Lesson Plan: Meet the Hackers
Meet the Hackers
Despite its origins, the term “hacker” has come to evoke images of computer criminal sneaking across networks to cause damage, to steal information, or for some personal gain. However, this this portrayal may not reflect reality. For example, the term “white hat hackers” is commonly applied to a non-criminal, professional hired to learn about systems to better protect them. To better protect ourselves, we may need a more nuanced understanding of “hackers.”
In the game [d0x3d!], players act as hackers who attack a network to recover assets allegedly belonging to them. What type of hacker are these? What are their goals? What are the legal implications of their actions? This lesson explores the idea of a hacker and their motivations. It is intended to be taught over two 50 minute class periods.
Students will learn who hackers are, the different types of hackers, and the legalities concerning hacking.
This lesson assumes students have had prior experience with computer systems, the Internet and some awareness of the need for online safety and the threat of hackers.
BACKGROUND FOR TEACHER
The term, “hacker” began to take its modern connotations in the 1960s and 1970s among university students. Most notably, the Massachusetts Institute of Technology (MIT) is often credited as the birthplace of the “hacker culture,” at a student group called the Tech Model Railroad Club (TMRC). TMRC reflected its members’ love and curiosity for how objects worked [TMRC]. The club was diverse in its interests related to model trains: one group was interested in accurate replicas of historical trains, another wanted to run trains on strict schedules, and another (the Signals and Power Subcommittee) created the circuits that made the model trains run. To understand or use technologies in new ways, students would modify “hack” them. The group eventually expanded into the world of computers and programming. Over time, “hacking” became less about model trains and began to take on its modern connotation of computer use and users.
Even among experts, “hacking” is an ambiguous term. GNU project founder Richard Stallman reflects on a possible definition [Stallman, 2002], writing:
It is hard to write a simple definition of something as varied as hacking, but I think what these activities have in common is playfulness, cleverness, and exploration. Thus, hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have ‘hack value’.
In the 1980s, the media took notice of one aspect of hacker culture perceived to be more dangerous than playful: circumventing and breaking computer security controls [Newsweek, 1983; Time, 1983]. During this decade, the movie WarGames increased the profile of self-described hackers. The term was adopted in several underground publications about circumventing security. Soon, words like “computer raider,” “cracker,” and “phreaker” faded from use, to be replaced by the term “hacker,” and “hacking” began to refer solely to circumventing computer controls. Many hackers have been fighting this perception ever since.
Today, computer hackers have a variety of motivations. Some are motivated by the spirit of investigation. Some are interested in learning to better defend computer networks. Some have malicious intent, and typify the mainstream idea of a hacker. In response, the community has invented terminology to disentangle these roles, assigning to hackers a “hat” to reflect their motivations. The terminology is itself overly simplistic, originating from the Western movie genre where the sheriff wears a white hat and the bandit, a black one.
A white-hat hacker searches for system vulnerabilities, either as an employee (or with the permission) of the organization owning the system. White hats are often referred to as ethical hackers. When a white hat identifies a system weakness, they notify the organization for remediation, preventing it from exploitation by criminals. White hats may be motivated by reputation or pride (professional accomplishment), financial gain (through consulting work) or altruism.
A black-hat hacker compromises systems for the purpose of personal gain, causing harm or mischief. Unlike white hats, black hats tend to not work within legal boundaries and do not feel restricted by a professional code of ethics. Black hats may be motivated by reputation or pride (bragging rights), financial gain (through criminal work) or mischief.
Somewhere between these is the gray-hat hacker. The Electronic Frontier Foundation characterizes gray hats as ethical security researchers who may inadvertently violate the law in an effort to research and improve security [EFF]. Gray hats may not have malicious intent. They will often bring vulnerabilities to a system owner’s attention, even when not contractually obligated to do so. Despite possible good intentions, a gray hat’s action may have serious legal implications. An affected organization may be within their right to file a criminal suit against a gray-hat hacker.
The hacktivist is a hacker that acts to advance a social, religious, or political ideology. These motivations have a strong influence on the types and style of exploits by these hackers. They are often associated with attacks that led to the victim’s embarrassment (website defacement) or financial loss (denial of service attacks), rather than those contributing to the hacktivist’s personal financial gain (money laundering, sending spam). The group Anonymous has become known for their politically-charged attacks on financial institutions, extreme religious organizations or even governments.
It is important to understand the legal consequences (any) hackers may face when exposing or exploiting a system’s vulnerabilities. The legal landscape is broad and complex in this area. Here, we briefly describe two United States laws that may provide a setting for relevant class discussion.
The Computer Fraud and Abuse Act of 1986 (CFAA) was intended to punish individuals that damaged government computer systems or stole digital information. In 1988, Robert Morris became the first person convicted under the Computer Fraud and Abuse Act after creating a “worm,” a malicious program that replicates itself in order to spread across computers. Over time, the law has been broadened by Congress. The CFAA now criminalizes “exceeding authorized access” to any computer system, not just those managed by the U.S. government. Courts are still struggling to interpret the law in the context of an ever-changing technological landscape. For example, ambiguity in interpreting the CFAA has led to the criminal prosecution of Aaron Swartz and Andrew “weev” Auernheimer—two individuals whose actions don’t neatly fit into either black or white hat monikers [Liberty Beacon, 2013].
The Digital Millennium Copyright Act (DMCA) contains similar prohibitions that criminalize the circumvention of access controls, such as anti-piracy technology (in particular, tools that circumvent those technologies intended to protect the interests of copyright holders). In 2007, John Stottlemire was sued by Coupons.com for posting code and instructions that helped shoppers circumvent single-use protections on their downloadable coupons [Wired, 200;Ars Technica, 2008], allowing people to print multiple coupons.
1. Engagement Discussion
In 2008, three MIT students—while doing research for their final project in the class “Computer and Network Security” class—discovered a vulnerability in the electronic magstripe card system used by Massachusetts Bay Transportation Authority (MBTA). The cash value of the card was encoded on the card itself, not in a remote database, which allowed the information on the card to be overwritten. The students submitted a presentation of their findings to the DEF CON Hacker Convention, demonstrating some of the vulnerabilities they discovered. The MBTA took legal action and filed a suit to prevent the students from presenting their work, claiming monetary damages and a threat to public safety. The MBTA further asserted that the students had a professional responsibility to notify them of the flaw before their public presentation, allowing the MBTA ample time to correct the flaw.
Pose the following questions to students:
2. Define “Hacker”
Present students with the table below, summarizing hacker terms. Express that these terms are sometimes useful in discussions about hackers, but that not all security researchers can be understood purely in these terms.
Hacker who uses their skills in criminal or unethical ways.
Malicious intent. Bypass security illegally to compromise system. Steal data.
If caught, subject to relevant federal laws.
Hacker who is authorized to hack, and does so following some ethical guidelines.
Professional. Discover vulnerabilities, in order to prevent exploitation.
Legal, since hired by system owner.
Hacker who enters computer systems and networks without authorization, may include vigilantes and hacktivists.
Reputation. To expose vulnerabilities, but make system owner aware of them. Political position.
Actions may be unappreciated, and face legal consequences.
Divide students into groups of three, one for each type of hacker. Each student will:
Play the game [d0x3d!] in groups of three or four. Afterwards, discuss the hacker roles students adopted during the game. Can students construct a background story for the game where these characters are white-hat hackers? Where they are black-hat hackers? Are there particular roles where they might not be able to wear one of these hats?
Watch the following video, featuring a talk by journalist Misha Glenny:
Summarize Glenny’s position, incorporating the vocabulary terms black-hat and white-hat hacker. Try to construct the reasons supporting the counter-argument: why shouldn’t countries like the US hire criminal hackers?
ASSESSMENT: MBTA v. Anderson
Now that students are introduced to the context of the MBTA v. Anderson case during the in-class discussion (and have learned the “hat colors” for characterizing hackers), students may read the following articles. Both articles relate to the MBTA v. Anderson court case.
Questions for students to consider:
Find a news article about the hackitivst group, Anonymous. Summarize hacking they did, and their the apparent purpose or goal.
Have a mock trial of the MBTA v. Anderson court case. Does the class trial arrive at the same conclusion that the real trial did?
Read and discuss the following article about a famous hacker named Kevin Mitnick.
ARTICLE BANK: Hacker Interviews
The following are interviews with hackers. Note: the titles and a small portion of each article may assert the “hat” of the hackers in question; for the discussion activity where students hypothesize the hat color, consider distributing copies of the interview after you have stripped this information from it.
Interview with a Hacker
Note: The title and first answer assert a hat color.
Hackers Around the World: Janne Ahlberg
Note: The title and second paragraph assert a hat color.