids were caught and punished for doing this stuff, and their parents informed.

Over and over.

Quoth the release:

“Unfortunately, after repeated warnings and disciplinary actions, a few students continued to misuse the school-issued laptops to varying degrees. The disciplinary actions included detentions, in-school suspensions, loss of Internet access, and loss of computer privileges. After each disciplinary action, parents received either written notification or telephone calls.”

What was the parents’ reaction to those disciplinary actions? Some of them complained that—despite signing a document agreeing to the acceptable use policy—the kids should be able to do whatever they wanted to with the free machines.

“We signed it, but we didn’t mean it”?

Yes, the kids should be punished. No, a felony conviction is not the way to punish them.

The problem is that the punishment doesn’t fit the crime. Breaking the rules is what kids do. Society needs to deal with that, yes, but it needs to deal with that in a way that doesn’t ruin lives. Deterrence is critical if we are to ever have a lawful society on the internet, but deterrence has to come from rational prosecution. This simply isn’t rational.

EDITED TO ADD (2 Sep): It seems that charges have been dropped.

Posted on August 22, 2005 at 6:56 AM

Plagiarism and Academia: Personal Experience

A paper published in the December 2004 issue of the SIGCSE Bulletin, “Cryptanalysis of some encryption/cipher schemes using related key attack,” by Khawaja Amer Hayat, Umar Waqar Anis, and S. Tauseef-ur-Rehman, is the same as a paper that John Kelsey, David Wagner, and I published in 1997.

It’s clearly plagiarism. Sentences have been reworded or summarized a bit and many typos have been introduced, but otherwise it’s the same paper. It’s copied, with the same section, paragraph, and sentence structure—right down to the same mathematical variable names. It has the same quirks in the way references are cited. And so on.

We wrote two papers on the topic; this is the second. They don’t list either of our papers in their bibliography. They do have a lurking reference to “[KSW96]” (the first of our two papers) in the body of their introduction and design principles, presumably copied from our text; but a full citation for “[KSW96]” isn’t in their bibliography. Perhaps they were worried that one of the referees would read the papers listed in their bibliography, and notice the plagiarism.

The three authors are from the International Islamic University in Islamabad, Pakistan. The third author, S. Tauseef-Ur-Rehman, is a department head (and faculty member) in the Telecommunications Engineering Department at this Pakistani institution. If you believe his story—which is probably correct—he had nothing to do with the research, but just appended his name to a paper by two of his students. (This is not unusual; it happens all the time in universities all over the world.) But that doesn’t get him off the hook. He’s still responsible for anything he puts his name on.

And we’re not the only ones. The same three authors plagiarized this paper by French cryptographer Serge Vaudenay and others.

I wrote to the editor of the SIGCSE Bulletin, who removed the paper from their website and demanded official letters of admission and apology. (The apologies are at the bottom of this page.) They said that they would ban them from submitting again, but have since backpedaled. Mark Mandelbaum, Director of the Office of Publications at ACM, now says that ACM has no policy on plagiarism and that nothing additional will be done. I’ve also written to Springer-Verlag, the publisher of my original paper.

I don’t blame the journals for letting these papers through. I’ve refereed papers, and it’s pretty much impossible to verify that a piece of research is original. We’re largely self-policing.

Mostly, the system works. These three have been found out, and should be fired and/or expelled. Certainly ACM should ban them from submitting anything, and I am very surprised at their claim that they have no policy with regards to plagiarism. Academic plagiarism is serious enough to warrant that level of response. I don’t know if the system works in Pakistan, though. I hope it does. These people knew the risks when they did it. And then they did it again.

If I sound angry, I’m not. I’m more amused. I’ve heard of researchers from developing countries resorting to plagiarism to pad their CVs, but I’m surprised to see it happen to me. I mean, really; if they were going to do this, wouldn’t it have been smarter to pick a more obscure author?

And it’s nice to know that our work is still considered relevant eight years later.

EDITED TO ADD: Another paper, “Analysis of Real-time Transport Protocol Security,” by Junaid Aslam, Saad Rafique and S. Tauseef-ur-Rehman, has been plagiarized from this original: “Real-time Transport Protocol (RTP) security,” by Ville Hallivuori.

EDITED TO ADD: Ron Boisvert, the Co-Chair of the ACM Publications Board, has said this:

1. ACM has always been a champion for high ethical standards among computing professionals. Respecting intellectual property rights is certainly a part of this, as is clearly reflected in the ACM Code of Ethics.

2. ACM has always acted quickly and decisively to deal with allegations of plagiarism related to its publications, and remains committed to doing so in the future.

3. In the past, such incidents of plagiarism were rare. However, in recent years the number of such incidents has grown considerably. As a result, the ACM Publications Board has recently begun work to develop a more explicit policy on plagiarism. In doing so we hope to lay out (a) what constitutes plagiarism, as well as various levels of plagiarism, (b) ACM procedures for handling allegations of plagiarism, and (c) specific penalties which will be leveled against those found to have committed plagiarism at each of the identified levels. When this new “policy” is in place, we hope to widely publicize it in order to draw increased attention to this growing problem.

EDITED TO ADD: There’s a news story with some new developments.

EDITED TO ADD: Over the past couple of weeks, I have been getting repeated e-mails from people, presumably faculty and administrators of the International Islamic University, to close comments in this blog entry. The justification usually given is that there is an official investigation underway so there’s no longer any reason for comments, or that Tauseef has been fired so there’s no longer any reason for comments, or that the comments are harmful to the reputation of the university or the country.

I have responded that I will not close comments on this blog entry. I have, and will continue to, delete posts that are incoherent or hostile (there have been examples of both).

Blog comments are anonymous. There is no way for me to verify the identity of posters, and I don’t. I have, and will continue to, remove any posts purporting to come from a person they do not come from, but generally the only way I can figure that out is if the real person e-mails me and asks.

Otherwise, consider this a forum for anonymous free speech. The comments here are unvetted and unverified. They might be true, and they might be false. Readers are expected to understand that, and I believe for the most part they do.

In the United States, we have a saying that the antidote for bad speech is more speech. I invite anyone who disagrees with the comments on the page to post their own opinions.

Posted on August 1, 2005 at 6:07 AM

Student Hacks System to Alter Grades

This is an interesting story:

A UCSB student is being charged with four felonies after she allegedly stole the identity of two professors and used the information to change her own and several other students’ grades, police said.

The University of California Santa Barbara has a custom program, eGrades, where faculty can submit and alter grades. It’s password protected, of course. But there’s a backup system, so that faculty who forget their password can reset it using their Social Security number and date of birth.

A student worked for an insurance company, and she was able to obtain SSN and DOB for two faculty members. She used that information to reset their passwords and change grades.

Police, university officials and campus computer specialists said Ramirez’s alleged illegal access to the computer grading system was not the result of a deficiency or flaw in the program.

Sounds like a flaw in the program to me. It’s even one I’ve written about: a primary security mechanism that fails to a less-secure secondary mechanism.
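The failure mode in that last sentence, modelled as an added example (this is not the UCSB eGrades code, which is not reproduced here; every account, name and value is constructed). The first class accepts a password at login but lets anyone holding the professor's SSN and date of birth set a new password, so the strong primary mechanism is only as strong as two values an insurance clerk can look up. The second class removes that knowledge-based path and instead proves control of the owner's registered mailbox (modelled as a dictionary) with a random, single-use, expiring token that tolerates only a few wrong guesses:

```python
"""Primary login vs. weaker recovery path: a constructed model, not eGrades."""
import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the hash itself is not the weak point in this design.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class WeakResetGrades:
    """Primary mechanism: password. Secondary mechanism: SSN and date of birth."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def register(self, user: str, password: str, ssn: str, dob: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw": _hash_password(password, salt),
                            "ssn": ssn, "dob": dob}

    def login(self, user: str, password: str) -> bool:
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(
            _hash_password(password, u["salt"]), u["pw"])

    def reset_password(self, user: str, ssn: str, dob: str, new_password: str) -> bool:
        # Knowing SSN + DOB is treated as equivalent to knowing the password.
        u = self.users.get(user)
        if u is None or u["ssn"] != ssn or u["dob"] != dob:
            return False
        u["pw"] = _hash_password(new_password, u["salt"])
        return True


class HardenedResetGrades(WeakResetGrades):
    """Recovery proves control of the owner's mailbox (a dict here) instead of
    knowledge of widely held identity data."""

    TOKEN_TTL_SECONDS = 15 * 60
    MAX_ATTEMPTS = 3

    def __init__(self, mailbox: dict[str, list[str]]) -> None:
        super().__init__()
        self.mailbox = mailbox
        self.pending: dict[str, dict] = {}

    def request_reset(self, user: str) -> None:
        if user not in self.users:
            return  # same behaviour for unknown users: no username oracle
        token = secrets.token_urlsafe(32)
        self.pending[user] = {"digest": hashlib.sha256(token.encode()).digest(),
                              "expires": time.time() + self.TOKEN_TTL_SECONDS,
                              "attempts": 0}
        self.mailbox.setdefault(user, []).append(token)  # out-of-band delivery

    def complete_reset(self, user: str, token: str, new_password: str) -> bool:
        entry = self.pending.get(user)
        if entry is None or time.time() > entry["expires"]:
            self.pending.pop(user, None)
            return False
        entry["attempts"] += 1
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, entry["digest"]):
            if entry["attempts"] >= self.MAX_ATTEMPTS:
                del self.pending[user]  # cap online guessing of the token
            return False
        del self.pending[user]  # single use: a captured token cannot be replayed
        u = self.users[user]
        u["pw"] = _hash_password(new_password, u["salt"])
        return True

    def reset_password(self, *args, **kwargs) -> bool:
        return False  # the knowledge-based recovery path no longer exists


def demo_weak_reset() -> bool:
    """Someone holding only leaked SSN/DOB ends up logged in as the professor."""
    g = WeakResetGrades()
    g.register("prof_a", "correct horse battery staple", ssn="000-00-0000", dob="1960-01-01")
    g.reset_password("prof_a", "000-00-0000", "1960-01-01", "attacker-chosen")
    return g.login("prof_a", "attacker-chosen")  # True: the password was never needed


def demo_hardened_reset() -> tuple[bool, bool, bool]:
    """(wrong-token attempt, owner's attempt with the mailed token, replay of that token)."""
    inbox: dict[str, list[str]] = {}
    g = HardenedResetGrades(inbox)
    g.register("prof_a", "correct horse battery staple", ssn="000-00-0000", dob="1960-01-01")
    g.request_reset("prof_a")
    guess = g.complete_reset("prof_a", "not-the-token", "attacker-chosen")
    owner = g.complete_reset("prof_a", inbox["prof_a"][-1], "owner-new-password")
    replay = g.complete_reset("prof_a", inbox["prof_a"][-1], "attacker-chosen")
    return guess, owner, replay
```

The point the two classes make is the one the post makes: the effective strength of an account is the strength of its weakest accepted path, so any recovery route has to be evaluated as a login mechanism in its own right, not as an afterthought.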

Posted on April 1, 2005 at 2:36 PM

Fingerprinting Students

A nascent security trend in the U.S. is tracking schoolchildren when they get on and off school buses.

Hoping to prevent the loss of a child through kidnapping or more innocent circumstances, a few schools have begun monitoring student arrivals and departures using technology similar to that used to track livestock and pallets of retail shipments.

A school district in Spring, Texas, is using computerized ID badges to record this information, and wirelessly sending it to police headquarters. Another school district, in Phoenix, is doing the same thing with fingerprint readers. The system is supposed to help prevent the loss of a child, whether through kidnapping or accident.

What’s going on here? Have these people lost their minds? Tracking kids as they get on and off school buses is a ridiculous idea. It’s expensive, invasive, and doesn’t increase security very much.

Security is always a trade-off. In Beyond Fear, I delineated a five-step process to evaluate security countermeasures. The idea is to be able to determine, rationally, whether a countermeasure is worth it. In the book, I applied the five-step process to everything from home burglar alarms to military action against terrorism. Let’s apply it in this case.

Step 1: What assets are you trying to protect? Children.

Step 2: What are the risks to these assets? Loss of the child, either due to kidnapping or accident. Child kidnapping is a serious problem in the U.S.; the odds of a child being abducted by a family member are 1 in 340 and by a non-family member are 1 in 1,200 (per year). (These statistics are for 1999, and are from NISMART-2, U.S. Department of Justice. My guess is that the current rates in Spring, Texas, are much lower.) Very few of these kidnappings involve school buses, so it’s unclear how serious the specific risks being addressed here are.

Step 3: How well does the security solution mitigate those risks? Not very well.

Let’s imagine how this system might provide security in the event of a kidnapping. If a kidnapper—assume it’s someone the child knows—goes onto the school bus and takes the child off at the wrong stop, the system would record that. Otherwise—if the kidnapping took place either before the child got on the bus or after the child got off—the system wouldn’t record anything suspicious. Yes, it would tell investigators if the kidnapping happened before morning attendance and either before or after the school bus ride, but is that one piece of information worth this entire tracking system? I doubt it.

You could imagine a movie-plot scenario where this kind of tracking system could help the hero recover the kidnapped child, but it hardly seems useful in the general case.

Step 4: What other risks does the security solution cause? The additional risk is the data collected through constant surveillance. Where is this information collected? Who has access to it? How long is it stored? These are important security questions that get no mention.

Step 5: What costs and trade-offs does the security solution impose? There are two. The first is obvious: money. I don’t have it figured, but it’s expensive to outfit every child with an ID card and every school bus with this system. The second cost is more intangible: a loss of privacy. We are raising children who think it normal that their daily movements are watched and recorded by the police. That feeling of privacy is not something we should give up lightly.

So, finally: is this system worth it? No. The security gained is not worth the money and privacy spent. If the goal is to make children safer, the money would be better spent elsewhere: guards at the schools, education programs for the children, etc.

If this system makes so little sense, why have at least two cities in the U.S. implemented it? The obvious answer is that the school districts didn’t think the problem through. Either they were seduced by the technology, or by the companies that built the system. But there’s another, more interesting, possibility.

In Beyond Fear, I talk about the notion of agenda. The five-step process is a subjective one, and should be evaluated from the point of view of the person making the trade-off decision. If you imagine that the school officials are making the trade-off, then the system suddenly makes sense.

If a kidnapping occurs on school property, the subsequent investigation could easily hurt school officials. They could even lose their jobs. If you view this security countermeasure as one protecting them just as much as it protects children, it suddenly makes more sense. The trade-off might not be worth it in general, but it’s worth it to them.

Kidnapping is a real problem, and countermeasures that help reduce the risk are a good thing. But remember that security is always a trade-off, and a good security system is one where the security benefits are worth the money, convenience, and liberties that are being given up. Quite simply, this system isn’t worth it.

Posted on January 11, 2005 at 9:49 AM
