Hacker U.

It is a war zone out there, on our networks. And the front lines are our high school networks, where budding hackers and kids who want to think of themselves as such are daily practicing their penetration skills, network penetration that is. And what happens when they graduate? They get to practice some more on college networks, where the good ones can get paid as research assistants to security start-ups. If they get really good, these folks get to go to conferences such as the upcoming romps in the desert next week, Black Hat/Defcon. Here they are celebrated for their exploits and the press has a field day writing about all the trouble caused. Is there any wonder why something is wrong with this picture? We reward people for the wrong things.

I was thinking about this recently, as I had the opportunity to interview a school district’s network administrator this week. As I was talking to him, I was flashing back on my own in-school experience. Five years ago, I had a part-time job teaching a bunch of high school boys beginning networking topics, and the class was an eye-opener for me. I found out, for example, how hard it was to teach someone how to do subnetting, and that, faced with the really hard work of protocol decodes, the kids just wanted to log in as system administrator and leave it at that. Some of the guys are now out of college and have jobs in the IT industry, something that I am very proud of. (And some of them are still slackers, something that I am not proud of.)

But anyway, back to the attacks. My school district source was very clear about his frustrations in trying to keep the kids under control, and told me of the continuing struggle in his private battle between the forces of good and evil, and it isn’t pretty.

He locks down his network pretty tightly. He runs a content filter, so they can’t grab p0rn sites and go to other objectionable places, but even so these filters don’t stop everyone, especially students who have time on their hands and know how to reconfigure their browsers to hit proxy servers to avoid the filters. “It is amazing how clever the kids are at finding proxy servers to get around our blocks,” he told me. Many of the proxy sites use SSL connections, and “It didn’t take long for the kids to figure out how that worked.” So he has to lock down proxy servers now too, and more than that has to scan his network every day to see if the kids have exploited something new. He has even gone so far as to assign static IP addresses, all the better to keep track of where the rogue user might be entering his network.

What I find interesting about this school district — and I am sure that they are typical — is that so many of their issues are threats from within. The days of having a perimeter and keeping the bad guys on the outside are so over. I was interested to learn that there is a whole class of newish products that go under various headings such as “extrusion detection” and “data leakage monitors” to track and prevent insiders from doing bad things, such as sending your entire customer file to their hotmail accounts.

That isn’t to say that there aren’t plenty of bad guys out there scanning away: when I was at Stanford last month doing some tests for Information Security magazine, we had someone try to penetrate one of the SSL VPN boxes that I was testing. (They didn’t get in, but it was still spooky to watch as we were going about our business at hand.) Turns out they get thousands of attempts every hour of every day. It helps that they are a very visible target, but still: put a new PC on the Internet, and someone will try to break in within a few seconds nowadays. You gotta have protection!

The technology has changed in the five years since I was teaching, but the attitudes and methods haven’t. Back when I was in the classroom, we had networked PCs and I often taught from the back of the room, the better to see what the kids were doing. Most of the time, they were checking their overnight ratings on CS or IM’ing their friends telling them about their overnight ratings. Soon, the district put a stop to that, but they still could use the Web IM client (this was in the days before there were products to specifically block IM traffic). Now we have peer-to-peer music sharing and MySpace to worry about. “It is amazing how often the kids want to check their MySpace pages — they can’t go a couple of hours without trying to log in,” my school source was telling me.

Now that summer is here, the district relaxes its policies for the staff a bit — they can download streaming music during the summer but not once school is back in session. And indeed, when we were scanning the network we saw one staffer listening to Internet radio and having a nice time taking all that bandwidth.

As a parent, I operated under the maxim of protect but verify, and it is a good one for a networked school district — or even any corporate environment — to operate under as well. One way is to install remote desktop software on every machine in your network, so the support people can reach out and touch someone’s PC if they are having problems, or doing something that they shouldn’t. A hospital that I visited last month had implemented this solution. They found it useful when their activity logs showed some spike in network traffic coming at either an odd hour or from an odd place. A quick look-see would generate a phone call to the user’s boss: “Do you know what your staff is doing with their PC?” No one I know wants to receive that phone call. My source at the hospital told me that he found that an ex-employee who still had login credentials was using the network the night after he was fired — and didn’t realize that every mouse click was being watched.

Yes, we have come a long way since I was teaching Networking 101. But if I have learned anything over the years, it is that it is getting harder to protect and verify our networks, as the users and exploit tools get more sophisticated. You just can’t stand still, and have to continue to tighten things up.

0 thoughts on “Hacker U.”

  1. David

    I enjoyed your article on hackers and the problems of school districts. While I know your focus was more at a University level, the problem of “inappropriate usage” exists all the way to the Elementary levels. I sit on a local school board, and while it’s not this problem that is number one (school funding and financial operations will always have that place), it is a growing concern.

    Having spent time talking about the problem, my own personal view is that the first line of defense (before any firewall) is parents…they need to instill a sense of right or wrong wrt internet usage, just like we do for all other types of social interaction and issues. It’s easy for parents to understand the problem of drug use and many know the warning signs.

    However, I think there might actually be a very critical and important gap right now, where you have very sophisticated and techno-knowledgeable kids and less educated adults (parents) who know nothing of the “technology problem”, nor what to do to make sure their children are acting appropriately. That carries all the way through one’s educational career and results in the things you are talking about today at the university level, and even into the general workplace.

    It’s a shame we have to spend millions of dollars to lock down these threats from enterprising young souls. It would serve our generation of young people better if we spent quality time with our kids and warned them of the dangers/risks and responsibilities of the use of technology in today’s world…but it seems that someone is going to have to educate the parents first.

  2. As the proprietor of the Peacefire.org website, I’d like to defend these students for a minute 🙂

    First of all, we give people a downloadable program that they can install on their home computer to turn it into a new SSL-enabled circumvention Web server and use that URL from the school network. For people who don’t have a computer to install their own Circumventor, we run a mailing list where we mail out a new site every few days. This means that if it ever took any skill to get around school blockers, it certainly doesn’t any more, and any student who uses anything other than our super-easy methods is using a flamethrower to kill a fly.

    But this is not a “threat” in the traditional security sense. It doesn’t enable anybody to run programs above their privilege level, or read and write data that they shouldn’t have access to. So I think it’s wrong to lump it in with other true “security threats”. Ethically, I would not aid people in doing anything that represented a true security threat, such as accessing files not owned by them.

    So why do we do it? Well, for most of human history, teenagers have been considered essentially adults and not “children”. When teenagers were given responsibility and allowed to earn the rewards of their own labor, they had to rise to the challenge (or else, literally, starve to death). It’s just that these days, education has gotten so bloated that teenagers are prevented from becoming independent by all the throwaway work they’re forced to do in school. People answer this by saying that it’s important for teenagers to learn certain things like American History in order to be productive members of society. But if they really believe this, then why not make it mandatory for *everybody*? If you really do need to know your American History to be an informed voter, then there’s even *more* of an argument for making it mandatory for adults, than for minors! There’s no argument for forcing it on minors but not on adults; that just keeps teenagers from becoming self-sufficient sooner.

    Look at it this way: if the government interrupted your consulting career and marched you off to a building where you were forced to do mostly throwaway work for 7 hours a day, wouldn’t you feel a bit resentful? And, presumably, justified in sneaking around whatever restrictions they placed on you?

    As for the “safety” issue, I know that no politician, and in fact virtually no person, actually believes that uncensored Internet access is truly dangerous, and the reason I know this is that nobody has ever come out in favor of charging parents with child endangerment for letting their kids get on the unfiltered Internet. If anybody believed that uncensored Internet access really was dangerous, wouldn’t that be the logical conclusion? If it’s dangerous without your parents’ permission, it’s dangerous with your parents’ permission, too. When something really is dangerous, like riding a bicycle without a helmet, there is no “parental permission” exemption. In fact, in many states, there’s not even an “adult” exemption to the helmet law — because the danger is real, the law applies to everybody! If a politician says that something is “dangerous for minors without their parents’ permission”, that’s essentially an admission that it’s not really dangerous. It sounds like another excuse for keeping teenagers from becoming self-sufficient — and then, ironically, the fact that they’re not self-sufficient is used to deny them other rights as well.

    Most people have never really thought about what rights teenagers should have, and why. That’s not meant to be condescending but to be accurate — if you ask most people why they think minors’ rights should be restricted, the answers are variations of “Lots of other people believe it so I guess I believe it too.” This includes “societal norms”, “courts have ruled…” etc. And if you look at what the judges write in their rulings, even they are saying, “According to contemporary community standards…” — which is another variation on the same thing. (Some people instead say “brain development”, but they don’t apply that argument consistently — they would never argue for restricting the civil rights of an adult with a mental age of 15, but they would argue for it in the case of a real 15-year-old.)

    Be careful of anything that is frequently defended with the “Lots of other people believe it” line.

    From Bennett Haselton
