Lesson Plan: Meet the Hackers


Meet the Hackers

Lesson Plan for grades 9–12
Time: 2 periods (50 min ea.)

INTRODUCTION

Despite its origins, the term “hacker” has come to evoke images of computer criminal sneaking across networks to cause damage, to steal information, or for some personal gain. However, this this portrayal may not reflect reality. For example, the term “white hat hackers” is commonly applied to a non-criminal, professional hired to learn about systems to better protect them. To better protect ourselves, we may need a more nuanced understanding of “hackers.”

In the game [d0x3d!], players act as hackers who attack a network to recover assets allegedly belonging to them. What type of hacker are these? What are their goals? What are the legal implications of their actions? This lesson explores the idea of a hacker and their motivations. It is intended to be taught over two 50 minute class periods.

SUMMARY

Students will learn who hackers are, the different types of hackers, and the legalities concerning hacking.

Objectives

  1. Students will be able to define the terms black-hat hacker, white-hat hacker, and gray-hat hacker.
  2. Students will be able to distinguish among types of hackers based on their motivations and actions.
  3. Students will be able to discuss different perspectives related to a court case about hacking, and use evidence to defend a position.

Standards

Assumed Student Prior Knowledge

This lesson assumes students have had prior experience with computer systems, the Internet and some awareness of the need for online safety and the threat of hackers.

Materials

Vocabulary


BACKGROUND FOR TEACHER

The term, “hacker” began to take its modern connotations in the 1960s and 1970s among university students. Most notably, the Massachusetts Institute of Technology (MIT) is often credited as the birthplace of the “hacker culture,” at a student group called the Tech Model Railroad Club (TMRC). TMRC reflected its members’ love and curiosity for how objects worked [TMRC]. The club was diverse in its interests related to model trains: one group was interested in accurate replicas of historical trains, another wanted to run trains on strict schedules, and another (the Signals and Power Subcommittee) created the circuits that made the model trains run. To understand or use technologies in new ways, students would modify “hack” them. The group eventually expanded into the world of computers and programming. Over time, “hacking” became less about model trains and began to take on its modern connotation of computer use and users.

Even among experts, “hacking” is an ambiguous term. GNU project founder Richard Stallman reflects on a possible definition [Stallman, 2002], writing:

It is hard to write a simple definition of something as varied as hacking, but I think what these activities have in common is playfulness, cleverness, and exploration. Thus, hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have ‘hack value’.

In the 1980s, the media took notice of one aspect of hacker culture perceived to be more dangerous than playful: circumventing and breaking computer security controls [Newsweek, 1983; Time, 1983]. During this decade, the movie WarGames increased the profile of self-described hackers. The term was adopted in several underground publications about circumventing security. Soon, words like “computer raider,” “cracker,” and “phreaker” faded from use, to be replaced by the term “hacker,” and “hacking” began to refer solely to circumventing computer controls. Many hackers have been fighting this perception ever since.

MOTIVATIONS OF MODERN HACKERS

Today, computer hackers have a variety of motivations. Some are motivated by the spirit of investigation. Some are interested in learning to better defend computer networks. Some have malicious intent, and typify the mainstream idea of a hacker. In response, the community has invented terminology to disentangle these roles, assigning to hackers a “hat” to reflect their motivations. The terminology is itself overly simplistic, originating from the Western movie genre where the sheriff wears a white hat and the bandit, a black one.

 

A white-hat hacker searches for system vulnerabilities, either as an employee (or with the permission) of the organization owning the system. White hats are often referred to as ethical hackers. When a white hat identifies a system weakness, they notify the organization for remediation, preventing it from exploitation by criminals. White hats may be motivated by reputation or pride (professional accomplishment), financial gain (through consulting work) or altruism.

A black-hat hacker compromises systems for the purpose of personal gain, causing harm or mischief.  Unlike white hats, black hats tend to not work within legal boundaries and do not feel restricted by a professional code of ethics. Black hats may be motivated by reputation or pride (bragging rights), financial gain (through criminal work) or mischief.

Somewhere between these is the gray-hat hacker. The Electronic Frontier Foundation characterizes gray hats as ethical security researchers who may inadvertently violate the law in an effort to research and improve security [EFF]. Gray hats may not have malicious intent. They will often bring vulnerabilities to a system owner’s attention, even when not contractually obligated to do so. Despite possible good intentions, a gray hat’s action may have serious legal implications. An affected organization may be within their right to file a criminal suit against a gray-hat hacker.

The hacktivist is a hacker that acts to advance a social, religious, or political ideology. These motivations have a strong influence on the types and style of exploits by these hackers. They are often associated with attacks that led to the victim’s embarrassment (website defacement) or financial loss (denial of service attacks), rather than those contributing to the hacktivist’s personal financial gain (money laundering, sending spam). The group Anonymous has become known for their politically-charged attacks on financial institutions, extreme religious organizations or even governments.

LEGAL ISSUES OF HACKING

It is important to understand the legal consequences (any) hackers may face when exposing or exploiting a system’s vulnerabilities. The legal landscape is broad and complex in this area. Here, we briefly describe two United States laws that may provide a setting for relevant class discussion.

The Computer Fraud and Abuse Act of 1986 (CFAA) was intended to punish individuals that damaged government computer systems or stole digital information. In 1988, Robert Morris became the first person convicted under the Computer Fraud and Abuse Act after creating a “worm,” a malicious program that replicates itself in order to spread across computers. Over time, the law has been broadened by Congress. The CFAA now criminalizes “exceeding authorized access” to any computer system, not just those managed by the U.S. government. Courts are still struggling to interpret the law in the context of an ever-changing technological landscape. For example, ambiguity in interpreting the CFAA has led to the criminal prosecution of Aaron Swartz and Andrew “weev” Auernheimer—two individuals whose actions don’t neatly fit into either black or white hat monikers [Liberty Beacon, 2013].

The Digital Millennium Copyright Act (DMCA) contains similar prohibitions that criminalize the circumvention of access controls, such as anti-piracy technology (in particular, tools that circumvent those technologies intended to protect the interests of copyright holders). In 2007, John Stottlemire was sued by Coupons.com for posting code and instructions that helped shoppers circumvent single-use protections on their downloadable coupons [Wired, 200;Ars Technica, 2008], allowing people to print multiple coupons.


ENGAGE

1. Engagement Discussion

In 2008, three MIT students—while doing research for their final project in the class “Computer and Network Security” class—discovered a vulnerability in the electronic magstripe card system used by Massachusetts Bay Transportation Authority (MBTA). The cash value of the card was encoded on the card itself, not in a remote database, which allowed the information on the card to be overwritten. The students submitted a presentation of their findings to the DEF CON Hacker Convention, demonstrating some of the vulnerabilities they discovered. The MBTA took legal action and filed a suit to prevent the students from presenting their work, claiming monetary damages and a threat to public safety. The MBTA further asserted that the students had a professional responsibility to notify them of the flaw before their public presentation, allowing the MBTA ample time to correct the flaw.

Pose the following questions to students:

2. Define “Hacker” 

Present students with the table below, summarizing hacker terms. Express that these terms are sometimes useful in discussions about hackers, but that not all security researchers can be understood purely in these terms.

Definition

Motivation

Possible Consequences

Black-hat hacker

Hacker who uses their skills in criminal or unethical ways.

Malicious intent. Bypass security illegally to compromise system. Steal data.

If caught, subject to relevant federal laws.

White-hat hacker

Hacker who is authorized to hack, and does so following some ethical guidelines.

Professional. Discover vulnerabilities, in order to prevent exploitation.

Legal, since hired by system owner.

Gray-hat hacker

Hacker who enters computer systems and networks without authorization, may include vigilantes and hacktivists.

Reputation. To expose vulnerabilities, but make system owner aware of them. Political position.

Actions may be unappreciated, and face legal consequences.

CHECK FOR UNDERSTANDING

Interpret

Divide students into groups of three, one for each type of hacker. Each student will:

  1. Read an assigned article from the “Article Bank.”
  2. Summarize the article to the members in their group.
  3. Discuss which “hat” the hacker from the article wears (a black hat, white hat, or gray hat).

Play

Play the game [d0x3d!] in groups of three or four. Afterwards, discuss the hacker roles students adopted during the game. Can students construct a background story for the game where these characters are white-hat hackers? Where they are black-hat hackers? Are there particular roles where they might not be able to wear one of these hats?

Defend 

Watch the following video, featuring a talk by journalist Misha Glenny:

Summarize Glenny’s position, incorporating the vocabulary terms black-hat and white-hat hacker. Try to construct the reasons supporting the counter-argument: why shouldn’t countries like the US hire criminal hackers?

ASSESSMENT: MBTA v. Anderson

Now that students are introduced to the context of the MBTA v. Anderson case during the in-class discussion (and have learned the “hat colors” for characterizing hackers), students may read the following articles. Both articles relate to the MBTA v. Anderson court case.

Questions for students to consider:

  1. What are the core arguments for each side?
  2. Should the students have notified the transportation authority before presenting their findings to the DEFCON Hacker Convention? Why or why not?
  3. Were the students’ First Amendment rights to free speech violated? Do they have a right to make public this type of information, even if that information may be harmful or embarrassing?
  4. Should hackers, in general, have a responsibility to disclose the vulnerabilities or weaknesses in a company’s system to the company?
  5. Which “hat” would you place on the MIT students and why?

EXTENSION ACTIVITIES

In the News

Find a news article about the hackitivst group, Anonymous. Summarize hacking they did, and their the apparent purpose or goal.

Mock Trial

Have a mock trial of the MBTA v. Anderson court case. Does the class trial arrive at the same conclusion that the real trial did?

Policy Essay

Introduce and discuss the CFAA. The U.S. Justice Department believes the CFAA can be applied broadly, to include “terms of use” violations and breaches of workplace computer-use policies. Is this fair? Breaching an click-through agreement or ignoring your boss may not be a good thing, but should it be a federal crime just because it involves a computer?

Hacker Narrative

Read and discuss the following article about a famous hacker named Kevin Mitnick.


ARTICLE BANK: Hacker Interviews

The following are interviews with hackers. Note: the titles and a small portion of each article may assert the “hat” of the hackers in question; for the discussion activity where students hypothesize the hat color, consider distributing copies of the interview after you have stripped this information from it.

Interview: Anonymous

http://www.pbs.org/wgbh/pages/frontline/shows/hackers/interviews/anon.html

Interview with a Hacker

http://www.freedomfromfearmagazine.org/index.php?option=com_content&view=article&id=303:interview-with-a-hacker-&catid=50:issue-7&Itemid=187

Note: The title and first answer assert a hat color.

Hackers Around the World: Janne Ahlberg

http://news.softpedia.com/news/Hackers-Around-the-World-Janne-Ahlberg-White-Hat-from-Finland-264793.shtml

        Note: The title and second paragraph assert a hat color.


REFERENCES


TableTop Security

Rev. 7/18/13

pg.  of