
Next up: A lock-picking contest for students

Saturday, June 1st, 2013

I often read news stories about the special kind of foolishness exhibited by schools.  They leave me scratching my head wondering, what were they thinking?  How could they have possibly believed this was a good idea?  Most of the time, these stories concern hysterical overreactions to trivial misbehaviors, lame-brained “zero tolerance” policies, and dumb grading practices (such as half credit for zero work). 

Then I came across the story of a nearby school (Peru, Indiana) deliberately encouraging criminal behavior.  In this case, a misguided employee of the district decided it would be a great idea to interest students in the wholesome pursuit of computer hacking.  We’re not talking about hacking a game to inflate a player’s score.  Nor are we talking about hacking Lego Mindstorms or Roomba vacuum cleaners to add functionality.  No, we’re talking about a contest to see who could be the first to hack into the school’s computer network.

The entire hacker subculture is predicated on the idea that breaking and entering is acceptable if it happens in cyberspace.  This is not the legal view, of course.  Hackers – when caught – are routinely tried and sentenced to prison terms for breaking into servers.  In a recent case a “brilliant” hacker, who believed that his special cause justified his assault on servers at MIT, committed suicide rather than face the consequences of his clearly illegal enterprise.  Is this a culture to which we want to introduce our children?  Peru High School thinks it is.

The excuses are pretty flimsy: “They’re going to be sitting in the dark at home finding bad ways to use their skills.”  The solution to this alleged problem is to enhance those skills by substituting a “good” way to use them.  This is the same “they’re going to do it anyway” reasoning that leads to taxpayer-funded condoms for 12-year-olds (no parental consent required).

The employee responsible for the contest also claimed that “It tells us how much our students might know, how much danger they pose to our network.”  This sounds plausible on the surface, but in reality, it’s just lazy.  Current students are hardly the only threat.  For example, in a famous case involving an East German spy, the first step to gain entry into U.S. military networks was to hack into a server used by astronomers at Lawrence Labs at UC Berkeley. 

Learning the limitations of current students yields no useful information anyway – a student actually finding an unknown vulnerability would be bad news indeed.  Any network administrator should learn and apply best practices to securing the school’s servers and not worry about what complete amateurs (the winner “didn’t know anything when she started the contest”) might be able to do.

The contest was presented as an exercise in computer security, with students challenged to “inspect the security of [a client’s] network and find any potential security risks”.  But learning how to pick a lock does not confer the knowledge to design a better one.  Hacking was the only skill required and success in hacking was the only obvious outcome.

As a software developer for 40 years, I can understand why the programmer who ran the contest might enjoy putting this challenge before students.  But as a professor for 20 of those years, I have to ask, where were the teachers?  What professional educator thought it would be a good idea to promote skills that are used almost exclusively by criminals?
